a0615b608424699f4596cd5097efa8aeded58e13e95e6a564e165f7f604468f0

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22/08/2024, 15:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

778064177787b05db67c90d1b9eb23e0N.exe
Size

128KB
MD5

778064177787b05db67c90d1b9eb23e0
SHA1

5e971b63dba0268784a1af36cb9d58ef0e1f1fec
SHA256

a0615b608424699f4596cd5097efa8aeded58e13e95e6a564e165f7f604468f0
SHA512

d4808e7e47e4025876960360d69271feab76deb468113bc2149e75cd4b8f364ac8d92b232e4b678b208870589ead3e3b3a70fb89ab7e0034fbcfa5b6d871680e
SSDEEP

3072:bPcJQZ2c8+KYsEXNjShihrEEznYfzB9BSwW:bH2wXdShurEYOzLc

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djoeki32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egcfdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Embkbdce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Albjnplq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejcofica.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgqmpkfg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boobki32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgqion32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efjpkj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdkkcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Emgdmc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajamfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bbqkeioh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbjnqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Donojm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgqion32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emdhhdqb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjoilfek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfkclf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhiphb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkjhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dnjalhpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajamfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Boobki32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccqhdmbc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnckki32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkjhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Egebjmdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Emdhhdqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eepmlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Enhaeldn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekghcq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fllaopcg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abjeejep.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Albjnplq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbqkeioh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bojipjcj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eclcon32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emgdmc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boeoek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bknmok32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmmffgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dnckki32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eepmlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Abjeejep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhdjno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Blniinac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Efoifiep.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbfjkj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnflae32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnhhge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ekghcq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bahelebm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ccqhdmbc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Embkbdce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdkkcp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjhckg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnhhge32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlpbna32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djoeki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Egcfdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ejcofica.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blipno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjhckg32.exe

Executes dropped EXE 59 IoCs

pid	Process
2248	Abjeejep.exe
2712	Afeaei32.exe
2116	Ajamfh32.exe
1780	Albjnplq.exe
2584	Aldfcpjn.exe
2184	Bhkghqpb.exe
1144	Boeoek32.exe
2532	Bbqkeioh.exe
1316	Blipno32.exe
1460	Beadgdli.exe
2952	Bknmok32.exe
2192	Bojipjcj.exe
1372	Bahelebm.exe
2224	Blniinac.exe
1308	Bhdjno32.exe
1672	Boobki32.exe
1596	Cdkkcp32.exe
980	Chggdoee.exe
2804	Cjhckg32.exe
2384	Ccqhdmbc.exe
1324	Ckhpejbf.exe
2016	Cnflae32.exe
2008	Cjmmffgn.exe
2752	Cnhhge32.exe
1580	Cgqmpkfg.exe
2588	Cjoilfek.exe
2576	Cbjnqh32.exe
2656	Dlpbna32.exe
2668	Donojm32.exe
1724	Dkeoongd.exe
852	Dnckki32.exe
2268	Dfkclf32.exe
2792	Dhiphb32.exe
1636	Dbadagln.exe
308	Dkjhjm32.exe
1156	Dgqion32.exe
2300	Djoeki32.exe
2108	Dnjalhpp.exe
2084	Egcfdn32.exe
2932	Efffpjmk.exe
640	Ecjgio32.exe
1980	Egebjmdn.exe
1180	Ejcofica.exe
2284	Embkbdce.exe
1716	Eclcon32.exe
2496	Efjpkj32.exe
2788	Emdhhdqb.exe
2684	Ekghcq32.exe
2764	Ebappk32.exe
2724	Eepmlf32.exe
2720	Emgdmc32.exe
3032	Enhaeldn.exe
1072	Efoifiep.exe
1812	Eebibf32.exe
2748	Fllaopcg.exe
1988	Fnjnkkbk.exe
1052	Fbfjkj32.exe
2988	Fedfgejh.exe
2340	Flnndp32.exe

Loads dropped DLL 64 IoCs

pid	Process
3000	778064177787b05db67c90d1b9eb23e0N.exe
3000	778064177787b05db67c90d1b9eb23e0N.exe
2248	Abjeejep.exe
2248	Abjeejep.exe
2712	Afeaei32.exe
2712	Afeaei32.exe
2116	Ajamfh32.exe
2116	Ajamfh32.exe
1780	Albjnplq.exe
1780	Albjnplq.exe
2584	Aldfcpjn.exe
2584	Aldfcpjn.exe
2184	Bhkghqpb.exe
2184	Bhkghqpb.exe
1144	Boeoek32.exe
1144	Boeoek32.exe
2532	Bbqkeioh.exe
2532	Bbqkeioh.exe
1316	Blipno32.exe
1316	Blipno32.exe
1460	Beadgdli.exe
1460	Beadgdli.exe
2952	Bknmok32.exe
2952	Bknmok32.exe
2192	Bojipjcj.exe
2192	Bojipjcj.exe
1372	Bahelebm.exe
1372	Bahelebm.exe
2224	Blniinac.exe
2224	Blniinac.exe
1308	Bhdjno32.exe
1308	Bhdjno32.exe
1672	Boobki32.exe
1672	Boobki32.exe
1596	Cdkkcp32.exe
1596	Cdkkcp32.exe
980	Chggdoee.exe
980	Chggdoee.exe
2804	Cjhckg32.exe
2804	Cjhckg32.exe
2384	Ccqhdmbc.exe
2384	Ccqhdmbc.exe
1324	Ckhpejbf.exe
1324	Ckhpejbf.exe
2016	Cnflae32.exe
2016	Cnflae32.exe
2008	Cjmmffgn.exe
2008	Cjmmffgn.exe
2752	Cnhhge32.exe
2752	Cnhhge32.exe
1580	Cgqmpkfg.exe
1580	Cgqmpkfg.exe
2588	Cjoilfek.exe
2588	Cjoilfek.exe
2576	Cbjnqh32.exe
2576	Cbjnqh32.exe
2656	Dlpbna32.exe
2656	Dlpbna32.exe
2668	Donojm32.exe
2668	Donojm32.exe
1724	Dkeoongd.exe
1724	Dkeoongd.exe
852	Dnckki32.exe
852	Dnckki32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ojdlmb32.dll	Djoeki32.exe
File created	C:\Windows\SysWOW64\Fakmpf32.dll	Enhaeldn.exe
File opened for modification	C:\Windows\SysWOW64\Fllaopcg.exe	Eebibf32.exe
File created	C:\Windows\SysWOW64\Ckinbali.dll	Ccqhdmbc.exe
File opened for modification	C:\Windows\SysWOW64\Cnhhge32.exe	Cjmmffgn.exe
File created	C:\Windows\SysWOW64\Bafmhm32.dll	Cbjnqh32.exe
File created	C:\Windows\SysWOW64\Egbigm32.dll	Dlpbna32.exe
File created	C:\Windows\SysWOW64\Embkbdce.exe	Ejcofica.exe
File opened for modification	C:\Windows\SysWOW64\Blipno32.exe	Bbqkeioh.exe
File created	C:\Windows\SysWOW64\Ccqhdmbc.exe	Cjhckg32.exe
File opened for modification	C:\Windows\SysWOW64\Cbjnqh32.exe	Cjoilfek.exe
File created	C:\Windows\SysWOW64\Dkeoongd.exe	Donojm32.exe
File opened for modification	C:\Windows\SysWOW64\Dnjalhpp.exe	Djoeki32.exe
File created	C:\Windows\SysWOW64\Ajamfh32.exe	Afeaei32.exe
File opened for modification	C:\Windows\SysWOW64\Ccqhdmbc.exe	Cjhckg32.exe
File opened for modification	C:\Windows\SysWOW64\Ckhpejbf.exe	Ccqhdmbc.exe
File opened for modification	C:\Windows\SysWOW64\Donojm32.exe	Dlpbna32.exe
File created	C:\Windows\SysWOW64\Gmaonc32.dll	Dkeoongd.exe
File created	C:\Windows\SysWOW64\Dgqion32.exe	Dkjhjm32.exe
File created	C:\Windows\SysWOW64\Eepmlf32.exe	Ebappk32.exe
File opened for modification	C:\Windows\SysWOW64\Bknmok32.exe	Beadgdli.exe
File opened for modification	C:\Windows\SysWOW64\Bhdjno32.exe	Blniinac.exe
File opened for modification	C:\Windows\SysWOW64\Bhkghqpb.exe	Aldfcpjn.exe
File created	C:\Windows\SysWOW64\Chggdoee.exe	Cdkkcp32.exe
File created	C:\Windows\SysWOW64\Cbjnqh32.exe	Cjoilfek.exe
File opened for modification	C:\Windows\SysWOW64\Djoeki32.exe	Dgqion32.exe
File created	C:\Windows\SysWOW64\Eclcon32.exe	Embkbdce.exe
File created	C:\Windows\SysWOW64\Abjeejep.exe	778064177787b05db67c90d1b9eb23e0N.exe
File created	C:\Windows\SysWOW64\Aldfcpjn.exe	Albjnplq.exe
File created	C:\Windows\SysWOW64\Fbfjkj32.exe	Fnjnkkbk.exe
File created	C:\Windows\SysWOW64\Fiakeijo.dll	Fnjnkkbk.exe
File created	C:\Windows\SysWOW64\Fedfgejh.exe	Fbfjkj32.exe
File created	C:\Windows\SysWOW64\Ejnbekph.dll	Dnckki32.exe
File created	C:\Windows\SysWOW64\Efoifiep.exe	Enhaeldn.exe
File opened for modification	C:\Windows\SysWOW64\Efffpjmk.exe	Egcfdn32.exe
File opened for modification	C:\Windows\SysWOW64\Emdhhdqb.exe	Efjpkj32.exe
File created	C:\Windows\SysWOW64\Enhaeldn.exe	Emgdmc32.exe
File created	C:\Windows\SysWOW64\Bhkghqpb.exe	Aldfcpjn.exe
File created	C:\Windows\SysWOW64\Imcplf32.dll	Bhkghqpb.exe
File opened for modification	C:\Windows\SysWOW64\Ecjgio32.exe	Efffpjmk.exe
File created	C:\Windows\SysWOW64\Gkbokl32.dll	Egebjmdn.exe
File created	C:\Windows\SysWOW64\Mgnedp32.dll	Embkbdce.exe
File created	C:\Windows\SysWOW64\Gbmiha32.dll	Ekghcq32.exe
File created	C:\Windows\SysWOW64\Cjoilfek.exe	Cgqmpkfg.exe
File opened for modification	C:\Windows\SysWOW64\Dlpbna32.exe	Cbjnqh32.exe
File opened for modification	C:\Windows\SysWOW64\Dkjhjm32.exe	Dbadagln.exe
File created	C:\Windows\SysWOW64\Cgkqcb32.dll	Boobki32.exe
File opened for modification	C:\Windows\SysWOW64\Dhiphb32.exe	Dfkclf32.exe
File created	C:\Windows\SysWOW64\Bdajpkkj.dll	Beadgdli.exe
File created	C:\Windows\SysWOW64\Necdin32.dll	Cjoilfek.exe
File opened for modification	C:\Windows\SysWOW64\Eclcon32.exe	Embkbdce.exe
File created	C:\Windows\SysWOW64\Beadgdli.exe	Blipno32.exe
File opened for modification	C:\Windows\SysWOW64\Beadgdli.exe	Blipno32.exe
File created	C:\Windows\SysWOW64\Egcfdn32.exe	Dnjalhpp.exe
File opened for modification	C:\Windows\SysWOW64\Ejcofica.exe	Egebjmdn.exe
File opened for modification	C:\Windows\SysWOW64\Enhaeldn.exe	Emgdmc32.exe
File opened for modification	C:\Windows\SysWOW64\Afeaei32.exe	Abjeejep.exe
File created	C:\Windows\SysWOW64\Dnjalhpp.exe	Djoeki32.exe
File opened for modification	C:\Windows\SysWOW64\Chggdoee.exe	Cdkkcp32.exe
File created	C:\Windows\SysWOW64\Ngbpoo32.dll	Ecjgio32.exe
File created	C:\Windows\SysWOW64\Eebibf32.exe	Efoifiep.exe
File created	C:\Windows\SysWOW64\Olqdoelc.dll	Ajamfh32.exe
File created	C:\Windows\SysWOW64\Lebbqn32.dll	Blipno32.exe
File created	C:\Windows\SysWOW64\Ckpmmabh.dll	Cjmmffgn.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
568	2340	WerFault.exe	88

System Location Discovery: System Language Discovery 1 TTPs 60 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boeoek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbqkeioh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnckki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enhaeldn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnhhge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgqmpkfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Donojm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Emgdmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blipno32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkeoongd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgqion32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afeaei32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egebjmdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efoifiep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbfjkj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Embkbdce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebappk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajamfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbjnqh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecjgio32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fedfgejh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flnndp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhkghqpb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beadgdli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boobki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egcfdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eclcon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnjnkkbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djoeki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fllaopcg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejcofica.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efjpkj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eepmlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chggdoee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlpbna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Albjnplq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjhckg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnflae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Emdhhdqb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eebibf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abjeejep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bknmok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccqhdmbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckhpejbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfkclf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbadagln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bojipjcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjoilfek.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhiphb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnjalhpp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efffpjmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdkkcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aldfcpjn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bahelebm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blniinac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhdjno32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkjhjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekghcq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	778064177787b05db67c90d1b9eb23e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmmffgn.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjoilfek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmiha32.dll"	Ekghcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akomon32.dll"	Eepmlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eepmlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Emgdmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Enhaeldn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bknmok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Boobki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnhhge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ippdloip.dll"	Dgqion32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnngnk32.dll"	Efffpjmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilpcfn32.dll"	Egcfdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Efoifiep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eenfifcn.dll"	Abjeejep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iahbkogl.dll"	Bojipjcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjmmffgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Donojm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khqplf32.dll"	Dbadagln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dnjalhpp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eebibf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeelon32.dll"	Bbqkeioh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnmcojmg.dll"	Efoifiep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Efoifiep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fedfgejh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aldfcpjn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ccqhdmbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckpmmabh.dll"	Cjmmffgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgqion32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngbpoo32.dll"	Ecjgio32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ekghcq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Blipno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bojipjcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Blniinac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjhckg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnhhge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhiphb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Blniinac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Efjpkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icaipj32.dll"	Boeoek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckhpejbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnflae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bhkghqpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Boeoek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eebibf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fnjnkkbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiakeijo.dll"	Fnjnkkbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aldfcpjn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Blipno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnknlm32.dll"	Chggdoee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgqion32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Almpdj32.dll"	Efjpkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odlkfk32.dll"	Fllaopcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bopffl32.dll"	Bahelebm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpokpklp.dll"	Dnjalhpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fbfjkj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Donojm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkeoongd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkbokl32.dll"	Egebjmdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Efjpkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Enhaeldn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpkljm32.dll"	Eebibf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bafmhm32.dll"	Cbjnqh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fnjnkkbk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	778064177787b05db67c90d1b9eb23e0N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 2248	3000	778064177787b05db67c90d1b9eb23e0N.exe	30
PID 3000 wrote to memory of 2248	3000	778064177787b05db67c90d1b9eb23e0N.exe	30
PID 3000 wrote to memory of 2248	3000	778064177787b05db67c90d1b9eb23e0N.exe	30
PID 3000 wrote to memory of 2248	3000	778064177787b05db67c90d1b9eb23e0N.exe	30
PID 2248 wrote to memory of 2712	2248	Abjeejep.exe	31
PID 2248 wrote to memory of 2712	2248	Abjeejep.exe	31
PID 2248 wrote to memory of 2712	2248	Abjeejep.exe	31
PID 2248 wrote to memory of 2712	2248	Abjeejep.exe	31
PID 2712 wrote to memory of 2116	2712	Afeaei32.exe	32
PID 2712 wrote to memory of 2116	2712	Afeaei32.exe	32
PID 2712 wrote to memory of 2116	2712	Afeaei32.exe	32
PID 2712 wrote to memory of 2116	2712	Afeaei32.exe	32
PID 2116 wrote to memory of 1780	2116	Ajamfh32.exe	33
PID 2116 wrote to memory of 1780	2116	Ajamfh32.exe	33
PID 2116 wrote to memory of 1780	2116	Ajamfh32.exe	33
PID 2116 wrote to memory of 1780	2116	Ajamfh32.exe	33
PID 1780 wrote to memory of 2584	1780	Albjnplq.exe	34
PID 1780 wrote to memory of 2584	1780	Albjnplq.exe	34
PID 1780 wrote to memory of 2584	1780	Albjnplq.exe	34
PID 1780 wrote to memory of 2584	1780	Albjnplq.exe	34
PID 2584 wrote to memory of 2184	2584	Aldfcpjn.exe	35
PID 2584 wrote to memory of 2184	2584	Aldfcpjn.exe	35
PID 2584 wrote to memory of 2184	2584	Aldfcpjn.exe	35
PID 2584 wrote to memory of 2184	2584	Aldfcpjn.exe	35
PID 2184 wrote to memory of 1144	2184	Bhkghqpb.exe	36
PID 2184 wrote to memory of 1144	2184	Bhkghqpb.exe	36
PID 2184 wrote to memory of 1144	2184	Bhkghqpb.exe	36
PID 2184 wrote to memory of 1144	2184	Bhkghqpb.exe	36
PID 1144 wrote to memory of 2532	1144	Boeoek32.exe	37
PID 1144 wrote to memory of 2532	1144	Boeoek32.exe	37
PID 1144 wrote to memory of 2532	1144	Boeoek32.exe	37
PID 1144 wrote to memory of 2532	1144	Boeoek32.exe	37
PID 2532 wrote to memory of 1316	2532	Bbqkeioh.exe	38
PID 2532 wrote to memory of 1316	2532	Bbqkeioh.exe	38
PID 2532 wrote to memory of 1316	2532	Bbqkeioh.exe	38
PID 2532 wrote to memory of 1316	2532	Bbqkeioh.exe	38
PID 1316 wrote to memory of 1460	1316	Blipno32.exe	39
PID 1316 wrote to memory of 1460	1316	Blipno32.exe	39
PID 1316 wrote to memory of 1460	1316	Blipno32.exe	39
PID 1316 wrote to memory of 1460	1316	Blipno32.exe	39
PID 1460 wrote to memory of 2952	1460	Beadgdli.exe	40
PID 1460 wrote to memory of 2952	1460	Beadgdli.exe	40
PID 1460 wrote to memory of 2952	1460	Beadgdli.exe	40
PID 1460 wrote to memory of 2952	1460	Beadgdli.exe	40
PID 2952 wrote to memory of 2192	2952	Bknmok32.exe	41
PID 2952 wrote to memory of 2192	2952	Bknmok32.exe	41
PID 2952 wrote to memory of 2192	2952	Bknmok32.exe	41
PID 2952 wrote to memory of 2192	2952	Bknmok32.exe	41
PID 2192 wrote to memory of 1372	2192	Bojipjcj.exe	42
PID 2192 wrote to memory of 1372	2192	Bojipjcj.exe	42
PID 2192 wrote to memory of 1372	2192	Bojipjcj.exe	42
PID 2192 wrote to memory of 1372	2192	Bojipjcj.exe	42
PID 1372 wrote to memory of 2224	1372	Bahelebm.exe	43
PID 1372 wrote to memory of 2224	1372	Bahelebm.exe	43
PID 1372 wrote to memory of 2224	1372	Bahelebm.exe	43
PID 1372 wrote to memory of 2224	1372	Bahelebm.exe	43
PID 2224 wrote to memory of 1308	2224	Blniinac.exe	44
PID 2224 wrote to memory of 1308	2224	Blniinac.exe	44
PID 2224 wrote to memory of 1308	2224	Blniinac.exe	44
PID 2224 wrote to memory of 1308	2224	Blniinac.exe	44
PID 1308 wrote to memory of 1672	1308	Bhdjno32.exe	45
PID 1308 wrote to memory of 1672	1308	Bhdjno32.exe	45
PID 1308 wrote to memory of 1672	1308	Bhdjno32.exe	45
PID 1308 wrote to memory of 1672	1308	Bhdjno32.exe	45

C:\Users\Admin\AppData\Local\Temp\778064177787b05db67c90d1b9eb23e0N.exe
"C:\Users\Admin\AppData\Local\Temp\778064177787b05db67c90d1b9eb23e0N.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Windows\SysWOW64\Abjeejep.exe
  C:\Windows\system32\Abjeejep.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Windows\SysWOW64\Afeaei32.exe
    C:\Windows\system32\Afeaei32.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\SysWOW64\Ajamfh32.exe
      C:\Windows\system32\Ajamfh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2116
    - - C:\Windows\SysWOW64\Albjnplq.exe
        
        C:\Windows\system32\Albjnplq.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1780
      - C:\Windows\SysWOW64\Aldfcpjn.exe
        
        C:\Windows\system32\Aldfcpjn.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SysWOW64\Bhkghqpb.exe
        
        C:\Windows\system32\Bhkghqpb.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\SysWOW64\Boeoek32.exe
        
        C:\Windows\system32\Boeoek32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\SysWOW64\Bbqkeioh.exe
        
        C:\Windows\system32\Bbqkeioh.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\SysWOW64\Blipno32.exe
        
        C:\Windows\system32\Blipno32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1316
        
        C:\Windows\SysWOW64\Beadgdli.exe
        
        C:\Windows\system32\Beadgdli.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\SysWOW64\Bknmok32.exe
        
        C:\Windows\system32\Bknmok32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\SysWOW64\Bojipjcj.exe
        
        C:\Windows\system32\Bojipjcj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\SysWOW64\Bahelebm.exe
        
        C:\Windows\system32\Bahelebm.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Windows\SysWOW64\Blniinac.exe
        
        C:\Windows\system32\Blniinac.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\Bhdjno32.exe
        
        C:\Windows\system32\Bhdjno32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1308
        
        C:\Windows\SysWOW64\Boobki32.exe
        
        C:\Windows\system32\Boobki32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Cdkkcp32.exe
        
        C:\Windows\system32\Cdkkcp32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1596
        
        C:\Windows\SysWOW64\Chggdoee.exe
        
        C:\Windows\system32\Chggdoee.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:980
        
        C:\Windows\SysWOW64\Cjhckg32.exe
        
        C:\Windows\system32\Cjhckg32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2804
        
        C:\Windows\SysWOW64\Ccqhdmbc.exe
        
        C:\Windows\system32\Ccqhdmbc.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\Ckhpejbf.exe
        
        C:\Windows\system32\Ckhpejbf.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1324
        
        C:\Windows\SysWOW64\Cnflae32.exe
        
        C:\Windows\system32\Cnflae32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\Cjmmffgn.exe
        
        C:\Windows\system32\Cjmmffgn.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\Cnhhge32.exe
        
        C:\Windows\system32\Cnhhge32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2752
        
        C:\Windows\SysWOW64\Cgqmpkfg.exe
        
        C:\Windows\system32\Cgqmpkfg.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1580
        
        C:\Windows\SysWOW64\Cjoilfek.exe
        
        C:\Windows\system32\Cjoilfek.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2588
        
        C:\Windows\SysWOW64\Cbjnqh32.exe
        
        C:\Windows\system32\Cbjnqh32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2576
        
        C:\Windows\SysWOW64\Dlpbna32.exe
        
        C:\Windows\system32\Dlpbna32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\Windows\SysWOW64\Donojm32.exe
        
        C:\Windows\system32\Donojm32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Dkeoongd.exe
        
        C:\Windows\system32\Dkeoongd.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\Dnckki32.exe
        
        C:\Windows\system32\Dnckki32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:852
        
        C:\Windows\SysWOW64\Dfkclf32.exe
        
        C:\Windows\system32\Dfkclf32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\Windows\SysWOW64\Dhiphb32.exe
        
        C:\Windows\system32\Dhiphb32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2792
        
        C:\Windows\SysWOW64\Dbadagln.exe
        
        C:\Windows\system32\Dbadagln.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\Dkjhjm32.exe
        
        C:\Windows\system32\Dkjhjm32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:308
        
        C:\Windows\SysWOW64\Dgqion32.exe
        
        C:\Windows\system32\Dgqion32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1156
        
        C:\Windows\SysWOW64\Djoeki32.exe
        
        C:\Windows\system32\Djoeki32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2300
        
        C:\Windows\SysWOW64\Dnjalhpp.exe
        
        C:\Windows\system32\Dnjalhpp.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2108
        
        C:\Windows\SysWOW64\Egcfdn32.exe
        
        C:\Windows\system32\Egcfdn32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2084
        
        C:\Windows\SysWOW64\Efffpjmk.exe
        
        C:\Windows\system32\Efffpjmk.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2932
        
        C:\Windows\SysWOW64\Ecjgio32.exe
        
        C:\Windows\system32\Ecjgio32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Egebjmdn.exe
        
        C:\Windows\system32\Egebjmdn.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\Ejcofica.exe
        
        C:\Windows\system32\Ejcofica.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1180
        
        C:\Windows\SysWOW64\Embkbdce.exe
        
        C:\Windows\system32\Embkbdce.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2284
        
        C:\Windows\SysWOW64\Eclcon32.exe
        
        C:\Windows\system32\Eclcon32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1716
        
        C:\Windows\SysWOW64\Efjpkj32.exe
        
        C:\Windows\system32\Efjpkj32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2496
        
        C:\Windows\SysWOW64\Emdhhdqb.exe
        
        C:\Windows\system32\Emdhhdqb.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2788
        
        C:\Windows\SysWOW64\Ekghcq32.exe
        
        C:\Windows\system32\Ekghcq32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2684
        
        C:\Windows\SysWOW64\Ebappk32.exe
        
        C:\Windows\system32\Ebappk32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Windows\SysWOW64\Eepmlf32.exe
        
        C:\Windows\system32\Eepmlf32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2724
        
        C:\Windows\SysWOW64\Emgdmc32.exe
        
        C:\Windows\system32\Emgdmc32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Enhaeldn.exe
        
        C:\Windows\system32\Enhaeldn.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\Efoifiep.exe
        
        C:\Windows\system32\Efoifiep.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1072
        
        C:\Windows\SysWOW64\Eebibf32.exe
        
        C:\Windows\system32\Eebibf32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1812
        
        C:\Windows\SysWOW64\Fllaopcg.exe
        
        C:\Windows\system32\Fllaopcg.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2748
        
        C:\Windows\SysWOW64\Fnjnkkbk.exe
        
        C:\Windows\system32\Fnjnkkbk.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Fbfjkj32.exe
        
        C:\Windows\system32\Fbfjkj32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1052
        
        C:\Windows\SysWOW64\Fedfgejh.exe
        
        C:\Windows\system32\Fedfgejh.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Flnndp32.exe
        
        C:\Windows\system32\Flnndp32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 140
        61⤵
        Program crash
        
        PID:568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afeaei32.exe

Filesize
128KB

MD5
48adea4c3bbdef273eec41e31011eb29

SHA1
acf13c1c7c8245d2fe7be17eaae6004f6ce274d0

SHA256
36b8c6698c8ef2d6c77e3646975a398f70aa692c1398c98934ff3a74c57f836d

SHA512
51a641c830a393978881a2f4159165d1d906bb1cd86403ba5355e951206901df559b38dea41a883a5d9535b13e8cd1aa53340dac2bcd13389fdc891e79a36d48

Download Submit
C:\Windows\SysWOW64\Ajamfh32.exe

Filesize
128KB

MD5
7f7127b67c1815184375c89cee79ad1d

SHA1
f2406feebe8c79ac0f6c36e72e4e91b58745fd9b

SHA256
978de6718cc89d047bf28251c1486dd42c7424b6a3e8ca39da5e7bf512b2e51e

SHA512
791dd46cf91d8c959674daf80826be72ec251b28262d59fafda287ff4fc8e11608dfc3507d708ba207834dce3d3a0a89cdbf15acdfd20601ccef38873b5c34f7

Download Submit
C:\Windows\SysWOW64\Aldfcpjn.exe

Filesize
128KB

MD5
384431c981e448ebddf769e07243c596

SHA1
48e2178792c0039a2a2b7d9c1735baa0e082498d

SHA256
ab77410234c4eaa415f4514d3607d059d587a2b86d67c0a90a20e32fb1139615

SHA512
c4b21a9be364ecf0aab93d8598308bd120aea5072d3bb630051e53b6e76c6b92807a20e9b7e845863697419f3f88b234d2fcc317e06e6ac20302acfc2711d679

Download Submit
C:\Windows\SysWOW64\Beadgdli.exe

Filesize
128KB

MD5
457d6fc22e960f70470ac77902d43568

SHA1
3d7783a7cbfdd2e63c709ad016846a36f9a60b03

SHA256
8a4f979784345a63f0160021369359973f0f29ca9e89a11aea30168eae5ab1b1

SHA512
3e0d4e9e0d6e951a090fd4203589f2b43690db9fc80c12765289c29554eac71997a5b8225f2eccbb101a18e9ec1414788dbb3b7679b671c306c3e076bf3bc3fc

Download Submit
C:\Windows\SysWOW64\Boobki32.exe

Filesize
128KB

MD5
ad85fbaf1ae484707873fb84af604ad8

SHA1
b72c518379a2a51260f5bc4eedfbb6f6c89c1f4a

SHA256
14a34a79e64fbb11f8f29c009afd1a58670ee1a157a973126f0f9c827479cfe8

SHA512
82519e5797214797c744d9fab1182b62be5b5f19c122c1e5a6a70003a2965768da7bbf99bbef4715b5da1415c1ee2964ec7169adf738b0b16a31422fa8c8cfe4

Download Submit
C:\Windows\SysWOW64\Cbjnqh32.exe

Filesize
128KB

MD5
b61419b7c7b400c6782f0b81a48ea07d

SHA1
e0ccb238e590b32d3945edb56e01963ee555093f

SHA256
99787cd92b326f76e21e6ee4cb3b7045f97faa0c24fadccc5eea3d4f8d42c89a

SHA512
cf4eb38afc6385d61d382cb74c7671035e4e1879561e91093815cc2cf2faf7020064a5aa7e5e5cdbf81f10efb02292f73fa735a72447de7d14b88e94eb20de3c

Download Submit
C:\Windows\SysWOW64\Ccqhdmbc.exe

Filesize
128KB

MD5
72b957e57806ac195b7ea33f643753e2

SHA1
b9938dc2e66b164b75f70356d6a9597942338d72

SHA256
0712310233b6a71c72a72281bde92e68567eba76c557e9b5fe6de33c43a51338

SHA512
f447d9264711fa64949162183373f092b6c60a90b2354ac376aba54aeab7b69ec1e348996532868ad250eecff9b4e314bd2607982dd6738ef72cd6624fe7996f

Download Submit
C:\Windows\SysWOW64\Cdkkcp32.exe

Filesize
128KB

MD5
3472d43fba3e6b96f3f94b26209732ed

SHA1
18d2d42fb6c0f2ba3ba772c6f70435278a34f661

SHA256
751e4f13763accdfcd0a1ac4e88ebdf136410a47929faf147786c370198b69d7

SHA512
7f711dd40b824b301d69039273c009125bcb807c484f6e43553f7f24e644b0442966bd6e6af627584bc157eee3638e8007e4f9aef5ace8dd459e6936b05c8182

Download Submit
C:\Windows\SysWOW64\Cgqmpkfg.exe

Filesize
128KB

MD5
4cbded209319a9635a1b51dd5de054ab

SHA1
14aea32364fda26f69f90ddc695347a2a7ddc1e0

SHA256
2dd6d13b0a7ea9e3dd7c2cba03620433870d97946ee50b9e9033687ade448098

SHA512
88d2b9b241cfa8f9de0dbbcd788a3c88d2b8d8f1be125f7151136ee0c7611603993111a5bd00289e5e380a8ddac3f51c4066e034852446bc6282d4eb8e69f0b4

Download Submit
C:\Windows\SysWOW64\Chggdoee.exe

Filesize
128KB

MD5
d095d5c17c7e0bb6e1b3fa5d63d6af70

SHA1
b70bd7a335680f1d284769b6175fc02200d3f56d

SHA256
937240e94f859b67af591030d258ccb1af12380f7b80894e80d9dd8f8d495eed

SHA512
6b75c388084733bc6f43fb565ed6ea6cee35d657cc1bc79c975ada96df1f0aeeb2318a6dac5733c38824d0dc2fd48507791c4272a6ba42617af2af979a0d1cf9

Download Submit
C:\Windows\SysWOW64\Cjhckg32.exe

Filesize
128KB

MD5
59ba24f19cc7654de6ab60efbdb4eb20

SHA1
6d9c5373412113933c97e21e2d326fe11d73f783

SHA256
14aff6bda18aca4802b9129aade1ecd40cb66431f8b965c02d7e2a06abfc891d

SHA512
9471a2464d1ed2b5b44ed7e52638157949f51efa16c46f49b5ebec3f6c50cf2c3868c67c384f8d9744da5cc09e0362f0722c5f9354c46aa366e278e776922de1

Download Submit
C:\Windows\SysWOW64\Cjmmffgn.exe

Filesize
128KB

MD5
22555ed970ea65d4c950f7247f8518c1

SHA1
07791c55fdbeb463d5bfe68d2fe22780d66967db

SHA256
21bf829a53fc9b81014395c8e6e24fe64b1a14e424cf449bc71d0d9f4a0807a5

SHA512
dde7ce8190c09cee5a1c09994fa4e373ce4ebd5a4f22339c5c188fd860cd52408ec1d8c7cb055d8f2c141f21acfe19f27ea50baeee9b21deba81268ca47a4bab

Download Submit
C:\Windows\SysWOW64\Cjoilfek.exe

Filesize
128KB

MD5
ad0f9697ea5bd2604f0516f8632d5777

SHA1
d2a048be4ac8fac595d5788478d6e9e1766c76a4

SHA256
e0a9c6f5943c141ed9cce6348e3615feae04ef9d36b10b4d7fecdd448432b46c

SHA512
ed9de2ce6a2b71ab9542e59159f52cbfe95848392577011e4f35182c3591630d39d83f62aab319559998d643626f4f875360a6935de009e1af6a66b651c11c80

Download Submit
C:\Windows\SysWOW64\Ckhpejbf.exe

Filesize
128KB

MD5
8dc2a1bc5f633b132ecd3fb8d0e34dbd

SHA1
bc20083a56ea1d3b906868c4490a6cb1375fe177

SHA256
ae7dba033ec46efcd42f13de574c5f2b8b43a2321c16b57f9c5b510337f604ba

SHA512
ae9d66f482cec060ef83b3deb7a47034da970753d683a2fc158a6bcaf7567b85a97b16930ba15866e600684888148b3cceed7a9a75046b6fce6fc7ef12bfa1f7

Download Submit
C:\Windows\SysWOW64\Cnflae32.exe

Filesize
128KB

MD5
248095b1eec58292ce9b7e3671972b36

SHA1
054c13989a7f0cf3f5acf544682961fe6960d39a

SHA256
8e18b2a15bf4740643eee9e47e097f245fe885e1d63c3afc6da8de555d5c7f6c

SHA512
f8e0be067c189155aae53c688acbfa3e4ac025bdec4ea1008aa825732bc94fd84408c862a6dc9ca2c2cd1da0fdc4d14ee50789477a350cc8190c968279f3ec54

Download Submit
C:\Windows\SysWOW64\Cnhhge32.exe

Filesize
128KB

MD5
685dfcbe77762ae5308090cac48cf8eb

SHA1
7cb0e0ae4534ffd210388c5af1af57947b68e4ee

SHA256
5bd4d065389ca6483d6e21964abbbde79aa2614601cb8d7900d286d6228ea267

SHA512
f1f987707b1d87b2c81af62206f2c3316c20415ec00e0a234e3af935e630f4e9bc407fd7a360f9574999b0c3041aafc90f644f959ed8cf3a2eff472ad17079bb

Download Submit
C:\Windows\SysWOW64\Dbadagln.exe

Filesize
128KB

MD5
3809684f9a44be4c29b8b339a5c0d187

SHA1
bc2135ad5af975dd3cc4539f4995793145b14243

SHA256
1f99ebe75f78d948b55bfd9f12e56a3e81df7f8b4c604ca86f731c23bfca4467

SHA512
74ef6eef9de35e9da47532fa53f1c008165e323b90b94003c8cbce9ddc34858ec86a2e6720aec0cb2a1671093dbc797a627118c36ec6db74634920d8ab9020bc

Download Submit
C:\Windows\SysWOW64\Dfkclf32.exe

Filesize
128KB

MD5
b5947da9b380a799d4f6c02ae2df7a5a

SHA1
38d19678541a9dee1a56dc6a588763583e0b8e64

SHA256
8d037cf2dff8cfa683d4e28fbdd064400aab53e00d5b717ae8f1a11c4f63d314

SHA512
52aee5e4a3e8947e5c94eeb518a2a9250c3c4a2d3226f95a87b22a8549eafc06a8c1d4cf8a2586b8a824c8ca0a26dc8debe7ca36cdfa44990a180820d5f8a910

Download Submit
C:\Windows\SysWOW64\Dgqion32.exe

Filesize
128KB

MD5
8eb946dfaa19404c8b3375e160c9c78b

SHA1
e6d5c4dc073a64e0ad8f4c37ba8d8f0ae7d015a2

SHA256
227dd3a14d08aa1159fc42af56b28cb944afe5d558805d17e77f7220817325e7

SHA512
f97f7acfb83606754eb1b4ec4e2a0ffe4c06cb8e1dc892054248c4b095d1767ca7b2af731396663c1d960996a66b1634b719ee17689819dc55f5277c3ea95c70

Download Submit
C:\Windows\SysWOW64\Dhiphb32.exe

Filesize
128KB

MD5
f91137213cd756196ed5b59a682dc0bc

SHA1
a67220799cd2f0b3f8faf8e0ba6e0bb1faf63acf

SHA256
7111ab41716c86f9eafa80c245653239c27752c802186e44680f5e8fac968fa8

SHA512
1734e0a1c73e21588609ea9817e4b0f4119bcb00959d421fe6bab1a73500a8d38e662e6063180b8b120cdbad52993bce27db8db57634fc45f424b7d5cb72232b

Download Submit
C:\Windows\SysWOW64\Djoeki32.exe

Filesize
128KB

MD5
cc77a71f471900f95634df4ccbab78a4

SHA1
8ce9852520781ad6fb763b0d56c8d39378c42712

SHA256
af0c1e0fc2aca5855862b0816c63b35c0108211413bcebab62fd2f2f37089a5d

SHA512
4a40c71153497d8f4e37e83a142ad96178b1f6e6ae315a3b0ba2e778c5b3d62a957407add5b484867ad907fbd9da11043a42b33df507b998d5b383e62aad221c

Download Submit
C:\Windows\SysWOW64\Dkeoongd.exe

Filesize
128KB

MD5
4305a069f612cd07e6e804048f55a58b

SHA1
c2d4e09991279188977ca75be12160141bc318c9

SHA256
0ca8eba7703243ab9d894696a625867dde4ea8369614a915784027eec6e40422

SHA512
b1942daadf6f88bbfbbcabf6928843aac690c2a0b9ca0554eb38ff1886940e238066ffddd32c75e4526ea40f6ccf830fdac1e5f9b0100766db110579fe22e24b

Download Submit
C:\Windows\SysWOW64\Dkjhjm32.exe

Filesize
128KB

MD5
a6f35ac4b0db3e2ee14fc4e992acc627

SHA1
7dc015db5485f939d7f755d2b6a7678fa06abdad

SHA256
d804b3fa7bce7b55555cb9d972edc4948a394855417d64a59981d8b9a4a0aaa2

SHA512
58a0291b6f2dec599b6179bf2a0a3d8944cbcb204301689f1560af85c8d952398fa84d7f6db0bbc67f6ec3d2acb4fdc22a97cdb4648fd6753580bbcf28726cd3

Download Submit
C:\Windows\SysWOW64\Dlpbna32.exe

Filesize
128KB

MD5
a3ae6def869f67a008fb6bcea9141276

SHA1
e994d6ddb55bd6d012a436cb57d5fdb1a666c464

SHA256
cd168a8f3e0c23de95cc90af1d145cc66d698034a071c6f18303e68511ca39d0

SHA512
7ac455ae6c43c7276bee6b101e982d257c077ea0ed70415d5a52214d443593bfc40c3d05e3b5255c1a2f147c7600d596e1e9130db2494add402e8dc1703bea7f

Download Submit
C:\Windows\SysWOW64\Dnckki32.exe

Filesize
128KB

MD5
e0b5a36e1ed986b6f341a5c1ca839da8

SHA1
25772dfe1609753f5db8a43a7b06d1f4652b7ecc

SHA256
7def336f812c60c2078a8490b8b7544f9b7118e3686d446fa0ce9b9fe0355be7

SHA512
8cab0a9962f4cde80fe63362f3cd7b51fe6ab0f65893218b885c180ed796b4054f93f68df04d2bb9af8842a71aa8260b25075f0f37343cbf258ee71c30fe53c4

Download Submit
C:\Windows\SysWOW64\Dnjalhpp.exe

Filesize
128KB

MD5
912d412675e7b679ba994d3d0e4dd7a1

SHA1
a9dc4c552b5c579b336fb3de13e77efffce68ad2

SHA256
49e8180c6d4466008e2f5d8c3fcfa31c53752a2d794c980198177fa6c1597786

SHA512
dc2df4fd8d8886e85f84899a3a9dd6a607cda9eec14de074ca0fbd9f1a5d1a5de52d432c607e5963fa6913943e72d1df9988715de1a5c28fb9d33919d1325f93

Download Submit
C:\Windows\SysWOW64\Donojm32.exe

Filesize
128KB

MD5
1838f9efdb5cb48798730f60798445dc

SHA1
7b804c33bd9651f6a2de4e8b8703d54aa82c3044

SHA256
3ebfa844b8b3e191e20eff6bf6f3ea1e541a2fb3ae4d2bd4b6d2400f4351ef08

SHA512
ba945649065a4a1ed171d5cca781db3378802a84307dd0070147e4e8500b640deb4584e386ba880598d4f7e2fe0529ec6090ec80b30dd1f9ae28d682e6d3885d

Download Submit
C:\Windows\SysWOW64\Ebappk32.exe

Filesize
128KB

MD5
bf3fee3e146b3c66f6449eb536c8341f

SHA1
aae02b1419102cde42ed270d816e67a59f2541c1

SHA256
59f6297b0a945c206cf19595948fc266f73efb32019c8cde0be79786b934b5b0

SHA512
547285cc87b0e677fcf071b64eff175c0b8f698163f0fa20a0f2407fda764953d969f591f91c522c689d380aa50cad3491145212e834c9e2c8ad77af824dd111

Download Submit
C:\Windows\SysWOW64\Ecjgio32.exe

Filesize
128KB

MD5
be9dac71552ab55d8fdf3ad1ba1e5540

SHA1
e4a0b6d10c6fcdab6b601d644b470e1be740bba3

SHA256
9d3f8b2d69ceed18a3f4bbe3963ec6475371399fe9cbe41d66385ffbe274d485

SHA512
4f64d8a31d969d3d294ec90e125eefd7f23db06f5e7c0f2dd99cab383e0931269cc03139fe4c43bf54ee9ce910721230f8b774a08124bcf8361e22e898670a7a

Download Submit
C:\Windows\SysWOW64\Eclcon32.exe

Filesize
128KB

MD5
8eca7069863a8ef48c38ecc59f222c59

SHA1
dc3bae04d4f7114f9065acb142343907a2892f19

SHA256
491fe02ca74d51d69d75ded2258de6dfb7392bf4371c29f19f75db668b1a5f67

SHA512
00c579c77fea5f04a4fa9b3e0bb02f4a1f9698030431693fe6d628e271d6cc4062bf44c5a8e6745c33665ed0a355a47597d6d9403be447544c55d36cdfcd3700

Download Submit
C:\Windows\SysWOW64\Eebibf32.exe

Filesize
128KB

MD5
0d7cc87d4b7f874c42b157e9dcbfafc3

SHA1
25729e40eac0b750f0c020e661371af04a945818

SHA256
b459ce177a8b386d986e7c63c9db40bd633fd3b32f92288ee34e75855ed3c0b9

SHA512
b4a8115238770b9e49ba0a3f241d0ca72f98e41655f6bee98d3967236e983946ea61f96079eb4ebb0c08acd0ec66d905330f82d6262c86cd62e6e6f60f8974d3

Download Submit
C:\Windows\SysWOW64\Eepmlf32.exe

Filesize
128KB

MD5
6f8b0eccc8ef9f078696800f76474062

SHA1
54a99f7580f1cfb301cdc8e504327b056c64438a

SHA256
fdca9146c4fc24429b6c0cc5a7f15c99612b5af5b2ffe50614c1e023e1f90206

SHA512
af3876f4c28f1902243ea48eddc82592bbcd5e1e94b1b50bdd83b43442093b88db80c44183ee3ff65b6be5529f6a551e6d27ec2dfd7b9d6be291f7126068e120

Download Submit
C:\Windows\SysWOW64\Efffpjmk.exe

Filesize
128KB

MD5
9f8b342cbf4bbfba8c7ce0897d9dadf1

SHA1
f6e23788dd10c455f12b93ba93d70d0a01a17c4c

SHA256
0047b9fc43a1e1f126cf5988f3657ba853bb4b8e1cf0d6accc59b90646400a1e

SHA512
5daba8b5c1a4e898b1dab7c2ebd595b112a4cc9ab3dba27efc7c88b36157c3b1875af3ab1999369b096fe589e9ec19af6a86665ecd62d3edb630152d50569490

Download Submit
C:\Windows\SysWOW64\Efjpkj32.exe

Filesize
128KB

MD5
479866e2954754e1dd5d889d32f5cdcb

SHA1
6080c449c944091738a5225de9023c2e650928c0

SHA256
bd08fd23f2307b4d6ea71a6b7499a1ae803274038b638fdb7e6b3842cd815065

SHA512
85099ceeb82ee01f1c28ffb9f92964f4c209f29f5f753dd5087a2fc609a347881ad5e0034bff903a06e51d2a5604e371d568fffd532db26f86b4aac6f6ef52a8

Download Submit
C:\Windows\SysWOW64\Efoifiep.exe

Filesize
128KB

MD5
edd4d1286a0c69853aa967a8e9123571

SHA1
7b5885aeb2f2c0afef3e4f1885ded4b7451fb5a3

SHA256
7ae0160d067644800c00d4d0fc0837d3d3cf0bba8efd7823d17c2831aa2daf51

SHA512
92d7882d4c7789f7e7b388385f92a05be843be7c8ae3e0bee1aa72cd120d88cd2b50751f159b6766b8f6b68754a4566a9abbc7c87a2e4e09c2178e2838f64bcc

Download Submit
C:\Windows\SysWOW64\Egcfdn32.exe

Filesize
128KB

MD5
867c8fafe60ef0a7af4533a879191ad1

SHA1
fed0eaeda5e5a153f97928fab9163ea024e37438

SHA256
801feab01867d1a3ad9bd0accfc31b4beb5c84cb9cdecc9a2fe606c3a7dcc6da

SHA512
6dd6772751008ebb05740c124cac48c503e36b655d0ad22113db2941555d92f270e80cbff09a9a61797bde7200fa8aab7484744ca5b01568a94de819f406517e

Download Submit
C:\Windows\SysWOW64\Egebjmdn.exe

Filesize
128KB

MD5
5ebeaa59fcefaa5caf7c842f02b9131e

SHA1
cb0d9414692335d6267d8d5108dbd98467f8aa18

SHA256
73c715feeac223528de56806771fc5867b9b594e7ffa5cae1b1bf79bf4a938a1

SHA512
4e3a36223800a378420b8b54f81c71d58b2dfd0744d60b567866305b166e29d89e55e95a0324b9a1844c65e509deed273d637bfb74364b1cc9208d49f231c19a

Download Submit
C:\Windows\SysWOW64\Ejcofica.exe

Filesize
128KB

MD5
0ee7b9f589193993bf9f35f01de76cfe

SHA1
dd2e1c77d5c94ee070180253be1032d0e127191d

SHA256
413f572921520ab94644b7b0ba3ebded9faee7ef0cd62bf5fdca542a6168b2d7

SHA512
f428106f933eec061bb0ec12190efb95a844651f6f371707133648fe9976b99771485138e0fe1b31a7910f8260f3de45e6c1f4def5582bcee19c0da4ad911f7a

Download Submit
C:\Windows\SysWOW64\Ekghcq32.exe

Filesize
128KB

MD5
23dbd03b9ea58bf16f87225b7c8d09d9

SHA1
fc031747799840e9708cbe42b117864ecde4fb0f

SHA256
2af48ac58e1851e34f932222244db634566f958142714ee6b9186830d9625ae3

SHA512
4bdb9b64a63a56dad3621f240622dc194f1d4a471b5638ca2aac66edf856ff067bc2859804bffed0e38aa7cbfabc419d11345ae46d2aa1301604bc173aa5a06c

Download Submit
C:\Windows\SysWOW64\Embkbdce.exe

Filesize
128KB

MD5
7669f21cc6fd21fbd633a070e21d01b9

SHA1
d2eec3440c237cf1cb456feae8333bbc576967bc

SHA256
999f710d92ba67121c505e19e0fd82008ba3596d4a78188a5ff9ea84359cd957

SHA512
59575ca26259b86405e4a4128202d611a1ebc86429e564f26289e9dd1d040cfaacbfe6b2143096a593a8e38418a1b8824350a424ca4fa07b7fd5d7305128f612

Download Submit
C:\Windows\SysWOW64\Emdhhdqb.exe

Filesize
128KB

MD5
3c2ddea6a1dc9b11651ea2684e439b49

SHA1
29735f019d76a66957ee8a11f0b2feaa55c0b1f9

SHA256
ac7b81b80d77a39fac701bc919215c505fc2d1952e30b898f9f78b7b13373693

SHA512
d7189c8bf8d672cda1d925af62cdc97113d7734b137e441666f35048e9e4fbdd2647a61b8a1967df98c068b2b7adad06a134f576cd0f90875be1340db3074a76

Download Submit
C:\Windows\SysWOW64\Emgdmc32.exe

Filesize
128KB

MD5
5b8383dfde886e93617d5f08a31a3341

SHA1
75d4d7bc12efcd56ecd3565590b5f84b34598b95

SHA256
dcbb7e832abd64473990564b8a1968c238463675f6a0ae8fa22a53cd66c3f3ee

SHA512
0d071f06a33637845a96150ea1c7a80d7a397d6995769feca9e3ce9d1628e716dd0467db63e955af8741e68a19171be8ad04c7f440e29ca607cd145d74b67dac

Download Submit
C:\Windows\SysWOW64\Enhaeldn.exe

Filesize
128KB

MD5
e71a1bf12e3df5d0bcd0d6a3f23069d4

SHA1
1a74ec1c4e783a46c8b6014e08a0ca28d1c0ee4b

SHA256
b7d5d7c806f50d877aae9f89f3f8b1b0359abd6d0100264ae6f870c502b6bb9a

SHA512
5f6940c14c2a332709444cce876d2e357cf63fb533c19010bd955bf9d611b1f091ff73343e5fce9e3859337bba21409b350bd287d328ac92e65a8ca297dc6bb6

Download Submit
C:\Windows\SysWOW64\Fbfjkj32.exe

Filesize
128KB

MD5
92e28bee817becaf61b788b0a90f88ab

SHA1
ce2843f5b4a47880e28e29132469bd746d41197c

SHA256
ca42e3631450cd22c040603b5e64a4ae9f8b0df5308508663711fde20a371fe3

SHA512
5a503101421df9c2b805ce0e210ba4d5b7cb574326a6a2d0ba6d278881d19dbc4c4f2a1d7b8a5469cb469f7e38aa0f2ca17f4f74a09ee28651a66a65f9ed090b

Download Submit
C:\Windows\SysWOW64\Fedfgejh.exe

Filesize
128KB

MD5
4a7e546aee3469bb5e088b5ea1a75d3d

SHA1
e2e0424d0269bda05e424f723702cc0a2a0fc23c

SHA256
d8cffcaa98ee7b81c83a69f3098a05341bfdeb3de550009b83bdcfa97f9b98c2

SHA512
b218130de5c7882a7ce724f3445a5e295dc96174e00e2cc79561121bcf84f3867f43942cc0a3db8366de9932238e12843e4e5d1f5d2646264a7ee7a5e997f419

Download Submit
C:\Windows\SysWOW64\Fllaopcg.exe

Filesize
128KB

MD5
5d69def5138d920318c4504c0f517abe

SHA1
8fecb057a54ce9dfc2a74ed659989ae9fada5ced

SHA256
7cee643b23376425ea673f00c871837c8514a4f8b0359e8f476ee91e937a9cec

SHA512
f7eb100f60771ec1888ce79b43de327e1cef12cd7331a51f43befd490be4cf10db893e49956df6fe6acfe694de02339f57c1500cfebbe579c32005ff95b88842

Download Submit
C:\Windows\SysWOW64\Flnndp32.exe

Filesize
128KB

MD5
5272b817f671d006568ec0bc3eb5b893

SHA1
7a5ec88d81d805464e0a58fae078fee6926e8c87

SHA256
4e1f20fbad1cebd93a734a8dad750321bda2bd95f400e0cb87abcf23a28c1dbc

SHA512
08b3775500e13abaf49648a3de7850b6c62b7a15593d4d608fe8dd273e98b522810ecae0fe66adc732a4d015ab327984ac1a537f5dbcaa94957ed8a40c21fc15

Download Submit
C:\Windows\SysWOW64\Fnjnkkbk.exe

Filesize
128KB

MD5
19e57c240493466caa63345e050419ff

SHA1
a9599246568e17778a9790b315163283915d75a8

SHA256
db8f2332a939d9750969f0f1f4d653806710b215daa917657d639f1649d2d71b

SHA512
274274fa2b57696b43d0194c9308eb52e08a5da7e3dba872d1fdb3cc3bfe9517949cf6ccee5f7b65fb4fdc76229714224954cc843cd4f52a5f9e548fb07be535

Download Submit
C:\Windows\SysWOW64\Mbpmdgef.dll

Filesize
7KB

MD5
b14f03c25e540b08aae85c2569f4f23e

SHA1
04c96512a5d147ff4df8eda7bbbba81c9c657d6c

SHA256
d3c11cc1ea6a6f8e98cdc4b64aca5b78975cb446b571b2bf3968fba22dd0444a

SHA512
55656df298197f0b720bdb8a7db1bf8286ddbc173b6f32eecdc70058b6262137495c9da49400158cfb005a78c4b87c770a2fc5a1c7f3a220f857e23ac98cadd0

Download Submit
\Windows\SysWOW64\Abjeejep.exe

Filesize
128KB

MD5
e23638c0826b1106f8c22fc8d05a569a

SHA1
4ca7817cc9fce415b0228e02eecfd6b33888c6d6

SHA256
2f165f8b1a698aee4c68bcba269468a6fafef53695392dda7c4e1a808b888bec

SHA512
cdd868c8aa7418b34f30b28e7c1a5da3e0c6dd6678593eebe2e3624378427c159c454d83e1397999ffd267d881b5d5ab8369d39585ebd716bacafe05b5801122

Download Submit
\Windows\SysWOW64\Albjnplq.exe

Filesize
128KB

MD5
ddef39d86c1a3e97fab4b590c6305e53

SHA1
0e10c3330af779c5463b16e02a64a4f3da324ce5

SHA256
c3cc8c4a10aef47689f444d35e4ee9a973d0fbb555df942dabede0c7b420daf2

SHA512
c81fe49dd52325fa0dcad706ae93862068a0e88cd9f8a92943638a7f4d3b929d0d758691bbe262555892c3418db5adc81347db6053c29a490f3d2813c4a5af12

Download Submit
\Windows\SysWOW64\Bahelebm.exe

Filesize
128KB

MD5
b0f27ab69a57978d8b7af325242dd437

SHA1
c46e769ad6f9516102b8d306e6d0afe55ae38b68

SHA256
670db21474dbd68097fd81ed794066886ca84c36d592a182c1fb2ddf0ebb4e89

SHA512
b5716a3caf146ed551a24b1f24d58437dba5ebfd174c23705a4ac588f4b476d7419ae1ada296d000ee096b75c4072e8f947f4cf838440f0157c9688c3bedc587

Download Submit
\Windows\SysWOW64\Bbqkeioh.exe

Filesize
128KB

MD5
d25d9aa311454af33cac0b62a495dc3f

SHA1
b1cf8d42fb088f01f318f127813eaed84cfbe804

SHA256
b273382bdc7c64039821e60f7df884422cc187bdb37fdccef88e07314455b869

SHA512
632d3cb91ea071616828c3bc82bfc7b850a9d2e1a9047ba59d94e2ed87c753740aa7c1f31780dc8b4d4ecf46ac8d0ec9e7b792baacdc406ae03463e86ab2c51d

Download Submit
\Windows\SysWOW64\Bhdjno32.exe

Filesize
128KB

MD5
dec87fe64a361061a74d3f209e6bcaf7

SHA1
ee04d648f291c380eff2bdd4f356e539ccf32edf

SHA256
c3e2eb05de7f0bd18afc6cc384113966a3aeaf2d1d197e0105ec70165c31ae5e

SHA512
05bc2109c29faa3fd38ee8c763b9cb2bc89a2d095e0ac06f9eaf74c1e7825721bca60d361bcfdf4a725a1d063644e381a3d4791a446dd828f1b071cc2540ba6b

Download Submit
\Windows\SysWOW64\Bhkghqpb.exe

Filesize
128KB

MD5
02787e962a3e498f96b48c702c4db08c

SHA1
a85b518aea8b2e7ba39c706e32bb335cf4a1b840

SHA256
e7712cf365112f44c0ad5edb3bea01a21e67835e2f022b2dd9555f92dbea620a

SHA512
0265576312a7e0c7ff536293e1f7f271796111a5600ffd5d2673108abfba4ce86ee1eaa7a456fe06888c9321844b181b747a9d2aea5af91396cc4f4717bb5506

Download Submit
\Windows\SysWOW64\Bknmok32.exe

Filesize
128KB

MD5
b73cc2ed53b6763883907871e84ecef7

SHA1
768dd535c350d938ec133d74630e1226e15907c6

SHA256
5e98911abd9eb2b4081b8c70dbb899a778018151fda90a9c6de7116c5bbe3f01

SHA512
fdea1edd2f43d3f27339c6e795e090b3bc6e969a0d5fdf9ef07f4e812428fd95dba3dbc489c2fa5592857e9413cb11d0891e591f1f8b783cef29667ae0576dd0

Download Submit
\Windows\SysWOW64\Blipno32.exe

Filesize
128KB

MD5
90d464f2083c2213eda63b1d6c3bedd9

SHA1
24b1317a483a2b0b1988f98f49fd06c32b476b9e

SHA256
ceedc4b5e392e0cb1cf5d21b1adbaee0eb8c6c1e80c2be86189b6b8b74f365a9

SHA512
edf53e91d06b06f6e41c22992e0bc8390156e464c3313dcde955dfa2b733a4c3f8a0fde7d6d2932b4824d053aa43d2b216d2c317ec3fac8cd6b8c0755d0296b5

Download Submit
\Windows\SysWOW64\Blniinac.exe

Filesize
128KB

MD5
b94bd3e1b95cd5f79b52d48fd85639be

SHA1
7a5a326b19ecf1ff15c257250267b84986c52966

SHA256
fe7ce2214555f0b1a2c130efca65be944757cc262f3bd82db41bef2086a4c05f

SHA512
0bf40f04fac08571362b80f2123cfc2ccd7eb134bbc33667d3c7c0284781be62a27fe04f23d3d493d190a614e93ada520dfca65e87e1a68e19d2ef41d02dc581

Download Submit
\Windows\SysWOW64\Boeoek32.exe

Filesize
128KB

MD5
eb867522d90261258737fbc1865db9ce

SHA1
449c9b51fbd61c236149c499d967c7b20a538726

SHA256
77fd158c96ce09e6d7468179b241663aa83f943a0c398f72883e1746bc9ecd6b

SHA512
48ab14af6ea857a89f4062944bbd326cb8b795425f79150f00e4857e6b7f093773524f437fca26fb0c84a8a947cc4da3cc6c8f539118ce35f4be60aa4e7e62e6

Download Submit
\Windows\SysWOW64\Bojipjcj.exe

Filesize
128KB

MD5
736260f672056f3cb4d0823e0d64510b

SHA1
7c99b5587651be2688cf5c970f523d0a77639f46

SHA256
c6350009c1e75b33dd16225119fec72fb1a44179d9ae29c7cd57b59dd110dabe

SHA512
1044eae6543bf45d17c2bae96636864901b076070db898db6de2119dabf6b4c3d068e62e24d2db65e722a0c67eae8ab471343add00fc5bb1fb64a093c776533d

Download Submit
memory/308-423-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/308-432-0x00000000002A0000-0x00000000002E4000-memory.dmp

Filesize
272KB

Download
memory/640-497-0x0000000000260000-0x00000000002A4000-memory.dmp

Filesize
272KB

Download
memory/640-498-0x0000000000260000-0x00000000002A4000-memory.dmp

Filesize
272KB

Download
memory/852-393-0x0000000000280000-0x00000000002C4000-memory.dmp

Filesize
272KB

Download
memory/852-387-0x0000000000280000-0x00000000002C4000-memory.dmp

Filesize
272KB

Download
memory/852-377-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/980-244-0x0000000000450000-0x0000000000494000-memory.dmp

Filesize
272KB

Download
memory/980-239-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/980-245-0x0000000000450000-0x0000000000494000-memory.dmp

Filesize
272KB

Download
memory/1144-470-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1144-95-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1156-438-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1156-443-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/1308-213-0x0000000000290000-0x00000000002D4000-memory.dmp

Filesize
272KB

Download
memory/1308-200-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1308-208-0x0000000000290000-0x00000000002D4000-memory.dmp

Filesize
272KB

Download
memory/1316-121-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1316-129-0x0000000000290000-0x00000000002D4000-memory.dmp

Filesize
272KB

Download
memory/1324-277-0x0000000000320000-0x0000000000364000-memory.dmp

Filesize
272KB

Download
memory/1324-268-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1324-278-0x0000000000320000-0x0000000000364000-memory.dmp

Filesize
272KB

Download
memory/1372-174-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1580-322-0x00000000002E0000-0x0000000000324000-memory.dmp

Filesize
272KB

Download
memory/1580-310-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1580-321-0x00000000002E0000-0x0000000000324000-memory.dmp

Filesize
272KB

Download
memory/1596-224-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1596-233-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/1596-234-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/1636-418-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1724-386-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/1724-376-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/1724-375-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1780-59-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1780-439-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2008-299-0x00000000003B0000-0x00000000003F4000-memory.dmp

Filesize
272KB

Download
memory/2008-300-0x00000000003B0000-0x00000000003F4000-memory.dmp

Filesize
272KB

Download
memory/2008-290-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2016-288-0x0000000000450000-0x0000000000494000-memory.dmp

Filesize
272KB

Download
memory/2016-279-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2016-289-0x0000000000450000-0x0000000000494000-memory.dmp

Filesize
272KB

Download
memory/2084-467-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2108-464-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2108-465-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2116-45-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2116-53-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2116-52-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2184-82-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2184-466-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2192-173-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2224-187-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2248-400-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2248-14-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2268-399-0x0000000000280000-0x00000000002C4000-memory.dmp

Filesize
272KB

Download
memory/2268-395-0x0000000000280000-0x00000000002C4000-memory.dmp

Filesize
272KB

Download
memory/2268-388-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2300-448-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2300-451-0x00000000002A0000-0x00000000002E4000-memory.dmp

Filesize
272KB

Download
memory/2384-265-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2384-267-0x0000000000280000-0x00000000002C4000-memory.dmp

Filesize
272KB

Download
memory/2384-266-0x0000000000280000-0x00000000002C4000-memory.dmp

Filesize
272KB

Download
memory/2532-113-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2576-344-0x0000000000290000-0x00000000002D4000-memory.dmp

Filesize
272KB

Download
memory/2576-334-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2576-343-0x0000000000290000-0x00000000002D4000-memory.dmp

Filesize
272KB

Download
memory/2584-68-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2584-459-0x00000000002A0000-0x00000000002E4000-memory.dmp

Filesize
272KB

Download
memory/2584-80-0x00000000002A0000-0x00000000002E4000-memory.dmp

Filesize
272KB

Download
memory/2584-444-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2588-333-0x0000000000360000-0x00000000003A4000-memory.dmp

Filesize
272KB

Download
memory/2588-323-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2588-332-0x0000000000360000-0x00000000003A4000-memory.dmp

Filesize
272KB

Download
memory/2656-354-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2656-349-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2656-355-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2668-356-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2668-365-0x0000000000310000-0x0000000000354000-memory.dmp

Filesize
272KB

Download
memory/2668-366-0x0000000000310000-0x0000000000354000-memory.dmp

Filesize
272KB

Download
memory/2712-38-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2752-311-0x00000000004C0000-0x0000000000504000-memory.dmp

Filesize
272KB

Download
memory/2752-309-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2752-312-0x00000000004C0000-0x0000000000504000-memory.dmp

Filesize
272KB

Download
memory/2792-401-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2792-411-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2792-412-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2804-252-0x0000000002000000-0x0000000002044000-memory.dmp

Filesize
272KB

Download
memory/2804-256-0x0000000002000000-0x0000000002044000-memory.dmp

Filesize
272KB

Download
memory/2804-246-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2932-481-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2952-155-0x0000000000280000-0x00000000002C4000-memory.dmp

Filesize
272KB

Download
memory/2952-148-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3000-413-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/3000-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3000-410-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3000-12-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/3000-13-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads