d8b4c87bc3534a5e4cbcc8c981ba00ac5bd5224046e2d511d49ff9ca4bad3191

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
11-08-2024 02:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d8b4c87bc3534a5e4cbcc8c981ba00ac5bd5224046e2d511d49ff9ca4bad3191.exe
Size

416KB
MD5

aa1ba4f6dc28d72e45dba2e592f3c18f
SHA1

f30a30a4c2aab25107307b75a174ec1d23de8c6e
SHA256

d8b4c87bc3534a5e4cbcc8c981ba00ac5bd5224046e2d511d49ff9ca4bad3191
SHA512

f19a38321511a3fb46ce8ccf0e21b7825a0c5bbd6767d820749785cb7d51e9cd10e5da85e6a19dbebdb29c16b8a92045355e5783f52ea43cfc42d4fc8186ba95
SSDEEP

12288:v1mchYlFiWVPh2kkkkK4kXkkkkkkkkl888888888888888888ni:lhYlFiWVPh2kkkkK4kXkkkkkkkkU

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Injqmdki.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcqlkjae.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibcphc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imbjcpnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdphjm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giolnomh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmbndmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iediin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Inmmbc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iakino32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ieibdnnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmimcbja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gefmcp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iediin32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gaagcpdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfcabd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgcnahoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkefbcmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmhkin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iikkon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdeaelok.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d8b4c87bc3534a5e4cbcc8c981ba00ac5bd5224046e2d511d49ff9ca4bad3191.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Giolnomh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkhbgbkc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfhfhbce.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Inmmbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jipaip32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnmiag32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmfpmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehpcehcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fhbpkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gekfnoog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gaagcpdl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hqkmplen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdbepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkqlgc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkefbcmf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iikkon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibcphc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieibdnnp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpepkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdnkdmec.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdphjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkhbgbkc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gefmcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkjpggkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hqkmplen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Japciodd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcnoejch.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmimcbja.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epeoaffo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hadcipbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imbjcpnn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbfilffm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kambcbhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmfpmc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdbepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfaalh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhbpkh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkqlgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llpfjomf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgcnahoo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llpfjomf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfhfhbce.exe

Executes dropped EXE 48 IoCs

pid	Process
2684	Epeoaffo.exe
2916	Ehpcehcj.exe
2588	Fhbpkh32.exe
2776	Fkqlgc32.exe
3000	Fkefbcmf.exe
872	Fkhbgbkc.exe
2140	Gmhkin32.exe
2652	Giolnomh.exe
1616	Gefmcp32.exe
1720	Gonale32.exe
2972	Gekfnoog.exe
1320	Gaagcpdl.exe
2120	Hadcipbi.exe
3064	Hmmdin32.exe
1848	Hqkmplen.exe
1068	Hfhfhbce.exe
2264	Hmbndmkb.exe
1924	Iikkon32.exe
2312	Ibcphc32.exe
2460	Iebldo32.exe
1748	Injqmdki.exe
2372	Iediin32.exe
2036	Inmmbc32.exe
2800	Iakino32.exe
2232	Imbjcpnn.exe
2576	Ieibdnnp.exe
2808	Japciodd.exe
2544	Jcnoejch.exe
1932	Jpepkk32.exe
3024	Jcqlkjae.exe
756	Jbfilffm.exe
2212	Jipaip32.exe
2508	Jnmiag32.exe
352	Jfcabd32.exe
2884	Kambcbhb.exe
684	Kidjdpie.exe
2200	Kdnkdmec.exe
1148	Kmfpmc32.exe
3060	Kdphjm32.exe
300	Kkjpggkn.exe
2968	Kmimcbja.exe
2316	Kdbepm32.exe
2464	Kfaalh32.exe
1948	Kmkihbho.exe
2256	Kdeaelok.exe
1180	Kgcnahoo.exe
2520	Llpfjomf.exe
2780	Lbjofi32.exe

Loads dropped DLL 64 IoCs

pid	Process
1544	d8b4c87bc3534a5e4cbcc8c981ba00ac5bd5224046e2d511d49ff9ca4bad3191.exe
1544	d8b4c87bc3534a5e4cbcc8c981ba00ac5bd5224046e2d511d49ff9ca4bad3191.exe
2684	Epeoaffo.exe
2684	Epeoaffo.exe
2916	Ehpcehcj.exe
2916	Ehpcehcj.exe
2588	Fhbpkh32.exe
2588	Fhbpkh32.exe
2776	Fkqlgc32.exe
2776	Fkqlgc32.exe
3000	Fkefbcmf.exe
3000	Fkefbcmf.exe
872	Fkhbgbkc.exe
872	Fkhbgbkc.exe
2140	Gmhkin32.exe
2140	Gmhkin32.exe
2652	Giolnomh.exe
2652	Giolnomh.exe
1616	Gefmcp32.exe
1616	Gefmcp32.exe
1720	Gonale32.exe
1720	Gonale32.exe
2972	Gekfnoog.exe
2972	Gekfnoog.exe
1320	Gaagcpdl.exe
1320	Gaagcpdl.exe
2120	Hadcipbi.exe
2120	Hadcipbi.exe
3064	Hmmdin32.exe
3064	Hmmdin32.exe
1848	Hqkmplen.exe
1848	Hqkmplen.exe
1068	Hfhfhbce.exe
1068	Hfhfhbce.exe
2264	Hmbndmkb.exe
2264	Hmbndmkb.exe
1924	Iikkon32.exe
1924	Iikkon32.exe
2312	Ibcphc32.exe
2312	Ibcphc32.exe
2460	Iebldo32.exe
2460	Iebldo32.exe
1748	Injqmdki.exe
1748	Injqmdki.exe
2372	Iediin32.exe
2372	Iediin32.exe
2036	Inmmbc32.exe
2036	Inmmbc32.exe
2800	Iakino32.exe
2800	Iakino32.exe
2232	Imbjcpnn.exe
2232	Imbjcpnn.exe
2576	Ieibdnnp.exe
2576	Ieibdnnp.exe
2808	Japciodd.exe
2808	Japciodd.exe
2544	Jcnoejch.exe
2544	Jcnoejch.exe
1932	Jpepkk32.exe
1932	Jpepkk32.exe
3024	Jcqlkjae.exe
3024	Jcqlkjae.exe
756	Jbfilffm.exe
756	Jbfilffm.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Gaagcpdl.exe	Gekfnoog.exe
File created	C:\Windows\SysWOW64\Epeoaffo.exe	d8b4c87bc3534a5e4cbcc8c981ba00ac5bd5224046e2d511d49ff9ca4bad3191.exe
File created	C:\Windows\SysWOW64\Fkhbgbkc.exe	Fkefbcmf.exe
File created	C:\Windows\SysWOW64\Imbjcpnn.exe	Iakino32.exe
File created	C:\Windows\SysWOW64\Kfaalh32.exe	Kdbepm32.exe
File created	C:\Windows\SysWOW64\Canhhi32.dll	Kfaalh32.exe
File opened for modification	C:\Windows\SysWOW64\Hqkmplen.exe	Hmmdin32.exe
File opened for modification	C:\Windows\SysWOW64\Kdphjm32.exe	Kmfpmc32.exe
File opened for modification	C:\Windows\SysWOW64\Ieibdnnp.exe	Imbjcpnn.exe
File created	C:\Windows\SysWOW64\Jnmiag32.exe	Jipaip32.exe
File created	C:\Windows\SysWOW64\Jfcabd32.exe	Jnmiag32.exe
File created	C:\Windows\SysWOW64\Kdbepm32.exe	Kmimcbja.exe
File opened for modification	C:\Windows\SysWOW64\Kdeaelok.exe	Kmkihbho.exe
File created	C:\Windows\SysWOW64\Pgdokbck.dll	Fkqlgc32.exe
File created	C:\Windows\SysWOW64\Ibcphc32.exe	Iikkon32.exe
File created	C:\Windows\SysWOW64\Mgqbajfj.dll	Iebldo32.exe
File created	C:\Windows\SysWOW64\Iediin32.exe	Injqmdki.exe
File created	C:\Windows\SysWOW64\Ikbilijo.dll	Jbfilffm.exe
File created	C:\Windows\SysWOW64\Bccjfi32.dll	Kgcnahoo.exe
File opened for modification	C:\Windows\SysWOW64\Fkhbgbkc.exe	Fkefbcmf.exe
File created	C:\Windows\SysWOW64\Iebldo32.exe	Ibcphc32.exe
File created	C:\Windows\SysWOW64\Inmmbc32.exe	Iediin32.exe
File created	C:\Windows\SysWOW64\Kambcbhb.exe	Jfcabd32.exe
File opened for modification	C:\Windows\SysWOW64\Kgcnahoo.exe	Kdeaelok.exe
File created	C:\Windows\SysWOW64\Idhdck32.dll	Ehpcehcj.exe
File created	C:\Windows\SysWOW64\Gbejnl32.dll	Fkhbgbkc.exe
File opened for modification	C:\Windows\SysWOW64\Hadcipbi.exe	Gaagcpdl.exe
File opened for modification	C:\Windows\SysWOW64\Lbjofi32.exe	Llpfjomf.exe
File opened for modification	C:\Windows\SysWOW64\Epeoaffo.exe	d8b4c87bc3534a5e4cbcc8c981ba00ac5bd5224046e2d511d49ff9ca4bad3191.exe
File created	C:\Windows\SysWOW64\Ljdpbj32.dll	Fhbpkh32.exe
File opened for modification	C:\Windows\SysWOW64\Kmimcbja.exe	Kkjpggkn.exe
File created	C:\Windows\SysWOW64\Ecfgpaco.dll	Hmbndmkb.exe
File created	C:\Windows\SysWOW64\Mlpckqje.dll	Iakino32.exe
File opened for modification	C:\Windows\SysWOW64\Inmmbc32.exe	Iediin32.exe
File created	C:\Windows\SysWOW64\Japciodd.exe	Ieibdnnp.exe
File opened for modification	C:\Windows\SysWOW64\Jcnoejch.exe	Japciodd.exe
File created	C:\Windows\SysWOW64\Kdnkdmec.exe	Kidjdpie.exe
File opened for modification	C:\Windows\SysWOW64\Kdbepm32.exe	Kmimcbja.exe
File opened for modification	C:\Windows\SysWOW64\Kfaalh32.exe	Kdbepm32.exe
File created	C:\Windows\SysWOW64\Aibijk32.dll	Gaagcpdl.exe
File created	C:\Windows\SysWOW64\Faphfl32.dll	Iediin32.exe
File opened for modification	C:\Windows\SysWOW64\Iediin32.exe	Injqmdki.exe
File opened for modification	C:\Windows\SysWOW64\Imbjcpnn.exe	Iakino32.exe
File created	C:\Windows\SysWOW64\Fbbngc32.dll	Imbjcpnn.exe
File opened for modification	C:\Windows\SysWOW64\Giolnomh.exe	Gmhkin32.exe
File opened for modification	C:\Windows\SysWOW64\Iikkon32.exe	Hmbndmkb.exe
File created	C:\Windows\SysWOW64\Bodilc32.dll	Kkjpggkn.exe
File created	C:\Windows\SysWOW64\Alhpic32.dll	Kmimcbja.exe
File created	C:\Windows\SysWOW64\Kgcnahoo.exe	Kdeaelok.exe
File opened for modification	C:\Windows\SysWOW64\Jpepkk32.exe	Jcnoejch.exe
File created	C:\Windows\SysWOW64\Hnnikfij.dll	Kmfpmc32.exe
File opened for modification	C:\Windows\SysWOW64\Kidjdpie.exe	Kambcbhb.exe
File created	C:\Windows\SysWOW64\Kmfpmc32.exe	Kdnkdmec.exe
File created	C:\Windows\SysWOW64\Kdphjm32.exe	Kmfpmc32.exe
File created	C:\Windows\SysWOW64\Hlekjpbi.dll	Kdphjm32.exe
File created	C:\Windows\SysWOW64\Moibemdg.dll	Gmhkin32.exe
File created	C:\Windows\SysWOW64\Gaagcpdl.exe	Gekfnoog.exe
File opened for modification	C:\Windows\SysWOW64\Gekfnoog.exe	Gonale32.exe
File created	C:\Windows\SysWOW64\Pgejcl32.dll	Hadcipbi.exe
File created	C:\Windows\SysWOW64\Iikkon32.exe	Hmbndmkb.exe
File created	C:\Windows\SysWOW64\Caefjg32.dll	Kidjdpie.exe
File opened for modification	C:\Windows\SysWOW64\Kkjpggkn.exe	Kdphjm32.exe
File created	C:\Windows\SysWOW64\Iacoff32.dll	Gonale32.exe
File created	C:\Windows\SysWOW64\Hqkmplen.exe	Hmmdin32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2804	2780	WerFault.exe	77

System Location Discovery: System Language Discovery 1 TTPs 49 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hfhfhbce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpepkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfcabd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdeaelok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epeoaffo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hadcipbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hmmdin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnmiag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Giolnomh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gekfnoog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdbepm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmkihbho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgcnahoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kidjdpie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkjpggkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gmhkin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hmbndmkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibcphc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jipaip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fhbpkh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iebldo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iakino32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inmmbc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcqlkjae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdnkdmec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmfpmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ehpcehcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gefmcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfaalh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gaagcpdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Injqmdki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkefbcmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d8b4c87bc3534a5e4cbcc8c981ba00ac5bd5224046e2d511d49ff9ca4bad3191.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkqlgc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Imbjcpnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbfilffm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llpfjomf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iediin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieibdnnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkhbgbkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hqkmplen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iikkon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmimcbja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcnoejch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdphjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kambcbhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gonale32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Japciodd.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jcnoejch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jnmiag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkjpggkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fkefbcmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fganph32.dll"	Fkefbcmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fkhbgbkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gonale32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqfopomn.dll"	Hqkmplen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbbhfl32.dll"	Kmkihbho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imbjcpnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkjpggkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bodilc32.dll"	Kkjpggkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	d8b4c87bc3534a5e4cbcc8c981ba00ac5bd5224046e2d511d49ff9ca4bad3191.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	d8b4c87bc3534a5e4cbcc8c981ba00ac5bd5224046e2d511d49ff9ca4bad3191.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aibijk32.dll"	Gaagcpdl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmbndmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Injqmdki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bccjfi32.dll"	Kgcnahoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmkihbho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnbbcale.dll"	Giolnomh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Giolnomh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldeiojhn.dll"	Injqmdki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faphfl32.dll"	Iediin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imbjcpnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gaagcpdl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpepkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kambcbhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdnkdmec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljdpbj32.dll"	Fhbpkh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Japciodd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpepkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmimcbja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moibemdg.dll"	Gmhkin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Inmmbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgngaoal.dll"	Japciodd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdphjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phblkn32.dll"	Kdbepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbejnl32.dll"	Fkhbgbkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iacoff32.dll"	Gonale32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlekjpbi.dll"	Kdphjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgcnahoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfhfhbce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikbilijo.dll"	Jbfilffm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmkihbho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llpfjomf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdmckc32.dll"	Gekfnoog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gekfnoog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gaagcpdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgqbajfj.dll"	Iebldo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Japciodd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmojeo32.dll"	Jpepkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdeaelok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbhebh32.dll"	Hfhfhbce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miqnbfnp.dll"	Iikkon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caefjg32.dll"	Kidjdpie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmimcbja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmhkeef.dll"	Jcqlkjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdeaelok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	d8b4c87bc3534a5e4cbcc8c981ba00ac5bd5224046e2d511d49ff9ca4bad3191.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blghgj32.dll"	Epeoaffo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgdokbck.dll"	Fkqlgc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hadcipbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibcphc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iakino32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 2684	1544	d8b4c87bc3534a5e4cbcc8c981ba00ac5bd5224046e2d511d49ff9ca4bad3191.exe	30
PID 1544 wrote to memory of 2684	1544	d8b4c87bc3534a5e4cbcc8c981ba00ac5bd5224046e2d511d49ff9ca4bad3191.exe	30
PID 1544 wrote to memory of 2684	1544	d8b4c87bc3534a5e4cbcc8c981ba00ac5bd5224046e2d511d49ff9ca4bad3191.exe	30
PID 1544 wrote to memory of 2684	1544	d8b4c87bc3534a5e4cbcc8c981ba00ac5bd5224046e2d511d49ff9ca4bad3191.exe	30
PID 2684 wrote to memory of 2916	2684	Epeoaffo.exe	31
PID 2684 wrote to memory of 2916	2684	Epeoaffo.exe	31
PID 2684 wrote to memory of 2916	2684	Epeoaffo.exe	31
PID 2684 wrote to memory of 2916	2684	Epeoaffo.exe	31
PID 2916 wrote to memory of 2588	2916	Ehpcehcj.exe	32
PID 2916 wrote to memory of 2588	2916	Ehpcehcj.exe	32
PID 2916 wrote to memory of 2588	2916	Ehpcehcj.exe	32
PID 2916 wrote to memory of 2588	2916	Ehpcehcj.exe	32
PID 2588 wrote to memory of 2776	2588	Fhbpkh32.exe	33
PID 2588 wrote to memory of 2776	2588	Fhbpkh32.exe	33
PID 2588 wrote to memory of 2776	2588	Fhbpkh32.exe	33
PID 2588 wrote to memory of 2776	2588	Fhbpkh32.exe	33
PID 2776 wrote to memory of 3000	2776	Fkqlgc32.exe	34
PID 2776 wrote to memory of 3000	2776	Fkqlgc32.exe	34
PID 2776 wrote to memory of 3000	2776	Fkqlgc32.exe	34
PID 2776 wrote to memory of 3000	2776	Fkqlgc32.exe	34
PID 3000 wrote to memory of 872	3000	Fkefbcmf.exe	35
PID 3000 wrote to memory of 872	3000	Fkefbcmf.exe	35
PID 3000 wrote to memory of 872	3000	Fkefbcmf.exe	35
PID 3000 wrote to memory of 872	3000	Fkefbcmf.exe	35
PID 872 wrote to memory of 2140	872	Fkhbgbkc.exe	36
PID 872 wrote to memory of 2140	872	Fkhbgbkc.exe	36
PID 872 wrote to memory of 2140	872	Fkhbgbkc.exe	36
PID 872 wrote to memory of 2140	872	Fkhbgbkc.exe	36
PID 2140 wrote to memory of 2652	2140	Gmhkin32.exe	37
PID 2140 wrote to memory of 2652	2140	Gmhkin32.exe	37
PID 2140 wrote to memory of 2652	2140	Gmhkin32.exe	37
PID 2140 wrote to memory of 2652	2140	Gmhkin32.exe	37
PID 2652 wrote to memory of 1616	2652	Giolnomh.exe	38
PID 2652 wrote to memory of 1616	2652	Giolnomh.exe	38
PID 2652 wrote to memory of 1616	2652	Giolnomh.exe	38
PID 2652 wrote to memory of 1616	2652	Giolnomh.exe	38
PID 1616 wrote to memory of 1720	1616	Gefmcp32.exe	39
PID 1616 wrote to memory of 1720	1616	Gefmcp32.exe	39
PID 1616 wrote to memory of 1720	1616	Gefmcp32.exe	39
PID 1616 wrote to memory of 1720	1616	Gefmcp32.exe	39
PID 1720 wrote to memory of 2972	1720	Gonale32.exe	40
PID 1720 wrote to memory of 2972	1720	Gonale32.exe	40
PID 1720 wrote to memory of 2972	1720	Gonale32.exe	40
PID 1720 wrote to memory of 2972	1720	Gonale32.exe	40
PID 2972 wrote to memory of 1320	2972	Gekfnoog.exe	41
PID 2972 wrote to memory of 1320	2972	Gekfnoog.exe	41
PID 2972 wrote to memory of 1320	2972	Gekfnoog.exe	41
PID 2972 wrote to memory of 1320	2972	Gekfnoog.exe	41
PID 1320 wrote to memory of 2120	1320	Gaagcpdl.exe	42
PID 1320 wrote to memory of 2120	1320	Gaagcpdl.exe	42
PID 1320 wrote to memory of 2120	1320	Gaagcpdl.exe	42
PID 1320 wrote to memory of 2120	1320	Gaagcpdl.exe	42
PID 2120 wrote to memory of 3064	2120	Hadcipbi.exe	43
PID 2120 wrote to memory of 3064	2120	Hadcipbi.exe	43
PID 2120 wrote to memory of 3064	2120	Hadcipbi.exe	43
PID 2120 wrote to memory of 3064	2120	Hadcipbi.exe	43
PID 3064 wrote to memory of 1848	3064	Hmmdin32.exe	44
PID 3064 wrote to memory of 1848	3064	Hmmdin32.exe	44
PID 3064 wrote to memory of 1848	3064	Hmmdin32.exe	44
PID 3064 wrote to memory of 1848	3064	Hmmdin32.exe	44
PID 1848 wrote to memory of 1068	1848	Hqkmplen.exe	45
PID 1848 wrote to memory of 1068	1848	Hqkmplen.exe	45
PID 1848 wrote to memory of 1068	1848	Hqkmplen.exe	45
PID 1848 wrote to memory of 1068	1848	Hqkmplen.exe	45

C:\Users\Admin\AppData\Local\Temp\d8b4c87bc3534a5e4cbcc8c981ba00ac5bd5224046e2d511d49ff9ca4bad3191.exe
"C:\Users\Admin\AppData\Local\Temp\d8b4c87bc3534a5e4cbcc8c981ba00ac5bd5224046e2d511d49ff9ca4bad3191.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Windows\SysWOW64\Epeoaffo.exe
  C:\Windows\system32\Epeoaffo.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\SysWOW64\Ehpcehcj.exe
    C:\Windows\system32\Ehpcehcj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Windows\SysWOW64\Fhbpkh32.exe
      C:\Windows\system32\Fhbpkh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2588
    - - C:\Windows\SysWOW64\Fkqlgc32.exe
        
        C:\Windows\system32\Fkqlgc32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2776
      - C:\Windows\SysWOW64\Fkefbcmf.exe
        
        C:\Windows\system32\Fkefbcmf.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\SysWOW64\Fkhbgbkc.exe
        
        C:\Windows\system32\Fkhbgbkc.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\SysWOW64\Gmhkin32.exe
        
        C:\Windows\system32\Gmhkin32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\SysWOW64\Giolnomh.exe
        
        C:\Windows\system32\Giolnomh.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SysWOW64\Gefmcp32.exe
        
        C:\Windows\system32\Gefmcp32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\SysWOW64\Gonale32.exe
        
        C:\Windows\system32\Gonale32.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\SysWOW64\Gekfnoog.exe
        
        C:\Windows\system32\Gekfnoog.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\SysWOW64\Gaagcpdl.exe
        
        C:\Windows\system32\Gaagcpdl.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1320
        
        C:\Windows\SysWOW64\Hadcipbi.exe
        
        C:\Windows\system32\Hadcipbi.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\SysWOW64\Hmmdin32.exe
        
        C:\Windows\system32\Hmmdin32.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SysWOW64\Hqkmplen.exe
        
        C:\Windows\system32\Hqkmplen.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Windows\SysWOW64\Hfhfhbce.exe
        
        C:\Windows\system32\Hfhfhbce.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1068
        
        C:\Windows\SysWOW64\Hmbndmkb.exe
        
        C:\Windows\system32\Hmbndmkb.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Iikkon32.exe
        
        C:\Windows\system32\Iikkon32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1924
        
        C:\Windows\SysWOW64\Ibcphc32.exe
        
        C:\Windows\system32\Ibcphc32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2312
        
        C:\Windows\SysWOW64\Iebldo32.exe
        
        C:\Windows\system32\Iebldo32.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2460
        
        C:\Windows\SysWOW64\Injqmdki.exe
        
        C:\Windows\system32\Injqmdki.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\Iediin32.exe
        
        C:\Windows\system32\Iediin32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Inmmbc32.exe
        
        C:\Windows\system32\Inmmbc32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Iakino32.exe
        
        C:\Windows\system32\Iakino32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Imbjcpnn.exe
        
        C:\Windows\system32\Imbjcpnn.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Ieibdnnp.exe
        
        C:\Windows\system32\Ieibdnnp.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2576
        
        C:\Windows\SysWOW64\Japciodd.exe
        
        C:\Windows\system32\Japciodd.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2808
        
        C:\Windows\SysWOW64\Jcnoejch.exe
        
        C:\Windows\system32\Jcnoejch.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2544
        
        C:\Windows\SysWOW64\Jpepkk32.exe
        
        C:\Windows\system32\Jpepkk32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1932
        
        C:\Windows\SysWOW64\Jcqlkjae.exe
        
        C:\Windows\system32\Jcqlkjae.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Jbfilffm.exe
        
        C:\Windows\system32\Jbfilffm.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:756
        
        C:\Windows\SysWOW64\Jipaip32.exe
        
        C:\Windows\system32\Jipaip32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2212
        
        C:\Windows\SysWOW64\Jnmiag32.exe
        
        C:\Windows\system32\Jnmiag32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\Jfcabd32.exe
        
        C:\Windows\system32\Jfcabd32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:352
        
        C:\Windows\SysWOW64\Kambcbhb.exe
        
        C:\Windows\system32\Kambcbhb.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Kidjdpie.exe
        
        C:\Windows\system32\Kidjdpie.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:684
        
        C:\Windows\SysWOW64\Kdnkdmec.exe
        
        C:\Windows\system32\Kdnkdmec.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2200
        
        C:\Windows\SysWOW64\Kmfpmc32.exe
        
        C:\Windows\system32\Kmfpmc32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1148
        
        C:\Windows\SysWOW64\Kdphjm32.exe
        
        C:\Windows\system32\Kdphjm32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3060
        
        C:\Windows\SysWOW64\Kkjpggkn.exe
        
        C:\Windows\system32\Kkjpggkn.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:300
        
        C:\Windows\SysWOW64\Kmimcbja.exe
        
        C:\Windows\system32\Kmimcbja.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2968
        
        C:\Windows\SysWOW64\Kdbepm32.exe
        
        C:\Windows\system32\Kdbepm32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2316
        
        C:\Windows\SysWOW64\Kfaalh32.exe
        
        C:\Windows\system32\Kfaalh32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2464
        
        C:\Windows\SysWOW64\Kmkihbho.exe
        
        C:\Windows\system32\Kmkihbho.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Kdeaelok.exe
        
        C:\Windows\system32\Kdeaelok.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Kgcnahoo.exe
        
        C:\Windows\system32\Kgcnahoo.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1180
        
        C:\Windows\SysWOW64\Llpfjomf.exe
        
        C:\Windows\system32\Llpfjomf.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\Lbjofi32.exe
        
        C:\Windows\system32\Lbjofi32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2780
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 140
        50⤵
        Program crash
        
        PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fkqlgc32.exe

Filesize
416KB

MD5
53e7bb7026d0fbe1a5c44a49a07429ff

SHA1
9d03ba6fcd60935059a07ba013ba708c6df9c63b

SHA256
6290ac52038186381fabdc238b18d981486e72e754b79ac6204279ca1489b1c1

SHA512
2033ab8aeba0ac28e95bca7b9257a8a93086a7a08d908c3915d1bde4ac36043415fafc4d05c5f044cd71696dd1c9db9a4b895d2f174d740d1e291c71f50b2279

Download Submit
C:\Windows\SysWOW64\Giolnomh.exe

Filesize
416KB

MD5
4273882f65c8f3dcde3023431301cc28

SHA1
0ed1e6447100e1667a851a88e6cff559d23ae8ba

SHA256
ed1e1509af0ebce5e2595ca42ee2eedbabd47d074b4a26ab1c312152dfee210d

SHA512
748e6125cf85744374076b0266163b01a225162b35f11459bc1368f5550d909fce27a5d729574017daffc9f40f4e98bb2d5d32701d6f9560f6a09f3802eb30b1

Download Submit
C:\Windows\SysWOW64\Hfhfhbce.exe

Filesize
416KB

MD5
6a4f65e890af690b5ef4489a9d84197f

SHA1
d9c9a6fb26af311b51b39c0d67d36778cbb66639

SHA256
681d4811fcce1a62df2366ac16d3191f950d002da66b567ca758dc696e6e6d09

SHA512
3c77018bb85d4369a68a1414eb55276ad78f1ff23ceb5ad4c4600a6ea6705793a04e65354e527ee668530f958cf49f6dd1b6b5b3fff040bf30dfc95797678806

Download Submit
C:\Windows\SysWOW64\Hmbndmkb.exe

Filesize
416KB

MD5
7c2e0b4331c26a57accbe7ebaff5037f

SHA1
c02edce119be45afdce8986f47dba12dd1c7c967

SHA256
b3c18afdc69ce8470aadc31f3c28e6bf6bf95b421a3aa2762141d3193c006876

SHA512
0f901051fad098ec6b9d028b042e32c67fc8c597f1ee4bc01b8ce00165e576559c6734349fea9d1e0041216ecf91af1a0b825922399f0ebb93b39a82cd097c35

Download Submit
C:\Windows\SysWOW64\Hmmdin32.exe

Filesize
416KB

MD5
fb462b28d07e3784a935b8cc3aebd47c

SHA1
5431ddb20b492b8f84bf96145e3930dd16689b55

SHA256
068f5ae0d85089ffede7c75df07dac30a038b60b80f271e030e5a0e41f364b32

SHA512
82f3f83fb63b4a388bc8a76063700c5ab497e95fbf9f6cb1a91f7803e0a7fc0a83363217dc25aad678b922e8d2f8452920d500303723da9c18df80dddf46d8ab

Download Submit
C:\Windows\SysWOW64\Hqkmplen.exe

Filesize
416KB

MD5
3916a6af841ecee40da33486ecb10429

SHA1
f7e6804d4de833fae6f8ad926883ae1fa382c79d

SHA256
604ef0613114a9c5828c058a6b29670a1b35d26d7f519a2d8f7fd584e87d89e2

SHA512
9c8966cdf57c67adc614f20954b93b33adb7f31940b2c90fc36fd46a446aa2c17b1f449fe69d24b6dacc362d7e83fa6833908cde07ca2be4806661e600f9182a

Download Submit
C:\Windows\SysWOW64\Iakino32.exe

Filesize
416KB

MD5
2022c9c2d4c5712a31aa4a4284338a61

SHA1
4af74078d3031ffc4f38cfa2a9ed020105392520

SHA256
2c4f8c31fa206894e1a3832647d67a8121472d2be4c737f8256e71202f16ce55

SHA512
725f5e7ba1ea54ceb352246e919517298f0cda8517288acea708756692c444d969e8d8b703709f647eef384bf8f0b8f33b9ea2fe488c45fc9b8aa5e7d3aec4d3

Download Submit
C:\Windows\SysWOW64\Ibcphc32.exe

Filesize
416KB

MD5
4e7d517d8bee7ddbee49185de88e7eef

SHA1
f5e0c7939fbdc4aad6015a6d4faddb248b462d79

SHA256
0e4235a8e737d6904fbb25e9d701c8886789fe430e91c194d20f6eacb21ec09d

SHA512
a0c2b83c5aecbd94d3c487ba747bd920f67d546b27105b81bf3680e4e69d81665a3e4482ba22f978d36fff239d684caa180c29c5d2f0132e562d0662937da891

Download Submit
C:\Windows\SysWOW64\Iebldo32.exe

Filesize
416KB

MD5
0d2ed2c7c5a9d4c083ddb3c04556e37a

SHA1
69b925f1aa56bb8efe47d5f5d348464c265be097

SHA256
7cc5f87d82ae1e743635fa53f473b137e91132933d82bc9ba23f0a73529becee

SHA512
47ba7184fca5444844e8100692a024c65d4b77dc1a21e1bc0645e92fd810dee547d326bd5d5ff77b22e06883a37a2607d7fa971ef82576bc3ea8557380b2d2c8

Download Submit
C:\Windows\SysWOW64\Iediin32.exe

Filesize
416KB

MD5
b2385582cd8e9bc605a5c7ae26359c39

SHA1
f6510f12e3a4c5f71298002370bb4e297ca31fb4

SHA256
a9fcae0d5f6999567c93a413fe386f4f0b7b61fbbb265b45bb5da94687fd3fd6

SHA512
a43a04cf1306e6fe6ec53d4b83813b03cee0c2c114f8f65ff3da28de1149b8969c8fc6018ef45a7028894d704adec37b23fc8ea4504ad38a83faceae96abd0af

Download Submit
C:\Windows\SysWOW64\Ieibdnnp.exe

Filesize
416KB

MD5
0fca5100ce2e808af1e9d72b80b40931

SHA1
c5b41d82bd7d2b580c3bc27c4be8e459b0ec9ace

SHA256
e73a3a872f3c08f6caa5d9e7e1d2de95eaaf31f5930bd8058617aa750a9fd2b3

SHA512
9c0658f8abca235c3b33f882113a8efa9b425309d566505f5a0b138c6e285f950c7f9e2732b66be78d7c11366b7ade0eece7ae827a7d4e9919986874f520b157

Download Submit
C:\Windows\SysWOW64\Iikkon32.exe

Filesize
416KB

MD5
a084759a5c6591bfbc624fb2f32b77f9

SHA1
72edeb2aa83d1b71638777cf85f125debd1d1b9f

SHA256
56be95528583c1afd1c6cff267f0fac4a844df102f87e5ff7093941dbefd2dd1

SHA512
57cfe2c9f7ef10dcac63fcf38750c0e4f5c3e904b25a40d2ca51cebefbb205cab6acedb8ebd7b7b7a499034b58dc30ace9d5644531ce09c600471e43c1ea9e12

Download Submit
C:\Windows\SysWOW64\Imbjcpnn.exe

Filesize
416KB

MD5
c596c914ebc8a7fde0ad391291746b6f

SHA1
b97900e5abaac6c800600798fe97a3c0c7f861b2

SHA256
f5a612e009a49ec23a7faae16585b19e5f82b92051f78239ed1f32d8cfaca5ad

SHA512
b91912799f5352425138d75a53f3b72a0cff6ebdae71536dc5e423ea6ca41064cdff6b4c25bc9e0ba1d6e8f716143bba163dc4347ec28c23cd975bd97e1b6308

Download Submit
C:\Windows\SysWOW64\Injqmdki.exe

Filesize
416KB

MD5
23cbd87e0fb44b6bdd7dbac65e28b2cf

SHA1
868baa333695a43d5f7c4e8c7c051c44f480d264

SHA256
e28bca579f8949e3fdc0a45f1d447350452e024f1531dd436e66939c49cc71d4

SHA512
0637778e4e36b63939b635c730f25c037e98fa7a329c7f0f57fbea1825399f3526e0ff9b3da9d23543e31ca2750a3e03c4c1e019a3fefd2bcbe4de5c8a225d6b

Download Submit
C:\Windows\SysWOW64\Inmmbc32.exe

Filesize
416KB

MD5
9e7654d61a32d48d7abd089ea4807ad0

SHA1
fbc14b93cc3fb780490b0508ea36d6d9d3e151ea

SHA256
666244a4e8b45c7d6294cafe789e1ab365b159ca1b683c5efc5d905024f582ae

SHA512
22ffa730a5b72046ebb5baed2ef9a05c795e174ba08f4af74027b63d30ee06633556592edc0e27ebd95efee3b17c82da620517ad0e9708cc2d16c4db426d165a

Download Submit
C:\Windows\SysWOW64\Japciodd.exe

Filesize
416KB

MD5
fa2b38f591d3dea768171cdaa36e5627

SHA1
bf5855eb67f5c16b04d476e85d8b2b76988c631f

SHA256
49662b8a5bfff9772966cc0fb3f470c4ce61050b320d3b65ffb51371161ee414

SHA512
da5e66053c43631ccf4416b0ce12983cecb9719758d04509942601b550a96adf89166f5cf9b1046e2dc2af036729b76f408d1acd7470d7539e5a72a460b63980

Download Submit
C:\Windows\SysWOW64\Jbfilffm.exe

Filesize
416KB

MD5
e7683a9d7250fea42b83f8b08800556e

SHA1
cb1a72556c69952ec130c37ebe348c2d36dfe041

SHA256
0f2dceed4347b3fabc77e1354c310e24eab52ad3c4f7c5f3874307bedf470b9c

SHA512
7d5b0b8efb77c0cc10517fe8ae9267dc0d394542378131c6682a05d4ba78d737605d6cd3864320e71c0fa9ddef1b3563625488ab71509ac3765cbc47c6552f53

Download Submit
C:\Windows\SysWOW64\Jcnoejch.exe

Filesize
416KB

MD5
5c46f8ff3fb7952452805b005667e9b1

SHA1
cb2de83de025d463cec7e0b58a4723f2cb7cc4e2

SHA256
8404301956e5bc8d569cdedb50c4bf38cf4afb495bc69f594f50fa6828b2ba21

SHA512
4e7930f349796ecc231c305557f5851de9c4c15b2dec44acd70e35374dd357e728b6677ec49f941564ded0f1aed2bffe43c00efb48ca3135e4ef73cbad8d2343

Download Submit
C:\Windows\SysWOW64\Jcqlkjae.exe

Filesize
416KB

MD5
a16769fad0a61a5ba497c5e3b38613d0

SHA1
9ee85b03ea17385e0719b54b21200e823ec12512

SHA256
78ae6650ae80d98b191d6e70d90ba481798bb3b6166addd6d3a9452f148de7b8

SHA512
fa5ee1cf4ccba175a0b6e47a83a2860a23d31715df6a79477bf43c2c4fbe32337f654c5af11b40494665b248ac123ff087fa07337db7dc611da533b881bdc1a5

Download Submit
C:\Windows\SysWOW64\Jfcabd32.exe

Filesize
416KB

MD5
711bf9f94d72cb1934ebc8d32f690ffe

SHA1
4e684d88f9d1ff7aaf382b26025f51cc13bf00f1

SHA256
8aebeca8874587f8ea9e61c1438a3b679c7e89e8d129ebbc1de3ac2f454e926b

SHA512
1e519a0108b29031c39bd7e027acceb5cc3276e121d8aa65c6d8857b41ae50a79d15f3ec866862b93c67ad176c9fa2d735cbaa76957f39011df04371e2cd48e2

Download Submit
C:\Windows\SysWOW64\Jipaip32.exe

Filesize
416KB

MD5
e92873be8ba098d555eab6cc9d7e97b9

SHA1
b8f5f7697a1d2bb7bb7600b583cd4a31f40de06e

SHA256
0380d9b9b0144af38f8aca5da115c109f19da2011508ec14a37778663d37aefe

SHA512
a8f407d4107ebf3094a819a25310e2654946c9475a846b7c279fcce5c35ffac1e08dc3a9ba6d564b9e3d777a092ad4a1250759ce28e91ac128293b13475eb452

Download Submit
C:\Windows\SysWOW64\Jnmiag32.exe

Filesize
416KB

MD5
d96f9de58b3ee91143ae9d3ca2df7ca5

SHA1
323a2b48a38160fb946d45a1453aa22832e4895f

SHA256
4748d314b68af3e5fcbdf54e8ca55f5384206f782fdfa7b50b7da88aeefe5594

SHA512
2b3770dbde2d17d5e0fa0b996c88bf1369e8d67014a7cd4c9be403dd9980632d9a0c66352121cffa103d89885d190b05e0af0b8bccb510ece4e8b6208cbbea26

Download Submit
C:\Windows\SysWOW64\Jpepkk32.exe

Filesize
416KB

MD5
75fdfde527e88601619c367a72e800fe

SHA1
8ab23482298a81894f7ad6783a7eae9112b95671

SHA256
1d54f0788045cfaadd7586583df7cda753e3b350523271378f008de89f733f54

SHA512
73306be42a7c33a712c1d312f06cde8586442d54aa316abcdcb91941133018a14a429e7db79f89904c75478c055e4b1c62ec3d91621b4293a60cb3a615ee1526

Download Submit
C:\Windows\SysWOW64\Kambcbhb.exe

Filesize
416KB

MD5
7f8ebd399484f24e78adec8dc8f9b83c

SHA1
f2c7809ef71b3007b9687837295c403c8dd0bdef

SHA256
27dad6e6c0c1eb97aaf7b129595d01f2e8a8ff61e83b589a7873d0c4e254d1f5

SHA512
45b1dbd04d314c3c95bad150fc741cd979803f18a6ba0b4844a32289872538e7be0c7f6ec57c3beeee46c260d08d7240b422d5e93a7bf0eeb97273bef75fb6a0

Download Submit
C:\Windows\SysWOW64\Kdbepm32.exe

Filesize
416KB

MD5
4d18b1e17db81cd94e432f158f29e6a7

SHA1
435a2689abd58b7300eaa062db4ae4d0d87c0767

SHA256
9e3c018662c108de1d66eace2da223e8464b9e308aaee2593b3fa9e8c9773e26

SHA512
87b813f46707c8649966fec229dd3eebd1ad2dab641686943cf2ccb76f2b673ce441fc23abb2d54c0318d3f732a67f9bebbdd10acca3bb61598a680a9dcdef42

Download Submit
C:\Windows\SysWOW64\Kdeaelok.exe

Filesize
416KB

MD5
e14e32e924300ebb9006069663e17281

SHA1
c3c11965ac35eb3e613be503d5e1aaa0a5a22630

SHA256
cdec47302ea48d7e3a1bfd68d926dfe3c83f8c571212e1ad12e9f9b8e4ccd9dc

SHA512
a175d84cdddf07f31107a5247a7854243f1d160bf93347f42f0aa90fa207b856f7e8ee77a4bc5e5093016ceae1ac9de109232833b6a73b243739c8ddfb5e09ca

Download Submit
C:\Windows\SysWOW64\Kdnkdmec.exe

Filesize
416KB

MD5
43e9a828f926c506faf444d25d5adf38

SHA1
ceec17536a65d568046314bc98ba254d3ea4a7fc

SHA256
41aa8abbb580101f5642e7debea1ce75a3a8438ad88c5be9230da0a2bb59a3e0

SHA512
4c121d7c2cc735f71400db28e7e965e360f817781b9d20ec50e5526f446c5be23b2804056f1852bb341f4e988f2764c42e3255c69b3f9a773c9bb3d307a45f71

Download Submit
C:\Windows\SysWOW64\Kdphjm32.exe

Filesize
416KB

MD5
4acfd3376633f454fba7c87995ddc307

SHA1
2cfccc5d35663a9010cf10050740a6a5fa54f196

SHA256
d76128368084307e7fabb703e570a6d9cc1e503d7cf913bbeb723feea3e6b48e

SHA512
3d2ab08278e743fca3ca52e6cb174ebf55de9336364b0fb8bc88f7b1fca2ec07cff14d5502f557670d3871bd4775f34578f0132400a10c7aa524d9cc9c6a40b7

Download Submit
C:\Windows\SysWOW64\Kfaalh32.exe

Filesize
416KB

MD5
22c178748923b391ede97587854c4676

SHA1
d6ee547bfc80273467ca81f291e1f93c0285678c

SHA256
de5ae47e6ed4044aad96aa99f16fe5b91d45322101e315debc524f593b182748

SHA512
6d9b5573eb737d15c98b1915646ed5debeaf86ee2b787f7a9115849b47158423ff6d4cbcc170f8586249598575ee665e9eb043ef264c01629eeb751fa3acbafd

Download Submit
C:\Windows\SysWOW64\Kgcnahoo.exe

Filesize
416KB

MD5
9222afed7b66d611d63ef4cd10938711

SHA1
1c95ff4882848dee358ccf79d54caef6a58c01da

SHA256
7dec93fc0a5490cef6e274383e2631b9964263f9d7732407136c594a6ef98855

SHA512
18b13d9b736d8385ec11b3ef32e4236539c009600deaa41ecc81574a04a01efb20cdf51bff16ab4413b04cfef959ecce9241813f053c7583eecf827cd8b7471e

Download Submit
C:\Windows\SysWOW64\Kidjdpie.exe

Filesize
416KB

MD5
ec7e6e6dbf1e77972901f108302b42b1

SHA1
d5ba713e3ebc91b142e02118dd6de1774cfa149a

SHA256
36fe9addc32959f76557ca350b61e1976fb9a7791b725e80d5229d31948c9ca7

SHA512
81a3f1431c718d11c2e64e5a6c608923cda782ce0ea30ec444913a6ace94488127402f4b2a6c6d317ff715d46267aa6c2ca40d718d26ccf6afcc0cc0dd6858bc

Download Submit
C:\Windows\SysWOW64\Kkjpggkn.exe

Filesize
416KB

MD5
5bff984420653d9e3e5220523821b6e8

SHA1
d1cdc495914788c3b2837f8ae27df32b1d552e56

SHA256
463b1bda719e946d2928b284ce70392c2151fea0e134565b2d789a4f9dd268a2

SHA512
bf6aea77f57d92906a3a29d536b0d10809d565208244587b1a29cd1fb7e6a32642fb8692f53ff1a0153a223d20cc98e3a06d9be6bf63e8e26e74affab798724b

Download Submit
C:\Windows\SysWOW64\Kmfpmc32.exe

Filesize
416KB

MD5
5138b0c47fc6107e9187901f55bd45cc

SHA1
45b122d96afb47a944a316df668e637d3a096b08

SHA256
8d2556c1b8fcd90f1ea669bdd0f7ee05932191acbd15e48e60ad09ef9155b1cf

SHA512
6b4de067bb150bac817eae7626a25862a32cdf4d272f4a9ec785b467d4480f529289eef048450ca4160947e9127639ff4b3d12a97046007f88640b662a2c25dd

Download Submit
C:\Windows\SysWOW64\Kmimcbja.exe

Filesize
416KB

MD5
faa648f89ee48e5e1b33a5452801c0e1

SHA1
67c6a56642a5c3e2ce61511a35404f0d4e0bb29d

SHA256
0b40f43e9c569d1575adb26168c0577312f69ce9c79deb918417ef27591d74d6

SHA512
81aed92471cd4b571d00a092d0f4d2f4044c0f8cb9aebb6f8241ee3d5ed4edaf2aeb32130bbf5f68afdeb690e88e31122673a11ccd4dcb7a93a8e5224812daf9

Download Submit
C:\Windows\SysWOW64\Kmkihbho.exe

Filesize
416KB

MD5
eff2531b3a935ea30890d1daddb0773c

SHA1
453216956806f0dac9661c733735a6694e6c2b45

SHA256
32ec85846dcb7217b806c52b90175cafad1b746f25a6a63459e3d9d3a52da52f

SHA512
54d263fa195587cf5d72473d9e3cfc12a805e0c62804d0ffc10522f462ac3a1138f7c07644900d488edb3588296c4b6a99b6d2e482d689d9e24907f544f1423e

Download Submit
C:\Windows\SysWOW64\Lbjofi32.exe

Filesize
416KB

MD5
73c68ae59a082c2521fef1d05c235545

SHA1
e8ee72956626ee0c3594387f15bda9182a995a3a

SHA256
cdb4d02231d06d0260719cba5ab1c89982732751b6ae46be8e83230b9e4e1478

SHA512
ce3d808144d69b6186e2ee6b2bc339abc560aa7dab5ddf45de8775ddb59e261869f57804ca5937bfd2228b04cfce5e9c35b514f1dfb47519120b5f765b9c4d93

Download Submit
C:\Windows\SysWOW64\Llpfjomf.exe

Filesize
416KB

MD5
b75c02f6fbe3cf33ef6fe6982cc5004a

SHA1
058df8028d7f289769b24af3a24baba14dc321bc

SHA256
8225f64b015c523ff045ec33afa2ca2b74f8e6793c3798e3eb7b11ffc596c506

SHA512
b59125b5ee9611685e64753b76206fe181577d71e42aeb27894de90402b4d8830fc7e3783dc0ee22bbf2bc10cf6f67efbd3cb71eff43740dd1d28271af1541d9

Download Submit
\Windows\SysWOW64\Ehpcehcj.exe

Filesize
416KB

MD5
4a0274ee89548276beb4a637608da1ac

SHA1
56ffc53aa1cbe7c1d32f35bdac37a7604546f3b7

SHA256
5ffd2b2ce32de5f72a1912d9e0c920b36ec833d98b38ebb46fc1fe6e55a663d0

SHA512
fde66969776e5d8111653a9e19ce8f1dcb5ff178fd70b164d464ee3f4be8ce932b8a4546d17ff3276647c691118ae0c038062af2dc34cdd0280a125a73f21d30

Download Submit
\Windows\SysWOW64\Epeoaffo.exe

Filesize
416KB

MD5
a1aea9b825ecc5a8e66b8c54fcf6bd14

SHA1
4c4637aa56c521b32563a4f9c246b45511bd110d

SHA256
d6ead5589f038a484e9b099b5f308a2472fb30584340ec77d6b7fb5e8f706c6b

SHA512
6fb3aef99825fdfa6ed765dd96dc9f91463ab89acd64894a801dea63e861a19f8bfe7f59ccdce41bd6e0c637f28364aa8f34d2d98c6015641fb227f29eaf9090

Download Submit
\Windows\SysWOW64\Fhbpkh32.exe

Filesize
416KB

MD5
9796829091d20897862bf4e2da9a060f

SHA1
cd9afaf3d89ef6b3d0058c598bdce9a464dcf006

SHA256
0c1f6e8d28b9877b501f50c3a0838357b8f9390585cab0f57bdb6537ca9b1f81

SHA512
aeb9673b43e03ba68ff85ab99e22d458f0271a5c91a8734205f0f53f4db07e11ad271a33b16bf2cb57b04598372bcf87c5c3a0874385fb0cd9ce151621b1ad32

Download Submit
\Windows\SysWOW64\Fkefbcmf.exe

Filesize
416KB

MD5
c017f63702bc9010a319529fc7d48ecd

SHA1
aadc431c3525019a810822971c22ad7a4b955f60

SHA256
b25156c6b36fccd7cb16d79334639631db3ae19ead79318d7b4eb6477b9c731d

SHA512
4246a47c4ab68f9df9534a4b92e0f0c83a92207dacc7cebe87d484c8967e6da3d06e6c39d70fae8a83a1a77627c7c6c8656846b8b7712e40341246f71590005b

Download Submit
\Windows\SysWOW64\Fkhbgbkc.exe

Filesize
416KB

MD5
3c1a1a26b7ee88e8763efc54c0130137

SHA1
ce0c95a46b2b59e415ecc3c917c919fe97498616

SHA256
eb0fcfa67c15f30c772c4e6f42e88ef3380004067494e42dd489b39e648ff799

SHA512
28fab4f0b6139d2918e8cbf79f0e4c755e53b4c5da69526937294e0d366b65281618851eae4601d1499e41871b4f3212c3ed3cb2d64b56b47c298e2a6bebc985

Download Submit
\Windows\SysWOW64\Gaagcpdl.exe

Filesize
416KB

MD5
24aecdada65d173f7fcc404800e3e09f

SHA1
74b8b9f6ed018c71d44a654110d6da41ccadbb17

SHA256
d2105018f1ffacaf35f087f5c25437e5d9e6719c51d3997c2de65f34480b36f2

SHA512
94ffd91bdd984f16c3b1c31132d945f32b2c14e52681716cfd11398b3aad0fd868d12c2e1b0853191b659e09c89fa067fd39ff8918b571a9579e9414db7d6ce4

Download Submit
\Windows\SysWOW64\Gefmcp32.exe

Filesize
416KB

MD5
48bd18785d3e247f8bf1bc2b30c35c08

SHA1
ff576d4fb6243348d2aef9a657b3d68daa0a6095

SHA256
d3ea3058e0ce8824feaa16c68bab20b8973aa18c060cb66daf52110ac02afcd5

SHA512
f6b28bab64f8cf726c2d8d88e4d0a6a84aca32371a2bd284ded95621c1fe8809c6c28b364171edcf4b37b84a23181584a6620f729af9636b2c05ca1ba229966a

Download Submit
\Windows\SysWOW64\Gekfnoog.exe

Filesize
416KB

MD5
ea32a002ea3d3cd43b2d9f912fd78e44

SHA1
5d7dd4651ca71b9fb32e505bf7e1b72180e65a9c

SHA256
7bb00d9f99d12f7901ebdc899c2803e80610a17296fe2d07614c027125796ffc

SHA512
9c52e48496b1ac90c60a80ae6eb3bf713343526b32588def96730af420cd1c86c701a3b04d9d395fdeb365946d61c9d693e811b0b189fef7c22fb8c6b2117962

Download Submit
\Windows\SysWOW64\Gmhkin32.exe

Filesize
416KB

MD5
709601a1805cb089b1928b4713be8734

SHA1
abce5006a97aa52dd43d3a3957ee65e0c375e368

SHA256
ee429c17829dfbf9c39ad4c713e05eef28382e2c821b4f69c6a86544be94d6ca

SHA512
81c49ef0f8851a0515029312e1eb654f59abbb02dca0010915bea90ef71b240f9c1115076d0fde72da093f720ad4f10bec2745df0ca0894327857605a4cdd4f0

Download Submit
\Windows\SysWOW64\Gonale32.exe

Filesize
416KB

MD5
8e2e244664a05056d3764f8556ffea5d

SHA1
2e90f8b89f49826979ea069c474f6b8ede298ec1

SHA256
88125045fcd23b20686352afa6acf3e1d56eaa0174e02e3806833c5401fb08e6

SHA512
5e420657b762c09d6d8dbe7b02246714062b1834fb9748bec1cb861acb02838667370cd1b5bba254d4cddd282efa77a9f74fe98764816d983c7440ffb64b9d5f

Download Submit
\Windows\SysWOW64\Hadcipbi.exe

Filesize
416KB

MD5
d4ab0f32fd346de4c142c845cf2f81c6

SHA1
5b7cbbc3708a71117f1cfbd03a123ef3e43803b8

SHA256
2e8c28fe65932b701292926ea87b64b0c639120f81a1ed4c14aadd36e94ed6b1

SHA512
f4f75aefd7ff530dc48638e341d3b4e8dd38ad167f09f0fbc226df509a8256b46483ab828e4a143d19c45e9f960ce0ddb92417e5aef32f1139cb30e6f896bf7a

Download Submit
memory/352-430-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/352-431-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/352-417-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/684-439-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/684-449-0x0000000001F70000-0x0000000001FB2000-memory.dmp

Filesize
264KB

Download
memory/684-448-0x0000000001F70000-0x0000000001FB2000-memory.dmp

Filesize
264KB

Download
memory/756-394-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/756-393-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/756-388-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/872-82-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/872-89-0x00000000005E0000-0x0000000000622000-memory.dmp

Filesize
264KB

Download
memory/1068-226-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1068-228-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/1148-461-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1148-472-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/1148-470-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/1320-176-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/1320-164-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1544-6-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/1544-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1616-124-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1616-131-0x0000000000260000-0x00000000002A2000-memory.dmp

Filesize
264KB

Download
memory/1720-137-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1720-145-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/1748-285-0x00000000002F0000-0x0000000000332000-memory.dmp

Filesize
264KB

Download
memory/1748-284-0x00000000002F0000-0x0000000000332000-memory.dmp

Filesize
264KB

Download
memory/1748-278-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1848-207-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1848-219-0x0000000000280000-0x00000000002C2000-memory.dmp

Filesize
264KB

Download
memory/1924-255-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/1924-256-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/1924-242-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1932-367-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1932-372-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/1932-373-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/2036-307-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/2036-306-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/2036-301-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2120-178-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2120-191-0x0000000000290000-0x00000000002D2000-memory.dmp

Filesize
264KB

Download
memory/2140-96-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2200-459-0x0000000000330000-0x0000000000372000-memory.dmp

Filesize
264KB

Download
memory/2200-460-0x0000000000330000-0x0000000000372000-memory.dmp

Filesize
264KB

Download
memory/2200-450-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2212-408-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2212-395-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2212-409-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2232-323-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2232-328-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2232-329-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2264-240-0x0000000000290000-0x00000000002D2000-memory.dmp

Filesize
264KB

Download
memory/2264-241-0x0000000000290000-0x00000000002D2000-memory.dmp

Filesize
264KB

Download
memory/2312-263-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/2312-257-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2312-262-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/2372-299-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/2372-300-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/2372-286-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2460-264-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2460-273-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/2460-274-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/2508-416-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/2508-412-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/2508-410-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2544-352-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2544-365-0x0000000000270000-0x00000000002B2000-memory.dmp

Filesize
264KB

Download
memory/2544-366-0x0000000000270000-0x00000000002B2000-memory.dmp

Filesize
264KB

Download
memory/2576-330-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2576-344-0x0000000000320000-0x0000000000362000-memory.dmp

Filesize
264KB

Download
memory/2576-343-0x0000000000320000-0x0000000000362000-memory.dmp

Filesize
264KB

Download
memory/2588-46-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2652-117-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/2652-109-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2684-21-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/2684-18-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2776-54-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2776-66-0x00000000003B0000-0x00000000003F2000-memory.dmp

Filesize
264KB

Download
memory/2800-320-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2800-308-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2800-322-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2808-345-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2808-350-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/2808-351-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/2884-438-0x00000000002F0000-0x0000000000332000-memory.dmp

Filesize
264KB

Download
memory/2884-437-0x00000000002F0000-0x0000000000332000-memory.dmp

Filesize
264KB

Download
memory/2884-432-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2916-45-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2916-32-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2972-158-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/3000-80-0x00000000002A0000-0x00000000002E2000-memory.dmp

Filesize
264KB

Download
memory/3000-68-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3024-374-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3024-387-0x0000000000310000-0x0000000000352000-memory.dmp

Filesize
264KB

Download
memory/3064-192-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3064-205-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/3064-204-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads