8a01d83df74b6fdeec5139d810cba6807d4ef2d85b1467d8b56bf9b009f0dc5a

Analysis

max time kernel
115s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 08:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

023f3235cd857f6904f6151a63d03460N.exe
Size

128KB
MD5

023f3235cd857f6904f6151a63d03460
SHA1

cd833a2cde5a4d91d966bd25e50162fbc8c69075
SHA256

8a01d83df74b6fdeec5139d810cba6807d4ef2d85b1467d8b56bf9b009f0dc5a
SHA512

a5e7ec4b51d989a155465bc8c1bc4f84044cdb72b99aadcdf913af5cb2de3124d1a8629cd2d917cd6c0a33c6987bf1ea58b6ea52f5827db9beac656810f89f8e
SSDEEP

3072:pMkAZjnF6qP+mqBjNav3J9IDlRxyhTbhgu+tAcrbFAJc+i:wFPmmqiv3sDshsrtMk

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaaldjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncjdki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbdkhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Okmpqjad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqbeoc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaaldjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbbmmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhiabbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mebkge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gkefmjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jeolckne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjaphgpl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkjohi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fggdpnkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbbmmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mafofggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nconfh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdolgfbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccdihbgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Inkaqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klmnkdal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obidcdfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enjfli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkohchko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekljpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fggdpnkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbijgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jhmhpfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjnaaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pehjfm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnqcfjae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eaaiahei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qihoak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkcbnh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iccpniqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Inkaqb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbgfhnhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Loopdmpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gglfbkin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hgeihiac.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hegmlnbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iabglnco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Janghmia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkapelka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daeifj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdnjfojj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjmodffo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jnbgaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kongmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mohbjkgp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnljkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekqckmfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldkhlcnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfbmdabh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enjfli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lojfin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnconj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkhlcnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncjdki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkholi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qifbll32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdkdibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibgmaqfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcdqhecd.exe

Executes dropped EXE 64 IoCs

pid	Process
2424	Cdolgfbp.exe
3584	Ckidcpjl.exe
776	Ccdihbgg.exe
3604	Daeifj32.exe
3200	Dcffnbee.exe
2096	Dnljkk32.exe
4328	Dgdncplk.exe
5016	Dajbaika.exe
4664	Dnqcfjae.exe
4792	Dpopbepi.exe
4296	Dcnlnaom.exe
2848	Dpalgenf.exe
2428	Dcphdqmj.exe
1716	Eaaiahei.exe
4508	Egnajocq.exe
3992	Ejlnfjbd.exe
3344	Eaceghcg.exe
3656	Ecdbop32.exe
3140	Ekljpm32.exe
400	Enjfli32.exe
368	Ejagaj32.exe
2488	Ecikjoep.exe
1812	Ekqckmfb.exe
444	Fggdpnkf.exe
2260	Famhmfkl.exe
4884	Fdkdibjp.exe
2256	Fqbeoc32.exe
1408	Fglnkm32.exe
756	Fqdbdbna.exe
2884	Fkjfakng.exe
3404	Fqfojblo.exe
1604	Fgqgfl32.exe
1520	Gcghkm32.exe
3916	Gjaphgpl.exe
912	Gqkhda32.exe
4532	Gcjdam32.exe
2060	Gnohnffc.exe
5064	Gbkdod32.exe
2476	Gclafmej.exe
824	Gnaecedp.exe
1840	Gqpapacd.exe
4520	Gkefmjcj.exe
4040	Gbpnjdkg.exe
2460	Gdnjfojj.exe
1404	Gglfbkin.exe
3428	Gkhbbi32.exe
4580	Hqdkkp32.exe
1620	Hkjohi32.exe
1720	Hjmodffo.exe
3248	Hqghqpnl.exe
4016	Hcedmkmp.exe
2568	Hjolie32.exe
4180	Heepfn32.exe
4120	Hkohchko.exe
4440	Hbiapb32.exe
2840	Hegmlnbp.exe
1116	Hgeihiac.exe
3600	Hbknebqi.exe
4044	Hejjanpm.exe
4780	Hkcbnh32.exe
4996	Iapjgo32.exe
4312	Icogcjde.exe
980	Indkpcdk.exe
4024	Iabglnco.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Odljjo32.exe	Okceaikl.exe
File created	C:\Windows\SysWOW64\Pmejnpqp.dll	Qifbll32.exe
File opened for modification	C:\Windows\SysWOW64\Dcnlnaom.exe	Dpopbepi.exe
File created	C:\Windows\SysWOW64\Ejagaj32.exe	Enjfli32.exe
File created	C:\Windows\SysWOW64\Aofbkbfe.dll	Pkholi32.exe
File created	C:\Windows\SysWOW64\Mcoepkdo.exe	Mhiabbdi.exe
File created	C:\Windows\SysWOW64\Gdnjfojj.exe	Gbpnjdkg.exe
File created	C:\Windows\SysWOW64\Eqfnqg32.dll	Kdmlkfjb.exe
File created	C:\Windows\SysWOW64\Maoifh32.exe	Mclhjkfa.exe
File opened for modification	C:\Windows\SysWOW64\Ohncdobq.exe	Nbdkhe32.exe
File created	C:\Windows\SysWOW64\Jhkljfok.exe	Jnbgaa32.exe
File created	C:\Windows\SysWOW64\Lggfcd32.dll	Memalfcb.exe
File opened for modification	C:\Windows\SysWOW64\Pecpknke.exe	Pcbdcf32.exe
File created	C:\Windows\SysWOW64\Dcphdqmj.exe	Dpalgenf.exe
File opened for modification	C:\Windows\SysWOW64\Hjolie32.exe	Hcedmkmp.exe
File created	C:\Windows\SysWOW64\Iabglnco.exe	Indkpcdk.exe
File opened for modification	C:\Windows\SysWOW64\Inidkb32.exe	Iccpniqp.exe
File created	C:\Windows\SysWOW64\Jldkeeig.exe	Janghmia.exe
File opened for modification	C:\Windows\SysWOW64\Acppddig.exe	Qihoak32.exe
File opened for modification	C:\Windows\SysWOW64\Gcjdam32.exe	Gqkhda32.exe
File created	C:\Windows\SysWOW64\Hjmodffo.exe	Hkjohi32.exe
File created	C:\Windows\SysWOW64\Iccpniqp.exe	Ilhkigcd.exe
File opened for modification	C:\Windows\SysWOW64\Dpopbepi.exe	Dnqcfjae.exe
File opened for modification	C:\Windows\SysWOW64\Iapjgo32.exe	Hkcbnh32.exe
File opened for modification	C:\Windows\SysWOW64\Pfbmdabh.exe	Pcdqhecd.exe
File created	C:\Windows\SysWOW64\Mkhpmopi.dll	Fqfojblo.exe
File opened for modification	C:\Windows\SysWOW64\Lajokiaa.exe	Lkqgno32.exe
File created	C:\Windows\SysWOW64\Amhdmi32.exe	Acppddig.exe
File created	C:\Windows\SysWOW64\Loopdmpk.exe	Lajokiaa.exe
File created	C:\Windows\SysWOW64\Oflfdbip.exe	Odljjo32.exe
File created	C:\Windows\SysWOW64\Lapmnano.dll	Hjmodffo.exe
File opened for modification	C:\Windows\SysWOW64\Memalfcb.exe	Mcoepkdo.exe
File created	C:\Windows\SysWOW64\Pfncia32.exe	Pkholi32.exe
File opened for modification	C:\Windows\SysWOW64\Idhiii32.exe	Ibgmaqfl.exe
File created	C:\Windows\SysWOW64\Jlanpfkj.exe	Jbijgp32.exe
File created	C:\Windows\SysWOW64\Lklnconj.exe	Kaaldjil.exe
File created	C:\Windows\SysWOW64\Mghekd32.dll	Laffpi32.exe
File created	C:\Windows\SysWOW64\Dodfed32.dll	Ejagaj32.exe
File created	C:\Windows\SysWOW64\Flpbbbdk.dll	Ejlnfjbd.exe
File created	C:\Windows\SysWOW64\Hbknebqi.exe	Hgeihiac.exe
File created	C:\Windows\SysWOW64\Jjfaml32.dll	Maoifh32.exe
File created	C:\Windows\SysWOW64\Okmpqjad.exe	Ohncdobq.exe
File created	C:\Windows\SysWOW64\Odedipge.exe	Okmpqjad.exe
File opened for modification	C:\Windows\SysWOW64\Ecikjoep.exe	Ejagaj32.exe
File created	C:\Windows\SysWOW64\Fdkdibjp.exe	Famhmfkl.exe
File created	C:\Windows\SysWOW64\Jlbngnmk.dll	Jnbgaa32.exe
File created	C:\Windows\SysWOW64\Lkqgno32.exe	Lhbkac32.exe
File created	C:\Windows\SysWOW64\Mhnjna32.exe	Mdbnmbhj.exe
File opened for modification	C:\Windows\SysWOW64\Dgdncplk.exe	Dnljkk32.exe
File created	C:\Windows\SysWOW64\Fqbeoc32.exe	Fdkdibjp.exe
File created	C:\Windows\SysWOW64\Fglnkm32.exe	Fqbeoc32.exe
File opened for modification	C:\Windows\SysWOW64\Fgqgfl32.exe	Fqfojblo.exe
File created	C:\Windows\SysWOW64\Ekheml32.dll	Klmnkdal.exe
File opened for modification	C:\Windows\SysWOW64\Hejjanpm.exe	Hbknebqi.exe
File created	C:\Windows\SysWOW64\Icfmci32.exe	Inidkb32.exe
File created	C:\Windows\SysWOW64\Hkohchko.exe	Heepfn32.exe
File created	C:\Windows\SysWOW64\Dhfhohgp.dll	Kdkoef32.exe
File opened for modification	C:\Windows\SysWOW64\Mlbpma32.exe	Ldkhlcnb.exe
File opened for modification	C:\Windows\SysWOW64\Mafofggd.exe	Mohbjkgp.exe
File opened for modification	C:\Windows\SysWOW64\Mllccpfj.exe	Mebkge32.exe
File created	C:\Windows\SysWOW64\Fdaleh32.dll	Eaceghcg.exe
File opened for modification	C:\Windows\SysWOW64\Jlanpfkj.exe	Jbijgp32.exe
File opened for modification	C:\Windows\SysWOW64\Hcedmkmp.exe	Hqghqpnl.exe
File created	C:\Windows\SysWOW64\Mebkge32.exe	Mafofggd.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhknhabf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecikjoep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gdnjfojj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Indkpcdk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldkhlcnb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkhfek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdolgfbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckidcpjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fggdpnkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhmhpfmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccdihbgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcphdqmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Laffpi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mllccpfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkjohi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hegmlnbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqbeoc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lamlphoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlqloo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pecpknke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qihoak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acppddig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daeifj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekqckmfb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gcjdam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncmaai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlgbon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obidcdfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eaaiahei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Heepfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inidkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klbgfc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gbkdod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hqghqpnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcoepkdo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkapelka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekljpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkohchko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilhkigcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jeolckne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqfojblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hcedmkmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icfmci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofdqcc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcffnbee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnqcfjae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fglnkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqdbdbna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okceaikl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gkefmjcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjmodffo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhnjna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mclhjkfa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejagaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gjaphgpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gqkhda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gclafmej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhiabbdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdbnmbhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkjfakng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijbbfc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjihfbno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhbkac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkholi32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gglfbkin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icogcjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgahlk32.dll"	Icogcjde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Inidkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdkoef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nneilmna.dll"	Gnohnffc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbkdod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbdkhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqgpcnpb.dll"	Fgqgfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Denlcd32.dll"	Iccpniqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Okmpqjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qihoak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecdbop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgilho32.dll"	Ecdbop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjnaaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbfhni32.dll"	Lkqgno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgdncplk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dpalgenf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbpnjdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmehgibj.dll"	Inkaqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nhjjip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ekqckmfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqbeoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daphho32.dll"	Ncjdki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfhegp32.dll"	Okmpqjad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kaaldjil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mohbjkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mhiabbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcbdcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbbmmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laffpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjkdkibk.dll"	Heepfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbiapb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dikifc32.dll"	Dcphdqmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gkhbbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lajokiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nhjjip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnqcfjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ekljpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gkefmjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbejblj.dll"	Hkohchko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbknebqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jhkljfok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mojopk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honmnc32.dll"	Oflfdbip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gnohnffc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hqghqpnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maoifh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkhfek32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Enjfli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjijdf32.dll"	Loopdmpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Obidcdfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Okceaikl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iapjgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lamlphoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lklnconj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghekd32.dll"	Laffpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbqbe32.dll"	Gdnjfojj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcmgbngb.dll"	Hegmlnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Indkpcdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laffpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okcfidmn.dll"	Ncmaai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efoope32.dll"	Ckidcpjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gdnjfojj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4500 wrote to memory of 2424	4500	023f3235cd857f6904f6151a63d03460N.exe	90
PID 4500 wrote to memory of 2424	4500	023f3235cd857f6904f6151a63d03460N.exe	90
PID 4500 wrote to memory of 2424	4500	023f3235cd857f6904f6151a63d03460N.exe	90
PID 2424 wrote to memory of 3584	2424	Cdolgfbp.exe	91
PID 2424 wrote to memory of 3584	2424	Cdolgfbp.exe	91
PID 2424 wrote to memory of 3584	2424	Cdolgfbp.exe	91
PID 3584 wrote to memory of 776	3584	Ckidcpjl.exe	92
PID 3584 wrote to memory of 776	3584	Ckidcpjl.exe	92
PID 3584 wrote to memory of 776	3584	Ckidcpjl.exe	92
PID 776 wrote to memory of 3604	776	Ccdihbgg.exe	93
PID 776 wrote to memory of 3604	776	Ccdihbgg.exe	93
PID 776 wrote to memory of 3604	776	Ccdihbgg.exe	93
PID 3604 wrote to memory of 3200	3604	Daeifj32.exe	95
PID 3604 wrote to memory of 3200	3604	Daeifj32.exe	95
PID 3604 wrote to memory of 3200	3604	Daeifj32.exe	95
PID 3200 wrote to memory of 2096	3200	Dcffnbee.exe	96
PID 3200 wrote to memory of 2096	3200	Dcffnbee.exe	96
PID 3200 wrote to memory of 2096	3200	Dcffnbee.exe	96
PID 2096 wrote to memory of 4328	2096	Dnljkk32.exe	97
PID 2096 wrote to memory of 4328	2096	Dnljkk32.exe	97
PID 2096 wrote to memory of 4328	2096	Dnljkk32.exe	97
PID 4328 wrote to memory of 5016	4328	Dgdncplk.exe	98
PID 4328 wrote to memory of 5016	4328	Dgdncplk.exe	98
PID 4328 wrote to memory of 5016	4328	Dgdncplk.exe	98
PID 5016 wrote to memory of 4664	5016	Dajbaika.exe	99
PID 5016 wrote to memory of 4664	5016	Dajbaika.exe	99
PID 5016 wrote to memory of 4664	5016	Dajbaika.exe	99
PID 4664 wrote to memory of 4792	4664	Dnqcfjae.exe	100
PID 4664 wrote to memory of 4792	4664	Dnqcfjae.exe	100
PID 4664 wrote to memory of 4792	4664	Dnqcfjae.exe	100
PID 4792 wrote to memory of 4296	4792	Dpopbepi.exe	102
PID 4792 wrote to memory of 4296	4792	Dpopbepi.exe	102
PID 4792 wrote to memory of 4296	4792	Dpopbepi.exe	102
PID 4296 wrote to memory of 2848	4296	Dcnlnaom.exe	103
PID 4296 wrote to memory of 2848	4296	Dcnlnaom.exe	103
PID 4296 wrote to memory of 2848	4296	Dcnlnaom.exe	103
PID 2848 wrote to memory of 2428	2848	Dpalgenf.exe	104
PID 2848 wrote to memory of 2428	2848	Dpalgenf.exe	104
PID 2848 wrote to memory of 2428	2848	Dpalgenf.exe	104
PID 2428 wrote to memory of 1716	2428	Dcphdqmj.exe	105
PID 2428 wrote to memory of 1716	2428	Dcphdqmj.exe	105
PID 2428 wrote to memory of 1716	2428	Dcphdqmj.exe	105
PID 1716 wrote to memory of 4508	1716	Eaaiahei.exe	106
PID 1716 wrote to memory of 4508	1716	Eaaiahei.exe	106
PID 1716 wrote to memory of 4508	1716	Eaaiahei.exe	106
PID 4508 wrote to memory of 3992	4508	Egnajocq.exe	108
PID 4508 wrote to memory of 3992	4508	Egnajocq.exe	108
PID 4508 wrote to memory of 3992	4508	Egnajocq.exe	108
PID 3992 wrote to memory of 3344	3992	Ejlnfjbd.exe	109
PID 3992 wrote to memory of 3344	3992	Ejlnfjbd.exe	109
PID 3992 wrote to memory of 3344	3992	Ejlnfjbd.exe	109
PID 3344 wrote to memory of 3656	3344	Eaceghcg.exe	110
PID 3344 wrote to memory of 3656	3344	Eaceghcg.exe	110
PID 3344 wrote to memory of 3656	3344	Eaceghcg.exe	110
PID 3656 wrote to memory of 3140	3656	Ecdbop32.exe	111
PID 3656 wrote to memory of 3140	3656	Ecdbop32.exe	111
PID 3656 wrote to memory of 3140	3656	Ecdbop32.exe	111
PID 3140 wrote to memory of 400	3140	Ekljpm32.exe	112
PID 3140 wrote to memory of 400	3140	Ekljpm32.exe	112
PID 3140 wrote to memory of 400	3140	Ekljpm32.exe	112
PID 400 wrote to memory of 368	400	Enjfli32.exe	113
PID 400 wrote to memory of 368	400	Enjfli32.exe	113
PID 400 wrote to memory of 368	400	Enjfli32.exe	113
PID 368 wrote to memory of 2488	368	Ejagaj32.exe	114

C:\Users\Admin\AppData\Local\Temp\023f3235cd857f6904f6151a63d03460N.exe
"C:\Users\Admin\AppData\Local\Temp\023f3235cd857f6904f6151a63d03460N.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4500
- C:\Windows\SysWOW64\Cdolgfbp.exe
  C:\Windows\system32\Cdolgfbp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2424
- - C:\Windows\SysWOW64\Ckidcpjl.exe
    C:\Windows\system32\Ckidcpjl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3584
  - - C:\Windows\SysWOW64\Ccdihbgg.exe
      C:\Windows\system32\Ccdihbgg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:776
    - - C:\Windows\SysWOW64\Daeifj32.exe
        
        C:\Windows\system32\Daeifj32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3604
      - C:\Windows\SysWOW64\Dcffnbee.exe
        
        C:\Windows\system32\Dcffnbee.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3200
        
        C:\Windows\SysWOW64\Dnljkk32.exe
        
        C:\Windows\system32\Dnljkk32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\SysWOW64\Dgdncplk.exe
        
        C:\Windows\system32\Dgdncplk.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4328
        
        C:\Windows\SysWOW64\Dajbaika.exe
        
        C:\Windows\system32\Dajbaika.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\SysWOW64\Dnqcfjae.exe
        
        C:\Windows\system32\Dnqcfjae.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4664
        
        C:\Windows\SysWOW64\Dpopbepi.exe
        
        C:\Windows\system32\Dpopbepi.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Windows\SysWOW64\Dcnlnaom.exe
        
        C:\Windows\system32\Dcnlnaom.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4296
        
        C:\Windows\SysWOW64\Dpalgenf.exe
        
        C:\Windows\system32\Dpalgenf.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\SysWOW64\Dcphdqmj.exe
        
        C:\Windows\system32\Dcphdqmj.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\SysWOW64\Eaaiahei.exe
        
        C:\Windows\system32\Eaaiahei.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\SysWOW64\Egnajocq.exe
        
        C:\Windows\system32\Egnajocq.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4508
        
        C:\Windows\SysWOW64\Ejlnfjbd.exe
        
        C:\Windows\system32\Ejlnfjbd.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3992
        
        C:\Windows\SysWOW64\Eaceghcg.exe
        
        C:\Windows\system32\Eaceghcg.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3344
        
        C:\Windows\SysWOW64\Ecdbop32.exe
        
        C:\Windows\system32\Ecdbop32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3656
        
        C:\Windows\SysWOW64\Ekljpm32.exe
        
        C:\Windows\system32\Ekljpm32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3140
        
        C:\Windows\SysWOW64\Enjfli32.exe
        
        C:\Windows\system32\Enjfli32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\SysWOW64\Ejagaj32.exe
        
        C:\Windows\system32\Ejagaj32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:368
        
        C:\Windows\SysWOW64\Ecikjoep.exe
        
        C:\Windows\system32\Ecikjoep.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2488
        
        C:\Windows\SysWOW64\Ekqckmfb.exe
        
        C:\Windows\system32\Ekqckmfb.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1812
        
        C:\Windows\SysWOW64\Fggdpnkf.exe
        
        C:\Windows\system32\Fggdpnkf.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:444
        
        C:\Windows\SysWOW64\Famhmfkl.exe
        
        C:\Windows\system32\Famhmfkl.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2260
        
        C:\Windows\SysWOW64\Fdkdibjp.exe
        
        C:\Windows\system32\Fdkdibjp.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4884
        
        C:\Windows\SysWOW64\Fqbeoc32.exe
        
        C:\Windows\system32\Fqbeoc32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Fglnkm32.exe
        
        C:\Windows\system32\Fglnkm32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1408
        
        C:\Windows\SysWOW64\Fqdbdbna.exe
        
        C:\Windows\system32\Fqdbdbna.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:756
        
        C:\Windows\SysWOW64\Fkjfakng.exe
        
        C:\Windows\system32\Fkjfakng.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2884
        
        C:\Windows\SysWOW64\Fqfojblo.exe
        
        C:\Windows\system32\Fqfojblo.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3404
        
        C:\Windows\SysWOW64\Fgqgfl32.exe
        
        C:\Windows\system32\Fgqgfl32.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Gcghkm32.exe
        
        C:\Windows\system32\Gcghkm32.exe
        34⤵
        Executes dropped EXE
        
        PID:1520
        
        C:\Windows\SysWOW64\Gjaphgpl.exe
        
        C:\Windows\system32\Gjaphgpl.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3916
        
        C:\Windows\SysWOW64\Gqkhda32.exe
        
        C:\Windows\system32\Gqkhda32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:912
        
        C:\Windows\SysWOW64\Gcjdam32.exe
        
        C:\Windows\system32\Gcjdam32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4532
        
        C:\Windows\SysWOW64\Gnohnffc.exe
        
        C:\Windows\system32\Gnohnffc.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2060
        
        C:\Windows\SysWOW64\Gbkdod32.exe
        
        C:\Windows\system32\Gbkdod32.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Gclafmej.exe
        
        C:\Windows\system32\Gclafmej.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2476
        
        C:\Windows\SysWOW64\Gnaecedp.exe
        
        C:\Windows\system32\Gnaecedp.exe
        41⤵
        Executes dropped EXE
        
        PID:824
        
        C:\Windows\SysWOW64\Gqpapacd.exe
        
        C:\Windows\system32\Gqpapacd.exe
        42⤵
        Executes dropped EXE
        
        PID:1840
        
        C:\Windows\SysWOW64\Gkefmjcj.exe
        
        C:\Windows\system32\Gkefmjcj.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4520
        
        C:\Windows\SysWOW64\Gbpnjdkg.exe
        
        C:\Windows\system32\Gbpnjdkg.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4040
        
        C:\Windows\SysWOW64\Gdnjfojj.exe
        
        C:\Windows\system32\Gdnjfojj.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2460
        
        C:\Windows\SysWOW64\Gglfbkin.exe
        
        C:\Windows\system32\Gglfbkin.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1404
        
        C:\Windows\SysWOW64\Gkhbbi32.exe
        
        C:\Windows\system32\Gkhbbi32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3428
        
        C:\Windows\SysWOW64\Hqdkkp32.exe
        
        C:\Windows\system32\Hqdkkp32.exe
        48⤵
        Executes dropped EXE
        
        PID:4580
        
        C:\Windows\SysWOW64\Hkjohi32.exe
        
        C:\Windows\system32\Hkjohi32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1620
        
        C:\Windows\SysWOW64\Hjmodffo.exe
        
        C:\Windows\system32\Hjmodffo.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Windows\SysWOW64\Hqghqpnl.exe
        
        C:\Windows\system32\Hqghqpnl.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3248
        
        C:\Windows\SysWOW64\Hcedmkmp.exe
        
        C:\Windows\system32\Hcedmkmp.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4016
        
        C:\Windows\SysWOW64\Hjolie32.exe
        
        C:\Windows\system32\Hjolie32.exe
        53⤵
        Executes dropped EXE
        
        PID:2568
        
        C:\Windows\SysWOW64\Heepfn32.exe
        
        C:\Windows\system32\Heepfn32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4180
        
        C:\Windows\SysWOW64\Hkohchko.exe
        
        C:\Windows\system32\Hkohchko.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4120
        
        C:\Windows\SysWOW64\Hbiapb32.exe
        
        C:\Windows\system32\Hbiapb32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Hegmlnbp.exe
        
        C:\Windows\system32\Hegmlnbp.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2840
        
        C:\Windows\SysWOW64\Hgeihiac.exe
        
        C:\Windows\system32\Hgeihiac.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1116
        
        C:\Windows\SysWOW64\Hbknebqi.exe
        
        C:\Windows\system32\Hbknebqi.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3600
        
        C:\Windows\SysWOW64\Hejjanpm.exe
        
        C:\Windows\system32\Hejjanpm.exe
        60⤵
        Executes dropped EXE
        
        PID:4044
        
        C:\Windows\SysWOW64\Hkcbnh32.exe
        
        C:\Windows\system32\Hkcbnh32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4780
        
        C:\Windows\SysWOW64\Iapjgo32.exe
        
        C:\Windows\system32\Iapjgo32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\Icogcjde.exe
        
        C:\Windows\system32\Icogcjde.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4312
        
        C:\Windows\SysWOW64\Indkpcdk.exe
        
        C:\Windows\system32\Indkpcdk.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:980
        
        C:\Windows\SysWOW64\Iabglnco.exe
        
        C:\Windows\system32\Iabglnco.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4024
        
        C:\Windows\SysWOW64\Ilhkigcd.exe
        
        C:\Windows\system32\Ilhkigcd.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1204
        
        C:\Windows\SysWOW64\Iccpniqp.exe
        
        C:\Windows\system32\Iccpniqp.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2352
        
        C:\Windows\SysWOW64\Inidkb32.exe
        
        C:\Windows\system32\Inidkb32.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3164
        
        C:\Windows\SysWOW64\Icfmci32.exe
        
        C:\Windows\system32\Icfmci32.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:4456
        
        C:\Windows\SysWOW64\Inkaqb32.exe
        
        C:\Windows\system32\Inkaqb32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4168
        
        C:\Windows\SysWOW64\Ibgmaqfl.exe
        
        C:\Windows\system32\Ibgmaqfl.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4616
        
        C:\Windows\SysWOW64\Idhiii32.exe
        
        C:\Windows\system32\Idhiii32.exe
        72⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\Ijbbfc32.exe
        
        C:\Windows\system32\Ijbbfc32.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:5132
        
        C:\Windows\SysWOW64\Jbijgp32.exe
        
        C:\Windows\system32\Jbijgp32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5172
        
        C:\Windows\SysWOW64\Jlanpfkj.exe
        
        C:\Windows\system32\Jlanpfkj.exe
        75⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Janghmia.exe
        
        C:\Windows\system32\Janghmia.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5252
        
        C:\Windows\SysWOW64\Jldkeeig.exe
        
        C:\Windows\system32\Jldkeeig.exe
        77⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\Jnbgaa32.exe
        
        C:\Windows\system32\Jnbgaa32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5332
        
        C:\Windows\SysWOW64\Jhkljfok.exe
        
        C:\Windows\system32\Jhkljfok.exe
        79⤵
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Jjihfbno.exe
        
        C:\Windows\system32\Jjihfbno.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:5412
        
        C:\Windows\SysWOW64\Jeolckne.exe
        
        C:\Windows\system32\Jeolckne.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5464
        
        C:\Windows\SysWOW64\Jhmhpfmi.exe
        
        C:\Windows\system32\Jhmhpfmi.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5504
        
        C:\Windows\SysWOW64\Jbbmmo32.exe
        
        C:\Windows\system32\Jbbmmo32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Jjnaaa32.exe
        
        C:\Windows\system32\Jjnaaa32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Klmnkdal.exe
        
        C:\Windows\system32\Klmnkdal.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5648
        
        C:\Windows\SysWOW64\Kbgfhnhi.exe
        
        C:\Windows\system32\Kbgfhnhi.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5720
        
        C:\Windows\SysWOW64\Kongmo32.exe
        
        C:\Windows\system32\Kongmo32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5780
        
        C:\Windows\SysWOW64\Kdkoef32.exe
        
        C:\Windows\system32\Kdkoef32.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Klbgfc32.exe
        
        C:\Windows\system32\Klbgfc32.exe
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:5868
        
        C:\Windows\SysWOW64\Kdmlkfjb.exe
        
        C:\Windows\system32\Kdmlkfjb.exe
        90⤵
        Drops file in System32 directory
        
        PID:5912
        
        C:\Windows\SysWOW64\Kaaldjil.exe
        
        C:\Windows\system32\Kaaldjil.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5956
        
        C:\Windows\SysWOW64\Lklnconj.exe
        
        C:\Windows\system32\Lklnconj.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Laffpi32.exe
        
        C:\Windows\system32\Laffpi32.exe
        93⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6048
        
        C:\Windows\SysWOW64\Lojfin32.exe
        
        C:\Windows\system32\Lojfin32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6092
        
        C:\Windows\SysWOW64\Lhbkac32.exe
        
        C:\Windows\system32\Lhbkac32.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6136
        
        C:\Windows\SysWOW64\Lkqgno32.exe
        
        C:\Windows\system32\Lkqgno32.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Lajokiaa.exe
        
        C:\Windows\system32\Lajokiaa.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5244
        
        C:\Windows\SysWOW64\Loopdmpk.exe
        
        C:\Windows\system32\Loopdmpk.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Lamlphoo.exe
        
        C:\Windows\system32\Lamlphoo.exe
        99⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Ldkhlcnb.exe
        
        C:\Windows\system32\Ldkhlcnb.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5484
        
        C:\Windows\SysWOW64\Mlbpma32.exe
        
        C:\Windows\system32\Mlbpma32.exe
        101⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Mclhjkfa.exe
        
        C:\Windows\system32\Mclhjkfa.exe
        102⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5664
        
        C:\Windows\SysWOW64\Maoifh32.exe
        
        C:\Windows\system32\Maoifh32.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Mhiabbdi.exe
        
        C:\Windows\system32\Mhiabbdi.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Mcoepkdo.exe
        
        C:\Windows\system32\Mcoepkdo.exe
        105⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5992
        
        C:\Windows\SysWOW64\Memalfcb.exe
        
        C:\Windows\system32\Memalfcb.exe
        106⤵
        Drops file in System32 directory
        
        PID:6080
        
        C:\Windows\SysWOW64\Mhknhabf.exe
        
        C:\Windows\system32\Mhknhabf.exe
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:5200
        
        C:\Windows\SysWOW64\Mkjjdmaj.exe
        
        C:\Windows\system32\Mkjjdmaj.exe
        108⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\Madbagif.exe
        
        C:\Windows\system32\Madbagif.exe
        109⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\Mdbnmbhj.exe
        
        C:\Windows\system32\Mdbnmbhj.exe
        110⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5764
        
        C:\Windows\SysWOW64\Mhnjna32.exe
        
        C:\Windows\system32\Mhnjna32.exe
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:5820
        
        C:\Windows\SysWOW64\Mohbjkgp.exe
        
        C:\Windows\system32\Mohbjkgp.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6044
        
        C:\Windows\SysWOW64\Mafofggd.exe
        
        C:\Windows\system32\Mafofggd.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5276
        
        C:\Windows\SysWOW64\Mebkge32.exe
        
        C:\Windows\system32\Mebkge32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5536
        
        C:\Windows\SysWOW64\Mllccpfj.exe
        
        C:\Windows\system32\Mllccpfj.exe
        115⤵
        System Location Discovery: System Language Discovery
        
        PID:5772
        
        C:\Windows\SysWOW64\Mojopk32.exe
        
        C:\Windows\system32\Mojopk32.exe
        116⤵
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Nkapelka.exe
        
        C:\Windows\system32\Nkapelka.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4912
        
        C:\Windows\SysWOW64\Nlqloo32.exe
        
        C:\Windows\system32\Nlqloo32.exe
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:5844
        
        C:\Windows\SysWOW64\Ncjdki32.exe
        
        C:\Windows\system32\Ncjdki32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Ncmaai32.exe
        
        C:\Windows\system32\Ncmaai32.exe
        120⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Nhjjip32.exe
        
        C:\Windows\system32\Nhjjip32.exe
        121⤵
        Modifies registry class
        
        PID:5556
        
        C:\Windows\SysWOW64\Nkhfek32.exe
        
        C:\Windows\system32\Nkhfek32.exe
        122⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Nconfh32.exe
        
        C:\Windows\system32\Nconfh32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6172
        
        C:\Windows\SysWOW64\Nlgbon32.exe
        
        C:\Windows\system32\Nlgbon32.exe
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:6216
        
        C:\Windows\SysWOW64\Nbdkhe32.exe
        
        C:\Windows\system32\Nbdkhe32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6260
        
        C:\Windows\SysWOW64\Ohncdobq.exe
        
        C:\Windows\system32\Ohncdobq.exe
        126⤵
        Drops file in System32 directory
        
        PID:6308
        
        C:\Windows\SysWOW64\Okmpqjad.exe
        
        C:\Windows\system32\Okmpqjad.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6348
        
        C:\Windows\SysWOW64\Odedipge.exe
        
        C:\Windows\system32\Odedipge.exe
        128⤵
        
        PID:6392
        
        C:\Windows\SysWOW64\Obidcdfo.exe
        
        C:\Windows\system32\Obidcdfo.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6436
        
        C:\Windows\SysWOW64\Ofdqcc32.exe
        
        C:\Windows\system32\Ofdqcc32.exe
        130⤵
        System Location Discovery: System Language Discovery
        
        PID:6476
        
        C:\Windows\SysWOW64\Okailj32.exe
        
        C:\Windows\system32\Okailj32.exe
        131⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\Ochamg32.exe
        
        C:\Windows\system32\Ochamg32.exe
        132⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\Okceaikl.exe
        
        C:\Windows\system32\Okceaikl.exe
        133⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6612
        
        C:\Windows\SysWOW64\Odljjo32.exe
        
        C:\Windows\system32\Odljjo32.exe
        134⤵
        Drops file in System32 directory
        
        PID:6656
        
        C:\Windows\SysWOW64\Oflfdbip.exe
        
        C:\Windows\system32\Oflfdbip.exe
        135⤵
        Modifies registry class
        
        PID:6700
        
        C:\Windows\SysWOW64\Pkholi32.exe
        
        C:\Windows\system32\Pkholi32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6744
        
        C:\Windows\SysWOW64\Pfncia32.exe
        
        C:\Windows\system32\Pfncia32.exe
        137⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\Pcbdcf32.exe
        
        C:\Windows\system32\Pcbdcf32.exe
        138⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6824
        
        C:\Windows\SysWOW64\Pecpknke.exe
        
        C:\Windows\system32\Pecpknke.exe
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:6868
        
        C:\Windows\SysWOW64\Pcdqhecd.exe
        
        C:\Windows\system32\Pcdqhecd.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6912
        
        C:\Windows\SysWOW64\Pfbmdabh.exe
        
        C:\Windows\system32\Pfbmdabh.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6956
        
        C:\Windows\SysWOW64\Pehjfm32.exe
        
        C:\Windows\system32\Pehjfm32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7000
        
        C:\Windows\SysWOW64\Qifbll32.exe
        
        C:\Windows\system32\Qifbll32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7048
        
        C:\Windows\SysWOW64\Qihoak32.exe
        
        C:\Windows\system32\Qihoak32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7092
        
        C:\Windows\SysWOW64\Acppddig.exe
        
        C:\Windows\system32\Acppddig.exe
        145⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7136
        
        C:\Windows\SysWOW64\Amhdmi32.exe
        
        C:\Windows\system32\Amhdmi32.exe
        146⤵
        
        PID:6148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1016,i,11708048364682646792,608099842549576907,262144 --variations-seed-version --mojo-platform-channel-handle=4412 /prefetch:8
1⤵
PID:6292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ccdihbgg.exe

Filesize
128KB

MD5
63ff0984184639d24e2f603e01b18a71

SHA1
4770bc7c08f35b4f790bf7e63f6cdf682392a4de

SHA256
a38a53310708bf42cfb44480453b758604de15ca2559d34d67736c5a09f8ec75

SHA512
8d3026c2a24b0781dca39b3b21f02b4e524215c65aa6ac288119bdd089a2ce86c71f6b457a275ff4460f7ae25498a66110479aefba4d17d1df9df51ede1d6510

Download Submit
C:\Windows\SysWOW64\Cdolgfbp.exe

Filesize
128KB

MD5
07331ebc2bd59b93f7a667d7d6245b1a

SHA1
948db094d1076f66d648fbed8d92ea451407685b

SHA256
2b11d437945f915bbb4374bd3e58a499b0eec514f20e5a797ceb828816580683

SHA512
9edeb345a8eec9a00f363c147fe2163b52861934d304efd6db9da852434e2f27170d9acd4194c5d74f47440ac6138e828cc095a06b3dab8fa89488d1259638d9

Download Submit
C:\Windows\SysWOW64\Ckidcpjl.exe

Filesize
128KB

MD5
97417b460ba1ce83f66265d51c816925

SHA1
404372c2e60e65f909c05d364be405e1d4d514d5

SHA256
e6be108a24479418860d8de803daac042027f17cf6087f38780e191756e92514

SHA512
e35263958bdc6387980f11c09503e4b4536923d2802f9794c7ae89a1c4d949639542c05c1dadd3bb8703e7adb1815e1e0df4d25c947d329b0e0a52d39ff48c86

Download Submit
C:\Windows\SysWOW64\Daeifj32.exe

Filesize
128KB

MD5
cca86fbea5a9fb11a3b72037005f7500

SHA1
2d1489b221ebdff2a591fceb42c3eddb47b20b6f

SHA256
342c2461c581c1540ef0efedf5ffa4b892ce9acf8c2d2e46ae9e8e41004f59fa

SHA512
6d3d047cbbb31c68206a857d62789991d64ea5bc701fc346fa068865c8993d2df40b701947f61d81577412a642701f8c7128c93876b4598919ada51e04d1dc1d

Download Submit
C:\Windows\SysWOW64\Dajbaika.exe

Filesize
128KB

MD5
b243d8f53eebc28bf2b33d40b32de424

SHA1
bf8f9d239e5353a46fca347a5a5b6b9869665c17

SHA256
bb92991288267ebf153694600c3fcc7723da62ca82b247faa82a985c69a3c311

SHA512
ad51ffd035b41234b73efc56701c344a4d0b74454e7a36f7da5ad4501c2ad649ff3beaf57f546dc7fc17f4dcfbdc18e51d2d9c769d9b9089b9730904ef8d2d42

Download Submit
C:\Windows\SysWOW64\Dcffnbee.exe

Filesize
128KB

MD5
6a3f4ded7aabd6aa902b9c1e2087e564

SHA1
5534c7aebca52fb29eacfd299346b53ac4ea8062

SHA256
37844b5c8de801ad143d44d9fba4f0e6c93cfa3bb6bb0bc486e1c677db94bda1

SHA512
bd5762f1dded240e155c04ea6dac9c61b6dfafe3c0f52645fc135f821bd1973fa18be97e84a1f140b73266627894e4151d7e6ab820c8d2f576dc626f37278f2c

Download Submit
C:\Windows\SysWOW64\Dcnlnaom.exe

Filesize
128KB

MD5
cdaf489c069552fd06565b42e728624f

SHA1
e3d9cd0e72e0daf0fe64015e0713f0935487dda6

SHA256
315c5205c43a75327aaf53501acfc8642aa111424a8901fbd2a82412fc0685f5

SHA512
c058f3cbc6b70e628d264ffdc1d5e04b9a2cf693dc48799e92071581e7e380927412bb18c8d4981e00b640f75e8fec7580fb5ee7a72545d6d88e6b9db607eda8

Download Submit
C:\Windows\SysWOW64\Dcphdqmj.exe

Filesize
128KB

MD5
565a8c25826eb3c40e9402e445689b7d

SHA1
0dfb1a351c75dac39f90012534884eb1610469d8

SHA256
04bdf19de8cf5fd9f3716fabd3e7e7b322a1238b829e04289f7ffd33ee39ec54

SHA512
6a2b1a4cccf8fdeef5f2f1c6daa6682ab7ad7fc6f68f5a4599646f88fd7c9a315c264dd6c7400be1375b89ff94d10476962e847bbfc9ec6c5d7e8f2286bd18bb

Download Submit
C:\Windows\SysWOW64\Dgdncplk.exe

Filesize
128KB

MD5
9a9d0bfb6560436afc4db120a7e83710

SHA1
de94fa8e3e47ca332ec2a599eee4acdba3de351c

SHA256
b66fdd62eb23d22c6570667c46bb6b76ecd903397163b78887348f471fffb09f

SHA512
d900be501d0f18adfdc3765e42e21b1ea8b7d1fd9e9a106f4e567f52d78525922aff759e430209605d8e21feb977d7d70aa78c4fc38fc08ad1af889a8d4054ff

Download Submit
C:\Windows\SysWOW64\Dnljkk32.exe

Filesize
128KB

MD5
702581be5d3a3e4820fb6e5dd50f06ea

SHA1
470145a0ca246c4e4f568c60d55ff15f3b1d33ac

SHA256
bb67e5bac54b4ea15d4198367dbdcee0b40d0bb1a180598d2b12497e280b31f0

SHA512
23741703900565df2d4415da850d16cba58c0733ec2832f0779ed5e7eceacaf34cbfb858b72a10034a3dcc162069696289d1fa219da50a86459184aa5ce1dc28

Download Submit
C:\Windows\SysWOW64\Dnqcfjae.exe

Filesize
128KB

MD5
02c3151fcbc6282e53d39e36f814979d

SHA1
af2d172616899b30cb373172844a48af5b94c617

SHA256
9b00b223421573b7928f5ceb0c8b4aa6fbdb46481c3a18640b866def8b905ff3

SHA512
d5856b34e0daa910483d9093a6c01fd4352790ecd6846c274683acebeae2ab2f8e17fbe62f917c2d8a7a40c07f3965f0811dabe34e332856f42501bb158ef9dd

Download Submit
C:\Windows\SysWOW64\Dpalgenf.exe

Filesize
128KB

MD5
fb037a6e1d672b91f8852b1deecfaedd

SHA1
d5902461955628ffeea8916f07991c39c0b80c9c

SHA256
b4c28b95c6e8c02a46d53b1fd414ad5f5533445d72c558207463912da8a6c133

SHA512
9a3b384aae5765a5fdcc8b62fb6fec8956a93d657dd3b285397270403bd69b887b09818b6cf8f77413c9dad2c335d9ee387896d42aab2831b22fac1baa66cfd4

Download Submit
C:\Windows\SysWOW64\Dpopbepi.exe

Filesize
128KB

MD5
4fa5dddf94fdf393ab3713370849f331

SHA1
7e3d562262d73f03035a65abfe816efd76eec288

SHA256
3125ad2173db638079969a72463cc1c66b78bcbf224bf81248234715e1916709

SHA512
251dd3791e8cca02bc77513978ec52b623f1ea9aabad8db5ea816b1628b4068adf3845644026f50b191cd0910ff488b502d2e82bf96cdfe886f891bf16d3e794

Download Submit
C:\Windows\SysWOW64\Eaaiahei.exe

Filesize
128KB

MD5
75b3c0387abd7856c5cc232191bd2324

SHA1
5b73f032040a1b40bb3aebc60f06f3dcebd34692

SHA256
19c7778f4ed19629522ab20564968caf775a0cb59054f952a013884463ae5b7b

SHA512
4f953322afb956548e11305207850a19b0deb3ff53c8b9c9850cfed0ae735d6015fe6317661327c416fcc1111899253f744def7bf6df70a1ec5acba4de51a41c

Download Submit
C:\Windows\SysWOW64\Eaceghcg.exe

Filesize
128KB

MD5
3e9e20ec5f57a647732809be893d831a

SHA1
cbe45c09a96a33d9bd2cc1b837d1f8aa919f09ba

SHA256
66e3b655c370d3301fe4809c217878bf0ebf0d1b994b312d2e4dd36cedae3798

SHA512
6ab8e01d6ff5b683045b69229e6a4bac59ad6edaa1c12d4e21397d321ab52ad9292d122e240c1a9e71dcc557c0e67d998150be3eb07c80b0e2b155d34db8c04e

Download Submit
C:\Windows\SysWOW64\Ecdbop32.exe

Filesize
128KB

MD5
908bd92fe37432f9a875ef91e3d3ed56

SHA1
295d38aef3949583d4164bcc9d14dbed967164ea

SHA256
85fa743737ba351d3910fc26bdcd2dd7d4a981e4372913f26811c7a6c3ed1e57

SHA512
20f12a7bb4218cba82fea822c8ca6253c840f192b22cbe954bb4e462264f076701c7091ad4f64b4b3cb4ad2612076e619d49bb5dcbd5b1bc145febe6fb074130

Download Submit
C:\Windows\SysWOW64\Ecikjoep.exe

Filesize
128KB

MD5
61c65df82608df3975261902bc40c117

SHA1
7ecea62249aa4154cd945520cf58cbd7aba0444c

SHA256
320fb1f20f53f34dc8f84506d381cd0ff5119bf222e594d6c2f6066bdbcc9fc9

SHA512
fb556fce327d1f9ee53c721c2c9c0200d9e09c8cc451fb10df24394f963adfbacf8c05fe909e2888eb28c3554ee8a22276c1f6a0053c7826a6bcfa734a577ec0

Download Submit
C:\Windows\SysWOW64\Egnajocq.exe

Filesize
128KB

MD5
387d65bfaa985df8bd019b807169052a

SHA1
1edb0c07a541f2a55a21aeda9e947a3d52d576b9

SHA256
febc40ecc6c21e9386bde865f7ebd8558d95333cb5b29cce6939ff84275aee34

SHA512
0e660a1b6e9cc5730d82b5f509d98f6a73d78a4a378803feaaeb9d007f140a829495d82f9d671aad3866708ea88aab39934fadcd7a1cb1db8e47057e796dfa0f

Download Submit
C:\Windows\SysWOW64\Ejagaj32.exe

Filesize
128KB

MD5
e04cff20ad726912421d86e045a281d2

SHA1
55895f58f3c79c1220f0751a6bf8d463841d215f

SHA256
2f175632d3bacfffcb68655ae9c604c140f5595e53931113ccc0e3c84a4b5786

SHA512
37f9611f8089901b610526c525d2fc034caed5e72a979257fdcd83f69e327c00ec123ef451e487db7db7bac300324e771ab28b405feaa3794a2d64b376fc1f7a

Download Submit
C:\Windows\SysWOW64\Ejlnfjbd.exe

Filesize
128KB

MD5
a06e7919ff2131eae115516811357fe7

SHA1
d6da4478d9bf6861910140139ea3a1d566614190

SHA256
1ae5ac9d18508cc2837f739190d3287d61e6d896dbe784216f4839b90cb3f8d4

SHA512
167193dc801a87b81c1bbbc3a29f63925da31734695e01e8e8450bb1b4863842295c2e4e41070813bcedfbc53c4f22acb292216c748e31fc172605128866dc07

Download Submit
C:\Windows\SysWOW64\Ekljpm32.exe

Filesize
128KB

MD5
5e7395f106de8f9ad3876e7989852d30

SHA1
68234d918d04c159b7e83e7a8a59082077746e64

SHA256
fb0f76cc83266339bdeb472969e9bdea5ca2e207075e87b7cefc4387a0724c3f

SHA512
585d7b250c7575c3baca1acc383bd587399e14894eefa335443f80b223e7c402fa0651fddacf174c4415894ef5590e5489994355a220b28051a6a698000c470c

Download Submit
C:\Windows\SysWOW64\Ekqckmfb.exe

Filesize
128KB

MD5
154afb76de8bbb54eb1a74f9759f0263

SHA1
ecc895bc4a1d0db5567aed1d5feb02104e35998a

SHA256
f67bca2555a3211cc1966d6124555ed46f0e724d489d71b0ca98d7f68d7514d3

SHA512
46d6d62a28402d7167eb7482b57f6eeb7c79bb8f7ae46fd303ef79e1c289d83e1c6fcf9c9405171208b7bcefc0cff8c5ed069a6c0850763375dfc890b2e67f92

Download Submit
C:\Windows\SysWOW64\Enjfli32.exe

Filesize
128KB

MD5
86d38ed8bf4d78adea78653472e91e6a

SHA1
56323437f2a604fd2cf350da56585863477f1a28

SHA256
186b0ba047d863c523a06b3cd05f09032988e05f666964807de5af42f3ea253b

SHA512
e6a1bd0e25589fc051d3e5c71bcb24dfd5655bab580c9e5ad89e2e47a051471b20328c0e536a04c493bb5bcb18d1c068a8725e1ec839dee1b68556d1e77097f3

Download Submit
C:\Windows\SysWOW64\Famhmfkl.exe

Filesize
128KB

MD5
26e304ff193426af6f0dc50fd66863de

SHA1
f482d9e2d6485e56399a3cc07f8f0e5c5cd53efa

SHA256
dee7e4baf91ff1aed6db7f81ae86dbe8720d3eae8cec546b7e67ea0ae69de759

SHA512
a446f18d8f5f53d2f9cb5639e61d12cd21e2ce2022a53ecaebf0db44bc9b6a1491c003e659760b86a01215ff1a4e5d7df244e0b193680b7443357114a5ac4e16

Download Submit
C:\Windows\SysWOW64\Fdkdibjp.exe

Filesize
128KB

MD5
f5b3665dffe9cad72fb3f5640c02aadd

SHA1
a839801edeb454826d8da34bb4db9cad2791bce0

SHA256
2739fa37b2380f2016c037b502b01cc4a25f63b2eaf66e694f2ca4453310e474

SHA512
ceeb9f44a63a2b55e4b231fbae7ce8b890b580011e05b889cfc6d869022ae7f8321ae9349cfff2f5af0443206317cf1a11afe57d9dfefcbd09019e1b5671600b

Download Submit
C:\Windows\SysWOW64\Fggdpnkf.exe

Filesize
128KB

MD5
9bf193a73e5693d55a59969a53a028f5

SHA1
fdef678848e67a864e23c239734cec2d215e4b21

SHA256
19759f79326c1206cd530bb1d097445f2144f1c97e244a19d30b672b129c3760

SHA512
0bf9a607e173f1fc5fa653fd4ecba0b71e48d6516c549e6c9953c176ea581b21290ac25b070bdc4fbc320075f0eb2e0236cbf89b4e09c5ad5a30af16ba00aace

Download Submit
C:\Windows\SysWOW64\Fglnkm32.exe

Filesize
128KB

MD5
5434081177f83c07f45dc2a010176c21

SHA1
39100f6d652d4ac8566076c5697aa6a980c59e02

SHA256
343e743171e9ff584ef0fb28ecd49a6a239aa1bfe9271e23082df41620cc362a

SHA512
5a1f4f054438326049626b9c96a449d1f89372a01f4d13a315d0905b74f0d697369ee13fca5baa56c155f0f5f35458f68b513a6d33461764af40458bbff9b6e3

Download Submit
C:\Windows\SysWOW64\Fgqgfl32.exe

Filesize
128KB

MD5
a902a1e5399021bb8f5a04ac3cf357f4

SHA1
bb778e1c3b16c295141f4d63c084aea6e9d5b327

SHA256
751cfaa0602f324a249fe08decf2638ef27b5dadf09348591d0cb037df88953e

SHA512
6f98d49323df1e11c277b053278acdce1459ab8d7632388e5570ddd46ddbe016583aa00e63225fe794f51d65249b9ea07a6e41f6ecbde71d49d31b4c098fdd3f

Download Submit
C:\Windows\SysWOW64\Fkjfakng.exe

Filesize
128KB

MD5
5e98e97b4d9f0ee42825c0cdfcd165dc

SHA1
755838bed37b98706f2167b82002eb4507426302

SHA256
1184865a7a1ccb72ffea4f7f23273d7ed15c55b8e53785eeb15d6e94764e30d1

SHA512
e5fcf4722503f04002ff0a1c87efa82ca70db0303c87d9c0a33315d75217f4c43586eccabb613873096be0dbddd7425ea640bbf6da78bdf8423471996274e5b8

Download Submit
C:\Windows\SysWOW64\Fqbeoc32.exe

Filesize
128KB

MD5
caaad27dadd0b3b12d0ecb0712b1026d

SHA1
646c43bf0b87714fb0831def94cf8ca33e00c8e2

SHA256
7c2d036f2ac38cca410c1d01b0d4a4c6ab992b55535b068cc48143ada3738f6e

SHA512
3efbd3c21e5fc677b275009a8178384e2e49e9402b0b288b680648460d89ea6a2fa84a845d27bb6fc867df2bb64652c0c064142c51b5a09a33ae1438d537430f

Download Submit
C:\Windows\SysWOW64\Fqdbdbna.exe

Filesize
128KB

MD5
d4c0d23536ddecab1850fdc7fdba9547

SHA1
f9f290c53076bba1baed21108598317bcd511243

SHA256
372e9fec37450889962a938cd8ec0c19363d512f3eb8def665f5c17855969a18

SHA512
8880a28a985e4f6d908c63380d2241afc3e07d83e0d374f43024be8bf9bc22f809b6cb9dbdfcecd6602b1697ba28c57213a7cbca85e085b9f97be1178a23e475

Download Submit
C:\Windows\SysWOW64\Fqfojblo.exe

Filesize
128KB

MD5
a60cc88a156e3e68ccbbba50bc33a8b6

SHA1
ebc60821177b67ff200f2d497268a768f984cea9

SHA256
85f719a2b62dbf4d89f5c1cefc9c5f8cb39e5d4a2d67d0484b7e9605e57cf0a5

SHA512
0d3c192d00eb33f62b6de2460a561991c08b345d1495405ed9fde936d78a7e085c5763ff59d1c8dc81b9998ec287b452864ff0192a501f89b1b3615366a195b0

Download Submit
C:\Windows\SysWOW64\Jlanpfkj.exe

Filesize
128KB

MD5
73c08a32fd35d57ddf8219e59e8d647b

SHA1
7b18a481e8ccbf1da4a4b696997d33eb793fbfe8

SHA256
fe29a4d4e2ce69dd343c5536977bdb4ca07e4d0c6a48af0b13783a90a2850839

SHA512
692c78892532745917eeb994dbd633942f71d5dd3d32dbd4ef731f42e637d2a8d8e3227ae323363739d031067cbc6a8e16a6d9cd485a0aa2f34de6e119987d35

Download Submit
C:\Windows\SysWOW64\Nkhfek32.exe

Filesize
128KB

MD5
40d8ac410a0d7d73f2cfe05443840b94

SHA1
81c0e28e76a2b7e51f02d1b407e61cc7ba9bc948

SHA256
bfd58e26873c8a495265e845dbc3fda4923ed0aebc26769a17a81614efb29fe6

SHA512
6aac5f2a73a1521fc43c9c37cab41206e8f1cc258bbfc904453c89915bcdae27e7bc33350e01f3c879cc747d54b5b3230a6af1f8210a2b3fa1326911acef1cae

Download Submit
C:\Windows\SysWOW64\Pehjfm32.exe

Filesize
128KB

MD5
d2ae831b940b5e72fda447f3326215fb

SHA1
9e9a65704cd6edda636057eea9b317e58657abcf

SHA256
783fd1486f524e0dfa0dd2e5e04ab677d6ae882764bf94d33672eaefadbc51d8

SHA512
84dfc759accbe25a0ad903de274b30282fcb9463e2aefef8f737624731af959b9db9f13fb5f8da0aa073d040ac546a5bbe72375fc0f9764a589b6b7f8087d218

Download Submit
C:\Windows\SysWOW64\Qihoak32.exe

Filesize
128KB

MD5
fe1cffe7649682d38cb7a4d1607a2a60

SHA1
4675ec78bda6bddf5346b53376338ce653317ad4

SHA256
86467931e453c6c77020c6ceecf4b6cb8c935d8c3891305173a06158c5d920e7

SHA512
4396e4fbadd4f5343f8dcf0832020bc5e7babfb97b4b360c282e1c8d8a6f49f130d2a5d53dd2d35fd451479802a64e234b3942bdd00912408399a8bcb6f012d4

Download Submit
memory/368-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/400-165-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/444-192-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/756-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/776-566-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/776-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/824-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/912-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/980-443-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1116-407-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1204-455-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1404-339-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1408-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1520-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1604-257-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1620-353-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1716-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1720-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1812-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1840-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2060-289-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2096-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2096-587-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2256-216-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2260-201-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2352-461-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2424-552-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2424-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2428-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2460-329-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2476-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2488-181-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2568-377-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2840-405-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2848-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2884-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3140-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3164-467-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3200-580-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3200-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3248-365-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3344-137-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3404-253-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3428-341-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3584-17-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3584-559-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3600-414-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3604-573-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3604-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3656-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3916-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3992-129-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4016-371-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4024-449-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4040-323-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4044-419-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4120-389-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4168-479-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4180-383-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4296-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4312-437-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4324-491-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4328-594-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4328-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4440-399-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4456-473-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4500-539-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4500-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4500-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4508-124-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4520-317-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4532-281-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4580-347-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4616-485-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4664-73-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4780-425-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4792-85-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4884-209-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4996-431-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5016-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5064-293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5132-501-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5172-503-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5212-509-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5252-515-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5292-521-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5332-527-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5372-533-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5412-540-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5464-550-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5504-553-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5548-560-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5596-567-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5648-574-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5720-581-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5780-592-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads