6d91d7132bad679de600891d3d228a87d08516e5cbebeb18a888e1eb370c8e20

Analysis

max time kernel
115s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 20:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f611647a77ae5a07cd8af00374a3c6e0N.exe
Size

464KB
MD5

f611647a77ae5a07cd8af00374a3c6e0
SHA1

9f19e90ea246c49622b38c5ba14daf9fc5d26120
SHA256

6d91d7132bad679de600891d3d228a87d08516e5cbebeb18a888e1eb370c8e20
SHA512

88375453324921e1d3c0718b253d31bb00512f3f35882dd03c4290531ceedf7f3c293966d8f9aad0c70691092af62995412f1f986b3ad01c761a51d339246c36
SSDEEP

12288:A9je2ftPh2kkkkK4kXkkkkkkkkl888888888888888888nI:A962lPh2kkkkK4kXkkkkkkkki

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnngpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ekimjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcneeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fcpakn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fggdpnkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dnljkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddhomdje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dncpkjoc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epffbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eqkondfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqmlccdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eaaiahei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egbken32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnffhgon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fgnjqm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdbkja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fbfkceca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dphiaffa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ecbeip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ecdbop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fnalmh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqphic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjmfmh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnljkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eafbmgad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eddnic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fgqgfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f611647a77ae5a07cd8af00374a3c6e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ciihjmcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ejlnfjbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ekljpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fkgillpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgqgfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Egegjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcjdam32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagmdllg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddfbgelh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dncpkjoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gkoplk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cildom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egegjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fclhpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqikob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqdbdbna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fjmfmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fbdnne32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnohnffc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gqnejaff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gnmlhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkpjdo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egkddo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ejccgi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enopghee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fclhpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fncibg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ccmcgcmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dcibca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fcneeo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fncibg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fnffhgon.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dckoia32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djegekil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dnqcfjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gcghkm32.exe

Executes dropped EXE 64 IoCs

pid	Process
4472	Bagmdllg.exe
2088	Bdeiqgkj.exe
2932	Ckbncapd.exe
960	Calfpk32.exe
4752	Ccmcgcmp.exe
4948	Ciihjmcj.exe
3212	Cildom32.exe
1532	Dkkaiphj.exe
1820	Dphiaffa.exe
1644	Dgbanq32.exe
2536	Dnljkk32.exe
4396	Dahfkimd.exe
3588	Ddfbgelh.exe
3700	Dcibca32.exe
1168	Dgdncplk.exe
4864	Dkpjdo32.exe
512	Dnngpj32.exe
1656	Dajbaika.exe
4108	Ddhomdje.exe
2984	Dckoia32.exe
4648	Dggkipii.exe
2804	Djegekil.exe
3940	Dnqcfjae.exe
3412	Dpopbepi.exe
5112	Dcnlnaom.exe
2020	Dgihop32.exe
1008	Djgdkk32.exe
948	Dncpkjoc.exe
2844	Dpalgenf.exe
3288	Ddmhhd32.exe
3396	Egkddo32.exe
4160	Ejjaqk32.exe
3736	Eaaiahei.exe
3160	Epdime32.exe
4064	Ecbeip32.exe
2596	Ekimjn32.exe
1516	Ejlnfjbd.exe
4416	Eaceghcg.exe
2436	Epffbd32.exe
3664	Ecdbop32.exe
4836	Ekljpm32.exe
2928	Enjfli32.exe
5148	Eafbmgad.exe
5188	Eddnic32.exe
5228	Egbken32.exe
5268	Ekngemhd.exe
5312	Enlcahgh.exe
5352	Eqkondfl.exe
5388	Edfknb32.exe
5428	Egegjn32.exe
5468	Ejccgi32.exe
5512	Enopghee.exe
5548	Eqmlccdi.exe
5596	Fclhpo32.exe
5636	Fggdpnkf.exe
5668	Fnalmh32.exe
5708	Fqphic32.exe
5748	Fcneeo32.exe
5788	Fkemfl32.exe
5828	Fncibg32.exe
5872	Fqbeoc32.exe
5908	Fcpakn32.exe
5948	Fkgillpj.exe
5988	Fnffhgon.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Fdpnda32.exe	Fqdbdbna.exe
File opened for modification	C:\Windows\SysWOW64\Dajbaika.exe	Dnngpj32.exe
File created	C:\Windows\SysWOW64\Dgihop32.exe	Dcnlnaom.exe
File created	C:\Windows\SysWOW64\Egkddo32.exe	Ddmhhd32.exe
File created	C:\Windows\SysWOW64\Bopnkd32.dll	Dckoia32.exe
File created	C:\Windows\SysWOW64\Klfhhpnk.dll	Fgnjqm32.exe
File created	C:\Windows\SysWOW64\Iffahdpm.dll	Fnalmh32.exe
File opened for modification	C:\Windows\SysWOW64\Eddnic32.exe	Eafbmgad.exe
File created	C:\Windows\SysWOW64\Emjnfn32.dll	Gqnejaff.exe
File created	C:\Windows\SysWOW64\Dkpjdo32.exe	Dgdncplk.exe
File created	C:\Windows\SysWOW64\Dpopbepi.exe	Dnqcfjae.exe
File created	C:\Windows\SysWOW64\Ddmhhd32.exe	Dpalgenf.exe
File opened for modification	C:\Windows\SysWOW64\Gnohnffc.exe	Gkalbj32.exe
File opened for modification	C:\Windows\SysWOW64\Fjmfmh32.exe	Fgnjqm32.exe
File created	C:\Windows\SysWOW64\Gqkhda32.exe	Gnmlhf32.exe
File created	C:\Windows\SysWOW64\Lifcnk32.dll	Gnmlhf32.exe
File opened for modification	C:\Windows\SysWOW64\Gbmadd32.exe	Gjficg32.exe
File created	C:\Windows\SysWOW64\Gdmkfp32.dll	Dncpkjoc.exe
File opened for modification	C:\Windows\SysWOW64\Ekimjn32.exe	Ecbeip32.exe
File created	C:\Windows\SysWOW64\Flpbbbdk.dll	Ejlnfjbd.exe
File created	C:\Windows\SysWOW64\Djegekil.exe	Dggkipii.exe
File created	C:\Windows\SysWOW64\Dnhpfk32.dll	Dpalgenf.exe
File created	C:\Windows\SysWOW64\Ecdbop32.exe	Epffbd32.exe
File opened for modification	C:\Windows\SysWOW64\Ciihjmcj.exe	Ccmcgcmp.exe
File created	C:\Windows\SysWOW64\Enopghee.exe	Ejccgi32.exe
File opened for modification	C:\Windows\SysWOW64\Gnmlhf32.exe	Gkoplk32.exe
File opened for modification	C:\Windows\SysWOW64\Dgihop32.exe	Dcnlnaom.exe
File created	C:\Windows\SysWOW64\Camgolnm.dll	Epdime32.exe
File created	C:\Windows\SysWOW64\Ojimfh32.dll	Enopghee.exe
File created	C:\Windows\SysWOW64\Fdpnda32.exe	Fqdbdbna.exe
File created	C:\Windows\SysWOW64\Kcpcgc32.dll	Dpopbepi.exe
File created	C:\Windows\SysWOW64\Ajgqdaoi.dll	Fqphic32.exe
File created	C:\Windows\SysWOW64\Fqbeoc32.exe	Fncibg32.exe
File opened for modification	C:\Windows\SysWOW64\Bdeiqgkj.exe	Bagmdllg.exe
File created	C:\Windows\SysWOW64\Dcnlnaom.exe	Dpopbepi.exe
File created	C:\Windows\SysWOW64\Eclbio32.dll	Eqmlccdi.exe
File created	C:\Windows\SysWOW64\Gcjdam32.exe	Gqkhda32.exe
File created	C:\Windows\SysWOW64\Fbcolk32.dll	Calfpk32.exe
File created	C:\Windows\SysWOW64\Hhdebqbi.dll	Dnqcfjae.exe
File created	C:\Windows\SysWOW64\Egbken32.exe	Eddnic32.exe
File opened for modification	C:\Windows\SysWOW64\Eafbmgad.exe	Enjfli32.exe
File opened for modification	C:\Windows\SysWOW64\Enlcahgh.exe	Ekngemhd.exe
File created	C:\Windows\SysWOW64\Ejccgi32.exe	Egegjn32.exe
File opened for modification	C:\Windows\SysWOW64\Ejccgi32.exe	Egegjn32.exe
File created	C:\Windows\SysWOW64\Kminigbj.dll	Fbfkceca.exe
File created	C:\Windows\SysWOW64\Ddfbgelh.exe	Dahfkimd.exe
File created	C:\Windows\SysWOW64\Dnqcfjae.exe	Djegekil.exe
File created	C:\Windows\SysWOW64\Dncpkjoc.exe	Djgdkk32.exe
File opened for modification	C:\Windows\SysWOW64\Dphiaffa.exe	Dkkaiphj.exe
File created	C:\Windows\SysWOW64\Mjbaohka.dll	Dgbanq32.exe
File created	C:\Windows\SysWOW64\Dahfkimd.exe	Dnljkk32.exe
File opened for modification	C:\Windows\SysWOW64\Edfknb32.exe	Eqkondfl.exe
File created	C:\Windows\SysWOW64\Gkalbj32.exe	Gcjdam32.exe
File created	C:\Windows\SysWOW64\Gfchag32.dll	f611647a77ae5a07cd8af00374a3c6e0N.exe
File created	C:\Windows\SysWOW64\Ckbncapd.exe	Bdeiqgkj.exe
File created	C:\Windows\SysWOW64\Nlkppnab.dll	Dphiaffa.exe
File opened for modification	C:\Windows\SysWOW64\Gqkhda32.exe	Gnmlhf32.exe
File created	C:\Windows\SysWOW64\Hjmgbm32.dll	Gjficg32.exe
File created	C:\Windows\SysWOW64\Eafbmgad.exe	Enjfli32.exe
File created	C:\Windows\SysWOW64\Eqmlccdi.exe	Enopghee.exe
File opened for modification	C:\Windows\SysWOW64\Fcneeo32.exe	Fqphic32.exe
File created	C:\Windows\SysWOW64\Fdbkja32.exe	Fbdnne32.exe
File opened for modification	C:\Windows\SysWOW64\Gcghkm32.exe	Fqikob32.exe
File opened for modification	C:\Windows\SysWOW64\Dnljkk32.exe	Dgbanq32.exe

Program crash 1 IoCs

pid	pid_target	Process
6044	5860	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdeiqgkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckbncapd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnngpj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekngemhd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnffhgon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dajbaika.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dggkipii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecbeip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqmlccdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dckoia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egkddo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejjaqk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epffbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqphic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fncibg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gnohnffc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkgillpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqikob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmcgcmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eafbmgad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egegjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagmdllg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqbeoc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdpnda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gcjdam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cildom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnljkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dahfkimd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekljpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enlcahgh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fggdpnkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgnjqm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjocbhbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epdime32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egbken32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnalmh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqdbdbna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgqgfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f611647a77ae5a07cd8af00374a3c6e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejlnfjbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgdncplk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgihop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eaaiahei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqkondfl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcpakn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gkalbj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dncpkjoc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmhhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enjfli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edfknb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gcghkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gjficg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnqcfjae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekimjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eaceghcg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enopghee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fclhpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjmfmh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbdnne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkpjdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djegekil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eddnic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejccgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gnmlhf32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bagmdllg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dggkipii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Egkddo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dphiaffa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agecdgmk.dll"	Dahfkimd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Epdime32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ecdbop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhbjnc32.dll"	Eddnic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcipf32.dll"	Fbdnne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dcibca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdmkfp32.dll"	Dncpkjoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhaiafem.dll"	Eaceghcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Enjfli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Enlcahgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhhnfh32.dll"	Edfknb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Egegjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjinnekj.dll"	Fcpakn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fgnjqm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dnljkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dcibca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eqkondfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fjocbhbo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bdeiqgkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Calfpk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fnffhgon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apocmn32.dll"	Gcjdam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dajbaika.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Binfdh32.dll"	Ekljpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kamonn32.dll"	Egbken32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ekngemhd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Enopghee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fggdpnkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iffahdpm.dll"	Fnalmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fqdbdbna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bigpblgh.dll"	Cildom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkodbfgo.dll"	Dkkaiphj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkpjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eemeqinf.dll"	Dkpjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anijgd32.dll"	Ecbeip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ejccgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fgqgfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fgqgfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gkoplk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckbncapd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkpjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikpndppf.dll"	Dggkipii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgihop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmfbkh32.dll"	Gqkhda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckfaapfi.dll"	Gnohnffc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgbanq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dnngpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djgdkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnoefe32.dll"	Eaaiahei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fncibg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gqnejaff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ejjaqk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Epffbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fclhpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fjmfmh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gcjdam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bdeiqgkj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ejlnfjbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kplqhmfl.dll"	Egegjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klfhhpnk.dll"	Fgnjqm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 4472	1376	f611647a77ae5a07cd8af00374a3c6e0N.exe	91
PID 1376 wrote to memory of 4472	1376	f611647a77ae5a07cd8af00374a3c6e0N.exe	91
PID 1376 wrote to memory of 4472	1376	f611647a77ae5a07cd8af00374a3c6e0N.exe	91
PID 4472 wrote to memory of 2088	4472	Bagmdllg.exe	92
PID 4472 wrote to memory of 2088	4472	Bagmdllg.exe	92
PID 4472 wrote to memory of 2088	4472	Bagmdllg.exe	92
PID 2088 wrote to memory of 2932	2088	Bdeiqgkj.exe	93
PID 2088 wrote to memory of 2932	2088	Bdeiqgkj.exe	93
PID 2088 wrote to memory of 2932	2088	Bdeiqgkj.exe	93
PID 2932 wrote to memory of 960	2932	Ckbncapd.exe	94
PID 2932 wrote to memory of 960	2932	Ckbncapd.exe	94
PID 2932 wrote to memory of 960	2932	Ckbncapd.exe	94
PID 960 wrote to memory of 4752	960	Calfpk32.exe	95
PID 960 wrote to memory of 4752	960	Calfpk32.exe	95
PID 960 wrote to memory of 4752	960	Calfpk32.exe	95
PID 4752 wrote to memory of 4948	4752	Ccmcgcmp.exe	97
PID 4752 wrote to memory of 4948	4752	Ccmcgcmp.exe	97
PID 4752 wrote to memory of 4948	4752	Ccmcgcmp.exe	97
PID 4948 wrote to memory of 3212	4948	Ciihjmcj.exe	99
PID 4948 wrote to memory of 3212	4948	Ciihjmcj.exe	99
PID 4948 wrote to memory of 3212	4948	Ciihjmcj.exe	99
PID 3212 wrote to memory of 1532	3212	Cildom32.exe	100
PID 3212 wrote to memory of 1532	3212	Cildom32.exe	100
PID 3212 wrote to memory of 1532	3212	Cildom32.exe	100
PID 1532 wrote to memory of 1820	1532	Dkkaiphj.exe	101
PID 1532 wrote to memory of 1820	1532	Dkkaiphj.exe	101
PID 1532 wrote to memory of 1820	1532	Dkkaiphj.exe	101
PID 1820 wrote to memory of 1644	1820	Dphiaffa.exe	102
PID 1820 wrote to memory of 1644	1820	Dphiaffa.exe	102
PID 1820 wrote to memory of 1644	1820	Dphiaffa.exe	102
PID 1644 wrote to memory of 2536	1644	Dgbanq32.exe	103
PID 1644 wrote to memory of 2536	1644	Dgbanq32.exe	103
PID 1644 wrote to memory of 2536	1644	Dgbanq32.exe	103
PID 2536 wrote to memory of 4396	2536	Dnljkk32.exe	104
PID 2536 wrote to memory of 4396	2536	Dnljkk32.exe	104
PID 2536 wrote to memory of 4396	2536	Dnljkk32.exe	104
PID 4396 wrote to memory of 3588	4396	Dahfkimd.exe	105
PID 4396 wrote to memory of 3588	4396	Dahfkimd.exe	105
PID 4396 wrote to memory of 3588	4396	Dahfkimd.exe	105
PID 3588 wrote to memory of 3700	3588	Ddfbgelh.exe	106
PID 3588 wrote to memory of 3700	3588	Ddfbgelh.exe	106
PID 3588 wrote to memory of 3700	3588	Ddfbgelh.exe	106
PID 3700 wrote to memory of 1168	3700	Dcibca32.exe	107
PID 3700 wrote to memory of 1168	3700	Dcibca32.exe	107
PID 3700 wrote to memory of 1168	3700	Dcibca32.exe	107
PID 1168 wrote to memory of 4864	1168	Dgdncplk.exe	108
PID 1168 wrote to memory of 4864	1168	Dgdncplk.exe	108
PID 1168 wrote to memory of 4864	1168	Dgdncplk.exe	108
PID 4864 wrote to memory of 512	4864	Dkpjdo32.exe	109
PID 4864 wrote to memory of 512	4864	Dkpjdo32.exe	109
PID 4864 wrote to memory of 512	4864	Dkpjdo32.exe	109
PID 512 wrote to memory of 1656	512	Dnngpj32.exe	110
PID 512 wrote to memory of 1656	512	Dnngpj32.exe	110
PID 512 wrote to memory of 1656	512	Dnngpj32.exe	110
PID 1656 wrote to memory of 4108	1656	Dajbaika.exe	111
PID 1656 wrote to memory of 4108	1656	Dajbaika.exe	111
PID 1656 wrote to memory of 4108	1656	Dajbaika.exe	111
PID 4108 wrote to memory of 2984	4108	Ddhomdje.exe	112
PID 4108 wrote to memory of 2984	4108	Ddhomdje.exe	112
PID 4108 wrote to memory of 2984	4108	Ddhomdje.exe	112
PID 2984 wrote to memory of 4648	2984	Dckoia32.exe	113
PID 2984 wrote to memory of 4648	2984	Dckoia32.exe	113
PID 2984 wrote to memory of 4648	2984	Dckoia32.exe	113
PID 4648 wrote to memory of 2804	4648	Dggkipii.exe	114

C:\Users\Admin\AppData\Local\Temp\f611647a77ae5a07cd8af00374a3c6e0N.exe
"C:\Users\Admin\AppData\Local\Temp\f611647a77ae5a07cd8af00374a3c6e0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Windows\SysWOW64\Bagmdllg.exe
  C:\Windows\system32\Bagmdllg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4472
- - C:\Windows\SysWOW64\Bdeiqgkj.exe
    C:\Windows\system32\Bdeiqgkj.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2088
  - - C:\Windows\SysWOW64\Ckbncapd.exe
      C:\Windows\system32\Ckbncapd.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2932
    - - C:\Windows\SysWOW64\Calfpk32.exe
        
        C:\Windows\system32\Calfpk32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:960
      - C:\Windows\SysWOW64\Ccmcgcmp.exe
        
        C:\Windows\system32\Ccmcgcmp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4752
        
        C:\Windows\SysWOW64\Ciihjmcj.exe
        
        C:\Windows\system32\Ciihjmcj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\SysWOW64\Cildom32.exe
        
        C:\Windows\system32\Cildom32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Windows\SysWOW64\Dkkaiphj.exe
        
        C:\Windows\system32\Dkkaiphj.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\SysWOW64\Dphiaffa.exe
        
        C:\Windows\system32\Dphiaffa.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\SysWOW64\Dgbanq32.exe
        
        C:\Windows\system32\Dgbanq32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\Dnljkk32.exe
        
        C:\Windows\system32\Dnljkk32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\SysWOW64\Dahfkimd.exe
        
        C:\Windows\system32\Dahfkimd.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4396
        
        C:\Windows\SysWOW64\Ddfbgelh.exe
        
        C:\Windows\system32\Ddfbgelh.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\SysWOW64\Dcibca32.exe
        
        C:\Windows\system32\Dcibca32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3700
        
        C:\Windows\SysWOW64\Dgdncplk.exe
        
        C:\Windows\system32\Dgdncplk.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1168
        
        C:\Windows\SysWOW64\Dkpjdo32.exe
        
        C:\Windows\system32\Dkpjdo32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\SysWOW64\Dnngpj32.exe
        
        C:\Windows\system32\Dnngpj32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:512
        
        C:\Windows\SysWOW64\Dajbaika.exe
        
        C:\Windows\system32\Dajbaika.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\Ddhomdje.exe
        
        C:\Windows\system32\Ddhomdje.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4108
        
        C:\Windows\SysWOW64\Dckoia32.exe
        
        C:\Windows\system32\Dckoia32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\SysWOW64\Dggkipii.exe
        
        C:\Windows\system32\Dggkipii.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4648
        
        C:\Windows\SysWOW64\Djegekil.exe
        
        C:\Windows\system32\Djegekil.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2804
        
        C:\Windows\SysWOW64\Dnqcfjae.exe
        
        C:\Windows\system32\Dnqcfjae.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3940
        
        C:\Windows\SysWOW64\Dpopbepi.exe
        
        C:\Windows\system32\Dpopbepi.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3412
        
        C:\Windows\SysWOW64\Dcnlnaom.exe
        
        C:\Windows\system32\Dcnlnaom.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5112
        
        C:\Windows\SysWOW64\Dgihop32.exe
        
        C:\Windows\system32\Dgihop32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\Djgdkk32.exe
        
        C:\Windows\system32\Djgdkk32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1008
        
        C:\Windows\SysWOW64\Dncpkjoc.exe
        
        C:\Windows\system32\Dncpkjoc.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:948
        
        C:\Windows\SysWOW64\Dpalgenf.exe
        
        C:\Windows\system32\Dpalgenf.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2844
        
        C:\Windows\SysWOW64\Ddmhhd32.exe
        
        C:\Windows\system32\Ddmhhd32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3288
        
        C:\Windows\SysWOW64\Egkddo32.exe
        
        C:\Windows\system32\Egkddo32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3396
        
        C:\Windows\SysWOW64\Ejjaqk32.exe
        
        C:\Windows\system32\Ejjaqk32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4160
        
        C:\Windows\SysWOW64\Eaaiahei.exe
        
        C:\Windows\system32\Eaaiahei.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3736
        
        C:\Windows\SysWOW64\Epdime32.exe
        
        C:\Windows\system32\Epdime32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3160
        
        C:\Windows\SysWOW64\Ecbeip32.exe
        
        C:\Windows\system32\Ecbeip32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4064
        
        C:\Windows\SysWOW64\Ekimjn32.exe
        
        C:\Windows\system32\Ekimjn32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2596
        
        C:\Windows\SysWOW64\Ejlnfjbd.exe
        
        C:\Windows\system32\Ejlnfjbd.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Eaceghcg.exe
        
        C:\Windows\system32\Eaceghcg.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Epffbd32.exe
        
        C:\Windows\system32\Epffbd32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2436
        
        C:\Windows\SysWOW64\Ecdbop32.exe
        
        C:\Windows\system32\Ecdbop32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3664
        
        C:\Windows\SysWOW64\Ekljpm32.exe
        
        C:\Windows\system32\Ekljpm32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Enjfli32.exe
        
        C:\Windows\system32\Enjfli32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2928
        
        C:\Windows\SysWOW64\Eafbmgad.exe
        
        C:\Windows\system32\Eafbmgad.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5148
        
        C:\Windows\SysWOW64\Eddnic32.exe
        
        C:\Windows\system32\Eddnic32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Egbken32.exe
        
        C:\Windows\system32\Egbken32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5228
        
        C:\Windows\SysWOW64\Ekngemhd.exe
        
        C:\Windows\system32\Ekngemhd.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Enlcahgh.exe
        
        C:\Windows\system32\Enlcahgh.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5312
        
        C:\Windows\SysWOW64\Eqkondfl.exe
        
        C:\Windows\system32\Eqkondfl.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Edfknb32.exe
        
        C:\Windows\system32\Edfknb32.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Egegjn32.exe
        
        C:\Windows\system32\Egegjn32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Ejccgi32.exe
        
        C:\Windows\system32\Ejccgi32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5468
        
        C:\Windows\SysWOW64\Enopghee.exe
        
        C:\Windows\system32\Enopghee.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Eqmlccdi.exe
        
        C:\Windows\system32\Eqmlccdi.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5548
        
        C:\Windows\SysWOW64\Fclhpo32.exe
        
        C:\Windows\system32\Fclhpo32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Fggdpnkf.exe
        
        C:\Windows\system32\Fggdpnkf.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5636
        
        C:\Windows\SysWOW64\Fnalmh32.exe
        
        C:\Windows\system32\Fnalmh32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Fqphic32.exe
        
        C:\Windows\system32\Fqphic32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5708
        
        C:\Windows\SysWOW64\Fcneeo32.exe
        
        C:\Windows\system32\Fcneeo32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5748
        
        C:\Windows\SysWOW64\Fkemfl32.exe
        
        C:\Windows\system32\Fkemfl32.exe
        60⤵
        Executes dropped EXE
        
        PID:5788
        
        C:\Windows\SysWOW64\Fncibg32.exe
        
        C:\Windows\system32\Fncibg32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5828
        
        C:\Windows\SysWOW64\Fqbeoc32.exe
        
        C:\Windows\system32\Fqbeoc32.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5872
        
        C:\Windows\SysWOW64\Fcpakn32.exe
        
        C:\Windows\system32\Fcpakn32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5908
        
        C:\Windows\SysWOW64\Fkgillpj.exe
        
        C:\Windows\system32\Fkgillpj.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5948
        
        C:\Windows\SysWOW64\Fnffhgon.exe
        
        C:\Windows\system32\Fnffhgon.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Fqdbdbna.exe
        
        C:\Windows\system32\Fqdbdbna.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Fdpnda32.exe
        
        C:\Windows\system32\Fdpnda32.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:6068
        
        C:\Windows\SysWOW64\Fgnjqm32.exe
        
        C:\Windows\system32\Fgnjqm32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6108
        
        C:\Windows\SysWOW64\Fjmfmh32.exe
        
        C:\Windows\system32\Fjmfmh32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Fbdnne32.exe
        
        C:\Windows\system32\Fbdnne32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Fdbkja32.exe
        
        C:\Windows\system32\Fdbkja32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3240
        
        C:\Windows\SysWOW64\Fgqgfl32.exe
        
        C:\Windows\system32\Fgqgfl32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2852
        
        C:\Windows\SysWOW64\Fjocbhbo.exe
        
        C:\Windows\system32\Fjocbhbo.exe
        73⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Fbfkceca.exe
        
        C:\Windows\system32\Fbfkceca.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:624
        
        C:\Windows\SysWOW64\Fqikob32.exe
        
        C:\Windows\system32\Fqikob32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5136
        
        C:\Windows\SysWOW64\Gcghkm32.exe
        
        C:\Windows\system32\Gcghkm32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5220
        
        C:\Windows\SysWOW64\Gkoplk32.exe
        
        C:\Windows\system32\Gkoplk32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Gnmlhf32.exe
        
        C:\Windows\system32\Gnmlhf32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5376
        
        C:\Windows\SysWOW64\Gqkhda32.exe
        
        C:\Windows\system32\Gqkhda32.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Gcjdam32.exe
        
        C:\Windows\system32\Gcjdam32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5504
        
        C:\Windows\SysWOW64\Gkalbj32.exe
        
        C:\Windows\system32\Gkalbj32.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5576
        
        C:\Windows\SysWOW64\Gnohnffc.exe
        
        C:\Windows\system32\Gnohnffc.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5652
        
        C:\Windows\SysWOW64\Gqnejaff.exe
        
        C:\Windows\system32\Gqnejaff.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Gjficg32.exe
        
        C:\Windows\system32\Gjficg32.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5804
        
        C:\Windows\SysWOW64\Gbmadd32.exe
        
        C:\Windows\system32\Gbmadd32.exe
        85⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5860 -s 412
        86⤵
        Program crash
        
        PID:6044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5860 -ip 5860
1⤵
PID:6012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1040,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=4384 /prefetch:8
1⤵
PID:5936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bagmdllg.exe

Filesize
464KB

MD5
a2fdac35d57984c40aad36f7e4d6312d

SHA1
66485943f65bd0cb09c95db47f69f7d84976e07c

SHA256
4dba31daa9c1e429b6711369b9be961285fa774fcdfca2077323eefb483db5d7

SHA512
e3448c56fa00206e9af9a12d89e630097d7dcc706fe5d7844d029c041b940610a9fe4f550b626f0015e39fa4030f53aed2ed0551c64588a5b64cc7aa4a0c5a34

Download Submit
C:\Windows\SysWOW64\Bdeiqgkj.exe

Filesize
464KB

MD5
14cb87403b1b2d643df7f9a42207f1d0

SHA1
7c3fc14c05a76072bb6655f582f34edf9a39867c

SHA256
e5760ea340899c9c196eb167bb4fca38fad434cc386b8a3291f65e1eb12240d8

SHA512
91a04f68c5c3bb47aff30c24905c4d5721d7d3f9af3c79e660677faa8a89e8762b133487bc7e6b3143e42e4406d6d0fe88005665b40862ba3aeb19cb5fa45f75

Download Submit
C:\Windows\SysWOW64\Calfpk32.exe

Filesize
464KB

MD5
14403b8b8fb3133c144b228393ed5635

SHA1
39005a1941546f6d429da9ae675f917af6d6a01c

SHA256
7bebb468f3291ad0326163a6bb4ee9145bdd217963d15890339e4157cd488b0c

SHA512
47d842c9e2f1b42cde9e0e326b68252f1a3a20919e8523ee627ef7c09aad06fc8e716b4f34df5397b04d8f88b273c88b80349b4eb9fa6dccebe819daf4d758a6

Download Submit
C:\Windows\SysWOW64\Ccmcgcmp.exe

Filesize
464KB

MD5
ead3c8940a7c9969a7e4e978dfea8ad3

SHA1
7689fa53cd35a9708573f474e9e1c5512bbe2616

SHA256
bfb962e6c420f4c0edf3d1fe06d3378518847e0566674ada9b3628339bcf297d

SHA512
0753d9f7a1dd301bdbd3f9e2abfe398a21111dd36d9a88c3add6cb339594e756f9ae5768fa2e7622c8f7df0e6d459818906f478f7936f7433158196757ea6855

Download Submit
C:\Windows\SysWOW64\Ciihjmcj.exe

Filesize
464KB

MD5
e7c0c77538ac49eefaf08feaa77e3ff5

SHA1
fc5ad0e60f1d274b39b819fbe3ce77500cf47489

SHA256
4ed80fe8edbaa3a45f060282921996dbda5f60a3233ebf885f1102f1214b8ca1

SHA512
60cb4e5cb6f14a56cd4795791ff2163c73ee035fbb1c9a4ad71cd51b9a1de3d1fcc3141d40c6467eca0ab4ff40e469b01de18344273329afa20ecc5695c0b09e

Download Submit
C:\Windows\SysWOW64\Ciihjmcj.exe

Filesize
464KB

MD5
d56c91561708ae0f06f9ef9c5d201938

SHA1
4524d1459b93b37d0b1c596eed41e24c10c1f65e

SHA256
539f89feaa7f13290d1b7d584aecb69e61a3287b4e827147c3ae850eb0138542

SHA512
66c2785343b647a48af1241d3f463c0ca7b176af54fb9990322f8847699fd4765aaa607d6ea6fdf019c5a3b72f7ed72c2d1abdbe2883f67ff2f12e1edd8b2dc9

Download Submit
C:\Windows\SysWOW64\Cildom32.exe

Filesize
464KB

MD5
a52c96c19956981c67e5f2a4c7a35c3e

SHA1
d2fa21ddf267f37c2a8b8efd8e3550ef4a7cd093

SHA256
70be47bc5694310431df67d35012649cf1d833137ef48ff132ad636531eb3dc1

SHA512
c607b655c04c591787dea83cc7e0fa9645cf3b572a723ac22af0b636a90471864ef32abf52d59b99ea5d58096e8a2e1cea1746d2cba3a7715d3c3f22611ff6e8

Download Submit
C:\Windows\SysWOW64\Ckbncapd.exe

Filesize
464KB

MD5
a911526afbc493935cadd991eb127ca7

SHA1
70f7be10e40d85f5e891079fc815eadd98755f00

SHA256
2b8d56e766bdb1c4aa36412ad562e5157236367da7f0e551c659e5b68f9865e3

SHA512
3cc7324c54283a5cf19fc298bada6bd38f5d0ddbdf50234a1d896f0bbb150702cea371646ff2b1e56f189f0f18773c43acdb0db4ea1df2694eb61ac393e5b312

Download Submit
C:\Windows\SysWOW64\Dahfkimd.exe

Filesize
464KB

MD5
98bc0200bf91a96a09466aaa00affa8b

SHA1
5937acc198ed10ceaade6fdedbd42e7e6a28aa62

SHA256
8266fd039a088efd2698ae4cd59af5b4bc1dc37a41fd4d2008bbaad190792190

SHA512
8838d9f6ec043f7e4ea88572dfd27b6160786ed16fc8074978e4d85caa6f201cd0f10691c44d7db9d7dc9dbc639fcc088648c650a06ec829e2418457ed5a5e60

Download Submit
C:\Windows\SysWOW64\Dajbaika.exe

Filesize
464KB

MD5
30e2208881847f26bc483a46d3116d36

SHA1
f274e9e7e2cf23b58c4b6d6f3d39b5c05eef3433

SHA256
40e8a557ee79a5c063df0b5fcf6d8d7585c00c4cd4420834f04a44cbd809b4a4

SHA512
fc4680f55c69a348b393e7313ad1d18c21611f3fa7a41bc39c47f48ee85bd8255e4103d92062716f57288253a5262ea988c8b7cd0054900d1b9a42011f2ae5bf

Download Submit
C:\Windows\SysWOW64\Dcibca32.exe

Filesize
464KB

MD5
a081ceda15b1521d33ccaeafbac0d155

SHA1
765d065ee78bbc6f8c8282183dc75e8ee4d3d3a1

SHA256
1b5b21e4afa1a9a85049bea5dcdece948139756b2095a7cf1a939e19af7a6bc4

SHA512
b675269c3bd417a3304b04622863377695a101986b9bfeefdc5081073609bc90f229680bfdfd95e045454f9437322979776b95152f2ff63a5b94bdf187142a02

Download Submit
C:\Windows\SysWOW64\Dckoia32.exe

Filesize
464KB

MD5
d190d960cd921089c66faa1bd46ea8fd

SHA1
2a0704b91350e7adf6d2ee8515dbf94f6c4033ef

SHA256
8114bca28acfffb07c6c5ad52e7c9e1619947ba5c2f8d037f2a313f1065a0ffb

SHA512
3ebbb04ab2f5252a254611b4c137f844ac99fda835eba904105f8dbd1577d5abf00c3c7d8042b5f59a4fc17116d06e57a26c62ea201b73a429b85c287f16f93d

Download Submit
C:\Windows\SysWOW64\Dcnlnaom.exe

Filesize
464KB

MD5
7766da8152ecd248832226a065f7c355

SHA1
4c2c1b052d6b9dea9631222e46047788fd71d1b6

SHA256
a5e226edb4dab961c68365bd1c6a26eaedc8aabf89039cdc2d5c9f0b0dae8d0b

SHA512
914a49ecc8efb1a25e96b8cfd0bdb3dbd444b3efa4f070571b2eae3a1cccc50422f9fd8134592b8911fea5a56724ff1a1a428c4bc256560cd34b319e4d1682f5

Download Submit
C:\Windows\SysWOW64\Ddfbgelh.exe

Filesize
464KB

MD5
56db1e166b9133742f724d45a77b5da4

SHA1
569840eec7b7b8f333e5162e3be564b2f2de3ab6

SHA256
6636ad510f875fe26b02de67bcbaf4d92b468106c4280378ee5a8ebe835e8fd0

SHA512
bdda920fba6c3c33b441f35026efad305504508a1dad07c643c9a3a1d17c2ebbd2d866c794bddfc463b40cc61c743280c95e991202340b302004af5b5531d433

Download Submit
C:\Windows\SysWOW64\Ddhomdje.exe

Filesize
464KB

MD5
dd344c5fe76dbd857a245e90013d304b

SHA1
14cb2cb8a18888e583d7e91a93c42bac0896baf4

SHA256
904d17b4277c40ef6f7ba4515143abadc1a74e7156f71cfe1e7ebbdd8d47803c

SHA512
08d4267194a758a5fa1a08a6f0aa0c68db697217cb310f7b1b3084ce94d7b2ffd5f9f7a94f2ade649d03123ae031e1a5062ff6ee96d10af6beb641f9126a950d

Download Submit
C:\Windows\SysWOW64\Ddmhhd32.exe

Filesize
464KB

MD5
e1ac01957944e271524b1d7a942b4a3b

SHA1
81070935f8a6d7f7bccd7a936f6993034d3f01d4

SHA256
d2db880c988d2b2a47b3f0167bc886cdf2d698c6f7fdec47ccaf4eb92933cb0a

SHA512
73cf22477cd5fad2aefb3a19080bce49596e5ed9d753da1048c359497cab3d8566e601c4e3725c925e071322b3fa874c89c0cfdd3e0738f550503fa2c30c4d2c

Download Submit
C:\Windows\SysWOW64\Dgbanq32.exe

Filesize
464KB

MD5
9cb0ff18dab779efa3ae06d7c71ff3a0

SHA1
25150a02c6d0cea12fbd1b70c282f55c6abe3d6a

SHA256
cbf45d1e81b436f2fa8c8424cd08ba60b2c64c9757b831852c8f3c9132408826

SHA512
902461b9c1e204f849c2f37404b6c9145955a73c7f5e7be9c5a945fe93cfd67546df496c2ca900942caa7f9397d172fd40f05402289f6080adcc7b3b44c1bc76

Download Submit
C:\Windows\SysWOW64\Dgdncplk.exe

Filesize
464KB

MD5
d8d3470eeef95dc85f669fd2c561856f

SHA1
9361ac4920055702757d837c637d0b16491520a5

SHA256
35ae7aa8f6a7c3ba1e5943cf99c1f754a3d319e7694f02d916d303769e3ed199

SHA512
c692d13f6ce28fbcdd7342caa6b3983e9878c422344e9e6115eb365d7518c0f1b0e2f463b0a0704c91bd691521c5893b44eb6d1e81d427ea179c65274d82b2ea

Download Submit
C:\Windows\SysWOW64\Dggkipii.exe

Filesize
464KB

MD5
d47e7d7637f6cc54e3752fa516b3b16e

SHA1
84eb21bd3ceaf46613ea27b9b4633fdf2a121f59

SHA256
2aeb746c2b9f86c15bce1aacdd1add28f85948ca3d2bc213c0609f40a4aa3e5f

SHA512
9fe45ad3f785cb81fd1a27e47a8d33900595deada006b4dcd377e31f3454c24403b2ac6e44b25ef8ad18694e266219f67e990ce3d0b7214672476d8c42824ed2

Download Submit
C:\Windows\SysWOW64\Dgihop32.exe

Filesize
464KB

MD5
b7787be991df3a0945103736aa08fbb8

SHA1
d922b7889fe93d479c6cf957b9ddd5f982d39bd7

SHA256
cf66cf9ad8a356e38a9a4b6c275123c53d1695df4c47cf4a6804a5a8d77bad25

SHA512
c6f9213c6c786dd731326f13d9e31ad1143a6af31e0f86a711906769cfaa17638a5a591f6a956b8224187ca58592b5924ecddff53df38a69095934b03f3638de

Download Submit
C:\Windows\SysWOW64\Djegekil.exe

Filesize
464KB

MD5
74522b23d763b1b314d8703d05e3e864

SHA1
9d8b4f0c4b3e97989c330c224704fb5a3e1781ea

SHA256
c8ce62d9da53f203da0a7fe4f00187b994dd088bbb7857afc5570c3d65c64979

SHA512
d845964d2e5d6910b126c6d4ab1bd92c7eb7b07d6d645ee1d25a3cf9b35c71861dfd17a82ee89fb966d566d08d44ef1102fa0dedee9b657c2785c9a4afaa4377

Download Submit
C:\Windows\SysWOW64\Djgdkk32.exe

Filesize
464KB

MD5
17a6d9ae1cbc0566168a994db2cfff16

SHA1
bb00efa601a007c941d9c8de51834c204c046c5d

SHA256
4507542b764680cdf9287dcabaa5d8ff7fa529009a275a0d5d5b9f124baeefaf

SHA512
509940dd0042d8b051f1dfeebe0996ed6ffe4dfdad1f5a435c426e48419e242ba8613be97d998efcd8fe7741d20cef2f86bc805a3192c0da764835a1686a85af

Download Submit
C:\Windows\SysWOW64\Dkkaiphj.exe

Filesize
464KB

MD5
65e25aaa8c72b9d7973659968ddd4a42

SHA1
28f64f6bb9afa95fce6ccf823df983f40d107949

SHA256
43fe94c990da6f7c5b985fd76c15b74b1148a59de09e582b966bdcfd1eb84e87

SHA512
5f2a4baa6f2db6569973ee8627aca43026da39480fe13f813c9e3a1d460534b55f8c29a895b63b1f3d7caeb2a147b7d9fd216a5405ea43055a6143dd296d0b05

Download Submit
C:\Windows\SysWOW64\Dkpjdo32.exe

Filesize
464KB

MD5
ed9c3afb9ddaafd7fde39cc2ea3e625a

SHA1
8a579ad19b8a91f2f2691ba77668ee7f59a53d23

SHA256
7a4f1550c0fa915608eaa2fa705fc2e5078820f7cdb6f3ec574a3781f2439058

SHA512
658809022a10bae6cfc1de42f3be6ce297cc7427c2ca33577abf43894580cd7a32de641bb91aebcc3149b3d5dc9c1f03351e16b7063449faf0885e5555908653

Download Submit
C:\Windows\SysWOW64\Dncpkjoc.exe

Filesize
464KB

MD5
ba764e91a5b36ce50b3ffd789867b0d4

SHA1
59bc9d7307b609796fadbb0b61004c7d9ae59a44

SHA256
50acb7fced25153aab08d61c028c8123deba1563501da20f18be84c43187e273

SHA512
b5e98b14e919bf7b3b9c39a503144fbaca2e402e82817c27b19c003126720af5fa11041471c0915d370665c83f9c7d58883ce83068ce4472b3adc6df1441d2d8

Download Submit
C:\Windows\SysWOW64\Dnljkk32.exe

Filesize
464KB

MD5
a7c3fdb3d9458221d1c57418c74bf066

SHA1
882297977fddf263269994e494ae6da5c368065f

SHA256
0f2c37040a45b8118e4989bc24888ca9a8d4bd16f175d37c73344a07269c4f89

SHA512
c28c78dfb5ac843e1a8dcc6409ed9ad2141cf0227ab5919356ac2143b680e66fb78c933c76b127f91448230c26dd90c835cec6e2eaa535fbb289cc4fa03fd973

Download Submit
C:\Windows\SysWOW64\Dnngpj32.exe

Filesize
464KB

MD5
4e4c193a938b8416a884517ce6ddeeec

SHA1
8814e06099a786333a08af6ce69c41c28a646b14

SHA256
364e82c2ae5d155c8908f37b348788910d6e8aeeedd3dbac2155ad5c656627aa

SHA512
b0520de3270a6c2b53945e0127bb03b184cbc0ef6ce2ce6df16b1e26dde822df2e2cf3efb5149b6fced2271f4ff34659bf8b925d200dd39aa6a5ca2dbb1e2c0d

Download Submit
C:\Windows\SysWOW64\Dnqcfjae.exe

Filesize
464KB

MD5
0fb4fe8f5016136fd03a674e415293de

SHA1
114d3772b48b7a3fa4d569cca7dfd5d7018f7862

SHA256
dfe8c072ac9cac3f63e41387a971727931dc5009d1cd74b1d9429e12fc85e20f

SHA512
3b47171fde62723cdc18c86222bcecd3a8c02ccde23ca3753b687bb8e3d030bd435f0a26b32ed787eb1a3d95b3c31c43d60a3824aea2eb613d4e94f5c3811083

Download Submit
C:\Windows\SysWOW64\Dpalgenf.exe

Filesize
464KB

MD5
c2b5c4a5a66f9ba0d0ee70990f8b3a2b

SHA1
25fd571957393710a40c1c7359f9375463c60243

SHA256
ecbdabc1eeff9e94a2b446094782a1553399b3854038238000bca6e6d7bd73c9

SHA512
18d119b87e39ba536295911d977830f577401bb184f0f53cb89b95483972b481fb77a2c313d9cf4ff17d369791333dc6ee357657de38ae3e31583b21c3b3a5cd

Download Submit
C:\Windows\SysWOW64\Dphiaffa.exe

Filesize
464KB

MD5
95d7ac7a6a92d9496ae4a9bf46842a06

SHA1
2881c9e322eed9dcc1e1fdf2acac9243aecab042

SHA256
12eb320ca5dab4f3d7cec30cf6ecb66a734e0a43004121d2760cb73d3e1bbfd3

SHA512
83e42ed25e14c83f1988086ac601daae2b80a4d2c8c177e608fd869fad3afac6764166061df2636cea32fef982ccc9506e02f5697c24ee03ad6ca077eef7a64e

Download Submit
C:\Windows\SysWOW64\Dpopbepi.exe

Filesize
464KB

MD5
b59f2f554c5cd816ef7f13087c4f414c

SHA1
44d29106187405b18f0edb3015156f6a3caf9cda

SHA256
e3b4fcc1137710f182b63d4c44e202fdb776b33e35c6766181bcf0671de900f3

SHA512
901ae780e6bc0dae3fbec5a92c07a719303741859a5d55a697edc96c95a3e1ca800a96f8cf4d8154ae8c18630a52eabc651eaccc518e93e5d121cd0421971718

Download Submit
C:\Windows\SysWOW64\Egkddo32.exe

Filesize
464KB

MD5
dfa5c1b91a97074eeec7aa3d2709875f

SHA1
9ba423547e9118e72ced5b5d5c485741c4194428

SHA256
dc37ee87616d100e270534826faa61e6c10e698111152010abe1e1983fecc241

SHA512
7f7ea3f8ae4991713565fd403d8413e5c966a993bce2ab660a373468b427bd7b4cac34f3fcf451d2f8efcc56f5b223a5852497b5143520d8a37e3bba5aae1c12

Download Submit
C:\Windows\SysWOW64\Ejjaqk32.exe

Filesize
464KB

MD5
830cd37d09daa23b232b4fd87e730b47

SHA1
36e2b385a1048386bec5c5c57c12271246b65b72

SHA256
8ec69a1db0f00fcb0fe44742b91975ccd11949dfaf24e74e040bf9d66b6c0ab4

SHA512
3fc5ce5e7d179514200153e7cedb2214a519c157fe6831183e9d902db2b7b189e1f0f6a078c01a31c3097a9a6e8ee6d1881be89e0f1613c94da08321fdeb6407

Download Submit
C:\Windows\SysWOW64\Fbcolk32.dll

Filesize
7KB

MD5
e52fd7ffd05c68e334ae8a0a45f730c0

SHA1
2f7efe1d66f69412a612873663c8e19e24821ca9

SHA256
55d643f8a7f3bbfec1b3da9f3761055a9a8ab3087b7ba7f81aa9db93fe71b198

SHA512
d3b6d1872aa2848e2487526b4bad8ba3d7cf97900f84ee5160410389a4b28d076529386870ffb96d20ee380372939384559498fefbb0a77c13bfd799800632af

Download Submit
memory/512-140-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/624-506-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/948-228-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/960-32-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/960-572-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1008-220-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1168-124-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1376-548-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1376-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1516-290-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1532-64-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1532-576-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1644-80-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1644-574-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1656-148-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1820-72-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1820-575-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2020-212-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2036-482-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2088-15-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2088-562-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2264-500-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2436-302-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2536-92-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2596-284-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2804-180-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2844-236-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2852-494-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2928-320-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2932-24-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2932-569-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2984-164-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3160-272-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3212-55-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3212-577-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3240-488-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3288-244-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3396-252-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3412-196-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3588-108-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3664-308-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3700-116-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3736-266-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3940-188-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4064-278-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4108-156-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4160-260-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4396-100-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4416-296-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4472-555-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4472-7-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4508-476-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4648-172-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4752-579-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4752-40-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4836-314-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4864-132-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4948-578-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4948-47-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5112-204-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5136-512-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5148-326-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5188-332-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5220-518-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5228-338-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5268-344-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5292-524-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5312-350-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5352-356-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5376-530-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5388-362-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5428-368-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5444-536-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5468-374-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5504-542-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5512-380-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5548-386-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5576-549-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5596-392-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5636-398-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5652-556-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5668-404-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5708-410-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5736-563-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5748-416-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5788-422-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5804-570-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5828-428-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5860-573-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5872-434-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5908-440-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5948-446-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5988-452-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/6028-458-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/6068-464-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/6108-470-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads