4d0e758aa900c6ac6f34a5a98d7711016c0e30fd3e8484ecb6e0ebc3ade21ce4

Analysis

max time kernel
136s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26-07-2024 21:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d0e758aa900c6ac6f34a5a98d7711016c0e30fd3e8484ecb6e0ebc3ade21ce4.exe
Size

113KB
MD5

c3a5ebf421b21d30bdee6f379e0a9807
SHA1

567b3fa798641c95f0344a52f2fcb4f95c3fd394
SHA256

4d0e758aa900c6ac6f34a5a98d7711016c0e30fd3e8484ecb6e0ebc3ade21ce4
SHA512

a9ffac0eaaa4bccdf9bf9c86818893e0b9a85c2fdaf2d95e05341cbe501b1bcfcbdcc352251e6a02fa7d93613989a49aa7782188c13056b87941cbd9a9d3815c
SSDEEP

1536:pydmy0DwGj20iHtoO617DWkZFfScD7SzCbHWrAW8wTWiliX:p+mXH2ZoOuGkZFfFSebHWrH8wTW0

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efmiigdl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebdjnijq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eipopb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfcfcilg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dbmdmjpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efkmchfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enmgiinb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enmgiinb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eiblfbmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dbjghjbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eikfeccp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Einbkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekjbaobd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eknkmn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dibcod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkpokp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekgelodf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebfgchhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efdpjfnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	4d0e758aa900c6ac6f34a5a98d7711016c0e30fd3e8484ecb6e0ebc3ade21ce4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebdjnijq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eohkgmij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekjbaobd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebfgchhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eiblfbmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chdfnfhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbohll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfcfcilg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnjien32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eminkajf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnhegl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnhegl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogaqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dibcod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eikfeccp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cahakmbq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chajhg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnbqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dojnfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fpldbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckdppael.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cobhepkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dojnfo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efkmchfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chdfnfhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddicdeao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbmdmjpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckbcjbgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdkgbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cobhepkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogaqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkpokp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkkmicmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blkicfdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckbcjbgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbohll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhpfienm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dekpjeol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eipopb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbkpog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	4d0e758aa900c6ac6f34a5a98d7711016c0e30fd3e8484ecb6e0ebc3ade21ce4.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blkicfdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdkgbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpldbl32.exe

Executes dropped EXE 45 IoCs

pid	Process
3524	Bkkmicmf.exe
1300	Bnjien32.exe
2608	Blkicfdi.exe
5104	Cahakmbq.exe
3076	Chajhg32.exe
988	Cnnbqn32.exe
4384	Chdfnfhk.exe
3992	Ckbcjbgo.exe
392	Cdkgbg32.exe
4552	Ckdppael.exe
2720	Cbohll32.exe
1504	Chipif32.exe
2940	Cobhepkb.exe
2164	Clfiodjl.exe
4472	Dnhegl32.exe
5004	Dmiedd32.exe
3764	Dogaqo32.exe
2332	Dhpfienm.exe
3124	Dojnfo32.exe
4564	Dfcfcilg.exe
4576	Dibcod32.exe
3784	Dkpokp32.exe
5036	Dbjghjbk.exe
2872	Ddicdeao.exe
1672	Dbmdmjpi.exe
884	Dekpjeol.exe
3044	Efkmchfo.exe
4540	Ekgelodf.exe
3860	Efmiigdl.exe
4340	Eikfeccp.exe
4264	Ekjbaobd.exe
1188	Ebdjnijq.exe
1924	Einbkb32.exe
4520	Eminkajf.exe
3420	Eohkgmij.exe
1356	Ebfgchhn.exe
4224	Eipopb32.exe
2716	Eknkmn32.exe
5000	Enmgiinb.exe
4144	Efdpjfnd.exe
2212	Eiblfbmh.exe
3268	Ekahbnll.exe
4932	Fpldbl32.exe
4448	Fbkpog32.exe
4852	Feimkc32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bnjien32.exe	Bkkmicmf.exe
File opened for modification	C:\Windows\SysWOW64\Cahakmbq.exe	Blkicfdi.exe
File opened for modification	C:\Windows\SysWOW64\Cbohll32.exe	Ckdppael.exe
File created	C:\Windows\SysWOW64\Efmiigdl.exe	Ekgelodf.exe
File opened for modification	C:\Windows\SysWOW64\Enmgiinb.exe	Eknkmn32.exe
File created	C:\Windows\SysWOW64\Jhinfa32.dll	Eknkmn32.exe
File opened for modification	C:\Windows\SysWOW64\Ckbcjbgo.exe	Chdfnfhk.exe
File created	C:\Windows\SysWOW64\Nobkllfa.dll	Chipif32.exe
File created	C:\Windows\SysWOW64\Dhpfienm.exe	Dogaqo32.exe
File opened for modification	C:\Windows\SysWOW64\Efkmchfo.exe	Dekpjeol.exe
File created	C:\Windows\SysWOW64\Hiking32.dll	Dekpjeol.exe
File created	C:\Windows\SysWOW64\Ekjbaobd.exe	Eikfeccp.exe
File created	C:\Windows\SysWOW64\Jiglpb32.dll	Eiblfbmh.exe
File created	C:\Windows\SysWOW64\Gklldhgm.dll	Cahakmbq.exe
File created	C:\Windows\SysWOW64\Dbjghjbk.exe	Dkpokp32.exe
File created	C:\Windows\SysWOW64\Mipgikda.dll	Ekgelodf.exe
File opened for modification	C:\Windows\SysWOW64\Eikfeccp.exe	Efmiigdl.exe
File created	C:\Windows\SysWOW64\Hbkood32.dll	Ebfgchhn.exe
File opened for modification	C:\Windows\SysWOW64\Feimkc32.exe	Fbkpog32.exe
File created	C:\Windows\SysWOW64\Cahakmbq.exe	Blkicfdi.exe
File opened for modification	C:\Windows\SysWOW64\Clfiodjl.exe	Cobhepkb.exe
File opened for modification	C:\Windows\SysWOW64\Dkpokp32.exe	Dibcod32.exe
File created	C:\Windows\SysWOW64\Negegkdo.dll	Dbjghjbk.exe
File opened for modification	C:\Windows\SysWOW64\Eknkmn32.exe	Eipopb32.exe
File opened for modification	C:\Windows\SysWOW64\Cobhepkb.exe	Chipif32.exe
File created	C:\Windows\SysWOW64\Dbgjcofe.dll	Dojnfo32.exe
File created	C:\Windows\SysWOW64\Fbkpog32.exe	Fpldbl32.exe
File opened for modification	C:\Windows\SysWOW64\Cnnbqn32.exe	Chajhg32.exe
File created	C:\Windows\SysWOW64\Hllgle32.dll	Cbohll32.exe
File created	C:\Windows\SysWOW64\Dkpokp32.exe	Dibcod32.exe
File created	C:\Windows\SysWOW64\Ebdjnijq.exe	Ekjbaobd.exe
File created	C:\Windows\SysWOW64\Pjkpefdm.dll	Dhpfienm.exe
File created	C:\Windows\SysWOW64\Dfcfcilg.exe	Dojnfo32.exe
File created	C:\Windows\SysWOW64\Heeanidk.dll	Enmgiinb.exe
File created	C:\Windows\SysWOW64\Cnnbqn32.exe	Chajhg32.exe
File created	C:\Windows\SysWOW64\Ckbcjbgo.exe	Chdfnfhk.exe
File opened for modification	C:\Windows\SysWOW64\Chipif32.exe	Cbohll32.exe
File opened for modification	C:\Windows\SysWOW64\Dmiedd32.exe	Dnhegl32.exe
File created	C:\Windows\SysWOW64\Eeklmjmc.dll	Eipopb32.exe
File created	C:\Windows\SysWOW64\Gbabpmin.dll	Ekahbnll.exe
File opened for modification	C:\Windows\SysWOW64\Chdfnfhk.exe	Cnnbqn32.exe
File created	C:\Windows\SysWOW64\Dbbmff32.dll	Cdkgbg32.exe
File opened for modification	C:\Windows\SysWOW64\Dekpjeol.exe	Dbmdmjpi.exe
File opened for modification	C:\Windows\SysWOW64\Efdpjfnd.exe	Enmgiinb.exe
File created	C:\Windows\SysWOW64\Fpibqq32.dll	Fpldbl32.exe
File created	C:\Windows\SysWOW64\Emdjha32.dll	4d0e758aa900c6ac6f34a5a98d7711016c0e30fd3e8484ecb6e0ebc3ade21ce4.exe
File created	C:\Windows\SysWOW64\Dapkok32.dll	Ckdppael.exe
File created	C:\Windows\SysWOW64\Dojnfo32.exe	Dhpfienm.exe
File created	C:\Windows\SysWOW64\Chajhg32.exe	Cahakmbq.exe
File created	C:\Windows\SysWOW64\Chdfnfhk.exe	Cnnbqn32.exe
File created	C:\Windows\SysWOW64\Cbohll32.exe	Ckdppael.exe
File created	C:\Windows\SysWOW64\Obmonife.dll	Dbmdmjpi.exe
File opened for modification	C:\Windows\SysWOW64\Eminkajf.exe	Einbkb32.exe
File created	C:\Windows\SysWOW64\Oiahfh32.dll	Einbkb32.exe
File opened for modification	C:\Windows\SysWOW64\Eohkgmij.exe	Eminkajf.exe
File created	C:\Windows\SysWOW64\Ekahbnll.exe	Eiblfbmh.exe
File created	C:\Windows\SysWOW64\Ociamn32.dll	Fbkpog32.exe
File created	C:\Windows\SysWOW64\Chipif32.exe	Cbohll32.exe
File opened for modification	C:\Windows\SysWOW64\Dojnfo32.exe	Dhpfienm.exe
File opened for modification	C:\Windows\SysWOW64\Dbjghjbk.exe	Dkpokp32.exe
File created	C:\Windows\SysWOW64\Ddicdeao.exe	Dbjghjbk.exe
File created	C:\Windows\SysWOW64\Bomceg32.dll	Eminkajf.exe
File created	C:\Windows\SysWOW64\Bnjien32.exe	Bkkmicmf.exe
File opened for modification	C:\Windows\SysWOW64\Blkicfdi.exe	Bnjien32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3380	4852	WerFault.exe	131

System Location Discovery: System Language Discovery 1 TTPs 46 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbkpog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dibcod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbjghjbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eknkmn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eminkajf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eohkgmij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebfgchhn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekahbnll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckdppael.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cobhepkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbmdmjpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebdjnijq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eipopb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eiblfbmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dekpjeol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efmiigdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eikfeccp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhpfienm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekgelodf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekjbaobd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efdpjfnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Feimkc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chajhg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnbqn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chipif32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efkmchfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbohll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnhegl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkpokp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfcfcilg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Einbkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fpldbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkkmicmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnjien32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clfiodjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckbcjbgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddicdeao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4d0e758aa900c6ac6f34a5a98d7711016c0e30fd3e8484ecb6e0ebc3ade21ce4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blkicfdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chdfnfhk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogaqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dojnfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enmgiinb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cahakmbq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdkgbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmiedd32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clfiodjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbkood32.dll"	Ebfgchhn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eiblfbmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blkicfdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cahakmbq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnhegl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obmonife.dll"	Dbmdmjpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ekgelodf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eminkajf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbgfkmeb.dll"	Dkpokp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apgnadgl.dll"	Efkmchfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfpipg32.dll"	Bnjien32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nobkllfa.dll"	Chipif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chipif32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogaqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiahfh32.dll"	Einbkb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dojnfo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	4d0e758aa900c6ac6f34a5a98d7711016c0e30fd3e8484ecb6e0ebc3ade21ce4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnjien32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnjien32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chdfnfhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdkgbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hllgle32.dll"	Cbohll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogaqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbgjcofe.dll"	Dojnfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiking32.dll"	Dekpjeol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ekjbaobd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbkpog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbfiga32.dll"	Dmiedd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eipopb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ekahbnll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fpldbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fpldbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	4d0e758aa900c6ac6f34a5a98d7711016c0e30fd3e8484ecb6e0ebc3ade21ce4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnhegl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebfgchhn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkkmicmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdhciaop.dll"	Dogaqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chdfnfhk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfcfcilg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efmiigdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpibqq32.dll"	Fpldbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnbqn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbohll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mipgikda.dll"	Ekgelodf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dibcod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Enmgiinb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbabpmin.dll"	Ekahbnll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnbqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mioebpif.dll"	Clfiodjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omjnhbpf.dll"	Dnhegl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmpbam32.dll"	Dibcod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgheoh32.dll"	Efmiigdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bomceg32.dll"	Eminkajf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eknkmn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbkpog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chipif32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cobhepkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dekpjeol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dekpjeol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Efkmchfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdkpac32.dll"	Efdpjfnd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdkgbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dbjghjbk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 3524	2896	4d0e758aa900c6ac6f34a5a98d7711016c0e30fd3e8484ecb6e0ebc3ade21ce4.exe	84
PID 2896 wrote to memory of 3524	2896	4d0e758aa900c6ac6f34a5a98d7711016c0e30fd3e8484ecb6e0ebc3ade21ce4.exe	84
PID 2896 wrote to memory of 3524	2896	4d0e758aa900c6ac6f34a5a98d7711016c0e30fd3e8484ecb6e0ebc3ade21ce4.exe	84
PID 3524 wrote to memory of 1300	3524	Bkkmicmf.exe	85
PID 3524 wrote to memory of 1300	3524	Bkkmicmf.exe	85
PID 3524 wrote to memory of 1300	3524	Bkkmicmf.exe	85
PID 1300 wrote to memory of 2608	1300	Bnjien32.exe	86
PID 1300 wrote to memory of 2608	1300	Bnjien32.exe	86
PID 1300 wrote to memory of 2608	1300	Bnjien32.exe	86
PID 2608 wrote to memory of 5104	2608	Blkicfdi.exe	87
PID 2608 wrote to memory of 5104	2608	Blkicfdi.exe	87
PID 2608 wrote to memory of 5104	2608	Blkicfdi.exe	87
PID 5104 wrote to memory of 3076	5104	Cahakmbq.exe	89
PID 5104 wrote to memory of 3076	5104	Cahakmbq.exe	89
PID 5104 wrote to memory of 3076	5104	Cahakmbq.exe	89
PID 3076 wrote to memory of 988	3076	Chajhg32.exe	90
PID 3076 wrote to memory of 988	3076	Chajhg32.exe	90
PID 3076 wrote to memory of 988	3076	Chajhg32.exe	90
PID 988 wrote to memory of 4384	988	Cnnbqn32.exe	91
PID 988 wrote to memory of 4384	988	Cnnbqn32.exe	91
PID 988 wrote to memory of 4384	988	Cnnbqn32.exe	91
PID 4384 wrote to memory of 3992	4384	Chdfnfhk.exe	92
PID 4384 wrote to memory of 3992	4384	Chdfnfhk.exe	92
PID 4384 wrote to memory of 3992	4384	Chdfnfhk.exe	92
PID 3992 wrote to memory of 392	3992	Ckbcjbgo.exe	93
PID 3992 wrote to memory of 392	3992	Ckbcjbgo.exe	93
PID 3992 wrote to memory of 392	3992	Ckbcjbgo.exe	93
PID 392 wrote to memory of 4552	392	Cdkgbg32.exe	94
PID 392 wrote to memory of 4552	392	Cdkgbg32.exe	94
PID 392 wrote to memory of 4552	392	Cdkgbg32.exe	94
PID 4552 wrote to memory of 2720	4552	Ckdppael.exe	96
PID 4552 wrote to memory of 2720	4552	Ckdppael.exe	96
PID 4552 wrote to memory of 2720	4552	Ckdppael.exe	96
PID 2720 wrote to memory of 1504	2720	Cbohll32.exe	97
PID 2720 wrote to memory of 1504	2720	Cbohll32.exe	97
PID 2720 wrote to memory of 1504	2720	Cbohll32.exe	97
PID 1504 wrote to memory of 2940	1504	Chipif32.exe	98
PID 1504 wrote to memory of 2940	1504	Chipif32.exe	98
PID 1504 wrote to memory of 2940	1504	Chipif32.exe	98
PID 2940 wrote to memory of 2164	2940	Cobhepkb.exe	99
PID 2940 wrote to memory of 2164	2940	Cobhepkb.exe	99
PID 2940 wrote to memory of 2164	2940	Cobhepkb.exe	99
PID 2164 wrote to memory of 4472	2164	Clfiodjl.exe	100
PID 2164 wrote to memory of 4472	2164	Clfiodjl.exe	100
PID 2164 wrote to memory of 4472	2164	Clfiodjl.exe	100
PID 4472 wrote to memory of 5004	4472	Dnhegl32.exe	101
PID 4472 wrote to memory of 5004	4472	Dnhegl32.exe	101
PID 4472 wrote to memory of 5004	4472	Dnhegl32.exe	101
PID 5004 wrote to memory of 3764	5004	Dmiedd32.exe	103
PID 5004 wrote to memory of 3764	5004	Dmiedd32.exe	103
PID 5004 wrote to memory of 3764	5004	Dmiedd32.exe	103
PID 3764 wrote to memory of 2332	3764	Dogaqo32.exe	104
PID 3764 wrote to memory of 2332	3764	Dogaqo32.exe	104
PID 3764 wrote to memory of 2332	3764	Dogaqo32.exe	104
PID 2332 wrote to memory of 3124	2332	Dhpfienm.exe	105
PID 2332 wrote to memory of 3124	2332	Dhpfienm.exe	105
PID 2332 wrote to memory of 3124	2332	Dhpfienm.exe	105
PID 3124 wrote to memory of 4564	3124	Dojnfo32.exe	106
PID 3124 wrote to memory of 4564	3124	Dojnfo32.exe	106
PID 3124 wrote to memory of 4564	3124	Dojnfo32.exe	106
PID 4564 wrote to memory of 4576	4564	Dfcfcilg.exe	107
PID 4564 wrote to memory of 4576	4564	Dfcfcilg.exe	107
PID 4564 wrote to memory of 4576	4564	Dfcfcilg.exe	107
PID 4576 wrote to memory of 3784	4576	Dibcod32.exe	108

C:\Users\Admin\AppData\Local\Temp\4d0e758aa900c6ac6f34a5a98d7711016c0e30fd3e8484ecb6e0ebc3ade21ce4.exe
"C:\Users\Admin\AppData\Local\Temp\4d0e758aa900c6ac6f34a5a98d7711016c0e30fd3e8484ecb6e0ebc3ade21ce4.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Windows\SysWOW64\Bkkmicmf.exe
  C:\Windows\system32\Bkkmicmf.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3524
- - C:\Windows\SysWOW64\Bnjien32.exe
    C:\Windows\system32\Bnjien32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1300
  - - C:\Windows\SysWOW64\Blkicfdi.exe
      C:\Windows\system32\Blkicfdi.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2608
    - - C:\Windows\SysWOW64\Cahakmbq.exe
        
        C:\Windows\system32\Cahakmbq.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5104
      - C:\Windows\SysWOW64\Chajhg32.exe
        
        C:\Windows\system32\Chajhg32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3076
        
        C:\Windows\SysWOW64\Cnnbqn32.exe
        
        C:\Windows\system32\Cnnbqn32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:988
        
        C:\Windows\SysWOW64\Chdfnfhk.exe
        
        C:\Windows\system32\Chdfnfhk.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\Windows\SysWOW64\Ckbcjbgo.exe
        
        C:\Windows\system32\Ckbcjbgo.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3992
        
        C:\Windows\SysWOW64\Cdkgbg32.exe
        
        C:\Windows\system32\Cdkgbg32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:392
        
        C:\Windows\SysWOW64\Ckdppael.exe
        
        C:\Windows\system32\Ckdppael.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Windows\SysWOW64\Cbohll32.exe
        
        C:\Windows\system32\Cbohll32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\SysWOW64\Chipif32.exe
        
        C:\Windows\system32\Chipif32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\SysWOW64\Cobhepkb.exe
        
        C:\Windows\system32\Cobhepkb.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\Clfiodjl.exe
        
        C:\Windows\system32\Clfiodjl.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\SysWOW64\Dnhegl32.exe
        
        C:\Windows\system32\Dnhegl32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\SysWOW64\Dmiedd32.exe
        
        C:\Windows\system32\Dmiedd32.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\SysWOW64\Dogaqo32.exe
        
        C:\Windows\system32\Dogaqo32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3764
        
        C:\Windows\SysWOW64\Dhpfienm.exe
        
        C:\Windows\system32\Dhpfienm.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\SysWOW64\Dojnfo32.exe
        
        C:\Windows\system32\Dojnfo32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Windows\SysWOW64\Dfcfcilg.exe
        
        C:\Windows\system32\Dfcfcilg.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\Dibcod32.exe
        
        C:\Windows\system32\Dibcod32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\SysWOW64\Dkpokp32.exe
        
        C:\Windows\system32\Dkpokp32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3784
        
        C:\Windows\SysWOW64\Dbjghjbk.exe
        
        C:\Windows\system32\Dbjghjbk.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5036
        
        C:\Windows\SysWOW64\Ddicdeao.exe
        
        C:\Windows\system32\Ddicdeao.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Windows\SysWOW64\Dbmdmjpi.exe
        
        C:\Windows\system32\Dbmdmjpi.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Dekpjeol.exe
        
        C:\Windows\system32\Dekpjeol.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:884
        
        C:\Windows\SysWOW64\Efkmchfo.exe
        
        C:\Windows\system32\Efkmchfo.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Ekgelodf.exe
        
        C:\Windows\system32\Ekgelodf.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4540
        
        C:\Windows\SysWOW64\Efmiigdl.exe
        
        C:\Windows\system32\Efmiigdl.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3860
        
        C:\Windows\SysWOW64\Eikfeccp.exe
        
        C:\Windows\system32\Eikfeccp.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4340
        
        C:\Windows\SysWOW64\Ekjbaobd.exe
        
        C:\Windows\system32\Ekjbaobd.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4264
        
        C:\Windows\SysWOW64\Ebdjnijq.exe
        
        C:\Windows\system32\Ebdjnijq.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1188
        
        C:\Windows\SysWOW64\Einbkb32.exe
        
        C:\Windows\system32\Einbkb32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1924
        
        C:\Windows\SysWOW64\Eminkajf.exe
        
        C:\Windows\system32\Eminkajf.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4520
        
        C:\Windows\SysWOW64\Eohkgmij.exe
        
        C:\Windows\system32\Eohkgmij.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3420
        
        C:\Windows\SysWOW64\Ebfgchhn.exe
        
        C:\Windows\system32\Ebfgchhn.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1356
        
        C:\Windows\SysWOW64\Eipopb32.exe
        
        C:\Windows\system32\Eipopb32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4224
        
        C:\Windows\SysWOW64\Eknkmn32.exe
        
        C:\Windows\system32\Eknkmn32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2716
        
        C:\Windows\SysWOW64\Enmgiinb.exe
        
        C:\Windows\system32\Enmgiinb.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5000
        
        C:\Windows\SysWOW64\Efdpjfnd.exe
        
        C:\Windows\system32\Efdpjfnd.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4144
        
        C:\Windows\SysWOW64\Eiblfbmh.exe
        
        C:\Windows\system32\Eiblfbmh.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2212
        
        C:\Windows\SysWOW64\Ekahbnll.exe
        
        C:\Windows\system32\Ekahbnll.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3268
        
        C:\Windows\SysWOW64\Fpldbl32.exe
        
        C:\Windows\system32\Fpldbl32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4932
        
        C:\Windows\SysWOW64\Fbkpog32.exe
        
        C:\Windows\system32\Fbkpog32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\Feimkc32.exe
        
        C:\Windows\system32\Feimkc32.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 400
        47⤵
        Program crash
        
        PID:3380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4852 -ip 4852
1⤵
PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bkkmicmf.exe

Filesize
113KB

MD5
c2bd65350377fa63ff09d84514786c52

SHA1
17eba34f9dcc15d3d0a080f5a7893d308ddc1fd2

SHA256
2d28014abccb562cde1a075ee4dbbeb6d0a75bfefa95360d73ef5455d477ebfc

SHA512
3834983cb87a4ed5cd33cad7eaa9b7240d7ceaf5e68e1c544559c8d7e9776f7095e0997d67660b771d552c4910a490b3e6bd6dd4f8441eabaa453846579d40c8

Download Submit
C:\Windows\SysWOW64\Blkicfdi.exe

Filesize
113KB

MD5
6d21521b3d4c6e5212c6f24f51cfe355

SHA1
07f980d3c44d61be735463a5099f64b07caadfea

SHA256
f6ae7167c999ac3d9fb86543fd00fb1c7d05c9a5e010d99d3df4347073f72f27

SHA512
4668d7f3246718206e74f5a36b7e7097b1fdc17803444e8940fe265daf7adbf6e1730e04b9638dc90fd10e518733dbd229cbc7b88c2f4c3d37f3b0055559f71a

Download Submit
C:\Windows\SysWOW64\Bnjien32.exe

Filesize
113KB

MD5
ee985137159545cdfafd004951948d1d

SHA1
fd4cd22cf3660ef0bd654743f4460bbbfa575cc3

SHA256
654ff7d28b66c0cd9c06670d3d33c2fd94815567a1844ca47a3613f9b483e201

SHA512
68fe76acfb3459b625c1c423699b30af22e086cfc39bde00d0a047d54b4f4d6bd348e7ee5452b498a48a6f18da3b359af4ebef8e411dd006a02e9d6ea7e05063

Download Submit
C:\Windows\SysWOW64\Cahakmbq.exe

Filesize
113KB

MD5
b6f3d2d4819ef0bca709e7bd0a26ab0d

SHA1
c16bf318e6962c45f4649652819c4ac3a0fcd923

SHA256
9975d41b1c693a862d2058f5a81e16f584bbe6aecc37ae911242fd6456e4f05a

SHA512
f88f7b15ea05711d7c7db54304094101438a319c686b84a5923954eb4346444637367391bd0b2d7195a1e1ee65465c4a806a2341f3469018abc6939c61be03c9

Download Submit
C:\Windows\SysWOW64\Cbohll32.exe

Filesize
113KB

MD5
58977d4edba640a8e95be871ca18e312

SHA1
25999aac81cd8f0fadf8b2d2b6b8d2da3a43cc7c

SHA256
8e8e1e7fa9796726a1468d3679d1070841fe65efa2db305c152b4c7682c63b6f

SHA512
e6e5fa774050e048ec16c1ed17a4a7da8de48ff53ad3ada182ce7232a6888e5081cd88112eb2c2d0cfae0b2416368aebef37466dc810eabe16002106803645be

Download Submit
C:\Windows\SysWOW64\Cdkgbg32.exe

Filesize
113KB

MD5
e0f6fe3bdbb177dcb43b5fd1575596f4

SHA1
1d924433b784a365662a138c37403e561aad2542

SHA256
e4046066531b1333cff84233b4771a21d16a271a16c5b73b27a9d374f8259ba0

SHA512
7f06bf9d7cb0b350245e2e9fe8293053f47ae7102e0d6d872184572299e442ca683e7bfa212a1afe688d2431388e6e914f3aee2c0a6664f27a00acd82ec7c740

Download Submit
C:\Windows\SysWOW64\Chajhg32.exe

Filesize
113KB

MD5
e871c1dbe7c47a9c32c0100af4bb009b

SHA1
704704ce80c12fdf321dfd6fe0102b8c3e3e6d75

SHA256
fd5398c3e7378464b879c95d5677552e5bf7cd543a8b59547b9ddd9ccec712f0

SHA512
dd429c22334552edbb338fb8af57b84dc1ca1b1737012316b9590f7e7d1aaabd5e1b75180833ce8fddc1097a7caff4a4cafaf755da7643c1daa6bd1e30961126

Download Submit
C:\Windows\SysWOW64\Chdfnfhk.exe

Filesize
113KB

MD5
30e76f57b7e57383a093d4e096881bb0

SHA1
864835853f93e9bafe66c2b2bb898d728d4f0bd1

SHA256
114b7505e46def66bae9abb4a30e706064d488bfde2c36ba6696a50082552f9c

SHA512
22734648ccde90169480d1620984ada3b8295fc4585970ac4b71a85e6c96167f3bc57b6733573d20f4e6ad997925af6083366d7a000919d1fcfd599a38357f04

Download Submit
C:\Windows\SysWOW64\Chipif32.exe

Filesize
113KB

MD5
e600e1cd8bf4b248a20d22a2eb6125c4

SHA1
70217f0bb5aaad4a8c082d76025ce04b2598f2d0

SHA256
5d85e73e1d679f86939ee9a31745632abed6b53ad2346d9759d43857ba7c6504

SHA512
6340c5a9eb3475fbd51ad916d676efc90febee88a0dbba3676e24f0a6a56c205cc882d4fb0a54ebcf171ad414de4aa7f03e276b0b7fde85047f1f0b85b5c2d40

Download Submit
C:\Windows\SysWOW64\Ckbcjbgo.exe

Filesize
113KB

MD5
e30bf541cea5a85891f6fc06d6b0ae3e

SHA1
a3eb2c5d81968f49c403d30863c93f93dc095aef

SHA256
7f3b03251c57d2083cbe97f3f3a1cb7bebecc5a3adae2feea5dd5cbf027b3d89

SHA512
aa81f381a4fe375d3fa8655cacb57095205f95d3a75899d41bc6b54cfb8980b9bcbf82ec22abb51c19578bb2985618b3f4b60b4010f3e60327983f355ced5978

Download Submit
C:\Windows\SysWOW64\Ckdppael.exe

Filesize
113KB

MD5
15c6b4d625db83e57930bf4a393ddac9

SHA1
ad033aa9ad90a4aee1da5b9bef68d27e204c6ded

SHA256
c51d9f7cb57b531ea754140df373c1aae5ef686814652d829a5414740376765f

SHA512
49386c0cfd15582054abba7ed0160c24481657a8d545d3880088b408818a740534562b657f76b12f926a677f8c8b5ba7a6dc8473f19ae9c880c33156bfa97804

Download Submit
C:\Windows\SysWOW64\Clfiodjl.exe

Filesize
113KB

MD5
4c7e89ee778823ce1ebf5a5110ca962b

SHA1
d38c572a714126c0076993992fd4f2eda18870f4

SHA256
944422210e409ca5a4f7a203e0818ab33d56b250e3648e024101f71accd479cf

SHA512
3d9f514936863ebc780d146178289ea48dd9b1f6241730113e0c39ec0bc9d6d450c32ce5267c3f1f6a2f115025a84f8768941170ec617e237e90f79b99676517

Download Submit
C:\Windows\SysWOW64\Cnnbqn32.exe

Filesize
113KB

MD5
4736be2dbb41a06e9c37080a9f32628c

SHA1
030e08b16f169710bbcee571c13d1f094b64e725

SHA256
6397d6175c533a968fe604a28d5c947d1dea7cc6d7a3bbbac8e7599b054cbe70

SHA512
4ae4fc226809916af87cf234281d3dcfe95ce2c2a96902d9f256b8d05e458e9f63b9a9b4f0ef93d509c4855bd8521008a04055e02a0e5b47ff3c1ad34536fcae

Download Submit
C:\Windows\SysWOW64\Cobhepkb.exe

Filesize
113KB

MD5
1511218d4deab650ba896e8c8deff3c5

SHA1
b098894bc8851478a792785bd2042b0a241937f4

SHA256
250ada57d666de97bca7af2fb34ea0a166b887938d7232a772bdefef0a9d6143

SHA512
a57496bf69c19f3d75adf2e6dfe2a86b97bd7e6a58d76700d84969541c2645929de87c956cba1b84df12ba22b71afd835eec8c3369f7622bb59b3c2d28f388ee

Download Submit
C:\Windows\SysWOW64\Dbjghjbk.exe

Filesize
113KB

MD5
bd8b86b729cd5e813dab27ca045c19f1

SHA1
6d09e1e52008595489a7b73c5a1b0dd14117e383

SHA256
5b1a125488f99d1a6cb447289facabef1011679037bf927ca109c89e03eef6e7

SHA512
3ab64258c21c5fa8a019453101a0db79c0f3c883850f59d3823b94b9a54c16308b731ec30e546f32fe33cf3a6c5fd50dc36857416dce479ff57df22d2b6e2924

Download Submit
C:\Windows\SysWOW64\Dbmdmjpi.exe

Filesize
113KB

MD5
da023be6acafdef3e66e19d1b45ad273

SHA1
e8f0e816b626df550314767886d596d623cebab9

SHA256
6b611f0b9dac76000535513e0631c2be38277e2c7f75b7bdadf3f662b4cd8ba3

SHA512
6dc7ed9af130cf2e45993bf48e4a4e1f2cc52d62d7ec86200f2045389794ac762d0819e90dc0828dab6e46cfefe6d7a5a8a6d3a3f5d92eceb040e12a5f9a11ac

Download Submit
C:\Windows\SysWOW64\Ddicdeao.exe

Filesize
113KB

MD5
4908035b983bffca7b93b91e8113679b

SHA1
0b1949cf9a9201e0f5a507766d5cbcc903fef0a3

SHA256
deda70a294edfc860f82a39821c70376c06d4f8d4def60fd4f242560dc94574d

SHA512
0e6f32976bff44820f739f2c17f632a014848a448460f159dc73c99a47dea253636458fd790b5ab388a082d4d1e2e92e373771be077c7ee31d67c92e66ab51d9

Download Submit
C:\Windows\SysWOW64\Dekpjeol.exe

Filesize
113KB

MD5
00799730e3998de5ebb855cb058e365a

SHA1
06cc9e92e78018b528d8df959a30441948f7142e

SHA256
de4155e7a6fd24a20559e3c5ab8eb240e0a729add3c089612f35aab2168fda6d

SHA512
155705b144a566814200cb523b698d8b1f919ff6f96abfb6daadb9627522d991e58241cd97411cd5a1e14ac6fad419d5afe2696925da16fbbbe2de7b48e176a8

Download Submit
C:\Windows\SysWOW64\Dfcfcilg.exe

Filesize
113KB

MD5
5dea738abf7cceab011e1cde3f2c2774

SHA1
2303bbc5b67957fd0df1f70bd31cb94784879f87

SHA256
d6df17da7b746508855434f7f9904ca122cf06a7da166d8dd8b8b1e384fca22b

SHA512
4623a574ebb8f556684a1abae74e0ed32d46511be7438b7a3af5afa72b1d326475e1d475623daf8de13a3cfa95ae6793918505b89f828373b7ed524ab7c1f2b9

Download Submit
C:\Windows\SysWOW64\Dhpfienm.exe

Filesize
113KB

MD5
c39e646b69ee8aae5828f0962745f2a5

SHA1
d0862039fc0a095be73533e61f70cd5615743018

SHA256
b9d26adb3bed20fc239910b6b2a3b42f85d660b245c37dbeec2a04b520a2cd19

SHA512
ac70827844616dbd1e5410fde6371264137445dfbc54f90d79687b5ecd029748980ad69889c910495b84e023b1e40ccd8f7ff6c671a18b7f4505c6794826938a

Download Submit
C:\Windows\SysWOW64\Dibcod32.exe

Filesize
113KB

MD5
b499879b9022724f5274229573682a1f

SHA1
7fa5c7d05d2a5874d7833d976b0d6fca4c1be95a

SHA256
400ebe417343f400b8f22d799985d75a2780245f90c14583b2376ced4ea90857

SHA512
cc5dd6531bcb3315f99d0ff5909e11061bbef237659eb52647250cc799c9fe78f1fe0c36274d64679955a1b650cc09f27bb3fc3cd7a08722f5e82e05635554de

Download Submit
C:\Windows\SysWOW64\Dkpokp32.exe

Filesize
113KB

MD5
d63dafc3f5ffe82f2550c6b3d7f6ce6b

SHA1
6628c91e05b87cde6bc761b2477263074efddb48

SHA256
f8bb865a69cfe377c5366bff8da409bced5fb03296212fe9ad21fca339127e4c

SHA512
b1f76170f7d739b5fefa9940259dff6371db42e8798b232bc2f0bfd8ddcf66b1beff4d7f93c54b1d985f5740a926fcd6802c6b824f13f666cfc22965c604cf54

Download Submit
C:\Windows\SysWOW64\Dmiedd32.exe

Filesize
113KB

MD5
4267ea211792be651ecc8a0222a7d784

SHA1
9ea4684f156779162269b5dab0f173be92e08081

SHA256
a5a41337e8433bb6e66b1566c51a8bc80bda3804498fff2fca6dc27595d66f79

SHA512
318202f4522cb288b9465485182fb46852fa1621a1954a2ed1c884d8e2384fd3125964d7a1c4153d1c27ea9f99ab2cb26e839128bdc1661dbf6eea8f098b3308

Download Submit
C:\Windows\SysWOW64\Dnhegl32.exe

Filesize
113KB

MD5
58eaddd38e73a4fa94197e89c9992337

SHA1
df6d760943c5afcf1dadabe597fe57ee92567d68

SHA256
8af5c685eb0ed091882246be9c012faa1c7c2ce011c43757f9dea32c1fa8ae95

SHA512
80aff83d0388b17ef0bc8672353792ecf23267d772f2cd4cb3035fefee51a2991ad7d2576396598b878b4227064643f2f3979792a8cb52eee5f55d8268265cf4

Download Submit
C:\Windows\SysWOW64\Dogaqo32.exe

Filesize
113KB

MD5
4a2448cee3296b5a411c9ed1cc62b895

SHA1
a39446442d05c11f819f7fb4a92c03b007bbbece

SHA256
6b177208bc410aaf7f0e2a67b8cde87f65391533e070307d9e379fa7612eeb4e

SHA512
bb8cf97c8c0bbbadb574a30c0b5a25a59ec70369b8ddf25cb85961f583e29b7c25018fe8af0f99d29224617b92a081fbfa58cc425f06466b27ae6c608ee2703d

Download Submit
C:\Windows\SysWOW64\Dojnfo32.exe

Filesize
113KB

MD5
461e242d168823933687f0d10dc31975

SHA1
37069e5d68fd1bd10b1d0af1b370f49cef6d69ff

SHA256
0ea14cf25e8f7fb55fc2ff713b18c6ddaae76815c28dceefa25ae1cdacec73f6

SHA512
c3cca513e09e190aa39214639a18ac2756bedec11b2821955facdb91764ef1f81cdf0b92d3d438d7529edd14ba032529c1c884a82938a7c9f6a80f71a93be843

Download Submit
C:\Windows\SysWOW64\Ebdjnijq.exe

Filesize
113KB

MD5
488c31a96d4475c8b977704da49f113f

SHA1
947348f5a6b12285409991b21fa81a8f45006800

SHA256
8a9c493a435b0268e89eed4747f70dcb223d37f32128fd865495345395b05b33

SHA512
7e7ab2ee4c2817600d5f54c80a26b8c4f0d9f24063e2b0e7d72185fc539a827f67e0bee8303042365363c26b00541f821ddbdc116fa26d324d13cfccce72f352

Download Submit
C:\Windows\SysWOW64\Efkmchfo.exe

Filesize
113KB

MD5
da9f0830801d2ead97da7063e6bd08df

SHA1
7efe384d69eb9a556b2a095a913178fcb58a7c91

SHA256
86b5950769bf0123327feee03ba5bc75d6080ba9732acc65e52b2ef09c7b5143

SHA512
4e0872467160580eecc2fb07f3012fb3c9386d1ac5745b3a8e79ddc6c1aa078743e2966440905eb3a128c2f7df51f5a08b6438fcd790e1154af52122ffae9768

Download Submit
C:\Windows\SysWOW64\Efmiigdl.exe

Filesize
113KB

MD5
cf779e43d9748464148c00f2f43ebd6f

SHA1
cf978d7096dd7020c30da34e9398e6fe3348468e

SHA256
f89d1a0aef7fe8ea89258f6243b8f358489e3b5aba8a0abd9db7d9ca0d80b735

SHA512
17cdbd6f3dc9c2dab319edc6b5efe31c0a1d94289bc292e904915363745790b66c3f06f6b97ef0d06bdc9587a58d9b1a8b7a0a4638082814249936366a726a18

Download Submit
C:\Windows\SysWOW64\Eikfeccp.exe

Filesize
113KB

MD5
3397a37270e77ff87d32ba6783463f57

SHA1
669cd109b9a5b1a8fcfb7088b267ccd89680c7c7

SHA256
dbdfa568ee85c72cba581f7bd1d6808e5b57ff749c0685e7c55c7fd00bf53d7d

SHA512
2e5955a5eabb0583dc68d2c8026fc9849b4875b39862866fc275aef45c5be853dbd8dcb98962e6651b6bb22a64e59897c13c8fb0d25c3eedc4808f346880a318

Download Submit
C:\Windows\SysWOW64\Ekgelodf.exe

Filesize
113KB

MD5
797e0b5bcd14be35ee814d732d3ed6ea

SHA1
8aa9bb2514298b6b5f40e36aa410e6dd0585c594

SHA256
d7f3fd17b97d88c4a7c1f318c428f4d8ae7e94ed4f583d017146180e6177b9bf

SHA512
cf2c0c718398eff8a3eac9741283cb2064dc96c05c24d05fd5e7f4c4422087be27051dc64ccf40b49b2d59fe86bebc66d5105cbb5b1f284716d2bdb61e7809f8

Download Submit
C:\Windows\SysWOW64\Ekjbaobd.exe

Filesize
113KB

MD5
ecce0215c11e46fa0d3ea01aaaedf7ab

SHA1
c0e9d180f0bba8c7568d34d0f9e07374a631b8d2

SHA256
4e73175510c04b20a5e8a5bb29265f3fd9ca8b26752f3827dcaa110f941a6179

SHA512
ec8c54cc43cf8037f0dce2c13c70367462cad6ba0bf6a323b16afb0457fc970265a3be237d87baca2df561b3c1a652a12bcb972de673a837dedc21b5929e2328

Download Submit
memory/392-71-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/392-362-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/884-349-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/884-207-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/988-47-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/988-365-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1188-343-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1188-255-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1300-15-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1300-369-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1356-280-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1356-341-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1504-96-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1504-359-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1672-350-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1672-200-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1924-266-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2164-112-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2164-357-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2212-314-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2332-353-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2332-144-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2608-368-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2608-23-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2716-292-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2716-339-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2720-360-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2720-88-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2872-351-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2872-192-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2896-371-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2896-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2940-104-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2940-358-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3044-348-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3044-216-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3076-366-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3076-39-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3124-151-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3124-352-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3268-316-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3268-337-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3420-278-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3524-370-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3524-8-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3764-135-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3764-354-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3784-181-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3860-236-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3860-346-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3992-363-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3992-64-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4144-338-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4144-304-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4224-340-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4224-290-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4264-247-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4264-344-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4340-240-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4340-345-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4384-364-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4384-56-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4448-332-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4472-356-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4472-119-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4520-342-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4520-268-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4540-224-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4540-347-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4552-79-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4552-361-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4564-164-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4576-172-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4852-334-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4852-335-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4932-336-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4932-322-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5000-302-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5004-355-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5004-128-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5036-189-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5104-367-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5104-31-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads