74ed45a48f410c00e8754c7dee7e19cf0c503af6e14cf1fb8889882b51149973

Analysis

max time kernel
145s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
18/08/2024, 00:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

74ed45a48f410c00e8754c7dee7e19cf0c503af6e14cf1fb8889882b51149973.exe
Size

890KB
MD5

efb74537a9643b820ba4c8882f518677
SHA1

8d0df0bc8b36f6935c11552d229c1a2985a2c938
SHA256

74ed45a48f410c00e8754c7dee7e19cf0c503af6e14cf1fb8889882b51149973
SHA512

02424fbaa33a4c274d041783846ceda4cd90954b458657410631d0e61b374408d0318666709ad1edac55d1c1c175ba9fa73421adb49b39d061714fc5ffbc5023
SSDEEP

6144:xwtHOkr7JPQ///NR5fKr2n0MO3LPlkUCmVs5bPQ///NR5frdQt383PQ///NR5fKj:x/Ng1/Nmr/Ng1/Nblt01PBNkEG

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egpena32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbfjkj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oggeokoq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Padccpal.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aifjgdkj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bceeqi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbjnqh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecjgio32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fipbhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dklepmal.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebcmfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egpena32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpbkhabp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebockkal.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	74ed45a48f410c00e8754c7dee7e19cf0c503af6e14cf1fb8889882b51149973.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfhgggim.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eikimeff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnqjkh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgein32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjhckg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecjgio32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Elieipej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfqlkfoc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Padccpal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdpdnpif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dklepmal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bakaaepk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnckki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dglpdomh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqkjmcmq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anecfgdc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnhefh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofaolcmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnabffeo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdkkcp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfkclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Elieipej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adgein32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Coladm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Coladm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eifobe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ooidei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oggeokoq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnabffeo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nobndj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfqlkfoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ablbjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbjnqh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Einebddd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqojhp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcdldknm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpbkhabp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnflae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnhefh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epcddopf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Einebddd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdkkcp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqkjmcmq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpgnoo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdpdnpif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eifobe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Epcddopf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdfahaaa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bakaaepk.exe

Executes dropped EXE 57 IoCs

pid	Process
2760	Nhhehpbc.exe
2788	Nobndj32.exe
2644	Ofaolcmh.exe
2612	Ooidei32.exe
2968	Oggeokoq.exe
2860	Oqojhp32.exe
1160	Padccpal.exe
2736	Pfqlkfoc.exe
2828	Pcdldknm.exe
776	Qnqjkh32.exe
480	Anecfgdc.exe
2000	Ahngomkd.exe
2024	Adgein32.exe
3012	Amoibc32.exe
1356	Ablbjj32.exe
956	Aifjgdkj.exe
1820	Bceeqi32.exe
2404	Bdfahaaa.exe
1856	Bkqiek32.exe
2480	Bakaaepk.exe
2484	Cnabffeo.exe
1760	Cdkkcp32.exe
2504	Cjhckg32.exe
900	Cpbkhabp.exe
1492	Cnflae32.exe
2780	Cpdhna32.exe
2888	Cdpdnpif.exe
2656	Cpgecq32.exe
2668	Coladm32.exe
2608	Cbjnqh32.exe
576	Donojm32.exe
2276	Dfhgggim.exe
2084	Dhgccbhp.exe
1132	Dnckki32.exe
860	Dfkclf32.exe
2108	Dglpdomh.exe
1996	Dkjhjm32.exe
532	Dnhefh32.exe
2152	Dklepmal.exe
1940	Dqinhcoc.exe
1508	Ejabqi32.exe
1536	Eqkjmcmq.exe
2500	Ecjgio32.exe
1628	Eifobe32.exe
2304	Ebockkal.exe
1012	Ejfllhao.exe
544	Eiilge32.exe
888	Epcddopf.exe
1568	Eikimeff.exe
2688	Elieipej.exe
2584	Ebcmfj32.exe
2552	Einebddd.exe
2816	Egpena32.exe
2256	Fpgnoo32.exe
2368	Fbfjkj32.exe
1852	Fipbhd32.exe
2544	Flnndp32.exe

Loads dropped DLL 64 IoCs

pid	Process
2236	74ed45a48f410c00e8754c7dee7e19cf0c503af6e14cf1fb8889882b51149973.exe
2236	74ed45a48f410c00e8754c7dee7e19cf0c503af6e14cf1fb8889882b51149973.exe
2760	Nhhehpbc.exe
2760	Nhhehpbc.exe
2788	Nobndj32.exe
2788	Nobndj32.exe
2644	Ofaolcmh.exe
2644	Ofaolcmh.exe
2612	Ooidei32.exe
2612	Ooidei32.exe
2968	Oggeokoq.exe
2968	Oggeokoq.exe
2860	Oqojhp32.exe
2860	Oqojhp32.exe
1160	Padccpal.exe
1160	Padccpal.exe
2736	Pfqlkfoc.exe
2736	Pfqlkfoc.exe
2828	Pcdldknm.exe
2828	Pcdldknm.exe
776	Qnqjkh32.exe
776	Qnqjkh32.exe
480	Anecfgdc.exe
480	Anecfgdc.exe
2000	Ahngomkd.exe
2000	Ahngomkd.exe
2024	Adgein32.exe
2024	Adgein32.exe
3012	Amoibc32.exe
3012	Amoibc32.exe
1356	Ablbjj32.exe
1356	Ablbjj32.exe
956	Aifjgdkj.exe
956	Aifjgdkj.exe
1820	Bceeqi32.exe
1820	Bceeqi32.exe
2404	Bdfahaaa.exe
2404	Bdfahaaa.exe
1856	Bkqiek32.exe
1856	Bkqiek32.exe
2480	Bakaaepk.exe
2480	Bakaaepk.exe
2484	Cnabffeo.exe
2484	Cnabffeo.exe
1760	Cdkkcp32.exe
1760	Cdkkcp32.exe
2504	Cjhckg32.exe
2504	Cjhckg32.exe
900	Cpbkhabp.exe
900	Cpbkhabp.exe
1492	Cnflae32.exe
1492	Cnflae32.exe
2780	Cpdhna32.exe
2780	Cpdhna32.exe
2888	Cdpdnpif.exe
2888	Cdpdnpif.exe
2656	Cpgecq32.exe
2656	Cpgecq32.exe
2668	Coladm32.exe
2668	Coladm32.exe
2608	Cbjnqh32.exe
2608	Cbjnqh32.exe
576	Donojm32.exe
576	Donojm32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Qnqjkh32.exe	Pcdldknm.exe
File opened for modification	C:\Windows\SysWOW64\Anecfgdc.exe	Qnqjkh32.exe
File created	C:\Windows\SysWOW64\Cgkqcb32.dll	Cnabffeo.exe
File opened for modification	C:\Windows\SysWOW64\Cjhckg32.exe	Cdkkcp32.exe
File opened for modification	C:\Windows\SysWOW64\Dfhgggim.exe	Donojm32.exe
File opened for modification	C:\Windows\SysWOW64\Dhgccbhp.exe	Dfhgggim.exe
File opened for modification	C:\Windows\SysWOW64\Aifjgdkj.exe	Ablbjj32.exe
File created	C:\Windows\SysWOW64\Bceeqi32.exe	Aifjgdkj.exe
File opened for modification	C:\Windows\SysWOW64\Cpdhna32.exe	Cnflae32.exe
File created	C:\Windows\SysWOW64\Jhibakgh.dll	Cnflae32.exe
File created	C:\Windows\SysWOW64\Flnndp32.exe	Fipbhd32.exe
File opened for modification	C:\Windows\SysWOW64\Nhhehpbc.exe	74ed45a48f410c00e8754c7dee7e19cf0c503af6e14cf1fb8889882b51149973.exe
File opened for modification	C:\Windows\SysWOW64\Pfqlkfoc.exe	Padccpal.exe
File created	C:\Windows\SysWOW64\Dhgccbhp.exe	Dfhgggim.exe
File created	C:\Windows\SysWOW64\Dnckki32.exe	Dhgccbhp.exe
File opened for modification	C:\Windows\SysWOW64\Dfkclf32.exe	Dnckki32.exe
File created	C:\Windows\SysWOW64\Qhalbm32.dll	Dfkclf32.exe
File created	C:\Windows\SysWOW64\Ojoligof.dll	Pfqlkfoc.exe
File opened for modification	C:\Windows\SysWOW64\Qnqjkh32.exe	Pcdldknm.exe
File created	C:\Windows\SysWOW64\Bdfahaaa.exe	Bceeqi32.exe
File created	C:\Windows\SysWOW64\Jcngcc32.dll	Fbfjkj32.exe
File opened for modification	C:\Windows\SysWOW64\Pcdldknm.exe	Pfqlkfoc.exe
File opened for modification	C:\Windows\SysWOW64\Ahngomkd.exe	Anecfgdc.exe
File opened for modification	C:\Windows\SysWOW64\Eqkjmcmq.exe	Ejabqi32.exe
File opened for modification	C:\Windows\SysWOW64\Flnndp32.exe	Fipbhd32.exe
File created	C:\Windows\SysWOW64\Heiebkoj.dll	Pcdldknm.exe
File created	C:\Windows\SysWOW64\Ppaloola.dll	Cjhckg32.exe
File opened for modification	C:\Windows\SysWOW64\Cdpdnpif.exe	Cpdhna32.exe
File created	C:\Windows\SysWOW64\Oomjld32.dll	Eiilge32.exe
File created	C:\Windows\SysWOW64\Eikimeff.exe	Epcddopf.exe
File created	C:\Windows\SysWOW64\Okobem32.dll	Dkjhjm32.exe
File created	C:\Windows\SysWOW64\Jhpgpkho.dll	Elieipej.exe
File created	C:\Windows\SysWOW64\Dnknlm32.dll	Cdkkcp32.exe
File opened for modification	C:\Windows\SysWOW64\Cnflae32.exe	Cpbkhabp.exe
File created	C:\Windows\SysWOW64\Aankboko.dll	Cpdhna32.exe
File created	C:\Windows\SysWOW64\Coladm32.exe	Cpgecq32.exe
File created	C:\Windows\SysWOW64\Khqplf32.dll	Dglpdomh.exe
File opened for modification	C:\Windows\SysWOW64\Dnhefh32.exe	Dkjhjm32.exe
File created	C:\Windows\SysWOW64\Nmkmnp32.dll	Ebcmfj32.exe
File opened for modification	C:\Windows\SysWOW64\Egpena32.exe	Einebddd.exe
File created	C:\Windows\SysWOW64\Amoibc32.exe	Adgein32.exe
File created	C:\Windows\SysWOW64\Aifjgdkj.exe	Ablbjj32.exe
File opened for modification	C:\Windows\SysWOW64\Dglpdomh.exe	Dfkclf32.exe
File created	C:\Windows\SysWOW64\Eqkjmcmq.exe	Ejabqi32.exe
File created	C:\Windows\SysWOW64\Fipbhd32.exe	Fbfjkj32.exe
File created	C:\Windows\SysWOW64\Egbigm32.dll	Cbjnqh32.exe
File created	C:\Windows\SysWOW64\Ejnbekph.dll	Dnckki32.exe
File opened for modification	C:\Windows\SysWOW64\Dqinhcoc.exe	Dklepmal.exe
File created	C:\Windows\SysWOW64\Fiakeijo.dll	Fpgnoo32.exe
File created	C:\Windows\SysWOW64\Iifpfl32.dll	Ooidei32.exe
File opened for modification	C:\Windows\SysWOW64\Coladm32.exe	Cpgecq32.exe
File created	C:\Windows\SysWOW64\Dkjhjm32.exe	Dglpdomh.exe
File created	C:\Windows\SysWOW64\Ogadek32.dll	Ebockkal.exe
File opened for modification	C:\Windows\SysWOW64\Ebcmfj32.exe	Elieipej.exe
File created	C:\Windows\SysWOW64\Adgein32.exe	Ahngomkd.exe
File created	C:\Windows\SysWOW64\Nobndj32.exe	Nhhehpbc.exe
File created	C:\Windows\SysWOW64\Pfqlkfoc.exe	Padccpal.exe
File created	C:\Windows\SysWOW64\Bkqiek32.exe	Bdfahaaa.exe
File created	C:\Windows\SysWOW64\Donojm32.exe	Cbjnqh32.exe
File created	C:\Windows\SysWOW64\Gmaonc32.dll	Dhgccbhp.exe
File created	C:\Windows\SysWOW64\Eifobe32.exe	Ecjgio32.exe
File opened for modification	C:\Windows\SysWOW64\Bdfahaaa.exe	Bceeqi32.exe
File created	C:\Windows\SysWOW64\Cnfnhaca.dll	Nhhehpbc.exe
File created	C:\Windows\SysWOW64\Deafohkc.dll	Nobndj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
568	2544	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 58 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdkkcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coladm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dglpdomh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbfjkj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdpdnpif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpgecq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dqinhcoc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eikimeff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anecfgdc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdfahaaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bakaaepk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dklepmal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flnndp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcdldknm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgein32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpdhna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eifobe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnabffeo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnflae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbjnqh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfkclf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Elieipej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfqlkfoc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aifjgdkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkqiek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqkjmcmq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eiilge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnckki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Einebddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fpgnoo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oggeokoq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqojhp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Padccpal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnqjkh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Donojm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejfllhao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhhehpbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahngomkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhgccbhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	74ed45a48f410c00e8754c7dee7e19cf0c503af6e14cf1fb8889882b51149973.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amoibc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjhckg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fipbhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ablbjj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfhgggim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnhefh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecjgio32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egpena32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nobndj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpbkhabp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkjhjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epcddopf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebcmfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofaolcmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejabqi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebockkal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ooidei32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bceeqi32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nhhehpbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahngomkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmhdkakc.dll"	Cpgecq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhgccbhp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebcmfj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fipbhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anecfgdc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ablbjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdkkcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhpgpkho.dll"	Elieipej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Padccpal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcdldknm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adgein32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bceeqi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnabffeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnknlm32.dll"	Cdkkcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfhgggim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deafohkc.dll"	Nobndj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofaolcmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdfahaaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfkclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okobem32.dll"	Dkjhjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebockkal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Einebddd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bceeqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnngnk32.dll"	Eqkjmcmq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eifobe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Epcddopf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fpgnoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daagjapn.dll"	74ed45a48f410c00e8754c7dee7e19cf0c503af6e14cf1fb8889882b51149973.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpdkq32.dll"	Egpena32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	74ed45a48f410c00e8754c7dee7e19cf0c503af6e14cf1fb8889882b51149973.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ooidei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ooidei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amoibc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Coladm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dglpdomh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebcmfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiakeijo.dll"	Fpgnoo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkqiek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnabffeo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfkclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnqe32.dll"	Dnhefh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eqkjmcmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeackjhh.dll"	Epcddopf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eikimeff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	74ed45a48f410c00e8754c7dee7e19cf0c503af6e14cf1fb8889882b51149973.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jegaol32.dll"	Anecfgdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ablbjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dilmaf32.dll"	Bdfahaaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnflae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpajjg32.dll"	Ahngomkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmaonc32.dll"	Dhgccbhp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqkjmcmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eccjdobp.dll"	Ejfllhao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bakaaepk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdkkcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbjnqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egbigm32.dll"	Cbjnqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmdkip32.dll"	Dklepmal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmkmnp32.dll"	Ebcmfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcngcc32.dll"	Fbfjkj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnqjkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qedehamj.dll"	Amoibc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2760	2236	74ed45a48f410c00e8754c7dee7e19cf0c503af6e14cf1fb8889882b51149973.exe	30
PID 2236 wrote to memory of 2760	2236	74ed45a48f410c00e8754c7dee7e19cf0c503af6e14cf1fb8889882b51149973.exe	30
PID 2236 wrote to memory of 2760	2236	74ed45a48f410c00e8754c7dee7e19cf0c503af6e14cf1fb8889882b51149973.exe	30
PID 2236 wrote to memory of 2760	2236	74ed45a48f410c00e8754c7dee7e19cf0c503af6e14cf1fb8889882b51149973.exe	30
PID 2760 wrote to memory of 2788	2760	Nhhehpbc.exe	31
PID 2760 wrote to memory of 2788	2760	Nhhehpbc.exe	31
PID 2760 wrote to memory of 2788	2760	Nhhehpbc.exe	31
PID 2760 wrote to memory of 2788	2760	Nhhehpbc.exe	31
PID 2788 wrote to memory of 2644	2788	Nobndj32.exe	32
PID 2788 wrote to memory of 2644	2788	Nobndj32.exe	32
PID 2788 wrote to memory of 2644	2788	Nobndj32.exe	32
PID 2788 wrote to memory of 2644	2788	Nobndj32.exe	32
PID 2644 wrote to memory of 2612	2644	Ofaolcmh.exe	33
PID 2644 wrote to memory of 2612	2644	Ofaolcmh.exe	33
PID 2644 wrote to memory of 2612	2644	Ofaolcmh.exe	33
PID 2644 wrote to memory of 2612	2644	Ofaolcmh.exe	33
PID 2612 wrote to memory of 2968	2612	Ooidei32.exe	34
PID 2612 wrote to memory of 2968	2612	Ooidei32.exe	34
PID 2612 wrote to memory of 2968	2612	Ooidei32.exe	34
PID 2612 wrote to memory of 2968	2612	Ooidei32.exe	34
PID 2968 wrote to memory of 2860	2968	Oggeokoq.exe	35
PID 2968 wrote to memory of 2860	2968	Oggeokoq.exe	35
PID 2968 wrote to memory of 2860	2968	Oggeokoq.exe	35
PID 2968 wrote to memory of 2860	2968	Oggeokoq.exe	35
PID 2860 wrote to memory of 1160	2860	Oqojhp32.exe	36
PID 2860 wrote to memory of 1160	2860	Oqojhp32.exe	36
PID 2860 wrote to memory of 1160	2860	Oqojhp32.exe	36
PID 2860 wrote to memory of 1160	2860	Oqojhp32.exe	36
PID 1160 wrote to memory of 2736	1160	Padccpal.exe	37
PID 1160 wrote to memory of 2736	1160	Padccpal.exe	37
PID 1160 wrote to memory of 2736	1160	Padccpal.exe	37
PID 1160 wrote to memory of 2736	1160	Padccpal.exe	37
PID 2736 wrote to memory of 2828	2736	Pfqlkfoc.exe	38
PID 2736 wrote to memory of 2828	2736	Pfqlkfoc.exe	38
PID 2736 wrote to memory of 2828	2736	Pfqlkfoc.exe	38
PID 2736 wrote to memory of 2828	2736	Pfqlkfoc.exe	38
PID 2828 wrote to memory of 776	2828	Pcdldknm.exe	39
PID 2828 wrote to memory of 776	2828	Pcdldknm.exe	39
PID 2828 wrote to memory of 776	2828	Pcdldknm.exe	39
PID 2828 wrote to memory of 776	2828	Pcdldknm.exe	39
PID 776 wrote to memory of 480	776	Qnqjkh32.exe	40
PID 776 wrote to memory of 480	776	Qnqjkh32.exe	40
PID 776 wrote to memory of 480	776	Qnqjkh32.exe	40
PID 776 wrote to memory of 480	776	Qnqjkh32.exe	40
PID 480 wrote to memory of 2000	480	Anecfgdc.exe	41
PID 480 wrote to memory of 2000	480	Anecfgdc.exe	41
PID 480 wrote to memory of 2000	480	Anecfgdc.exe	41
PID 480 wrote to memory of 2000	480	Anecfgdc.exe	41
PID 2000 wrote to memory of 2024	2000	Ahngomkd.exe	42
PID 2000 wrote to memory of 2024	2000	Ahngomkd.exe	42
PID 2000 wrote to memory of 2024	2000	Ahngomkd.exe	42
PID 2000 wrote to memory of 2024	2000	Ahngomkd.exe	42
PID 2024 wrote to memory of 3012	2024	Adgein32.exe	43
PID 2024 wrote to memory of 3012	2024	Adgein32.exe	43
PID 2024 wrote to memory of 3012	2024	Adgein32.exe	43
PID 2024 wrote to memory of 3012	2024	Adgein32.exe	43
PID 3012 wrote to memory of 1356	3012	Amoibc32.exe	44
PID 3012 wrote to memory of 1356	3012	Amoibc32.exe	44
PID 3012 wrote to memory of 1356	3012	Amoibc32.exe	44
PID 3012 wrote to memory of 1356	3012	Amoibc32.exe	44
PID 1356 wrote to memory of 956	1356	Ablbjj32.exe	45
PID 1356 wrote to memory of 956	1356	Ablbjj32.exe	45
PID 1356 wrote to memory of 956	1356	Ablbjj32.exe	45
PID 1356 wrote to memory of 956	1356	Ablbjj32.exe	45

C:\Users\Admin\AppData\Local\Temp\74ed45a48f410c00e8754c7dee7e19cf0c503af6e14cf1fb8889882b51149973.exe
"C:\Users\Admin\AppData\Local\Temp\74ed45a48f410c00e8754c7dee7e19cf0c503af6e14cf1fb8889882b51149973.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\SysWOW64\Nhhehpbc.exe
  C:\Windows\system32\Nhhehpbc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\SysWOW64\Nobndj32.exe
    C:\Windows\system32\Nobndj32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\SysWOW64\Ofaolcmh.exe
      C:\Windows\system32\Ofaolcmh.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2644
    - - C:\Windows\SysWOW64\Ooidei32.exe
        
        C:\Windows\system32\Ooidei32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2612
      - C:\Windows\SysWOW64\Oggeokoq.exe
        
        C:\Windows\system32\Oggeokoq.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\SysWOW64\Oqojhp32.exe
        
        C:\Windows\system32\Oqojhp32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\SysWOW64\Padccpal.exe
        
        C:\Windows\system32\Padccpal.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\SysWOW64\Pfqlkfoc.exe
        
        C:\Windows\system32\Pfqlkfoc.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\SysWOW64\Pcdldknm.exe
        
        C:\Windows\system32\Pcdldknm.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\SysWOW64\Qnqjkh32.exe
        
        C:\Windows\system32\Qnqjkh32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:776
        
        C:\Windows\SysWOW64\Anecfgdc.exe
        
        C:\Windows\system32\Anecfgdc.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:480
        
        C:\Windows\SysWOW64\Ahngomkd.exe
        
        C:\Windows\system32\Ahngomkd.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\SysWOW64\Adgein32.exe
        
        C:\Windows\system32\Adgein32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\SysWOW64\Amoibc32.exe
        
        C:\Windows\system32\Amoibc32.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\SysWOW64\Ablbjj32.exe
        
        C:\Windows\system32\Ablbjj32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\SysWOW64\Aifjgdkj.exe
        
        C:\Windows\system32\Aifjgdkj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:956
        
        C:\Windows\SysWOW64\Bceeqi32.exe
        
        C:\Windows\system32\Bceeqi32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1820
        
        C:\Windows\SysWOW64\Bdfahaaa.exe
        
        C:\Windows\system32\Bdfahaaa.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\Bkqiek32.exe
        
        C:\Windows\system32\Bkqiek32.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\Bakaaepk.exe
        
        C:\Windows\system32\Bakaaepk.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2480
        
        C:\Windows\SysWOW64\Cnabffeo.exe
        
        C:\Windows\system32\Cnabffeo.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Cdkkcp32.exe
        
        C:\Windows\system32\Cdkkcp32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1760
        
        C:\Windows\SysWOW64\Cjhckg32.exe
        
        C:\Windows\system32\Cjhckg32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2504
        
        C:\Windows\SysWOW64\Cpbkhabp.exe
        
        C:\Windows\system32\Cpbkhabp.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:900
        
        C:\Windows\SysWOW64\Cnflae32.exe
        
        C:\Windows\system32\Cnflae32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1492
        
        C:\Windows\SysWOW64\Cpdhna32.exe
        
        C:\Windows\system32\Cpdhna32.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2780
        
        C:\Windows\SysWOW64\Cdpdnpif.exe
        
        C:\Windows\system32\Cdpdnpif.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2888
        
        C:\Windows\SysWOW64\Cpgecq32.exe
        
        C:\Windows\system32\Cpgecq32.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2656
        
        C:\Windows\SysWOW64\Coladm32.exe
        
        C:\Windows\system32\Coladm32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Cbjnqh32.exe
        
        C:\Windows\system32\Cbjnqh32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2608
        
        C:\Windows\SysWOW64\Donojm32.exe
        
        C:\Windows\system32\Donojm32.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:576
        
        C:\Windows\SysWOW64\Dfhgggim.exe
        
        C:\Windows\system32\Dfhgggim.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Dhgccbhp.exe
        
        C:\Windows\system32\Dhgccbhp.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2084
        
        C:\Windows\SysWOW64\Dnckki32.exe
        
        C:\Windows\system32\Dnckki32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1132
        
        C:\Windows\SysWOW64\Dfkclf32.exe
        
        C:\Windows\system32\Dfkclf32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:860
        
        C:\Windows\SysWOW64\Dglpdomh.exe
        
        C:\Windows\system32\Dglpdomh.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2108
        
        C:\Windows\SysWOW64\Dkjhjm32.exe
        
        C:\Windows\system32\Dkjhjm32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1996
        
        C:\Windows\SysWOW64\Dnhefh32.exe
        
        C:\Windows\system32\Dnhefh32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:532
        
        C:\Windows\SysWOW64\Dklepmal.exe
        
        C:\Windows\system32\Dklepmal.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2152
        
        C:\Windows\SysWOW64\Dqinhcoc.exe
        
        C:\Windows\system32\Dqinhcoc.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1940
        
        C:\Windows\SysWOW64\Ejabqi32.exe
        
        C:\Windows\system32\Ejabqi32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1508
        
        C:\Windows\SysWOW64\Eqkjmcmq.exe
        
        C:\Windows\system32\Eqkjmcmq.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\Ecjgio32.exe
        
        C:\Windows\system32\Ecjgio32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2500
        
        C:\Windows\SysWOW64\Eifobe32.exe
        
        C:\Windows\system32\Eifobe32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Ebockkal.exe
        
        C:\Windows\system32\Ebockkal.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2304
        
        C:\Windows\SysWOW64\Ejfllhao.exe
        
        C:\Windows\system32\Ejfllhao.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1012
        
        C:\Windows\SysWOW64\Eiilge32.exe
        
        C:\Windows\system32\Eiilge32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:544
        
        C:\Windows\SysWOW64\Epcddopf.exe
        
        C:\Windows\system32\Epcddopf.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:888
        
        C:\Windows\SysWOW64\Eikimeff.exe
        
        C:\Windows\system32\Eikimeff.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\Elieipej.exe
        
        C:\Windows\system32\Elieipej.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Ebcmfj32.exe
        
        C:\Windows\system32\Ebcmfj32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2584
        
        C:\Windows\SysWOW64\Einebddd.exe
        
        C:\Windows\system32\Einebddd.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\Egpena32.exe
        
        C:\Windows\system32\Egpena32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2816
        
        C:\Windows\SysWOW64\Fpgnoo32.exe
        
        C:\Windows\system32\Fpgnoo32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Fbfjkj32.exe
        
        C:\Windows\system32\Fbfjkj32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\Fipbhd32.exe
        
        C:\Windows\system32\Fipbhd32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\Flnndp32.exe
        
        C:\Windows\system32\Flnndp32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 140
        59⤵
        Program crash
        
        PID:568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Amoibc32.exe

Filesize
890KB

MD5
b0434cbe9749cf0fe87545c0d12e87e4

SHA1
66e3c7e1f478c5bc8976f850134ea21913c2c6a2

SHA256
11181acf47e696fb8ae77102ccbdf5ba5cdcb41a397291060a0bddb9b8d581bc

SHA512
67b7a629140ed2ae50cc15dcaf28d01ba867fae157467b499a16aa17c04e9abbba377cdd567f1508227707a614735a3b178d298dd55b7fa4151419cb1b670735

Download Submit
C:\Windows\SysWOW64\Bakaaepk.exe

Filesize
890KB

MD5
bb78976f0718dc6d6134930500dd890a

SHA1
3f86d4b4fb199d9e7dc1e40ef8677e37b05a2742

SHA256
09cb8820c6e8be3a9c0437feec518bd0f8492c688a6e8e5969680af86c6a5692

SHA512
659b37435429187066e718beb3340a36965c5c643727078da00bcb0b970b4671655bfaa86fb7e121408554e00351e653b223851c157f115113b7074b9005927b

Download Submit
C:\Windows\SysWOW64\Bceeqi32.exe

Filesize
890KB

MD5
892b327c662f01043d1625f28059340a

SHA1
95783979e4fa82183278588c53e0f860d7cc40c9

SHA256
d7cd43b62df4547b57e30c4928e270b8a90b079dafdfa0783ea0f9c7c13da29f

SHA512
c862b9d83bf64fa10de78aef63ed92d02573443787da7f5639f37e3c0aeeeae94179b2a2edcd2c280807e93df70618542e8c796746187a63c0342ab4795bcbe6

Download Submit
C:\Windows\SysWOW64\Bdfahaaa.exe

Filesize
890KB

MD5
91564b0d852f478aff26fd7cf942d273

SHA1
75606e53eaa99062b91dcf72c9caf5a18044caf0

SHA256
b1686885f641e4c1f19f496ca7652a3174e824e5bd7a46ac658f5b3eb5883ee8

SHA512
66ff2482b9fe6a0531f135f3d4d1f84df74c753857b86cda744861f519390ca62175b39daa49e7553ff97addb9d78d20a5394362556de5e366aa5654964ee5e0

Download Submit
C:\Windows\SysWOW64\Bkqiek32.exe

Filesize
890KB

MD5
4107e812b06e7bdb015b132b0cf8fa6a

SHA1
3d6838f0da377c5d6b350d529a0f1a5472f00e12

SHA256
b86382d29a75aed20125162e701bbfbd095f8291b4519d5f487a7f163826d8a5

SHA512
31f3fa4dd52a0d5b62d6d95604eb32c9a1afb214f5518014326af95f6bb1d46e614e761fdad0490a01224b182b4dc0a9209e8a869138cc6c31623cc9f6f05a65

Download Submit
C:\Windows\SysWOW64\Cbjnqh32.exe

Filesize
890KB

MD5
91b2b00754888f7a2bbc2ba9fa984f0e

SHA1
1a795b92cf6de2fe2109de21f348c69137d9a00d

SHA256
883cdc10f66277253e169cf58d4e13352e753670403dffcb81e5e277b8a2dc87

SHA512
a096981b6fad1f78b048b711713436a93d75ecf33987530e895157457ce3c60786079ad959a2cbd74f0afe073f648250afc455bd5126f4a301dbfa07b15eb368

Download Submit
C:\Windows\SysWOW64\Cdkkcp32.exe

Filesize
890KB

MD5
cc125b5af63c2c23e895637f80fde252

SHA1
ad8db21172dccc6979d553db3c7450e146bdc275

SHA256
80c57d5cf2d6667126de5965c95d7d6223ae8f0d2e33b2a78d5bbd78f6decc36

SHA512
f704f5e74e1206928930f6087285ca88f1d704d594161bb6431bf430d2615c5b289fd259eaea2501b857fd13440009c5c29ec386ed05fa38fcfd8ed88fa6d585

Download Submit
C:\Windows\SysWOW64\Cdpdnpif.exe

Filesize
890KB

MD5
509d98a395d7818003910b6345bf45e8

SHA1
918990bebe2a3e99e1cac55226c5d99899c85a52

SHA256
26be07c5f409e318fb1cff8281444141a061a5b3849d894fb266045915aa3ba7

SHA512
df6c0edb895e462d70422a9a4e3d510a4dac93ea5ad8a3e86808ae57d5ee35fad7df45996e6d04ebbf8f66350412b69e2d128def7a631eefdad05b06eb2cb618

Download Submit
C:\Windows\SysWOW64\Cjhckg32.exe

Filesize
890KB

MD5
7d5cc5fce5d81367437b2dea043df23d

SHA1
e0f556e120ff6eef14afd9303e396f46cd6b8747

SHA256
77a0e82a007e4327c31e5cf3d1d165f25e41277aa247d37aa9223dc856d09e69

SHA512
cc64f5b2e97f49af665ad5beba4c4bee72a9c4648f6ea1e64f99321ef2af9608e0fb13b17d73180b581d5390a98f725be545620cd129a845a6c2296406f281f2

Download Submit
C:\Windows\SysWOW64\Cnabffeo.exe

Filesize
890KB

MD5
a2a5c421dfb7c62641dc49349c6cb1db

SHA1
81b84cc6afe38a8485a35fbb8fe872b8718ed26d

SHA256
ccbbd6423e9e686302046182cdf0514733f3fa3ace35eeb23d7faa7ad085f9c5

SHA512
ae8e8331b03b6a5e3f7ad6f0e9fa14eccebefedc038dfa18eacb382e13eec4dd354abc1c0d6dea199955629dc8f384a5c2f6c6f78b46f780f56447d96baa7ded

Download Submit
C:\Windows\SysWOW64\Cnflae32.exe

Filesize
890KB

MD5
a3164a3575bada3055876301fcebe95b

SHA1
d75de4df4f52ae776a92b8d6bf7614bfd952fa56

SHA256
1cd4242c417bf89d29f3550b5eedfaa2b3829543a686bbe30c3fefe5ff95fbcb

SHA512
83b0342a063c78f011d96c0c8e2427059dfb3f69e25fa66c252883c80afb69fd4a6ffc2e9336726c54a3f89679b1298437fb62496449dda8f8dbe380ddb70d95

Download Submit
C:\Windows\SysWOW64\Coladm32.exe

Filesize
890KB

MD5
8d2f5ca93b0f642da891b008a421456d

SHA1
aed96ceed62a652defac20bcdeabca70643143b7

SHA256
c9e2c265eb632d1f515bfff96bd721a2dea375966ba78dd5557d0ae1648471c2

SHA512
6a6dfa844288ca2f4dd9aceecfbddc246340ea6bb3d37833aca3db870dda88af681abf3ce317b653b196538a94d2a81f3e1b58e0cc8b52c445aaf54e4393a178

Download Submit
C:\Windows\SysWOW64\Cpbkhabp.exe

Filesize
890KB

MD5
1a1f9ce577c84fd62e26373ee1ecb7ee

SHA1
cffd9dc3df9fea49ad17343e97f6661cb40517bd

SHA256
86079babf5f93d809d46fd3009569c04f1988bfc7fbe12e52e89e1a07f1f5e68

SHA512
f2f52522f3dd9062f6e26d05b96cfaa1d46b5007d44427587c56eee27d3fcc2bff77f9f474a1f21c1d66f7fab9d65882972b047d6a39c4c709c4a39d41194912

Download Submit
C:\Windows\SysWOW64\Cpdhna32.exe

Filesize
890KB

MD5
654db46fb26de1805e10665ed2938140

SHA1
d62c0cf3432bdf2a68c79037afbb024cf725c494

SHA256
ade0030eff2ae35d6e97d42840e94125630f57e27656c7a6dbbc84f970bcc326

SHA512
07dd4684f009b7aac3c6cd96ecf49a0d3d329ca2439ae95dc3cef7eb16ed2bbc840edf180cfdc6f1f8f9883d80b4fe388b4837b5afd6469d895ab4f72f817a3d

Download Submit
C:\Windows\SysWOW64\Cpgecq32.exe

Filesize
890KB

MD5
faa23256aeff2ed6ac66d3405da12c22

SHA1
8ac52c37eb87626f98f3191fa4324644fd72ac3d

SHA256
66770b081dc827d26cf204e32920a057cfbcd18879577ee20f553afda7afeeb5

SHA512
c7ff680db8e55ff51b232b9e040e4660df7f4240d516b40fed9d725a596513b570296773d88e7f333a5902d3e508d723b541c7823cc03a874a08b8cca1d12494

Download Submit
C:\Windows\SysWOW64\Dfhgggim.exe

Filesize
890KB

MD5
46a8a1e70f12b3c3aacb851c2438bbed

SHA1
a3b16f65d4538de6b17cea3af1135502db37d74d

SHA256
c48cb9e443ad6b63753cbf850b6d26372429cc486ad114a101655ffbff3d2399

SHA512
b2761771439a9edd654ef4ec11a18295857a900def1d82bf424c5bd69a21a4ce31b5866d8956573949cbb7911157498a9e943a31b3c7a3d7870765cc7f84ac9a

Download Submit
C:\Windows\SysWOW64\Dfkclf32.exe

Filesize
890KB

MD5
679fc1a58201367aff9242bd49c18091

SHA1
245cec80ace6b02714811d737f35b160355df074

SHA256
3a794b1a133f7f464f70723f49e5f3281103e360575d9ac4d5f6211e182f8eeb

SHA512
a34827e0ae5824a65dd32b09e1a3f04275238bb6fd0e570236e824ed1aba690c6434dc828d6b6cf4a53cc006799ccbd3892637db164d1861825fd4b8383396c1

Download Submit
C:\Windows\SysWOW64\Dglpdomh.exe

Filesize
890KB

MD5
1bc75720937b9801fcaf3ca504111c5b

SHA1
02c7ac8fbfe2cdd99d42f6e0dfe1a7b130fea403

SHA256
4a9a21e401254dc7a4922bb58f43936b201cd9f4fffcaaa81a13367c553e9ade

SHA512
2bb987543846703e1e09ef0ebbe750e585b792888d922b5c754796ab7297eafc5b6450c6fcb856786119be71a72121336e61e781b207420c634b361480d5d764

Download Submit
C:\Windows\SysWOW64\Dhgccbhp.exe

Filesize
890KB

MD5
7a2a2485b570c8c7e1db34835b19915f

SHA1
91e247942762061db82d2a1f04eb3f2024cca054

SHA256
ec3e97ffe459a0442bd7caf107bad6fb6d549de90054409f5968d1fbe2938bb8

SHA512
98fff73b570b8f702861e77709f6178dabfacf392768697f1ba0b3137680aa75337ae69e927814cdac1e187401ad264f33d5c9fbb2a1fcdf682dd8ca53f753a2

Download Submit
C:\Windows\SysWOW64\Dkjhjm32.exe

Filesize
890KB

MD5
363a9646e99c3e24e1d3d50ce8148830

SHA1
f5b9945cbadac86925f1346a40adfd24c11c202b

SHA256
f3c2748e696653c495111f86a86584833082763543d4f6d140c4dcf8cd6a2838

SHA512
b317e47fa3f1323096e266a6b5c7e7f1103e5a9a9d278c513787897ea6338190f1207e9c90a4f3a3908108dcbabc218c37b13e221e6678d7bc655268e5cb4d7c

Download Submit
C:\Windows\SysWOW64\Dklepmal.exe

Filesize
890KB

MD5
8488e87b97d63ecf7f28d27b9a988559

SHA1
e2557eb78f6ca2b9cf6bf10faf21955f3919d03d

SHA256
fd5d9781574a0740bec55379a393e02d7336066f6b676e4c26b0a4a3ec4aa475

SHA512
96732b4047add78ada4a901e6e89bf35f9af482208b6111f6882eedbf7d8ce4f895b2518db59dd1b3e85cdfc82ff18f2b9423861e768e52323192bb504417d45

Download Submit
C:\Windows\SysWOW64\Dnckki32.exe

Filesize
890KB

MD5
662ec64c971c4fd3e527ca8b6c77b187

SHA1
0c470b1274a5e894455e40974fffe4b899a4dc25

SHA256
9aad8c812a396d76635fed2aca8d13fc6da4fee2031260b245199ea72288d785

SHA512
be91d388ac8f1355344bd535484874b14048c1dfdf2ff645e4adb8bab2b51128c011695c068286c03f0eb283aaccde098a53f8767e25f5b1b792071174b3072b

Download Submit
C:\Windows\SysWOW64\Dnhefh32.exe

Filesize
890KB

MD5
8ec16f6a2a24cfe4bd6ced79a0d1e7ec

SHA1
64630adad73f06bdbfc4fd3aaf923d1e6a21b411

SHA256
1f2272e8c40dbcb5a4ff201669bbd38d16732f2320a80a2451eed51e512a0679

SHA512
37a68cf236f3b9ff416786a769411b817dcc3a4f614a81c31eef3696232683162dd33236289676b0bbe34fe7e078203d5b98d8d29c40ee832a208a545a25bb31

Download Submit
C:\Windows\SysWOW64\Donojm32.exe

Filesize
890KB

MD5
42f59ce610c08ecd4d1ec51908547ac0

SHA1
57d17dc459cfe180bbb02720953c709cab3700bd

SHA256
cc337b4d485138742f5b3a40f18d67f4cfdb4ccaa4454406d6d5cf69cfe3ed77

SHA512
77106fbced4730e979573d191cb84e4abd182b7666f6394f52be1058d0c84877a0790606445f502464d1cbba16fa043fa9382a3f37053f305c676293108285d0

Download Submit
C:\Windows\SysWOW64\Dqinhcoc.exe

Filesize
890KB

MD5
11e4f9fdbdc83427a0ab8f2b7ace384e

SHA1
994040eae0b3afd2b1442b5e6e149d0d52c01dff

SHA256
bf88afaf2c8bcc1ca6b9336e186b505d85bbec77daceb245adb56d854d55454d

SHA512
e41f779afbe3728fc73081c6998cc269e0f6e2c2c661413632e58e61452e05f0c0da089f3631798f72e38db1c11dc185aefc7c2062f60d503fc5999c65b77369

Download Submit
C:\Windows\SysWOW64\Ebcmfj32.exe

Filesize
890KB

MD5
458fbf9084d91101c6c4540b83bbf4ac

SHA1
b9293f1800ad12b1354587918399044d4fbcb6ac

SHA256
3674d715ed404e944a7027a4e2b638d2a7b1def773768f2955e759216215548d

SHA512
5d9489e7e0252632df417ec5ea459b6a7f0f0b2d980746a34868c01991e4816ef86616d425259a6bc0080f650e799cb2b837cc630cab1d048b3e4916ef9757b0

Download Submit
C:\Windows\SysWOW64\Ebockkal.exe

Filesize
890KB

MD5
eb49421245e4bd469ab6221e62158a10

SHA1
3ca0306ee6607d26c9de2db3fba6d462aaf31cc9

SHA256
e404c0f3a625f54e4b0fff5a1f14c825fe069440f00a658ba993142e66d862ea

SHA512
01a6ed9af730cd8eafff4c511e576bfc9f1f484dd745065896782fbe90cf38e4d746c8a367045608e2289fb9c051beb2997b1ab2ac43d48b4a3aafc6b0422afd

Download Submit
C:\Windows\SysWOW64\Ecjgio32.exe

Filesize
890KB

MD5
7cbee55c2fe5270ff7cb4db662f56cfb

SHA1
c649ea24a15bbf19bc19a18ed5039988a5fe4e9f

SHA256
dcc1cbb81e437c184fffafbf803647d42b62979be21b749b74403f6d01d1edb3

SHA512
128b3baee2ec1060d4d7cb77ff7ebe8f378f55c4abb0124b47c54fad7a03463552bf3667f278c29bfb0b6c837d68d359c192660a90afdbeba915b7c79a84d8c6

Download Submit
C:\Windows\SysWOW64\Egpena32.exe

Filesize
890KB

MD5
b20ac06917c11a347071dbe6fed64b14

SHA1
bb021320a6998570d66cf43b120763f7701dd5ca

SHA256
3f80cb0a8e44c053284839c26631811fb8c377fbd2288057323383ab6f28f5c8

SHA512
6e8b3837bcddc3933abe9a66988246f4ebccc3b39259375abc6d9ff8b0800957e4a7ff75dcc56ffb8449008ca0668c2b3373bb1ed5914c25f85232c0815bd341

Download Submit
C:\Windows\SysWOW64\Eifobe32.exe

Filesize
890KB

MD5
d2d5543779325af842d49cf1c3ae92ce

SHA1
6facab3dc5757435156379dacbb7472e544bf77d

SHA256
83320e4b8371b8426080cf78c6961beb47344ccb44b8136d8c9c1d0047e186eb

SHA512
5c73b66590997801ba4012db847d00c8d802e0a1478f43f5da4ad41ed02d1dd501ed7b14117fce544777cfe643cf138df64b801153efe926de3ffa75f0776fd4

Download Submit
C:\Windows\SysWOW64\Eiilge32.exe

Filesize
890KB

MD5
94cb7985a2841c0b534b09c41eeb35cd

SHA1
1b3c5453e13c9c8d354c94ed809ad643aa81fe48

SHA256
87ff845c8681dcaabba91eb6a6a59f8830e6e4b4d76f1b30a21f832a1a40878e

SHA512
d6bb3abc96ea4a83da2468b085db719507e50722435760b37a0161e8de0bd018361f4036334593df26f0b564ba433874854fc9d6a3fc3d6c9dd8b78380d1efa0

Download Submit
C:\Windows\SysWOW64\Eikimeff.exe

Filesize
890KB

MD5
6fa776f64df42317a6be852f0dc602b2

SHA1
7c67f020f69a8f830e2f08d699e801aed33c249d

SHA256
714533a754893bf9136aa37d8759f9008543759f75a8ac2f5cf14e855b73f92c

SHA512
b61b40b8028be8346bfaf7a01b8052b29a54e45af804dcde35cc4341b8e2aff502a1d7e796c8df63da41fd8ee403827e78ed4a4b677cdecd3b7bc0cd2362df4e

Download Submit
C:\Windows\SysWOW64\Einebddd.exe

Filesize
890KB

MD5
3edf2d80c11613c5fb20127b643a1ff3

SHA1
21e781f181c02689a52e92fe46038ab391270fd1

SHA256
61fa5c902ea538923179c9e4d64f4b80ef34e67345c370ad5a0ab39f266dd228

SHA512
cde8f5768567c3262f994779cd82e781ef5920275d07bd0a42b16efd64ed320b0141aa3fe396c6512976a82ab40545a30772cf009a52f21d6d6bbce3f811d0af

Download Submit
C:\Windows\SysWOW64\Ejabqi32.exe

Filesize
890KB

MD5
c88d31f0306c9e4d13871d8adec1c40b

SHA1
c352c8079e26138c8548c795cc0b4c592df00bdd

SHA256
322721a9c5e81a7ef5ee4d1a742aa75931dd3a8d85d7b24fe3e953a792b9d9be

SHA512
13bea6abde7aa8612a922040da1b17bdc05bb6d80dced3bf1dad43c24b845355f9f432a717abbff8cd989d88011c25bb2d91a7ebc66e6dc46af3df54ede2291d

Download Submit
C:\Windows\SysWOW64\Ejfllhao.exe

Filesize
890KB

MD5
78b552a91b84e9616111e39a031ae033

SHA1
911be168a508bd43251e702e598bc2aa0062fc24

SHA256
e5b3295a16827f59f17a3ae07030f51a3ab255314d9611ac8e0332c7f1080f56

SHA512
f69c2a7736dab1510c21c722485d7130586bb8892211d60ecaafff4ca84b975156d9caa377484dddedf9838208279773deb8db6ec4c98a7a3c240761f99717b4

Download Submit
C:\Windows\SysWOW64\Elieipej.exe

Filesize
890KB

MD5
6563961e8d52b90eae7c5f77651698fe

SHA1
64adcf084b117600b6a4c527187fdc829c9fbf41

SHA256
c543bce6c4ea630d3b5ccb7bb716604ebe28f1afcfa0c6d11e28edd108867cc3

SHA512
69472210c9105db7998fbf8df47e73827189256fc640417ade2b03dd2df3f579e869cce9b8ea6175323ab32be40e9162e6770505ed988e16449d61b8cf43083f

Download Submit
C:\Windows\SysWOW64\Epcddopf.exe

Filesize
890KB

MD5
d9f6d98ee11f81dba3903e86b6144113

SHA1
b588e357c8bdb34b6d7d6300f22f0fa15823d03a

SHA256
db89bff19cc460a327613ed5c7776a605bb02ebc57a2e10a20631e515224a81f

SHA512
5bfccc51984ed8585977751ec4ea3599d41ba718a99e213a97ac7866cbba16d591ce5f1a0b164487a9beade27f168834ce1439c148e4e899e11b69cff6958891

Download Submit
C:\Windows\SysWOW64\Eqkjmcmq.exe

Filesize
890KB

MD5
63be7cc61fb7360d613d539753321086

SHA1
125584bc1449a9c126caddb3b300593ae54e5be5

SHA256
56d51968e1b708fa829b142118aef368d01bd37235866f225b3b54d246b414bd

SHA512
1afe16b5ac41ee81fd1637b089448214aae2cec968c34104eb7b1d4d7e4c526316cfe0b047d45371b6f635ce49a671c38b81698f48fc6e84428ecff4458bb931

Download Submit
C:\Windows\SysWOW64\Fbfjkj32.exe

Filesize
890KB

MD5
f1fbb6d5094e2625ffd0f481fc75f3de

SHA1
e4c85e9418db5f40a8efb7dab80e1b3b07781da8

SHA256
9b4d67b19a590ba220d8982ed1d4f658edcb19e46d2514cc391036c1b4488bff

SHA512
b711614de7532daa942ebeaeda236c09a6c614abdf33a8e2be63fc7b2057848f65293c609d928d7cfb57b6cab3617dd10aa1448001ede157966ccef860e4f9e5

Download Submit
C:\Windows\SysWOW64\Fipbhd32.exe

Filesize
890KB

MD5
a70db19775e386b77062646141242174

SHA1
b7eac703e280053367b08663744de87964179b81

SHA256
613e872f2cdef35030f1ea7cf0270c855be9baa45e1681cc4acaa4d035b5f353

SHA512
7f3b47fe2ee37d706bd7ca41d5f8995cd89e573905ef3c64de9230fb2d53255b21a405da929c552ad240d5f385b3ec238dbae035da2499371f6ad0e6729622d8

Download Submit
C:\Windows\SysWOW64\Flnndp32.exe

Filesize
890KB

MD5
0e37de26d3a9de435b042ad0fabfedc8

SHA1
ac05eb6e0404f2743c2cc380bac85add5c42801c

SHA256
82a8b06f3fbd2ade00242946bbd9887fe06d6567a8ee9fbb87cae2a37c0f49a3

SHA512
4ec86a5a4c6c23d306fbd8f476051f6bb775d821b8a36e9156c68733b932417784a18f33e9473f7c91790ddfc908da5a4eb2ce5783928a5f7dae3f56aeed220d

Download Submit
C:\Windows\SysWOW64\Fpgnoo32.exe

Filesize
890KB

MD5
9791579d0e0559e19f35c8620e2a21b4

SHA1
6cf7c6cd4b48b00cfd3a7a1d34744fabd107a510

SHA256
ebf4573dd8abf4218ed398ac9fad195b3545ce44d784d6ab58b9137f119174c6

SHA512
7de1a31c954c6b9c071178dfdd3dd302f868a938ee6cccd1b3104527cf0eda22bfdc13478b3d7469e747927487ae090f015050f82a7207e01a14ae57c506bdaf

Download Submit
C:\Windows\SysWOW64\Nobndj32.exe

Filesize
890KB

MD5
c16948ada7c131e92424a591529c8ef3

SHA1
e5fd1f9cc48b00718817538aa5d3d8d2d7e9559b

SHA256
60910ca58abb903c608640f9714f4bd581e637d03b5f210ca304d1246dabb948

SHA512
88721cd862a84f454cf020236627c5eecff91a2407917ae85d30387b9fc72c59138897a6ef305cfe1f274dda9d32399de53de5ec4d537836b8d648987d8c00f9

Download Submit
C:\Windows\SysWOW64\Oqojhp32.exe

Filesize
890KB

MD5
73baeea5ec168a4bf84d9608de10ab0c

SHA1
3d36a9035fe1ea79dd8473d237179d6c0a3fe6e6

SHA256
d602fd4ea84ee36143d50391e7c3889f107eef97bab6241279a36e3cefa52356

SHA512
0c4b93327047ca34ef6a2baa01322af18e5f65c618f8e6282c1e7df0226f1a3361c4bfda1587643361610a5303a7f575c8104eb3c4bfe937ad884740d68a0a7d

Download Submit
\Windows\SysWOW64\Ablbjj32.exe

Filesize
890KB

MD5
92f3beb5c31c2ef26ed66e71b9aac7aa

SHA1
5ce3d97771637ea31780e8a2fcad1a8934db6f7d

SHA256
7296177287a19e34f1a9ee69bf0cbfebaa44e9100fb9a7ab83bf17912092dfff

SHA512
8841b909d2d0e50c590f8536a1e62320d0128da57aa62d852572420d8324c9a9c3b8825f75136deef81ce91077eaf68f020d07e90a2f1783f48b6ae40bba819d

Download Submit
\Windows\SysWOW64\Adgein32.exe

Filesize
890KB

MD5
8051d76ca31a53ab6accf399f9aec74c

SHA1
a2081ef578e86e7d1fc5ffbfb15d108fb932bf33

SHA256
a5da24d4dfec90d37e1b8860d78f2dcde980e971a4c097e2788fe308429725d5

SHA512
fe554ec5e93895d6720636ba2222ea378091a9c8b47d6f862e08500b486913b04d7705652410a9605097f90c2273993e72b5587a5aafd7265002d40be6dde829

Download Submit
\Windows\SysWOW64\Ahngomkd.exe

Filesize
890KB

MD5
4168118b7688ca8b951e92d64a60a036

SHA1
c2bfc50c4fb5c2ac7b3cfabb06fd65d58eb2eec2

SHA256
031d07868c03d9be0f86b821d71ac8932e13ae81bbdae635f6e2602e2fa1f9b8

SHA512
0a50966a3519bb2b11a15b5afab93ad5bec72b4a242381c1dbe20f914d01d84b5674d1d0792490df846519692711b7566cbe1e855df082cf57af9f1df2acc219

Download Submit
\Windows\SysWOW64\Aifjgdkj.exe

Filesize
890KB

MD5
f140977aa405634b0c938e121e678c9f

SHA1
fe205a785eb4c8eae739059086d04a795cd09ec5

SHA256
5f1baeb69d2f66450736799783abd349d6fa89b938f6329cf3045c476695709a

SHA512
ab50284ebfd5ef7e05b2405e79e08e2c55b8cfbd25323ecfcbe88826740a6db90a869bd088cea905e803e4be2a78de7164443000e5f52b3de40cabd4a19d0998

Download Submit
\Windows\SysWOW64\Anecfgdc.exe

Filesize
890KB

MD5
6b2a8bae17acd70e832035a9f50ba297

SHA1
695e77e1d328e57cbd8fbd170bc7cbaf7f533065

SHA256
406fe1e4efba86ab0cee58e9e2abe8b8d8109b0e7fb4bdc98f728fc6e26f4654

SHA512
dc4bb0622dcfd18f24332f432b4c92ededf96711652551209f6f7384a4850e69688d10d1ea0ac70d4a1fa8d82a3ae7bd3765a3a7f6a4b267658774576d7a00fb

Download Submit
\Windows\SysWOW64\Nhhehpbc.exe

Filesize
890KB

MD5
d4a3b408ae9a1c3e75059523d710d0d4

SHA1
1545cd7a464f587dc91706cbed3fd0a860073599

SHA256
bcd5ab08a7376f5efdd8e947475b654e6e5b07f5c47a58d5dea7877dd1908c14

SHA512
d69e28fb7e3cc88d843920bf1e1166635bd19ce31b44b18740ff2f22c7f5c5585e788e76be9790986eb547385c2c038cf8b0f1f7b5fbbd6d4da4d6848c180c68

Download Submit
\Windows\SysWOW64\Ofaolcmh.exe

Filesize
890KB

MD5
f024d7d2c92dd3e7024a45daf8a120ed

SHA1
ccf8bedc6635de048914f3b677f9348ae31c7bf6

SHA256
b13fbcb591709b6bb2967aeebbc214aa5526757866cb0bea6e12e97a85f5c863

SHA512
c8368d0b5c44f7829ca4d87683374008d1bb9fc0f539a9f6b643826719c6275fe840b3ae7ab54cc7241b188d66a5514359e242011c00d75b43eaa329e3cfcabc

Download Submit
\Windows\SysWOW64\Oggeokoq.exe

Filesize
890KB

MD5
063f0d903044af23cb581d31ea383f79

SHA1
f3bb7d1348d6cd19665b0d7151dff571a2b06137

SHA256
978a008236fde9947cdbc21cefc79290d8ba71af9cf483f39be201b836d14401

SHA512
7270a8fff2403765fb7b31398e7c7beeda5cfc0d80f8dd740b539f93349c134f15f047796d83a2fa1836ab402c672f4898b9117b62ac60cbf0f9c868935c439f

Download Submit
\Windows\SysWOW64\Ooidei32.exe

Filesize
890KB

MD5
a78430cffce79962fe59b3f521c42143

SHA1
19faaf257c21b2cc342ce77aa4fbdaa192cf1fb5

SHA256
55edcd5fc30b360a00730bf196d3dab3a88d89909e554415e81c472de3ccb5ce

SHA512
22420f6addfe0ba1923e2ed9d37b176983efa382230c27770886a54c09d770eeed2bdbdc29a7f5ef6bf06373d4a39abee509d428460c4db7791760d37950ea5a

Download Submit
\Windows\SysWOW64\Padccpal.exe

Filesize
890KB

MD5
7be9f96015a4f7e761f3f2418270d52d

SHA1
67cc242266ed085f3d50921f004bdeb973e9fbd6

SHA256
3208455c26a08062e8f69288a883c5cafb8dc674b95b41d28b48468e86e12d78

SHA512
581cc8bbf341d2436e7bf3d14ee949b0c22a4fb7007b77e86d4771fde8e0f7d7a3cba9e464fa9eb6b7d9122634cc6a6f3cc4ab50d2dce9e656a7950b1b1a6355

Download Submit
\Windows\SysWOW64\Pcdldknm.exe

Filesize
890KB

MD5
2b35216f71bd0d2f33056ac10030d7d0

SHA1
876e008f22b0cf1ccba67d73e7fb679ccbd0b6d4

SHA256
bc22b18d6b99e651356a6526b363a6e46399380bbb78bb486da01742e0f6c6b1

SHA512
9c93ddb8ee92ee6981fa172e63cc1eda0346cc384c1bcbb34a2de00f61e572db71e4f99da1164c5a7aa3e82dad619ce1f9d70c76079388ede06ee5718e12d637

Download Submit
\Windows\SysWOW64\Pfqlkfoc.exe

Filesize
890KB

MD5
6749b704b9ef2f4e43a2891bc1e21e8f

SHA1
f5ae8d77311aea05b2d712d773e98743cffcacb5

SHA256
0f343dadb2d9742fa3f163cde91fde6b9ec3f3dd1bf7a7a11286796adc266c9e

SHA512
ca653f46b5905f78c86f94928deda6cf91d9b08d1660fa71a6fbfd53fb06804ab4674bc6e112134ce4a92360c3af37e4986926384987c7d8bd9a405c24049381

Download Submit
\Windows\SysWOW64\Qnqjkh32.exe

Filesize
890KB

MD5
f849cc9afb689fc7f2cfba4e5b70baa2

SHA1
4e284968ca59c8a7f561877fe902f4bedc53a3b8

SHA256
b8ed7e0dc74a2b0ef493df73cf0874c3993fc670cb5f0ce5e66e7d81409c6c54

SHA512
0c8ac4a1bde77a3b7a98841043d8e121ee930ef3a39bbebb736d7207665623e10a65530c9172bcf51716e27fec37d4963713b6d796d8a983b166fea1c5e646d3

Download Submit
memory/480-156-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/480-471-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/480-163-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/532-462-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/576-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/776-456-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/776-141-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/776-461-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/776-149-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/860-438-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/860-433-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/900-314-0x0000000001F70000-0x0000000001FA4000-memory.dmp

Filesize
208KB

Download
memory/900-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/900-315-0x0000000001F70000-0x0000000001FA4000-memory.dmp

Filesize
208KB

Download
memory/956-235-0x0000000001F60000-0x0000000001F94000-memory.dmp

Filesize
208KB

Download
memory/956-225-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1132-427-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1132-417-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1160-107-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/1160-426-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/1160-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1356-223-0x0000000001F30000-0x0000000001F64000-memory.dmp

Filesize
208KB

Download
memory/1356-214-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1356-222-0x0000000001F30000-0x0000000001F64000-memory.dmp

Filesize
208KB

Download
memory/1492-326-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1492-325-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1492-320-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1760-283-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1760-289-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1760-293-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1820-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1856-258-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1996-460-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2000-177-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2000-169-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2024-191-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2024-188-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2084-410-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2108-449-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2108-440-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2236-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2236-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2236-17-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2236-18-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2276-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2404-254-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2404-245-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2480-270-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2480-264-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2484-282-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2504-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2504-304-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2504-303-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2608-379-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2608-373-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2612-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2612-64-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2612-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2612-390-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2644-372-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2644-50-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2644-55-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2644-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2656-350-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2656-356-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2668-371-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2668-365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2736-431-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2736-439-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2736-121-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2736-113-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2760-349-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2760-26-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2760-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2780-327-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2780-337-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2780-333-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2788-35-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2788-360-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2788-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2788-370-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2828-135-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2828-132-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2828-450-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2860-85-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2860-92-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2860-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2860-416-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2888-342-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2888-348-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2968-83-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2968-82-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2968-404-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2968-409-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2968-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3012-208-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads