2578a0607d4386f96d1fc71cb7767b3bd632b51a1db4f17fef557aa2bc9c0852

Analysis

max time kernel
36s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-09-2024 06:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab8a8ab6013dd0505b7f5965e5ab2d90N.exe
Size

128KB
MD5

ab8a8ab6013dd0505b7f5965e5ab2d90
SHA1

0c8c1815f1a4a14018d976ed1419b369fe4f9081
SHA256

2578a0607d4386f96d1fc71cb7767b3bd632b51a1db4f17fef557aa2bc9c0852
SHA512

6d5bc87853c48095dfcafcbec0b53082c5e813b13a3b44170d102b7058927ebf3b6500de0f8bdef7a8af3c73f62c2550436cd1330761ee4ab4b43884460ae644
SSDEEP

1536:SNtM/Id1Xbnt14+0kBYM/wwo5LidXQEbRRBBbrr1EznYiGzBn2rq15bLSwiHr/:iDXbvBDowqONNBbrJEznYfzB9BSwW

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fehodaqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hhkakonn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkahbkgk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kidlodkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpqaanqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eibbqmhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gmkjjbhg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhkakonn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hohfmi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihedan32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebhjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fooghg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gdpikmci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gaibpa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpplfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ihedan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hhpjfoji.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgjman32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jgjman32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jccjln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kidlodkj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpqaanqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	ab8a8ab6013dd0505b7f5965e5ab2d90N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ebhjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ikqcgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijkjde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jiiikq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Igojmjgf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ab8a8ab6013dd0505b7f5965e5ab2d90N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ebemnc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehilgikj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fehodaqd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkgdbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Imgija32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fadmenpg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gaibpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpplfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmnpkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fjjeid32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kiifjd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lljolodf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imgija32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiiikq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ehilgikj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gkaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hohfmi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhpjfoji.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ikqcgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gkgdbh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdpikmci.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmkjjbhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Igojmjgf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmnpkp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbmdig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fadmenpg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jccjln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kagkebpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkahbkgk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebemnc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjjeid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kiifjd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eibbqmhd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fooghg32.exe

Executes dropped EXE 34 IoCs

pid	Process
2156	Ebemnc32.exe
2896	Ebhjdc32.exe
2644	Eibbqmhd.exe
2932	Ehilgikj.exe
1752	Fjjeid32.exe
3024	Fadmenpg.exe
1080	Fooghg32.exe
2388	Fehodaqd.exe
396	Gkgdbh32.exe
1728	Gdpikmci.exe
2728	Gmkjjbhg.exe
1792	Gaibpa32.exe
1132	Gkaghf32.exe
2412	Hpplfm32.exe
1660	Hhkakonn.exe
608	Hohfmi32.exe
2536	Hhpjfoji.exe
2948	Ikqcgj32.exe
1172	Ihedan32.exe
1816	Imgija32.exe
1748	Ijkjde32.exe
1984	Igojmjgf.exe
2192	Jmnpkp32.exe
652	Jbmdig32.exe
1784	Jgjman32.exe
2508	Jiiikq32.exe
2772	Jccjln32.exe
2892	Kagkebpb.exe
1608	Kidlodkj.exe
2884	Kpqaanqd.exe
2692	Kiifjd32.exe
2684	Lljolodf.exe
1276	Lkahbkgk.exe
1708	Mllhpb32.exe

Loads dropped DLL 64 IoCs

pid	Process
2052	ab8a8ab6013dd0505b7f5965e5ab2d90N.exe
2052	ab8a8ab6013dd0505b7f5965e5ab2d90N.exe
2156	Ebemnc32.exe
2156	Ebemnc32.exe
2896	Ebhjdc32.exe
2896	Ebhjdc32.exe
2644	Eibbqmhd.exe
2644	Eibbqmhd.exe
2932	Ehilgikj.exe
2932	Ehilgikj.exe
1752	Fjjeid32.exe
1752	Fjjeid32.exe
3024	Fadmenpg.exe
3024	Fadmenpg.exe
1080	Fooghg32.exe
1080	Fooghg32.exe
2388	Fehodaqd.exe
2388	Fehodaqd.exe
396	Gkgdbh32.exe
396	Gkgdbh32.exe
1728	Gdpikmci.exe
1728	Gdpikmci.exe
2728	Gmkjjbhg.exe
2728	Gmkjjbhg.exe
1792	Gaibpa32.exe
1792	Gaibpa32.exe
1132	Gkaghf32.exe
1132	Gkaghf32.exe
2412	Hpplfm32.exe
2412	Hpplfm32.exe
1660	Hhkakonn.exe
1660	Hhkakonn.exe
608	Hohfmi32.exe
608	Hohfmi32.exe
2536	Hhpjfoji.exe
2536	Hhpjfoji.exe
2948	Ikqcgj32.exe
2948	Ikqcgj32.exe
1172	Ihedan32.exe
1172	Ihedan32.exe
1816	Imgija32.exe
1816	Imgija32.exe
1748	Ijkjde32.exe
1748	Ijkjde32.exe
1984	Igojmjgf.exe
1984	Igojmjgf.exe
2192	Jmnpkp32.exe
2192	Jmnpkp32.exe
652	Jbmdig32.exe
652	Jbmdig32.exe
1784	Jgjman32.exe
1784	Jgjman32.exe
2508	Jiiikq32.exe
2508	Jiiikq32.exe
2772	Jccjln32.exe
2772	Jccjln32.exe
2892	Kagkebpb.exe
2892	Kagkebpb.exe
1608	Kidlodkj.exe
1608	Kidlodkj.exe
2884	Kpqaanqd.exe
2884	Kpqaanqd.exe
2692	Kiifjd32.exe
2692	Kiifjd32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cmkkpnfp.dll	Ihedan32.exe
File created	C:\Windows\SysWOW64\Lkahbkgk.exe	Lljolodf.exe
File opened for modification	C:\Windows\SysWOW64\Mllhpb32.exe	Lkahbkgk.exe
File created	C:\Windows\SysWOW64\Jngdfa32.dll	Ebhjdc32.exe
File created	C:\Windows\SysWOW64\Fkbqmd32.dll	Lkahbkgk.exe
File opened for modification	C:\Windows\SysWOW64\Kagkebpb.exe	Jccjln32.exe
File created	C:\Windows\SysWOW64\Fadmenpg.exe	Fjjeid32.exe
File opened for modification	C:\Windows\SysWOW64\Hhpjfoji.exe	Hohfmi32.exe
File created	C:\Windows\SysWOW64\Hjegbfin.dll	Jbmdig32.exe
File created	C:\Windows\SysWOW64\Pdopmade.dll	Jiiikq32.exe
File opened for modification	C:\Windows\SysWOW64\Kpqaanqd.exe	Kidlodkj.exe
File opened for modification	C:\Windows\SysWOW64\Fooghg32.exe	Fadmenpg.exe
File opened for modification	C:\Windows\SysWOW64\Gmkjjbhg.exe	Gdpikmci.exe
File created	C:\Windows\SysWOW64\Onpoob32.dll	Gmkjjbhg.exe
File created	C:\Windows\SysWOW64\Jiiikq32.exe	Jgjman32.exe
File created	C:\Windows\SysWOW64\Enniql32.dll	Eibbqmhd.exe
File opened for modification	C:\Windows\SysWOW64\Ikqcgj32.exe	Hhpjfoji.exe
File opened for modification	C:\Windows\SysWOW64\Jiiikq32.exe	Jgjman32.exe
File opened for modification	C:\Windows\SysWOW64\Kidlodkj.exe	Kagkebpb.exe
File created	C:\Windows\SysWOW64\Bahhpf32.dll	Kpqaanqd.exe
File opened for modification	C:\Windows\SysWOW64\Gkgdbh32.exe	Fehodaqd.exe
File opened for modification	C:\Windows\SysWOW64\Jmnpkp32.exe	Igojmjgf.exe
File created	C:\Windows\SysWOW64\Dgenpi32.dll	Kagkebpb.exe
File opened for modification	C:\Windows\SysWOW64\Eibbqmhd.exe	Ebhjdc32.exe
File created	C:\Windows\SysWOW64\Hohfmi32.exe	Hhkakonn.exe
File created	C:\Windows\SysWOW64\Ijkjde32.exe	Imgija32.exe
File opened for modification	C:\Windows\SysWOW64\Ebemnc32.exe	ab8a8ab6013dd0505b7f5965e5ab2d90N.exe
File created	C:\Windows\SysWOW64\Kiopjgdl.dll	Fehodaqd.exe
File created	C:\Windows\SysWOW64\Gkiiie32.dll	Gdpikmci.exe
File opened for modification	C:\Windows\SysWOW64\Hhkakonn.exe	Hpplfm32.exe
File created	C:\Windows\SysWOW64\Cokdcc32.dll	Jccjln32.exe
File created	C:\Windows\SysWOW64\Kqfgcf32.dll	Ehilgikj.exe
File opened for modification	C:\Windows\SysWOW64\Igojmjgf.exe	Ijkjde32.exe
File created	C:\Windows\SysWOW64\Dhpnlnon.dll	Fadmenpg.exe
File created	C:\Windows\SysWOW64\Cghangih.dll	Gkgdbh32.exe
File opened for modification	C:\Windows\SysWOW64\Gaibpa32.exe	Gmkjjbhg.exe
File opened for modification	C:\Windows\SysWOW64\Lljolodf.exe	Kiifjd32.exe
File created	C:\Windows\SysWOW64\Iahckl32.dll	Ebemnc32.exe
File created	C:\Windows\SysWOW64\Fjjeid32.exe	Ehilgikj.exe
File opened for modification	C:\Windows\SysWOW64\Fadmenpg.exe	Fjjeid32.exe
File created	C:\Windows\SysWOW64\Imgija32.exe	Ihedan32.exe
File created	C:\Windows\SysWOW64\Lljolodf.exe	Kiifjd32.exe
File created	C:\Windows\SysWOW64\Kiifjd32.exe	Kpqaanqd.exe
File created	C:\Windows\SysWOW64\Fehodaqd.exe	Fooghg32.exe
File created	C:\Windows\SysWOW64\Kfhjgh32.dll	Gaibpa32.exe
File created	C:\Windows\SysWOW64\Igojmjgf.exe	Ijkjde32.exe
File opened for modification	C:\Windows\SysWOW64\Jbmdig32.exe	Jmnpkp32.exe
File created	C:\Windows\SysWOW64\Mllhpb32.exe	Lkahbkgk.exe
File created	C:\Windows\SysWOW64\Jmnpkp32.exe	Igojmjgf.exe
File opened for modification	C:\Windows\SysWOW64\Fjjeid32.exe	Ehilgikj.exe
File created	C:\Windows\SysWOW64\Hhpjfoji.exe	Hohfmi32.exe
File opened for modification	C:\Windows\SysWOW64\Jgjman32.exe	Jbmdig32.exe
File created	C:\Windows\SysWOW64\Ebhjdc32.exe	Ebemnc32.exe
File created	C:\Windows\SysWOW64\Ehilgikj.exe	Eibbqmhd.exe
File created	C:\Windows\SysWOW64\Eefneh32.dll	Ikqcgj32.exe
File created	C:\Windows\SysWOW64\Gkaghf32.exe	Gaibpa32.exe
File opened for modification	C:\Windows\SysWOW64\Ihedan32.exe	Ikqcgj32.exe
File created	C:\Windows\SysWOW64\Bgaengmn.dll	Lljolodf.exe
File opened for modification	C:\Windows\SysWOW64\Hohfmi32.exe	Hhkakonn.exe
File opened for modification	C:\Windows\SysWOW64\Jccjln32.exe	Jiiikq32.exe
File created	C:\Windows\SysWOW64\Ikqcgj32.exe	Hhpjfoji.exe
File created	C:\Windows\SysWOW64\Ihedan32.exe	Ikqcgj32.exe
File created	C:\Windows\SysWOW64\Bffamejl.dll	Ijkjde32.exe
File created	C:\Windows\SysWOW64\Lbmgcb32.dll	Kidlodkj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1836	1708	WerFault.exe	62

System Location Discovery: System Language Discovery 1 TTPs 35 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijkjde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ehilgikj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjjeid32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gdpikmci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jgjman32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gkgdbh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmnpkp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kidlodkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kiifjd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ab8a8ab6013dd0505b7f5965e5ab2d90N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebemnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fadmenpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fehodaqd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ikqcgj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ihedan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpqaanqd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkahbkgk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fooghg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebhjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eibbqmhd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gkaghf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Imgija32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbmdig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jiiikq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mllhpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gmkjjbhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hpplfm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lljolodf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gaibpa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hhkakonn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hohfmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hhpjfoji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Igojmjgf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jccjln32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kagkebpb.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jiiikq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	ab8a8ab6013dd0505b7f5965e5ab2d90N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqfgcf32.dll"	Ehilgikj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gffppc32.dll"	Hhpjfoji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Igojmjgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhgjifff.dll"	Jmnpkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ebemnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kagkebpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fadmenpg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gkaghf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jiiikq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lljolodf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfdjdpm.dll"	ab8a8ab6013dd0505b7f5965e5ab2d90N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kidlodkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnnaoldi.dll"	Hpplfm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpqaanqd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hhkakonn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbmdig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmgpnn32.dll"	Kiifjd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kiifjd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	ab8a8ab6013dd0505b7f5965e5ab2d90N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iahckl32.dll"	Ebemnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eibbqmhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jckflh32.dll"	Fjjeid32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ebhjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cghangih.dll"	Gkgdbh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gmkjjbhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hhkakonn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Imgija32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgaengmn.dll"	Lljolodf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onpoob32.dll"	Gmkjjbhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gkaghf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hohfmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelbl32.dll"	Igojmjgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdopmade.dll"	Jiiikq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjegbfin.dll"	Jbmdig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jccjln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ebhjdc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ijkjde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kidlodkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkdakmp.dll"	Fooghg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obopji32.dll"	Gkaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jgjman32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cokdcc32.dll"	Jccjln32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	ab8a8ab6013dd0505b7f5965e5ab2d90N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	ab8a8ab6013dd0505b7f5965e5ab2d90N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fehodaqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hohfmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hpplfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fadmenpg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gkgdbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ebemnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fjjeid32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kiifjd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lljolodf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qabojbcg.dll"	Hohfmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ikqcgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpqaanqd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fehodaqd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hhpjfoji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jmnpkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fjjeid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bahhpf32.dll"	Kpqaanqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hhpjfoji.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 2156	2052	ab8a8ab6013dd0505b7f5965e5ab2d90N.exe	29
PID 2052 wrote to memory of 2156	2052	ab8a8ab6013dd0505b7f5965e5ab2d90N.exe	29
PID 2052 wrote to memory of 2156	2052	ab8a8ab6013dd0505b7f5965e5ab2d90N.exe	29
PID 2052 wrote to memory of 2156	2052	ab8a8ab6013dd0505b7f5965e5ab2d90N.exe	29
PID 2156 wrote to memory of 2896	2156	Ebemnc32.exe	30
PID 2156 wrote to memory of 2896	2156	Ebemnc32.exe	30
PID 2156 wrote to memory of 2896	2156	Ebemnc32.exe	30
PID 2156 wrote to memory of 2896	2156	Ebemnc32.exe	30
PID 2896 wrote to memory of 2644	2896	Ebhjdc32.exe	31
PID 2896 wrote to memory of 2644	2896	Ebhjdc32.exe	31
PID 2896 wrote to memory of 2644	2896	Ebhjdc32.exe	31
PID 2896 wrote to memory of 2644	2896	Ebhjdc32.exe	31
PID 2644 wrote to memory of 2932	2644	Eibbqmhd.exe	32
PID 2644 wrote to memory of 2932	2644	Eibbqmhd.exe	32
PID 2644 wrote to memory of 2932	2644	Eibbqmhd.exe	32
PID 2644 wrote to memory of 2932	2644	Eibbqmhd.exe	32
PID 2932 wrote to memory of 1752	2932	Ehilgikj.exe	33
PID 2932 wrote to memory of 1752	2932	Ehilgikj.exe	33
PID 2932 wrote to memory of 1752	2932	Ehilgikj.exe	33
PID 2932 wrote to memory of 1752	2932	Ehilgikj.exe	33
PID 1752 wrote to memory of 3024	1752	Fjjeid32.exe	34
PID 1752 wrote to memory of 3024	1752	Fjjeid32.exe	34
PID 1752 wrote to memory of 3024	1752	Fjjeid32.exe	34
PID 1752 wrote to memory of 3024	1752	Fjjeid32.exe	34
PID 3024 wrote to memory of 1080	3024	Fadmenpg.exe	35
PID 3024 wrote to memory of 1080	3024	Fadmenpg.exe	35
PID 3024 wrote to memory of 1080	3024	Fadmenpg.exe	35
PID 3024 wrote to memory of 1080	3024	Fadmenpg.exe	35
PID 1080 wrote to memory of 2388	1080	Fooghg32.exe	36
PID 1080 wrote to memory of 2388	1080	Fooghg32.exe	36
PID 1080 wrote to memory of 2388	1080	Fooghg32.exe	36
PID 1080 wrote to memory of 2388	1080	Fooghg32.exe	36
PID 2388 wrote to memory of 396	2388	Fehodaqd.exe	37
PID 2388 wrote to memory of 396	2388	Fehodaqd.exe	37
PID 2388 wrote to memory of 396	2388	Fehodaqd.exe	37
PID 2388 wrote to memory of 396	2388	Fehodaqd.exe	37
PID 396 wrote to memory of 1728	396	Gkgdbh32.exe	38
PID 396 wrote to memory of 1728	396	Gkgdbh32.exe	38
PID 396 wrote to memory of 1728	396	Gkgdbh32.exe	38
PID 396 wrote to memory of 1728	396	Gkgdbh32.exe	38
PID 1728 wrote to memory of 2728	1728	Gdpikmci.exe	39
PID 1728 wrote to memory of 2728	1728	Gdpikmci.exe	39
PID 1728 wrote to memory of 2728	1728	Gdpikmci.exe	39
PID 1728 wrote to memory of 2728	1728	Gdpikmci.exe	39
PID 2728 wrote to memory of 1792	2728	Gmkjjbhg.exe	40
PID 2728 wrote to memory of 1792	2728	Gmkjjbhg.exe	40
PID 2728 wrote to memory of 1792	2728	Gmkjjbhg.exe	40
PID 2728 wrote to memory of 1792	2728	Gmkjjbhg.exe	40
PID 1792 wrote to memory of 1132	1792	Gaibpa32.exe	41
PID 1792 wrote to memory of 1132	1792	Gaibpa32.exe	41
PID 1792 wrote to memory of 1132	1792	Gaibpa32.exe	41
PID 1792 wrote to memory of 1132	1792	Gaibpa32.exe	41
PID 1132 wrote to memory of 2412	1132	Gkaghf32.exe	42
PID 1132 wrote to memory of 2412	1132	Gkaghf32.exe	42
PID 1132 wrote to memory of 2412	1132	Gkaghf32.exe	42
PID 1132 wrote to memory of 2412	1132	Gkaghf32.exe	42
PID 2412 wrote to memory of 1660	2412	Hpplfm32.exe	43
PID 2412 wrote to memory of 1660	2412	Hpplfm32.exe	43
PID 2412 wrote to memory of 1660	2412	Hpplfm32.exe	43
PID 2412 wrote to memory of 1660	2412	Hpplfm32.exe	43
PID 1660 wrote to memory of 608	1660	Hhkakonn.exe	44
PID 1660 wrote to memory of 608	1660	Hhkakonn.exe	44
PID 1660 wrote to memory of 608	1660	Hhkakonn.exe	44
PID 1660 wrote to memory of 608	1660	Hhkakonn.exe	44

C:\Users\Admin\AppData\Local\Temp\ab8a8ab6013dd0505b7f5965e5ab2d90N.exe
"C:\Users\Admin\AppData\Local\Temp\ab8a8ab6013dd0505b7f5965e5ab2d90N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Windows\SysWOW64\Ebemnc32.exe
  C:\Windows\system32\Ebemnc32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Windows\SysWOW64\Ebhjdc32.exe
    C:\Windows\system32\Ebhjdc32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\SysWOW64\Eibbqmhd.exe
      C:\Windows\system32\Eibbqmhd.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2644
    - - C:\Windows\SysWOW64\Ehilgikj.exe
        
        C:\Windows\system32\Ehilgikj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2932
      - C:\Windows\SysWOW64\Fjjeid32.exe
        
        C:\Windows\system32\Fjjeid32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\SysWOW64\Fadmenpg.exe
        
        C:\Windows\system32\Fadmenpg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\SysWOW64\Fooghg32.exe
        
        C:\Windows\system32\Fooghg32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\SysWOW64\Fehodaqd.exe
        
        C:\Windows\system32\Fehodaqd.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\Gkgdbh32.exe
        
        C:\Windows\system32\Gkgdbh32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\SysWOW64\Gdpikmci.exe
        
        C:\Windows\system32\Gdpikmci.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\SysWOW64\Gmkjjbhg.exe
        
        C:\Windows\system32\Gmkjjbhg.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\Gaibpa32.exe
        
        C:\Windows\system32\Gaibpa32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\SysWOW64\Gkaghf32.exe
        
        C:\Windows\system32\Gkaghf32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Windows\SysWOW64\Hpplfm32.exe
        
        C:\Windows\system32\Hpplfm32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\SysWOW64\Hhkakonn.exe
        
        C:\Windows\system32\Hhkakonn.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\SysWOW64\Hohfmi32.exe
        
        C:\Windows\system32\Hohfmi32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:608
        
        C:\Windows\SysWOW64\Hhpjfoji.exe
        
        C:\Windows\system32\Hhpjfoji.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2536
        
        C:\Windows\SysWOW64\Ikqcgj32.exe
        
        C:\Windows\system32\Ikqcgj32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2948
        
        C:\Windows\SysWOW64\Ihedan32.exe
        
        C:\Windows\system32\Ihedan32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1172
        
        C:\Windows\SysWOW64\Imgija32.exe
        
        C:\Windows\system32\Imgija32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1816
        
        C:\Windows\SysWOW64\Ijkjde32.exe
        
        C:\Windows\system32\Ijkjde32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\Igojmjgf.exe
        
        C:\Windows\system32\Igojmjgf.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1984
        
        C:\Windows\SysWOW64\Jmnpkp32.exe
        
        C:\Windows\system32\Jmnpkp32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2192
        
        C:\Windows\SysWOW64\Jbmdig32.exe
        
        C:\Windows\system32\Jbmdig32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:652
        
        C:\Windows\SysWOW64\Jgjman32.exe
        
        C:\Windows\system32\Jgjman32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1784
        
        C:\Windows\SysWOW64\Jiiikq32.exe
        
        C:\Windows\system32\Jiiikq32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\Jccjln32.exe
        
        C:\Windows\system32\Jccjln32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\Kagkebpb.exe
        
        C:\Windows\system32\Kagkebpb.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2892
        
        C:\Windows\SysWOW64\Kidlodkj.exe
        
        C:\Windows\system32\Kidlodkj.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\Kpqaanqd.exe
        
        C:\Windows\system32\Kpqaanqd.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Kiifjd32.exe
        
        C:\Windows\system32\Kiifjd32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2692
        
        C:\Windows\SysWOW64\Lljolodf.exe
        
        C:\Windows\system32\Lljolodf.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2684
        
        C:\Windows\SysWOW64\Lkahbkgk.exe
        
        C:\Windows\system32\Lkahbkgk.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1276
        
        C:\Windows\SysWOW64\Mllhpb32.exe
        
        C:\Windows\system32\Mllhpb32.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 140
        36⤵
        Program crash
        
        PID:1836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ebemnc32.exe

Filesize
128KB

MD5
30a46fb9ca6a14ebbabd95853eb281c5

SHA1
b45a9539e767cc63f5ac647522d7d215cb774b7e

SHA256
d5f67d85726f32fa388acb8f72f105548420c4df899a96ebca67c8f24c273753

SHA512
460daef84c6026f9cc7857ce857f941b8141d2d7e55afab8cadfbbfb3bbfbcb116343cdaa56fa9776539d3c33ff1d1ef4dc86db6712d7d99c9c49499f3062fe0

Download Submit
C:\Windows\SysWOW64\Ebhjdc32.exe

Filesize
128KB

MD5
3e523b2aea4959072e2944c042b0620c

SHA1
c069178cb0387b92ba751eadc1df6c9200366a86

SHA256
3ea0ed3035be6af4c47559f1131b586158652431d642111872adf1e3f1c8a07f

SHA512
444abdce81d076fa02ea493e18b25e6a6ad5d49e78ad2e1722d2e0c9b56f5529b43a6cef4de9e4436ad96c857520b5d7933b2c9f6502da4ce6868f61afb31f09

Download Submit
C:\Windows\SysWOW64\Eibbqmhd.exe

Filesize
128KB

MD5
c92147c792b8fac3b7d130626c87771f

SHA1
2dfb3769f6fa9af9dfe00df503a37bbc576f0c1f

SHA256
4e1b44fd456487eae6924bf4813c7a5d5fdf4a199241d3945c5a842ddc16a11e

SHA512
914f68b223d6efcfb0dafd9b4b317d6f60a8664a13974ee65909b07c527a35f0fab550bf6ac961d140806a86d6b2196e6abdfe9c31a5e66effc8c8ae2d3af52c

Download Submit
C:\Windows\SysWOW64\Fooghg32.exe

Filesize
128KB

MD5
8bd95e6f5e32015428f15d2cac0ad732

SHA1
3b69a56c6ec959a39be9e222c8990ebd238cba0d

SHA256
c67fa104929d0bc50a39df4af7168c1ee170001dec38b4bdc9fecfcf143731dd

SHA512
d79e0feb28d33d3526b40754e1f468f851ad85e8c4baad1135ca10f5a25feece42c384d6493d0efde9b2e0f18506a5f839e76555454330a133c84d352f462562

Download Submit
C:\Windows\SysWOW64\Gkgdbh32.exe

Filesize
128KB

MD5
e171142a39ee28b70e12763c16d16ad4

SHA1
ac978ee8a98a00739246b79e73441748d8659952

SHA256
6016ad886ce3a920e2a4ba13b40722636c43b7dbfcbb78b5225060d5dcc7cb0c

SHA512
9717ac697f767736959aa576ebcd47789a824b7ea0cdb2fab8fdd77d897842930bae7d8087221c7e8f2eb1213a9446446ae9fabeabdad797c8b1b2b61c70935d

Download Submit
C:\Windows\SysWOW64\Hhpjfoji.exe

Filesize
128KB

MD5
b20bfa4d44cd6f5d816918a8d8279036

SHA1
8f374322a11b0351949f237dec5333d4964fc516

SHA256
cb043a579e3f3a84335327fd5d00a3107aa24737407e7d3f0387e2ab6d8fea61

SHA512
71990a5a6939f78ba23aea7e80bc3e178739e8cf5bf739249abebc3537b1bd6f90ac556a161332dcd25ac90ac46562d542c1e8c5e85b6ef2e2140e1ca5d9f688

Download Submit
C:\Windows\SysWOW64\Igojmjgf.exe

Filesize
128KB

MD5
010ddbb8aa8aca6cfb84e8e8dd421982

SHA1
4dc1560f3581d9f6c3831a25dc377a9cfc7e72ca

SHA256
d7177da286d9fec66debeec9b8d9771e9b1511b7f105ee9d9ab790eb4cff2ce6

SHA512
364bf81e0deac9cf060fa3e08f0a0e7bfe35471d2c2b39d630aa07e4374c6d9c30f99b0ed121b3e1c7ca920b0e41f4e761a6e9c3abebbabee66f0d3a73aea3d9

Download Submit
C:\Windows\SysWOW64\Ihedan32.exe

Filesize
128KB

MD5
5da9112aac8ac0c247db02b1d050a744

SHA1
0cba2563f4f6ae04431622d7c249743997d0fa2e

SHA256
ae7c6c3343fd378ed016e2533c07862b075a34d76a0ac659ce9c0233cadf8e48

SHA512
497e906ae25ccf038d39eed5cf151d225965acfd0cc01e2525396d7f3acc3ed1f5eebaec57163424628042a796b78d2373c7fe17f748ada786d0acdd8b47d955

Download Submit
C:\Windows\SysWOW64\Ijkjde32.exe

Filesize
128KB

MD5
5fd39d7a4ec4a551b8ef9faa20db5e97

SHA1
59a11f9936a1cb732a957609631a4732a94358ef

SHA256
54f8db1f4f9677db7ae238a84120112def8b18392d23595b45be110d4b389e26

SHA512
8030900161e5eec4adc3921f466d7c9b82fbfbf33fe3ec055b2bf293ae03570e46e53098feccf2fbf25c79d3717299f758b9b80c2e8aa2209932f64b32289334

Download Submit
C:\Windows\SysWOW64\Ikqcgj32.exe

Filesize
128KB

MD5
743f5461d65fd300bb1b44fa5690de9b

SHA1
f60981a2b32627206ee300fcc26bf7e2f25d08a3

SHA256
4f8bfa757dde7d231580906f108163277dfc1603c5ab38d86d0c744e0dd2592a

SHA512
823784f9a4ca8ff0e7d10bab5da7edd9ae798a112fd13fd498cc820e71588aceb131b1e80cb12b692e24e4917ecce511c34f2baaf3b440c2fe283a3f62f9ce10

Download Submit
C:\Windows\SysWOW64\Imgija32.exe

Filesize
128KB

MD5
fc3cb933b75d4a1267ade5918ba899c3

SHA1
e099b8951f6b4d39b0d20a6eb3e09a0457a51357

SHA256
19bb63f62b03cbcd2188fc49791c515ba7d976b3eadc7c4e6f60ef1b50101fdf

SHA512
5568194e6ce827eca9495563271d859aee255a3eb87f96dfd64b0e4494969d32482a912fd23c9918fb9d5c3ab8be6159b7eaf71496cd99e82842748bff226aa0

Download Submit
C:\Windows\SysWOW64\Jbmdig32.exe

Filesize
128KB

MD5
1c539a542c73223716f2b49df610815e

SHA1
69f2d6f7b6463cce20aaff4ee610b2211a6ec912

SHA256
b3f41d7c654667caa11e848e28b1ed81aa8ad55d0f6647668d996f8dbf2e376a

SHA512
58e53ced0c6f30056c96c87a1dca41662ab80ae78df0215f148e22d57b9a1681d2b850c8dd1d4ee439d33f2859d38c4e207783adafe9390b6fd49cfde8da8b9b

Download Submit
C:\Windows\SysWOW64\Jccjln32.exe

Filesize
128KB

MD5
abc0309e7c6f121e7df9592d4debfa94

SHA1
54922e41224053a563ffbaccaac6b36d6d7e8ea8

SHA256
d369495b86bc28af0ca854ef5702c9316c9179ccb7d0e482af6fbd181fd81027

SHA512
40b8c6fcbb4ba1a44e1a9b0d23c4d5052d60c8a5e1a4cf5af1fcf92327de1dccc1f709bddc39089cb5270687384e842c2a7ae02b2c15616bd715266dacaa52aa

Download Submit
C:\Windows\SysWOW64\Jgjman32.exe

Filesize
128KB

MD5
269c7ba7f316e8d70dd92b5f1f8615de

SHA1
4bedb555217b3a5c5e1b35945d852b2de956df16

SHA256
dd91a1823b40a7d7d3820cfeda4ab6da5a4196fe876622529fca95ff61fca524

SHA512
40ba900c71a0efe4eaac35a5fd0d310f31b88d837fcb64d893ebf6f0ac057af34770bd26979debadc933c398a146858ac5b65d74f6ce8b2ed910d18205256f8e

Download Submit
C:\Windows\SysWOW64\Jiiikq32.exe

Filesize
128KB

MD5
a6ecfb4a46ba5d27e70aaa6b1bfc365b

SHA1
f3421b07f9d3722419073f2a39c3d254dbe1a9b8

SHA256
9e069b14a2c37e259a79e76e554e896c1fe19c69dcc09e4d3c2cf4e4d770613e

SHA512
4773447986c4cb3c10689f31a1369d30f9c09fbed743134992b03abd76aefa0e6f0da90b9b74d7c858ef4062a268297d7e1bc9b1c3386c8bd748ed6d5d4017a0

Download Submit
C:\Windows\SysWOW64\Jmnpkp32.exe

Filesize
128KB

MD5
83e71f32662bf7c932482f4e0d274ab1

SHA1
0571b897c711b4b19379431f5c3a8dd8c849d86c

SHA256
4959878a3f00993efca05e70a132bc215dac34f2965e15bf882fde1a95b8d058

SHA512
ddef48e38bd418219ffbae8cd73ff0b9fa06e956fed5afe4ca027a20e87235d034a23d79ad83930dcd72ae78ec512e8b3951f5347c81df6598ec0fc136fffda0

Download Submit
C:\Windows\SysWOW64\Kagkebpb.exe

Filesize
128KB

MD5
8e2aff66c41a53c4a4219c1c19f9b40a

SHA1
92f256e382644180e580d4c527a92e2930aea6d2

SHA256
b3daa0bd5b7f4b087e7d94daa54565e3403910b3d6a83f748a7efb786ff80a45

SHA512
248e90bf0c1cdab7967b527ff44626f45e2445e6584dc98023a9fd91932190589368b7043930c3f4bdbb25eb42a45156275d296d02d3733c90e158b20a8a15e6

Download Submit
C:\Windows\SysWOW64\Kidlodkj.exe

Filesize
128KB

MD5
a4bfd3d12461a8598494effe8c6b9b49

SHA1
96fe745b5d05012639f2bf2a7cae6e783fda85c0

SHA256
d9da6ca01537d73625f0f99694aa926d393c4b45ac69a37e78dc0301d1d4d92e

SHA512
8b0a769b57dc2ff102f3c6a631697f7f169f9a56a26858b6a8fda13cf8c9cdab03ae4c68fff1422e6cf200c27d55e4e22eb831b143bb53fad3696ccc73d795d7

Download Submit
C:\Windows\SysWOW64\Kiifjd32.exe

Filesize
128KB

MD5
1eb588092f8364f5e5b061727e524c75

SHA1
c1fc9dcb78d7539844cf9c268d669d62dd704be4

SHA256
30229671aeb2a529872d8b280ca68b1aaef888bb6ef53c7858b78535c4383dde

SHA512
65a4560dbd898468afef6c666a3036685b1b362e420a568728e456ffb19368549cede5a017ec6e0006252953f092813fcc7b98d16e050fa4ae6f25a9aabeaa7c

Download Submit
C:\Windows\SysWOW64\Kpqaanqd.exe

Filesize
128KB

MD5
a43f9a15da29e7cad01baa62cbc9d65e

SHA1
451c4a1a57422c1d992ece30a013c887a9457466

SHA256
17e7dac0bd0ad23f309e8d5a509af245b7dac458e577c7918b87f767e9ca01f3

SHA512
28adcf774e37daccfbd76e353e08fb022781fd3adeb7c80d77d50f112c1303bc7da0aeb4707967fbbbe04124eeb09aa52f19fbfda8f53822c1499f1adf362ba0

Download Submit
C:\Windows\SysWOW64\Kqfgcf32.dll

Filesize
7KB

MD5
7ea02b51d680f77d84fdecc5bee80535

SHA1
fb9724102d19b671b5fe17a4f405ad424f5de642

SHA256
327caa1126e392efaa3b508bba6af5160772e301ff1c61bbc6f3b7ba252983a3

SHA512
1292b3df6bef3b5e718f528f2f6179375a739adf0ffcc333b0bbaa3f5b6ea7d508eddfdc6a1d01473c57767bbf3876b236382d07575bc7dfb91333f144cbba83

Download Submit
C:\Windows\SysWOW64\Lkahbkgk.exe

Filesize
128KB

MD5
9b3b88b3abe29d584017b7f5bd1b62d4

SHA1
4de8532666b0e2c0c279edcda226896a42645346

SHA256
edf1b8b74e677addebfe6a0b1d9d2027ce5fbce10a2ae21e76edfba5e04931ee

SHA512
5018e74d008d9fe2e4729c5fe3aac4faf798bf1131f912e4f995fb4ee83275ffbebc13b03270c34ff02580026e62697c18b0c53bf48b291ad26d2942b13180ce

Download Submit
C:\Windows\SysWOW64\Lljolodf.exe

Filesize
128KB

MD5
48d3dfa11ff59f2c31def821ea711c27

SHA1
92b7e7ddd593a9a77ca92cf5b29b7d92c6c41cbe

SHA256
bd5d087be00645f64334b29d86bcc7b696e9ba3c55f107f9c8057b6ef8094728

SHA512
03c9a291d2416a669bc1c4bf5d08290685cd61379d9ecdc68da74d01371d29d0be056b3b6e2e7ca544205d1ac48296398cf0f92bf5ebeb1097a1620638bef684

Download Submit
C:\Windows\SysWOW64\Mllhpb32.exe

Filesize
128KB

MD5
d70afe06160fdcdf623bea0f6951e0cc

SHA1
ace761ecd16c926b040288030a6264f6e5354d67

SHA256
fd048c0dc1998e094cd29fe2ded1034fda931deb98ffa5f50cf90ef0d455d5e8

SHA512
42febfba972022dfd28aed28514c83c808a8d3f6282b8289982684bb9969c9b632de99b27dd28e26952cf6a5c7b14fcdf1703957b5e4311cf744a4bd0f2ba715

Download Submit
\Windows\SysWOW64\Ehilgikj.exe

Filesize
128KB

MD5
8c03cbb4775a14fd75ea800e4694858b

SHA1
51d714ec294e082c879f65c9e95c516ebb259ef8

SHA256
ccff92ab14b031d04caecd1a1657ecf8403539ceaf4ed82f96e00356b18efc49

SHA512
a467b918137fa560c3c87e4f04ffca6dc66c5084de1e7cafeda73e61c073151c1034c1bdd4a9adcb54a0e3b951c7b472e3f7b0a211d91f7639c5659128bf9199

Download Submit
\Windows\SysWOW64\Fadmenpg.exe

Filesize
128KB

MD5
ff76ebc437486fe5c8a686b7db465196

SHA1
e88f7dc194d3373fff06d1a96f5a89169fa523a9

SHA256
68be581d82c67a71b860eb70e2cb94c13d698dbce214384696b024a866230389

SHA512
667eef0b68a20c7320b96d2a1eab71b3aee88be35bf4e69a3f6f8f5e706253563c8cfebe4665ec7a47213c6fe1a052cdc3327fcfb603dbf628b2b04bc01dbc38

Download Submit
\Windows\SysWOW64\Fehodaqd.exe

Filesize
128KB

MD5
707de2dd13f0a3e87002eb843375459b

SHA1
2ee69454dd0240e50fd071ad1cca2ef1d3f7e844

SHA256
b5776d5a8437ad0477f68b873fd6ddd48a9e345182f7f28ab7c82c7bf0626c93

SHA512
95cd334033936e510c8b8fcbed3ab36fcaa05604685e7e0e04930d816c0439997521a033be6bbf33c1061928e18c6ef5e5997477c99e9420a027dad864cd93a1

Download Submit
\Windows\SysWOW64\Fjjeid32.exe

Filesize
128KB

MD5
f7663e2edcdbab2947c76614e48088d8

SHA1
85a37dcef62f212f7d2309d852f3b1fb0c55b44d

SHA256
d9e0b322070ef90596ed11209de081938afcfef45ac7de18bb0a18112d465d69

SHA512
ed7db46974948d1bc0cde729f389e9c78c9d71ad3cf7f7a0a867110090acb7d44f13db82ad05b7a89d9508b006d3c9d517ece6decef25adc2abd5c1699e1c095

Download Submit
\Windows\SysWOW64\Gaibpa32.exe

Filesize
128KB

MD5
17cfaaccd543295245b1a850e5f21da4

SHA1
9c8bad595444db96e9e636fd1d7281f8a5bf84c0

SHA256
b22a7f4b31b2ab1ba89552d7fed6aaa38b7dbc3dd226d92aa8c332c9faa1df85

SHA512
a9c32b35c273b18d6e924833cb9a5163809ddee1328a7d2c768435e2893fe1ace5247caed6791bf36128054aa8a047a8ae32f550fe8c4e25f055e68166c0082f

Download Submit
\Windows\SysWOW64\Gdpikmci.exe

Filesize
128KB

MD5
58168e5297eca868416f634deb172758

SHA1
9739acbc447b044b4597d2653ed105c1f6ceb25d

SHA256
aeb19a53853606f74e202e3f3e280e8d4a40c1be10ccbcd1d09ee30f4e2349ef

SHA512
854dff0853ed27bcbf176818774ed3f22612ceaeeb4e32360d6193242d3076b263c732246e0750c3f0ee9763b64251435ea804ce98b021c7850c7616c4164ba8

Download Submit
\Windows\SysWOW64\Gkaghf32.exe

Filesize
128KB

MD5
a4cb17bbdec4a18f77f5f3e5d8705760

SHA1
0c9626581f8d715853abf982dc2b50c634326b3e

SHA256
8643a2e61840d2a70f60b1e51e0ee17780ed3ec825102299c588eee75ffdc587

SHA512
4f653365478f7e0e55a2a75c831f79057e7f81778eab9db9308072adc9bbf044eb91c7aa5fb4d02c23d3a1447b572aa9dd361eb98133b1c11f4fdab34920fd7d

Download Submit
\Windows\SysWOW64\Gmkjjbhg.exe

Filesize
128KB

MD5
7ffa948aed7a09031acf3eeb950084bf

SHA1
6588cfff73002bdce5717747b6593706714b6cc6

SHA256
58d885b23a9eb73e2997dda73516259a549da6105894df2ea203b890ba367c4d

SHA512
82ab3d146e75ec5ab464e0f3da25910b90b642321adce0c1052126fea7b0b6ffd2a247df376cda1ad32b1e843afdf94b924f2564dad5e0023edf288fb8dd93f5

Download Submit
\Windows\SysWOW64\Hhkakonn.exe

Filesize
128KB

MD5
8830e481270a8bd05297fcd96f09a5c5

SHA1
03c078fc114537aeaf0d57e8d3e43d79905704f0

SHA256
929665491a64faf4e2ec73bed0caae883f04ec3b1d1b428e3283b87499899822

SHA512
fd3319dd63d559274bce84259b179442b4fac0a1e07c8adc75484acf5fb8f7406455def650229efab5ad85292798a9e418042e7236d2e4c4b59d7f109a9b817d

Download Submit
\Windows\SysWOW64\Hohfmi32.exe

Filesize
128KB

MD5
404ec7d1e5577bdd8dab360623a38f53

SHA1
4f130a062e77d4c4d6b9aeaf7151abc8f638a461

SHA256
b54651e931fa95421170e0ffe67d7307dc36c298302aafabfd1cc35b734d6dba

SHA512
220eca4db5e1db861c3dece77b43d685b805956e229106ec52e5200dd2a0c1a923bc970ccb34d4459d44611d6ea3a09b4a45a98c91081c1ba36e21ab361646ed

Download Submit
\Windows\SysWOW64\Hpplfm32.exe

Filesize
128KB

MD5
d80a7d671e769574facac9474904ffc7

SHA1
d879c7befe34194e9cc5c643e0ff241fa4db9086

SHA256
81b9cc404daffc7491917e3df429c89f339a358e2a79bb39ee208ac9c4f62738

SHA512
fd199ab28edcf938881c7f94e561302b8911030f569d07aea9eebe81ed0346018b843e3c3a4bb83795f985e27115dbb4455a34f9bbd7cfa41afce7d39ce00c26

Download Submit
memory/396-414-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/396-128-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/396-131-0x00000000001B0000-0x00000000001F4000-memory.dmp

Filesize
272KB

Download
memory/608-214-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/608-421-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/652-313-0x0000000000310000-0x0000000000354000-memory.dmp

Filesize
272KB

Download
memory/652-307-0x0000000000310000-0x0000000000354000-memory.dmp

Filesize
272KB

Download
memory/652-303-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/652-429-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1080-412-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1080-97-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1132-175-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1132-418-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1172-253-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/1172-424-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1172-254-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/1276-398-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1608-362-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/1608-361-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/1608-352-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1660-201-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1660-420-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1708-410-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1728-415-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1748-266-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1748-272-0x00000000002C0000-0x0000000000304000-memory.dmp

Filesize
272KB

Download
memory/1748-426-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1748-276-0x00000000002C0000-0x0000000000304000-memory.dmp

Filesize
272KB

Download
memory/1752-74-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1752-83-0x00000000002B0000-0x00000000002F4000-memory.dmp

Filesize
272KB

Download
memory/1752-409-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1752-77-0x00000000002B0000-0x00000000002F4000-memory.dmp

Filesize
272KB

Download
memory/1784-318-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/1784-430-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1784-312-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1784-319-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/1792-417-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1792-162-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1816-425-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1816-264-0x00000000003A0000-0x00000000003E4000-memory.dmp

Filesize
272KB

Download
memory/1816-265-0x00000000003A0000-0x00000000003E4000-memory.dmp

Filesize
272KB

Download
memory/1816-255-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1984-286-0x0000000000490000-0x00000000004D4000-memory.dmp

Filesize
272KB

Download
memory/1984-427-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1984-282-0x0000000000490000-0x00000000004D4000-memory.dmp

Filesize
272KB

Download
memory/2052-12-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/2052-13-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/2052-377-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2052-381-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/2052-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2156-38-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/2156-387-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/2156-14-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2156-380-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2192-428-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2192-296-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/2192-297-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/2192-287-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2388-413-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2388-110-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2412-188-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2412-419-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2508-329-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/2508-324-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2536-422-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2536-233-0x00000000002E0000-0x0000000000324000-memory.dmp

Filesize
272KB

Download
memory/2536-224-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2644-53-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/2644-399-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/2644-388-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2644-41-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2684-389-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2692-379-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2692-386-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/2728-149-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2728-416-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2772-431-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2772-338-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/2772-330-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2772-336-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/2884-378-0x00000000001B0000-0x00000000001F4000-memory.dmp

Filesize
272KB

Download
memory/2884-368-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2884-376-0x00000000001B0000-0x00000000001F4000-memory.dmp

Filesize
272KB

Download
memory/2892-350-0x00000000005E0000-0x0000000000624000-memory.dmp

Filesize
272KB

Download
memory/2892-351-0x00000000005E0000-0x0000000000624000-memory.dmp

Filesize
272KB

Download
memory/2892-341-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2896-39-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2932-55-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2932-68-0x0000000000230000-0x0000000000274000-memory.dmp

Filesize
272KB

Download
memory/2932-405-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2948-423-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2948-240-0x0000000000320000-0x0000000000364000-memory.dmp

Filesize
272KB

Download
memory/2948-244-0x0000000000320000-0x0000000000364000-memory.dmp

Filesize
272KB

Download
memory/2948-234-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3024-96-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/3024-411-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads