002e1ca54b6e525b5fecaa60f42fad9d57c01e70cb6f817e3e8c1053ad617caf

Analysis

max time kernel
114s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

915bdfe4d90ec33004d50abe880939a0N.exe
Size

85KB
MD5

915bdfe4d90ec33004d50abe880939a0
SHA1

a6e17f7402d521806a067902ebfd44e9f7c47808
SHA256

002e1ca54b6e525b5fecaa60f42fad9d57c01e70cb6f817e3e8c1053ad617caf
SHA512

feba10371083ad1099dadf799186520996081a71af6e3478e47635c1091e0221cb0ef78cfc7336df6701a175de653db6d005ef912ff9ce68f5211beca2c61c68
SSDEEP

1536:7dCeXfCprit/wboHy/sFmGWhaXecC2LHr8MQ262AjCsQ2PCZZrqOlNfVSLUK+:FXapriOuwGjX9HgMQH2qC7ZQOlzSLUK+

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egkddo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enhifi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjficg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkqgno32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddhomdje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejagaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jhmhpfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlkafdco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekimjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icachjbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibbcfa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khkdad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eaaiahei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koimbpbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fnffhgon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hccggl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dickplko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilmedf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ihceigec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkegbpca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaopoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhpnlclc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgihop32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnjocf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gndbie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieeimlep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlkafdco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkefmjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gnfooe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ielfgmnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjkdlall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddhomdje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejjaqk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecgodpgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egegjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iapjgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcekfnkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqikob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ilmedf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kocphojh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eaceghcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjcmngnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klddlckd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klddlckd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbkdod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hccggl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Inidkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kajfdk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbqinm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hegmlnbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jblflp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kongmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kahinkaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnconj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dncpkjoc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbhool32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fclhpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	915bdfe4d90ec33004d50abe880939a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecgodpgb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kahinkaf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kemhei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dickplko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icfmci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jblflp32.exe

Executes dropped EXE 64 IoCs

pid	Process
3492	Dickplko.exe
4544	Dajbaika.exe
32	Ddhomdje.exe
2148	Dggkipii.exe
2596	Djegekil.exe
788	Dgihop32.exe
4024	Dncpkjoc.exe
4768	Dpalgenf.exe
3780	Egkddo32.exe
1128	Ejjaqk32.exe
3572	Eaaiahei.exe
1028	Edoencdm.exe
2336	Ekimjn32.exe
4772	Enhifi32.exe
2416	Eaceghcg.exe
440	Ecgodpgb.exe
1844	Ejagaj32.exe
4312	Ecikjoep.exe
2176	Egegjn32.exe
2444	Fclhpo32.exe
824	Fdkdibjp.exe
4432	Fboecfii.exe
1948	Fglnkm32.exe
1536	Fnffhgon.exe
2372	Fdpnda32.exe
2824	Fnhbmgmk.exe
2784	Fdbkja32.exe
2948	Fcekfnkb.exe
3336	Fnjocf32.exe
4364	Fqikob32.exe
2076	Gjaphgpl.exe
4204	Gjcmngnj.exe
1388	Gbkdod32.exe
3904	Gclafmej.exe
4188	Gggmgk32.exe
208	Gjficg32.exe
2208	Gkefmjcj.exe
2192	Gndbie32.exe
1256	Gnfooe32.exe
4032	Hccggl32.exe
3004	Hnhkdd32.exe
4328	Hgapmj32.exe
2332	Hbfdjc32.exe
3012	Hgcmbj32.exe
4920	Hjaioe32.exe
1996	Hegmlnbp.exe
2880	Hjdedepg.exe
4664	Hannao32.exe
3924	Hkcbnh32.exe
1316	Iapjgo32.exe
5020	Ielfgmnj.exe
1548	Ijiopd32.exe
2908	Icachjbb.exe
4588	Ibbcfa32.exe
2020	Ieqpbm32.exe
212	Inidkb32.exe
1200	Iagqgn32.exe
1456	Icfmci32.exe
4656	Ilmedf32.exe
5044	Inkaqb32.exe
3060	Ieeimlep.exe
3992	Ihceigec.exe
780	Ijbbfc32.exe
2896	Jaljbmkd.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Emjnfn32.dll	Gggmgk32.exe
File created	C:\Windows\SysWOW64\Fbbnhl32.dll	Icachjbb.exe
File created	C:\Windows\SysWOW64\Jblflp32.exe	Jjdokb32.exe
File created	C:\Windows\SysWOW64\Ifkqol32.dll	Jlkafdco.exe
File created	C:\Windows\SysWOW64\Gdmkfp32.dll	Dncpkjoc.exe
File created	C:\Windows\SysWOW64\Hjaioe32.exe	Hgcmbj32.exe
File opened for modification	C:\Windows\SysWOW64\Inkaqb32.exe	Ilmedf32.exe
File created	C:\Windows\SysWOW64\Fbbojb32.dll	Kdkoef32.exe
File opened for modification	C:\Windows\SysWOW64\Kdhbpf32.exe	Kajfdk32.exe
File created	C:\Windows\SysWOW64\Dncpkjoc.exe	Dgihop32.exe
File opened for modification	C:\Windows\SysWOW64\Ihceigec.exe	Ieeimlep.exe
File opened for modification	C:\Windows\SysWOW64\Jjgkab32.exe	Jhhodg32.exe
File created	C:\Windows\SysWOW64\Jjmannfj.dll	Jhmhpfmi.exe
File created	C:\Windows\SysWOW64\Jjdokb32.exe	Jdjfohjg.exe
File created	C:\Windows\SysWOW64\Ldnemdgd.dll	Jblflp32.exe
File opened for modification	C:\Windows\SysWOW64\Jjihfbno.exe	Jbncbpqd.exe
File created	C:\Windows\SysWOW64\Jjnmkgom.dll	Djegekil.exe
File created	C:\Windows\SysWOW64\Egkddo32.exe	Dpalgenf.exe
File created	C:\Windows\SysWOW64\Fachkklb.dll	Fdbkja32.exe
File created	C:\Windows\SysWOW64\Obcckehh.dll	Iagqgn32.exe
File opened for modification	C:\Windows\SysWOW64\Jhhodg32.exe	Jejbhk32.exe
File created	C:\Windows\SysWOW64\Lhpnlclc.exe	Leabphmp.exe
File created	C:\Windows\SysWOW64\Edoencdm.exe	Eaaiahei.exe
File created	C:\Windows\SysWOW64\Iolgql32.dll	Fdpnda32.exe
File created	C:\Windows\SysWOW64\Hannao32.exe	Hjdedepg.exe
File opened for modification	C:\Windows\SysWOW64\Ieeimlep.exe	Inkaqb32.exe
File created	C:\Windows\SysWOW64\Dcmnee32.dll	Jjkdlall.exe
File created	C:\Windows\SysWOW64\Kdlmhj32.dll	Ledoegkm.exe
File created	C:\Windows\SysWOW64\Fhjaco32.dll	Lolcnman.exe
File opened for modification	C:\Windows\SysWOW64\Eaaiahei.exe	Ejjaqk32.exe
File opened for modification	C:\Windows\SysWOW64\Fnjocf32.exe	Fcekfnkb.exe
File opened for modification	C:\Windows\SysWOW64\Gnfooe32.exe	Gglfbkin.exe
File created	C:\Windows\SysWOW64\Lqcnhf32.dll	Ielfgmnj.exe
File created	C:\Windows\SysWOW64\Kkegbpca.exe	Kdkoef32.exe
File created	C:\Windows\SysWOW64\Gggmgk32.exe	Gclafmej.exe
File opened for modification	C:\Windows\SysWOW64\Icfmci32.exe	Iagqgn32.exe
File opened for modification	C:\Windows\SysWOW64\Jbncbpqd.exe	Jjgkab32.exe
File opened for modification	C:\Windows\SysWOW64\Khabke32.exe	Kahinkaf.exe
File created	C:\Windows\SysWOW64\Jhhodg32.exe	Jejbhk32.exe
File opened for modification	C:\Windows\SysWOW64\Lhmafcnf.exe	Leoejh32.exe
File opened for modification	C:\Windows\SysWOW64\Ecikjoep.exe	Ejagaj32.exe
File created	C:\Windows\SysWOW64\Akpbem32.dll	Iapjgo32.exe
File created	C:\Windows\SysWOW64\Ilmedf32.exe	Icfmci32.exe
File created	C:\Windows\SysWOW64\Eepbdodb.dll	Jdjfohjg.exe
File created	C:\Windows\SysWOW64\Gqpbcn32.dll	Jjdokb32.exe
File created	C:\Windows\SysWOW64\Gdqeooaa.dll	Jacpcl32.exe
File created	C:\Windows\SysWOW64\Okliqfhj.dll	Gglfbkin.exe
File created	C:\Windows\SysWOW64\Hccggl32.exe	Gnfooe32.exe
File created	C:\Windows\SysWOW64\Inidkb32.exe	Ieqpbm32.exe
File created	C:\Windows\SysWOW64\Dfaadk32.dll	Inkaqb32.exe
File opened for modification	C:\Windows\SysWOW64\Djegekil.exe	Dggkipii.exe
File created	C:\Windows\SysWOW64\Ndnoffic.dll	Kajfdk32.exe
File opened for modification	C:\Windows\SysWOW64\Lbcedmnl.exe	Lklnconj.exe
File created	C:\Windows\SysWOW64\Ieaqqigc.dll	Lhbkac32.exe
File opened for modification	C:\Windows\SysWOW64\Klgqabib.exe	Khkdad32.exe
File created	C:\Windows\SysWOW64\Dikifc32.dll	Ejjaqk32.exe
File created	C:\Windows\SysWOW64\Qmofmb32.dll	Ecgodpgb.exe
File opened for modification	C:\Windows\SysWOW64\Hannao32.exe	Hjdedepg.exe
File created	C:\Windows\SysWOW64\Iapjgo32.exe	Hkcbnh32.exe
File opened for modification	C:\Windows\SysWOW64\Jdjfohjg.exe	Jaljbmkd.exe
File created	C:\Windows\SysWOW64\Hopaik32.dll	Lbebilli.exe
File opened for modification	C:\Windows\SysWOW64\Dggkipii.exe	Ddhomdje.exe
File created	C:\Windows\SysWOW64\Anijgd32.dll	Edoencdm.exe
File created	C:\Windows\SysWOW64\Gndbie32.exe	Gkefmjcj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5864	6036	WerFault.exe	203

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egkddo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jaljbmkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jejbhk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fglnkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnffhgon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbcedmnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gclafmej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fboecfii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jacpcl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koimbpbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdbkja32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gndbie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lknjhokg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hegmlnbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kemhei32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ledoegkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djegekil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hnhkdd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kajfdk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kongmo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkegbpca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieqpbm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khabke32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbhool32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	915bdfe4d90ec33004d50abe880939a0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejjaqk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edoencdm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eaceghcg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gjcmngnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hccggl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inidkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieeimlep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjdokb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejagaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fclhpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdhbpf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kaopoj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddhomdje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dncpkjoc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icachjbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhmhpfmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dickplko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdpnda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ihceigec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijiopd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdkoef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leabphmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpalgenf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hbfdjc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdkdibjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gbkdod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gkefmjcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gnfooe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjaioe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcekfnkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inkaqb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kahinkaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbqinm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lolcnman.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eaaiahei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gglfbkin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kocphojh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhhodg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leoejh32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jhmhpfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkegbpca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kaopoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnimkcjf.dll"	Fglnkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bejceb32.dll"	Fnffhgon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ielfgmnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjgkab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jacpcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Koimbpbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nijmbbnl.dll"	Hnhkdd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icachjbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jaljbmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ompbfo32.dll"	Hannao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiocnbpm.dll"	Ieeimlep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbebilli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	915bdfe4d90ec33004d50abe880939a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eaaiahei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhnbgoib.dll"	Gclafmej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ihceigec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdqeooaa.dll"	Jacpcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kemhei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bekdaogi.dll"	Lbhool32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gclafmej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iapjgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jooeqo32.dll"	Ijiopd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lbebilli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ielfgmnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Inidkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqhomdeb.dll"	Leoejh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhhnfh32.dll"	Ecikjoep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klgqabib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbfdjc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jlkafdco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khabke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncbigo32.dll"	Dpalgenf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lklnconj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfmjjmdm.dll"	Hgcmbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjdokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjkdlall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljnakk32.dll"	Koimbpbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkpnga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Egkddo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paifdeda.dll"	Gjaphgpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nneilmna.dll"	Gjcmngnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbhool32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhjaco32.dll"	Lolcnman.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjaphgpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jacpcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kajfdk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kemhei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Leoejh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnfooh32.dll"	Lknjhokg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iagqgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbncbpqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aomqdipk.dll"	Kkegbpca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lklnconj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djegekil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ihceigec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcmnee32.dll"	Jjkdlall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdhbpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khkdad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbqinm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lolcnman.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjaphgpl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4892 wrote to memory of 3492	4892	915bdfe4d90ec33004d50abe880939a0N.exe	89
PID 4892 wrote to memory of 3492	4892	915bdfe4d90ec33004d50abe880939a0N.exe	89
PID 4892 wrote to memory of 3492	4892	915bdfe4d90ec33004d50abe880939a0N.exe	89
PID 3492 wrote to memory of 4544	3492	Dickplko.exe	90
PID 3492 wrote to memory of 4544	3492	Dickplko.exe	90
PID 3492 wrote to memory of 4544	3492	Dickplko.exe	90
PID 4544 wrote to memory of 32	4544	Dajbaika.exe	91
PID 4544 wrote to memory of 32	4544	Dajbaika.exe	91
PID 4544 wrote to memory of 32	4544	Dajbaika.exe	91
PID 32 wrote to memory of 2148	32	Ddhomdje.exe	92
PID 32 wrote to memory of 2148	32	Ddhomdje.exe	92
PID 32 wrote to memory of 2148	32	Ddhomdje.exe	92
PID 2148 wrote to memory of 2596	2148	Dggkipii.exe	93
PID 2148 wrote to memory of 2596	2148	Dggkipii.exe	93
PID 2148 wrote to memory of 2596	2148	Dggkipii.exe	93
PID 2596 wrote to memory of 788	2596	Djegekil.exe	94
PID 2596 wrote to memory of 788	2596	Djegekil.exe	94
PID 2596 wrote to memory of 788	2596	Djegekil.exe	94
PID 788 wrote to memory of 4024	788	Dgihop32.exe	95
PID 788 wrote to memory of 4024	788	Dgihop32.exe	95
PID 788 wrote to memory of 4024	788	Dgihop32.exe	95
PID 4024 wrote to memory of 4768	4024	Dncpkjoc.exe	96
PID 4024 wrote to memory of 4768	4024	Dncpkjoc.exe	96
PID 4024 wrote to memory of 4768	4024	Dncpkjoc.exe	96
PID 4768 wrote to memory of 3780	4768	Dpalgenf.exe	97
PID 4768 wrote to memory of 3780	4768	Dpalgenf.exe	97
PID 4768 wrote to memory of 3780	4768	Dpalgenf.exe	97
PID 3780 wrote to memory of 1128	3780	Egkddo32.exe	98
PID 3780 wrote to memory of 1128	3780	Egkddo32.exe	98
PID 3780 wrote to memory of 1128	3780	Egkddo32.exe	98
PID 1128 wrote to memory of 3572	1128	Ejjaqk32.exe	99
PID 1128 wrote to memory of 3572	1128	Ejjaqk32.exe	99
PID 1128 wrote to memory of 3572	1128	Ejjaqk32.exe	99
PID 3572 wrote to memory of 1028	3572	Eaaiahei.exe	100
PID 3572 wrote to memory of 1028	3572	Eaaiahei.exe	100
PID 3572 wrote to memory of 1028	3572	Eaaiahei.exe	100
PID 1028 wrote to memory of 2336	1028	Edoencdm.exe	102
PID 1028 wrote to memory of 2336	1028	Edoencdm.exe	102
PID 1028 wrote to memory of 2336	1028	Edoencdm.exe	102
PID 2336 wrote to memory of 4772	2336	Ekimjn32.exe	103
PID 2336 wrote to memory of 4772	2336	Ekimjn32.exe	103
PID 2336 wrote to memory of 4772	2336	Ekimjn32.exe	103
PID 4772 wrote to memory of 2416	4772	Enhifi32.exe	104
PID 4772 wrote to memory of 2416	4772	Enhifi32.exe	104
PID 4772 wrote to memory of 2416	4772	Enhifi32.exe	104
PID 2416 wrote to memory of 440	2416	Eaceghcg.exe	105
PID 2416 wrote to memory of 440	2416	Eaceghcg.exe	105
PID 2416 wrote to memory of 440	2416	Eaceghcg.exe	105
PID 440 wrote to memory of 1844	440	Ecgodpgb.exe	107
PID 440 wrote to memory of 1844	440	Ecgodpgb.exe	107
PID 440 wrote to memory of 1844	440	Ecgodpgb.exe	107
PID 1844 wrote to memory of 4312	1844	Ejagaj32.exe	108
PID 1844 wrote to memory of 4312	1844	Ejagaj32.exe	108
PID 1844 wrote to memory of 4312	1844	Ejagaj32.exe	108
PID 4312 wrote to memory of 2176	4312	Ecikjoep.exe	109
PID 4312 wrote to memory of 2176	4312	Ecikjoep.exe	109
PID 4312 wrote to memory of 2176	4312	Ecikjoep.exe	109
PID 2176 wrote to memory of 2444	2176	Egegjn32.exe	111
PID 2176 wrote to memory of 2444	2176	Egegjn32.exe	111
PID 2176 wrote to memory of 2444	2176	Egegjn32.exe	111
PID 2444 wrote to memory of 824	2444	Fclhpo32.exe	112
PID 2444 wrote to memory of 824	2444	Fclhpo32.exe	112
PID 2444 wrote to memory of 824	2444	Fclhpo32.exe	112
PID 824 wrote to memory of 4432	824	Fdkdibjp.exe	113

C:\Users\Admin\AppData\Local\Temp\915bdfe4d90ec33004d50abe880939a0N.exe
"C:\Users\Admin\AppData\Local\Temp\915bdfe4d90ec33004d50abe880939a0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Windows\SysWOW64\Dickplko.exe
  C:\Windows\system32\Dickplko.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3492
- - C:\Windows\SysWOW64\Dajbaika.exe
    C:\Windows\system32\Dajbaika.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4544
  - - C:\Windows\SysWOW64\Ddhomdje.exe
      C:\Windows\system32\Ddhomdje.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:32
    - - C:\Windows\SysWOW64\Dggkipii.exe
        
        C:\Windows\system32\Dggkipii.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2148
      - C:\Windows\SysWOW64\Djegekil.exe
        
        C:\Windows\system32\Djegekil.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\SysWOW64\Dgihop32.exe
        
        C:\Windows\system32\Dgihop32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:788
        
        C:\Windows\SysWOW64\Dncpkjoc.exe
        
        C:\Windows\system32\Dncpkjoc.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4024
        
        C:\Windows\SysWOW64\Dpalgenf.exe
        
        C:\Windows\system32\Dpalgenf.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4768
        
        C:\Windows\SysWOW64\Egkddo32.exe
        
        C:\Windows\system32\Egkddo32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3780
        
        C:\Windows\SysWOW64\Ejjaqk32.exe
        
        C:\Windows\system32\Ejjaqk32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Windows\SysWOW64\Eaaiahei.exe
        
        C:\Windows\system32\Eaaiahei.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3572
        
        C:\Windows\SysWOW64\Edoencdm.exe
        
        C:\Windows\system32\Edoencdm.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\SysWOW64\Ekimjn32.exe
        
        C:\Windows\system32\Ekimjn32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\SysWOW64\Enhifi32.exe
        
        C:\Windows\system32\Enhifi32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4772
        
        C:\Windows\SysWOW64\Eaceghcg.exe
        
        C:\Windows\system32\Eaceghcg.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\SysWOW64\Ecgodpgb.exe
        
        C:\Windows\system32\Ecgodpgb.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Windows\SysWOW64\Ejagaj32.exe
        
        C:\Windows\system32\Ejagaj32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\SysWOW64\Ecikjoep.exe
        
        C:\Windows\system32\Ecikjoep.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Windows\SysWOW64\Egegjn32.exe
        
        C:\Windows\system32\Egegjn32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\SysWOW64\Fclhpo32.exe
        
        C:\Windows\system32\Fclhpo32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\SysWOW64\Fdkdibjp.exe
        
        C:\Windows\system32\Fdkdibjp.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:824
        
        C:\Windows\SysWOW64\Fboecfii.exe
        
        C:\Windows\system32\Fboecfii.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4432
        
        C:\Windows\SysWOW64\Fglnkm32.exe
        
        C:\Windows\system32\Fglnkm32.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Fnffhgon.exe
        
        C:\Windows\system32\Fnffhgon.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\Fdpnda32.exe
        
        C:\Windows\system32\Fdpnda32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2372
        
        C:\Windows\SysWOW64\Fnhbmgmk.exe
        
        C:\Windows\system32\Fnhbmgmk.exe
        27⤵
        Executes dropped EXE
        
        PID:2824
        
        C:\Windows\SysWOW64\Fdbkja32.exe
        
        C:\Windows\system32\Fdbkja32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2784
        
        C:\Windows\SysWOW64\Fcekfnkb.exe
        
        C:\Windows\system32\Fcekfnkb.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Windows\SysWOW64\Fnjocf32.exe
        
        C:\Windows\system32\Fnjocf32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3336
        
        C:\Windows\SysWOW64\Fqikob32.exe
        
        C:\Windows\system32\Fqikob32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4364
        
        C:\Windows\SysWOW64\Gjaphgpl.exe
        
        C:\Windows\system32\Gjaphgpl.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2076
        
        C:\Windows\SysWOW64\Gjcmngnj.exe
        
        C:\Windows\system32\Gjcmngnj.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4204
        
        C:\Windows\SysWOW64\Gbkdod32.exe
        
        C:\Windows\system32\Gbkdod32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1388
        
        C:\Windows\SysWOW64\Gclafmej.exe
        
        C:\Windows\system32\Gclafmej.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3904
        
        C:\Windows\SysWOW64\Gggmgk32.exe
        
        C:\Windows\system32\Gggmgk32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4188
        
        C:\Windows\SysWOW64\Gjficg32.exe
        
        C:\Windows\system32\Gjficg32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:208
        
        C:\Windows\SysWOW64\Gkefmjcj.exe
        
        C:\Windows\system32\Gkefmjcj.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        C:\Windows\SysWOW64\Gndbie32.exe
        
        C:\Windows\system32\Gndbie32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        C:\Windows\SysWOW64\Gglfbkin.exe
        
        C:\Windows\system32\Gglfbkin.exe
        40⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3344
        
        C:\Windows\SysWOW64\Gnfooe32.exe
        
        C:\Windows\system32\Gnfooe32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1256
        
        C:\Windows\SysWOW64\Hccggl32.exe
        
        C:\Windows\system32\Hccggl32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4032
        
        C:\Windows\SysWOW64\Hnhkdd32.exe
        
        C:\Windows\system32\Hnhkdd32.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\Hgapmj32.exe
        
        C:\Windows\system32\Hgapmj32.exe
        44⤵
        Executes dropped EXE
        
        PID:4328
        
        C:\Windows\SysWOW64\Hbfdjc32.exe
        
        C:\Windows\system32\Hbfdjc32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Hgcmbj32.exe
        
        C:\Windows\system32\Hgcmbj32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3012
        
        C:\Windows\SysWOW64\Hjaioe32.exe
        
        C:\Windows\system32\Hjaioe32.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4920
        
        C:\Windows\SysWOW64\Hegmlnbp.exe
        
        C:\Windows\system32\Hegmlnbp.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1996
        
        C:\Windows\SysWOW64\Hjdedepg.exe
        
        C:\Windows\system32\Hjdedepg.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2880
        
        C:\Windows\SysWOW64\Hannao32.exe
        
        C:\Windows\system32\Hannao32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4664
        
        C:\Windows\SysWOW64\Hkcbnh32.exe
        
        C:\Windows\system32\Hkcbnh32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3924
        
        C:\Windows\SysWOW64\Iapjgo32.exe
        
        C:\Windows\system32\Iapjgo32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1316
        
        C:\Windows\SysWOW64\Ielfgmnj.exe
        
        C:\Windows\system32\Ielfgmnj.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Ijiopd32.exe
        
        C:\Windows\system32\Ijiopd32.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1548
        
        C:\Windows\SysWOW64\Icachjbb.exe
        
        C:\Windows\system32\Icachjbb.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Ibbcfa32.exe
        
        C:\Windows\system32\Ibbcfa32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4588
        
        C:\Windows\SysWOW64\Ieqpbm32.exe
        
        C:\Windows\system32\Ieqpbm32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        C:\Windows\SysWOW64\Inidkb32.exe
        
        C:\Windows\system32\Inidkb32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:212
        
        C:\Windows\SysWOW64\Iagqgn32.exe
        
        C:\Windows\system32\Iagqgn32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1200
        
        C:\Windows\SysWOW64\Icfmci32.exe
        
        C:\Windows\system32\Icfmci32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1456
        
        C:\Windows\SysWOW64\Ilmedf32.exe
        
        C:\Windows\system32\Ilmedf32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4656
        
        C:\Windows\SysWOW64\Inkaqb32.exe
        
        C:\Windows\system32\Inkaqb32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5044
        
        C:\Windows\SysWOW64\Ieeimlep.exe
        
        C:\Windows\system32\Ieeimlep.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3060
        
        C:\Windows\SysWOW64\Ihceigec.exe
        
        C:\Windows\system32\Ihceigec.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3992
        
        C:\Windows\SysWOW64\Ijbbfc32.exe
        
        C:\Windows\system32\Ijbbfc32.exe
        65⤵
        Executes dropped EXE
        
        PID:780
        
        C:\Windows\SysWOW64\Jaljbmkd.exe
        
        C:\Windows\system32\Jaljbmkd.exe
        66⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2896
        
        C:\Windows\SysWOW64\Jdjfohjg.exe
        
        C:\Windows\system32\Jdjfohjg.exe
        67⤵
        Drops file in System32 directory
        
        PID:5140
        
        C:\Windows\SysWOW64\Jjdokb32.exe
        
        C:\Windows\system32\Jjdokb32.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5184
        
        C:\Windows\SysWOW64\Jblflp32.exe
        
        C:\Windows\system32\Jblflp32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5228
        
        C:\Windows\SysWOW64\Jejbhk32.exe
        
        C:\Windows\system32\Jejbhk32.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5272
        
        C:\Windows\SysWOW64\Jhhodg32.exe
        
        C:\Windows\system32\Jhhodg32.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5316
        
        C:\Windows\SysWOW64\Jjgkab32.exe
        
        C:\Windows\system32\Jjgkab32.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Jbncbpqd.exe
        
        C:\Windows\system32\Jbncbpqd.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5404
        
        C:\Windows\SysWOW64\Jjihfbno.exe
        
        C:\Windows\system32\Jjihfbno.exe
        74⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\Jacpcl32.exe
        
        C:\Windows\system32\Jacpcl32.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Jhmhpfmi.exe
        
        C:\Windows\system32\Jhmhpfmi.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\Jjkdlall.exe
        
        C:\Windows\system32\Jjkdlall.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Jlkafdco.exe
        
        C:\Windows\system32\Jlkafdco.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5644
        
        C:\Windows\SysWOW64\Koimbpbc.exe
        
        C:\Windows\system32\Koimbpbc.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Kahinkaf.exe
        
        C:\Windows\system32\Kahinkaf.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5760
        
        C:\Windows\SysWOW64\Khabke32.exe
        
        C:\Windows\system32\Khabke32.exe
        81⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5804
        
        C:\Windows\SysWOW64\Kkpnga32.exe
        
        C:\Windows\system32\Kkpnga32.exe
        82⤵
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\Kajfdk32.exe
        
        C:\Windows\system32\Kajfdk32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5892
        
        C:\Windows\SysWOW64\Kdhbpf32.exe
        
        C:\Windows\system32\Kdhbpf32.exe
        84⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5940
        
        C:\Windows\SysWOW64\Klpjad32.exe
        
        C:\Windows\system32\Klpjad32.exe
        85⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Kongmo32.exe
        
        C:\Windows\system32\Kongmo32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6028
        
        C:\Windows\SysWOW64\Kdkoef32.exe
        
        C:\Windows\system32\Kdkoef32.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6072
        
        C:\Windows\SysWOW64\Kkegbpca.exe
        
        C:\Windows\system32\Kkegbpca.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6116
        
        C:\Windows\SysWOW64\Kaopoj32.exe
        
        C:\Windows\system32\Kaopoj32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Klddlckd.exe
        
        C:\Windows\system32\Klddlckd.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5216
        
        C:\Windows\SysWOW64\Kocphojh.exe
        
        C:\Windows\system32\Kocphojh.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5284
        
        C:\Windows\SysWOW64\Kemhei32.exe
        
        C:\Windows\system32\Kemhei32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Khkdad32.exe
        
        C:\Windows\system32\Khkdad32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Klgqabib.exe
        
        C:\Windows\system32\Klgqabib.exe
        94⤵
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Lbqinm32.exe
        
        C:\Windows\system32\Lbqinm32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Leoejh32.exe
        
        C:\Windows\system32\Leoejh32.exe
        96⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5652
        
        C:\Windows\SysWOW64\Lhmafcnf.exe
        
        C:\Windows\system32\Lhmafcnf.exe
        97⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\Lklnconj.exe
        
        C:\Windows\system32\Lklnconj.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Lbcedmnl.exe
        
        C:\Windows\system32\Lbcedmnl.exe
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:5880
        
        C:\Windows\SysWOW64\Leabphmp.exe
        
        C:\Windows\system32\Leabphmp.exe
        100⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5956
        
        C:\Windows\SysWOW64\Lhpnlclc.exe
        
        C:\Windows\system32\Lhpnlclc.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6044
        
        C:\Windows\SysWOW64\Lknjhokg.exe
        
        C:\Windows\system32\Lknjhokg.exe
        102⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Lbebilli.exe
        
        C:\Windows\system32\Lbebilli.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5240
        
        C:\Windows\SysWOW64\Ledoegkm.exe
        
        C:\Windows\system32\Ledoegkm.exe
        104⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5356
        
        C:\Windows\SysWOW64\Lhbkac32.exe
        
        C:\Windows\system32\Lhbkac32.exe
        105⤵
        Drops file in System32 directory
        
        PID:5484
        
        C:\Windows\SysWOW64\Lkqgno32.exe
        
        C:\Windows\system32\Lkqgno32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5640
        
        C:\Windows\SysWOW64\Lolcnman.exe
        
        C:\Windows\system32\Lolcnman.exe
        107⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5768
        
        C:\Windows\SysWOW64\Lbhool32.exe
        
        C:\Windows\system32\Lbhool32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Ldikgdpe.exe
        
        C:\Windows\system32\Ldikgdpe.exe
        109⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6036 -s 404
        110⤵
        Program crash
        
        PID:5864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4084,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=3872 /prefetch:8
1⤵
PID:6012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6036 -ip 6036
1⤵
PID:5372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dajbaika.exe

Filesize
85KB

MD5
67b2ab3694f1b8bff4ef26ce745300b1

SHA1
4d3ce606fecb4cc1073242b4af5eddcdfcc156d6

SHA256
93910b35f96f879b11f2978f2d605edb1365d1d18003c44b1ac979271eed88a2

SHA512
eeebb5522c8993e6a34e0c13b8f3ef0a90e015e2796c97595284b2097114993bc350482108e0cfb9ba89a5288b316f8709115c96680a155743a0fd61481a8205

Download Submit
C:\Windows\SysWOW64\Ddhomdje.exe

Filesize
85KB

MD5
4cfaa44e9059f0460ec91c1461a05247

SHA1
83df164c553b6283b0bdf57eb5fbc45767719ab7

SHA256
fba6b7ff99b59a36064c4445f6577a595d62d00b3c039cf1ed0800747153af65

SHA512
49a84c2e88dc5bf75a5a18d792c33d1f6f853d4af52966c05df68db7af8f3681cd5f0463333714112ab1cf94042d4d82261e134a669e4a3ea551f86f5c3bcc77

Download Submit
C:\Windows\SysWOW64\Dggkipii.exe

Filesize
85KB

MD5
c7809d5167eed6223f3f1ba543c7f327

SHA1
44ea39d192e717a4aad785ac931183db27dd258b

SHA256
2c2ae92be86ee5d013ca8befd6af22b840202847ca77f4990d82dbc1ad8cff5c

SHA512
6fa06c9323d13f5c7dc6de9710047869d6310094502fcb8f568774a45810e46c7665953ce8873c3d368393699cbd1a7563beace9d3dad0320f6ef85ec1a39aca

Download Submit
C:\Windows\SysWOW64\Dgihop32.exe

Filesize
85KB

MD5
ac7062b1903fd9aa18df0088bf236455

SHA1
0c055a98928bd3b1b51a155c2117b47ea9bef587

SHA256
38433e0e3af8fe573c4335d85ad2aee7d0c675a5bf9ad2e0211cba13b9a17431

SHA512
19b227f3c3a3d92c6b0b337efcb99ef46ac592280f9eaeb0e2ab900a30c415ff5c1789cfb1b72dd3630e0442091a55284b70a38ea0f1aa33c453e89cae18abab

Download Submit
C:\Windows\SysWOW64\Dickplko.exe

Filesize
85KB

MD5
0793f30f5b208106bf9fa941a21b5820

SHA1
19f5fa01f71107a9497379565dcfd769a5542729

SHA256
d5d1643023c6e164ec60f9c34e7f092bf5bb3689acc3c45619cbd4850fd1fc24

SHA512
386033bd58ee507dd8be71f9362796696275faf30de383cb5633fdcc29aa7b30345f46e2f868f060507a66dca98899d5dec45e41cee0344db676f92f299df0f6

Download Submit
C:\Windows\SysWOW64\Djegekil.exe

Filesize
85KB

MD5
bb8cf55615d208e5cc119b0145150334

SHA1
79eb6344551414833bec3c4b27ff5c1e0474ae33

SHA256
7673faa9b1ab12fe673d1a8e9fa8bf37412081f41f86ab7bd71e631129092ced

SHA512
3265525cd8b55661a8be52780f0aa09ebbd83ee04872a02ee4d4b2c415948091aac05f0303ca8dee7b537d81e1346f1d548bc7e6a19f737f32e51bd86941a545

Download Submit
C:\Windows\SysWOW64\Dncpkjoc.exe

Filesize
85KB

MD5
80a44179f3263b48e8d92524911147c9

SHA1
acba6bcc497468526ca46808ae908245262c5446

SHA256
f0f422e1fe6a803b52e8597d89129fdb47084d6804603978c2a5a3f04616a6c8

SHA512
30453a0dd8b4141a142f42fad1e570ce223d45eca2f388506b48650a805c2322b27feea4944d7ed71026531101e96fd1978d09b84dd492f3bb0a90f1c2f0a5c3

Download Submit
C:\Windows\SysWOW64\Dpalgenf.exe

Filesize
85KB

MD5
27f933651a95e4bb60c8e1af36fe463d

SHA1
8f26525f10492eb7aa5bf35de725da624bca5e16

SHA256
a13a61d749e93b8498566eb338c521e49e3beb2f8e1729d49ad8f8a3658dd06b

SHA512
9b35b535bfef7caef927bfbc820e64608a084ee9943365840be2719911f9fb62c2ea36ee147d3822bf65776f47afbfd4d955ce8c35df395debaf81696de3e8a8

Download Submit
C:\Windows\SysWOW64\Eaaiahei.exe

Filesize
85KB

MD5
3c2ebb5616af098fac956d5d031fd114

SHA1
159e9285823ab9a5c53555651eef266af7d5fd06

SHA256
d513f097fe1ac9ef2a57662a95f73c96b92b45a8bd644986275febc9225afb79

SHA512
34ed0415bd8ccda874f46122412324bb391f50d1c7ee86f5fb3d04f9de211c8e5b751773ff62c0765492d5e7a4f35e2b600fbe2e1f6aa593dfdcf933e1c8f79d

Download Submit
C:\Windows\SysWOW64\Eaceghcg.exe

Filesize
85KB

MD5
c7f6f69224200dddf6976b4563755db1

SHA1
8a39aeb17fe1d545e7eaae93f72fcd4c0ec40a16

SHA256
ca28c31ed1485569c8ba106e44dfd95e5ac6e280120a45e63209daf2e34cc300

SHA512
53fdca6e41deacf3b4b767acbbf4ec9cae933ccd44ebbc9a2cabf6f983fd3e1fe6fce2225dde0a2ffb1d0e9913869a1621f8a463bac1c5824a2dbac92b481a98

Download Submit
C:\Windows\SysWOW64\Ecgodpgb.exe

Filesize
85KB

MD5
662ea3794a2c8c2c3e1153d2210719c0

SHA1
a9a74a90415a19af4c3b0157382b269edf63bcd1

SHA256
cd4d98a90176617b845b9b1bc9890443f6721920965e9a19928fdfad5f407b36

SHA512
6d6adf8c662da34d0284e6efa5d05100862793486687b489a2581867948952872d9dca7ffecd9f7ebb3d44293ff0424e326b45287bffba8b102867e741538fbe

Download Submit
C:\Windows\SysWOW64\Ecikjoep.exe

Filesize
85KB

MD5
3b00c612f0762dac046859ec35a19c95

SHA1
d6e7b804ab9c7f55d90ebb25d45677d37e11701e

SHA256
5b2ed79bcc1124ebbddace82b966ff2efbc4842a5047d09d8c46dc9696119035

SHA512
547f46adf0d154ceec3d627fe3b4408e1227663e5f83119d8317acd6e6a754f16f7a148cddd86a2111fe1f8167060f3981f0e0db4bed17869a1df3fd567e6039

Download Submit
C:\Windows\SysWOW64\Edoencdm.exe

Filesize
85KB

MD5
eda23cc11ab43b508dc9299ea479c54e

SHA1
d1850f107461268a46b6e483f033f7c5260ca6a8

SHA256
bc6bc144d3410fccb80fd137d8303fe5be25e5ac90a3578cb26d98364016c81f

SHA512
a9c04f6f0d29edbb9213acd63b11e3d84c1361fedae64a03248649ccb9dc6762209faf088543d4cd6595ed35b6dab0440599f14fbfabd88d20ca1ea996c63156

Download Submit
C:\Windows\SysWOW64\Egegjn32.exe

Filesize
85KB

MD5
559b7992e6f4d5c4bdc4635a61da56db

SHA1
67c0f7109ff0bb39001420941df0e07eacaa5273

SHA256
0c8ee91a90a6b90fc9a336d3f9bdcec90a143e98f1c1ee400c24ce5cd2976bc3

SHA512
53e64cf843bb549cdb217c1775cc857c7e0539ff7b7f28f914c626c23f898705f90b30da4767aefa978f3b47ac6f43532a63baeea8c93e43ac3614d56ea963ed

Download Submit
C:\Windows\SysWOW64\Egkddo32.exe

Filesize
85KB

MD5
f4f5b992e8a64293cf4646813c00f9df

SHA1
6cfdbff2bf347de9792f79663d7108cee0c936d2

SHA256
9a87b3de921ab20ccc629ac418bec58de14543399432a0ee666eba4848e1aeaf

SHA512
14125f78f222ff27b2db0c247b57403ddb340527c2f40ec4c673aa5af27a92b7de1c2e30e1dc960ed374bd53a27fc7debb8241bc66390c6f77cfc76b5c11772e

Download Submit
C:\Windows\SysWOW64\Ejagaj32.exe

Filesize
85KB

MD5
7df43a759c6f95dc888167b7de06daeb

SHA1
7647a84afaf36ea54ef3caf30f90d42371c686ac

SHA256
18586e3d9f30a9a53993426b47e0e99eb7ce16eea66794eb57df07ce24847ea9

SHA512
e0d65d8349a9ed280e56a64913f950748d9bea2cde5e36b626d861cb2f6583ea9ce7602b164273881495c26071b2fb265bd1c5392eace1429ef5400856ddfee9

Download Submit
C:\Windows\SysWOW64\Ejjaqk32.exe

Filesize
85KB

MD5
c07274ef13033bea7b2695728764f21e

SHA1
3bbe3735c5ae305e7d3cdbd754541feb867fe0a3

SHA256
3f37af562e5e905732bfd370bf2664b2cd4b90d9579d3846e7cf0b6283b987f3

SHA512
db01e1a0bfd98b2e97d53d6ed6c455aaf11f49ebbb046f740dec71b7b8b649d0b8e4ee0014aa9f265bae3a7b4c62d38ee7c1d78f003f9bf84f3d69e1b4f55181

Download Submit
C:\Windows\SysWOW64\Ekimjn32.exe

Filesize
85KB

MD5
b18efca257680eee14d1aa52b2ddd73c

SHA1
3126583c9b66869a5ff18681c49f9a93634cddf6

SHA256
02f993c5b1a52ea8a81003c4631c5c7e8cfae83b025394e53e25d7251aad3fe3

SHA512
878ff790fc6318491b7f39e64fd2e87944a8ff4fe9931ebc0deddf33d0c9024be5791e4438a486ede60dec3a0c3f3d73569dd19c112a477983b7387a44b39c56

Download Submit
C:\Windows\SysWOW64\Enhifi32.exe

Filesize
85KB

MD5
f5767d82382060785215be7bfdcedb62

SHA1
275e99ecda1cf03de1553b5309945e8f6fbe070d

SHA256
eee121cfe8436425417de9a3b701d9e37f886a8bf28e4a565e9684b0b9e7c4ca

SHA512
d87b52a2a5903e5d6a67a5a8ea461224da42576957fe92212d99699d00b502de94d809ad7bc5a023b929f7b164c99a4d783b15bb864e6a7d52449f8e1578162b

Download Submit
C:\Windows\SysWOW64\Fboecfii.exe

Filesize
85KB

MD5
acb33d600331578f0f561d81a056b6d1

SHA1
3c43798839203b6096784a6d326866733ba43909

SHA256
ce00da0471206e4f6114daf2de4853d4146750d440115130bcb4fc3491929e45

SHA512
51e93554fab7d6b13eb7618e5437c6ac5d9fb17c187fd1216cfa1a16d59b38c0529d83abc54fb24d95a7658178a2609f519fd2bf32df6342e064e87d63f773e9

Download Submit
C:\Windows\SysWOW64\Fcekfnkb.exe

Filesize
85KB

MD5
cc52bc91cf2b13436c03012c5d7e0c3d

SHA1
c6705cba0615e0c97de320c4a3022c789a1338ca

SHA256
c517332b328e4ec4a86c2f4e850f368f7bc8135fe4207aa7ea8bd8d53f5bc88d

SHA512
fa03379a73614628537777a947e00b6072bacf5041d04273a60c2705554a575c459f4f0da570bf91bf3b7a80a62bdbdd380ae041e37e2a29496269be2fdd5923

Download Submit
C:\Windows\SysWOW64\Fclhpo32.exe

Filesize
85KB

MD5
677aca8daaf2517d8b6bda08811cc00f

SHA1
4bda0a42cfd767a783467b14d74696acf7c35af3

SHA256
c8f5e28bdbd65a3d7ae69c35702b41957b635e3447dad2c57b077dac479d142e

SHA512
5f6093d18f25ae90ff5c0b895261fb4178c370987c23ca47e6bf2afcccea1795e0992da56a4625b15e1a91c7b5d4e10c65d6c4f93d613d6d66876216f9633697

Download Submit
C:\Windows\SysWOW64\Fdbkja32.exe

Filesize
85KB

MD5
78229e5cb831992a1405f1c8ae19e2d0

SHA1
d86bd269c57f9314ef8c5635e2b24741b9ff2aef

SHA256
17208b8db6a3734cc719b2222aabc2a6ed367c6792916060a361108676af038e

SHA512
c3dbaf4c097987ddd8eeebfeed8aa83d8730bd93cf55c6b80908e083caa94d0cb3c5117247cbfdeb4fe3474a4bf4603a16f4db717bae569b21b6df7da53e3b26

Download Submit
C:\Windows\SysWOW64\Fdkdibjp.exe

Filesize
85KB

MD5
27642326f5e5616d43dc727a8385c026

SHA1
5ae03079bf0da9196e013fa8eef8128258ff34bb

SHA256
dfc421f50775d47997f294992e1d962caff5ecd4fe17f2f1aa499798ea93b385

SHA512
6f214f41a55f76783d44e7979b92e12abc84bd4675eee684598fc2c517455d8204e9c47dd2c109106684034638c41686b4b72e762a8c7f51f97077275819b9f6

Download Submit
C:\Windows\SysWOW64\Fdpnda32.exe

Filesize
85KB

MD5
183b92cf7d1e9ccc792cdddbbc21b9b7

SHA1
94ab7a5824b82fcb25a48ef40368e23cc7152610

SHA256
76617ce92728af6d6381c1c71da36e8b0d2fb605cc44f2648286ee2f71d0a28e

SHA512
fd44dfa5c2c33b034f5c2f920b4f514c81f6ea2d79c8868156e25278e3ac5dfb0b60e857f5dbad4000d53b17105b296ccb020c062eeb7975f6333bbf1cd8fc73

Download Submit
C:\Windows\SysWOW64\Fglnkm32.exe

Filesize
85KB

MD5
148ddb62e48957163d6d716766d029cc

SHA1
59a9391092bcc9c9ca137d99ab4ee3fa8e95199f

SHA256
0165585800d983c37204f8121c0767e325997aec71b5ac06370792984b2c3a6e

SHA512
7f45b6fabcbddf6e34572cd89554eea8cc028e12a14db29ded5afe3ee5a73fba96d2b34d41a924c3efb610de06cbf8d80d7f5c72f7dcb59d3f881c3394c476bd

Download Submit
C:\Windows\SysWOW64\Fnffhgon.exe

Filesize
85KB

MD5
7f31e1e298d86bf54f61c25e9c0b8e32

SHA1
23c4e6b0378d548f1e6f3d0d59e5fade192dad21

SHA256
b62787a1650cfde57892a86d1834e3b17b389eb1322e54ef7481b201189f0c6a

SHA512
3564696df57fe616d3ba5bd5961f86a3e37af0775d91f82a1cacb25521a6b8dc848d1c108772e7a8f7d980c01eb42808d8c9c3f2a4af45e7ed82b107a353dd2a

Download Submit
C:\Windows\SysWOW64\Fnhbmgmk.exe

Filesize
85KB

MD5
0c4653c66d39be02300d3fb24590b196

SHA1
166a7258ab420daa6b3b8671371769ea22923056

SHA256
c1419ab4ae171791c15eea2ec9778eda4c1616e0dd828d88f7cd5e0cd000f936

SHA512
e0afdd2a00c75eaf385672c01efe1d3132b2819e81834cf309b8decb2ddb4c9198cd3602665ccd3fd777ad6e6e55cae0bc2c6d2f10f1e0b92cec30599ec18d8b

Download Submit
C:\Windows\SysWOW64\Fnjocf32.exe

Filesize
85KB

MD5
1dd699a35aea56733f8c7ec476f12109

SHA1
33d25657f64e4e59f0f5fc026098238b28de24ac

SHA256
4b5736e6133a3322bf16cab10a94079a8fcd5cc5085072a3f856281f0f8bbd05

SHA512
9fea655af36028f1ec8c176085d9fe8ae556dbc0049567b91c1e914214c33936ff9ee89e2e852235b2a414740d931bf2c40e87a7ac1a6238921afeb800dcadc5

Download Submit
C:\Windows\SysWOW64\Fqikob32.exe

Filesize
85KB

MD5
10631349be56f78400be253e7ff38831

SHA1
25e9e5478b13bf428643d55afcf06dd629d73083

SHA256
e0e0f19cb48384f83a5947d113e932053c86bc88a85e4999d4c38643826f15c1

SHA512
978c66cac4635b86f65d29610c912b2ae8d34a19470b57c493c7b84d00254e6af71273537f6498164da4c8771181c6fcce5c5b9cc66dc2cf188767b637262c74

Download Submit
C:\Windows\SysWOW64\Gjaphgpl.exe

Filesize
85KB

MD5
4afd8e52d7790822f725897e1f939df4

SHA1
66e336e89bd4a977cf4db5fddbdd412609bf46df

SHA256
352d1115ea88b61d1de955954281d76c0df4a52f76d83c2bf3dd8b4b4796f297

SHA512
fe90c4560c18456165a690594418601af5955c4c6f22bc1400546d5b4ded1f4e36a9bcef1c4fac861290cec39c7af03a886741e9974cf412638cddd5e535d83d

Download Submit
C:\Windows\SysWOW64\Gjcmngnj.exe

Filesize
85KB

MD5
2754531eedf8abb0d7f182f791276bee

SHA1
c4b1bc22b13dc226d63bc5dd889829a7c96e283d

SHA256
7189e1cb10c95fa7961a8806aab92249dfe6f1e2130de15507ab1a47f44580d7

SHA512
3aa53f2a2d7ca4e550c479949acddf84d9ee953d1c81479bf660b7535d10587e0bff262467c537df3e6f11ee0bb53019b9dba1e01f67d24c6a9180c784945368

Download Submit
C:\Windows\SysWOW64\Gndbie32.exe

Filesize
85KB

MD5
383d1518a48d4d260aeac30bf325b2ac

SHA1
4615300c95af363caeaf390551be7eae7578fa2a

SHA256
e20fb591ca09bf2be79a89d70a704632f87b14c1f20f94678a653d0365ac5885

SHA512
aca905265af43418137f7546a39223dbe45d5c9ee41d68e84c417e3a2bf89fa65a936dd8917e0555c8713455de0b0c5fa55e9c8e4be48e5292a276282f214a98

Download Submit
C:\Windows\SysWOW64\Hgcmbj32.exe

Filesize
85KB

MD5
a9816c0e3f236c1824a35368a1c1b860

SHA1
2ebe78f2340c5697d2a55d26d10d30fb8b467f0f

SHA256
c7a532b974f5f503a26eedb2d7dd66c0591fdc9c634ac50f93e79b45acecd6de

SHA512
8a49794a10447563a3b30182c5168a7bb023b28774d774e98e3a439acb2b832224e0bc21663a8d8e21c4301772d7108ac40d8b8ba9b8f9511e7f4680459a0dd2

Download Submit
C:\Windows\SysWOW64\Hnhkdd32.exe

Filesize
85KB

MD5
2fff01aaaf9989853ad82f58b4ff2f81

SHA1
ab75cb725cb40a6d25fb73ac785188d6d15a4e6b

SHA256
11b30c4b69d3811d35cd45ae16b506903a7e1f843712a3c7f5d0c30796f9af72

SHA512
5217a6bd8ecfe932560c3eee9d36974207812c09818739db614c80e0413f278f08284540995842c8c82cba6152b9030f671e28e2154728d4d30bb6ffc3e66505

Download Submit
C:\Windows\SysWOW64\Iagqgn32.exe

Filesize
85KB

MD5
9d60a4b91e0cd5531befb56662230a3d

SHA1
9b1a1cb3ab175b7532bcbd50fb19798b38fe461e

SHA256
b9a394ab768b4cc3ce1caa592ceb7a4194fae6f81cc1062f8154e5fe78ce66b6

SHA512
aee3ddc2b31f65aa061982e5f9846485b91715bffd54fc1c70641e3bbfc4d1867e489d5af4e16e4a52fb1fc81d86b108763f9a2643b87b2092867f5b9e3b1251

Download Submit
C:\Windows\SysWOW64\Inkaqb32.exe

Filesize
85KB

MD5
e9d1e8514702e9fbe0154037904fa355

SHA1
be1f00d710846dfcea5e1484c5e75daaa98d8720

SHA256
48155b5f687121316c26faeeae64e2e260e6c6892dcbd7e8aff4e7b91ee46808

SHA512
7eeb63816427cce625a9ef8a8347d3fa9d561801a51813e7e58a61552da7d7184b29ba1f663522ba0b1d9c94bc1e8d8c78d07334907b4e9197a15fa1f2d04791

Download Submit
C:\Windows\SysWOW64\Kkpnga32.exe

Filesize
85KB

MD5
608e6e434507cd0d0fe6a90622d0856d

SHA1
8c8b32dbe3dafa15ceb86b4c348f08efb3cc5b73

SHA256
96229950809588ea1d04e0cde772a045c83ce0097a05cdede3a72dc38adf9dd5

SHA512
ec38fa7a086f6478428204f84ac84edebf4dbd669ee2ec793f7fa4e601f7e6741e6db2f77e70c2833a66f07230999923ddb638f5592d012d10a71f5da33c58ff

Download Submit
C:\Windows\SysWOW64\Leoejh32.exe

Filesize
85KB

MD5
a0c72679d66b4a7551de7417f8b2b5b8

SHA1
b69633f5cdb81aafee61233ecdeae108ea49b178

SHA256
de9550ccadaaba650678a2e2cf9f266e64eb22f6d1ff7c1b742d33b300fafe59

SHA512
9fe8077da66b9ea263901f8666bc9e2123b7ec8db50b4c2092ecbd76e23b5fbc530fb432a17a571318a8fbbc0735f9897050a2b084ca8b66524ab9104ad9928c

Download Submit
memory/32-109-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/32-25-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/208-304-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/208-364-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/440-134-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/440-222-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/788-133-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/788-49-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/824-179-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/824-266-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1028-187-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1028-100-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1128-169-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1128-82-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1256-392-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1256-324-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1316-400-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1388-344-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1388-287-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1536-289-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1536-204-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1548-414-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1844-236-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1844-143-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1948-196-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1948-282-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1996-372-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2076-330-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2076-267-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2148-37-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2176-162-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2176-252-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2192-378-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2192-317-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2208-371-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2208-310-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2332-352-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2332-420-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2336-121-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2372-296-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2372-213-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2416-212-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2416-126-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2444-262-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2444-170-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2596-125-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2596-41-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2784-237-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2824-223-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2824-303-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2880-379-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2908-421-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2948-240-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2948-316-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3004-338-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3004-406-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3012-427-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3012-358-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3336-253-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3344-318-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3344-385-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3492-8-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3492-90-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3572-91-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3572-178-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3780-73-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3780-161-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3904-294-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3904-351-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3924-393-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4024-142-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4024-57-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4032-399-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4032-331-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4188-301-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4204-337-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4204-276-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4312-157-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4328-413-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4328-345-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4364-263-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4432-275-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4432-188-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4544-21-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4544-99-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4588-428-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4664-386-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4768-152-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4768-64-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4772-122-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4892-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4892-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4892-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4920-434-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4920-365-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5020-407-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads