f057c8f7022ffe80a2547aa2cc8592d7471d2287af8e0732cf483708befae934

Analysis

max time kernel
136s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2024, 04:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f057c8f7022ffe80a2547aa2cc8592d7471d2287af8e0732cf483708befae934.exe
Size

45KB
MD5

984823f54ccd4b44013f8ef91c818002
SHA1

319ce1cb25e2a4c5ee2e93b81a79f591f982d0c7
SHA256

f057c8f7022ffe80a2547aa2cc8592d7471d2287af8e0732cf483708befae934
SHA512

c888de2a28b8168be4d6552fb092f93873cb13f8ff2dbcff2cca7ef15603782b95cee21fbdffc81303ddb48c95abec4a0f741a557dacfd9fbc5dc786cbd8ce82
SSDEEP

768:O3XVkDETKlRHRVgilA5e463EjN+0vZ5uqp2puCQ3nXHzzKHIwaCnKW/1H5Yo:OVAreeEZ5uqsub3XTzKc2K8n

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aabkbono.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aagdnn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqbeoc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aplaoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caqpkjcl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daeifj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abcgjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eaaiahei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdjblf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biklho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbanq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpbnhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqbeoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqikob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmbgdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmhhd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpjmph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edoencdm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjcmngnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckggnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgdncplk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dajbaika.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqnejaff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abfdpfaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adepji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdmoafdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqphic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqikob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aiplmq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aidehpea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abmjqe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgqpkip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dncpkjoc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dickplko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjeplijj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqkhda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggepalof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aplaoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abjmkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpjmph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ggepalof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnaecedp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcffnbee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fclhpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gnmlhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpedeiff.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkedonpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fgiaemic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdbkja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gkcigjel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aimogakj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apggckbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkbgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejlnfjbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfmolc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cancekeo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejojljqa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fncibg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adepji32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdlfjh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejccgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gnaecedp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbanq32.exe

Executes dropped EXE 64 IoCs

pid	Process
1892	Qbonoghb.exe
3704	Qmdblp32.exe
4136	Qpbnhl32.exe
2576	Qfmfefni.exe
2568	Aabkbono.exe
4524	Abcgjg32.exe
4228	Aimogakj.exe
4060	Apggckbf.exe
2540	Abfdpfaj.exe
4928	Aiplmq32.exe
2216	Aagdnn32.exe
952	Adepji32.exe
1064	Aibibp32.exe
4912	Aaiqcnhg.exe
1080	Aplaoj32.exe
2968	Abjmkf32.exe
4840	Aidehpea.exe
1432	Aalmimfd.exe
3860	Abmjqe32.exe
1792	Bmbnnn32.exe
4368	Bdlfjh32.exe
1116	Bjfogbjb.exe
3384	Bapgdm32.exe
4024	Bfmolc32.exe
448	Biklho32.exe
4148	Bpedeiff.exe
3700	Bfolacnc.exe
3324	Bmidnm32.exe
3488	Bdcmkgmm.exe
4564	Bbfmgd32.exe
4204	Bipecnkd.exe
3956	Bpjmph32.exe
1748	Bgdemb32.exe
3292	Cmnnimak.exe
2204	Cpljehpo.exe
2124	Cgfbbb32.exe
4888	Ckbncapd.exe
4416	Calfpk32.exe
1372	Cdjblf32.exe
8	Cmbgdl32.exe
4476	Cancekeo.exe
3224	Cdmoafdb.exe
2260	Ckggnp32.exe
4796	Caqpkjcl.exe
1580	Ccblbb32.exe
3528	Cmgqpkip.exe
2792	Dkkaiphj.exe
2824	Daeifj32.exe
4240	Dcffnbee.exe
1204	Dgbanq32.exe
548	Dnljkk32.exe
3904	Ddfbgelh.exe
4400	Dgdncplk.exe
924	Dickplko.exe
3568	Dajbaika.exe
3812	Dckoia32.exe
2664	Dkbgjo32.exe
4480	Dnqcfjae.exe
3980	Dcnlnaom.exe
2412	Dkedonpo.exe
1136	Dncpkjoc.exe
4276	Ddmhhd32.exe
5132	Ekgqennl.exe
5172	Eaaiahei.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bapgdm32.exe	Bjfogbjb.exe
File created	C:\Windows\SysWOW64\Bpedeiff.exe	Biklho32.exe
File created	C:\Windows\SysWOW64\Dcjdilmf.dll	Cdjblf32.exe
File opened for modification	C:\Windows\SysWOW64\Egnajocq.exe	Edoencdm.exe
File created	C:\Windows\SysWOW64\Dmfbkh32.dll	Gqkhda32.exe
File opened for modification	C:\Windows\SysWOW64\Aalmimfd.exe	Aidehpea.exe
File created	C:\Windows\SysWOW64\Dajbaika.exe	Dickplko.exe
File created	C:\Windows\SysWOW64\Ddmhhd32.exe	Dncpkjoc.exe
File created	C:\Windows\SysWOW64\Iffahdpm.dll	Fjeplijj.exe
File created	C:\Windows\SysWOW64\Aiplmq32.exe	Abfdpfaj.exe
File created	C:\Windows\SysWOW64\Begndj32.dll	Fgiaemic.exe
File opened for modification	C:\Windows\SysWOW64\Ggccllai.exe	Gcghkm32.exe
File created	C:\Windows\SysWOW64\Abmjqe32.exe	Aalmimfd.exe
File created	C:\Windows\SysWOW64\Leldmdbk.dll	Biklho32.exe
File created	C:\Windows\SysWOW64\Bfolacnc.exe	Bpedeiff.exe
File created	C:\Windows\SysWOW64\Bhkacq32.dll	Edoencdm.exe
File opened for modification	C:\Windows\SysWOW64\Fdbkja32.exe	Fkjfakng.exe
File created	C:\Windows\SysWOW64\Gnmlhf32.exe	Ggccllai.exe
File created	C:\Windows\SysWOW64\Mcqelbcc.dll	Ggccllai.exe
File created	C:\Windows\SysWOW64\Eocmgd32.dll	Gqnejaff.exe
File opened for modification	C:\Windows\SysWOW64\Aidehpea.exe	Abjmkf32.exe
File created	C:\Windows\SysWOW64\Aalmimfd.exe	Aidehpea.exe
File opened for modification	C:\Windows\SysWOW64\Bmidnm32.exe	Bfolacnc.exe
File opened for modification	C:\Windows\SysWOW64\Bgdemb32.exe	Bpjmph32.exe
File created	C:\Windows\SysWOW64\Dnljkk32.exe	Dgbanq32.exe
File created	C:\Windows\SysWOW64\Pedfeccm.dll	Dkbgjo32.exe
File opened for modification	C:\Windows\SysWOW64\Fqphic32.exe	Fjeplijj.exe
File created	C:\Windows\SysWOW64\Hhdjkflc.dll	Aimogakj.exe
File created	C:\Windows\SysWOW64\Bapgdm32.exe	Bjfogbjb.exe
File created	C:\Windows\SysWOW64\Podbibma.dll	Bjfogbjb.exe
File created	C:\Windows\SysWOW64\Cmnnimak.exe	Bgdemb32.exe
File opened for modification	C:\Windows\SysWOW64\Aimogakj.exe	Abcgjg32.exe
File created	C:\Windows\SysWOW64\Mmebednk.dll	Adepji32.exe
File created	C:\Windows\SysWOW64\Ckggnp32.exe	Cdmoafdb.exe
File created	C:\Windows\SysWOW64\Gclafmej.exe	Gqnejaff.exe
File opened for modification	C:\Windows\SysWOW64\Gjficg32.exe	Gkcigjel.exe
File created	C:\Windows\SysWOW64\Bfedfi32.dll	Gjficg32.exe
File opened for modification	C:\Windows\SysWOW64\Bdlfjh32.exe	Bmbnnn32.exe
File created	C:\Windows\SysWOW64\Eddnic32.exe	Ejojljqa.exe
File opened for modification	C:\Windows\SysWOW64\Aibibp32.exe	Adepji32.exe
File opened for modification	C:\Windows\SysWOW64\Ejlnfjbd.exe	Egnajocq.exe
File created	C:\Windows\SysWOW64\Ggccllai.exe	Gcghkm32.exe
File created	C:\Windows\SysWOW64\Kfkklk32.dll	Gcjdam32.exe
File created	C:\Windows\SysWOW64\Ckfaapfi.dll	Gbkdod32.exe
File opened for modification	C:\Windows\SysWOW64\Aabkbono.exe	Qfmfefni.exe
File created	C:\Windows\SysWOW64\Abfdpfaj.exe	Apggckbf.exe
File opened for modification	C:\Windows\SysWOW64\Aplaoj32.exe	Aaiqcnhg.exe
File opened for modification	C:\Windows\SysWOW64\Bfmolc32.exe	Bapgdm32.exe
File opened for modification	C:\Windows\SysWOW64\Cdmoafdb.exe	Cancekeo.exe
File created	C:\Windows\SysWOW64\Dodebo32.dll	Cdmoafdb.exe
File created	C:\Windows\SysWOW64\Iplfokdm.dll	Dcnlnaom.exe
File created	C:\Windows\SysWOW64\Ajbfciej.dll	Apggckbf.exe
File opened for modification	C:\Windows\SysWOW64\Aaiqcnhg.exe	Aibibp32.exe
File created	C:\Windows\SysWOW64\Qdqaqhbj.dll	Bbfmgd32.exe
File opened for modification	C:\Windows\SysWOW64\Bpjmph32.exe	Bipecnkd.exe
File opened for modification	C:\Windows\SysWOW64\Ddfbgelh.exe	Dnljkk32.exe
File created	C:\Windows\SysWOW64\Epgldbkn.dll	f057c8f7022ffe80a2547aa2cc8592d7471d2287af8e0732cf483708befae934.exe
File created	C:\Windows\SysWOW64\Dccfkp32.dll	Aidehpea.exe
File opened for modification	C:\Windows\SysWOW64\Ckggnp32.exe	Cdmoafdb.exe
File created	C:\Windows\SysWOW64\Edoencdm.exe	Eaaiahei.exe
File created	C:\Windows\SysWOW64\Gkcigjel.exe	Gclafmej.exe
File opened for modification	C:\Windows\SysWOW64\Dgbanq32.exe	Dcffnbee.exe
File created	C:\Windows\SysWOW64\Eaaiahei.exe	Ekgqennl.exe
File opened for modification	C:\Windows\SysWOW64\Fjjjgh32.exe	Fqbeoc32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6132	5508	WerFault.exe	197

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aagdnn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calfpk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnqcfjae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gqkhda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmdblp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aalmimfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpedeiff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bipecnkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckbncapd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejojljqa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dickplko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecdbop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaiqcnhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abmjqe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqkondfl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqmlccdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbfmgd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dncpkjoc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gcghkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daeifj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edoencdm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fclhpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgiaemic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdcmkgmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpjmph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckggnp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcnlnaom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkedonpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkjfakng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfmfefni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abcgjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkaiphj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgdncplk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epffbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cancekeo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eddnic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aplaoj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aidehpea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnljkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejlnfjbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqikob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qbonoghb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dckoia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egnajocq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gbkdod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abfdpfaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnnimak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdpnda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gcjdam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adepji32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccblbb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgqpkip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqbeoc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfmolc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eaaiahei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gnmlhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biklho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkbgjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejccgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aimogakj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfbbb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dajbaika.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjeplijj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfogbjb.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acajpc32.dll"	Daeifj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ggepalof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gqnejaff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gqkhda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjcmngnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjficg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abjmkf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abmjqe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpedeiff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cancekeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjckodg.dll"	Dckoia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Epffbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojimfh32.dll"	Ejccgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adepji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckfaapfi.dll"	Gbkdod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	f057c8f7022ffe80a2547aa2cc8592d7471d2287af8e0732cf483708befae934.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnnimak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbanq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eahobg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fgiaemic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbnnn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdlfjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eafbac32.dll"	Ckbncapd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejccgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqphic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adepji32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfmolc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calfpk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dickplko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efehkimj.dll"	Dajbaika.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iplfokdm.dll"	Dcnlnaom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhkacq32.dll"	Edoencdm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aiplmq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lalceb32.dll"	Bfmolc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdaleh32.dll"	Epffbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dcnlnaom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ekgqennl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqmlccdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fqbeoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbkdod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aabkbono.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdlfjh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdmoafdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eclbio32.dll"	Eqmlccdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ggccllai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkaiphj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndmojj32.dll"	Eaaiahei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjmgbm32.dll"	Gnaecedp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcjdam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aabkbono.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfbjkg32.dll"	Abmjqe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdbbme32.dll"	Cmnnimak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daeifj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ekngemhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjeplijj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcipf32.dll"	Fkjfakng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aibibp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aidehpea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcpcgc32.dll"	Dnqcfjae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abfdpfaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deiljq32.dll"	Bmbnnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnljkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhaiafem.dll"	Ejlnfjbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejlnfjbd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 1892	2300	f057c8f7022ffe80a2547aa2cc8592d7471d2287af8e0732cf483708befae934.exe	91
PID 2300 wrote to memory of 1892	2300	f057c8f7022ffe80a2547aa2cc8592d7471d2287af8e0732cf483708befae934.exe	91
PID 2300 wrote to memory of 1892	2300	f057c8f7022ffe80a2547aa2cc8592d7471d2287af8e0732cf483708befae934.exe	91
PID 1892 wrote to memory of 3704	1892	Qbonoghb.exe	92
PID 1892 wrote to memory of 3704	1892	Qbonoghb.exe	92
PID 1892 wrote to memory of 3704	1892	Qbonoghb.exe	92
PID 3704 wrote to memory of 4136	3704	Qmdblp32.exe	93
PID 3704 wrote to memory of 4136	3704	Qmdblp32.exe	93
PID 3704 wrote to memory of 4136	3704	Qmdblp32.exe	93
PID 4136 wrote to memory of 2576	4136	Qpbnhl32.exe	94
PID 4136 wrote to memory of 2576	4136	Qpbnhl32.exe	94
PID 4136 wrote to memory of 2576	4136	Qpbnhl32.exe	94
PID 2576 wrote to memory of 2568	2576	Qfmfefni.exe	95
PID 2576 wrote to memory of 2568	2576	Qfmfefni.exe	95
PID 2576 wrote to memory of 2568	2576	Qfmfefni.exe	95
PID 2568 wrote to memory of 4524	2568	Aabkbono.exe	96
PID 2568 wrote to memory of 4524	2568	Aabkbono.exe	96
PID 2568 wrote to memory of 4524	2568	Aabkbono.exe	96
PID 4524 wrote to memory of 4228	4524	Abcgjg32.exe	97
PID 4524 wrote to memory of 4228	4524	Abcgjg32.exe	97
PID 4524 wrote to memory of 4228	4524	Abcgjg32.exe	97
PID 4228 wrote to memory of 4060	4228	Aimogakj.exe	98
PID 4228 wrote to memory of 4060	4228	Aimogakj.exe	98
PID 4228 wrote to memory of 4060	4228	Aimogakj.exe	98
PID 4060 wrote to memory of 2540	4060	Apggckbf.exe	99
PID 4060 wrote to memory of 2540	4060	Apggckbf.exe	99
PID 4060 wrote to memory of 2540	4060	Apggckbf.exe	99
PID 2540 wrote to memory of 4928	2540	Abfdpfaj.exe	100
PID 2540 wrote to memory of 4928	2540	Abfdpfaj.exe	100
PID 2540 wrote to memory of 4928	2540	Abfdpfaj.exe	100
PID 4928 wrote to memory of 2216	4928	Aiplmq32.exe	101
PID 4928 wrote to memory of 2216	4928	Aiplmq32.exe	101
PID 4928 wrote to memory of 2216	4928	Aiplmq32.exe	101
PID 2216 wrote to memory of 952	2216	Aagdnn32.exe	102
PID 2216 wrote to memory of 952	2216	Aagdnn32.exe	102
PID 2216 wrote to memory of 952	2216	Aagdnn32.exe	102
PID 952 wrote to memory of 1064	952	Adepji32.exe	103
PID 952 wrote to memory of 1064	952	Adepji32.exe	103
PID 952 wrote to memory of 1064	952	Adepji32.exe	103
PID 1064 wrote to memory of 4912	1064	Aibibp32.exe	104
PID 1064 wrote to memory of 4912	1064	Aibibp32.exe	104
PID 1064 wrote to memory of 4912	1064	Aibibp32.exe	104
PID 4912 wrote to memory of 1080	4912	Aaiqcnhg.exe	105
PID 4912 wrote to memory of 1080	4912	Aaiqcnhg.exe	105
PID 4912 wrote to memory of 1080	4912	Aaiqcnhg.exe	105
PID 1080 wrote to memory of 2968	1080	Aplaoj32.exe	106
PID 1080 wrote to memory of 2968	1080	Aplaoj32.exe	106
PID 1080 wrote to memory of 2968	1080	Aplaoj32.exe	106
PID 2968 wrote to memory of 4840	2968	Abjmkf32.exe	107
PID 2968 wrote to memory of 4840	2968	Abjmkf32.exe	107
PID 2968 wrote to memory of 4840	2968	Abjmkf32.exe	107
PID 4840 wrote to memory of 1432	4840	Aidehpea.exe	109
PID 4840 wrote to memory of 1432	4840	Aidehpea.exe	109
PID 4840 wrote to memory of 1432	4840	Aidehpea.exe	109
PID 1432 wrote to memory of 3860	1432	Aalmimfd.exe	110
PID 1432 wrote to memory of 3860	1432	Aalmimfd.exe	110
PID 1432 wrote to memory of 3860	1432	Aalmimfd.exe	110
PID 3860 wrote to memory of 1792	3860	Abmjqe32.exe	111
PID 3860 wrote to memory of 1792	3860	Abmjqe32.exe	111
PID 3860 wrote to memory of 1792	3860	Abmjqe32.exe	111
PID 1792 wrote to memory of 4368	1792	Bmbnnn32.exe	112
PID 1792 wrote to memory of 4368	1792	Bmbnnn32.exe	112
PID 1792 wrote to memory of 4368	1792	Bmbnnn32.exe	112
PID 4368 wrote to memory of 1116	4368	Bdlfjh32.exe	114

C:\Users\Admin\AppData\Local\Temp\f057c8f7022ffe80a2547aa2cc8592d7471d2287af8e0732cf483708befae934.exe
"C:\Users\Admin\AppData\Local\Temp\f057c8f7022ffe80a2547aa2cc8592d7471d2287af8e0732cf483708befae934.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\SysWOW64\Qbonoghb.exe
  C:\Windows\system32\Qbonoghb.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1892
- - C:\Windows\SysWOW64\Qmdblp32.exe
    C:\Windows\system32\Qmdblp32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3704
  - - C:\Windows\SysWOW64\Qpbnhl32.exe
      C:\Windows\system32\Qpbnhl32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4136
    - - C:\Windows\SysWOW64\Qfmfefni.exe
        
        C:\Windows\system32\Qfmfefni.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2576
      - C:\Windows\SysWOW64\Aabkbono.exe
        
        C:\Windows\system32\Aabkbono.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\SysWOW64\Abcgjg32.exe
        
        C:\Windows\system32\Abcgjg32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\SysWOW64\Aimogakj.exe
        
        C:\Windows\system32\Aimogakj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4228
        
        C:\Windows\SysWOW64\Apggckbf.exe
        
        C:\Windows\system32\Apggckbf.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4060
        
        C:\Windows\SysWOW64\Abfdpfaj.exe
        
        C:\Windows\system32\Abfdpfaj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\Aiplmq32.exe
        
        C:\Windows\system32\Aiplmq32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\SysWOW64\Aagdnn32.exe
        
        C:\Windows\system32\Aagdnn32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SysWOW64\Adepji32.exe
        
        C:\Windows\system32\Adepji32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:952
        
        C:\Windows\SysWOW64\Aibibp32.exe
        
        C:\Windows\system32\Aibibp32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\SysWOW64\Aaiqcnhg.exe
        
        C:\Windows\system32\Aaiqcnhg.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\Aplaoj32.exe
        
        C:\Windows\system32\Aplaoj32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\SysWOW64\Abjmkf32.exe
        
        C:\Windows\system32\Abjmkf32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\SysWOW64\Aidehpea.exe
        
        C:\Windows\system32\Aidehpea.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\SysWOW64\Aalmimfd.exe
        
        C:\Windows\system32\Aalmimfd.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\SysWOW64\Abmjqe32.exe
        
        C:\Windows\system32\Abmjqe32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3860
        
        C:\Windows\SysWOW64\Bmbnnn32.exe
        
        C:\Windows\system32\Bmbnnn32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\SysWOW64\Bdlfjh32.exe
        
        C:\Windows\system32\Bdlfjh32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Windows\SysWOW64\Bjfogbjb.exe
        
        C:\Windows\system32\Bjfogbjb.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1116
        
        C:\Windows\SysWOW64\Bapgdm32.exe
        
        C:\Windows\system32\Bapgdm32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3384
        
        C:\Windows\SysWOW64\Bfmolc32.exe
        
        C:\Windows\system32\Bfmolc32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4024
        
        C:\Windows\SysWOW64\Biklho32.exe
        
        C:\Windows\system32\Biklho32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:448
        
        C:\Windows\SysWOW64\Bpedeiff.exe
        
        C:\Windows\system32\Bpedeiff.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4148
        
        C:\Windows\SysWOW64\Bfolacnc.exe
        
        C:\Windows\system32\Bfolacnc.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3700
        
        C:\Windows\SysWOW64\Bmidnm32.exe
        
        C:\Windows\system32\Bmidnm32.exe
        29⤵
        Executes dropped EXE
        
        PID:3324
        
        C:\Windows\SysWOW64\Bdcmkgmm.exe
        
        C:\Windows\system32\Bdcmkgmm.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3488
        
        C:\Windows\SysWOW64\Bbfmgd32.exe
        
        C:\Windows\system32\Bbfmgd32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4564
        
        C:\Windows\SysWOW64\Bipecnkd.exe
        
        C:\Windows\system32\Bipecnkd.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4204
        
        C:\Windows\SysWOW64\Bpjmph32.exe
        
        C:\Windows\system32\Bpjmph32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3956
        
        C:\Windows\SysWOW64\Bgdemb32.exe
        
        C:\Windows\system32\Bgdemb32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1748
        
        C:\Windows\SysWOW64\Cmnnimak.exe
        
        C:\Windows\system32\Cmnnimak.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3292
        
        C:\Windows\SysWOW64\Cpljehpo.exe
        
        C:\Windows\system32\Cpljehpo.exe
        36⤵
        Executes dropped EXE
        
        PID:2204
        
        C:\Windows\SysWOW64\Cgfbbb32.exe
        
        C:\Windows\system32\Cgfbbb32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        C:\Windows\SysWOW64\Ckbncapd.exe
        
        C:\Windows\system32\Ckbncapd.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Calfpk32.exe
        
        C:\Windows\system32\Calfpk32.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Cdjblf32.exe
        
        C:\Windows\system32\Cdjblf32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1372
        
        C:\Windows\SysWOW64\Cmbgdl32.exe
        
        C:\Windows\system32\Cmbgdl32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:8
        
        C:\Windows\SysWOW64\Cancekeo.exe
        
        C:\Windows\system32\Cancekeo.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\Cdmoafdb.exe
        
        C:\Windows\system32\Cdmoafdb.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3224
        
        C:\Windows\SysWOW64\Ckggnp32.exe
        
        C:\Windows\system32\Ckggnp32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2260
        
        C:\Windows\SysWOW64\Caqpkjcl.exe
        
        C:\Windows\system32\Caqpkjcl.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4796
        
        C:\Windows\SysWOW64\Ccblbb32.exe
        
        C:\Windows\system32\Ccblbb32.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1580
        
        C:\Windows\SysWOW64\Cmgqpkip.exe
        
        C:\Windows\system32\Cmgqpkip.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3528
        
        C:\Windows\SysWOW64\Dkkaiphj.exe
        
        C:\Windows\system32\Dkkaiphj.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2792
        
        C:\Windows\SysWOW64\Daeifj32.exe
        
        C:\Windows\system32\Daeifj32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2824
        
        C:\Windows\SysWOW64\Dcffnbee.exe
        
        C:\Windows\system32\Dcffnbee.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4240
        
        C:\Windows\SysWOW64\Dgbanq32.exe
        
        C:\Windows\system32\Dgbanq32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1204
        
        C:\Windows\SysWOW64\Dnljkk32.exe
        
        C:\Windows\system32\Dnljkk32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:548
        
        C:\Windows\SysWOW64\Ddfbgelh.exe
        
        C:\Windows\system32\Ddfbgelh.exe
        53⤵
        Executes dropped EXE
        
        PID:3904
        
        C:\Windows\SysWOW64\Dgdncplk.exe
        
        C:\Windows\system32\Dgdncplk.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4400
        
        C:\Windows\SysWOW64\Dickplko.exe
        
        C:\Windows\system32\Dickplko.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:924
        
        C:\Windows\SysWOW64\Dajbaika.exe
        
        C:\Windows\system32\Dajbaika.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3568
        
        C:\Windows\SysWOW64\Dckoia32.exe
        
        C:\Windows\system32\Dckoia32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3812
        
        C:\Windows\SysWOW64\Dkbgjo32.exe
        
        C:\Windows\system32\Dkbgjo32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2664
        
        C:\Windows\SysWOW64\Dnqcfjae.exe
        
        C:\Windows\system32\Dnqcfjae.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Dcnlnaom.exe
        
        C:\Windows\system32\Dcnlnaom.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3980
        
        C:\Windows\SysWOW64\Dkedonpo.exe
        
        C:\Windows\system32\Dkedonpo.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2412
        
        C:\Windows\SysWOW64\Dncpkjoc.exe
        
        C:\Windows\system32\Dncpkjoc.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1136
        
        C:\Windows\SysWOW64\Ddmhhd32.exe
        
        C:\Windows\system32\Ddmhhd32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4276
        
        C:\Windows\SysWOW64\Ekgqennl.exe
        
        C:\Windows\system32\Ekgqennl.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Eaaiahei.exe
        
        C:\Windows\system32\Eaaiahei.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Edoencdm.exe
        
        C:\Windows\system32\Edoencdm.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Egnajocq.exe
        
        C:\Windows\system32\Egnajocq.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5252
        
        C:\Windows\SysWOW64\Ejlnfjbd.exe
        
        C:\Windows\system32\Ejlnfjbd.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Epffbd32.exe
        
        C:\Windows\system32\Epffbd32.exe
        69⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5332
        
        C:\Windows\SysWOW64\Ecdbop32.exe
        
        C:\Windows\system32\Ecdbop32.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:5372
        
        C:\Windows\SysWOW64\Ejojljqa.exe
        
        C:\Windows\system32\Ejojljqa.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5416
        
        C:\Windows\SysWOW64\Eddnic32.exe
        
        C:\Windows\system32\Eddnic32.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:5468
        
        C:\Windows\SysWOW64\Ekngemhd.exe
        
        C:\Windows\system32\Ekngemhd.exe
        73⤵
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Eahobg32.exe
        
        C:\Windows\system32\Eahobg32.exe
        74⤵
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Eqkondfl.exe
        
        C:\Windows\system32\Eqkondfl.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:5604
        
        C:\Windows\SysWOW64\Ejccgi32.exe
        
        C:\Windows\system32\Ejccgi32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5644
        
        C:\Windows\SysWOW64\Eqmlccdi.exe
        
        C:\Windows\system32\Eqmlccdi.exe
        77⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Fclhpo32.exe
        
        C:\Windows\system32\Fclhpo32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5776
        
        C:\Windows\SysWOW64\Fjeplijj.exe
        
        C:\Windows\system32\Fjeplijj.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5820
        
        C:\Windows\SysWOW64\Fqphic32.exe
        
        C:\Windows\system32\Fqphic32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5860
        
        C:\Windows\SysWOW64\Fgiaemic.exe
        
        C:\Windows\system32\Fgiaemic.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5900
        
        C:\Windows\SysWOW64\Fncibg32.exe
        
        C:\Windows\system32\Fncibg32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5944
        
        C:\Windows\SysWOW64\Fqbeoc32.exe
        
        C:\Windows\system32\Fqbeoc32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Fjjjgh32.exe
        
        C:\Windows\system32\Fjjjgh32.exe
        84⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Fdpnda32.exe
        
        C:\Windows\system32\Fdpnda32.exe
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:6076
        
        C:\Windows\SysWOW64\Fkjfakng.exe
        
        C:\Windows\system32\Fkjfakng.exe
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6120
        
        C:\Windows\SysWOW64\Fdbkja32.exe
        
        C:\Windows\system32\Fdbkja32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5148
        
        C:\Windows\SysWOW64\Fjocbhbo.exe
        
        C:\Windows\system32\Fjocbhbo.exe
        88⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Fqikob32.exe
        
        C:\Windows\system32\Fqikob32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5284
        
        C:\Windows\SysWOW64\Gcghkm32.exe
        
        C:\Windows\system32\Gcghkm32.exe
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5352
        
        C:\Windows\SysWOW64\Ggccllai.exe
        
        C:\Windows\system32\Ggccllai.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Gnmlhf32.exe
        
        C:\Windows\system32\Gnmlhf32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5452
        
        C:\Windows\SysWOW64\Gqkhda32.exe
        
        C:\Windows\system32\Gqkhda32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Gcjdam32.exe
        
        C:\Windows\system32\Gcjdam32.exe
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5708
        
        C:\Windows\SysWOW64\Ggepalof.exe
        
        C:\Windows\system32\Ggepalof.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Gjcmngnj.exe
        
        C:\Windows\system32\Gjcmngnj.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5852
        
        C:\Windows\SysWOW64\Gbkdod32.exe
        
        C:\Windows\system32\Gbkdod32.exe
        97⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Gqnejaff.exe
        
        C:\Windows\system32\Gqnejaff.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Gclafmej.exe
        
        C:\Windows\system32\Gclafmej.exe
        99⤵
        Drops file in System32 directory
        
        PID:6068
        
        C:\Windows\SysWOW64\Gkcigjel.exe
        
        C:\Windows\system32\Gkcigjel.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6140
        
        C:\Windows\SysWOW64\Gjficg32.exe
        
        C:\Windows\system32\Gjficg32.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Gnaecedp.exe
        
        C:\Windows\system32\Gnaecedp.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Gbmadd32.exe
        
        C:\Windows\system32\Gbmadd32.exe
        103⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5508 -s 408
        104⤵
        Program crash
        
        PID:6132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5508 -ip 5508
1⤵
PID:5856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4276,i,13995403245988825027,7033610968827661507,262144 --variations-seed-version --mojo-platform-channel-handle=1312 /prefetch:8
1⤵
PID:5128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabkbono.exe

Filesize
45KB

MD5
c0ceebbbce0a716002253bcc21d75ab5

SHA1
3333709f8b1fae27342a83428a624049ec11b651

SHA256
faf365fa6684215aeeff1244eb90448f14f1bbdde2e140ec8ea566d346a07a33

SHA512
3070fe83c73572be8b575ffad95e37876659ed2fb2f0d6e6405dfa441c9347760a7f4f3e4f64944bdf79b284af87f1807ed57aadf9697b1aec146a13f11656fc

Download Submit
C:\Windows\SysWOW64\Aagdnn32.exe

Filesize
45KB

MD5
4a48ccae385d4b6a3b19f46b822129d7

SHA1
d7e24afb4b48fa077597b702122c8e1fe7011030

SHA256
f72bfd987497caef2363ab98c9d1e6a79acceea3d0238b463c14d7b0ae23e935

SHA512
4664345079af937e981cc2f949b0d72ce1675d206b60d9a3fdf0bcc6a0dc569708e99f3572bded67e1a075a6cfd22bbd819037000ea323dcbbd789b53dbaebed

Download Submit
C:\Windows\SysWOW64\Aaiqcnhg.exe

Filesize
45KB

MD5
07a9d0c397b14d24e70ff99a73b8388e

SHA1
8e5c679922c282a7461de1c433bd6e1a9a860cde

SHA256
1867e2c2c35bf2b16faeabf2ed0d9c84ab0bd18d976ca4e99da67ab101f773cb

SHA512
eb606c14d1da10b3e5e9697892dc1a9b209c8a56a1e785f49fb62432b8e6d952ddb8cba19f9d58065e023df9d301bcd5bfbe74cf09dc8f54da0d0b566f2dbd29

Download Submit
C:\Windows\SysWOW64\Aalmimfd.exe

Filesize
45KB

MD5
c43fa9232d869deff79f43fbc5c714ba

SHA1
0122ff2e0678073784d1e55f8a7822fdcc46b970

SHA256
c50a740125ecc071bedab4a6d86e86ecf2ccb0f82e78794aa6736ae863791014

SHA512
63b7c0d61bd437a25fc3325c0373eecc618b3db43a7a9cad386e2aefb4cfc4804d21f66fcd6c3ff95dde7363ff73bc3b56b5fec47987d60a76a4710baa05fad2

Download Submit
C:\Windows\SysWOW64\Abcgjg32.exe

Filesize
45KB

MD5
8b0b4f95361df0d33cb6dac8c382966a

SHA1
64d6d0f96512c6e2037db6a7c89f773af2bcdbfc

SHA256
d45840f5a907d21dec61539aa2588e49acd73b75c49af7f92a7ffabba7c87b36

SHA512
4e5de74c1901a501d5b73297c2c873a8f159e816d160c95721e0bf33b99b53d638f7afa13989f3076c526a3f094aa83e5c8f9a932a40932ba0bb8cf72fe19f30

Download Submit
C:\Windows\SysWOW64\Abfdpfaj.exe

Filesize
45KB

MD5
0fa2496111b6c03720f1aa5620729195

SHA1
394d9b771179cd18a699364070f5d1ef55d60d68

SHA256
676e54f3ef107da1dd63fc47e79d9fbfa20924cbcd4132038a73d8088e94e55a

SHA512
dd5a02dc64b21ccbd243069d59ce3dd15074805db0c004d5f4fbf364a4114eeb3f284e1bf75378064a531183409e856c096789b1e3ff65c7b550be364f64de99

Download Submit
C:\Windows\SysWOW64\Abjmkf32.exe

Filesize
45KB

MD5
eac1f2bc59c21faa3d0eaa523402fed7

SHA1
02d7c467602cacf3f2c6406c2fcab8e31a38ef12

SHA256
a25b7029d39e31307e0553aeeab01ed9115ec06877b55d7ff057cfec8fcc8f54

SHA512
f2a31a103026e4b02f682aa13fb97224c9d8f6489f2a5109698148e24f8530ba48eca27eee55820ba37d74b05a9a4fef57fea88f36ff456288830835cda0306d

Download Submit
C:\Windows\SysWOW64\Abmjqe32.exe

Filesize
45KB

MD5
62069ba847987884c626fa6ef755f46e

SHA1
17335497173421aac7b0c9b286db7a892bdee747

SHA256
4705d7caac3f5660833e3aec04adf6960c8cfabc36a061ee015529107bcdd16d

SHA512
a85144e3effea16d5053cf6cb3d848d746d8e234467e49bd19d5ee457fe9d2aa7ddd49aff5a6ecea69738ce504f1e77be0f734f106c2b2329ba87c2ddd700f90

Download Submit
C:\Windows\SysWOW64\Adepji32.exe

Filesize
45KB

MD5
74d7f86bf6e2860e92507b4dc82eaf58

SHA1
715c7a0d02c1e6b39e11d3502ef3010aa86a9053

SHA256
230a179e802dc7790c4144c977d27c9afc563ef79ca293f4ff80ee672684f29b

SHA512
3fed76a26f8e7f01edf202e3fde3996d552f958badd97c42f012cdfc45464ea29494d24fe173cc3c5692baeb8eca482a80da0eb015b0c8efa6d72670c0e0f5f1

Download Submit
C:\Windows\SysWOW64\Aibibp32.exe

Filesize
45KB

MD5
fb5d7ced88249f3c13a499ed1587f3be

SHA1
0a9f2c73272a0911916344557aaf8f18ce3e0498

SHA256
5c53c1d1f2a6918bd00b2d04c4d5c7b77e5a4374aa14c2d99676e4a322c65a84

SHA512
923bc7e3c4a86a7d6b777357116bd5718e62a87431a590c388bf0cd0cab34b141df7660c4155954fb1c49030df0735e753c56d2f94048a1008beb9fb4bb7f631

Download Submit
C:\Windows\SysWOW64\Aidehpea.exe

Filesize
45KB

MD5
e520f2101563922491fe0a28418733de

SHA1
036f2d0e804a73d3931b9f311a6fe96f50a4df79

SHA256
2575c0ae1ed45a6c8cd60f93e753b646d4a7f8af6533fedc9fccb89a7f16546e

SHA512
26d26d7756dafe2d81d9cc2f21c80fe1568f0eb0d1e7a369bcb15ae4dd4ba1e61d014292a4b2953a7b45326a6e1007991aa7bf091864a7e71847aa090ce5d000

Download Submit
C:\Windows\SysWOW64\Aimogakj.exe

Filesize
45KB

MD5
89e09bd0fc1979ea44d11b135cd8da9f

SHA1
328ce4a26c4580db1e4cd3468157e6b238958c0a

SHA256
0075d537dce98bab0f1d80213327fc7d21a319e9604a2d862f5df655eaeeeebe

SHA512
cbdbf8931272de6ab23c6a234d2851057e2d4708bd005f3265d37bff19a63abf9484845d8b8d6f0a8b272d4a4e25ac97a8e1259caec05c45a41ad40ce973a212

Download Submit
C:\Windows\SysWOW64\Aiplmq32.exe

Filesize
45KB

MD5
caeeaa980e1caac52cedd0cdef7ace59

SHA1
f8f94edf8ff2b292b3385ffac0d22e45aab75c90

SHA256
df80f4ae1c601f45f8fa472696b3a4f67648acbe3f7b1aefdac73164f1ddfea9

SHA512
2dd9faf72523aee0b6a7349179e46ce4518373d9de31da278c102f9fb272129300b07e68525b97ad058208312ef492eadba2d7d60d8b783e4ecb929a9191ee0a

Download Submit
C:\Windows\SysWOW64\Apggckbf.exe

Filesize
45KB

MD5
0005620e568bd8bb4ec3efa92ad2bbf3

SHA1
637984c4a9dcdb365ea6da33e994c3e3e5fd0228

SHA256
e2f6ad52e286881534709be518665e1ec211171c1ae06a2b8074e9cb5d4e9238

SHA512
7f2305ea7a6ffd81e28ff865ea7242b1216f96a21e21786b6acc015ef743bec1ecd66e5d710b6fd990f65bbcfce5d2b795a1a32b596b8389e1384ecedefc6218

Download Submit
C:\Windows\SysWOW64\Aplaoj32.exe

Filesize
45KB

MD5
c8c07e1536cadf3a88ece8053525c542

SHA1
d80f18400ad6381a4f0fffd09a436a1d1b4fba5b

SHA256
d97dcf0c97e0158bcfbce5842d4aedf81ef9796ea0e7be92e21703f15d258cbf

SHA512
c708b2a86d9b651e0c74f121ea2751ff7905509624a180dade5e608a5c58a0f6ec929e925a18311115d8faf8f66bebfdd8d54cee8d95bddf28afc39f83c30148

Download Submit
C:\Windows\SysWOW64\Bapgdm32.exe

Filesize
45KB

MD5
209ccaca33be8fac13b2efca2797724d

SHA1
ea7b205c92d3bcc0c2b6bba756d2d87c28f4f1b3

SHA256
c5f8b3b9d3e497433b97fea451098cadfda88778e39ff2f0ac1d776948c1ac6c

SHA512
bb1befe3ed4c6ad372fb9ba570f252460146da4a19c4b5b6e150393bf5fd4c346ff3e0d53fac83abe463073d0677ad5f4b19c0d6fb8dba323ba132daacaf4e18

Download Submit
C:\Windows\SysWOW64\Bbfmgd32.exe

Filesize
45KB

MD5
82bdb836b06ba975d1c58adf137cb223

SHA1
b77754d7329bd21d32c4fd4159221bae7afdda81

SHA256
44e99c2153ad902f6b908e3dde11c306d46f7aa795e1b0c9a889ed42e1428723

SHA512
e3ff60d918522c4d363a7788849abaa792dc3409ec6e90c8b156749e558dd277f8358d8be036b2dc0d9b5bc4d970cbe69c603143b91cf669a27a3dd2abea575f

Download Submit
C:\Windows\SysWOW64\Bdcmkgmm.exe

Filesize
45KB

MD5
649fd793ec118d2a2287a2647f6f93f8

SHA1
565a08c86e38ae183d5f14d55ff6dd99bd6a72d8

SHA256
18e37edfce3b2016fb1476c2c9f832e68b5d658fd7e551740fabc2a022176e64

SHA512
5ff29c88a368a0fc88cd512c34818f9915a6ba169dc4d8b0f45dad811ad4c00c128b355e558c9ed97d5a2d26faba19e47cd69f0b6bdeeb9dec644b3a776037ee

Download Submit
C:\Windows\SysWOW64\Bdlfjh32.exe

Filesize
45KB

MD5
1e5cb4c8ca054a514011b1c251644400

SHA1
608e92c2a4fc66cefc45d364aaf1fff7245aad50

SHA256
e5ca281320df597242569314690d5d30469176459778bbdb2ca0b45dac39259b

SHA512
5967a70cd4394df645d3de1befad533805d66406610ec078ae2ecf4f7f7e866f6c076c5164b260974bb7d619db93356dee26dcd00f32d1abf36b2e4e1b9bbb8a

Download Submit
C:\Windows\SysWOW64\Bfmolc32.exe

Filesize
45KB

MD5
766cc7fd1dc222bd1f1d61240e45908c

SHA1
12a43b29404e059171410367b8bb4c18948c6448

SHA256
0ccdca0ecf33ea0396930328cce5431843f9c12ffc296401a8744e1a2deafdfc

SHA512
5ab46be43b7e22e2b4e60ad291fb323437fdaa55fe58cfbfd514682714b80953b5ea2d6556b2c480a8a98dc89e0e949be86203254a540a11d23077c49073ec6a

Download Submit
C:\Windows\SysWOW64\Bfolacnc.exe

Filesize
45KB

MD5
6f1084f5fb5006fe571a23efa87e342f

SHA1
dbda3854501b647e051cc9e0a573563c2af6386f

SHA256
7ebdc47e6f8ec5587de568bb15994f39dd72fc24487fc136d69b9e13af856e04

SHA512
a096c8f53ab48e555bffb4d7b23ca5d66d4cb77ab4cad930277cbf5e4c310acac7017f42b055166ea1c85dda33154cf53d23c808aa2046d7138d095d998b9a0a

Download Submit
C:\Windows\SysWOW64\Biklho32.exe

Filesize
45KB

MD5
8566cb6fdaf92fa7b0c95d180e78bfdc

SHA1
abaf55ed5b2638583c6672820285caa93ae971aa

SHA256
8cb2908037f4843aaa031c5ea341174e52c4efe503d24e292cb04539a3c8a875

SHA512
692a1384f5e5a0ac0dc4a2a1782197696cba5ee97448c755ff240d52d24fafb4cdaaeedb3552782fe83a78c4a8f86bd5cf329a92d4af2fd05f8cba7016c7d49a

Download Submit
C:\Windows\SysWOW64\Bipecnkd.exe

Filesize
45KB

MD5
8e371e1ebc239bf1ffe8fee211a62f92

SHA1
345965d93cccce1e7c2159ee8473c1a59b783ab4

SHA256
45399021b1dc69ae26dde6abb109009c5bab6d701a2f6abb7e679a639b1dafee

SHA512
9f955dfb6912092836f64fd8e698068a86d250ea8aec60058ca24db6ae77dcfbf67d3ddb01053eb9f443011b6f91d44b20a5ff8faed22d3b79dcdf0ea22bea4f

Download Submit
C:\Windows\SysWOW64\Bjfogbjb.exe

Filesize
45KB

MD5
ad4691e33a66282ba5c87aef653bf437

SHA1
597c147a365860af849be04de9bcf1216cb779c0

SHA256
ca05dba3fe526fdbadbbd3b2156dc146be41a2f0825c22e632be9bfe9e911266

SHA512
d3927346b2f2cb694b7bdefa5e3de93dab0f881f16f7d9a0b61d99a0ccc51c038bf032192259b6fa9a0d0629af31347a888c16aa660db166ac7e66ea5205f115

Download Submit
C:\Windows\SysWOW64\Bmbnnn32.exe

Filesize
45KB

MD5
f060daedaf8e46364aa7a3926ab28d6f

SHA1
2054334b4a85fba5141f294af43ddcba5f7f5828

SHA256
c8de7778b7e917494504e22ff80b7dd484b81b5925c2c10895d0b4b286d68232

SHA512
8b5339838aea2e88ee13507255c2ff330026da7c94f5ff0dad1e309c150b614fc7ff159c6a5e3cb6d8a3c5e134945b70109cb8d57801651250664181b7319237

Download Submit
C:\Windows\SysWOW64\Bmidnm32.exe

Filesize
45KB

MD5
ddd5c228c5f1dcfad542a5c641cc1259

SHA1
be0589fc7bd4fae05baba3558ec26a1c9f8c65bc

SHA256
002d0d94a6e95cb038c90b89cdb236f272ddb08c73a9c66e2f2bad253c3bf006

SHA512
ddfc45ab82739924ab45dd2a3fb40332fbf3831ab2b0d1b732a937e112934472db5075203c38e5483a2fd3bef6e5c45daeb7fee66977b8acde352311f644022e

Download Submit
C:\Windows\SysWOW64\Bpedeiff.exe

Filesize
45KB

MD5
d5bf0d29cbdee040532d5d09dcf4b3a4

SHA1
96369d434bad07386e5954b955bf160a714578ee

SHA256
7bb3a9fdacf2e026c009a4bf88baf4280cebf34b5410358be1647749219a65ae

SHA512
fd8aba2028335565cfd243b65fd3d7580e636e6a31752ea742d20a4f50ab0a9153cf64b0b21b58af5d27628e3a5cb6e8b8228c81ec33ae47c21718430af9712c

Download Submit
C:\Windows\SysWOW64\Bpjmph32.exe

Filesize
45KB

MD5
3bff485ee490dd43c23ca09346385f88

SHA1
661ea79b18bb4fc68b7160be32d47955211e08e8

SHA256
393509a7f48deb232a3c67bec54e3155bf2f3249d32641f2638fdcabb4bb6fd3

SHA512
c74131941c436c6f1f3e8e191740a8cd026dd708c5e57b5eedbd2748fe7aca4a38d6807b83fce93e6cc49d8c6c98df0d6eed97a5e3ec9afb2f62da538c0706e3

Download Submit
C:\Windows\SysWOW64\Dncpkjoc.exe

Filesize
45KB

MD5
1d010e82f69a9f1c047db1772ba69f58

SHA1
f3c7ff38c665e1d5511ba3eed33f2bced56e6877

SHA256
6a511ee0ded01a88d4901c39a1c5798b90706f976e62d86c1f3e446ac99cd11b

SHA512
827bc542b76d47e915c2de4bb6418ddc2e0e148d9517274d5091d2e52573059bcb1466b43c5386732e2708414d079241dd2331b734dbd6021b1a8bc87359ee6f

Download Submit
C:\Windows\SysWOW64\Eddnic32.exe

Filesize
45KB

MD5
e827c4fd3819b2dabfd2ed85737a394b

SHA1
53d298673b5272a4708ce4dddde7e93443c250b8

SHA256
79873878402e2f26c7d7848989c529ca8b81ac5cfed9b988a06fd42e65856453

SHA512
42bd707c18e5e6e3d4df2f82f82cf44fc6f1b1c0b3c40a54fa300411988f0ad636de3210966ab60b69902e2e3fd7f01e41db564a27dd417bae90981e8fd15956

Download Submit
C:\Windows\SysWOW64\Egnajocq.exe

Filesize
45KB

MD5
ebcd9b21afdecf5af1469648887593c9

SHA1
b5e84d8fcb3fb74de37a2d216b0a8c9c37807756

SHA256
f5d780cbfb84824abae324a40a28ccd04c949445c72dcbfe028267e6719c860b

SHA512
c0bd6728165936cdbdeeb93ad03ef8c3282396885e420715e34cd5c4ec4fe5025fda041cab91c6f9122bc7af3b9b82ff41f0fc8ea3e369b8e855e14be7f1816c

Download Submit
C:\Windows\SysWOW64\Fjeplijj.exe

Filesize
45KB

MD5
b5deb6397b66e7be15793ba007f8da19

SHA1
cb894e0e8c0667c2df2650e1063c74fbf2c1dbf7

SHA256
7e265005801549024534ca564b590ea7e6f92481e0d5eb71bdf21c1911ca8fb6

SHA512
dc4248162c836ce02d3809ff83864063782ae679d377c5a66e9644f6bbd2dd4111ec8679e446b3b4c9f8241396baf0c56330c08206a6b137b735b51fe0408f6d

Download Submit
C:\Windows\SysWOW64\Fqikob32.exe

Filesize
45KB

MD5
2c78558965c716ba9977131a30225028

SHA1
225576f68d55d4e2d92d1a8aa6d7b18c8c4a6550

SHA256
ef47bb0109a39a335790c2edce55479ded5e77f99bc8e0666c1f50112dc3dfa5

SHA512
398a8f3d67617d7eb47ca4e4ecfe55e67f1d6db83a4802192c0e7c8aba73807d6fcfd54c5ca68339eba592eacf0ab897c7b8e7c30d5a9e8b56dfc843b245f0c1

Download Submit
C:\Windows\SysWOW64\Gqkhda32.exe

Filesize
45KB

MD5
01bbfce4a47f691c4587bd783fda8cc0

SHA1
276aec3ba39c8aa7a7d672490fcf767c482b5c88

SHA256
4f1d4675d3ad84e75d34fa30601432e70f99f7af6e335365a5a3ea3cb3cb5b27

SHA512
dec38726339a53cc452edefe8d5c89df529578aea24e398b94dc983ef378b16cbdceed09f260ad05583271779a2125bb17b4cc245f8f34cc609bc450f8dc5792

Download Submit
C:\Windows\SysWOW64\Qbonoghb.exe

Filesize
45KB

MD5
390b638c6da472346d474131686dd299

SHA1
e3023c7b69d5fc3531c0c69c9e35b10e9751372b

SHA256
c52ac3bda47482ce6f75130f804427f82021fbd420064bfa4e60550f6656f7f6

SHA512
cbfa0c1459fe0190962506505a6357d5ac09e72b54f83c169c291d1e4c951aad87795c115d2bc10a02f0e962a80675434e594dd74604cbe7c9b849cb437fd4ee

Download Submit
C:\Windows\SysWOW64\Qfmfefni.exe

Filesize
45KB

MD5
66f001a1a523f29002eba9d3ebe8d67b

SHA1
86998a6a6cb652ae18bf0f587b2997acf2993aa0

SHA256
5f73f25c635fcc7e5d50ce347254614d880d852f51d5b114fa023c6e6538eeca

SHA512
13fba5efe21d7f6819c4801be8b96f1be449aab20c7809d6206bcd37b5c903739d4ff398de5ddaa793ea3320c6d6486e8fef12d7d7aed38c808c98005f0cc6cb

Download Submit
C:\Windows\SysWOW64\Qmdblp32.exe

Filesize
45KB

MD5
83a2b170f554abdd147772ab8d996e8b

SHA1
94adabda5679ecd6b261712c51ce5a1abf0aa24b

SHA256
4c88bd93703d4010233ae833e8110fe3c593b1efd3413b64c0c39456b7fd794a

SHA512
b58033d2eac0e9e0baae11f5086555e5a0f2f075128f700951c370217b2cf7a420122346bbafcbc0a835c44281e0b24e9e55449a41747fdc4035e0d35b99184a

Download Submit
C:\Windows\SysWOW64\Qpbnhl32.exe

Filesize
45KB

MD5
ba15e21a2df21267bde672481167f1ab

SHA1
0ac2707041f927c15fd61e5dbe8adf9b2c4db451

SHA256
ed78a097fb23c603a5ebc474c2fe411192d31fa2298d22f04ec534ab175ef09c

SHA512
8c6a38c03c57768f71e4e11afe49e4ac477939536aebad72bc327b7aa7c464210eed1a8c3722668363327c87caa04ed38edfd6239e7f6d038730bea570cb512d

Download Submit
memory/8-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/448-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/548-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/924-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/952-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1064-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1080-120-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1116-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1136-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1204-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1372-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1432-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1580-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1748-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1792-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1892-551-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1892-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2124-284-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2204-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2216-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2260-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2300-544-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2300-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2412-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2540-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2568-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2568-579-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2576-572-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2576-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2664-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2792-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2824-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2968-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3224-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3292-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3324-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3384-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3488-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3528-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3568-398-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3700-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3704-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3704-558-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3812-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3860-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3904-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3956-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3980-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4024-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4060-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4136-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4136-565-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4148-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4204-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4228-593-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4228-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4240-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4276-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4368-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4400-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4416-296-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4476-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4480-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4524-586-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4524-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4564-240-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4796-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4840-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4888-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4912-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4928-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5132-442-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5148-587-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5172-448-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5212-454-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5220-594-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5252-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5292-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5332-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5372-478-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5416-484-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5468-490-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5512-496-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5560-506-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5604-508-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5644-514-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5716-520-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5776-526-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5820-532-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5860-538-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5900-545-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5944-552-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5988-559-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6032-566-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6076-573-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6120-580-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads