249bd0e1f47297c24a589054a4d0f033548c0e4b854776dbc4899ac62e9261f2

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/08/2024, 22:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79f670f569f3bc41cd136655c5644fa0N.exe
Size

93KB
MD5

79f670f569f3bc41cd136655c5644fa0
SHA1

d08f5436b23fc0499605f728d4b3f5ebcb89fe3d
SHA256

249bd0e1f47297c24a589054a4d0f033548c0e4b854776dbc4899ac62e9261f2
SHA512

33efe6c47d1b76b1e26fd12a9b0a3c55bd63c5c66868effd7615556f5035608b73a343dfdaca741f00efa5e07063ecdd531504a09c40496d9abfe7d7110e76d5
SSDEEP

1536:vh11Vr1UTrJBh2Ev3b7V/BywlPKjyFumpXymNBLMTDOuyYENHeohK5yb+BoR7sxf:vhB12rJBjvLywNKgtlI/yNHayYoU4wdJ

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcjdam32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfaigclq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbhildae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dahfkimd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcnlnaom.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dncpkjoc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	79f670f569f3bc41cd136655c5644fa0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bbhildae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejlnfjbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eafbmgad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgnjqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ciihjmcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dnngpj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eafbmgad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fncibg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpcgpihi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bbaclegm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cienon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fbaahf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Babcil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdmoafdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eqmlccdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmggingc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgiohbfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddmhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Egegjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gcjdam32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edoencdm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ejlnfjbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eqkondfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fkgillpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gdiakp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfbbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dcnlnaom.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egbken32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbfkceca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gjaphgpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Calfpk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fncibg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkgillpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgdncplk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjeplijj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdmaoahm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmdkcnie.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmggingc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bphqji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgfbbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dcffnbee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gjcmngnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciihjmcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgpeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eaaiahei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ejccgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgpeha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnngpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fnhbmgmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcekfnkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fcekfnkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmladm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdolgfbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cacmpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dphiaffa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Binhnomg.exe

Executes dropped EXE 64 IoCs

pid	Process
5116	Bmdkcnie.exe
3984	Bpcgpihi.exe
3112	Bbaclegm.exe
2328	Bjhkmbho.exe
1580	Bmggingc.exe
2240	Babcil32.exe
4812	Binhnomg.exe
3140	Bphqji32.exe
1148	Bfaigclq.exe
1752	Bmladm32.exe
1084	Bbhildae.exe
228	Cmnnimak.exe
2100	Cdhffg32.exe
2356	Cgfbbb32.exe
1496	Cienon32.exe
64	Calfpk32.exe
948	Cdjblf32.exe
3960	Cgiohbfi.exe
5032	Cdmoafdb.exe
4932	Ciihjmcj.exe
3732	Cdolgfbp.exe
1896	Ccblbb32.exe
3704	Cacmpj32.exe
384	Dgpeha32.exe
2648	Dphiaffa.exe
736	Dcffnbee.exe
2552	Dahfkimd.exe
4584	Dgdncplk.exe
2668	Dnngpj32.exe
2728	Dpmcmf32.exe
3436	Djegekil.exe
2364	Dnqcfjae.exe
744	Dcnlnaom.exe
3240	Djgdkk32.exe
2784	Dncpkjoc.exe
5020	Ddmhhd32.exe
928	Dcphdqmj.exe
1272	Eaaiahei.exe
3088	Edoencdm.exe
2376	Ejlnfjbd.exe
2336	Epffbd32.exe
3592	Ekljpm32.exe
4736	Eafbmgad.exe
4044	Eddnic32.exe
516	Egbken32.exe
2880	Eqkondfl.exe
4320	Egegjn32.exe
4768	Ejccgi32.exe
4164	Eqmlccdi.exe
1972	Fggdpnkf.exe
3672	Fjeplijj.exe
1128	Fqphic32.exe
4312	Fgiaemic.exe
2860	Fncibg32.exe
3052	Fdmaoahm.exe
4896	Fkgillpj.exe
2136	Fbaahf32.exe
4172	Fgnjqm32.exe
4336	Fnhbmgmk.exe
3208	Fcekfnkb.exe
1576	Fjocbhbo.exe
5132	Fbfkceca.exe
5172	Gcghkm32.exe
5212	Gjaphgpl.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ldbhiiol.dll	79f670f569f3bc41cd136655c5644fa0N.exe
File created	C:\Windows\SysWOW64\Cdhffg32.exe	Cmnnimak.exe
File created	C:\Windows\SysWOW64\Dcffnbee.exe	Dphiaffa.exe
File created	C:\Windows\SysWOW64\Dikifc32.dll	Dcphdqmj.exe
File opened for modification	C:\Windows\SysWOW64\Eafbmgad.exe	Ekljpm32.exe
File created	C:\Windows\SysWOW64\Ojimfh32.dll	Ejccgi32.exe
File created	C:\Windows\SysWOW64\Hjmgbm32.dll	Gjficg32.exe
File opened for modification	C:\Windows\SysWOW64\Ejccgi32.exe	Egegjn32.exe
File created	C:\Windows\SysWOW64\Iolgql32.dll	Fgnjqm32.exe
File opened for modification	C:\Windows\SysWOW64\Gqkhda32.exe	Gjaphgpl.exe
File opened for modification	C:\Windows\SysWOW64\Dcphdqmj.exe	Ddmhhd32.exe
File created	C:\Windows\SysWOW64\Ejccgi32.exe	Egegjn32.exe
File created	C:\Windows\SysWOW64\Dmfbkh32.dll	Gqkhda32.exe
File created	C:\Windows\SysWOW64\Bmladm32.exe	Bfaigclq.exe
File created	C:\Windows\SysWOW64\Nmlpen32.dll	Dcnlnaom.exe
File opened for modification	C:\Windows\SysWOW64\Ejlnfjbd.exe	Edoencdm.exe
File opened for modification	C:\Windows\SysWOW64\Eddnic32.exe	Eafbmgad.exe
File created	C:\Windows\SysWOW64\Ccblbb32.exe	Cdolgfbp.exe
File created	C:\Windows\SysWOW64\Dgpeha32.exe	Cacmpj32.exe
File created	C:\Windows\SysWOW64\Ddmhhd32.exe	Dncpkjoc.exe
File created	C:\Windows\SysWOW64\Cgilho32.dll	Epffbd32.exe
File created	C:\Windows\SysWOW64\Cdolgfbp.exe	Ciihjmcj.exe
File opened for modification	C:\Windows\SysWOW64\Ddmhhd32.exe	Dncpkjoc.exe
File created	C:\Windows\SysWOW64\Fbaahf32.exe	Fkgillpj.exe
File created	C:\Windows\SysWOW64\Paifdeda.dll	Gcjdam32.exe
File created	C:\Windows\SysWOW64\Fekmfnbj.dll	Bbaclegm.exe
File created	C:\Windows\SysWOW64\Dahfkimd.exe	Dcffnbee.exe
File opened for modification	C:\Windows\SysWOW64\Babcil32.exe	Bmggingc.exe
File created	C:\Windows\SysWOW64\Bbhildae.exe	Bmladm32.exe
File created	C:\Windows\SysWOW64\Nppbddqg.dll	Cdolgfbp.exe
File created	C:\Windows\SysWOW64\Dncpkjoc.exe	Djgdkk32.exe
File created	C:\Windows\SysWOW64\Fbjbac32.dll	Eafbmgad.exe
File created	C:\Windows\SysWOW64\Fjocbhbo.exe	Fcekfnkb.exe
File created	C:\Windows\SysWOW64\Nhbjnc32.dll	Eddnic32.exe
File created	C:\Windows\SysWOW64\Kcpcgc32.dll	Dnqcfjae.exe
File opened for modification	C:\Windows\SysWOW64\Gjficg32.exe	Gdiakp32.exe
File created	C:\Windows\SysWOW64\Bcidlo32.dll	Cdhffg32.exe
File created	C:\Windows\SysWOW64\Dpmcmf32.exe	Dnngpj32.exe
File created	C:\Windows\SysWOW64\Bailkjga.dll	Dnngpj32.exe
File opened for modification	C:\Windows\SysWOW64\Fgiaemic.exe	Fqphic32.exe
File created	C:\Windows\SysWOW64\Bbaclegm.exe	Bpcgpihi.exe
File created	C:\Windows\SysWOW64\Cdmoafdb.exe	Cgiohbfi.exe
File created	C:\Windows\SysWOW64\Bkodbfgo.dll	Dgpeha32.exe
File opened for modification	C:\Windows\SysWOW64\Dnngpj32.exe	Dgdncplk.exe
File created	C:\Windows\SysWOW64\Fjeplijj.exe	Fggdpnkf.exe
File created	C:\Windows\SysWOW64\Fcekfnkb.exe	Fnhbmgmk.exe
File created	C:\Windows\SysWOW64\Gcghkm32.exe	Fbfkceca.exe
File created	C:\Windows\SysWOW64\Elekoe32.dll	Bmdkcnie.exe
File opened for modification	C:\Windows\SysWOW64\Cdhffg32.exe	Cmnnimak.exe
File opened for modification	C:\Windows\SysWOW64\Dnqcfjae.exe	Djegekil.exe
File created	C:\Windows\SysWOW64\Ncjiib32.dll	Djgdkk32.exe
File created	C:\Windows\SysWOW64\Eacdhhjj.dll	Fggdpnkf.exe
File opened for modification	C:\Windows\SysWOW64\Bpcgpihi.exe	Bmdkcnie.exe
File created	C:\Windows\SysWOW64\Fcanfh32.dll	Bmggingc.exe
File created	C:\Windows\SysWOW64\Cienon32.exe	Cgfbbb32.exe
File opened for modification	C:\Windows\SysWOW64\Eaaiahei.exe	Dcphdqmj.exe
File opened for modification	C:\Windows\SysWOW64\Gbmadd32.exe	Gjficg32.exe
File created	C:\Windows\SysWOW64\Cdjblf32.exe	Calfpk32.exe
File opened for modification	C:\Windows\SysWOW64\Dphiaffa.exe	Dgpeha32.exe
File opened for modification	C:\Windows\SysWOW64\Dgdncplk.exe	Dahfkimd.exe
File created	C:\Windows\SysWOW64\Epffbd32.exe	Ejlnfjbd.exe
File opened for modification	C:\Windows\SysWOW64\Fqphic32.exe	Fjeplijj.exe
File created	C:\Windows\SysWOW64\Qjfpkhpm.dll	Gcghkm32.exe
File created	C:\Windows\SysWOW64\Dnngpj32.exe	Dgdncplk.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5580	5476	WerFault.exe	163

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgnjqm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbfkceca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gcghkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dphiaffa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejlnfjbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqmlccdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fggdpnkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqphic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gjaphgpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	79f670f569f3bc41cd136655c5644fa0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmladm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejccgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgpeha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dahfkimd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gcjdam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gjcmngnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbhildae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cienon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdjblf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eafbmgad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calfpk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdolgfbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edoencdm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfbbb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpmcmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgiohbfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnhbmgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gqkhda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fncibg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkgillpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcekfnkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmdkcnie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcffnbee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgdkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacmpj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egbken32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgdncplk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djegekil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dncpkjoc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmhhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bphqji32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnnimak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccblbb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpcgpihi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eaaiahei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epffbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfaigclq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdmoafdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcphdqmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqkondfl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gdiakp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmggingc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnngpj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcnlnaom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjhkmbho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhffg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdmaoahm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbaahf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjocbhbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gbmadd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Babcil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjeplijj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgiaemic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Binhnomg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eacdhhjj.dll"	Fggdpnkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bpcgpihi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcominjm.dll"	Bmladm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdhffg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddmhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddmhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dcphdqmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dcffnbee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dahfkimd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dncpkjoc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gcjdam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eaaiahei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fjeplijj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fgnjqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bphqji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fggdpnkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fgnjqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjaofnii.dll"	Binhnomg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Egbken32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fcekfnkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fjocbhbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhbjnc32.dll"	Eddnic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ejlnfjbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eqkondfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fdmaoahm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gjcmngnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikpndppf.dll"	Dpmcmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dpmcmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnhpfk32.dll"	Dncpkjoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhaiafem.dll"	Ejlnfjbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fbaahf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fbfkceca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ccblbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkodbfgo.dll"	Dgpeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iocmhlca.dll"	Bpcgpihi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdhffg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Binhnomg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bailkjga.dll"	Dnngpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dnngpj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eqkondfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	79f670f569f3bc41cd136655c5644fa0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgiohbfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eafbmgad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fachkklb.dll"	Fnhbmgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gjficg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	79f670f569f3bc41cd136655c5644fa0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnmanm32.dll"	Cgfbbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okkbgpmc.dll"	Fqphic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fbaahf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eaaiahei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eddnic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kplqhmfl.dll"	Egegjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fdmaoahm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fcekfnkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fjocbhbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldbhiiol.dll"	79f670f569f3bc41cd136655c5644fa0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cienon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emjnfn32.dll"	Gdiakp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmladm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ekljpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifcnk32.dll"	Gjaphgpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	79f670f569f3bc41cd136655c5644fa0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Epffbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fkgillpj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 5116	2180	79f670f569f3bc41cd136655c5644fa0N.exe	91
PID 2180 wrote to memory of 5116	2180	79f670f569f3bc41cd136655c5644fa0N.exe	91
PID 2180 wrote to memory of 5116	2180	79f670f569f3bc41cd136655c5644fa0N.exe	91
PID 5116 wrote to memory of 3984	5116	Bmdkcnie.exe	92
PID 5116 wrote to memory of 3984	5116	Bmdkcnie.exe	92
PID 5116 wrote to memory of 3984	5116	Bmdkcnie.exe	92
PID 3984 wrote to memory of 3112	3984	Bpcgpihi.exe	93
PID 3984 wrote to memory of 3112	3984	Bpcgpihi.exe	93
PID 3984 wrote to memory of 3112	3984	Bpcgpihi.exe	93
PID 3112 wrote to memory of 2328	3112	Bbaclegm.exe	94
PID 3112 wrote to memory of 2328	3112	Bbaclegm.exe	94
PID 3112 wrote to memory of 2328	3112	Bbaclegm.exe	94
PID 2328 wrote to memory of 1580	2328	Bjhkmbho.exe	95
PID 2328 wrote to memory of 1580	2328	Bjhkmbho.exe	95
PID 2328 wrote to memory of 1580	2328	Bjhkmbho.exe	95
PID 1580 wrote to memory of 2240	1580	Bmggingc.exe	96
PID 1580 wrote to memory of 2240	1580	Bmggingc.exe	96
PID 1580 wrote to memory of 2240	1580	Bmggingc.exe	96
PID 2240 wrote to memory of 4812	2240	Babcil32.exe	97
PID 2240 wrote to memory of 4812	2240	Babcil32.exe	97
PID 2240 wrote to memory of 4812	2240	Babcil32.exe	97
PID 4812 wrote to memory of 3140	4812	Binhnomg.exe	98
PID 4812 wrote to memory of 3140	4812	Binhnomg.exe	98
PID 4812 wrote to memory of 3140	4812	Binhnomg.exe	98
PID 3140 wrote to memory of 1148	3140	Bphqji32.exe	99
PID 3140 wrote to memory of 1148	3140	Bphqji32.exe	99
PID 3140 wrote to memory of 1148	3140	Bphqji32.exe	99
PID 1148 wrote to memory of 1752	1148	Bfaigclq.exe	100
PID 1148 wrote to memory of 1752	1148	Bfaigclq.exe	100
PID 1148 wrote to memory of 1752	1148	Bfaigclq.exe	100
PID 1752 wrote to memory of 1084	1752	Bmladm32.exe	101
PID 1752 wrote to memory of 1084	1752	Bmladm32.exe	101
PID 1752 wrote to memory of 1084	1752	Bmladm32.exe	101
PID 1084 wrote to memory of 228	1084	Bbhildae.exe	102
PID 1084 wrote to memory of 228	1084	Bbhildae.exe	102
PID 1084 wrote to memory of 228	1084	Bbhildae.exe	102
PID 228 wrote to memory of 2100	228	Cmnnimak.exe	103
PID 228 wrote to memory of 2100	228	Cmnnimak.exe	103
PID 228 wrote to memory of 2100	228	Cmnnimak.exe	103
PID 2100 wrote to memory of 2356	2100	Cdhffg32.exe	104
PID 2100 wrote to memory of 2356	2100	Cdhffg32.exe	104
PID 2100 wrote to memory of 2356	2100	Cdhffg32.exe	104
PID 2356 wrote to memory of 1496	2356	Cgfbbb32.exe	105
PID 2356 wrote to memory of 1496	2356	Cgfbbb32.exe	105
PID 2356 wrote to memory of 1496	2356	Cgfbbb32.exe	105
PID 1496 wrote to memory of 64	1496	Cienon32.exe	107
PID 1496 wrote to memory of 64	1496	Cienon32.exe	107
PID 1496 wrote to memory of 64	1496	Cienon32.exe	107
PID 64 wrote to memory of 948	64	Calfpk32.exe	108
PID 64 wrote to memory of 948	64	Calfpk32.exe	108
PID 64 wrote to memory of 948	64	Calfpk32.exe	108
PID 948 wrote to memory of 3960	948	Cdjblf32.exe	109
PID 948 wrote to memory of 3960	948	Cdjblf32.exe	109
PID 948 wrote to memory of 3960	948	Cdjblf32.exe	109
PID 3960 wrote to memory of 5032	3960	Cgiohbfi.exe	110
PID 3960 wrote to memory of 5032	3960	Cgiohbfi.exe	110
PID 3960 wrote to memory of 5032	3960	Cgiohbfi.exe	110
PID 5032 wrote to memory of 4932	5032	Cdmoafdb.exe	111
PID 5032 wrote to memory of 4932	5032	Cdmoafdb.exe	111
PID 5032 wrote to memory of 4932	5032	Cdmoafdb.exe	111
PID 4932 wrote to memory of 3732	4932	Ciihjmcj.exe	113
PID 4932 wrote to memory of 3732	4932	Ciihjmcj.exe	113
PID 4932 wrote to memory of 3732	4932	Ciihjmcj.exe	113
PID 3732 wrote to memory of 1896	3732	Cdolgfbp.exe	114

C:\Users\Admin\AppData\Local\Temp\79f670f569f3bc41cd136655c5644fa0N.exe
"C:\Users\Admin\AppData\Local\Temp\79f670f569f3bc41cd136655c5644fa0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\SysWOW64\Bmdkcnie.exe
  C:\Windows\system32\Bmdkcnie.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5116
- - C:\Windows\SysWOW64\Bpcgpihi.exe
    C:\Windows\system32\Bpcgpihi.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3984
  - - C:\Windows\SysWOW64\Bbaclegm.exe
      C:\Windows\system32\Bbaclegm.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3112
    - - C:\Windows\SysWOW64\Bjhkmbho.exe
        
        C:\Windows\system32\Bjhkmbho.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2328
      - C:\Windows\SysWOW64\Bmggingc.exe
        
        C:\Windows\system32\Bmggingc.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\SysWOW64\Babcil32.exe
        
        C:\Windows\system32\Babcil32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\SysWOW64\Binhnomg.exe
        
        C:\Windows\system32\Binhnomg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4812
        
        C:\Windows\SysWOW64\Bphqji32.exe
        
        C:\Windows\system32\Bphqji32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3140
        
        C:\Windows\SysWOW64\Bfaigclq.exe
        
        C:\Windows\system32\Bfaigclq.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1148
        
        C:\Windows\SysWOW64\Bmladm32.exe
        
        C:\Windows\system32\Bmladm32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\SysWOW64\Bbhildae.exe
        
        C:\Windows\system32\Bbhildae.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\SysWOW64\Cmnnimak.exe
        
        C:\Windows\system32\Cmnnimak.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Windows\SysWOW64\Cdhffg32.exe
        
        C:\Windows\system32\Cdhffg32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\Cgfbbb32.exe
        
        C:\Windows\system32\Cgfbbb32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\SysWOW64\Cienon32.exe
        
        C:\Windows\system32\Cienon32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\SysWOW64\Calfpk32.exe
        
        C:\Windows\system32\Calfpk32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:64
        
        C:\Windows\SysWOW64\Cdjblf32.exe
        
        C:\Windows\system32\Cdjblf32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Windows\SysWOW64\Cgiohbfi.exe
        
        C:\Windows\system32\Cgiohbfi.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3960
        
        C:\Windows\SysWOW64\Cdmoafdb.exe
        
        C:\Windows\system32\Cdmoafdb.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\SysWOW64\Ciihjmcj.exe
        
        C:\Windows\system32\Ciihjmcj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Windows\SysWOW64\Cdolgfbp.exe
        
        C:\Windows\system32\Cdolgfbp.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3732
        
        C:\Windows\SysWOW64\Ccblbb32.exe
        
        C:\Windows\system32\Ccblbb32.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1896
        
        C:\Windows\SysWOW64\Cacmpj32.exe
        
        C:\Windows\system32\Cacmpj32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3704
        
        C:\Windows\SysWOW64\Dgpeha32.exe
        
        C:\Windows\system32\Dgpeha32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:384
        
        C:\Windows\SysWOW64\Dphiaffa.exe
        
        C:\Windows\system32\Dphiaffa.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2648
        
        C:\Windows\SysWOW64\Dcffnbee.exe
        
        C:\Windows\system32\Dcffnbee.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:736
        
        C:\Windows\SysWOW64\Dahfkimd.exe
        
        C:\Windows\system32\Dahfkimd.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\Dgdncplk.exe
        
        C:\Windows\system32\Dgdncplk.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4584
        
        C:\Windows\SysWOW64\Dnngpj32.exe
        
        C:\Windows\system32\Dnngpj32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Dpmcmf32.exe
        
        C:\Windows\system32\Dpmcmf32.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2728
        
        C:\Windows\SysWOW64\Djegekil.exe
        
        C:\Windows\system32\Djegekil.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3436
        
        C:\Windows\SysWOW64\Dnqcfjae.exe
        
        C:\Windows\system32\Dnqcfjae.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2364
        
        C:\Windows\SysWOW64\Dcnlnaom.exe
        
        C:\Windows\system32\Dcnlnaom.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:744
        
        C:\Windows\SysWOW64\Djgdkk32.exe
        
        C:\Windows\system32\Djgdkk32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3240
        
        C:\Windows\SysWOW64\Dncpkjoc.exe
        
        C:\Windows\system32\Dncpkjoc.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2784
        
        C:\Windows\SysWOW64\Ddmhhd32.exe
        
        C:\Windows\system32\Ddmhhd32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Dcphdqmj.exe
        
        C:\Windows\system32\Dcphdqmj.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:928
        
        C:\Windows\SysWOW64\Eaaiahei.exe
        
        C:\Windows\system32\Eaaiahei.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1272
        
        C:\Windows\SysWOW64\Edoencdm.exe
        
        C:\Windows\system32\Edoencdm.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3088
        
        C:\Windows\SysWOW64\Ejlnfjbd.exe
        
        C:\Windows\system32\Ejlnfjbd.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2376
        
        C:\Windows\SysWOW64\Epffbd32.exe
        
        C:\Windows\system32\Epffbd32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2336
        
        C:\Windows\SysWOW64\Ekljpm32.exe
        
        C:\Windows\system32\Ekljpm32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3592
        
        C:\Windows\SysWOW64\Eafbmgad.exe
        
        C:\Windows\system32\Eafbmgad.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4736
        
        C:\Windows\SysWOW64\Eddnic32.exe
        
        C:\Windows\system32\Eddnic32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4044
        
        C:\Windows\SysWOW64\Egbken32.exe
        
        C:\Windows\system32\Egbken32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:516
        
        C:\Windows\SysWOW64\Eqkondfl.exe
        
        C:\Windows\system32\Eqkondfl.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2880
        
        C:\Windows\SysWOW64\Egegjn32.exe
        
        C:\Windows\system32\Egegjn32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Ejccgi32.exe
        
        C:\Windows\system32\Ejccgi32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4768
        
        C:\Windows\SysWOW64\Eqmlccdi.exe
        
        C:\Windows\system32\Eqmlccdi.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4164
        
        C:\Windows\SysWOW64\Fggdpnkf.exe
        
        C:\Windows\system32\Fggdpnkf.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1972
        
        C:\Windows\SysWOW64\Fjeplijj.exe
        
        C:\Windows\system32\Fjeplijj.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3672
        
        C:\Windows\SysWOW64\Fqphic32.exe
        
        C:\Windows\system32\Fqphic32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1128
        
        C:\Windows\SysWOW64\Fgiaemic.exe
        
        C:\Windows\system32\Fgiaemic.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4312
        
        C:\Windows\SysWOW64\Fncibg32.exe
        
        C:\Windows\system32\Fncibg32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Windows\SysWOW64\Fdmaoahm.exe
        
        C:\Windows\system32\Fdmaoahm.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Fkgillpj.exe
        
        C:\Windows\system32\Fkgillpj.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Fbaahf32.exe
        
        C:\Windows\system32\Fbaahf32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2136
        
        C:\Windows\SysWOW64\Fgnjqm32.exe
        
        C:\Windows\system32\Fgnjqm32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4172
        
        C:\Windows\SysWOW64\Fnhbmgmk.exe
        
        C:\Windows\system32\Fnhbmgmk.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\Fcekfnkb.exe
        
        C:\Windows\system32\Fcekfnkb.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3208
        
        C:\Windows\SysWOW64\Fjocbhbo.exe
        
        C:\Windows\system32\Fjocbhbo.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1576
        
        C:\Windows\SysWOW64\Fbfkceca.exe
        
        C:\Windows\system32\Fbfkceca.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Gcghkm32.exe
        
        C:\Windows\system32\Gcghkm32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5172
        
        C:\Windows\SysWOW64\Gjaphgpl.exe
        
        C:\Windows\system32\Gjaphgpl.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Gqkhda32.exe
        
        C:\Windows\system32\Gqkhda32.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5252
        
        C:\Windows\SysWOW64\Gcjdam32.exe
        
        C:\Windows\system32\Gcjdam32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5300
        
        C:\Windows\SysWOW64\Gjcmngnj.exe
        
        C:\Windows\system32\Gjcmngnj.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Gdiakp32.exe
        
        C:\Windows\system32\Gdiakp32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Gjficg32.exe
        
        C:\Windows\system32\Gjficg32.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Gbmadd32.exe
        
        C:\Windows\system32\Gbmadd32.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:5476
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5476 -s 412
        72⤵
        Program crash
        
        PID:5580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5476 -ip 5476
1⤵
PID:5544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4344,i,11391966286255097843,10588851088187498028,262144 --variations-seed-version --mojo-platform-channel-handle=3904 /prefetch:8
1⤵
PID:5968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Babcil32.exe

Filesize
93KB

MD5
31e23aee0fa1882b587e8967e1bc1906

SHA1
8ffae4518a89f09db9723b18167b828054b8afbc

SHA256
2d821bae3730ac04156109e7b18c8cf8f2f3d10973e5ef5e0919fc709fba0642

SHA512
a85255928dd7cfeea5b5b00ee331a80087f01add8fca4558bccfc3773751d7cf78aa8ada0aad4e2ce71606e267ecd37dce2a2668634947bdd06cba46459b27f7

Download Submit
C:\Windows\SysWOW64\Bbaclegm.exe

Filesize
93KB

MD5
b1311c1c76505c5ab7cb74c344f2dc43

SHA1
68ec3ad21b849a4394cd31e55052279b3d0bdb7f

SHA256
9ebb4836dc62bb70cb872aa47386674edc02d7180223b846fa7c9a19834cc83e

SHA512
43d13036c9fe5025f48027766050b1837fb867a4655b05a686e1a2bf6adb66aa433720a5e752f980014ca182da3dc5cc38dc9651a758091508bbf4c523f3551f

Download Submit
C:\Windows\SysWOW64\Bbhildae.exe

Filesize
93KB

MD5
32601f1c29f084d3737dd0ab64ef9b0c

SHA1
91bb25ed9598db5b2122bf044437e6dadfa8a06e

SHA256
f4b4169b00c39642f9e4109ede62d8c699f49f88121dea82fc4abaa7537e8818

SHA512
8e801a273d12845fe0381532cb28ae9d989efa125c2a6a12252fc23ce93930904062817ab02bd4a167d67358db236eb637fbb131dbb323344feb5119bba4b5cf

Download Submit
C:\Windows\SysWOW64\Bbhildae.exe

Filesize
93KB

MD5
008aa7e1bb873ad409df088617e6d473

SHA1
7e88866450e0827d712eda8e29459866683e81f5

SHA256
641acd987db7df4fd96944e1b1aacdd8605b469025f82a2f1b9dae6d6d2167fe

SHA512
477fba9599f5afcebada866b5e5bb21e182eff0dd1fed123a40fe8ca82ce6d2a7b2e2b691ca28a5a49a6fb5d086ecef08050947f3850a2cf2f1549e3d44abbad

Download Submit
C:\Windows\SysWOW64\Bfaigclq.exe

Filesize
93KB

MD5
f9b033c0565118a8faf5ba974da8c02a

SHA1
6a0d3195a03507eef14c699044c9cf36f7b4f2cd

SHA256
b21c4ce6a056860c22af5639cb111ca70a973f66bd6294d89583d974e9ec1b5f

SHA512
24fca86ad777f3e88e72379142b7a13b89bd9f0a115bee3ccb847118aef6cb6082ee21b4e75e655d643640b119f9c3c5ac02e4e38ba4d25894947b22a210a51e

Download Submit
C:\Windows\SysWOW64\Binhnomg.exe

Filesize
93KB

MD5
663c5878696888bd550ca0e5047408cd

SHA1
3c629e308aabbfef6809c9eea8511bde82c11341

SHA256
6f3d0fa7e2f542d60c7dc00d62d3dbc9ec9685e1d38c68ff97284ec6d95e8acf

SHA512
9ac054bee772424189435fc83681507f16b759365f3ec83ce307ba8af4094d19681f56e23309d841eba487517ad88bcb649d5f6395efe428d5f63b375b01de6b

Download Submit
C:\Windows\SysWOW64\Bjhkmbho.exe

Filesize
93KB

MD5
5fc86bbf9b832343439de517f4a9c40f

SHA1
e5070e90be03ce0a7aa22e79a10db26d2753c19b

SHA256
544c975102f0a78a076ac01f61783861d22ae296713dd0399c2d0087ef4b2983

SHA512
f9fc3d661e10f348115faf61d4a96faea81230180fbb61c9e45049b5fab53718db83075e0e5d131b1f70807d352b4e02f01ae8f3e17d1e2ae6cd99a769fbc220

Download Submit
C:\Windows\SysWOW64\Bmdkcnie.exe

Filesize
93KB

MD5
3ffb844a50a2f896d0f5cc206b708490

SHA1
96799a9bb3e0f25ef051802ea83186895ea192ce

SHA256
1e4ba64e8fe45c2094c19941a5c36e4dd55f4f6bd0a7ed5199d205522a14e76a

SHA512
499891ffce4982aca7c3a10b155125033d49bd3a1f9de4ccc97a78172cc9cc70ceeb725bcf9ae43494392b300da307d59facfca925a89c718e6d863f2e38e583

Download Submit
C:\Windows\SysWOW64\Bmggingc.exe

Filesize
93KB

MD5
4ec353076481d497fbf9bdd6f01531ad

SHA1
b7302f2c044044ef63c2103d5d22506d5214a0b6

SHA256
567feaeb3f60357a280fbc4f5a24585c66d78cb513dab511132df93b9819ee2b

SHA512
1ecffa592b386910b4c0c77ff76ef7ade823f01ac27257fd995a59a456955060351dd98d9c6d6aff4f1da5b563a1e9fda142e5f5fd29522337ff4467938ce2c9

Download Submit
C:\Windows\SysWOW64\Bmladm32.exe

Filesize
93KB

MD5
454e81d86c749de3045dce08a4eed377

SHA1
022f18f6f805c264ff1c99ddc94280e68c048839

SHA256
e6d8d92b1c4db15174a3d6db4a6f0681003ec0f6542fc392fc9e8a77bdf4e018

SHA512
1c60db0d017ae2c001bc471e85442e9515fd8f59df2d26e9231c5e3b627ca2322836e550373ab77ed961fd76351e9cf51f29d81aa83ede6911a7a06a1a73928a

Download Submit
C:\Windows\SysWOW64\Bpcgpihi.exe

Filesize
93KB

MD5
3b8056485b67639bb850544bea688bed

SHA1
4b77be0fd37d825a88c729278fc851d3ab3fdb71

SHA256
591880a589d642d2d9883813bd300cd827299ac8b925539c61cebdb22554081b

SHA512
a923c058d8a7c964116cff578578b7b9a6c53c4b59b622a16e796f887c2a189cd91297b5773b9b840b0ac0a15d02ab63cfe4dbc59489a0e067f8386862dfc170

Download Submit
C:\Windows\SysWOW64\Bphqji32.exe

Filesize
93KB

MD5
4a155ea12900d13446c6c2e3e6236ee9

SHA1
a7ce32afe64665f1cd88c5e0723cbe182669fe15

SHA256
78f545764ee1ec7122cc299ca20f382f18f4839c274c6c400c4908af276f6f56

SHA512
d151692e405c58a838261b6484a3d59b2b2e6a9e025615e5eab1ea3ec7350570e05d50110763a6d52461f462fb2e0beef80652629ecf1849a75b66e934f4e25e

Download Submit
C:\Windows\SysWOW64\Cacmpj32.exe

Filesize
93KB

MD5
26fd3962c4d6c68b6a1dc4ee19825d1f

SHA1
09e52e17daffed09cedd13c870b08aa38b1a2084

SHA256
1eb0ca7e11abbb0bfcca636fead8e806f2f5114164b93692edcdba1025118dc8

SHA512
191c1fcd942f602d747ce7cb843c91ac53a5f126af12a96d1c0aee192f4ca44b4283f3fdf72a0ac569183cd51608dc400bc44892da5753e8bae13d41c484839e

Download Submit
C:\Windows\SysWOW64\Calfpk32.exe

Filesize
93KB

MD5
ec5ff6cb62fe9eebc18de05728313521

SHA1
79c50244c7442f0e3460d8419ff704bfe8e43cac

SHA256
7dfe4a96b7a38ba4cab3d34398a7d93d86c595fb0e18b62ef762c927799fd010

SHA512
a9e5109ae9541e04d4653bf57908d012096af41cea4c1cf181ffeb9506ae749de62ea81acaa58843c3be9fb7ddb006172f9e356b2541cb8cf34f55ee77d8e259

Download Submit
C:\Windows\SysWOW64\Ccblbb32.exe

Filesize
93KB

MD5
a4b0640317f7ef7023cbc4d0166de56e

SHA1
66590473669a3026fd8ea5a259c68481688fbf42

SHA256
d05ba3c3dcebf327321e6fccd0ca824d51ab18447de1b25916dc5d6edf24255f

SHA512
26c821d9b831c33447b156610cad77867bd9c95b9a87e690e77ca08742b48c6fef5a5558bf7d817043aa1771c0e94219af70730b556b3de2b022fbe64a58b89f

Download Submit
C:\Windows\SysWOW64\Cdhffg32.exe

Filesize
93KB

MD5
2c0ff3d3dcb8986567b11068f745c2cd

SHA1
69ab25c01c152eb94209e67d08e07ebfa224422b

SHA256
fadaee723ecd93a66d84801e0ac908893c6bbe305e25465d887972f7731d351f

SHA512
4596b8cd6cd4b1a3ecb24609b5794df9242ce3208ab9a3ba51fad77a222f18d5febe1940da83866fda176e00f828b28c15891715524c364a4522583451a6383b

Download Submit
C:\Windows\SysWOW64\Cdjblf32.exe

Filesize
93KB

MD5
fb75d0f2ab861e4157be45c5b0e4f46f

SHA1
a126ef151462fca033fc352f8f20a121f1131bea

SHA256
1fc2c9c5effc588f3d222ac054f73d2da4e88d74e76377f1d18fa22f0ee1d153

SHA512
97e13cf5b0c3770584e5a21e545f6d25ed37fa8b0f4cc03187b6c80c94e05df2a7a8f2f10a2c60fba8375d855649a65e3fb9bb272440dc62c03ce0c7b108e78e

Download Submit
C:\Windows\SysWOW64\Cdmoafdb.exe

Filesize
93KB

MD5
e9ad3538ee6d0970a108434a3a372f78

SHA1
382d6eec4961c3f7ea7f58718367cc1744ce6a0b

SHA256
2ecbefdd4c66d54b4769cb7a24fcbb6f6f8a401d15bfba07b7445b3b3336ffe0

SHA512
7a94763398a5e79d9a8d2f70e32e72709b4f73d3401962eeffe102a391c5990955feb75b27889b375e150400954ab6cc1a8b202537ec2ee9e3b2b52e74514209

Download Submit
C:\Windows\SysWOW64\Cdolgfbp.exe

Filesize
93KB

MD5
1f016656d42e0e25819adf20b067964e

SHA1
8c566854ec261baafc509745f85f3914e1e9bbe4

SHA256
d18e55809756fc3572ca34efe3e31df9b293cb5cbc70c7f655a50620bb0bee6f

SHA512
d385a51aba597008806f0372be21b93ea2058b030d398095fb191fa165ff9cc0bb84e9a93fd05a358e6b3c0d2364661f86adfdeef4e3073b8f824a9b03c7dfd5

Download Submit
C:\Windows\SysWOW64\Cgfbbb32.exe

Filesize
93KB

MD5
89492b314565f5bbd78b3bb899177160

SHA1
89ece2025879f6ea5d171afadcb825cbf5fa42b3

SHA256
3305365aed8c13769a7fc6201bcf6f508330ca5cb61b0c2dd326c50334a04a0e

SHA512
3df3a436e05b746872e2adc4eee64d5ebe5cb662f86e9599ed6ff9ca19e1ad6172218e358fb2bab697b78e25cab338ddb897da4f98baf5f6e3afd1e95fbe7782

Download Submit
C:\Windows\SysWOW64\Cgiohbfi.exe

Filesize
93KB

MD5
435ab4a0da6b25d28ff8fe6daa9f17a4

SHA1
15a7b248faaa10f30c6b393dd114922ebec31a16

SHA256
bc0b37315fe99af19a734edf6dfcb8f10f0ea143ab33a58597feced0d9b86f4a

SHA512
2a366c4add280f3a09d8676fde0e3b673b1b63deb61e21edfd5475c3d76927aa52f7606d978357bb8aea9ead6c0ec26698b97cfc1f19e7de7f38e7b2b16bfe3c

Download Submit
C:\Windows\SysWOW64\Cienon32.exe

Filesize
93KB

MD5
9d078e354f7abd5aab48fd655f4f5b1c

SHA1
9f15d38609c0b54547d13c1c01c440b8e595c086

SHA256
7124ae0091c502a4853119d4878d551fb937b5295c0d11115f8928b03c87f215

SHA512
9819813df1ba0e79872cb7f24f4024fa23554ee8496d22aeb63ce5b2d0d18e8690120bf5bcdaf205469f4aca02325644c5eee20817d5e7cc55cfdd42b12aa093

Download Submit
C:\Windows\SysWOW64\Ciihjmcj.exe

Filesize
93KB

MD5
3a9f3a12e6191cef2e31792564b3e309

SHA1
98e7abde19cde7235e0b916d195bfc5955d119de

SHA256
dc12b79a5b0eb1e052fe68f5242157a227f3186be5fb89d248baae948e10c3ba

SHA512
51a22ebc7c57ec9e0098dbfbf134792e09a1b004ba08d76d70408deaba293ee404adfe7cf32c1f2c43574507052340151b17756c015827e3e6ae8377adbfc094

Download Submit
C:\Windows\SysWOW64\Cmnnimak.exe

Filesize
93KB

MD5
7a3c05138ee1d8a1f99cae21c216b070

SHA1
7bfecdca3c7b22f6bc4e507c91fc2b7cc711451e

SHA256
2e3e5dba5cb45900c9075a60b692244be8c78d3ca517c3150ee561d84db278ad

SHA512
88c92aacdb96617a5eb74249461d316dea0e249a6c1001c3856982f55242a0d41972021547fe7eb73ac88d121640723b8d218ded8679e32b1a73c296934836e9

Download Submit
C:\Windows\SysWOW64\Dahfkimd.exe

Filesize
93KB

MD5
51985ec596776b3b3d78726c46c5d277

SHA1
f6c08e25ff9db221097126d39e93041745faffd2

SHA256
6ffec971b6d6d78fd736aed63a2ea694d8215b3cb25510e6a79ca1130fbdb1d0

SHA512
6bc3ce330e41d3694bd6e6314a235ef6d7c12889238be96785f8fe661389d1514871c81c333d644fc10f92f27fd254da1c2e3d841330354b6d64434f3192d8af

Download Submit
C:\Windows\SysWOW64\Dcffnbee.exe

Filesize
93KB

MD5
a9cd00e97c2130881aeb0b20b1385fe8

SHA1
14cdc9e451f8034c6c90b447098cbdb95ded009e

SHA256
9d5e38fc718e5e28642061b1efee94e8222a5e15d0c923cbbc6e1ed6446687f5

SHA512
dcb68101bec789544a58af349041ede5b3c5b953b4ed865a783e2d1da87727f0b344534ae6caa21f6c3eb4210a2a799f669f18f342f365fc122f3384d131b5a0

Download Submit
C:\Windows\SysWOW64\Dgdncplk.exe

Filesize
93KB

MD5
40901eaa341024e4ab817e415f70ab84

SHA1
9055bbb56fce5200339b870ad16af96102d1a4ef

SHA256
2d76063358918f9393cc4b24a329ddde764ddbfa7da0d59dc85782ea07c990ab

SHA512
1aa34b480009dbd58041ff029367ea96082083419a0a10d4d5a373a595877671d760d3bd38293cbd642350fe7bc85304cac3ee52970bb49898f5167f7043fdcd

Download Submit
C:\Windows\SysWOW64\Dgpeha32.exe

Filesize
93KB

MD5
0a7a37265e8ec1ab1e8cf3be33896600

SHA1
e770dd02448498b03546545252621c22faad84c6

SHA256
0e7934e475f574cb78890b585d733863463dfc455cc714ca782582147ca6da4b

SHA512
3596631db8d5e7fd547b732364f660c1c8d66eea82f6bc6091874e7eec58cf530a0b9d36d68937c731e71a9f51d9243d23f5c8e4e1aba5e46d11690cea65cc52

Download Submit
C:\Windows\SysWOW64\Djegekil.exe

Filesize
93KB

MD5
29c4a90f8917025f4d77dc553334c611

SHA1
8ae93472a38628e445193208b89d87a58f43a938

SHA256
c5379def1d0faaa364c56ba09177c298bff640d8c15c696db33f2b91ca98d0ec

SHA512
bca05d5a2bc32e723ab32503569d38ae0584034d990f5ef73063015a5a425c09a58ae61b8e0a8089e736dd973734eaf477a0788be352162d012c94815ce1df8e

Download Submit
C:\Windows\SysWOW64\Dnngpj32.exe

Filesize
93KB

MD5
d1ccb5501cbf27997a01c11b14e15ba9

SHA1
e869ef1ab0b3e523447be8dcef5803a6df59ab3e

SHA256
3e52d8e9f87b7ca901ff0af7655f6c9b5c578d44930fc4dca1c592b8af9bc23d

SHA512
5f6da16a446cd1ebae926f5d600b070024618961def62b6dbf1ccea82e9991f1aad2cd5032c83edadbc7a49dd7bf78e46f8e2a4a0cb90e91d0592b1953064185

Download Submit
C:\Windows\SysWOW64\Dnqcfjae.exe

Filesize
93KB

MD5
3993790b2aa3420fdcd26c5beb6dc05f

SHA1
48eedba7e2fff506eac2c9104f05294a7df798b0

SHA256
8e2bcb2d1a73024d728afdbdac0d0c9dca4b920008d51b613b2681f756953688

SHA512
338b4b62fef09a3a5ae050502fc183f682fb8d0d0c47bbe45c6c9610660a0a660d8438b81629251b403a98274c8ab27d0b87f2123f51a61efd543fe6d1b92412

Download Submit
C:\Windows\SysWOW64\Dphiaffa.exe

Filesize
93KB

MD5
a6ba7347550822e95eff77edff39f6c6

SHA1
0372a1373dfbc7f19284e70970f386667626e035

SHA256
e09fb43c9e13744127c53392e26974f3641f1c20b5d144228b6a093acf3545a8

SHA512
a2e00ffc1451ca754325f65a0699858eb2ef872138230fcecb914a0bb544e77bc082cffa67f88a19540da902896f697d7e08318c6cbe4e231f55706da9a78432

Download Submit
C:\Windows\SysWOW64\Dpmcmf32.exe

Filesize
93KB

MD5
a2973c4ba34b3ebae110af89db30a860

SHA1
9dd647464bc8f5457e6dc5c41ab7de41e3c2df12

SHA256
6a14fe44f2e4fc6bac6be2d748fb5170cc532e7123a3ce7daf2bc3eb9b440d8d

SHA512
01c2bd7be4fcb7deed7322c0d4923898a0381987ee827d07adb23831a32ef9cf536e1785c3042c7bd2e72026776c7f3fbbb82eb284db09c3845427e07569eca1

Download Submit
C:\Windows\SysWOW64\Fjocbhbo.exe

Filesize
93KB

MD5
74cbf33882a1d10e35278328a9c8545c

SHA1
ea3f7ab95c0bc2e7f1a00ba4a4271fb530bab325

SHA256
44d0e5576d0f547b0b0ac7f37f2ad288a27fe9c693198e7b08a77fd265b6ccb0

SHA512
165d2b93118e8b4365bf1a27eed2a3979cf6e6c8bc9f0c4c0dc03174430801f3ecc0ed50e488d812cf20d096ae6cf22900ddd1cd0e885f6d5bc7eff85c5e6c66

Download Submit
C:\Windows\SysWOW64\Gcjdam32.exe

Filesize
93KB

MD5
5a72cd959bec2562a0a50e8fe564ce0e

SHA1
2af478fbb928a2cb89d93d85cf5a401c9692613d

SHA256
28a1aa6e0c9d25b1a4fd22533ed3b1d3b0c85b10f331cc15f2a513327dc2f9ab

SHA512
e9f9f20226fc556b2a44379127ae4cb3efdac659cce3a68d9e6d631712a1118462eee7fdf812cdd1daafa1038a05f4628af74f9f112048ee59799b555696cd44

Download Submit
C:\Windows\SysWOW64\Gdiakp32.exe

Filesize
93KB

MD5
9ffd791e6213af24de3ad015f511ae9a

SHA1
9056315ec3824e29ea604ecc4ab4f6d5406ff3d0

SHA256
573f5022530894f2bffcbba85266ee3098883b90a2b03b04d40d8e435f4ea13b

SHA512
39c56d9fcfee7014ffa43c8bcdad7cfce3034850a4b150af11587de50cf5fe5b39df2c68118544f9213d151ce42144791eb542c0ea033479d105a8afd090c63c

Download Submit
C:\Windows\SysWOW64\Ijgiemgc.dll

Filesize
7KB

MD5
f99f94a0a4fae1d4275ab51a3a0fb052

SHA1
29891debe8b443444196847a9880d0f2bb2957ef

SHA256
6bea8408cfbea733103238fcd1447072693d171719ea6efd61965b1343c15ae1

SHA512
84650bbe6d0d1133ee10ea2512d4163f63105af1e70bcb8c7c4f4c47153c227959c8b9efe380297d95729eff05a1bddb938dcd0ddd259d521c83feea7c714dc2

Download Submit
memory/64-128-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/228-95-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/384-191-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/516-334-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/516-509-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/736-207-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/744-262-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/928-286-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/948-136-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1084-87-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1128-376-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1128-502-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1148-72-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1272-292-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1496-126-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1576-430-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1576-493-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1580-44-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1752-79-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1896-176-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1972-504-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1972-364-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2100-103-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2136-497-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2136-406-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2180-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2240-48-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2328-36-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2336-310-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2356-112-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2364-255-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2376-304-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2552-215-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2648-199-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2668-236-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2728-239-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2784-279-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2860-388-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2860-500-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2880-508-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2880-340-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3052-394-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3052-499-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3088-298-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3112-27-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3140-63-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3208-494-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3208-424-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3240-272-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3436-248-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3592-316-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3672-503-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3672-370-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3704-183-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3732-168-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3960-143-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3984-16-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4044-328-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4164-505-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4164-358-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4172-412-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4172-496-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4312-501-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4312-382-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4320-507-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4320-346-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4336-418-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4336-495-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4584-223-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4736-322-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4768-506-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4768-352-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4812-56-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4896-498-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4896-400-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4932-160-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5020-285-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5032-151-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5116-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5132-492-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5132-436-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5172-491-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5172-442-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5212-490-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5212-448-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5252-454-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5300-460-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5300-489-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5348-466-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5348-488-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5392-472-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5392-486-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5432-478-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5432-487-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5476-484-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5476-485-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads