1f8cc2994750965ba1e85f20d5a9e101954e0370c386a4f2d4953d0577c01e51

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
27/07/2024, 10:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b6fca21a3ca8c5a90081e7a2c55cda80N.exe
Size

280KB
MD5

b6fca21a3ca8c5a90081e7a2c55cda80
SHA1

ad764dc7b5db7276007b3a6d560ccd6326ab82ac
SHA256

1f8cc2994750965ba1e85f20d5a9e101954e0370c386a4f2d4953d0577c01e51
SHA512

75e95b162c7ccf0dfa47625152df93d0e242034d700e947d6d78947a7f1d831844425b092d136388cd8d060c2e6909e4b0430aa1eb3b6583482d2353d5c8aca7
SSDEEP

6144:yusrTjZsfpn9hci/GOORjMmRUoooooooooooooooooooooooooy/G3:T6yn9+i//OVLCoooooooooooooooooo0

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkjhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bihgmdih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fnjnkkbk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdngip32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlboca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ejfllhao.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apnfno32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Befnbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkjhjm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekghcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmkdhq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dnckki32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcjjkkji.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnckki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcbookpp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bceeqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dcjjkkji.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbdagg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecgjdong.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fllaopcg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmkdhq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amafgc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaflgb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmmbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bceeqi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgnpjkhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmmbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ecgjdong.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pglojj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aaflgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Befnbd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egebjmdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ekghcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmhgba32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdpohodn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dlboca32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnjnkkbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnflae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbjnqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apnfno32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fllaopcg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbookpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qdpohodn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bihgmdih.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cppobaeb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbjnqh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnfhqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dbdagg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b6fca21a3ca8c5a90081e7a2c55cda80N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amafgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eifobe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejfllhao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	b6fca21a3ca8c5a90081e7a2c55cda80N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgnpjkhj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eifobe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pglojj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnflae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cppobaeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdngip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Egebjmdn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmhgba32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abjeejep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Abjeejep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dnfhqi32.exe

Executes dropped EXE 32 IoCs

pid	Process
2668	Pglojj32.exe
2312	Pmhgba32.exe
2436	Pcbookpp.exe
2664	Pmkdhq32.exe
2588	Qdpohodn.exe
3028	Aaflgb32.exe
1152	Abjeejep.exe
2332	Apnfno32.exe
2784	Amafgc32.exe
2868	Bihgmdih.exe
2336	Bceeqi32.exe
744	Befnbd32.exe
1724	Cppobaeb.exe
1892	Cdngip32.exe
2080	Cnflae32.exe
1688	Cgnpjkhj.exe
572	Cbjnqh32.exe
836	Dcjjkkji.exe
2236	Dlboca32.exe
1332	Dnckki32.exe
2432	Dnfhqi32.exe
1220	Dkjhjm32.exe
3064	Dbdagg32.exe
1084	Dmmbge32.exe
1088	Ecgjdong.exe
2148	Egebjmdn.exe
1980	Eifobe32.exe
2732	Ejfllhao.exe
1324	Ekghcq32.exe
2800	Fllaopcg.exe
2544	Fnjnkkbk.exe
3040	Flnndp32.exe

Loads dropped DLL 64 IoCs

pid	Process
2708	b6fca21a3ca8c5a90081e7a2c55cda80N.exe
2708	b6fca21a3ca8c5a90081e7a2c55cda80N.exe
2668	Pglojj32.exe
2668	Pglojj32.exe
2312	Pmhgba32.exe
2312	Pmhgba32.exe
2436	Pcbookpp.exe
2436	Pcbookpp.exe
2664	Pmkdhq32.exe
2664	Pmkdhq32.exe
2588	Qdpohodn.exe
2588	Qdpohodn.exe
3028	Aaflgb32.exe
3028	Aaflgb32.exe
1152	Abjeejep.exe
1152	Abjeejep.exe
2332	Apnfno32.exe
2332	Apnfno32.exe
2784	Amafgc32.exe
2784	Amafgc32.exe
2868	Bihgmdih.exe
2868	Bihgmdih.exe
2336	Bceeqi32.exe
2336	Bceeqi32.exe
744	Befnbd32.exe
744	Befnbd32.exe
1724	Cppobaeb.exe
1724	Cppobaeb.exe
1892	Cdngip32.exe
1892	Cdngip32.exe
2080	Cnflae32.exe
2080	Cnflae32.exe
1688	Cgnpjkhj.exe
1688	Cgnpjkhj.exe
572	Cbjnqh32.exe
572	Cbjnqh32.exe
836	Dcjjkkji.exe
836	Dcjjkkji.exe
2236	Dlboca32.exe
2236	Dlboca32.exe
1332	Dnckki32.exe
1332	Dnckki32.exe
2432	Dnfhqi32.exe
2432	Dnfhqi32.exe
1220	Dkjhjm32.exe
1220	Dkjhjm32.exe
3064	Dbdagg32.exe
3064	Dbdagg32.exe
1084	Dmmbge32.exe
1084	Dmmbge32.exe
1088	Ecgjdong.exe
1088	Ecgjdong.exe
2148	Egebjmdn.exe
2148	Egebjmdn.exe
1980	Eifobe32.exe
1980	Eifobe32.exe
2732	Ejfllhao.exe
2732	Ejfllhao.exe
1324	Ekghcq32.exe
1324	Ekghcq32.exe
2800	Fllaopcg.exe
2800	Fllaopcg.exe
2544	Fnjnkkbk.exe
2544	Fnjnkkbk.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Oamcoejo.dll	Dkjhjm32.exe
File opened for modification	C:\Windows\SysWOW64\Dmmbge32.exe	Dbdagg32.exe
File opened for modification	C:\Windows\SysWOW64\Pmkdhq32.exe	Pcbookpp.exe
File created	C:\Windows\SysWOW64\Eaflfbko.dll	Qdpohodn.exe
File created	C:\Windows\SysWOW64\Dbdagg32.exe	Dkjhjm32.exe
File opened for modification	C:\Windows\SysWOW64\Dkjhjm32.exe	Dnfhqi32.exe
File created	C:\Windows\SysWOW64\Dmmbge32.exe	Dbdagg32.exe
File opened for modification	C:\Windows\SysWOW64\Ekghcq32.exe	Ejfllhao.exe
File opened for modification	C:\Windows\SysWOW64\Fnjnkkbk.exe	Fllaopcg.exe
File created	C:\Windows\SysWOW64\Bihgmdih.exe	Amafgc32.exe
File opened for modification	C:\Windows\SysWOW64\Bihgmdih.exe	Amafgc32.exe
File created	C:\Windows\SysWOW64\Bpmoggbh.dll	Cbjnqh32.exe
File opened for modification	C:\Windows\SysWOW64\Ecgjdong.exe	Dmmbge32.exe
File created	C:\Windows\SysWOW64\Ejfllhao.exe	Eifobe32.exe
File created	C:\Windows\SysWOW64\Hmcqik32.dll	Aaflgb32.exe
File created	C:\Windows\SysWOW64\Dkjhjm32.exe	Dnfhqi32.exe
File created	C:\Windows\SysWOW64\Khqplf32.dll	Dnfhqi32.exe
File created	C:\Windows\SysWOW64\Bceeqi32.exe	Bihgmdih.exe
File created	C:\Windows\SysWOW64\Cppobaeb.exe	Befnbd32.exe
File opened for modification	C:\Windows\SysWOW64\Cbjnqh32.exe	Cgnpjkhj.exe
File created	C:\Windows\SysWOW64\Gmaonc32.dll	Dlboca32.exe
File created	C:\Windows\SysWOW64\Fnjnkkbk.exe	Fllaopcg.exe
File created	C:\Windows\SysWOW64\Pglojj32.exe	b6fca21a3ca8c5a90081e7a2c55cda80N.exe
File created	C:\Windows\SysWOW64\Abjeejep.exe	Aaflgb32.exe
File opened for modification	C:\Windows\SysWOW64\Apnfno32.exe	Abjeejep.exe
File opened for modification	C:\Windows\SysWOW64\Flnndp32.exe	Fnjnkkbk.exe
File opened for modification	C:\Windows\SysWOW64\Pglojj32.exe	b6fca21a3ca8c5a90081e7a2c55cda80N.exe
File opened for modification	C:\Windows\SysWOW64\Dlboca32.exe	Dcjjkkji.exe
File created	C:\Windows\SysWOW64\Flnndp32.exe	Fnjnkkbk.exe
File created	C:\Windows\SysWOW64\Akbieg32.dll	Bceeqi32.exe
File opened for modification	C:\Windows\SysWOW64\Cdngip32.exe	Cppobaeb.exe
File created	C:\Windows\SysWOW64\Dnfhqi32.exe	Dnckki32.exe
File opened for modification	C:\Windows\SysWOW64\Dnfhqi32.exe	Dnckki32.exe
File created	C:\Windows\SysWOW64\Hehaja32.dll	Ejfllhao.exe
File created	C:\Windows\SysWOW64\Kbbinm32.dll	Pmhgba32.exe
File created	C:\Windows\SysWOW64\Pmkdhq32.exe	Pcbookpp.exe
File created	C:\Windows\SysWOW64\Befnbd32.exe	Bceeqi32.exe
File opened for modification	C:\Windows\SysWOW64\Befnbd32.exe	Bceeqi32.exe
File opened for modification	C:\Windows\SysWOW64\Cppobaeb.exe	Befnbd32.exe
File created	C:\Windows\SysWOW64\Eifobe32.exe	Egebjmdn.exe
File created	C:\Windows\SysWOW64\Gipjkn32.dll	b6fca21a3ca8c5a90081e7a2c55cda80N.exe
File created	C:\Windows\SysWOW64\Pcbookpp.exe	Pmhgba32.exe
File opened for modification	C:\Windows\SysWOW64\Abjeejep.exe	Aaflgb32.exe
File created	C:\Windows\SysWOW64\Dnckki32.exe	Dlboca32.exe
File created	C:\Windows\SysWOW64\Egebjmdn.exe	Ecgjdong.exe
File opened for modification	C:\Windows\SysWOW64\Ejfllhao.exe	Eifobe32.exe
File created	C:\Windows\SysWOW64\Ogadek32.dll	Eifobe32.exe
File created	C:\Windows\SysWOW64\Ekghcq32.exe	Ejfllhao.exe
File created	C:\Windows\SysWOW64\Hhfnqbdc.dll	Pglojj32.exe
File created	C:\Windows\SysWOW64\Cnflae32.exe	Cdngip32.exe
File created	C:\Windows\SysWOW64\Dlboca32.exe	Dcjjkkji.exe
File created	C:\Windows\SysWOW64\Fpkljm32.dll	Ekghcq32.exe
File created	C:\Windows\SysWOW64\Amafgc32.exe	Apnfno32.exe
File created	C:\Windows\SysWOW64\Cefllkej.dll	Bihgmdih.exe
File created	C:\Windows\SysWOW64\Cgnpjkhj.exe	Cnflae32.exe
File created	C:\Windows\SysWOW64\Ieoeff32.dll	Egebjmdn.exe
File opened for modification	C:\Windows\SysWOW64\Pmhgba32.exe	Pglojj32.exe
File created	C:\Windows\SysWOW64\Fimelc32.dll	Pcbookpp.exe
File created	C:\Windows\SysWOW64\Ffemqioj.dll	Abjeejep.exe
File created	C:\Windows\SysWOW64\Cbjnqh32.exe	Cgnpjkhj.exe
File created	C:\Windows\SysWOW64\Necdin32.dll	Cgnpjkhj.exe
File opened for modification	C:\Windows\SysWOW64\Dcjjkkji.exe	Cbjnqh32.exe
File created	C:\Windows\SysWOW64\Aoqbnfda.dll	Dnckki32.exe
File created	C:\Windows\SysWOW64\Ecgjdong.exe	Dmmbge32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2592	3040	WerFault.exe	61

System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bceeqi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Befnbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdngip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmkdhq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdpohodn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apnfno32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgnpjkhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcjjkkji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnckki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmmbge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egebjmdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eifobe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekghcq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fllaopcg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flnndp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaflgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnflae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b6fca21a3ca8c5a90081e7a2c55cda80N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlboca32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnfhqi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbdagg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmhgba32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amafgc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbjnqh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnjnkkbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbookpp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abjeejep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bihgmdih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cppobaeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkjhjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejfllhao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pglojj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecgjdong.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Befnbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dlboca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	b6fca21a3ca8c5a90081e7a2c55cda80N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Egebjmdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cbjnqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qdpohodn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dlboca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngbpoo32.dll"	Ecgjdong.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fllaopcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnflae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoqbnfda.dll"	Dnckki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dbdagg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnflae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gipjkn32.dll"	b6fca21a3ca8c5a90081e7a2c55cda80N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fnjnkkbk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Abjeejep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	b6fca21a3ca8c5a90081e7a2c55cda80N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cefllkej.dll"	Bihgmdih.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eifobe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bceeqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bihgmdih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fimelc32.dll"	Pcbookpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ienjoljk.dll"	Cnflae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khqplf32.dll"	Dnfhqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmhgba32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	b6fca21a3ca8c5a90081e7a2c55cda80N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmkdhq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffemqioj.dll"	Abjeejep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgnpjkhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Egebjmdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	b6fca21a3ca8c5a90081e7a2c55cda80N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bceeqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpfjap32.dll"	Cdngip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Necdin32.dll"	Cgnpjkhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dnckki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dnfhqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fllaopcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pglojj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dcjjkkji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onndkg32.dll"	Fnjnkkbk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cgnpjkhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diaalggp.dll"	Dmmbge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Amafgc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bihgmdih.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ecgjdong.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aaflgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdngip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dnckki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dbdagg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehaja32.dll"	Ejfllhao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ejfllhao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpkljm32.dll"	Ekghcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cppobaeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Apnfno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofoebc32.dll"	Cppobaeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dnfhqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogadek32.dll"	Eifobe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Abjeejep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcqik32.dll"	Aaflgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geogecdd.dll"	Apnfno32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	b6fca21a3ca8c5a90081e7a2c55cda80N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dcjjkkji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odlkfk32.dll"	Fllaopcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpmoggbh.dll"	Cbjnqh32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 2668	2708	b6fca21a3ca8c5a90081e7a2c55cda80N.exe	30
PID 2708 wrote to memory of 2668	2708	b6fca21a3ca8c5a90081e7a2c55cda80N.exe	30
PID 2708 wrote to memory of 2668	2708	b6fca21a3ca8c5a90081e7a2c55cda80N.exe	30
PID 2708 wrote to memory of 2668	2708	b6fca21a3ca8c5a90081e7a2c55cda80N.exe	30
PID 2668 wrote to memory of 2312	2668	Pglojj32.exe	31
PID 2668 wrote to memory of 2312	2668	Pglojj32.exe	31
PID 2668 wrote to memory of 2312	2668	Pglojj32.exe	31
PID 2668 wrote to memory of 2312	2668	Pglojj32.exe	31
PID 2312 wrote to memory of 2436	2312	Pmhgba32.exe	32
PID 2312 wrote to memory of 2436	2312	Pmhgba32.exe	32
PID 2312 wrote to memory of 2436	2312	Pmhgba32.exe	32
PID 2312 wrote to memory of 2436	2312	Pmhgba32.exe	32
PID 2436 wrote to memory of 2664	2436	Pcbookpp.exe	33
PID 2436 wrote to memory of 2664	2436	Pcbookpp.exe	33
PID 2436 wrote to memory of 2664	2436	Pcbookpp.exe	33
PID 2436 wrote to memory of 2664	2436	Pcbookpp.exe	33
PID 2664 wrote to memory of 2588	2664	Pmkdhq32.exe	34
PID 2664 wrote to memory of 2588	2664	Pmkdhq32.exe	34
PID 2664 wrote to memory of 2588	2664	Pmkdhq32.exe	34
PID 2664 wrote to memory of 2588	2664	Pmkdhq32.exe	34
PID 2588 wrote to memory of 3028	2588	Qdpohodn.exe	35
PID 2588 wrote to memory of 3028	2588	Qdpohodn.exe	35
PID 2588 wrote to memory of 3028	2588	Qdpohodn.exe	35
PID 2588 wrote to memory of 3028	2588	Qdpohodn.exe	35
PID 3028 wrote to memory of 1152	3028	Aaflgb32.exe	36
PID 3028 wrote to memory of 1152	3028	Aaflgb32.exe	36
PID 3028 wrote to memory of 1152	3028	Aaflgb32.exe	36
PID 3028 wrote to memory of 1152	3028	Aaflgb32.exe	36
PID 1152 wrote to memory of 2332	1152	Abjeejep.exe	37
PID 1152 wrote to memory of 2332	1152	Abjeejep.exe	37
PID 1152 wrote to memory of 2332	1152	Abjeejep.exe	37
PID 1152 wrote to memory of 2332	1152	Abjeejep.exe	37
PID 2332 wrote to memory of 2784	2332	Apnfno32.exe	38
PID 2332 wrote to memory of 2784	2332	Apnfno32.exe	38
PID 2332 wrote to memory of 2784	2332	Apnfno32.exe	38
PID 2332 wrote to memory of 2784	2332	Apnfno32.exe	38
PID 2784 wrote to memory of 2868	2784	Amafgc32.exe	39
PID 2784 wrote to memory of 2868	2784	Amafgc32.exe	39
PID 2784 wrote to memory of 2868	2784	Amafgc32.exe	39
PID 2784 wrote to memory of 2868	2784	Amafgc32.exe	39
PID 2868 wrote to memory of 2336	2868	Bihgmdih.exe	40
PID 2868 wrote to memory of 2336	2868	Bihgmdih.exe	40
PID 2868 wrote to memory of 2336	2868	Bihgmdih.exe	40
PID 2868 wrote to memory of 2336	2868	Bihgmdih.exe	40
PID 2336 wrote to memory of 744	2336	Bceeqi32.exe	41
PID 2336 wrote to memory of 744	2336	Bceeqi32.exe	41
PID 2336 wrote to memory of 744	2336	Bceeqi32.exe	41
PID 2336 wrote to memory of 744	2336	Bceeqi32.exe	41
PID 744 wrote to memory of 1724	744	Befnbd32.exe	42
PID 744 wrote to memory of 1724	744	Befnbd32.exe	42
PID 744 wrote to memory of 1724	744	Befnbd32.exe	42
PID 744 wrote to memory of 1724	744	Befnbd32.exe	42
PID 1724 wrote to memory of 1892	1724	Cppobaeb.exe	43
PID 1724 wrote to memory of 1892	1724	Cppobaeb.exe	43
PID 1724 wrote to memory of 1892	1724	Cppobaeb.exe	43
PID 1724 wrote to memory of 1892	1724	Cppobaeb.exe	43
PID 1892 wrote to memory of 2080	1892	Cdngip32.exe	44
PID 1892 wrote to memory of 2080	1892	Cdngip32.exe	44
PID 1892 wrote to memory of 2080	1892	Cdngip32.exe	44
PID 1892 wrote to memory of 2080	1892	Cdngip32.exe	44
PID 2080 wrote to memory of 1688	2080	Cnflae32.exe	45
PID 2080 wrote to memory of 1688	2080	Cnflae32.exe	45
PID 2080 wrote to memory of 1688	2080	Cnflae32.exe	45
PID 2080 wrote to memory of 1688	2080	Cnflae32.exe	45

C:\Users\Admin\AppData\Local\Temp\b6fca21a3ca8c5a90081e7a2c55cda80N.exe
"C:\Users\Admin\AppData\Local\Temp\b6fca21a3ca8c5a90081e7a2c55cda80N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Windows\SysWOW64\Pglojj32.exe
  C:\Windows\system32\Pglojj32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\SysWOW64\Pmhgba32.exe
    C:\Windows\system32\Pmhgba32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2312
  - - C:\Windows\SysWOW64\Pcbookpp.exe
      C:\Windows\system32\Pcbookpp.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2436
    - - C:\Windows\SysWOW64\Pmkdhq32.exe
        
        C:\Windows\system32\Pmkdhq32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2664
      - C:\Windows\SysWOW64\Qdpohodn.exe
        
        C:\Windows\system32\Qdpohodn.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\Aaflgb32.exe
        
        C:\Windows\system32\Aaflgb32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\SysWOW64\Abjeejep.exe
        
        C:\Windows\system32\Abjeejep.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\SysWOW64\Apnfno32.exe
        
        C:\Windows\system32\Apnfno32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\SysWOW64\Amafgc32.exe
        
        C:\Windows\system32\Amafgc32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\SysWOW64\Bihgmdih.exe
        
        C:\Windows\system32\Bihgmdih.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\SysWOW64\Bceeqi32.exe
        
        C:\Windows\system32\Bceeqi32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\SysWOW64\Befnbd32.exe
        
        C:\Windows\system32\Befnbd32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:744
        
        C:\Windows\SysWOW64\Cppobaeb.exe
        
        C:\Windows\system32\Cppobaeb.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\SysWOW64\Cdngip32.exe
        
        C:\Windows\system32\Cdngip32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\SysWOW64\Cnflae32.exe
        
        C:\Windows\system32\Cnflae32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\SysWOW64\Cgnpjkhj.exe
        
        C:\Windows\system32\Cgnpjkhj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\Cbjnqh32.exe
        
        C:\Windows\system32\Cbjnqh32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:572
        
        C:\Windows\SysWOW64\Dcjjkkji.exe
        
        C:\Windows\system32\Dcjjkkji.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:836
        
        C:\Windows\SysWOW64\Dlboca32.exe
        
        C:\Windows\system32\Dlboca32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Dnckki32.exe
        
        C:\Windows\system32\Dnckki32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1332
        
        C:\Windows\SysWOW64\Dnfhqi32.exe
        
        C:\Windows\system32\Dnfhqi32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2432
        
        C:\Windows\SysWOW64\Dkjhjm32.exe
        
        C:\Windows\system32\Dkjhjm32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1220
        
        C:\Windows\SysWOW64\Dbdagg32.exe
        
        C:\Windows\system32\Dbdagg32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Dmmbge32.exe
        
        C:\Windows\system32\Dmmbge32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1084
        
        C:\Windows\SysWOW64\Ecgjdong.exe
        
        C:\Windows\system32\Ecgjdong.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1088
        
        C:\Windows\SysWOW64\Egebjmdn.exe
        
        C:\Windows\system32\Egebjmdn.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2148
        
        C:\Windows\SysWOW64\Eifobe32.exe
        
        C:\Windows\system32\Eifobe32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\Ejfllhao.exe
        
        C:\Windows\system32\Ejfllhao.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Ekghcq32.exe
        
        C:\Windows\system32\Ekghcq32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1324
        
        C:\Windows\SysWOW64\Fllaopcg.exe
        
        C:\Windows\system32\Fllaopcg.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Fnjnkkbk.exe
        
        C:\Windows\system32\Fnjnkkbk.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2544
        
        C:\Windows\SysWOW64\Flnndp32.exe
        
        C:\Windows\system32\Flnndp32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 140
        34⤵
        Program crash
        
        PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Amafgc32.exe

Filesize
280KB

MD5
20990a4dcd714864f3a7b0aaef1467a8

SHA1
d647d8a6e6791a0e4649da7e8dd3886153ce084e

SHA256
cba95c5dd0afd9504a274840bf89e8ef2893b0d174d4091a457831f8e9311bb4

SHA512
5f935936a3396acdcb2a55fa18e1996be25c315eb48b965af91e1db3e40898119b4cc9b98ab849f2788cabff826720bbcfb42f2ef26736b6e41a239472f4a443

Download Submit
C:\Windows\SysWOW64\Cbjnqh32.exe

Filesize
280KB

MD5
12784a91705b5233d153190607d8be8e

SHA1
6727e0464ffa5e457a8b9a0eaee2d8142a4fe201

SHA256
8242175b225696b1ceed8057e2b5140671ec86a5f951c7b605ee0dbf5717de08

SHA512
549eabadff14b98b82b86be4cb1df42e27601bedfe90dc781b99452628359d070cec99c45631e67dd87cc40418e25bafb66601c2b552c6f28e53a1b71e410f15

Download Submit
C:\Windows\SysWOW64\Cgnpjkhj.exe

Filesize
280KB

MD5
46815be09ded72b1ef33f75968ce2b1a

SHA1
d9dd880bb6f72a3c24a12f788f336ba14f9e0358

SHA256
652c14862c0acf9b18c014a34cd8025330aad34443de312fec68df8140c52109

SHA512
e64a1972cfec33a4b428189ade6fa0952316edfb2bc4fb3fe7ef6cd3f20ef303f32f4a7d873e19286a576d0ab269f30ede9b00cfdf4efb59c7f51b5fde0e16d8

Download Submit
C:\Windows\SysWOW64\Cnflae32.exe

Filesize
280KB

MD5
4a2e95e0312298824dec72d4425f4029

SHA1
f5b1560f692c88c18b72efedc357f31eaf4a7239

SHA256
aa26c60e82b67f57a59e32cb5f7e64f38e33ccaa165ba16694e545973fd990ad

SHA512
3fa1f7cdaa99bb96bfa857b0e2e8ccd1ef6e33a0ca4b9e46d384dbbfaccc0e0fda7ad19a3230886d553e43e65f91b233d8b6168bce5ad8a142a15600a510518b

Download Submit
C:\Windows\SysWOW64\Dbdagg32.exe

Filesize
280KB

MD5
3fd052df138a7a9cd0269dc82477cb3a

SHA1
cd2e912f30198445d4d280868106c37ca1ff4864

SHA256
a12d98e6a1e1c12869a835c4d2f7afcfae1b01550c15348ae385d3711aaade77

SHA512
f8adfee20852439feea7ac0f2c5ce1cd0640cff4146811acaa6652a5f558626c0c17894a30678c3cc7d2d5b8dbe45a09fc1fe6ac584c8f3bd1aaa3ddd41840ba

Download Submit
C:\Windows\SysWOW64\Dcjjkkji.exe

Filesize
280KB

MD5
1841dabe8fcf4113f091c434b3fc6746

SHA1
ff97711582459ce6d845ada2fef3e6ea38dc069b

SHA256
1ae4050b5301dc3c2f28a81acf3d9862091c9475aaed15596b66bd806e676b39

SHA512
32c0f07ecdc9c76ebce72ab2b346287029c87243e77fb53cb56c51006c88f7942766c682dbe7cf167f094cbec9709dd9afb6c670347674e7bb84c74c0c546700

Download Submit
C:\Windows\SysWOW64\Dkjhjm32.exe

Filesize
280KB

MD5
56c3a8b3e50772185539c406daafbc16

SHA1
43de5d7d4b3b3c991cdc0c7c087aa017b1d4f223

SHA256
25ff7e9c25da5675c4a79e6be7025249764532bce1611e7d5837dd47c27200c9

SHA512
0b3c4003439530661346e03e65d295b938352420664f53956dd67c433403be994fd9b5e920d75f3f7eec5f38600669c1da6e5f13976a84a95504ba46432d872f

Download Submit
C:\Windows\SysWOW64\Dlboca32.exe

Filesize
280KB

MD5
d1620e398db924c253b3085479a0160a

SHA1
967e112cc17d67820fbd173902e4758f7df2e60c

SHA256
9e5e772f297a95f3d8632caeefdb98b69a45bd24e5bc0e2227f2ad6406a98633

SHA512
d77a65b9d85f946fe5cfdd4ad897f9dbcb8e7262616223491b7c346ca694d842a1e72ae917358cf692186460fc63b76c162ef7bed122aab3432807b509c50224

Download Submit
C:\Windows\SysWOW64\Dmmbge32.exe

Filesize
280KB

MD5
3d3c924cecd1d6d0f5a6986578555d31

SHA1
e7522ae1ad9c544412f0ec9b919ac4ed3309eb93

SHA256
285ea60a9ad050f85d98ce0d8a44189ae8c9f2ab9b1a0dab37b28bba92491dd0

SHA512
23a0593474e4a857c826161e68d853d29d1683551ca76928533eae044d1ff0deee50ac3ae435fdf0f7ed8e1a8425138da195607c37cdb699ed2611a8aefff94b

Download Submit
C:\Windows\SysWOW64\Dnckki32.exe

Filesize
280KB

MD5
ce20cb4866e75bf84306543918e9eb18

SHA1
9e68089b9e8b9f8f5a4a8dff292308fe1b96695d

SHA256
42979f01621f686a5ec688ca2765c1eeff570f8d21f2142174d2f9d24b2ad2c0

SHA512
11be04f02a484459996b7aac07a82b8640fd3fa866f524879f2d519df641a85ae04df59f38e6de174ad58dc686bfc3c0a08ed3773a8bd43b0d3bf602da6990cc

Download Submit
C:\Windows\SysWOW64\Dnfhqi32.exe

Filesize
280KB

MD5
b01ceb1a4bd29fbab5d8b33c22787b1c

SHA1
f25735cc11d2e30875acab1e303934833c4c852e

SHA256
f28c6c20496a82b7a32a80b4e16147a66d0f513ea571dc030f43bb00ab689f57

SHA512
419d3ef2a046995120f8e88dc6fa7fb8b12e9adef6e4d7adf774fe30c664cf8b17977f5611992e4ccd187f19f4f69179054dc4cc98fea46b321fbc1c37e186ca

Download Submit
C:\Windows\SysWOW64\Ecgjdong.exe

Filesize
280KB

MD5
cb209bbae4c189b9d4ebab7f1592df75

SHA1
bf8091eebb6b9be9c8516513fbe1bd8c5a898127

SHA256
680416910c3628ed72bd555192d40cca981e5cf318b664bcca7c2536f24be7de

SHA512
3285b6be8c29f433fa9fed5b6e0b64b88c04a2b058fd745da51f287b0d93a0ae73a94226bcc53b1ff73505ae4a35d034bd33cc879dd1cdb04a629ffd2f297785

Download Submit
C:\Windows\SysWOW64\Egebjmdn.exe

Filesize
280KB

MD5
223dd52501cf83a708009ebfd3a5c2b5

SHA1
37b93047abb5bc7ef30de92893f863e1dd12cbcd

SHA256
6ee20482712c27ae336675c1ac7b5743381f331d19fa35ecff25cc7dc8b71a72

SHA512
21eb0b1797f161872b84bd601f89b39c25db8c906ede70cf0f83dcd8fa4a3127eefcd4f1bc4da1a7df06a7de214ca0956ef091dce540934318ece48af8327341

Download Submit
C:\Windows\SysWOW64\Eifobe32.exe

Filesize
280KB

MD5
567cf1306deb3cc581507538367bd72c

SHA1
45a6c3f32e910c288a32b1dd740e93709f847c6e

SHA256
0d4a413ce607245207d6693346f99556d826a46111afde1640f903a837101443

SHA512
6f6df34e4844ce89edd68322354cffd9f6a762e1da4d2dc3b5d86cf69563a17582d74fcb0361f39831ca7dd15eb6518cbb6da5249b76ed1224db5f29dfc03a40

Download Submit
C:\Windows\SysWOW64\Ejfllhao.exe

Filesize
280KB

MD5
7f0ff422aef9fea5ed246d7564ecf7c9

SHA1
ea0a019f56efbbd93baca84de9013e84ced3e497

SHA256
caefb9a47d0d308d170f31adfba4637204f2bb6dc2409830897a03585131daf3

SHA512
567ea868b633bba8591cd95aee83a4eaaea4eb1ba031e6bca20791f05eb74504ecd9330143e0e15219c9117f499ed9215cd2814345757e9b62c9e1541ff50ca6

Download Submit
C:\Windows\SysWOW64\Ekghcq32.exe

Filesize
280KB

MD5
b80a618cae5e957b4be25828a88b2153

SHA1
1bbe944c0b136529492452668b8e3438d9761b54

SHA256
434d238efabd6cbf26b2920066cd264e9e4f0ba5f7090c2851e33246f0de5fa5

SHA512
ae06726e13775fbdc43648d8b565f36a497a8665bca708f3e5309af93e56e19d2334dbcbb1f7fba9e73f2f602fac733c39a97b7b43f07e5bda4fe145a85a0f77

Download Submit
C:\Windows\SysWOW64\Fllaopcg.exe

Filesize
280KB

MD5
31ca1218434a6c50b72ac318d493687f

SHA1
072f26b3eb55d5546c3fe3fabe5d8a46c7d65e56

SHA256
82e99461434ce74afa2af56133cfa554efe2909830724fd9151bd1a7085564f9

SHA512
468a42057f4262aab2996ad673cff2fa2fbab3535be40f163187c074962b0b9beb603f99eac9c5f99d0cb213fb05e1a91e926077f6246708f5323440a79e540c

Download Submit
C:\Windows\SysWOW64\Flnndp32.exe

Filesize
280KB

MD5
3ee9d3b881d6e46ac1e907faba475178

SHA1
8785b0f9815127f474756c9ed1320b95f780e5d9

SHA256
74632464763083767c1024b4c6b1d9d69db46ddd01689867d908be5cb23f262c

SHA512
6e6695f286b6a2f337d27a0a6d3ef57e47e42af2658595c8e0d239646397c4d664eb7fdfd3f90d0280faad8f4b9ba32b2fbd9b4001af950b831bc47cbe1e4830

Download Submit
C:\Windows\SysWOW64\Fnjnkkbk.exe

Filesize
280KB

MD5
94ccc376e0de1f1515c15b5335380e52

SHA1
75d0a77a9ac2a358a834669acaa02995ecbefe6b

SHA256
fa9260b7562511f371afe0d343738ac48aa731cb845b3039910e61b479d75999

SHA512
dd5874e3132e4fec86097a09da666f0564f330287c174e6b15dab83b93c469080d265b6c74b0b31adb7816638c66fd3d3910757e7f16ce7874c55a0de9d618f0

Download Submit
C:\Windows\SysWOW64\Pcbookpp.exe

Filesize
280KB

MD5
b294b3766c64dccf92a41fa6569b37b4

SHA1
007dfff031569b8b5cd745516f5c292bc1228afe

SHA256
432ff53bf2ba6d3e9e60f841142f5a1e216ed0af5dd100e32e7688f278781cd6

SHA512
e2ca20d6ff2eb6db37d2af4f2f8ff9aa4a3406b56e992a346c93ac5956ca061d54e4ebfcbc633ee8a5a2b42cb1a50a42b44f23517182b0c97f79ccd43520d4e9

Download Submit
C:\Windows\SysWOW64\Pglojj32.exe

Filesize
280KB

MD5
ec3b2b665c92a9f13b2a6688d2fca4a4

SHA1
7bdc1018f73b92799463687e47b22b394ed49c4f

SHA256
43732816b2989cf06e3f5b632b5b3a4f69f9630a79583fc8c8e0a4532a517d39

SHA512
e0d21d0749e2929d07e8bb678bfa56a6a69bd849a4a443d227721dd48571b8dae544701f32b04c3146a42c3641b3614100e9e09ae4bff1b1a29d86989cc72118

Download Submit
C:\Windows\SysWOW64\Pjcpccaf.dll

Filesize
7KB

MD5
d0f37c241d53b888a1cf512c0b69571e

SHA1
07adf2056dbd91b21687a01b4ec5d587ae163942

SHA256
b70449bcc41020f2e09f3bb37cfcbf997fedd5c6670fc61ac4c11abbc17492bf

SHA512
0cf2a11883cad4b5dfb2660618a8f2191ae80274497754d6d13addc96bbf05fe0cd96ae4480b9951220fe2c73bdd1a9a03aef6558ee03bc1172f82fb7d2814c9

Download Submit
C:\Windows\SysWOW64\Pmhgba32.exe

Filesize
280KB

MD5
d05c1b6575e08b9f972e8ede46b684df

SHA1
73446d80601f12d8d7491aaaf3571c916ebeafed

SHA256
e38f81f7eecea2011c19e5606fe1c5c508323822521dca1ca923dc24f504b7bb

SHA512
929b37b0f9924adab7f275d406bba91091a55fb8cfabbc6ae2acfeca565e5b3e7b4ac50680482f4c46f3c73f73f466eb798f4f1b9fa7c02767348c3fd455ce9b

Download Submit
\Windows\SysWOW64\Aaflgb32.exe

Filesize
280KB

MD5
b87756fa6b8986ed0c1327279a55b224

SHA1
c9991342f7ec487d1d67813fc10bd5f8a0a208c3

SHA256
b9f4679bf8c1b92172e3fcee62823e2c26e5bacf52c88fdebc0bfc0f2acd2326

SHA512
a766f8a4dd7e991a61e9dab103734f6c48cb3e0930e1603b8803c5306b644c92d59f9b3a4b4adb5cf8bf54bae7ec4fceb047078cda431e6d53c22349f7909415

Download Submit
\Windows\SysWOW64\Abjeejep.exe

Filesize
280KB

MD5
564a52808e477b62b4b6b0ccef941686

SHA1
1df59b40c8422dcd4048d8956048ebbb4d4628b9

SHA256
00cf7add4a0304762d0a6875a63094312fe463535066c20e99f5f9eb3929e392

SHA512
29e9240443d07e0ada722decad0e0134b5703642c8c4ce867865d86eb380179f4be893cb196598616e94c7cca9c11ac1741bb7c3cfd0bbc1e4fe7a7638045f09

Download Submit
\Windows\SysWOW64\Apnfno32.exe

Filesize
280KB

MD5
33c3b3951d68339d5d0b48928238d006

SHA1
9e86fe753257c09bca64202c0a8deef86fc9ce68

SHA256
72a6af9f512d12ae2e4071a16825e07c3d5f5aff064829acd135384ea7877b7b

SHA512
e1c76fa42ad03359bdb4e2589c4a401fc53bd426a42d7930c08b6e220109a43db39541eff13e5854b2ab37f10f9d9935472b64131a7fb91f0d4ddd584ee6899f

Download Submit
\Windows\SysWOW64\Bceeqi32.exe

Filesize
280KB

MD5
d20c9d629a84af76b1f2454d5b55531f

SHA1
a8250e58c68ce99b65aa51e29183b3ebf8713ccb

SHA256
90f324b3971673c4a4c2f99325cfe28e6dfbf0f36cb2e67401e00c98c59817f1

SHA512
402d7023ce09b66042d6c1045039347488c160407050f7874d32deb07d25d265af13668735df883d4aa42fdb653e78b9f1feb3d3761dba418ab4fb6af0c95f45

Download Submit
\Windows\SysWOW64\Befnbd32.exe

Filesize
280KB

MD5
e982187ffb2562d580d7b84fabff00e4

SHA1
e075c90fda869c2cbae71041c1684ca91430bc33

SHA256
d7a2a3a7eba93d0716156f65210eca98df670d7d2d638e74d2d6091acc2cd1d3

SHA512
47bf69c1be16e7d143af67f650eaef849312075df59fe058542118698bee67a086d899a52349a3c241adfbc1f4bb639a4a8999864edbd0bed27d41bf5ae191dc

Download Submit
\Windows\SysWOW64\Bihgmdih.exe

Filesize
280KB

MD5
4e30decba58808f2a26ae9516be3004c

SHA1
88547a2a9d3daef6d9084cc90ae974174150cc6d

SHA256
671456d4ecce8a4524d61d2835b5e8bcad08b26fe87cdb6da83d4e954ce04d2f

SHA512
f977ec7849f57bfc41b4c82d1d58a16d75e40715fea8c1987c301a33ddc80eaf5175c52e3b12f82e11b98f3b274f338f0d0ee030afb142965022a97988fe5e38

Download Submit
\Windows\SysWOW64\Cdngip32.exe

Filesize
280KB

MD5
a6c2eed81cb40cbf517288778a0b0894

SHA1
40b79375bba8cfd8718058cb7c4f924ec9222025

SHA256
ebfd054b3191ae55ad25e29bd84209a535a5c6d6a866fd2b97076d4e3d185157

SHA512
fd39496e7a1a899f3b4920cf4e5c13a945b47b4f38003431e09a076ac08e68e5fe60fed5b3fac9661285962c9f4c2f6fb53f22d0f167581658773b6cb6b0d672

Download Submit
\Windows\SysWOW64\Cppobaeb.exe

Filesize
280KB

MD5
4390c2bbb98b02107746e344e191e957

SHA1
5dfe8a59ddf3611e8ea3e4ede97a52011a0a8663

SHA256
e24e36b3f0e10034039addc98fe813c56aec058ea51d06e3b1cd5f2ed9e0ed7a

SHA512
bc787d6002ea10f9a136bdc7604792b59a76fb97692ea52f280c9c8084a1c69124a9e67ffdffcdf2ecf31334a333c0313ef03f199952e40a6449f23cbedb4117

Download Submit
\Windows\SysWOW64\Pmkdhq32.exe

Filesize
280KB

MD5
90fa204172ec59734d794d6c03751ffc

SHA1
ba938ca5dd31a2eb856fae8bb59d618b41ddeab4

SHA256
39263729257989aece0e3625f6192acf35f2f78e3571eb049caf8788e4fb26ab

SHA512
5067d3d8e4026bed458c5b6e4f08258085ee4e5dea1d4203febb04df18e17a6e5062dae740fe73ff02f566fdf87d411d03f63f7e46feccb7baf38d3e149d4cf3

Download Submit
\Windows\SysWOW64\Qdpohodn.exe

Filesize
280KB

MD5
d8851541a700c97eb2f78962926f3997

SHA1
c3913447f91e43ac82dea7ad4583c435bf10c4f1

SHA256
a3c21336ee9df9ef0be4c6ceb29926c823ff47c129e62c8a8e474ce8428a346c

SHA512
af4292c0d3e0a26dadd0b099988b08bc4027f6f51863245de1dc5dc2e906104d8a6f358bb80624f00702fac8ef0c42b46fc1f7aecf5812d1a3a543c6640961d9

Download Submit
memory/572-240-0x0000000000310000-0x0000000000344000-memory.dmp

Filesize
208KB

Download
memory/572-405-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/572-230-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/744-177-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/744-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/836-250-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/836-241-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/836-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1084-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1084-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1084-309-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/1084-308-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/1088-413-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1088-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1088-316-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1088-320-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1152-107-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1152-94-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1152-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1152-102-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1220-283-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1220-288-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1324-354-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1324-417-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1324-369-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1324-367-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1332-269-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1332-408-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1688-231-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/1688-404-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1688-220-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1724-401-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1724-189-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1724-178-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1892-402-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1892-193-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1892-206-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1980-341-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/1980-343-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/1980-415-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1980-332-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2080-403-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2080-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2080-219-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2148-321-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2148-331-0x0000000000360000-0x0000000000394000-memory.dmp

Filesize
208KB

Download
memory/2148-330-0x0000000000360000-0x0000000000394000-memory.dmp

Filesize
208KB

Download
memory/2148-414-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2236-407-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2236-257-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2236-251-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2312-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2332-123-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2332-396-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2332-109-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2332-124-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2336-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2336-159-0x0000000000390000-0x00000000003C4000-memory.dmp

Filesize
208KB

Download
memory/2336-399-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2432-278-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2432-409-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2436-45-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2436-47-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2436-54-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2544-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2544-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2544-385-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2544-386-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2588-76-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/2588-393-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2588-68-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2664-392-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2664-67-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2668-389-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2668-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2708-12-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2708-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2708-13-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2708-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2732-342-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2732-352-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2732-416-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2732-353-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2784-397-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2784-125-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2784-132-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2800-375-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2800-373-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2800-374-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2868-150-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2868-398-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3028-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3040-387-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3064-411-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3064-298-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/3064-289-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads