7e4e14a450e8b904fd58af8cafb84215bd6c2ac0726522a9f7bb2588d2cf95e7

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
25/08/2024, 04:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5ff1791824e903b28da0061506ec3c0N.exe
Size

448KB
MD5

f5ff1791824e903b28da0061506ec3c0
SHA1

9b841af97790fec5f7f8a0d2c73914324f7a4300
SHA256

7e4e14a450e8b904fd58af8cafb84215bd6c2ac0726522a9f7bb2588d2cf95e7
SHA512

35461dd6328661a896c48b4939a9e01c41d076370b98b80816c0a884c4c66ced806258cff05993707c567177aabd8eb35de37203f2803801299319ab796058ff
SSDEEP

6144:UE48MET6s21L7/s50z/Wa3/PNlP59ENQdgrb8X6SJqGaPonZh/nr0xuIKjyAH9S7:w5705kWM/9J6gqGBf/sAHZHbgdhgi

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clnehado.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhgccbhp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmhgba32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbjifgcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anecfgdc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfaqfh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjoilfek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enhaeldn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oehicoom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckecpjdh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efmlqigc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egpena32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbjifgcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnabffeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clilmbhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cojeomee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcjjkkji.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecgjdong.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efoifiep.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpgnoo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afgnkilf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnqjkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhbmip32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckecpjdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dqinhcoc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egebjmdn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eclcon32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onoqfehp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aicmadmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bikcbc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bimphc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejcofica.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecnpdnho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajldkhjh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Embkbdce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Einebddd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clnehado.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chggdoee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpbkhabp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcjjkkji.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfchqf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqkjmcmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eclcon32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhdfmbjc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aicmadmm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnofaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnabffeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chggdoee.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dqinhcoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekghcq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajldkhjh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddbmcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dklepmal.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhklna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afgnkilf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bimphc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkcfjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qbobaf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjjpag32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clilmbhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjoilfek.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anecfgdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dqddmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebappk32.exe

Executes dropped EXE 59 IoCs

pid	Process
2200	Onoqfehp.exe
2312	Oehicoom.exe
2752	Pcnfdl32.exe
2572	Pmhgba32.exe
2412	Pfchqf32.exe
1624	Pbjifgcd.exe
2344	Qnqjkh32.exe
2504	Qbobaf32.exe
2920	Anecfgdc.exe
2620	Ajldkhjh.exe
2880	Ajnqphhe.exe
2168	Aicmadmm.exe
1892	Afgnkilf.exe
2080	Bhkghqpb.exe
236	Bikcbc32.exe
1704	Bimphc32.exe
1380	Bojipjcj.exe
1652	Bhbmip32.exe
988	Bnofaf32.exe
2104	Bhdjno32.exe
2908	Bkcfjk32.exe
2988	Cnabffeo.exe
1084	Chggdoee.exe
1756	Ckecpjdh.exe
2484	Cpbkhabp.exe
2636	Clilmbhd.exe
2672	Cfaqfh32.exe
2548	Clkicbfa.exe
2700	Cojeomee.exe
2524	Cjoilfek.exe
3024	Clnehado.exe
872	Dhdfmbjc.exe
2356	Dcjjkkji.exe
2184	Dhgccbhp.exe
2628	Dkeoongd.exe
2704	Doqkpl32.exe
2128	Dqddmd32.exe
540	Dhklna32.exe
1176	Ddbmcb32.exe
928	Dklepmal.exe
800	Dqinhcoc.exe
2944	Ecgjdong.exe
1252	Ejabqi32.exe
3012	Eqkjmcmq.exe
2408	Egebjmdn.exe
3060	Ejcofica.exe
580	Embkbdce.exe
2984	Eclcon32.exe
1584	Ekghcq32.exe
2760	Ecnpdnho.exe
2936	Ebappk32.exe
2404	Efmlqigc.exe
2060	Enhaeldn.exe
1152	Efoifiep.exe
1160	Einebddd.exe
2584	Egpena32.exe
2848	Fpgnoo32.exe
3016	Fedfgejh.exe
2900	Flnndp32.exe

Loads dropped DLL 64 IoCs

pid	Process
2708	f5ff1791824e903b28da0061506ec3c0N.exe
2708	f5ff1791824e903b28da0061506ec3c0N.exe
2200	Onoqfehp.exe
2200	Onoqfehp.exe
2312	Oehicoom.exe
2312	Oehicoom.exe
2752	Pcnfdl32.exe
2752	Pcnfdl32.exe
2572	Pmhgba32.exe
2572	Pmhgba32.exe
2412	Pfchqf32.exe
2412	Pfchqf32.exe
1624	Pbjifgcd.exe
1624	Pbjifgcd.exe
2344	Qnqjkh32.exe
2344	Qnqjkh32.exe
2504	Qbobaf32.exe
2504	Qbobaf32.exe
2920	Anecfgdc.exe
2920	Anecfgdc.exe
2620	Ajldkhjh.exe
2620	Ajldkhjh.exe
2880	Ajnqphhe.exe
2880	Ajnqphhe.exe
2168	Aicmadmm.exe
2168	Aicmadmm.exe
1892	Afgnkilf.exe
1892	Afgnkilf.exe
2080	Bhkghqpb.exe
2080	Bhkghqpb.exe
236	Bikcbc32.exe
236	Bikcbc32.exe
1704	Bimphc32.exe
1704	Bimphc32.exe
1380	Bojipjcj.exe
1380	Bojipjcj.exe
1652	Bhbmip32.exe
1652	Bhbmip32.exe
988	Bnofaf32.exe
988	Bnofaf32.exe
2104	Bhdjno32.exe
2104	Bhdjno32.exe
2908	Bkcfjk32.exe
2908	Bkcfjk32.exe
2988	Cnabffeo.exe
2988	Cnabffeo.exe
1084	Chggdoee.exe
1084	Chggdoee.exe
1756	Ckecpjdh.exe
1756	Ckecpjdh.exe
1296	Cjjpag32.exe
1296	Cjjpag32.exe
2636	Clilmbhd.exe
2636	Clilmbhd.exe
2672	Cfaqfh32.exe
2672	Cfaqfh32.exe
2548	Clkicbfa.exe
2548	Clkicbfa.exe
2700	Cojeomee.exe
2700	Cojeomee.exe
2524	Cjoilfek.exe
2524	Cjoilfek.exe
3024	Clnehado.exe
3024	Clnehado.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bjcmdmiq.dll	Dhgccbhp.exe
File opened for modification	C:\Windows\SysWOW64\Dqddmd32.exe	Doqkpl32.exe
File created	C:\Windows\SysWOW64\Eiabmg32.dll	Ekghcq32.exe
File created	C:\Windows\SysWOW64\Qnqjkh32.exe	Pbjifgcd.exe
File created	C:\Windows\SysWOW64\Gdcdgpcj.dll	Ajldkhjh.exe
File opened for modification	C:\Windows\SysWOW64\Afgnkilf.exe	Aicmadmm.exe
File created	C:\Windows\SysWOW64\Ajnqphhe.exe	Ajldkhjh.exe
File opened for modification	C:\Windows\SysWOW64\Chggdoee.exe	Cnabffeo.exe
File created	C:\Windows\SysWOW64\Endjeihi.dll	Clilmbhd.exe
File created	C:\Windows\SysWOW64\Clnehado.exe	Cjoilfek.exe
File created	C:\Windows\SysWOW64\Dqddmd32.exe	Doqkpl32.exe
File opened for modification	C:\Windows\SysWOW64\Onoqfehp.exe	f5ff1791824e903b28da0061506ec3c0N.exe
File created	C:\Windows\SysWOW64\Fdjcfm32.dll	Onoqfehp.exe
File created	C:\Windows\SysWOW64\Pfchqf32.exe	Pmhgba32.exe
File created	C:\Windows\SysWOW64\Mjpdkq32.dll	Egpena32.exe
File opened for modification	C:\Windows\SysWOW64\Bhbmip32.exe	Bojipjcj.exe
File opened for modification	C:\Windows\SysWOW64\Ecgjdong.exe	Dqinhcoc.exe
File opened for modification	C:\Windows\SysWOW64\Ecnpdnho.exe	Ekghcq32.exe
File opened for modification	C:\Windows\SysWOW64\Anecfgdc.exe	Qbobaf32.exe
File created	C:\Windows\SysWOW64\Ajldkhjh.exe	Anecfgdc.exe
File created	C:\Windows\SysWOW64\Afgnkilf.exe	Aicmadmm.exe
File created	C:\Windows\SysWOW64\Ihpfbd32.dll	Cfaqfh32.exe
File created	C:\Windows\SysWOW64\Bgjond32.dll	Dhklna32.exe
File opened for modification	C:\Windows\SysWOW64\Clnehado.exe	Cjoilfek.exe
File created	C:\Windows\SysWOW64\Gkbokl32.dll	Egebjmdn.exe
File opened for modification	C:\Windows\SysWOW64\Ajldkhjh.exe	Anecfgdc.exe
File created	C:\Windows\SysWOW64\Bikcbc32.exe	Bhkghqpb.exe
File opened for modification	C:\Windows\SysWOW64\Bimphc32.exe	Bikcbc32.exe
File opened for modification	C:\Windows\SysWOW64\Egpena32.exe	Einebddd.exe
File opened for modification	C:\Windows\SysWOW64\Bnofaf32.exe	Bhbmip32.exe
File opened for modification	C:\Windows\SysWOW64\Dhdfmbjc.exe	Clnehado.exe
File opened for modification	C:\Windows\SysWOW64\Eclcon32.exe	Embkbdce.exe
File opened for modification	C:\Windows\SysWOW64\Clilmbhd.exe	Cjjpag32.exe
File created	C:\Windows\SysWOW64\Cojeomee.exe	Clkicbfa.exe
File created	C:\Windows\SysWOW64\Dcjjkkji.exe	Dhdfmbjc.exe
File created	C:\Windows\SysWOW64\Dklepmal.exe	Ddbmcb32.exe
File created	C:\Windows\SysWOW64\Efoifiep.exe	Enhaeldn.exe
File created	C:\Windows\SysWOW64\Anecfgdc.exe	Qbobaf32.exe
File created	C:\Windows\SysWOW64\Idcoaaei.dll	Bikcbc32.exe
File created	C:\Windows\SysWOW64\Fopknnaa.dll	Bnofaf32.exe
File created	C:\Windows\SysWOW64\Bkcfjk32.exe	Bhdjno32.exe
File created	C:\Windows\SysWOW64\Hhfnqbdc.dll	Pcnfdl32.exe
File opened for modification	C:\Windows\SysWOW64\Qnqjkh32.exe	Pbjifgcd.exe
File opened for modification	C:\Windows\SysWOW64\Bhkghqpb.exe	Afgnkilf.exe
File opened for modification	C:\Windows\SysWOW64\Cojeomee.exe	Clkicbfa.exe
File created	C:\Windows\SysWOW64\Aiheodlg.dll	Cjoilfek.exe
File created	C:\Windows\SysWOW64\Booqgija.dll	Clnehado.exe
File created	C:\Windows\SysWOW64\Ebappk32.exe	Ecnpdnho.exe
File opened for modification	C:\Windows\SysWOW64\Bojipjcj.exe	Bimphc32.exe
File created	C:\Windows\SysWOW64\Clilmbhd.exe	Cjjpag32.exe
File created	C:\Windows\SysWOW64\Clkicbfa.exe	Cfaqfh32.exe
File created	C:\Windows\SysWOW64\Dqinhcoc.exe	Dklepmal.exe
File opened for modification	C:\Windows\SysWOW64\Efoifiep.exe	Enhaeldn.exe
File created	C:\Windows\SysWOW64\Flnndp32.exe	Fedfgejh.exe
File opened for modification	C:\Windows\SysWOW64\Bkcfjk32.exe	Bhdjno32.exe
File created	C:\Windows\SysWOW64\Bdohpb32.dll	Chggdoee.exe
File created	C:\Windows\SysWOW64\Apafhqnp.dll	Dkeoongd.exe
File opened for modification	C:\Windows\SysWOW64\Ejcofica.exe	Egebjmdn.exe
File created	C:\Windows\SysWOW64\Ekghcq32.exe	Eclcon32.exe
File created	C:\Windows\SysWOW64\Cpbkhabp.exe	Ckecpjdh.exe
File created	C:\Windows\SysWOW64\Cfaqfh32.exe	Clilmbhd.exe
File created	C:\Windows\SysWOW64\Jbaajccm.dll	Doqkpl32.exe
File opened for modification	C:\Windows\SysWOW64\Ddbmcb32.exe	Dhklna32.exe
File created	C:\Windows\SysWOW64\Mgnedp32.dll	Embkbdce.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2748	2900	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 61 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qbobaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clilmbhd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cojeomee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dqinhcoc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eclcon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enhaeldn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmhgba32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfchqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egpena32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajldkhjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Einebddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clnehado.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efoifiep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oehicoom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnabffeo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bojipjcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddbmcb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejabqi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aicmadmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhkghqpb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5ff1791824e903b28da0061506ec3c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bimphc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhdjno32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clkicbfa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkcfjk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efmlqigc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onoqfehp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnqjkh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjjpag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfaqfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjoilfek.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcjjkkji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejcofica.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekghcq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhbmip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckecpjdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebappk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dklepmal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqkjmcmq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecnpdnho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fedfgejh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhklna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flnndp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bikcbc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkeoongd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajnqphhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Embkbdce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chggdoee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpbkhabp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dqddmd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egebjmdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fpgnoo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnofaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doqkpl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anecfgdc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecgjdong.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afgnkilf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhdfmbjc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhgccbhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcnfdl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbjifgcd.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjjpag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpmoggbh.dll"	Dhdfmbjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Efoifiep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfbgoj32.dll"	f5ff1791824e903b28da0061506ec3c0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bojipjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejabqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ecnpdnho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Enhaeldn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bojipjcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clilmbhd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfaqfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clkicbfa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebappk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mofapq32.dll"	Efmlqigc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enhaeldn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmkmnp32.dll"	Efoifiep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	f5ff1791824e903b28da0061506ec3c0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nldjck32.dll"	Qbobaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnpgnoqb.dll"	Afgnkilf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpbkhabp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cojeomee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ecgjdong.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejcofica.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdjcfm32.dll"	Onoqfehp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcnfdl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmhgba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmhgba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnofaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diaalggp.dll"	Dqinhcoc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejcofica.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clilmbhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlaaie32.dll"	Ebappk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onndkg32.dll"	Fedfgejh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajnqphhe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dqddmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhklna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmiha32.dll"	Ecnpdnho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Efmlqigc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Egpena32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddbmcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfchqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Heiebkoj.dll"	Pbjifgcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipodji32.dll"	Bojipjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doejph32.dll"	Cjjpag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihpfbd32.dll"	Cfaqfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjoilfek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhdfmbjc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pbjifgcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajldkhjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alakfjbc.dll"	Bkcfjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igkdaemk.dll"	Cpbkhabp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiheodlg.dll"	Cjoilfek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onoqfehp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aicmadmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhbmip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cojeomee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fpgnoo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Onoqfehp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afgnkilf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdohpb32.dll"	Chggdoee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjjpag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dcjjkkji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dcjjkkji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dklepmal.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 2200	2708	f5ff1791824e903b28da0061506ec3c0N.exe	30
PID 2708 wrote to memory of 2200	2708	f5ff1791824e903b28da0061506ec3c0N.exe	30
PID 2708 wrote to memory of 2200	2708	f5ff1791824e903b28da0061506ec3c0N.exe	30
PID 2708 wrote to memory of 2200	2708	f5ff1791824e903b28da0061506ec3c0N.exe	30
PID 2200 wrote to memory of 2312	2200	Onoqfehp.exe	31
PID 2200 wrote to memory of 2312	2200	Onoqfehp.exe	31
PID 2200 wrote to memory of 2312	2200	Onoqfehp.exe	31
PID 2200 wrote to memory of 2312	2200	Onoqfehp.exe	31
PID 2312 wrote to memory of 2752	2312	Oehicoom.exe	32
PID 2312 wrote to memory of 2752	2312	Oehicoom.exe	32
PID 2312 wrote to memory of 2752	2312	Oehicoom.exe	32
PID 2312 wrote to memory of 2752	2312	Oehicoom.exe	32
PID 2752 wrote to memory of 2572	2752	Pcnfdl32.exe	33
PID 2752 wrote to memory of 2572	2752	Pcnfdl32.exe	33
PID 2752 wrote to memory of 2572	2752	Pcnfdl32.exe	33
PID 2752 wrote to memory of 2572	2752	Pcnfdl32.exe	33
PID 2572 wrote to memory of 2412	2572	Pmhgba32.exe	34
PID 2572 wrote to memory of 2412	2572	Pmhgba32.exe	34
PID 2572 wrote to memory of 2412	2572	Pmhgba32.exe	34
PID 2572 wrote to memory of 2412	2572	Pmhgba32.exe	34
PID 2412 wrote to memory of 1624	2412	Pfchqf32.exe	35
PID 2412 wrote to memory of 1624	2412	Pfchqf32.exe	35
PID 2412 wrote to memory of 1624	2412	Pfchqf32.exe	35
PID 2412 wrote to memory of 1624	2412	Pfchqf32.exe	35
PID 1624 wrote to memory of 2344	1624	Pbjifgcd.exe	36
PID 1624 wrote to memory of 2344	1624	Pbjifgcd.exe	36
PID 1624 wrote to memory of 2344	1624	Pbjifgcd.exe	36
PID 1624 wrote to memory of 2344	1624	Pbjifgcd.exe	36
PID 2344 wrote to memory of 2504	2344	Qnqjkh32.exe	37
PID 2344 wrote to memory of 2504	2344	Qnqjkh32.exe	37
PID 2344 wrote to memory of 2504	2344	Qnqjkh32.exe	37
PID 2344 wrote to memory of 2504	2344	Qnqjkh32.exe	37
PID 2504 wrote to memory of 2920	2504	Qbobaf32.exe	38
PID 2504 wrote to memory of 2920	2504	Qbobaf32.exe	38
PID 2504 wrote to memory of 2920	2504	Qbobaf32.exe	38
PID 2504 wrote to memory of 2920	2504	Qbobaf32.exe	38
PID 2920 wrote to memory of 2620	2920	Anecfgdc.exe	39
PID 2920 wrote to memory of 2620	2920	Anecfgdc.exe	39
PID 2920 wrote to memory of 2620	2920	Anecfgdc.exe	39
PID 2920 wrote to memory of 2620	2920	Anecfgdc.exe	39
PID 2620 wrote to memory of 2880	2620	Ajldkhjh.exe	40
PID 2620 wrote to memory of 2880	2620	Ajldkhjh.exe	40
PID 2620 wrote to memory of 2880	2620	Ajldkhjh.exe	40
PID 2620 wrote to memory of 2880	2620	Ajldkhjh.exe	40
PID 2880 wrote to memory of 2168	2880	Ajnqphhe.exe	41
PID 2880 wrote to memory of 2168	2880	Ajnqphhe.exe	41
PID 2880 wrote to memory of 2168	2880	Ajnqphhe.exe	41
PID 2880 wrote to memory of 2168	2880	Ajnqphhe.exe	41
PID 2168 wrote to memory of 1892	2168	Aicmadmm.exe	42
PID 2168 wrote to memory of 1892	2168	Aicmadmm.exe	42
PID 2168 wrote to memory of 1892	2168	Aicmadmm.exe	42
PID 2168 wrote to memory of 1892	2168	Aicmadmm.exe	42
PID 1892 wrote to memory of 2080	1892	Afgnkilf.exe	43
PID 1892 wrote to memory of 2080	1892	Afgnkilf.exe	43
PID 1892 wrote to memory of 2080	1892	Afgnkilf.exe	43
PID 1892 wrote to memory of 2080	1892	Afgnkilf.exe	43
PID 2080 wrote to memory of 236	2080	Bhkghqpb.exe	44
PID 2080 wrote to memory of 236	2080	Bhkghqpb.exe	44
PID 2080 wrote to memory of 236	2080	Bhkghqpb.exe	44
PID 2080 wrote to memory of 236	2080	Bhkghqpb.exe	44
PID 236 wrote to memory of 1704	236	Bikcbc32.exe	45
PID 236 wrote to memory of 1704	236	Bikcbc32.exe	45
PID 236 wrote to memory of 1704	236	Bikcbc32.exe	45
PID 236 wrote to memory of 1704	236	Bikcbc32.exe	45

C:\Users\Admin\AppData\Local\Temp\f5ff1791824e903b28da0061506ec3c0N.exe
"C:\Users\Admin\AppData\Local\Temp\f5ff1791824e903b28da0061506ec3c0N.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Windows\SysWOW64\Onoqfehp.exe
  C:\Windows\system32\Onoqfehp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Windows\SysWOW64\Oehicoom.exe
    C:\Windows\system32\Oehicoom.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2312
  - - C:\Windows\SysWOW64\Pcnfdl32.exe
      C:\Windows\system32\Pcnfdl32.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2752
    - - C:\Windows\SysWOW64\Pmhgba32.exe
        
        C:\Windows\system32\Pmhgba32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2572
      - C:\Windows\SysWOW64\Pfchqf32.exe
        
        C:\Windows\system32\Pfchqf32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\SysWOW64\Pbjifgcd.exe
        
        C:\Windows\system32\Pbjifgcd.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Qnqjkh32.exe
        
        C:\Windows\system32\Qnqjkh32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Qbobaf32.exe
        
        C:\Windows\system32\Qbobaf32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\SysWOW64\Anecfgdc.exe
        
        C:\Windows\system32\Anecfgdc.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\Ajldkhjh.exe
        
        C:\Windows\system32\Ajldkhjh.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\SysWOW64\Ajnqphhe.exe
        
        C:\Windows\system32\Ajnqphhe.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\Aicmadmm.exe
        
        C:\Windows\system32\Aicmadmm.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\Afgnkilf.exe
        
        C:\Windows\system32\Afgnkilf.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\SysWOW64\Bhkghqpb.exe
        
        C:\Windows\system32\Bhkghqpb.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\SysWOW64\Bikcbc32.exe
        
        C:\Windows\system32\Bikcbc32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:236
        
        C:\Windows\SysWOW64\Bimphc32.exe
        
        C:\Windows\system32\Bimphc32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1704
        
        C:\Windows\SysWOW64\Bojipjcj.exe
        
        C:\Windows\system32\Bojipjcj.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1380
        
        C:\Windows\SysWOW64\Bhbmip32.exe
        
        C:\Windows\system32\Bhbmip32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Bnofaf32.exe
        
        C:\Windows\system32\Bnofaf32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:988
        
        C:\Windows\SysWOW64\Bhdjno32.exe
        
        C:\Windows\system32\Bhdjno32.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2104
        
        C:\Windows\SysWOW64\Bkcfjk32.exe
        
        C:\Windows\system32\Bkcfjk32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Cnabffeo.exe
        
        C:\Windows\system32\Cnabffeo.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2988
        
        C:\Windows\SysWOW64\Chggdoee.exe
        
        C:\Windows\system32\Chggdoee.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1084
        
        C:\Windows\SysWOW64\Ckecpjdh.exe
        
        C:\Windows\system32\Ckecpjdh.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1756
        
        C:\Windows\SysWOW64\Cpbkhabp.exe
        
        C:\Windows\system32\Cpbkhabp.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Cjjpag32.exe
        
        C:\Windows\system32\Cjjpag32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1296
        
        C:\Windows\SysWOW64\Clilmbhd.exe
        
        C:\Windows\system32\Clilmbhd.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2636
        
        C:\Windows\SysWOW64\Cfaqfh32.exe
        
        C:\Windows\system32\Cfaqfh32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\Clkicbfa.exe
        
        C:\Windows\system32\Clkicbfa.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\Cojeomee.exe
        
        C:\Windows\system32\Cojeomee.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2700
        
        C:\Windows\SysWOW64\Cjoilfek.exe
        
        C:\Windows\system32\Cjoilfek.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Clnehado.exe
        
        C:\Windows\system32\Clnehado.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Windows\SysWOW64\Dhdfmbjc.exe
        
        C:\Windows\system32\Dhdfmbjc.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:872
        
        C:\Windows\SysWOW64\Dcjjkkji.exe
        
        C:\Windows\system32\Dcjjkkji.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Dhgccbhp.exe
        
        C:\Windows\system32\Dhgccbhp.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Windows\SysWOW64\Dkeoongd.exe
        
        C:\Windows\system32\Dkeoongd.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2628
        
        C:\Windows\SysWOW64\Doqkpl32.exe
        
        C:\Windows\system32\Doqkpl32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2704
        
        C:\Windows\SysWOW64\Dqddmd32.exe
        
        C:\Windows\system32\Dqddmd32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2128
        
        C:\Windows\SysWOW64\Dhklna32.exe
        
        C:\Windows\system32\Dhklna32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Ddbmcb32.exe
        
        C:\Windows\system32\Ddbmcb32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1176
        
        C:\Windows\SysWOW64\Dklepmal.exe
        
        C:\Windows\system32\Dklepmal.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:928
        
        C:\Windows\SysWOW64\Dqinhcoc.exe
        
        C:\Windows\system32\Dqinhcoc.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:800
        
        C:\Windows\SysWOW64\Ecgjdong.exe
        
        C:\Windows\system32\Ecgjdong.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\Ejabqi32.exe
        
        C:\Windows\system32\Ejabqi32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1252
        
        C:\Windows\SysWOW64\Eqkjmcmq.exe
        
        C:\Windows\system32\Eqkjmcmq.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3012
        
        C:\Windows\SysWOW64\Egebjmdn.exe
        
        C:\Windows\system32\Egebjmdn.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2408
        
        C:\Windows\SysWOW64\Ejcofica.exe
        
        C:\Windows\system32\Ejcofica.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3060
        
        C:\Windows\SysWOW64\Embkbdce.exe
        
        C:\Windows\system32\Embkbdce.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:580
        
        C:\Windows\SysWOW64\Eclcon32.exe
        
        C:\Windows\system32\Eclcon32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2984
        
        C:\Windows\SysWOW64\Ekghcq32.exe
        
        C:\Windows\system32\Ekghcq32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1584
        
        C:\Windows\SysWOW64\Ecnpdnho.exe
        
        C:\Windows\system32\Ecnpdnho.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2760
        
        C:\Windows\SysWOW64\Ebappk32.exe
        
        C:\Windows\system32\Ebappk32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\Efmlqigc.exe
        
        C:\Windows\system32\Efmlqigc.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\Enhaeldn.exe
        
        C:\Windows\system32\Enhaeldn.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2060
        
        C:\Windows\SysWOW64\Efoifiep.exe
        
        C:\Windows\system32\Efoifiep.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1152
        
        C:\Windows\SysWOW64\Einebddd.exe
        
        C:\Windows\system32\Einebddd.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1160
        
        C:\Windows\SysWOW64\Egpena32.exe
        
        C:\Windows\system32\Egpena32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2584
        
        C:\Windows\SysWOW64\Fpgnoo32.exe
        
        C:\Windows\system32\Fpgnoo32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2848
        
        C:\Windows\SysWOW64\Fedfgejh.exe
        
        C:\Windows\system32\Fedfgejh.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Flnndp32.exe
        
        C:\Windows\system32\Flnndp32.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 140
        62⤵
        Program crash
        
        PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bhbmip32.exe

Filesize
448KB

MD5
99e90851495df7f3f7bced3fd7c7d0b4

SHA1
c7619d5760dc19f9803d2cbcd6174103a7c48f0c

SHA256
12fb4ecfe6ed641abf7a38fbe33dec1e9754b3c85df1af1ced11cec7a1502ce7

SHA512
d06122f5c3b5a8b061e6deb07caf476e20f8bdf0462bb2d9cfb15fabbb6ab4fd92f35ea74fedabfbc57e666869a023f08eac5c98cb102a8b87f7cf30a6d8da56

Download Submit
C:\Windows\SysWOW64\Bhdjno32.exe

Filesize
448KB

MD5
e93b0ab59110da15f52a1627911d0626

SHA1
bc8dba171bde04d17f1779176333280bd7952e75

SHA256
a4dc0b43c7cc55f4809f1ee11604f1ef80896cf626819e072441bf145bb5bf57

SHA512
4a5407874dcc4627274f01f6c6539d6b134c00f153f2ff3ef63e47f0d56b49cc36d33113c6abcc525af81f6793538ce605ec808fa91c73d230d2643c846fb56f

Download Submit
C:\Windows\SysWOW64\Bkcfjk32.exe

Filesize
448KB

MD5
b93da0c50a3f27542efad0f84e6fcdfa

SHA1
a2af22c889c61593794d222fe159e978c4bb3fe5

SHA256
8da4065efdf447058d9d398952ba14f695458812cfe6b32710d71d1b64f03abb

SHA512
3a5b3514341aa46851ae5fe19fecfdf13877eb5217e25195b42de13ba51a6faefe2b0e883b964aaa121f2540df5acc314520cd51673d8e19a6e6cbbb2e22671b

Download Submit
C:\Windows\SysWOW64\Bnofaf32.exe

Filesize
448KB

MD5
01fdd3e4210152b75cc9cfc3640431ec

SHA1
00c6fcb49ad22d41b705fa7118a741d4081a18bc

SHA256
0eb12fbdc601b5696b71e35d1b73bb6f9fad65537493e2f3644e1a07df6e53a1

SHA512
689ae17081e523fe7cacf54f9374882587ef1b18e344861afdc8fdb106c1e9fbbc15abb5b181c55bf74c5b9dbd6ad18ed4488a0d31413053bee63e7c0a22854a

Download Submit
C:\Windows\SysWOW64\Bojipjcj.exe

Filesize
448KB

MD5
560ae5bd25e2884aa567e3f977b809d0

SHA1
d262bebba2656ac2001c994433300c75197fc7bf

SHA256
622d53027853a4c45d965210c3a75200d069d515f0ffb488b66a03423c8612d7

SHA512
9a56ac81997becaf0d28fbf54af227b2230093cfc299df4d7a2989a0c2a14563581636720b0b5bdae0218e1f701c01fd58076ceb7aa73d500efbc528d4db0b18

Download Submit
C:\Windows\SysWOW64\Cfaqfh32.exe

Filesize
448KB

MD5
25dd3d24dc26ee1b9f86ad9ec554ff64

SHA1
40c6354e932ce8ab75ccccd208d1bb105a212009

SHA256
5f7f052fa52dfea1c8aa226180904226408143591b1639c06847182be6b64372

SHA512
d34ce7d48b76d29ec562532b8ce80984c0311c7f1116adf5404f24dfcc5f90b5e760f14cfd6410376a25345aa71b41b66b679f1dac2c48767048dd8ea2a50c71

Download Submit
C:\Windows\SysWOW64\Chggdoee.exe

Filesize
448KB

MD5
b115c6789571c01ee2e573dd0464d431

SHA1
bf901a77cd19a41852b8961bd96d9dcd394a7ac9

SHA256
efc362a55e69e4036123cce4b5fecfdce3db0c3e3c0a26da9f539ef0ee7adcc5

SHA512
7daf68b411608c9e076d169d5887150894494e025de1fb84f7eea79c378c5baf3a8ac571e1330bee7e3fce3c606b576e6e3b52b5f4023e2f4c345524c8c72aff

Download Submit
C:\Windows\SysWOW64\Cjoilfek.exe

Filesize
448KB

MD5
0ccc1d222214096bc91fbb7c60a51167

SHA1
97aa807dd630860cbf2840f75400c2d24a5f980e

SHA256
e9b91ba0e177e9d89e308b5f4498b4183982fcf1cc3aaaf062063287c6676256

SHA512
a336cbeeb2e72aefc48d4670c41c057f8b583966e5c642da53cc6e8e3be3a2046edc1c2b1e5e655b39b6b1caff512be9cbc4752030f63e6a05f03302009487fa

Download Submit
C:\Windows\SysWOW64\Ckecpjdh.exe

Filesize
448KB

MD5
377f4e43e51a88a347400d9d979e9871

SHA1
67e1253b10e72ce5d9f2e471a3195a7cca1c9ac1

SHA256
2da6592b8527aeef8f7845a26510f9ac22fd301ba3afdb01dc5d293c54764c7c

SHA512
3bf19c38fe00939e914374aa967f26a818f7dae147804c1e24a50e8e3284fce218c0d86648830806fec2f7127d3d3421149b6a54095e8d4c68b5f4c7a78fd6f2

Download Submit
C:\Windows\SysWOW64\Clilmbhd.exe

Filesize
448KB

MD5
dedee6bad740fc7c604d5abb10e1945e

SHA1
6cbac37bbc6548aa2585969a87ff69f8470e923a

SHA256
b0aabe7a5df375f6cb059f8a9e0e2f55fadde66fccbdc00cf751ec4da651fe42

SHA512
205b179c6b0ed2478277495b9c06da74a72bb3b376bbee803468d0ffa8281d1dd79338bf9b86dab337f882107a38f8b5537e883e9a7bb12283315193c766aa7a

Download Submit
C:\Windows\SysWOW64\Clkicbfa.exe

Filesize
448KB

MD5
76a9ac01be6852248a9faeb20fa3585e

SHA1
319bc3f1b99c61e53bad7c93a5f500d59040e671

SHA256
feb129d3bd084b57a8f13db359cbaee50ed7cdc57cf33dc54a969344987796c2

SHA512
a0f9fa57b5909e69a6e043aabfcfbb49591183c53b583a5ac2035c2aa24e330620c43213e6c12ce56cb3ba9fa833ba71247fd2050edf1d9ebc789d69b462c2d1

Download Submit
C:\Windows\SysWOW64\Clnehado.exe

Filesize
448KB

MD5
85d4bbb0cf9fc8c972dde1a43bdd23b1

SHA1
ed51863a99db5dcbedda00f5971822f43c415b1f

SHA256
73b157dbf1d2a765c526d3b1f657cba23b2e4eb2164f2c9c596d5a8c41079218

SHA512
26e8e93b7a8b06544d24c8686d108edea6d5954607d328e2109abdfa8b5889b22ddb9671b2a03b4aa4ad67d83d121fac9f7f8c60573d81bee808e671ff1ef827

Download Submit
C:\Windows\SysWOW64\Cnabffeo.exe

Filesize
448KB

MD5
72ee89ac9a9c0feb577f3e95389193e4

SHA1
c54706ced97ed3bae06aeb039f9f8b2cea1f1274

SHA256
46267b329c403ec568310b9654075d9b7cae67d6d03dd9039530b33b0ea3b91f

SHA512
eb76a435a37d1977f3361eaaa38b31de4fb1b647b571b02bbdd93da53e69e5a0ed2766fcb9a69b92e3a7e7c8731e42f294f206f122bbfcae0fd7e57a5f90328f

Download Submit
C:\Windows\SysWOW64\Cojeomee.exe

Filesize
448KB

MD5
063614e62816b4da3ca91b419ef3546b

SHA1
30b0638a120ed39bea4df380b2932490caa1cc28

SHA256
82024bc9a6ab176aa293cb7cc9d2815fe6b81fa288af84c14be0111215ed2210

SHA512
1f52cbe71ab4be97afc03e66ebd1690de00e560a544e873852dff3f8f07a8fea5a4042e668cc892da228198d003acaa1f61961d577212d58a455dcb9385af66d

Download Submit
C:\Windows\SysWOW64\Cpbkhabp.exe

Filesize
448KB

MD5
37c60843dd48616cffb2b060d89ee014

SHA1
bb192490b59a4e66969c1e269f5bd52194398461

SHA256
fd8535bb8461c20082d235cab88a4f178031b05b8cc72493031f9cd49fc44f55

SHA512
767fdb6c02d8ff93a6eea5b8df09582ef52393f85f309fba5a948cfed54a218db286849f78456bbb2e514144bd3de4a1caaa6e6ed3bb31e936f315f55d094b59

Download Submit
C:\Windows\SysWOW64\Dcjjkkji.exe

Filesize
448KB

MD5
e2162067c1bd13f5d5cdd081d639da0d

SHA1
957b3d02e2f025b75589075267a6999540c5825d

SHA256
63cc481f3bd0c426c5c933d744c7e211f6e74f4c1912e418dde1dfb336cd9d1f

SHA512
6d52a7228a1fcba23f50f0ae1636d201d759f9024baadde13a2d7697f56fc25a6429cd63835659992e90eb5e21e22d4b747d25f48128845d75709a90dd04d9f3

Download Submit
C:\Windows\SysWOW64\Ddbmcb32.exe

Filesize
448KB

MD5
632d1f0a2947a1137153141a4f9778ca

SHA1
e9f05e215ab7b8b197bde8da9fa580163fb8079a

SHA256
c826ac425fe80198a51a0f3269a200177cac56fb6e43e561770dfc7436ec088e

SHA512
7008f9301602de9a18b7605c24d8b7dca1ebe7286a8eb0a4110f3495e4598d1e0f2dfd7a5756e307439ef7a208253a338833fa1a2de862f1e0af82ee1b144143

Download Submit
C:\Windows\SysWOW64\Dhdfmbjc.exe

Filesize
448KB

MD5
401c4989941e7ae8a416073e0f41dd5d

SHA1
1d352fd540e533bf7b2d25fbcf843a4faf24e120

SHA256
ad051a6ad3bc5abdb5cdc69331e136874494d2b433fce061c31c0b24d84b4be5

SHA512
c7854782a02cfd2cdf4cc294b572dc44af8b7a60ce78235fbcff9f7f2a2f1eda6bf7b20bbb9841c49804b59ab0c492e5914b03af2125ca2439b68b5f6035c2cf

Download Submit
C:\Windows\SysWOW64\Dhgccbhp.exe

Filesize
448KB

MD5
36920da925d2d7fb5b4128a352c3487e

SHA1
a693c1b138fca972f65501d64e477cc89f5fe03d

SHA256
2c7e51b2f9129cc44e67b2bd56d870bdb20a2d85220bf2448628a51930c8e42a

SHA512
6b33f7f1bdc595e13051fce3af3cceabb0b8a945318836288b99a4a837c51bcf0972d528942c7836bb3e157f87ed65a26bef38657fb43309bc727b7547833ab6

Download Submit
C:\Windows\SysWOW64\Dhklna32.exe

Filesize
448KB

MD5
8d8116a5333f8560a49f0c427abcd148

SHA1
c29f92ba5d0ec580f9589f701243a8fb3e91db89

SHA256
d2bd728a31d31d03d259f3a58294be4fccd329eb2eb514550b4d48605bfe437e

SHA512
68623df6abdc4ea1795e0ce35834101725b634a47d22291efec430179d3bd3a8882240a02dd1fec5c4517d186839308f92ae6aba75c38109780e951076d95a93

Download Submit
C:\Windows\SysWOW64\Dkeoongd.exe

Filesize
448KB

MD5
70cedd2d4c5f9d598db45e8aa3b8c356

SHA1
574ee342334d981a0112940307b5b0b23a0a74c1

SHA256
4da5999502d8b0a5482bb0d28fabcab9571592c63d78e18b48f2be2c00016131

SHA512
aa1a8cf14c76ba1d09b128e7059e52d1be195c488bd229cef126d5a1d3e9891347fd6147c25d2143f14b342557af7c6e93e5c30b5e16b42f2ff0ad84d3424e13

Download Submit
C:\Windows\SysWOW64\Dklepmal.exe

Filesize
448KB

MD5
ba3330a7f68899fdaff40bc88d5d46ee

SHA1
726664db2b0da47534c3d357cebee2894fcba367

SHA256
e23ca349d16c0ad09b3d26aeaeba7fcafe058b0c9dd56f2589c1b77ab9ee14ce

SHA512
2a8d685e9e84b9f42ba128e30991065b85af76cabe13ae40f741249cf849e9ed4de373fe3efdab06db9ec8f1e12d12f6a6e169f535ef5d34275418371f03ca3c

Download Submit
C:\Windows\SysWOW64\Doqkpl32.exe

Filesize
448KB

MD5
8e0c61e61f889a7361787ad3075bbdaf

SHA1
5ff27667a71497824392567a191253ba674411e4

SHA256
f6ebeca7343ef49ecc7d58c3b745400a63432c8f3c1045d4fedc8ea8a1cfcf91

SHA512
76fd68078a7098a9d757d564bd3be2cb333dd4d23fb47126ee9e259a6b72e8180dc9e3d0467681a35f33c1f67021ddcc63487cb4e92bf196c9e3deb38173848f

Download Submit
C:\Windows\SysWOW64\Dqddmd32.exe

Filesize
448KB

MD5
280b224d526b97d36c93e86383a8bb5e

SHA1
9bb1b731c1c1b6f6111cdd412f20eac691313974

SHA256
16bdb7cce72d4c0789fafe6b69c2042482e8a1ae9da1e3165a55fa070e7bbf8e

SHA512
edd5bbe55bebd1a0f9f8c199593266d1c9d6e147e2fca8ae816893df450b00a867bd9d07e6845632bdbe12f6806109cd4c7e8bba0cca934e6f68615842a8770c

Download Submit
C:\Windows\SysWOW64\Dqinhcoc.exe

Filesize
448KB

MD5
c5d432bb9547b155ae39bbfbbd257c9d

SHA1
ded74aaf5b17819f1ae468438045eea9c73d9c71

SHA256
50120cf0b4a07a072974dbfab1666d9a6dfc78cd473f3c626bea3e79d3930eb7

SHA512
325d5aa3ae622cc43accdded7f9759b1a6fef299d457f85b3ee0b464fdae09434ac81ecf83d8d29380d2b9f4d461b0a6d7aedb788257dc0bbb90a36fcb2bb5f1

Download Submit
C:\Windows\SysWOW64\Ebappk32.exe

Filesize
448KB

MD5
fdd9e7a46d7dbf669398acfa2ce5e0aa

SHA1
afb202eb8a576a5ca31717826298fa6858e433c0

SHA256
47020f411ce21a3d1c72744f0b14e0007e3513aedb1d9808910766501023a4b7

SHA512
e73c21b50c65caa658d88e099742def3b191b92db6d24717d3fc892f6ce60d9c04c64c4cdce9a546b62897db103f5efd0d11343dd74f66e60afb7731b6c02ed2

Download Submit
C:\Windows\SysWOW64\Ecgjdong.exe

Filesize
448KB

MD5
7c6d864dd4d5e4ffc3b7f1f52ddc7171

SHA1
3df42cfe6809a4a8d76d65c479b4150e7739577f

SHA256
ebb53130a6f1a18f29d9df9c024b44ea4db11a8be0b1e188a22bef57035f33d6

SHA512
03ab1d3d9ae5c0ba3658872d6be393bd806957899699ade365f006037073514916dff7cc7f3424a9e52d3678bb07f92e2960447dd5c4adf3bd421812bd4785a4

Download Submit
C:\Windows\SysWOW64\Eclcon32.exe

Filesize
448KB

MD5
5f33ff44db75ebea1d5acec4735027fa

SHA1
96ce11026bf581dff0ccc28f8ff2562fe7bbac3a

SHA256
730631e8e24fd55a4a050c55a6d0eb955e957bc6c8df6a4fb5e6728123b90516

SHA512
0a46d44ec79cb3d301c2b331cd15bf4847167601368347b8963f123ff87720c951d588f7a0897ae7c3058119cc11793a900ae52d566053d66a0d0b0d52011d02

Download Submit
C:\Windows\SysWOW64\Ecnpdnho.exe

Filesize
448KB

MD5
3828b124c3ddd91904ed08fcc755274f

SHA1
49092068f76a67ee39f6cfd5746c37f7e80123df

SHA256
2cfa2482dbd2cab3e47daa9ae32abd7131887c1c678491797e4045fbce350cee

SHA512
31b85daa5b056660190c964c12031857a935122ca353b864ef327056717bb421028d734ab2078c358567d34af98f62845a2998acf64ccdb5b337b343e0490292

Download Submit
C:\Windows\SysWOW64\Efmlqigc.exe

Filesize
448KB

MD5
a310a9368684752298cf9eb8957b596c

SHA1
2c79982e489e49816fc8dbbf6f27340838daea22

SHA256
902fbfca85ce32ad9153599189897c101d957481486f785cb1b9e231a5b7c13e

SHA512
d1d106dfbb3367067b0bb0065d48bc1f25707379daebb2e89de75b8f8850415df0c421264b66dc8f8003a03e34a01161dae44f40a7a9505a12ba6c50846592cf

Download Submit
C:\Windows\SysWOW64\Efoifiep.exe

Filesize
448KB

MD5
de4ed3a14bbd45a7947769a5ad814ebd

SHA1
61692c0003bb2a1cfc225aa068451b6099d9aa9f

SHA256
5c2b04ce3620236143d5192531f0420486027b759ce590a0e970afc20b9c0b30

SHA512
b7fefb6aa52079fbc6e8c214346cd4f665860cf94b8bfa31e845ec05553e48fc92d44806beb872a246a11d369d77479b4801e31c63b0b252a0173bd00adb23c7

Download Submit
C:\Windows\SysWOW64\Egebjmdn.exe

Filesize
448KB

MD5
ccad4f9f7b34962d77c01fe00ac1eb74

SHA1
ecd73403183ce7bbfc3e3818d95e627957eb46a7

SHA256
b14fe636565a05f086c2dfd6ff87f32601bb68924c86073ec7507901dc269010

SHA512
d0861a0ef57021d9a739dbd8b4851bc2e0f0cfe41f620fbe738acc452699d7bb182c504dbd7dc927f9c1a162d610a99e8e7d69dbb0fe24d2e9a19c42800488a3

Download Submit
C:\Windows\SysWOW64\Egpena32.exe

Filesize
448KB

MD5
c573ded0de854a94a3b2bdf6690f3967

SHA1
d65d01dcd358cd353bb6c6d3bae8affe0f85b460

SHA256
9f62c3996b69b99bcfba175b3ca2cddca397738e6ddfdb7172dd95cb65fa1beb

SHA512
ff038fd012e39842a9bb6ea88030a109dd64da9486d1e0203836d0f9d8b900feb8b563e4f64a44910c085e41c4754fe120df578be696e3cad380c2a568ef246e

Download Submit
C:\Windows\SysWOW64\Einebddd.exe

Filesize
448KB

MD5
24814aa45f761bfb8da3573436f69be0

SHA1
021d60933f32f1e993d57c7de08e0fb4bd350bb9

SHA256
70a2eeaa326e8deb53255afafb796c1eb5473eb5a947c4505f1c5f6f34acc999

SHA512
fa3e5ff61b72b3b12bd3e65e573a54b894ef34afdc4a2567bba68d0074eacfbee8d4d9a06d6f75298f5f3ba50ccd984cf88619094762b9c339269dc0ccd4ed5d

Download Submit
C:\Windows\SysWOW64\Ejabqi32.exe

Filesize
448KB

MD5
efb74edf9cadcf020ae489d8b78b4023

SHA1
a29c85a8758cc71e80738af807cf6439bd376a6e

SHA256
ebe58cea8054ae5c146aa5e96723443bf995ea6f091216fd98b5e20c33168e6f

SHA512
1cb7449acb3ab4f9ae985a853774ff04f2bcb76eef33a96ac23bf5bc06576858aee9b19998881f5cb6cb52e457d72f363af5fa66aac05aa4d7575a0b91012bd1

Download Submit
C:\Windows\SysWOW64\Ejcofica.exe

Filesize
448KB

MD5
1c8fa048df9b672d0b3fc1474274dcf5

SHA1
d31209e61294a26fd7b636c5e2fc13e098ebdc1a

SHA256
2796f6b8b98ea5af804a35de08d3f4cb7241c66c9d9b0537ac76ce3f494f5dc4

SHA512
d416e651123960c7cd2427bed784293901e4483f82c3e0216edccb293e1076af699d541d11aded799d7159b850bd59cdaf7b656f01d767df03a665a6a2a24c16

Download Submit
C:\Windows\SysWOW64\Ekghcq32.exe

Filesize
448KB

MD5
f4151579bb979a8a1e34d5d750197362

SHA1
4d51e62d50d9c6638e4c9384602da8fe10c35c05

SHA256
33b08820248e76212b2eebde4d7db32bbec26542ad72be4d67ef5b6dbe1cc58d

SHA512
70bbe4871dd8576b225514599264d5a91cc380ac3737480f490b971183cf64331dd0b7ec515a184e5d547056d4aef57b23ad887713faac5f607604279aa1381b

Download Submit
C:\Windows\SysWOW64\Embkbdce.exe

Filesize
448KB

MD5
4ff342488cc22c0d497b2e45aeb1da38

SHA1
8ddb493cea7b9d24fcf7774eb15f619bc619d5f2

SHA256
81e6484c7e583524e57e24160998d6acc52dae8d90adada0de6537efcc631fdc

SHA512
2ae21ebc659847ea8f7b71b399789126bd65a34b5f261aae9fb08bda5f0e5c25aa7694e7ea33517f6cc97ef6e69925e37b5e39727e67e7a8192fed1f2a4bf4c9

Download Submit
C:\Windows\SysWOW64\Enhaeldn.exe

Filesize
448KB

MD5
57b8df1948787e8dd03b3e48a3445b50

SHA1
7b340b64be156c47e3a96ebfe2f3e4c45f113d24

SHA256
eb68e8ed51c15aa97ff252fbf1d1905e61f0e9795cdf2426761d4a7c14664696

SHA512
5cbe725ae25a743cc5d93331941a33482875b98938c5ba66f01c36de51b95bb8297fd57dc9f44376718c2c53b30c5e3460673f0aedaf00c4ba808370c165e56e

Download Submit
C:\Windows\SysWOW64\Eqkjmcmq.exe

Filesize
448KB

MD5
f42f31d66e56b5bd43f48ad68ad38ec5

SHA1
f2450aa76655956b60b53123e77b650f2b44e84a

SHA256
7d1979dfca5b0d0151ffe901a97fd7a74a329883cbf9627c7eca8d9a5aca11b5

SHA512
25cb28277b62ffc8597a8f15735bbf3177f24614a99cf3df4bfe36ae7c169ad828a1a238eac1bdd286cb5972a75b5a70951c9f40598fadd5f4fc99705d3bf608

Download Submit
C:\Windows\SysWOW64\Fedfgejh.exe

Filesize
448KB

MD5
04adb853770f44d162fa31870ace59f3

SHA1
8998da7f3e5d5fced09c598c970353e3e3461b0e

SHA256
418e7ff5ce65caa848575ee7806262bc3a42d44ca8494968141ddb86461fa42c

SHA512
3513a45de4d5a82203eb42cdc8098300105ae7901d69da57fea8420378f8fd783dfeaedc0a22126cb7e16966b77a3ba2dbbdbd11677f42c2f0ae35b32796bebe

Download Submit
C:\Windows\SysWOW64\Flnndp32.exe

Filesize
448KB

MD5
82b83b19f6a9dc61137ffe1fcae3ed2a

SHA1
48cc3ba51f59a18386f0cd4c2c59481252e0c425

SHA256
ed2e5369ac44c2113ee9b6f1029221890c82f69fbf1acb1efe622dde08283c20

SHA512
a6fe282776c1b6794c418fd90bc06ce149b784423e5758b64c3d582569588c3f9d5f6aefa8694be2dbad0195f0a3a096e430a3dcd4a9ea5c4e715e38bd1d8fbf

Download Submit
C:\Windows\SysWOW64\Fpgnoo32.exe

Filesize
448KB

MD5
c0514101a554f0bc9068d4661df75da7

SHA1
053f6ccc25564e1f4b195125f03ce84387a316d5

SHA256
d73e407c79927f2d9281149aef350e9d3d30ad7fd9d40bade3f4b76c6fae6692

SHA512
95b26da8d91f8359712fa06eaedc9fe757f22b0ab1b1ddd5a5382c8e405507c3fce8d96fa7500ab11ea8ab318b1bcd802f46155c1bbdaa48c5949119d22f79a5

Download Submit
C:\Windows\SysWOW64\Pcnfdl32.exe

Filesize
448KB

MD5
6973f19689dbce30d5a0e6d51202ab6c

SHA1
801c7616bc8f499799916d745dc84cf4d64e164c

SHA256
86560d97f600c9097c6411d48135e8dd0093103db56b2d690c3c3686c418fec4

SHA512
143425caf854fb794fe0aef4b5c3e50115c9a4b8af97d468773870f1df28335fd456a0d037d7f128e23eb0a2a177aae2617d14bb4e154466c498828af7d3e2e8

Download Submit
\Windows\SysWOW64\Afgnkilf.exe

Filesize
448KB

MD5
8ea348f025cf49f4c88f16e50b41ae35

SHA1
1b2e3d111c4a7c6cd7016851c9972b8435686b93

SHA256
b242de2336ff68266cc1bf6061b555eacaa8cdddad9f3076f619ca0d1aba160f

SHA512
c1ee858a799f2e38bdc4db19d6af7e9cfc30c1dffa176b43607ea3b7db0eb0faa58cc68fe769d7127828a34c3b34c3883bec64325b3f0de21b05fa1b314dd53b

Download Submit
\Windows\SysWOW64\Aicmadmm.exe

Filesize
448KB

MD5
952d47d7dc18d52e0c8f063c62379c3a

SHA1
8488dda6461aaa747b7ca9650370cda8a2d1af24

SHA256
0b63a650905309f5e43d65d88d312b0c5bd48c027ce08ec488dd778ff0450ea4

SHA512
16514f48b7a8f147e95998cff314058c0f6d20ff3717ac4c864a17d6611cee4a0b52271dd23af4a571e0693752e38c1a089caaacc313f68fa3e1568095ac8666

Download Submit
\Windows\SysWOW64\Ajldkhjh.exe

Filesize
448KB

MD5
db53e6839c5811611ac26d5c71c1dfa2

SHA1
87bd7363ddf1b36a0be11a659df16a27b79d9df0

SHA256
524aaa3bfb1785b02e9b336abee81efcb1b1b6ae321818d3091f70b886bb94ae

SHA512
2966a55abcd1532d876e733f2cb6d80b07dfede9ad8945f2f92d3121531e9a7365dca769d52f21c8ffbec00cc8157cbc8a4e92c8dedb5a7c346fe8e66b130302

Download Submit
\Windows\SysWOW64\Ajnqphhe.exe

Filesize
448KB

MD5
34e30085293ab8fb6a527e5a1b088df2

SHA1
fa44a3e23ad6daeaeeffa743b996ab25ce82806c

SHA256
b2aa664742347dd467e4b791332d0673e2e8d0327e0fa1f8ecc5a0f268dc5692

SHA512
c33b364b9f144835d125bc0675c501466dcaa706078b7baf3f8a227edf174c549d0f82818155bc43d7d751ba0c1eba0e7089b5a73d06f561648bdaffbbca8bfc

Download Submit
\Windows\SysWOW64\Anecfgdc.exe

Filesize
448KB

MD5
c1b4816d457ec747f5cad29d259531f9

SHA1
bd0aa1b9f0eeb2ebc50b615c8010e8b73bdbd5c5

SHA256
9e8dcd47748263b4b3da88d564516ffa3d2e4535f72a0ecd1cef004308ff2c69

SHA512
3c5244ba7b0911de461d70b9c5b3f74124ccd918d6b74f5031ad2b868e55b22ff6bfbc8ad1283bec64d6e5ba301198dc009d4f29ed85d07fd2026ea5c94df026

Download Submit
\Windows\SysWOW64\Bhkghqpb.exe

Filesize
448KB

MD5
358efa257c1c6878aadb96e6bd0b993c

SHA1
4e72f624ff36b0dc4cf05b56aa553dc41667afa4

SHA256
8e25e0b9a8a3f76e09d970a9ef0070c70fcd8a06f8118688377351569649b6db

SHA512
b71cb954a5a77fa5b25b637c6ed2ddb4122f639546b0296188d33988e2501d35103b8ed3ceb0b2e6083d2e6eab13f74caf530d5b8331d90e9f916ba80f2a84bb

Download Submit
\Windows\SysWOW64\Bikcbc32.exe

Filesize
448KB

MD5
0a2ece62fd8680876343038069142f27

SHA1
a342b63b9c66f56e9edad1b778e8f9f7d40f820d

SHA256
1622a339146d230be0a024216cc70563be63b18228adc40ad9a0170217d150c9

SHA512
100f34e4b1bfc831d84a5b84bc256627c7ea0613ed6d67b42d91b095ca6ad96e1e8dc6c14a7b63626bfdf9533cdcb099f1088247739ecfd8eeacc6b05dcc998b

Download Submit
\Windows\SysWOW64\Bimphc32.exe

Filesize
448KB

MD5
5aed5f6ced28a75cad42425b10e16577

SHA1
c181bbe51f28fd2e035bc608f5e4917935705eb8

SHA256
4712c81cdfb648d699fb7a93bde94c9d7f6a6d1afc498d36d44473e39d72f81b

SHA512
8301e47f2f00a41c4b44ca988b71e310220dfde982f12922fc0a83ff581dde7debfe5dbbb612db311ec6615fa8223d1e739c242cacf8c41dcb9bbc9ed4abb741

Download Submit
\Windows\SysWOW64\Oehicoom.exe

Filesize
448KB

MD5
220015bbf111974ba322c45c670f4056

SHA1
71715165cdb944067be80849108bfacc3efbd9d2

SHA256
2520b27984c973e1d80f7a3746e74ad0164e43239f727309bba61b66fcfa379c

SHA512
2e30fd6018ee4d818ccb65c19feacd573298c799dca111300b147613e6b6fc7a632272daf508ab6c79ed1bd77c952abc2815d9746e9cc81f75175c4a43c84f83

Download Submit
\Windows\SysWOW64\Onoqfehp.exe

Filesize
448KB

MD5
197741c09d3e5b289932c990bc21ec4b

SHA1
7824646b3c50a3a4628892301ada98937ad73718

SHA256
1a9513828c36f8cf14d972268f92f8b59e74e419175a2ca38ba74805b445c892

SHA512
900b2393bd03cd156ab7a16ffedb6b5385fee2a6a90c5c4bf153c32dbeb280acebb0b00da08492418c1c3ba52777b5331e2beb8427ecd0abfe15b83ca746e597

Download Submit
\Windows\SysWOW64\Pbjifgcd.exe

Filesize
448KB

MD5
cba66d8554407f9252076b7b49db6ffc

SHA1
fe044cbf7a675409f1fac2b024ec936bc3ca0e26

SHA256
6d0b6e46a6997747940798190c092f8022f3b6bc258eeebc3b8eca59877d6ca8

SHA512
f70fa48c71d62359aac79fbecbe26949a19506514501ec3bedd5e6e9fc9b809679b15ec55ae181d1e099670310e884234434877defd2ca9eda7dc51029ab0f51

Download Submit
\Windows\SysWOW64\Pfchqf32.exe

Filesize
448KB

MD5
c091f843f6ccad16986033d7398b9a6d

SHA1
ebaeec2773920e78010b6d08cc1c58a3ea561270

SHA256
85accfd3be5a3e0b116515b24c813c0d263886a196edb20e2f6cfdde8e1af0b0

SHA512
e0b8dad01b80fc7abf90022e508c565b2fbb685e1ec7049158490ce3ad709bc2b2abc72cc80de18350d81f6d927a48f373e40cf20501c3e6eb2580e23edf7afa

Download Submit
\Windows\SysWOW64\Pmhgba32.exe

Filesize
448KB

MD5
f4be2bcc710a53d0238f426b7a95e385

SHA1
54a79ec8e2d8a4ed4a49e25589faf3b89071489f

SHA256
28dd0bb4772973ae0963debb3dee7059cbaed746f7068978f4f3e73ec544c949

SHA512
41476cdb750749bf6c213fd879023685fb3342162b1b57fb172ec1868ec483d172cb06dd695822ce66a72b8c5718e67448a7049996c5bed97c4cc2bd3fbf6c40

Download Submit
\Windows\SysWOW64\Qbobaf32.exe

Filesize
448KB

MD5
65abfd6569afb04c5728881558f7ffc4

SHA1
62fa7e2ec4c43858eb9978bec2a1f78b9514cd8d

SHA256
9b9582d75c0a0bc19450320c30be1479b06c6df76cfe2be473673e272dbf9e3e

SHA512
a575bcd648dbae1d7ddb7a8251646e865665133db48b787c038f4b1d829f1072e2b8cd5b5040f33bb2e96a2018c9e5eb1befadfcf4facd451c67139380d0e3f2

Download Submit
\Windows\SysWOW64\Qnqjkh32.exe

Filesize
448KB

MD5
b10e8536ed3b30e8d302e44daf05d207

SHA1
67c69ead1a07ab25607885584d2b51083d9d97c9

SHA256
ae7f466092e6aa1cfac534c427fc01be282ca7c85744b437a338297d0bd1d036

SHA512
b7452393738d08382cce64681e10d3773c18f9d77d888496487bc033094a6a2661c1c5dc5c38818ec865423f5188877b3aa29bbffa6569509b02c23054c5d217

Download Submit
memory/236-216-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/236-209-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/540-469-0x0000000001F20000-0x0000000001F4F000-memory.dmp

Filesize
188KB

Download
memory/540-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/872-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/872-395-0x00000000001E0000-0x000000000020F000-memory.dmp

Filesize
188KB

Download
memory/988-257-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/988-251-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1084-289-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1084-302-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/1176-471-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1296-321-0x00000000001E0000-0x000000000020F000-memory.dmp

Filesize
188KB

Download
memory/1296-311-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1296-317-0x00000000001E0000-0x000000000020F000-memory.dmp

Filesize
188KB

Download
memory/1380-233-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1624-431-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1624-97-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1624-85-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1624-436-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1652-242-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1704-232-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1756-303-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1892-189-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/2080-207-0x00000000005C0000-0x00000000005EF000-memory.dmp

Filesize
188KB

Download
memory/2104-269-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/2128-458-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2128-456-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2128-455-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2168-181-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2168-175-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2184-413-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2184-424-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2184-421-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2200-365-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2200-26-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/2200-14-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2200-376-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/2312-387-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2312-33-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2312-383-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2312-41-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2312-36-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2344-111-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/2344-451-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2344-99-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2344-457-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/2356-412-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2356-411-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2412-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2412-423-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2412-79-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2412-410-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2484-308-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2484-309-0x00000000002E0000-0x000000000030F000-memory.dmp

Filesize
188KB

Download
memory/2484-310-0x00000000002E0000-0x000000000030F000-memory.dmp

Filesize
188KB

Download
memory/2504-459-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2504-113-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2504-470-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/2504-121-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/2524-367-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2524-736-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2548-343-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2548-358-0x00000000001E0000-0x000000000020F000-memory.dmp

Filesize
188KB

Download
memory/2548-357-0x00000000001E0000-0x000000000020F000-memory.dmp

Filesize
188KB

Download
memory/2572-409-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2572-58-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2572-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2620-141-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2620-153-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2628-425-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2628-432-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2636-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2636-328-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2636-332-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2672-342-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2672-341-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2700-359-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2700-366-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2704-437-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2708-364-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/2708-13-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/2708-12-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/2708-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2708-344-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2752-51-0x00000000005C0000-0x00000000005EF000-memory.dmp

Filesize
188KB

Download
memory/2752-43-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2752-57-0x00000000005C0000-0x00000000005EF000-memory.dmp

Filesize
188KB

Download
memory/2752-393-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2752-399-0x00000000005C0000-0x00000000005EF000-memory.dmp

Filesize
188KB

Download
memory/2880-155-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2880-163-0x00000000002E0000-0x000000000030F000-memory.dmp

Filesize
188KB

Download
memory/2908-272-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2908-276-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2920-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2920-134-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2988-288-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/3024-377-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads