42984e864bab816ed3aa394d6c9fadf6b022281581dfb95a08744c112fe530c1

Analysis

max time kernel
32s
max time network
18s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
01/09/2024, 02:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e80e415aaad420fb813fe80c25c20e80N.exe
Size

64KB
MD5

e80e415aaad420fb813fe80c25c20e80
SHA1

cbad51a073dd72f7071f14eda4c35e4309830821
SHA256

42984e864bab816ed3aa394d6c9fadf6b022281581dfb95a08744c112fe530c1
SHA512

f9e4c47677692d480d94bac7151d37d67e092014ac5aa4471c12d148b7994dd1bab45c73acbc72e6afa4cd29389b50fa8e76127de7636da537b18d29d5aeac54
SSDEEP

768:hGmzi3vNhs/ROUUbNzGSIWau4bJo6pUqYOQX+8/1H5WGUZEgruCHPkJLzt1SZIkN:ITA7UbYzbcx4GUXruCHcpzt/Idn

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gknjecab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ionlpdha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jgccjenb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcidofcf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ioqhed32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jikjcikm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jafnhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jnjoap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfhpkbbj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e80e415aaad420fb813fe80c25c20e80N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgjdecca.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbohblcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcbapdgc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfecfb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jakhckdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iifphj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjlfkaqk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbcnloam.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgqfefpe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hdfoni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpnhoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jifmgman.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifhdlo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iglmjf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iocekd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcekdg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdfoni32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iqgbihel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jafnhl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Honpqaff.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfanlpff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjocaaoh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iqiooh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iadabljk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcidofcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hajogm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hqplhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iglmjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jafnhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfanlpff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iffggo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmbhhl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcceqa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hahbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkqgkcpp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcbapdgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Infefqkg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcekdg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iadabljk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jedgnjon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	e80e415aaad420fb813fe80c25c20e80N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcceqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcpejd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icjhpc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icenedep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icenedep.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhpkbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gknjecab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hahbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjlfkaqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaiknk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hajogm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jafnhl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijacgnjj.exe

Executes dropped EXE 56 IoCs

pid	Process
1952	Gcceqa32.exe
2500	Gjmnmk32.exe
2572	Gknjecab.exe
2108	Hahbam32.exe
2852	Hdfoni32.exe
2124	Hkqgkcpp.exe
2620	Hajogm32.exe
2640	Hhdgdg32.exe
2444	Honpqaff.exe
2692	Hqplhi32.exe
2168	Hgjdecca.exe
1992	Hbohblcg.exe
1660	Hdneohbk.exe
1628	Hcpejd32.exe
1856	Hglakcao.exe
2268	Hcbapdgc.exe
2980	Hfanlpff.exe
904	Iqgbihel.exe
2016	Icenedep.exe
1984	Iibgmk32.exe
1412	Iqiooh32.exe
1104	Iffggo32.exe
2280	Ijacgnjj.exe
2368	Ionlpdha.exe
2676	Icjhpc32.exe
2460	Ifhdlo32.exe
1520	Iifphj32.exe
2884	Ioqhed32.exe
2696	Ifjqbnnl.exe
2592	Iglmjf32.exe
3032	Iocekd32.exe
1968	Infefqkg.exe
2228	Iadabljk.exe
1944	Jikjcikm.exe
1680	Jjlfkaqk.exe
1468	Jbcnloam.exe
2904	Jafnhl32.exe
2888	Jafnhl32.exe
1568	Jcekdg32.exe
388	Jcekdg32.exe
3012	Jgqfefpe.exe
2244	Jjocaaoh.exe
836	Jnjoap32.exe
932	Jaiknk32.exe
2556	Jedgnjon.exe
1108	Jgccjenb.exe
2148	Jfecfb32.exe
2960	Jjapfamf.exe
2012	Jnmlgpeo.exe
2276	Jakhckdb.exe
2372	Jcidofcf.exe
2804	Jcidofcf.exe
2816	Jfhpkbbj.exe
2632	Jifmgman.exe
2760	Jmbhhl32.exe
2304	Jppedg32.exe

Loads dropped DLL 64 IoCs

pid	Process
2524	e80e415aaad420fb813fe80c25c20e80N.exe
2524	e80e415aaad420fb813fe80c25c20e80N.exe
1952	Gcceqa32.exe
1952	Gcceqa32.exe
2500	Gjmnmk32.exe
2500	Gjmnmk32.exe
2572	Gknjecab.exe
2572	Gknjecab.exe
2108	Hahbam32.exe
2108	Hahbam32.exe
2852	Hdfoni32.exe
2852	Hdfoni32.exe
2124	Hkqgkcpp.exe
2124	Hkqgkcpp.exe
2620	Hajogm32.exe
2620	Hajogm32.exe
2640	Hhdgdg32.exe
2640	Hhdgdg32.exe
2444	Honpqaff.exe
2444	Honpqaff.exe
2692	Hqplhi32.exe
2692	Hqplhi32.exe
2168	Hgjdecca.exe
2168	Hgjdecca.exe
1992	Hbohblcg.exe
1992	Hbohblcg.exe
1660	Hdneohbk.exe
1660	Hdneohbk.exe
1628	Hcpejd32.exe
1628	Hcpejd32.exe
1856	Hglakcao.exe
1856	Hglakcao.exe
2268	Hcbapdgc.exe
2268	Hcbapdgc.exe
2980	Hfanlpff.exe
2980	Hfanlpff.exe
904	Iqgbihel.exe
904	Iqgbihel.exe
2016	Icenedep.exe
2016	Icenedep.exe
1984	Iibgmk32.exe
1984	Iibgmk32.exe
1412	Iqiooh32.exe
1412	Iqiooh32.exe
1104	Iffggo32.exe
1104	Iffggo32.exe
2280	Ijacgnjj.exe
2280	Ijacgnjj.exe
2368	Ionlpdha.exe
2368	Ionlpdha.exe
2676	Icjhpc32.exe
2676	Icjhpc32.exe
2460	Ifhdlo32.exe
2460	Ifhdlo32.exe
1520	Iifphj32.exe
1520	Iifphj32.exe
2884	Ioqhed32.exe
2884	Ioqhed32.exe
2696	Ifjqbnnl.exe
2696	Ifjqbnnl.exe
2592	Iglmjf32.exe
2592	Iglmjf32.exe
3032	Iocekd32.exe
3032	Iocekd32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jafnhl32.exe	Jbcnloam.exe
File created	C:\Windows\SysWOW64\Hpahod32.dll	Gcceqa32.exe
File created	C:\Windows\SysWOW64\Ekoelpgo.dll	Hajogm32.exe
File created	C:\Windows\SysWOW64\Hbohblcg.exe	Hgjdecca.exe
File created	C:\Windows\SysWOW64\Jpomgn32.dll	Hgjdecca.exe
File created	C:\Windows\SysWOW64\Iifphj32.exe	Ifhdlo32.exe
File created	C:\Windows\SysWOW64\Amppecdn.dll	Iifphj32.exe
File opened for modification	C:\Windows\SysWOW64\Iocekd32.exe	Iglmjf32.exe
File opened for modification	C:\Windows\SysWOW64\Hdfoni32.exe	Hahbam32.exe
File opened for modification	C:\Windows\SysWOW64\Iifphj32.exe	Ifhdlo32.exe
File opened for modification	C:\Windows\SysWOW64\Jcidofcf.exe	Jpnhoh32.exe
File created	C:\Windows\SysWOW64\Gcceqa32.exe	e80e415aaad420fb813fe80c25c20e80N.exe
File created	C:\Windows\SysWOW64\Ioqhed32.exe	Iifphj32.exe
File opened for modification	C:\Windows\SysWOW64\Ioqhed32.exe	Iifphj32.exe
File opened for modification	C:\Windows\SysWOW64\Alhgml32.dll	Jcidofcf.exe
File created	C:\Windows\SysWOW64\Aabioeeg.dll	Hkqgkcpp.exe
File created	C:\Windows\SysWOW64\Iqgbihel.exe	Hfanlpff.exe
File created	C:\Windows\SysWOW64\Iglmjf32.exe	Ifjqbnnl.exe
File opened for modification	C:\Windows\SysWOW64\Jedgnjon.exe	Jaiknk32.exe
File created	C:\Windows\SysWOW64\Hahbam32.exe	Gknjecab.exe
File opened for modification	C:\Windows\SysWOW64\Hbohblcg.exe	Hgjdecca.exe
File created	C:\Windows\SysWOW64\Lomaoi32.dll	Iffggo32.exe
File created	C:\Windows\SysWOW64\Ciagloib.dll	Ifhdlo32.exe
File created	C:\Windows\SysWOW64\Iocekd32.exe	Iglmjf32.exe
File created	C:\Windows\SysWOW64\Jgccjenb.exe	Jedgnjon.exe
File created	C:\Windows\SysWOW64\Icjhpc32.exe	Ionlpdha.exe
File created	C:\Windows\SysWOW64\Jeahpajf.dll	Icjhpc32.exe
File opened for modification	C:\Windows\SysWOW64\Jikjcikm.exe	Iadabljk.exe
File opened for modification	C:\Windows\SysWOW64\Jnmlgpeo.exe	Jjapfamf.exe
File opened for modification	C:\Windows\SysWOW64\Jgccjenb.exe	Jedgnjon.exe
File created	C:\Windows\SysWOW64\Aqpcnnah.dll	Gjmnmk32.exe
File created	C:\Windows\SysWOW64\Bnnfdpgo.dll	Hahbam32.exe
File created	C:\Windows\SysWOW64\Iqiooh32.exe	Iibgmk32.exe
File created	C:\Windows\SysWOW64\Iffggo32.exe	Iqiooh32.exe
File created	C:\Windows\SysWOW64\Jbcnloam.exe	Jjlfkaqk.exe
File opened for modification	C:\Windows\SysWOW64\Jbcnloam.exe	Jjlfkaqk.exe
File created	C:\Windows\SysWOW64\Nhobdf32.dll	Jaiknk32.exe
File created	C:\Windows\SysWOW64\Jifmgman.exe	Jfhpkbbj.exe
File created	C:\Windows\SysWOW64\Jmbhhl32.exe	Jifmgman.exe
File created	C:\Windows\SysWOW64\Nggmpg32.dll	Hdfoni32.exe
File created	C:\Windows\SysWOW64\Honpqaff.exe	Hhdgdg32.exe
File opened for modification	C:\Windows\SysWOW64\Hcbapdgc.exe	Hglakcao.exe
File opened for modification	C:\Windows\SysWOW64\Iqgbihel.exe	Hfanlpff.exe
File opened for modification	C:\Windows\SysWOW64\Ifhdlo32.exe	Icjhpc32.exe
File created	C:\Windows\SysWOW64\Kmkbmgkn.dll	Iocekd32.exe
File created	C:\Windows\SysWOW64\Bojdkqpm.dll	Jgqfefpe.exe
File created	C:\Windows\SysWOW64\Hinmcp32.dll	Jgccjenb.exe
File created	C:\Windows\SysWOW64\Hgfgajna.dll	Ionlpdha.exe
File opened for modification	C:\Windows\SysWOW64\Jnjoap32.exe	Jjocaaoh.exe
File created	C:\Windows\SysWOW64\Jnmlgpeo.exe	Jjapfamf.exe
File opened for modification	C:\Windows\SysWOW64\Keiahkgk.dll	Jafnhl32.exe
File created	C:\Windows\SysWOW64\Kcpbge32.dll	Jcekdg32.exe
File created	C:\Windows\SysWOW64\Jaiknk32.exe	Jnjoap32.exe
File created	C:\Windows\SysWOW64\Jigoolcf.dll	Honpqaff.exe
File opened for modification	C:\Windows\SysWOW64\Hgjdecca.exe	Hqplhi32.exe
File created	C:\Windows\SysWOW64\Iadabljk.exe	Infefqkg.exe
File opened for modification	C:\Windows\SysWOW64\Jafnhl32.exe	Jbcnloam.exe
File created	C:\Windows\SysWOW64\Anflgdik.dll	Hfanlpff.exe
File created	C:\Windows\SysWOW64\Dcbhfd32.dll	Iqgbihel.exe
File created	C:\Windows\SysWOW64\Icokamph.dll	Iglmjf32.exe
File created	C:\Windows\SysWOW64\Jikjcikm.exe	Iadabljk.exe
File created	C:\Windows\SysWOW64\Jnjoap32.exe	Jjocaaoh.exe
File created	C:\Windows\SysWOW64\Pjfndg32.dll	Jfecfb32.exe
File created	C:\Windows\SysWOW64\Jakhckdb.exe	Jnmlgpeo.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2932	2304	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 58 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gcceqa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hcbapdgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iffggo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iglmjf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjapfamf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpnhoh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hbohblcg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iqgbihel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ifhdlo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ifjqbnnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jedgnjon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcidofcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e80e415aaad420fb813fe80c25c20e80N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ioqhed32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbcnloam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcekdg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hahbam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hdfoni32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hqplhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hajogm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Honpqaff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ionlpdha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcekdg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iadabljk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfecfb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfhpkbbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jafnhl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jgccjenb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hhdgdg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hglakcao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icenedep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iifphj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjocaaoh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcidofcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hgjdecca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hfanlpff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iqiooh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjlfkaqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jgqfefpe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnjoap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jakhckdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmbhhl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hdneohbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hcpejd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Infefqkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jaiknk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkqgkcpp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iibgmk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gjmnmk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icjhpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iocekd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jikjcikm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jafnhl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gknjecab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijacgnjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnmlgpeo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jifmgman.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jppedg32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnnfdpgo.dll"	Hahbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeahpajf.dll"	Icjhpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iifphj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehgjigei.dll"	Jjlfkaqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jgccjenb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmbhhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agimahlk.dll"	Hhdgdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iocekd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfecfb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phmoca32.dll"	Jnmlgpeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jakhckdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hajogm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hglakcao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ionlpdha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hkqgkcpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lomaoi32.dll"	Iffggo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iglmjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmkbmgkn.dll"	Iocekd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feoebegk.dll"	Jakhckdb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcceqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqpcnnah.dll"	Gjmnmk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfanlpff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jcekdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhobdf32.dll"	Jaiknk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jgccjenb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gknjecab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hgjdecca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfllcnff.dll"	Ioqhed32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jikjcikm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jafnhl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iocekd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Infefqkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Piajea32.dll"	Gknjecab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eieonq32.dll"	Hqplhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbohblcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfanlpff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iqgbihel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jcekdg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jnjoap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hkqgkcpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hdneohbk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icjhpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifhdlo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jafnhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hqplhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpkdloal.dll"	Ifjqbnnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jaiknk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpifijek.dll"	Jcidofcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcieegdh.dll"	Jfhpkbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfhpkbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmnennln.dll"	Jmbhhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcbapdgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iqiooh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iqiooh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgfgajna.dll"	Ionlpdha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keiahkgk.dll"	Jafnhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jcekdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jifmgman.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	e80e415aaad420fb813fe80c25c20e80N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hahbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icokamph.dll"	Iglmjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jikjcikm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjlfkaqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hahbam32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 1952	2524	e80e415aaad420fb813fe80c25c20e80N.exe	29
PID 2524 wrote to memory of 1952	2524	e80e415aaad420fb813fe80c25c20e80N.exe	29
PID 2524 wrote to memory of 1952	2524	e80e415aaad420fb813fe80c25c20e80N.exe	29
PID 2524 wrote to memory of 1952	2524	e80e415aaad420fb813fe80c25c20e80N.exe	29
PID 1952 wrote to memory of 2500	1952	Gcceqa32.exe	30
PID 1952 wrote to memory of 2500	1952	Gcceqa32.exe	30
PID 1952 wrote to memory of 2500	1952	Gcceqa32.exe	30
PID 1952 wrote to memory of 2500	1952	Gcceqa32.exe	30
PID 2500 wrote to memory of 2572	2500	Gjmnmk32.exe	31
PID 2500 wrote to memory of 2572	2500	Gjmnmk32.exe	31
PID 2500 wrote to memory of 2572	2500	Gjmnmk32.exe	31
PID 2500 wrote to memory of 2572	2500	Gjmnmk32.exe	31
PID 2572 wrote to memory of 2108	2572	Gknjecab.exe	32
PID 2572 wrote to memory of 2108	2572	Gknjecab.exe	32
PID 2572 wrote to memory of 2108	2572	Gknjecab.exe	32
PID 2572 wrote to memory of 2108	2572	Gknjecab.exe	32
PID 2108 wrote to memory of 2852	2108	Hahbam32.exe	33
PID 2108 wrote to memory of 2852	2108	Hahbam32.exe	33
PID 2108 wrote to memory of 2852	2108	Hahbam32.exe	33
PID 2108 wrote to memory of 2852	2108	Hahbam32.exe	33
PID 2852 wrote to memory of 2124	2852	Hdfoni32.exe	34
PID 2852 wrote to memory of 2124	2852	Hdfoni32.exe	34
PID 2852 wrote to memory of 2124	2852	Hdfoni32.exe	34
PID 2852 wrote to memory of 2124	2852	Hdfoni32.exe	34
PID 2124 wrote to memory of 2620	2124	Hkqgkcpp.exe	35
PID 2124 wrote to memory of 2620	2124	Hkqgkcpp.exe	35
PID 2124 wrote to memory of 2620	2124	Hkqgkcpp.exe	35
PID 2124 wrote to memory of 2620	2124	Hkqgkcpp.exe	35
PID 2620 wrote to memory of 2640	2620	Hajogm32.exe	36
PID 2620 wrote to memory of 2640	2620	Hajogm32.exe	36
PID 2620 wrote to memory of 2640	2620	Hajogm32.exe	36
PID 2620 wrote to memory of 2640	2620	Hajogm32.exe	36
PID 2640 wrote to memory of 2444	2640	Hhdgdg32.exe	37
PID 2640 wrote to memory of 2444	2640	Hhdgdg32.exe	37
PID 2640 wrote to memory of 2444	2640	Hhdgdg32.exe	37
PID 2640 wrote to memory of 2444	2640	Hhdgdg32.exe	37
PID 2444 wrote to memory of 2692	2444	Honpqaff.exe	38
PID 2444 wrote to memory of 2692	2444	Honpqaff.exe	38
PID 2444 wrote to memory of 2692	2444	Honpqaff.exe	38
PID 2444 wrote to memory of 2692	2444	Honpqaff.exe	38
PID 2692 wrote to memory of 2168	2692	Hqplhi32.exe	39
PID 2692 wrote to memory of 2168	2692	Hqplhi32.exe	39
PID 2692 wrote to memory of 2168	2692	Hqplhi32.exe	39
PID 2692 wrote to memory of 2168	2692	Hqplhi32.exe	39
PID 2168 wrote to memory of 1992	2168	Hgjdecca.exe	40
PID 2168 wrote to memory of 1992	2168	Hgjdecca.exe	40
PID 2168 wrote to memory of 1992	2168	Hgjdecca.exe	40
PID 2168 wrote to memory of 1992	2168	Hgjdecca.exe	40
PID 1992 wrote to memory of 1660	1992	Hbohblcg.exe	41
PID 1992 wrote to memory of 1660	1992	Hbohblcg.exe	41
PID 1992 wrote to memory of 1660	1992	Hbohblcg.exe	41
PID 1992 wrote to memory of 1660	1992	Hbohblcg.exe	41
PID 1660 wrote to memory of 1628	1660	Hdneohbk.exe	42
PID 1660 wrote to memory of 1628	1660	Hdneohbk.exe	42
PID 1660 wrote to memory of 1628	1660	Hdneohbk.exe	42
PID 1660 wrote to memory of 1628	1660	Hdneohbk.exe	42
PID 1628 wrote to memory of 1856	1628	Hcpejd32.exe	43
PID 1628 wrote to memory of 1856	1628	Hcpejd32.exe	43
PID 1628 wrote to memory of 1856	1628	Hcpejd32.exe	43
PID 1628 wrote to memory of 1856	1628	Hcpejd32.exe	43
PID 1856 wrote to memory of 2268	1856	Hglakcao.exe	44
PID 1856 wrote to memory of 2268	1856	Hglakcao.exe	44
PID 1856 wrote to memory of 2268	1856	Hglakcao.exe	44
PID 1856 wrote to memory of 2268	1856	Hglakcao.exe	44

C:\Users\Admin\AppData\Local\Temp\e80e415aaad420fb813fe80c25c20e80N.exe
"C:\Users\Admin\AppData\Local\Temp\e80e415aaad420fb813fe80c25c20e80N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\SysWOW64\Gcceqa32.exe
  C:\Windows\system32\Gcceqa32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Windows\SysWOW64\Gjmnmk32.exe
    C:\Windows\system32\Gjmnmk32.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2500
  - - C:\Windows\SysWOW64\Gknjecab.exe
      C:\Windows\system32\Gknjecab.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2572
    - - C:\Windows\SysWOW64\Hahbam32.exe
        
        C:\Windows\system32\Hahbam32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2108
      - C:\Windows\SysWOW64\Hdfoni32.exe
        
        C:\Windows\system32\Hdfoni32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\SysWOW64\Hkqgkcpp.exe
        
        C:\Windows\system32\Hkqgkcpp.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\SysWOW64\Hajogm32.exe
        
        C:\Windows\system32\Hajogm32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\SysWOW64\Hhdgdg32.exe
        
        C:\Windows\system32\Hhdgdg32.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\SysWOW64\Honpqaff.exe
        
        C:\Windows\system32\Honpqaff.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\SysWOW64\Hqplhi32.exe
        
        C:\Windows\system32\Hqplhi32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\SysWOW64\Hgjdecca.exe
        
        C:\Windows\system32\Hgjdecca.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\Hbohblcg.exe
        
        C:\Windows\system32\Hbohblcg.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\SysWOW64\Hdneohbk.exe
        
        C:\Windows\system32\Hdneohbk.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\SysWOW64\Hcpejd32.exe
        
        C:\Windows\system32\Hcpejd32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\SysWOW64\Hglakcao.exe
        
        C:\Windows\system32\Hglakcao.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\SysWOW64\Hcbapdgc.exe
        
        C:\Windows\system32\Hcbapdgc.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Hfanlpff.exe
        
        C:\Windows\system32\Hfanlpff.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2980
        
        C:\Windows\SysWOW64\Iqgbihel.exe
        
        C:\Windows\system32\Iqgbihel.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:904
        
        C:\Windows\SysWOW64\Icenedep.exe
        
        C:\Windows\system32\Icenedep.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2016
        
        C:\Windows\SysWOW64\Iibgmk32.exe
        
        C:\Windows\system32\Iibgmk32.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1984
        
        C:\Windows\SysWOW64\Iqiooh32.exe
        
        C:\Windows\system32\Iqiooh32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1412
        
        C:\Windows\SysWOW64\Iffggo32.exe
        
        C:\Windows\system32\Iffggo32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1104
        
        C:\Windows\SysWOW64\Ijacgnjj.exe
        
        C:\Windows\system32\Ijacgnjj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        C:\Windows\SysWOW64\Ionlpdha.exe
        
        C:\Windows\system32\Ionlpdha.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\Icjhpc32.exe
        
        C:\Windows\system32\Icjhpc32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2676
        
        C:\Windows\SysWOW64\Ifhdlo32.exe
        
        C:\Windows\system32\Ifhdlo32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2460
        
        C:\Windows\SysWOW64\Iifphj32.exe
        
        C:\Windows\system32\Iifphj32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1520
        
        C:\Windows\SysWOW64\Ioqhed32.exe
        
        C:\Windows\system32\Ioqhed32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Ifjqbnnl.exe
        
        C:\Windows\system32\Ifjqbnnl.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\Iglmjf32.exe
        
        C:\Windows\system32\Iglmjf32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Iocekd32.exe
        
        C:\Windows\system32\Iocekd32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\Infefqkg.exe
        
        C:\Windows\system32\Infefqkg.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\Iadabljk.exe
        
        C:\Windows\system32\Iadabljk.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        C:\Windows\SysWOW64\Jikjcikm.exe
        
        C:\Windows\system32\Jikjcikm.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1944
        
        C:\Windows\SysWOW64\Jjlfkaqk.exe
        
        C:\Windows\system32\Jjlfkaqk.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Jbcnloam.exe
        
        C:\Windows\system32\Jbcnloam.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1468
        
        C:\Windows\SysWOW64\Jafnhl32.exe
        
        C:\Windows\system32\Jafnhl32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2904
        
        C:\Windows\SysWOW64\Jafnhl32.exe
        
        C:\Windows\system32\Jafnhl32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2888
        
        C:\Windows\SysWOW64\Jcekdg32.exe
        
        C:\Windows\system32\Jcekdg32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\Jcekdg32.exe
        
        C:\Windows\system32\Jcekdg32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:388
        
        C:\Windows\SysWOW64\Jgqfefpe.exe
        
        C:\Windows\system32\Jgqfefpe.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3012
        
        C:\Windows\SysWOW64\Jjocaaoh.exe
        
        C:\Windows\system32\Jjocaaoh.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2244
        
        C:\Windows\SysWOW64\Jnjoap32.exe
        
        C:\Windows\system32\Jnjoap32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:836
        
        C:\Windows\SysWOW64\Jaiknk32.exe
        
        C:\Windows\system32\Jaiknk32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:932
        
        C:\Windows\SysWOW64\Jedgnjon.exe
        
        C:\Windows\system32\Jedgnjon.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2556
        
        C:\Windows\SysWOW64\Jgccjenb.exe
        
        C:\Windows\system32\Jgccjenb.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1108
        
        C:\Windows\SysWOW64\Jfecfb32.exe
        
        C:\Windows\system32\Jfecfb32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2148
        
        C:\Windows\SysWOW64\Jjapfamf.exe
        
        C:\Windows\system32\Jjapfamf.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Windows\SysWOW64\Jnmlgpeo.exe
        
        C:\Windows\system32\Jnmlgpeo.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\Jakhckdb.exe
        
        C:\Windows\system32\Jakhckdb.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Jpnhoh32.exe
        
        C:\Windows\system32\Jpnhoh32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Windows\SysWOW64\Jcidofcf.exe
        
        C:\Windows\system32\Jcidofcf.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2372
        
        C:\Windows\SysWOW64\Jcidofcf.exe
        
        C:\Windows\system32\Jcidofcf.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2804
        
        C:\Windows\SysWOW64\Jfhpkbbj.exe
        
        C:\Windows\system32\Jfhpkbbj.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2816
        
        C:\Windows\SysWOW64\Jifmgman.exe
        
        C:\Windows\system32\Jifmgman.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2632
        
        C:\Windows\SysWOW64\Jmbhhl32.exe
        
        C:\Windows\system32\Jmbhhl32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2760
        
        C:\Windows\SysWOW64\Jppedg32.exe
        
        C:\Windows\system32\Jppedg32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2304
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 140
        59⤵
        Program crash
        
        PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Hajogm32.exe

Filesize
64KB

MD5
c3db53a34f0b466286f121363aa85ac3

SHA1
a61430f1ad319cbbbfbcc6d331fc0c489c55990a

SHA256
e2a412c2527d86a0b9f31286f7d7f677f2cd6a830b1f11335dd65eee89b8b032

SHA512
19bfbc4fa4bc1f4fbe6d9393aa083c58e644fbce4a0edf83e4921d3399583a5bf8d4ba4ee1efb261df9cad8bf104793d87e6584e9b3a48fd01c043d72ed97dc3

Download Submit
C:\Windows\SysWOW64\Hcpejd32.exe

Filesize
64KB

MD5
49f98add6cd125cfd9fe24ab642aec0c

SHA1
9537c91a4adb9e63eb2a03256268c4adfb9b3f37

SHA256
65079622f4b8098af20ea35b5dae0b720fec6d33a05d20e1c9be0a6dc29577fb

SHA512
a2090b9ddad2274c59b879f14fe9a5aba095cb71763149f6210cbf1792ce7325016b22219f9d976bc14090262d5fbe9b9f4655d176afd6e6b7faffa9332b9a01

Download Submit
C:\Windows\SysWOW64\Hdneohbk.exe

Filesize
64KB

MD5
287f03a2cb032c63c6dbccfedaab22e3

SHA1
d29480285ca4c47fce6316432085eb6ee92ba70a

SHA256
e5c2d40d835d9732496db7f78e6ee7faf4cd0039d53b340c5f39b3b93e5bcdb6

SHA512
a6ee64848afba66978643c3a4c5d3d8fbb9cd77479e9d01a4300e3e9606df14f0549499a66cf1ab7cf5618172e5d014538f68708f5e7bdc5daf452c98ffe3bae

Download Submit
C:\Windows\SysWOW64\Hfanlpff.exe

Filesize
64KB

MD5
5721946e3be557825128bba85ee0c28a

SHA1
9a5eb364ef4b4b98cd2794ed2f65d332a068ce3d

SHA256
8b10b81ced364520d74e20724e684d191ac8a07c332f1eef6c0737db7c28e8d4

SHA512
fdfa54a88ced8e14ae4a17b8ac08c8f125ff1a81541ef1088844cd2dc897b176a4dc35e7535e41af5e9a614b45a97e63299e0f2115fafe223e8aa5b75ea93be1

Download Submit
C:\Windows\SysWOW64\Iadabljk.exe

Filesize
64KB

MD5
87ee7736634c01a37274766bf2020a27

SHA1
6ab62ca45f4a10063f8b9af42a975e5bb9d71d6e

SHA256
eaa46757abf397f034450d1553580266df7f46d9287f5e7ed59a93eaa1f5efb1

SHA512
ddcc15666c17321acc4dad66d6fce2152229bee8eb41d99e3c04650bcc711e2300d9729d07cd4e0931262483de584d6d465192deea901ca379cad98c7b08ec8d

Download Submit
C:\Windows\SysWOW64\Icenedep.exe

Filesize
64KB

MD5
59fa0d84dab2a275d6bd824488b68ca1

SHA1
1681a7be1367edfe41a7e25ac7f6a700b18bb9f4

SHA256
0fca212b643afde72ee7fec9a34892d8240b52f0f9914f3a155daf82fdc098a2

SHA512
169607fa984fb1df33b2bb711e6724910ab822a75fb718b7148538efad82b22736cd88da2c47f283f3be92539d199f1ac0aff0ead133bb45c156e49d10fe0d72

Download Submit
C:\Windows\SysWOW64\Icjhpc32.exe

Filesize
64KB

MD5
92f0ad94bbc3ad58f1417f17c99f33fa

SHA1
c25fd1422a670ab6f130ed9641f9b6b498f018ba

SHA256
2e6811154e4f9decab7fd07a918fa9f9d42869ee18354618eb68e66c9e150cc4

SHA512
206c4bb58f8f47b1c167d61315bd6a2d334d68d80f3b7339234e4e94b5bc589f940c8620b09c3a03a6c7aa97e435157c125a41bdfd3c88334bdd74a0fa9b7fcb

Download Submit
C:\Windows\SysWOW64\Iffggo32.exe

Filesize
64KB

MD5
5df98a7e2546ee8580d0a16b4b793295

SHA1
1fd67f53a86f08fde680927562a4fd8bcebda5ad

SHA256
0ac907ed62e710cb7bd52003b148fccd154b18fecd753051fb62f0cfc8ade7a6

SHA512
c08c5ebd868a670ca1acdd586293c392e5c89bfd1a2287b887de5b193ee888674a231d6412c1f4b7542aecd7d5fb4960811dca12d23df7f7e9efc2587aa6e5a6

Download Submit
C:\Windows\SysWOW64\Ifhdlo32.exe

Filesize
64KB

MD5
24e0cecc8d1d56514b42487b6d8c47c7

SHA1
c22614d9aee5ec8716007815f0ea3e97641336ce

SHA256
c7d666ac498a9eef8077dbb3a47e8992425ba4425a2f9f52b3090c239daf16bd

SHA512
9dd17609e8ecee90144aa4cf255fbbf99dead73b8db44911e899b3ec5417e636dc368e6b1d41b3023e81d8a7e18823256b68ea33d6cd0db1d8a3d899e166798f

Download Submit
C:\Windows\SysWOW64\Ifjqbnnl.exe

Filesize
64KB

MD5
37334dfaaa4be71886195e992212f168

SHA1
2e4450b098e14da8c9663488c6ba95aec8fb55dd

SHA256
62dcac2a95407ce74727d900a6b6eb42e1c7dd16f7c084fe7d8da4e3e5c582dc

SHA512
424d1bb401eacd692d0ef442401e4da1a13c57002bf4e075bc45552d07766ba2f5069cb05a480158d71e9484907f701f7323a47f5b02dd972e44be75af23a054

Download Submit
C:\Windows\SysWOW64\Iglmjf32.exe

Filesize
64KB

MD5
2698b4dd72cdabb02a783bc839918307

SHA1
61b511269d84d4ee17db2f761b115e186e7776a0

SHA256
52d9971b8d51a6c2255d7e3fddf921ca553460c385fb3e35ca74e1a7cf386ac9

SHA512
007e0abd92b6c2937eaa86474148e127c1ce4f5ae04054e07cba2602020b510d4053e7afb20cbe19de5899924c53742ce71a62adc439fff9efb2259c02ba8c60

Download Submit
C:\Windows\SysWOW64\Iibgmk32.exe

Filesize
64KB

MD5
2cbc5eadcf939f4829a5c7ccb41d242e

SHA1
fed31674a7920d1356f31af952d14736119162c7

SHA256
8aff94fbbd6badd2603242f825fa6d5195b39a56d2743c478a58d3d3e16fe3ea

SHA512
3474f49ef51457b62d3ef5f9b022578d50d7af9baa8e3713679c99f09018897bb8a13aa71882d399c24057c4e734b789e2a4614c79b2415fbb3fd33be8ac3669

Download Submit
C:\Windows\SysWOW64\Iifphj32.exe

Filesize
64KB

MD5
10d1daace73f74569c4465f8fe5252e7

SHA1
fb50b66a61b66e6c24cd9a7cc2848777f5674cb4

SHA256
c91df9a46428a42a37cf71fe8940c4ea644b25bf9e110630111fe596fe318675

SHA512
7214b58a697f48006a2af0ec43498860054db565884e76f8f5ab3f49e569b0f169f88f11e6efb9a945b2689c5e730389bd195a0901d84ecfcf03d006b11d1019

Download Submit
C:\Windows\SysWOW64\Ijacgnjj.exe

Filesize
64KB

MD5
4867f36e11352e0fbccd81417c2be6a2

SHA1
78e6110ece12a572f0e0822d606c0062bc40ceb4

SHA256
f27a5ade22e24656d868eb572eb1fbee148dee7eb3b1ff2543f74cdffb6ca17b

SHA512
770b9d41653516ef970959f0a3842d7cf2762684edfe01e2d024a87f614f28308fb52a0ec1e8d5169c78af6fa513c187918aeb124e91c4a7233a094fc677c673

Download Submit
C:\Windows\SysWOW64\Infefqkg.exe

Filesize
64KB

MD5
abd806df4d9968145e11d8d7a0c6eae8

SHA1
28d6eec21bf74b000f0316a6ef0a4b27873027de

SHA256
b39a0d3668c1688fb7b3c42ce2c888ac90e1414267a7426f605970d3c3fa4acc

SHA512
83e6f1c8dc7927e3ae09ddcdea2bc3fe23f18247f5e11ceee12ea93681cc12058d3f9f67cf69c58fdf42e2724e88dee07109c1cbc28e9c49e6b3fb7e44c800c0

Download Submit
C:\Windows\SysWOW64\Iocekd32.exe

Filesize
64KB

MD5
974e86d10f38ba7b613ab16862439a05

SHA1
2c5320899c4b0876ddae3749951508fab1e6c8dd

SHA256
64d167c9893c546173192a01eeb4fee6dae6468ec28891ec9bc5cc98139de685

SHA512
b3f0d872b93508757fdd358fa5964f32fb7bc70e3e49d652a1c132ca844df0f328a7402ee00ce597fc57ca4855c70f19d5c9ae64061f3164d0bc08457b71e4d5

Download Submit
C:\Windows\SysWOW64\Ionlpdha.exe

Filesize
64KB

MD5
be5af2e1391861a57733837716652b89

SHA1
02e16022d328eaf96baf9550ea87740740500166

SHA256
02087991fede28887b7e7f9f4b021718e37133d3a269819c0a6b8bb71fd66385

SHA512
3fc084b37fe381741e3a604a9ecb99375dc8b36c2fd1a3361cd16e44ea94a08eea6e3c3ce381287b8fb7ce2724b60d036978d31e11451e14868707b47285fa91

Download Submit
C:\Windows\SysWOW64\Ioqhed32.exe

Filesize
64KB

MD5
b88860d94e051724b362e1b939967133

SHA1
8e521b6ab1cb618fd100f24a0c7713861d07f13b

SHA256
1c90f1e553f21bed951a391a1de43ec6f535c57191c1900d85cbd002d45d36dc

SHA512
c07dff8680416c578baf0b282df9e4b56e9d9993fdc182a174b35e42d2023fbc6984fcd805268e3e0f0dd8a12e368e55d84205b7c674f0a3b1a0a1ff200c4818

Download Submit
C:\Windows\SysWOW64\Iqgbihel.exe

Filesize
64KB

MD5
bf980b3617278dca2f8ddc52f31bceb6

SHA1
40c73e44b6122da4aa0d8deb51a875eb2c12bfea

SHA256
55fc16a0aeb162e0e682d9e1b9fd4d15faefa6e16681bd45b88d78931e90c700

SHA512
052371903f585730d86a500bd896519d3d4042932fa2e742d0f5a54cb2b87f1cb205a8ca9a7c6628ad5383bef24d4cbae982de15b0da11c69c93c885a00b149c

Download Submit
C:\Windows\SysWOW64\Iqiooh32.exe

Filesize
64KB

MD5
bb34b7561f9ff2fdb479254844861b65

SHA1
c6904e1d821d0ebf5600f5b7d87444a1f405a4a2

SHA256
b8561abaebe9cae4c46cf56784e4673a8dbbfc18f22e50ad51ea2beb54572ceb

SHA512
fc361ac906e5e6193abdc6fa097e655eb96eb32685b626ffdbf14aad0f615e84bae791b0287264cec677c84f652d06aa7d5f9acbfb857c2a64dfb95a0accb950

Download Submit
C:\Windows\SysWOW64\Jafnhl32.exe

Filesize
64KB

MD5
03c45a60cd6f2df40a8348c6927841a3

SHA1
50c1b364e7b1281880b335e79d7136532c9a1ee9

SHA256
040e7d3ddfbe54e362ec7d54a58dcf7404f4b8e1cdcba99f6dcf5851379bf058

SHA512
b62814f13efbf1b588df39e2d6fb9880bd6b6c995a85dd805d28fd2b47a48ec3653294d25aae0509da86b154aa39c615deab533e553c7ca0ddbe4acb59d56433

Download Submit
C:\Windows\SysWOW64\Jaiknk32.exe

Filesize
64KB

MD5
69178430811f2ffcebbea8097269de2b

SHA1
71db2698d63abb21ea178953a1d94a7c49d80dc8

SHA256
446ff278218b24fe88e1fc08f5856a1f64fbb2401ec9ce92b4429258052f9716

SHA512
f03d0d80492f640d62c0c5d86fad236ec16b1d532d961d6cd155ef2a41e698984334ba657d05660456cda4c2e36a41340c9a1458e80ddbfc39dc4af6dd77b85a

Download Submit
C:\Windows\SysWOW64\Jakhckdb.exe

Filesize
64KB

MD5
58373809de907227d9e7bf605b5e228a

SHA1
49073b9790f139d756c4067646609f9e8807908e

SHA256
6db743259f2003d2651097c6b7dcec342bbb0eafac2b2c6c1e3e2ff63abe8450

SHA512
3d261493ec243abb7ec5c91c75ef1bbc09787711dc79361354feb10abc6f070ae09ecfb794db7f1d726813ab997e4dbf0602670954b1c6163539cdca58643d57

Download Submit
C:\Windows\SysWOW64\Jbcnloam.exe

Filesize
64KB

MD5
bdc6bf6f4704befeca3c90ae2bd0dff1

SHA1
cd25169a38ed942a108f0224563dc7676d97bc1e

SHA256
ae437a89175a1c4e7c32de69c8c87984b008ae89ae13a89fd392ddf372b3bc4d

SHA512
4e3602a5e258c08e289ffbc3663e7fbe0bdc79c57ce5073284e5fcf908c6f866dfcec951c06fcf43a2a58cec24896cfbe1b989c4008ee2d7dec6dc31cb6b7aff

Download Submit
C:\Windows\SysWOW64\Jcekdg32.exe

Filesize
64KB

MD5
1bb41c1c64a66be479cca2a1b49c606f

SHA1
e91e9c94c53e368280d63153343b9779ef4eca83

SHA256
901f2009e7f07f3aab88119f5932ba89d441f4c3de5a327050015102d78cb57f

SHA512
4b0641af26a9aa60b2b5d6193420bcd99b7987586fe292a56a8a06308ab9852bff1be33438d592267efb1129cde031174bab376867b34f43e684d50c3b83522c

Download Submit
C:\Windows\SysWOW64\Jcidofcf.exe

Filesize
64KB

MD5
0285518c96a2d7f1b40eea76cb1bfb84

SHA1
c40e091ed0e449302e04710ac2c9898d680aca00

SHA256
0a715a962e9356ad8697d55d6b6560316b3fe82684321f8fd74afbb3e936c8e4

SHA512
9dd5b140e8219cabafdcb1227653115ad0bf5d26d5fc6e07e874a98fae56cf9c7b5dc9623c1a2e177387f91652cd38d8c39ff00bda34319a996d3724ccdddc4c

Download Submit
C:\Windows\SysWOW64\Jedgnjon.exe

Filesize
64KB

MD5
95f37cb6f315133d147e4c870512f6f9

SHA1
e53549997e5a329707dddbec2e5dc4d4c1166766

SHA256
817ff87918d4759f065dad81f986abb08c6d16e42675c8ecc2b910f2dbd1312f

SHA512
84983a36ab0ed6c486b26ad7a6663ede3209b52bdafcb09f2c7c06108fc6d20dbfcf0fb3808e31fc37f086d124fac4da25f34a6e425585a41ed964beb84830c8

Download Submit
C:\Windows\SysWOW64\Jfecfb32.exe

Filesize
64KB

MD5
3bd08a80a28aff2f7c5152a2e81f7c6b

SHA1
058f42dac9e0afc7f21ba1dcb0845895df719248

SHA256
2abb14fe3fb30e9c19796c374746fa7f143815051109123edc23e03ff721bb60

SHA512
6cac829d100533ca2a73070f9e561951a3ff256034473873144789a7479b185992f1a532f83202d1802f9e089e41de7945cc36c54b8a44253d8440f991c8b92d

Download Submit
C:\Windows\SysWOW64\Jfhpkbbj.exe

Filesize
64KB

MD5
e51985921b95507b9babbadfa75d3a00

SHA1
774d34adda9f9df5664caf28c59f061def0ceb0c

SHA256
57fc6400b890e35eb0b032f46017cd2a4a51f3e4dc4851189264c54774e43d70

SHA512
4079ca308efc409605f197fc9d08b36168b8ade8921f10a10094a5e421a494be27f2d98edafca5c586278314750c8c8c340ca4ba85506357b022114ad3d780f8

Download Submit
C:\Windows\SysWOW64\Jgccjenb.exe

Filesize
64KB

MD5
ab65282878bd1e8c8fd126fb0b4796f5

SHA1
00648d5602691caf32e399993071fe7c849b82d7

SHA256
48ab65781ad85b3f04cbc9f12650a3e7841760e257ca9176775e47dec765a370

SHA512
5df16fbf21d49d38304e2b1c374acf997f85eafe86af563b9819c1d7cbb2f44c9f6a5a1142d0a8b8b056d50af33d0ffa799a673e8a92be50ab8e5debb47b9be0

Download Submit
C:\Windows\SysWOW64\Jgqfefpe.exe

Filesize
64KB

MD5
df724ccc0c4831d590da8d9942ed699a

SHA1
a8552676567d5648fb8ea9644042a9d492f4ba0e

SHA256
477321394c2f387df5d3b6b5ee5d687800db4d2a66c46f34dbd2b6faf618ff72

SHA512
1ce8119bc71dea905c9e6f700c312db080771de51334d96ad827b0bed524060e80679bc9b80ee793c1597afc2b69df5be797ff835b07a3c2c909b87497e05528

Download Submit
C:\Windows\SysWOW64\Jifmgman.exe

Filesize
64KB

MD5
de48e41667461a9e6c5ac01a45436d55

SHA1
26ce69654c811b927c60868759b9ebc69b40d33e

SHA256
822f6400b943ff6b2cc581f7dda9a799abe7d1a00bf7b6e3b2d7c2a968aabeb9

SHA512
9dab75a84fee01727eed1375acdfd56d57b5f78d38238a4709289d8f22036b530b36eda0fa869b4431eace3f448de07760c1721b7ab21be96fe135c77138b8f3

Download Submit
C:\Windows\SysWOW64\Jikjcikm.exe

Filesize
64KB

MD5
8f0acf05451c5d9be34d388d67ec447b

SHA1
e18dc55f46ada1511ac3754d3a147f8f62a81485

SHA256
dc3d1ee2adb56c66ff4b89bf9cfb75af3aa0e46cf7c46717e4b8f721ef256fa3

SHA512
72b478a8f6dfc37025ab74d4efddfc14de9a1813e27493bb506b67e312b3b192c8b66e1981a9aa708693dd1098b7f29141e3d66f06611cf68a792d395af4b6e8

Download Submit
C:\Windows\SysWOW64\Jjapfamf.exe

Filesize
64KB

MD5
877a6c34cf0e0645001a4e3317496127

SHA1
354b678b2f5fd670a04e54bbf07b629b7bd68ee0

SHA256
27be44127f5e63cba740cd04c774d2bdeb9bd3e0ae6e952f9852048f81ab485a

SHA512
3e8bf63713309c64d5f24ce021b2e90e8021b49a8d509f7d3a25841da647c46daa8a897f12aba3ebb9f418d82f959f6d2d245c09c2e9b4041d4da71da10a9278

Download Submit
C:\Windows\SysWOW64\Jjlfkaqk.exe

Filesize
64KB

MD5
7bed5c79aac9d85932dfb040b92e4a60

SHA1
3b2bff5c0f7bb85fa9f3bdc65957dc516b4be580

SHA256
f60d8f5f2c46670cd76792d4ea2752dce7ddcda28f5c5afd8c08aa686b95ae9d

SHA512
77873b2f6b548020b069f7ffd6c73c4fda363c73d6fa30ac558fe84f964de425aa62f1a2e9f982a823d4207cc8c3a6e242b010296115d5e4909cb672990eca0f

Download Submit
C:\Windows\SysWOW64\Jjocaaoh.exe

Filesize
64KB

MD5
e1e2b2056b1af50117252bc3eea7289f

SHA1
209109d153d020c10cc904cde678ef4e3cb1c7a6

SHA256
90715d6d9c0d7f533c2c8c78003e1a58ac7fb24563472e443021d13eced6070c

SHA512
95ad491cab2033db91ed244416a38d12427c722a98a829227152c1c4621351136738d8003de27004fa86a2970b3bf8cdf68a9011ce57f398ddb7f294fad6cba4

Download Submit
C:\Windows\SysWOW64\Jmbhhl32.exe

Filesize
64KB

MD5
4586bf747387ebe663b314d0cd8eb104

SHA1
80272b5b3d51768ee013ee9ffc638fe1368d68bb

SHA256
0d4baec7aa7481c8269dc95775751ca8aac85d08fa2bdb60ebbf434a30c29805

SHA512
260bd42685f543ad50a48d1d1d96051d7fdfd97e5a5e466e411ee312a8673690bec48fa5d1db5f1e21fff9edd8ea129eaaafd0df17701904405390f23d1e8039

Download Submit
C:\Windows\SysWOW64\Jnjoap32.exe

Filesize
64KB

MD5
ccea91626bfc65f64126a8972de32a87

SHA1
9f6b8b7c71d43fab8a6761e374358cd6b62ea99b

SHA256
3ffa30adbdd96347d290e685bc94b766735fe2bf57940e73c0bf99571476e6aa

SHA512
ef94d7c3363e9efa760db83f9379a262001d24fd42dfb55435edb67e336cdc6bf9bbee0d87b2f147faf4b92f1098d78df702e43e1ea183714493d01a77e6168c

Download Submit
C:\Windows\SysWOW64\Jnmlgpeo.exe

Filesize
64KB

MD5
6cd6c16065e5569e0f10fe10450e898a

SHA1
b7fd5fd0a0d8e1b53709efea5543f6e6f9b21bdb

SHA256
60ae72660167ae7ccec4f0005a100cf5c0f8fdd2e76076a8516fb1005fc2df6a

SHA512
01d69c937e1ba2a175c2a3f4d8e0f2b027a50619089cfce891de189ca86ae75295d4c2f0d6f21d824c45a2f83914f27543c636793ba65ace356c9ada54d8c9af

Download Submit
C:\Windows\SysWOW64\Jppedg32.exe

Filesize
64KB

MD5
c27733a2dc81e3133d58f02925aedbd8

SHA1
8fa9849db8f9dfb53db24e949dbeb385646310ba

SHA256
6662401e68c2ecd18db818e447fb1ad9eb1ed71002de2313a87ff81212e27fc1

SHA512
f418447fdb9f291dcd8730b616203e3f45f17b71a4cf255d71d22ca8bf34823c0338f555b241f74d2b47ea2a545331db751783915b57f188a9be71d418130e53

Download Submit
\Windows\SysWOW64\Gcceqa32.exe

Filesize
64KB

MD5
449def0eb237f4b1d4b91a15e1fa2d40

SHA1
102a1e6a4cffbcaac56f34718ee663fe5411fb18

SHA256
7534dff87bde63c672bc2b69b411185f057774329067cfaa8ca8900e7e29ad30

SHA512
30a0c39ebfbd93b716ee7d5370a7444cabffd562b71219170a3f1ffc3ef2ce2b4cb26834195c95f45b95783808f62ed00279b0f1976f5737999f69c9dcfef999

Download Submit
\Windows\SysWOW64\Gjmnmk32.exe

Filesize
64KB

MD5
13061bc442f81a3798f495d2a041e14b

SHA1
c9fe4afc95b197ac040b4ca936de5f67b4038a97

SHA256
9609c63064a138b6d84e42f9a999834e7b1c8530f40e6b7f88df700d5eaa8071

SHA512
0517c314286e4458992b8c8e35d3527d35fedd954ecae6775f32df6c7710ae7c2186e976c9c2eb679f2cbc0ca482ce8551b6c135318e70e961b96eac77ce960a

Download Submit
\Windows\SysWOW64\Gknjecab.exe

Filesize
64KB

MD5
40b223de2c74eb534ee1d4f5ca8df4b2

SHA1
4a98b3fdb2377034f7b9189257a9b28622f6d2b7

SHA256
b82af6faaf8ee5b617e424cb6327f3ed40603a9a3a66705a10887114f4896636

SHA512
19994cdf8467b84bd69427b4e2341f626f737baa718be4f3ab69ef589b16f845f02ce4378824e1210a0e97d3f65aa1c41d422d4fde3cc671eb8b71f78e175708

Download Submit
\Windows\SysWOW64\Hahbam32.exe

Filesize
64KB

MD5
6376c102cd45c20d554c2127d3bba4b9

SHA1
69923d13dae4849ca57af9eab8152e8b863707f8

SHA256
42c5f98257f305b6b050a726db201e0824e21fe9fcf32769af5af648c4056b89

SHA512
b861e5798a633869233714b1d93c6704e08c271fc9b86b69189a0993ee20855c7d23f7f1c6ecf1207f30b09fe547b55ab01ceeca6792f87e61c42493bde9a86c

Download Submit
\Windows\SysWOW64\Hbohblcg.exe

Filesize
64KB

MD5
a962a35698aefd12bc44ccbd4c6d230c

SHA1
752aedeab220ffc5a33c8570a7969f7be62135ef

SHA256
b8e96c942b4d87c8a986653cd348d9985ccec548ae3e6fc9e252d41439672a9f

SHA512
9952bf7a75bf0f55cd1d1991c8583cd7030bbef166b119f34774323cc92e441e75a3639ddedb963e8f888a758e3826ea134792b875827b050009ea9e350addbd

Download Submit
\Windows\SysWOW64\Hcbapdgc.exe

Filesize
64KB

MD5
c96cdc1d178cc021f04bde3762e161fd

SHA1
cc69cef940af19aa66d3e70700a2ec6ff2779a13

SHA256
c047d944582dfb2a47de829e9d19c7aebaca276be74aa82fa35b319c779f483d

SHA512
672a8fef2e650f9df9597a80c1709d62a0f57484feb029e2baf6e4f9c03519fb954fd4243c3e6816dc3dd3c81052d919a6feda467a4f38dbf40d2fb5571bd47a

Download Submit
\Windows\SysWOW64\Hdfoni32.exe

Filesize
64KB

MD5
8c5fe91dbe060eb2a6b1d0df056ad036

SHA1
dbab6522b45b2d29df8a9b742fda64dd681e86d4

SHA256
c46b890f9f0de9d55ff5c716586742dac265300b12f90b1de73a70a583a5edf6

SHA512
dfb67bfc1e106960f32ccbea85b2a25b48cf97b988def988bf313fd99da7cc1fb1d8d1f257a07d830730e02bfeff24259b73c51edcc2959de96043f15aaa5a6b

Download Submit
\Windows\SysWOW64\Hgjdecca.exe

Filesize
64KB

MD5
1543f1fccca33c47f40a8b84141c7ec4

SHA1
63ddf004277fc39cdfcb8fed0759f070cddd46dd

SHA256
2f67092fc397f7694c669e58eb40eb72eeb8d224b0562ad8ecea6b523820f89d

SHA512
f5cdcc5a033556db18786aa3d5da89da1e4a84ff5f995c342e8992b38db1fb9bf7118d816b5714620faa6d956cea0590cdce1f9be644c610e7bf95709d1fa5e3

Download Submit
\Windows\SysWOW64\Hglakcao.exe

Filesize
64KB

MD5
68f06809de8d801de08974da9ef33334

SHA1
bd99f1f5ff85f4950ba8b7486061d3fb09d502dd

SHA256
0825e64cb2a5dd963c586f97a58d60abbc57ab842a548da3a8bc16b5f7676610

SHA512
38c35e4d0fe652ee90ce69ac91dbb5d9790709181dbf81face27fe8fd0565dacc471681202b9b76df485da48f04b6d7c0f7464ac610909f0403caca88b4e4ccb

Download Submit
\Windows\SysWOW64\Hhdgdg32.exe

Filesize
64KB

MD5
1d1ea1b2eb7f67e42438215333f2953e

SHA1
84851e403571068222683e6d28dd24ca74233b6b

SHA256
02d4ac251099227dbac1d78bea5d4049e599119bb1b4f8bc0293e733f0b73e44

SHA512
8c05ae1074d48207a5609abca7379d8a3b003960498973db24500724ad512b8b1430e5c5b987da28c1fdae7962aa12d4894e1bef926fb678f7d0092723a1fa17

Download Submit
\Windows\SysWOW64\Hkqgkcpp.exe

Filesize
64KB

MD5
2a519cc3726824f36c4453cb92b316a5

SHA1
4b3f8162ef3c507b0dbeca7e89a82364409c397d

SHA256
44df363ae0d0e8f75b75f2c6f4bbd33db30ec4830167e16c597f2c17ce1a7977

SHA512
c588e326f60250319587b01ee85f06382516250db60fbbefea517a434922bf1b11bfbed8edf44d02654ee1c6638a57151180becb6bffe35c564dd0cb911dd5f4

Download Submit
\Windows\SysWOW64\Honpqaff.exe

Filesize
64KB

MD5
689af79c115c1826fc2040b610dc6403

SHA1
3b8699ed7508615d1059bafa79be72070f4eb7a9

SHA256
be3da28ea186b99ef65fc454e52cc3a3f3fd6ef676bcc68c7f47b544d13dc2c4

SHA512
d18d7ae66b4d370991e9a3b3bd9009d36ac37b213531820822920f3d07c64da732022a57921e1bd4b63c10724467cf6c9cc707e3884682b6529c008ff5dda147

Download Submit
\Windows\SysWOW64\Hqplhi32.exe

Filesize
64KB

MD5
e1ff33e997e39368a23d5c90052cd5f8

SHA1
ea3f7bb15c3cb94de80add6279d2a28dfe99edbe

SHA256
4dc05755db7c62069729d3652e789ecd95a38b3bfa6bf76cb46aafe452ccda62

SHA512
0ecce9bfdd36a7befec62576e92aad625a71d1c882e12d844e9df3084590f1be5449ca33e6a8eec8f717a2267968c626f8fa4f020f9770ca91e9ee94f70227ee

Download Submit
memory/904-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/904-323-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/904-275-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/904-277-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1104-313-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1104-350-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1412-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1412-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1412-307-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1520-374-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1520-367-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1520-403-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1628-220-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1628-209-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1628-221-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1628-267-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1628-263-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1628-261-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1660-208-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/1660-250-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1660-195-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1856-273-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1856-236-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1856-222-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1856-286-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1952-70-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1952-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1952-26-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1952-68-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1984-291-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1984-334-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1984-298-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1984-297-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1992-245-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1992-194-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2016-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2016-276-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2108-109-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2124-138-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2124-153-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2124-100-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2124-95-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2124-94-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2168-169-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2168-235-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2268-243-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2268-246-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2268-296-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2268-300-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2268-251-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2280-361-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2280-324-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2280-330-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2368-336-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2368-372-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2444-140-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2444-177-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2460-389-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2460-356-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2460-362-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2500-85-0x00000000005D0000-0x0000000000604000-memory.dmp

Filesize
208KB

Download
memory/2500-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2524-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2524-12-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2524-67-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2524-13-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2524-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2572-86-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2572-48-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2572-102-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2572-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2620-111-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2620-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2640-174-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2640-175-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2640-130-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2676-351-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2676-345-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2676-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2692-158-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2692-211-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2692-210-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2692-223-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2692-160-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2696-394-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2852-137-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2852-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2852-79-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2852-124-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2884-384-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2884-388-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2980-262-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2980-252-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2980-312-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2980-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2980-311-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads