862855a5c97f7cb774da29a85be5e15692785ae01e5002836230bfaf6a29f485

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
02-09-2024 00:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

862855a5c97f7cb774da29a85be5e15692785ae01e5002836230bfaf6a29f485.exe
Size

96KB
MD5

cbac207565fa2b4de3ee78c6964520eb
SHA1

8c0f9c01c3d795fe153fa7c0ecd57247ff30f69f
SHA256

862855a5c97f7cb774da29a85be5e15692785ae01e5002836230bfaf6a29f485
SHA512

bd30031ab32c8934cc836857de3220e0bf94e29b284c72f0711f52434a0b9b74cfd5a5de5e5fddeff8488e74aeff301fd0a11e110438868a4d2a7c74fdaa909e
SSDEEP

1536:FCp1pcD+eQTWex+s29FbL6XQlUY1zmJFSv/jPbP3259WFFfUN1Avhw6JCMd:IRcD+eQ9xkxztzmJFSHnPm59WFFfUrQz

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Epcddopf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emgdmc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fllaopcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fllaopcg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efoifiep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdpdnpif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Doqkpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Embkbdce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dnjalhpp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebcmfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ebcmfj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbfjkj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlpbna32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dqddmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dnhefh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmmbge32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnofaf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clnehado.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhndnpnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnofaf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clkicbfa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmmbge32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bafhff32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dqfabdaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ecjgio32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bceeqi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkcfjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dbadagln.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efjpkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfjkphjd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjjpag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgnminke.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnhefh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnjalhpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bggjjlnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cffjagko.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eifobe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecjgio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eepmlf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bihgmdih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caokmd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccgnelll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eepmlf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkqiek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bkcfjk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkbbinig.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgnminke.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enmnahnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	862855a5c97f7cb774da29a85be5e15692785ae01e5002836230bfaf6a29f485.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Blkmdodf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cppobaeb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dboglhna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eiilge32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caokmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Enmnahnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Efjpkj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boeoek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dqddmd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbchkime.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blkmdodf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eqkjmcmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bceeqi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epcddopf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Faijggao.exe

Executes dropped EXE 58 IoCs

pid	Process
2160	Bfjkphjd.exe
2712	Bihgmdih.exe
2864	Boeoek32.exe
2968	Bhndnpnp.exe
2584	Bbchkime.exe
332	Bafhff32.exe
1144	Blkmdodf.exe
2532	Bceeqi32.exe
2068	Bedamd32.exe
1512	Bkqiek32.exe
2052	Bnofaf32.exe
2264	Bggjjlnb.exe
868	Bkcfjk32.exe
2224	Cppobaeb.exe
3020	Chggdoee.exe
2396	Caokmd32.exe
2132	Cdngip32.exe
2064	Cjjpag32.exe
2288	Cdpdnpif.exe
2380	Clkicbfa.exe
2292	Cojeomee.exe
1076	Cceapl32.exe
2348	Clnehado.exe
2280	Ccgnelll.exe
1580	Cffjagko.exe
2768	Dlpbna32.exe
2560	Dkbbinig.exe
2692	Doqkpl32.exe
2580	Dboglhna.exe
2676	Dkgldm32.exe
3032	Dbadagln.exe
1288	Dqddmd32.exe
1632	Dgnminke.exe
2896	Dnhefh32.exe
2592	Dqfabdaf.exe
1620	Dnjalhpp.exe
2448	Dmmbge32.exe
536	Enmnahnm.exe
2112	Eqkjmcmq.exe
1624	Ecjgio32.exe
2916	Eifobe32.exe
1368	Embkbdce.exe
964	Efjpkj32.exe
1572	Eiilge32.exe
2424	Epcddopf.exe
2412	Ebappk32.exe
3008	Efmlqigc.exe
1328	Eepmlf32.exe
2004	Emgdmc32.exe
2788	Elieipej.exe
2644	Ebcmfj32.exe
2736	Efoifiep.exe
2776	Einebddd.exe
2600	Fllaopcg.exe
2980	Fbfjkj32.exe
848	Faijggao.exe
2180	Fipbhd32.exe
1056	Flnndp32.exe

Loads dropped DLL 64 IoCs

pid	Process
3016	862855a5c97f7cb774da29a85be5e15692785ae01e5002836230bfaf6a29f485.exe
3016	862855a5c97f7cb774da29a85be5e15692785ae01e5002836230bfaf6a29f485.exe
2160	Bfjkphjd.exe
2160	Bfjkphjd.exe
2712	Bihgmdih.exe
2712	Bihgmdih.exe
2864	Boeoek32.exe
2864	Boeoek32.exe
2968	Bhndnpnp.exe
2968	Bhndnpnp.exe
2584	Bbchkime.exe
2584	Bbchkime.exe
332	Bafhff32.exe
332	Bafhff32.exe
1144	Blkmdodf.exe
1144	Blkmdodf.exe
2532	Bceeqi32.exe
2532	Bceeqi32.exe
2068	Bedamd32.exe
2068	Bedamd32.exe
1512	Bkqiek32.exe
1512	Bkqiek32.exe
2052	Bnofaf32.exe
2052	Bnofaf32.exe
2264	Bggjjlnb.exe
2264	Bggjjlnb.exe
868	Bkcfjk32.exe
868	Bkcfjk32.exe
2224	Cppobaeb.exe
2224	Cppobaeb.exe
3020	Chggdoee.exe
3020	Chggdoee.exe
2396	Caokmd32.exe
2396	Caokmd32.exe
2132	Cdngip32.exe
2132	Cdngip32.exe
2064	Cjjpag32.exe
2064	Cjjpag32.exe
2288	Cdpdnpif.exe
2288	Cdpdnpif.exe
2380	Clkicbfa.exe
2380	Clkicbfa.exe
2292	Cojeomee.exe
2292	Cojeomee.exe
1076	Cceapl32.exe
1076	Cceapl32.exe
2348	Clnehado.exe
2348	Clnehado.exe
2280	Ccgnelll.exe
2280	Ccgnelll.exe
1580	Cffjagko.exe
1580	Cffjagko.exe
2768	Dlpbna32.exe
2768	Dlpbna32.exe
2560	Dkbbinig.exe
2560	Dkbbinig.exe
2692	Doqkpl32.exe
2692	Doqkpl32.exe
2580	Dboglhna.exe
2580	Dboglhna.exe
2676	Dkgldm32.exe
2676	Dkgldm32.exe
3032	Dbadagln.exe
3032	Dbadagln.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Blkmdodf.exe	Bafhff32.exe
File created	C:\Windows\SysWOW64\Mlanmb32.dll	Ccgnelll.exe
File created	C:\Windows\SysWOW64\Oomjld32.dll	Eiilge32.exe
File created	C:\Windows\SysWOW64\Emgdmc32.exe	Eepmlf32.exe
File opened for modification	C:\Windows\SysWOW64\Flnndp32.exe	Fipbhd32.exe
File created	C:\Windows\SysWOW64\Fipbhd32.exe	Faijggao.exe
File opened for modification	C:\Windows\SysWOW64\Bkcfjk32.exe	Bggjjlnb.exe
File created	C:\Windows\SysWOW64\Ngeogk32.dll	Bggjjlnb.exe
File created	C:\Windows\SysWOW64\Chggdoee.exe	Cppobaeb.exe
File opened for modification	C:\Windows\SysWOW64\Dnhefh32.exe	Dgnminke.exe
File created	C:\Windows\SysWOW64\Elieipej.exe	Emgdmc32.exe
File created	C:\Windows\SysWOW64\Dgnminke.exe	Dqddmd32.exe
File created	C:\Windows\SysWOW64\Ebappk32.exe	Epcddopf.exe
File created	C:\Windows\SysWOW64\Efoifiep.exe	Ebcmfj32.exe
File created	C:\Windows\SysWOW64\Bfjkphjd.exe	862855a5c97f7cb774da29a85be5e15692785ae01e5002836230bfaf6a29f485.exe
File opened for modification	C:\Windows\SysWOW64\Bfjkphjd.exe	862855a5c97f7cb774da29a85be5e15692785ae01e5002836230bfaf6a29f485.exe
File opened for modification	C:\Windows\SysWOW64\Bhndnpnp.exe	Boeoek32.exe
File created	C:\Windows\SysWOW64\Mgaajh32.dll	Bafhff32.exe
File opened for modification	C:\Windows\SysWOW64\Clkicbfa.exe	Cdpdnpif.exe
File created	C:\Windows\SysWOW64\Fpkljm32.dll	Einebddd.exe
File opened for modification	C:\Windows\SysWOW64\Dboglhna.exe	Doqkpl32.exe
File created	C:\Windows\SysWOW64\Dmmbge32.exe	Dnjalhpp.exe
File created	C:\Windows\SysWOW64\Acpchmhl.dll	Dnjalhpp.exe
File created	C:\Windows\SysWOW64\Faijggao.exe	Fbfjkj32.exe
File created	C:\Windows\SysWOW64\Glgkjp32.dll	Dmmbge32.exe
File opened for modification	C:\Windows\SysWOW64\Enmnahnm.exe	Dmmbge32.exe
File created	C:\Windows\SysWOW64\Fbfjkj32.exe	Fllaopcg.exe
File opened for modification	C:\Windows\SysWOW64\Ccgnelll.exe	Clnehado.exe
File created	C:\Windows\SysWOW64\Ojdlmb32.dll	Dqfabdaf.exe
File created	C:\Windows\SysWOW64\Gnngnk32.dll	Eqkjmcmq.exe
File created	C:\Windows\SysWOW64\Bhndnpnp.exe	Boeoek32.exe
File created	C:\Windows\SysWOW64\Fkbhkj32.dll	Bceeqi32.exe
File opened for modification	C:\Windows\SysWOW64\Bkqiek32.exe	Bedamd32.exe
File opened for modification	C:\Windows\SysWOW64\Chggdoee.exe	Cppobaeb.exe
File created	C:\Windows\SysWOW64\Cojeomee.exe	Clkicbfa.exe
File opened for modification	C:\Windows\SysWOW64\Eifobe32.exe	Ecjgio32.exe
File opened for modification	C:\Windows\SysWOW64\Efoifiep.exe	Ebcmfj32.exe
File created	C:\Windows\SysWOW64\Bihgmdih.exe	Bfjkphjd.exe
File opened for modification	C:\Windows\SysWOW64\Cceapl32.exe	Cojeomee.exe
File opened for modification	C:\Windows\SysWOW64\Dbadagln.exe	Dkgldm32.exe
File opened for modification	C:\Windows\SysWOW64\Eiilge32.exe	Efjpkj32.exe
File created	C:\Windows\SysWOW64\Efmlqigc.exe	Ebappk32.exe
File created	C:\Windows\SysWOW64\Dkbbinig.exe	Dlpbna32.exe
File created	C:\Windows\SysWOW64\Doqkpl32.exe	Dkbbinig.exe
File created	C:\Windows\SysWOW64\Nlaaie32.dll	Ebappk32.exe
File opened for modification	C:\Windows\SysWOW64\Doqkpl32.exe	Dkbbinig.exe
File opened for modification	C:\Windows\SysWOW64\Dqddmd32.exe	Dbadagln.exe
File created	C:\Windows\SysWOW64\Nmkmnp32.dll	Efoifiep.exe
File created	C:\Windows\SysWOW64\Imcplf32.dll	Bihgmdih.exe
File created	C:\Windows\SysWOW64\Bkqiek32.exe	Bedamd32.exe
File created	C:\Windows\SysWOW64\Bnofaf32.exe	Bkqiek32.exe
File opened for modification	C:\Windows\SysWOW64\Dlpbna32.exe	Cffjagko.exe
File created	C:\Windows\SysWOW64\Bafmhm32.dll	Cffjagko.exe
File created	C:\Windows\SysWOW64\Fiakeijo.dll	Fllaopcg.exe
File created	C:\Windows\SysWOW64\Efjpkj32.exe	Embkbdce.exe
File created	C:\Windows\SysWOW64\Epcddopf.exe	Eiilge32.exe
File created	C:\Windows\SysWOW64\Dccpbd32.dll	Bfjkphjd.exe
File created	C:\Windows\SysWOW64\Bggjjlnb.exe	Bnofaf32.exe
File opened for modification	C:\Windows\SysWOW64\Cdpdnpif.exe	Cjjpag32.exe
File created	C:\Windows\SysWOW64\Clkicbfa.exe	Cdpdnpif.exe
File created	C:\Windows\SysWOW64\Nliqma32.dll	Cojeomee.exe
File created	C:\Windows\SysWOW64\Dkgldm32.exe	Dboglhna.exe
File opened for modification	C:\Windows\SysWOW64\Efjpkj32.exe	Embkbdce.exe
File opened for modification	C:\Windows\SysWOW64\Emgdmc32.exe	Eepmlf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2616	1056	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 59 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bihgmdih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnofaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Faijggao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbchkime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bceeqi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caokmd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eifobe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efjpkj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjjpag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbadagln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dqfabdaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Elieipej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fipbhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bggjjlnb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bedamd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chggdoee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdngip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cojeomee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkbbinig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efmlqigc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdpdnpif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlpbna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flnndp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnhefh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eepmlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	862855a5c97f7cb774da29a85be5e15692785ae01e5002836230bfaf6a29f485.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blkmdodf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffjagko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmmbge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eiilge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfjkphjd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccgnelll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecjgio32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Einebddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bafhff32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgnminke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Embkbdce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epcddopf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebcmfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fllaopcg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clkicbfa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dboglhna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbfjkj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cceapl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhndnpnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkcfjk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkgldm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnjalhpp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cppobaeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doqkpl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebappk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkqiek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clnehado.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dqddmd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enmnahnm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqkjmcmq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efoifiep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boeoek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Emgdmc32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Einebddd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dccpbd32.dll"	Bfjkphjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bkqiek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cojeomee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cffjagko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Enmnahnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dqfabdaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Epcddopf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	862855a5c97f7cb774da29a85be5e15692785ae01e5002836230bfaf6a29f485.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiheodlg.dll"	Cceapl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Malbbh32.dll"	Dboglhna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dnhefh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enoinika.dll"	Dnhefh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Efjpkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Boeoek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngeogk32.dll"	Bggjjlnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkbbinig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eqkjmcmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eqkjmcmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cabcdq32.dll"	Bhndnpnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Caokmd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjjpag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ccgnelll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eiilge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhejoigh.dll"	Dkgldm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eifobe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Embkbdce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ebappk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipoidefp.dll"	Cppobaeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjjpag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dlpbna32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	862855a5c97f7cb774da29a85be5e15692785ae01e5002836230bfaf6a29f485.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfjkphjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bihgmdih.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bkqiek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klqddq32.dll"	Bnofaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Doqkpl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dboglhna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlaaie32.dll"	Ebappk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Efmlqigc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fllaopcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cppobaeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igkdaemk.dll"	Cdngip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcphaglh.dll"	Doqkpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okobem32.dll"	Dgnminke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Enmnahnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dbadagln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Emgdmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fbfjkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cefllkej.dll"	Blkmdodf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bceeqi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cojeomee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cceapl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cceapl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Faijggao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fipbhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dqddmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dljfocan.dll"	Boeoek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aankboko.dll"	Cjjpag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acnkmfoc.dll"	Clkicbfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Clkicbfa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkgldm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bceeqi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgnminke.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 2160	3016	862855a5c97f7cb774da29a85be5e15692785ae01e5002836230bfaf6a29f485.exe	30
PID 3016 wrote to memory of 2160	3016	862855a5c97f7cb774da29a85be5e15692785ae01e5002836230bfaf6a29f485.exe	30
PID 3016 wrote to memory of 2160	3016	862855a5c97f7cb774da29a85be5e15692785ae01e5002836230bfaf6a29f485.exe	30
PID 3016 wrote to memory of 2160	3016	862855a5c97f7cb774da29a85be5e15692785ae01e5002836230bfaf6a29f485.exe	30
PID 2160 wrote to memory of 2712	2160	Bfjkphjd.exe	31
PID 2160 wrote to memory of 2712	2160	Bfjkphjd.exe	31
PID 2160 wrote to memory of 2712	2160	Bfjkphjd.exe	31
PID 2160 wrote to memory of 2712	2160	Bfjkphjd.exe	31
PID 2712 wrote to memory of 2864	2712	Bihgmdih.exe	32
PID 2712 wrote to memory of 2864	2712	Bihgmdih.exe	32
PID 2712 wrote to memory of 2864	2712	Bihgmdih.exe	32
PID 2712 wrote to memory of 2864	2712	Bihgmdih.exe	32
PID 2864 wrote to memory of 2968	2864	Boeoek32.exe	33
PID 2864 wrote to memory of 2968	2864	Boeoek32.exe	33
PID 2864 wrote to memory of 2968	2864	Boeoek32.exe	33
PID 2864 wrote to memory of 2968	2864	Boeoek32.exe	33
PID 2968 wrote to memory of 2584	2968	Bhndnpnp.exe	34
PID 2968 wrote to memory of 2584	2968	Bhndnpnp.exe	34
PID 2968 wrote to memory of 2584	2968	Bhndnpnp.exe	34
PID 2968 wrote to memory of 2584	2968	Bhndnpnp.exe	34
PID 2584 wrote to memory of 332	2584	Bbchkime.exe	35
PID 2584 wrote to memory of 332	2584	Bbchkime.exe	35
PID 2584 wrote to memory of 332	2584	Bbchkime.exe	35
PID 2584 wrote to memory of 332	2584	Bbchkime.exe	35
PID 332 wrote to memory of 1144	332	Bafhff32.exe	36
PID 332 wrote to memory of 1144	332	Bafhff32.exe	36
PID 332 wrote to memory of 1144	332	Bafhff32.exe	36
PID 332 wrote to memory of 1144	332	Bafhff32.exe	36
PID 1144 wrote to memory of 2532	1144	Blkmdodf.exe	37
PID 1144 wrote to memory of 2532	1144	Blkmdodf.exe	37
PID 1144 wrote to memory of 2532	1144	Blkmdodf.exe	37
PID 1144 wrote to memory of 2532	1144	Blkmdodf.exe	37
PID 2532 wrote to memory of 2068	2532	Bceeqi32.exe	38
PID 2532 wrote to memory of 2068	2532	Bceeqi32.exe	38
PID 2532 wrote to memory of 2068	2532	Bceeqi32.exe	38
PID 2532 wrote to memory of 2068	2532	Bceeqi32.exe	38
PID 2068 wrote to memory of 1512	2068	Bedamd32.exe	39
PID 2068 wrote to memory of 1512	2068	Bedamd32.exe	39
PID 2068 wrote to memory of 1512	2068	Bedamd32.exe	39
PID 2068 wrote to memory of 1512	2068	Bedamd32.exe	39
PID 1512 wrote to memory of 2052	1512	Bkqiek32.exe	40
PID 1512 wrote to memory of 2052	1512	Bkqiek32.exe	40
PID 1512 wrote to memory of 2052	1512	Bkqiek32.exe	40
PID 1512 wrote to memory of 2052	1512	Bkqiek32.exe	40
PID 2052 wrote to memory of 2264	2052	Bnofaf32.exe	41
PID 2052 wrote to memory of 2264	2052	Bnofaf32.exe	41
PID 2052 wrote to memory of 2264	2052	Bnofaf32.exe	41
PID 2052 wrote to memory of 2264	2052	Bnofaf32.exe	41
PID 2264 wrote to memory of 868	2264	Bggjjlnb.exe	42
PID 2264 wrote to memory of 868	2264	Bggjjlnb.exe	42
PID 2264 wrote to memory of 868	2264	Bggjjlnb.exe	42
PID 2264 wrote to memory of 868	2264	Bggjjlnb.exe	42
PID 868 wrote to memory of 2224	868	Bkcfjk32.exe	43
PID 868 wrote to memory of 2224	868	Bkcfjk32.exe	43
PID 868 wrote to memory of 2224	868	Bkcfjk32.exe	43
PID 868 wrote to memory of 2224	868	Bkcfjk32.exe	43
PID 2224 wrote to memory of 3020	2224	Cppobaeb.exe	44
PID 2224 wrote to memory of 3020	2224	Cppobaeb.exe	44
PID 2224 wrote to memory of 3020	2224	Cppobaeb.exe	44
PID 2224 wrote to memory of 3020	2224	Cppobaeb.exe	44
PID 3020 wrote to memory of 2396	3020	Chggdoee.exe	45
PID 3020 wrote to memory of 2396	3020	Chggdoee.exe	45
PID 3020 wrote to memory of 2396	3020	Chggdoee.exe	45
PID 3020 wrote to memory of 2396	3020	Chggdoee.exe	45

C:\Users\Admin\AppData\Local\Temp\862855a5c97f7cb774da29a85be5e15692785ae01e5002836230bfaf6a29f485.exe
"C:\Users\Admin\AppData\Local\Temp\862855a5c97f7cb774da29a85be5e15692785ae01e5002836230bfaf6a29f485.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Windows\SysWOW64\Bfjkphjd.exe
  C:\Windows\system32\Bfjkphjd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\SysWOW64\Bihgmdih.exe
    C:\Windows\system32\Bihgmdih.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\SysWOW64\Boeoek32.exe
      C:\Windows\system32\Boeoek32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2864
    - - C:\Windows\SysWOW64\Bhndnpnp.exe
        
        C:\Windows\system32\Bhndnpnp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2968
      - C:\Windows\SysWOW64\Bbchkime.exe
        
        C:\Windows\system32\Bbchkime.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SysWOW64\Bafhff32.exe
        
        C:\Windows\system32\Bafhff32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:332
        
        C:\Windows\SysWOW64\Blkmdodf.exe
        
        C:\Windows\system32\Blkmdodf.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\SysWOW64\Bceeqi32.exe
        
        C:\Windows\system32\Bceeqi32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\SysWOW64\Bedamd32.exe
        
        C:\Windows\system32\Bedamd32.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\SysWOW64\Bkqiek32.exe
        
        C:\Windows\system32\Bkqiek32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\SysWOW64\Bnofaf32.exe
        
        C:\Windows\system32\Bnofaf32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Bggjjlnb.exe
        
        C:\Windows\system32\Bggjjlnb.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\SysWOW64\Bkcfjk32.exe
        
        C:\Windows\system32\Bkcfjk32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Windows\SysWOW64\Cppobaeb.exe
        
        C:\Windows\system32\Cppobaeb.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\Chggdoee.exe
        
        C:\Windows\system32\Chggdoee.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\Caokmd32.exe
        
        C:\Windows\system32\Caokmd32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2396
        
        C:\Windows\SysWOW64\Cdngip32.exe
        
        C:\Windows\system32\Cdngip32.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2132
        
        C:\Windows\SysWOW64\Cjjpag32.exe
        
        C:\Windows\system32\Cjjpag32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2064
        
        C:\Windows\SysWOW64\Cdpdnpif.exe
        
        C:\Windows\system32\Cdpdnpif.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        C:\Windows\SysWOW64\Clkicbfa.exe
        
        C:\Windows\system32\Clkicbfa.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2380
        
        C:\Windows\SysWOW64\Cojeomee.exe
        
        C:\Windows\system32\Cojeomee.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Cceapl32.exe
        
        C:\Windows\system32\Cceapl32.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1076
        
        C:\Windows\SysWOW64\Clnehado.exe
        
        C:\Windows\system32\Clnehado.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Windows\SysWOW64\Ccgnelll.exe
        
        C:\Windows\system32\Ccgnelll.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2280
        
        C:\Windows\SysWOW64\Cffjagko.exe
        
        C:\Windows\system32\Cffjagko.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Dlpbna32.exe
        
        C:\Windows\system32\Dlpbna32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Dkbbinig.exe
        
        C:\Windows\system32\Dkbbinig.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2560
        
        C:\Windows\SysWOW64\Doqkpl32.exe
        
        C:\Windows\system32\Doqkpl32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2692
        
        C:\Windows\SysWOW64\Dboglhna.exe
        
        C:\Windows\system32\Dboglhna.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\Dkgldm32.exe
        
        C:\Windows\system32\Dkgldm32.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2676
        
        C:\Windows\SysWOW64\Dbadagln.exe
        
        C:\Windows\system32\Dbadagln.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\Dqddmd32.exe
        
        C:\Windows\system32\Dqddmd32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1288
        
        C:\Windows\SysWOW64\Dgnminke.exe
        
        C:\Windows\system32\Dgnminke.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Dnhefh32.exe
        
        C:\Windows\system32\Dnhefh32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2896
        
        C:\Windows\SysWOW64\Dqfabdaf.exe
        
        C:\Windows\system32\Dqfabdaf.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Dnjalhpp.exe
        
        C:\Windows\system32\Dnjalhpp.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1620
        
        C:\Windows\SysWOW64\Dmmbge32.exe
        
        C:\Windows\system32\Dmmbge32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2448
        
        C:\Windows\SysWOW64\Enmnahnm.exe
        
        C:\Windows\system32\Enmnahnm.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:536
        
        C:\Windows\SysWOW64\Eqkjmcmq.exe
        
        C:\Windows\system32\Eqkjmcmq.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2112
        
        C:\Windows\SysWOW64\Ecjgio32.exe
        
        C:\Windows\system32\Ecjgio32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1624
        
        C:\Windows\SysWOW64\Eifobe32.exe
        
        C:\Windows\system32\Eifobe32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2916
        
        C:\Windows\SysWOW64\Embkbdce.exe
        
        C:\Windows\system32\Embkbdce.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1368
        
        C:\Windows\SysWOW64\Efjpkj32.exe
        
        C:\Windows\system32\Efjpkj32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:964
        
        C:\Windows\SysWOW64\Eiilge32.exe
        
        C:\Windows\system32\Eiilge32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1572
        
        C:\Windows\SysWOW64\Epcddopf.exe
        
        C:\Windows\system32\Epcddopf.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Ebappk32.exe
        
        C:\Windows\system32\Ebappk32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2412
        
        C:\Windows\SysWOW64\Efmlqigc.exe
        
        C:\Windows\system32\Efmlqigc.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\Eepmlf32.exe
        
        C:\Windows\system32\Eepmlf32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1328
        
        C:\Windows\SysWOW64\Emgdmc32.exe
        
        C:\Windows\system32\Emgdmc32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\Elieipej.exe
        
        C:\Windows\system32\Elieipej.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2788
        
        C:\Windows\SysWOW64\Ebcmfj32.exe
        
        C:\Windows\system32\Ebcmfj32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        C:\Windows\SysWOW64\Efoifiep.exe
        
        C:\Windows\system32\Efoifiep.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2736
        
        C:\Windows\SysWOW64\Einebddd.exe
        
        C:\Windows\system32\Einebddd.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2776
        
        C:\Windows\SysWOW64\Fllaopcg.exe
        
        C:\Windows\system32\Fllaopcg.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Fbfjkj32.exe
        
        C:\Windows\system32\Fbfjkj32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2980
        
        C:\Windows\SysWOW64\Faijggao.exe
        
        C:\Windows\system32\Faijggao.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:848
        
        C:\Windows\SysWOW64\Fipbhd32.exe
        
        C:\Windows\system32\Fipbhd32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Flnndp32.exe
        
        C:\Windows\system32\Flnndp32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1056
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 140
        60⤵
        Program crash
        
        PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bfjkphjd.exe

Filesize
96KB

MD5
e9143785727ac8eb81cfff4aa97bcd51

SHA1
dff6ba004cbcf2ec978ee8edb3aad38762b58181

SHA256
2609d60579661eea103ddd0bbf607d92d48c87a2825031c652ed323aba237277

SHA512
a6f691524ab07fb59548467e152dd667366b8ca893b71bc33f9604cfeb396656bb26d557c6238d381ae97613cbd189323d5e816ee9db572feb5b6bdbe75e8d2a

Download Submit
C:\Windows\SysWOW64\Bhndnpnp.exe

Filesize
96KB

MD5
91eb9ad7031a5553fe304e56951ad3b6

SHA1
a5f136a88e7cff522819ae369a228df5e06ce3f7

SHA256
d25fcd646f850b03e32aa04ef80ecb5ae3ab6bdd4eff2f3cf18f2c25ff3a15ce

SHA512
fa7db0484a96ba7deee8656691884e4a33ae23c9f094e66977507637ad8e185eb01271f4578570f8dbe33bd7b86ea51e834bb298eac05bd1b1c54348cc0b05e0

Download Submit
C:\Windows\SysWOW64\Cabcdq32.dll

Filesize
7KB

MD5
e70a4ea709b1a329b0d153eb8dd987f4

SHA1
44bc5b21b89fdcc3b51ba55ce91796209e9d99e5

SHA256
dc6a38cb82851783fa42e5c6b20cf3d32460039eca914fae8441c5fb3cfd43a8

SHA512
f0540d989c9602ddb0985f99840cc2d6985bb4ddda505c1a7f64e5aa215485bf057f0604bac2bc0551cbd30ada31636f36bdb44095411832f3d1213f85d2adad

Download Submit
C:\Windows\SysWOW64\Cceapl32.exe

Filesize
96KB

MD5
978908a9816a556c24474662e0e83a9f

SHA1
6b003cf92bd2448b8ed77229449d6f77e2a46e1a

SHA256
ca243ff9a245a4644b150940380c078b2712aec202ebb56dec057c3c1acef04a

SHA512
191eee8efb83f0ed950b4079f4e344788297da8b7278ca8a97abb2dd4d360c922b8529a1a7b7386ef389feef843c7ed38794a0d3527de1b621797bea81f181f1

Download Submit
C:\Windows\SysWOW64\Ccgnelll.exe

Filesize
96KB

MD5
3c1904392a7d7163b23a899d1c97781c

SHA1
aed74b4a073b30aceb5902bcd791366e8da7f171

SHA256
22af16e46415e824fc51e6001293719feb57cee70266c717e3ff60ee26c36bca

SHA512
5d8bfaa24b6c95e0ce7f912287cf2176284d9df82d99a6839be6a71b41fcf3bd741bd6686ec05473b4d56c205a03062f6ec5cf6faab1bb6f702acb433771da7c

Download Submit
C:\Windows\SysWOW64\Cdngip32.exe

Filesize
96KB

MD5
91c88a6dc5e3a83a6b010053b970ccb0

SHA1
dc04ac6b747a3109039f1d8c52cfe00fac73297c

SHA256
806dae44bc5e7ea731482307025131babc35ab5fe08ca45246e415fed5718aef

SHA512
f5662a3e9c368caeb07f0fdf14ed4fe507ff0d8964382f8096c9585f26e636619a06ef7ddd0a05250b218f23abfee56ae61ed4dc98fbbd7e54c0b5bd356f6ea9

Download Submit
C:\Windows\SysWOW64\Cdpdnpif.exe

Filesize
96KB

MD5
21af5286c50d1bc14fbfe633ac1ca1c3

SHA1
fed11cced4d93db49567b6ad559967551793d8b0

SHA256
accef50b0ea67dd41db47e22ae00c867d236425a268e0342196363d8e5e96afe

SHA512
f7ba33094f78ec3cb436d13c8936a32621cec8a72a5c93452c8a890faa015993407696f0d6c1e1ef9937305f3e024d7f5fb983334a9e9c60565753fcb5d56095

Download Submit
C:\Windows\SysWOW64\Cffjagko.exe

Filesize
96KB

MD5
3b721b468fe7d71e74f168ebbec34cc8

SHA1
b755ee7ef2392e430cebb103b8ab1d1c59d56cb4

SHA256
6969e2835cda36889ed8c975fb6781332d35b1a75d48ef7b694227c119ea1a24

SHA512
307f1f8d0732aae40c15c6ca3caaa013280c3165572619c375dcbd3e88b325eefc5e2e53b30310ae610bbd72218c9e850bf463ae59fd6bd0fd68f1be8a8519d7

Download Submit
C:\Windows\SysWOW64\Cjjpag32.exe

Filesize
96KB

MD5
d8b7aab52347e6723d53642ab792c294

SHA1
51a937736879db324d2d12b798b159991c1b510e

SHA256
20309e0b7d524d8a4385ab554f083f0cae0315450aeb515ced04a297da8240ff

SHA512
d43e66f12c1c33c85bc2f661e2215caaea32dd5f15d16f937fc2f931f91165c4badfc2d3955890414baf6cdf2e3bc354c7605e96fab12dd20cb4ee3ef6d8d35a

Download Submit
C:\Windows\SysWOW64\Clkicbfa.exe

Filesize
96KB

MD5
410e53a3459d37c264a8602329f26403

SHA1
86a8988a1738caed4ed6fc28cf331f68f746703d

SHA256
9be7a184d2d17ba0d63b74637f8db70269672f6f5abe99fec4f909ad97826fe4

SHA512
cc749e94659baff95f6b645aceb89dce924af0c26af7e2585db112d4f613d206d119960a346d8a7f8fdcefaf3efb1c01d004189e9652c54e86c5f0b1d87354e8

Download Submit
C:\Windows\SysWOW64\Clnehado.exe

Filesize
96KB

MD5
1b06e65da62bcef9ec786b2ae16fca7e

SHA1
68584f9743bc307b0f7b6c1d9cdb29e08dc7093b

SHA256
879f8d5e1ac136198bc8ebdf76eee80a7a5b131faf38884d2d0a05e619dfc00a

SHA512
4e855476f6ba2badeacfe01fa2837ec33c9c90aaa8cff9b3d969fd8758920102627a456b14f11a0ebceee6c62dab23deb49e396f48b8a0d56ba796de267ebeea

Download Submit
C:\Windows\SysWOW64\Cojeomee.exe

Filesize
96KB

MD5
6023681084ab579336c08522bb414caa

SHA1
a2df6811001f224d82d18051c03f56358b7f23f9

SHA256
79d2db326ff613f5e469ca966b0a98989fb7b837d884243b96ba1efc1b00305c

SHA512
f6200790485c010f1ccbcb1ad7d4fae8acb4dc65c9d214457b04d85c508b9c93719cc11bdbd1e11f75881d25301ba118e26bb90eb163b9ee5fd7266fb9019b1b

Download Submit
C:\Windows\SysWOW64\Dbadagln.exe

Filesize
96KB

MD5
8665bc5fa33cd8834f1bfd71bfbf2f86

SHA1
e5408513f1af61ba0185ce054e17da53cc6c0cc3

SHA256
0c91fd017ad307a578eac3ed9b9e529c6196d73333e71bf9671b6a39590994d0

SHA512
7a94e9c0fe7dfcbe63098b340b329ad104bb89a3df01bad1cd460148a6b00f2a2ad93b2a3c0d7f17697b80091a0b1f393c28d2856213d9ef32b6b04bf9dac581

Download Submit
C:\Windows\SysWOW64\Dboglhna.exe

Filesize
96KB

MD5
55e09994588fdfc85134a7f4283b1dd3

SHA1
548fcc4a4c87fcf8cee9cd02be22244dfdbe546d

SHA256
d026a0ae992ae4ec18eed90e7d67f0cd9bedf01737335b38db5406ea4512d533

SHA512
dd5079532fd74031bd8105a7fe5dbbab110ad419e45bca2eb15e3fdd2ba95ad8c92f222d747b4cbebd7a3c1ad4531c0dd971788df74189f6060d011f7efbf53d

Download Submit
C:\Windows\SysWOW64\Dgnminke.exe

Filesize
96KB

MD5
c5388b3b3faba22ac897c1f5dd4c7faf

SHA1
9f09193696cf3f3e4ba36f5d330ca8a0b58de5a1

SHA256
fa033280168c7b9dea5abe03b7f88ae6685d60425f50af659170db82c77362ce

SHA512
58bda1775465099652cd825a9ba4b26ba0024336e606db25a3446f1b84d6ad058443a843d1780315615ae74e8f88868db05e08b53183a6b8d56e9065016a8b69

Download Submit
C:\Windows\SysWOW64\Dkbbinig.exe

Filesize
96KB

MD5
c3d66beb863c62647e5482526bd65ad1

SHA1
724f9a40be405a388da705ea10998e15fb41d5af

SHA256
5953da11c28910661dd18e14722545e16b4832395bce0020b5e8c7e535dd2fb7

SHA512
f3bcadaa5170a6b700c7f3309512aa9ec39f8cf492a9b3221261ab8f9fe2b28dac186258c899df5755ab680f955bd9e74a0d6ee8ec0aff2cbb1f5fc11e7e5f65

Download Submit
C:\Windows\SysWOW64\Dkgldm32.exe

Filesize
96KB

MD5
5797e5e259a624063f291aa6f942e877

SHA1
00f5403326f5c552bdd0a23948cdd55d943000fe

SHA256
7475c99f2612029500ad17267585dbd5364746f85c3d67a04b9e8caf88b176ae

SHA512
fea283dcf7bdd7fab8eb39f1fdfd2f0121db7f76b46c64de6f08f23d7ab999deae25ea879b35097e4d6f65095749b3c106d4a4a9a52b20dcba778c6197fe309f

Download Submit
C:\Windows\SysWOW64\Dlpbna32.exe

Filesize
96KB

MD5
6bb5fa72661c1fd037ea35d32db2b1f2

SHA1
741723945e2a453321d6db1471a1a90e195f4493

SHA256
bc4011af411ebc990d383a9357f2ef9e231903b4c17ac5f20323d98b01f4ca7b

SHA512
de526afb2bc1a23c7a3e44c2a0b292fd30dd3dd2fd3256c8645d198fd81e9ee62c2ee82fd0b8adeed9c4c64a22058c93b2886fe20a631db7f994c76f3755e412

Download Submit
C:\Windows\SysWOW64\Dmmbge32.exe

Filesize
96KB

MD5
0f4f8ab6ccec22af7637837703fca136

SHA1
c9309138e3d57d7c01b571b555261905391cc02e

SHA256
da67d2e3095ccda96e8e02176e9f8069527d648e102af20c6c31a99a96ca108e

SHA512
40c929ccf0af8d643b81ae39a2ca163fe0291b7cd5ccc056fa80307be875ed7bdfede1a0d9488b66895cfd5c2d58535847d596497bdd81672c37d1c8e98e9050

Download Submit
C:\Windows\SysWOW64\Dnhefh32.exe

Filesize
96KB

MD5
f32344c5afd21959085b6e4d1acac603

SHA1
aafc86d92f1436b6815513a20dc1bda3f3d7ada9

SHA256
1fb1ce1426b628f2cdb7ef43862f5d16c8254700e7a8d641b00ac1cf80a01fad

SHA512
e1670fb504da8533b88d5b658d2c5049be9ab19f6ffb3075d0f54ad23dfcdf2360d06b441fac0c58f67980d6631eb28df09ebd6ea1291c62250824bdc5cd4cfc

Download Submit
C:\Windows\SysWOW64\Dnjalhpp.exe

Filesize
96KB

MD5
31488a85431148871fa5c897159b36b2

SHA1
784454623d2a6d6af9bc6b574f6dcc1cbad14432

SHA256
26dc23a5a835a8c8ab09e136e34b5b7087cf7cb840f98e0d1a738ae194a417c5

SHA512
826937049f09742cebcb7458a45d0977609d4d78880148e54118d91bffd28dd91a14b41fe1418dd467aec9c6a42e2adf08dac0cfea1779ae71e03fef99fad542

Download Submit
C:\Windows\SysWOW64\Doqkpl32.exe

Filesize
96KB

MD5
a395fbfd0b9b01e3a7bed0073a1d66bb

SHA1
d28414a7080ceff8ae22ac3a1fb6e5fdd28ea05d

SHA256
218896cfb5030b32953c211496246b07dd5bcafb8850a13c5a04fa3abae1347b

SHA512
d715e88fcb5d862ed8fd57393679f591f61c979e86126897a5d37d363e01a58dd6cdceb38b9303fdef2925aad1e46c9fd3e13557d35a8b420e7cc22610d2738e

Download Submit
C:\Windows\SysWOW64\Dqddmd32.exe

Filesize
96KB

MD5
0c64a931a4c498deb9327b0911cf8c38

SHA1
72f819b34f1e64288c7ffa92a86b6189a889332e

SHA256
e172546738b6ef9d5bdd526f3e45c7e8cd950e8d49c0cc6036d5913f09714f3e

SHA512
da583078c501a25f09d3c28b368629ad2493fcdab93353406ff6b0eb51861bb6c0e3c96dfd90e51a2550da16d588348dc5fa166b643aac34e8d639c25178fd7e

Download Submit
C:\Windows\SysWOW64\Dqfabdaf.exe

Filesize
96KB

MD5
cd29ab190410323cd81a4053198233b6

SHA1
47bbddef4a1d9a4abbaddcd268ffc7499c5b320f

SHA256
da4fc4064ab03d6d86976b32bcbefdccf613e7412a39213824a16367472bb360

SHA512
ad7367349362b5e5835c7bcfb82ea9dc67bfef2083ac7c01123696e0daec850ee3b50a3ca686f94d17b3e6d7bfa3e807498fbb9c0498e44e9465a531ef527626

Download Submit
C:\Windows\SysWOW64\Ebappk32.exe

Filesize
96KB

MD5
bda4dbf9c848ed5f1b5a309492bf20fc

SHA1
0eef0ce72e58562a9ab745e90c806f09ed15049b

SHA256
12f54220f66e697efee5c4d919ebf61eda57be2ccc8a5d842c2d16f133f469e9

SHA512
5eaa64bbea79fabc58875705bc212f7a0f5febef538b4dd0a94bafe1f59bbe0d36312dea55b315e6ab51ef7c69801aa8db156d7e84039501db88ec60f2ec676b

Download Submit
C:\Windows\SysWOW64\Ebcmfj32.exe

Filesize
96KB

MD5
27dbda683d00f35e1c5ef955418fed03

SHA1
a995a313cc7ee5f4e0f83c03a521c807f264c083

SHA256
32d1a16efbf7521e909073665a8823403efb8fa2f704b40538d769bda4d24ce7

SHA512
6ee8b0ac346f6dcceed1db1f52d10efdd110ef7103dd5fcd6c1a46d8c3b9d8fc41ffd6ba4209c7f5c1b8efed19d127a69d81d12fd177f7432993ae20c5445d6f

Download Submit
C:\Windows\SysWOW64\Ecjgio32.exe

Filesize
96KB

MD5
32b0b46df187af22d959902b57940de3

SHA1
539c6690358b6fdca4450bd273c4614e4b593788

SHA256
bd9ab5954d8e5b55eed94261efb85c31d233f0f6db16f79c5889d76b5124ee1c

SHA512
15eed5d85dafc80c71a6abb5a04de0baebbcf4cfc95c8d61ee46ef17737932d9ddf35fc79b2bc0b6ffd986a985f1e51be562c7ce00d034d96029bf2b54a4e205

Download Submit
C:\Windows\SysWOW64\Eepmlf32.exe

Filesize
96KB

MD5
9ea478b275e8b16f832ffbb7b3022387

SHA1
7f3bdd10bf8824697530078a338dce90bc7aff56

SHA256
12b21a07593af1a3369827b79cd2d4a007512a7db21e3f5ae8f3f4c0e144d4e5

SHA512
f63bf027df5ef3a7951dbacc32efe4eff586c0778bc4f27efd024e45baa421e42fefd9de1da62d68d79292e9c5aa2b3714e2e519a3e91a17302b9354812646e5

Download Submit
C:\Windows\SysWOW64\Efjpkj32.exe

Filesize
96KB

MD5
cabbe358ec8caef9e23deb09ce2e2c4d

SHA1
d1181bca9f334763e77585ce3134ed923a3aec12

SHA256
6df5aedd61e552f64878646316ea6fa0fd45587235d57c2106d8be4dde6aeb54

SHA512
cdd5b101eae2a62786e55bbad39d0f31f81e39fe2e7057013c0f441fc0cb77d3074330c6a456df251587d598b90d9fda76f9d62d133b8b3a175d55e52025ae4c

Download Submit
C:\Windows\SysWOW64\Efmlqigc.exe

Filesize
96KB

MD5
e54c496842518bcbb306c7c5dcd76d4b

SHA1
74decf336ea259aeff311ef27c44066cdf46e20a

SHA256
8eafe77f1db1bb5a2a75a3621d738c0354da5f09444c725f6130f4b81b0c7e51

SHA512
469deaced0aaa6fdf13ec5be1691cb0c33eabcdd489afe4c3a95b38e6871b9ea5c33cc9fd4824f0aaa2e2dddd7c0288381d3ecaafb9589d0a7d831618a5a1655

Download Submit
C:\Windows\SysWOW64\Efoifiep.exe

Filesize
96KB

MD5
2bcce6688e7ec9859e2c6fd7b7cfa9bf

SHA1
c548bfdcd7ed8827107151647575fffb9ebcc6f0

SHA256
778a4ba3213b82871956f6c5a06182546ce1bcc4cb9f419a4bf2509a8dac376b

SHA512
88cfda5247288f139281e10b130017b441efa10a2b7fe01d76e3efddb44701818abf09e434c53afc15b1f71f531f1d97ae2c72190e9b530490c6c1d2a6718f43

Download Submit
C:\Windows\SysWOW64\Eifobe32.exe

Filesize
96KB

MD5
208aab41b0a30b8d00bdf46c66903653

SHA1
eb5baae38da0a230d909924d22d385c86f7014c9

SHA256
0d11a5e978b5339d3ab53c9a228ef02c754512a762e842547bc2795189e37511

SHA512
f8dc8dafcd18c97275244b735b5857dad3609b202b227e7d546675ac93f4d13ec1a8bad606c45653d602d0eeccfe6a2a6a03fb49a27bf1d3e2e932126fa5eb7c

Download Submit
C:\Windows\SysWOW64\Eiilge32.exe

Filesize
96KB

MD5
626d941a2daf2778f3b8501db6c2c047

SHA1
80d925b235018a954e8bec10dd727fc2d59f848c

SHA256
60eee3615c7de6fcb2ce337173aa39c1ba0a9caffb7ccc04df70eafec8537355

SHA512
275d1403ffdabab39013b2438a92ba01b4af19c5ba2917cc366f466bbe8b8aedfc6981ed3b5a68b7f1e28e80a96bba1481546fc657d3881900774285b7f87be9

Download Submit
C:\Windows\SysWOW64\Einebddd.exe

Filesize
96KB

MD5
9d6b62da11c6503f5ae04c5b17d79119

SHA1
2291f7754e47a7bc6f399ced02112882966c4ce9

SHA256
a14bcce8240c1cf92085c46544c6026ab9beb0119d41fee2054aee72e13fdaa7

SHA512
769006bf9cb83ca4a518f1ebb6a540e755e786c8f8399b585d07115fe1ce8e0fe0eb92290ac50e3befb9b6eca66c64672af5f8ab0e8fcf19bb6821b74e1643ea

Download Submit
C:\Windows\SysWOW64\Elieipej.exe

Filesize
96KB

MD5
a8266e22787ab477895edebceeb14cbb

SHA1
86dd409b11cf681ab8615c3ec04d9104864097cb

SHA256
8cc1d4d4e7a25713ab31f2969cd0488affed058d9f8f640e9ba02f05b7aef835

SHA512
683b7fd46608672092d574b4721840ad8cfb6e7d58d4badec5c2465fc1ec5862dd51fb24b7451197388f87d0bb00503e5656a9cd5bcbb096fcaa8374455fb7f5

Download Submit
C:\Windows\SysWOW64\Embkbdce.exe

Filesize
96KB

MD5
a4c38730d71e8f4b291d35cc176032c0

SHA1
cf06a0b94763906a76f17d46948939d2eb84aebb

SHA256
15231d2ffbbbf8cc87ec4f41678cd4103534f771f57a64956bd6cc982434ffb1

SHA512
02c69a429fbed1312987c7aff4240e308a1744aa96917640e76a6cede3624b3311b5b59738cc7d8b71d0fdc0989ca24eed47020637fe13f1a56bdf0d2d236b8f

Download Submit
C:\Windows\SysWOW64\Emgdmc32.exe

Filesize
96KB

MD5
f3079652803b3e9e2f859fc188da25df

SHA1
f722e451b3c4c37c5bdc66ae35b0a357f19e7f64

SHA256
734f01c9f8b98dd74a777b813968a5a0cd6528a87881eab979298b16b1f66c73

SHA512
fe97c3bce7aace084dd11e2bb0c9c2763598ff677c75c43067c8a3e728f47b86607fd3e84b6d32c7aaadb821295f0070230804406ca746b7cfb29d2cdef80345

Download Submit
C:\Windows\SysWOW64\Enmnahnm.exe

Filesize
96KB

MD5
0d3f0818a0f6e1141ec1144b77aef69c

SHA1
fc4b4e22f0bbf182d263dd39a0a75f34be760300

SHA256
b8fe83e934ced0bdd330c1a9c088e02b4e976ed93ac4486c1640fe4d2df438da

SHA512
31a439c783721af6a485019a2ede0e6f6c67e6aa63ed5a991e2b1b029d38284529af12f8bce387d699ca7aeb702ebbaafde89fa90c5429408ae0711d6ac30e52

Download Submit
C:\Windows\SysWOW64\Epcddopf.exe

Filesize
96KB

MD5
fdaf6f4ad2252223bdfaab762b840d29

SHA1
5c21e573a1c1785d14cc6671d8cc7218a7b1b8a1

SHA256
44c4a1cf9bbe9d8b404ac9197c9a9a24a7da927e7a8d274213031fc5c2007572

SHA512
daae297d4a6acfd7a22fe89abb73094ae4f2428d685cc509bb2ae2c5bab360e696023d660f6864475b3be7c291491749a3c48358e38a4f81e3d97b7e3c405193

Download Submit
C:\Windows\SysWOW64\Eqkjmcmq.exe

Filesize
96KB

MD5
3242b59abb573d5af2d2838d4e61d9e9

SHA1
4f024d5b4066769235a347d457861c1550081cf8

SHA256
647ee3454863539d1d18c2b5b985e6483faa766ab32408243e88cbcdaafc2990

SHA512
3036f7086fb3e4c1b16f21ee9c59c26ac57bd00fe0e10b448926c323e34c1666576da66271d4dec1185147a356381b83bf5ad9f2abbe385173ab356c87595f40

Download Submit
C:\Windows\SysWOW64\Faijggao.exe

Filesize
96KB

MD5
ef3a7176b253f3e857c7122be2014863

SHA1
65ceba91a834512ed91aaf4ad9a47b21e91ced1b

SHA256
1d26792dc87e4b56e403bf67ea8e12ee293463c75c77e69cd3995c0e438bca41

SHA512
29a8d56e58541fa1dc1b856279363f1b6c7b6289be7d8f9b9515b1bca128fda18c7a35f55ae3af312df37fa8b4ee09d83559bc5e066de5cbd1152b665dca6dbf

Download Submit
C:\Windows\SysWOW64\Fbfjkj32.exe

Filesize
96KB

MD5
d6968a1b8ccf9cc4a2a71bbd1809ee25

SHA1
744b95bfc9e5fd3234c116060d184b52e13ff4a9

SHA256
a410c4b33530a1cbd8c41f78d67f306b930ac9c9a0bf208eb7413fcf593c1e40

SHA512
c4b5f042acc1ece8be8836014be1e9f636a1c37fa18c8a56d06274a2b803ec16a86b373c3d19f8ea2147933fdf88047ea689d265fa5e9f95565f59e3cce69ae4

Download Submit
C:\Windows\SysWOW64\Fipbhd32.exe

Filesize
96KB

MD5
5258b4acd5fbb1d90a26b0ad6cb3cec9

SHA1
ed6dba1166e46dd7d7ae744e26ca8ca7bb7fc5fe

SHA256
c8f416ea831ccdecd49925ca19226072911ffe312389b29be4b4e7c984f363bb

SHA512
ef48eb0b633a4999eeed0adaa773669284d0b36d50779d55504e5d77800b71a7ae689d0eb0e7a7336cf6a7e153da312b772f848e36839448dc2f892f85acce17

Download Submit
C:\Windows\SysWOW64\Fllaopcg.exe

Filesize
96KB

MD5
ecf787df34a2ca4274c5371af98becbe

SHA1
298bf32ccae39cf9c49be048163fe2fe2faf7c85

SHA256
9d6ba37619d20689aa45634baa23f2484cc7ebedf5bf8c9ca2867f7e6be2232f

SHA512
0ee9dd371d0c1629f222de8fa8b892e3c2c7b752a7fc3f60bb0454e800550612875443f1b2f1dd433db34f68d4f72436e1719bf2f543ef311c5333aea7ee8bfa

Download Submit
C:\Windows\SysWOW64\Flnndp32.exe

Filesize
96KB

MD5
513100661dd6ea5f33940ee9b0bc8af5

SHA1
2ce17b0ae3e3fc889174193dedd33babcfa9daba

SHA256
79ccf32166fa83e9502b887706d0026a9a43a5c56065eba1331785a3ac46eab7

SHA512
f98b979af3061da02f224ad9958627f93aafa263d607cc6d825ce97bc8de8457ed9ba10d24692a34cf11c934539d9efc5d9f32a1d48974b194caab7f1416ae8d

Download Submit
\Windows\SysWOW64\Bafhff32.exe

Filesize
96KB

MD5
f22c1ec3bb3d362d5dbbbbf65b1d0d24

SHA1
4b88f9b07a4fc7b6c7361dd0300a8cf0cc41f6e3

SHA256
34e80fcf5039f6e51a28660bf032efe3ce315c3f2cd05c963e678738ce87b17d

SHA512
883af5e1104cccf958e8ca413139cae703c3cafa127cc55c6def1d097e3a608eee1732bb8b0c1d51afbd0ae80c1039c691e3ac9e5ffb951992a9ba5c614b19cd

Download Submit
\Windows\SysWOW64\Bbchkime.exe

Filesize
96KB

MD5
1637693b63355e8768b73131cb8174a1

SHA1
e6759b8cc306a9b915087e16f99397371f74cbd8

SHA256
36f759d1b858e1d0f5eb1f9409c7af7bf2c2e269fbf197f4e1fe89bba1840ab1

SHA512
baa372b97a23f0dc2d6624a142072873025d17d2324310e3e68b1c0eb70e0f320c049d8df93c09e41766a1b60fe3272f7d4a605d68b3e116da1d305c73b4fc10

Download Submit
\Windows\SysWOW64\Bceeqi32.exe

Filesize
96KB

MD5
b86fdc45bdaab2e3b7fb2462ebb5c7fb

SHA1
79e59c93ff536a6a23db48eb17e00e2ee386673d

SHA256
05a2b6eb5ec79199dc0360f42bb68f7137161dd6b723cdacb2ec33fdfc7b8f76

SHA512
0c523f9722039e466d70aca04375fbf591b0c87d5d7801df2ab143bead755c82456735fd25de29f6ff0177223da1c9aaffdd84aae0d7a6c15393f7e4565f3c1f

Download Submit
\Windows\SysWOW64\Bedamd32.exe

Filesize
96KB

MD5
2948dafe21b301f99049154493ecfdd2

SHA1
8ae2a3eecdfd90da42bc438a48786f84a7cb5ae3

SHA256
eb1549263e3b963dfb70fea3c25bddff9b10cff41d703d95fef7260aa5381080

SHA512
6e4d09924bb37594418bc364b3884a07ae982ae4c4799cae03b2c7317aa5f6b798fe12b4f9c7f16e1207e83704115695a315f814caddb381ec7ea84a0f1357bc

Download Submit
\Windows\SysWOW64\Bggjjlnb.exe

Filesize
96KB

MD5
309a27f24475488d39914bf2b9e0e527

SHA1
1b188eab57c151ec3603dcae03fe8535fcb5728b

SHA256
758457a7b03e716d6d4fa15db258e24fdd7b6641fc22777beed05fcf02dd057f

SHA512
f56ef3dd1c0929cb49247cf3869953cc3f1c52766a8e974ae6ab2066b6ffb99cb19cfe827e996b3676bd366fe1ab87c011ec56814f9bd09a2ed4c4426404d676

Download Submit
\Windows\SysWOW64\Bihgmdih.exe

Filesize
96KB

MD5
492db3bcd9d66318ac5c60540f3977dc

SHA1
b0a13a014a66c7c2dced8884520e7f05b7d8048c

SHA256
cc32eae7d4ec7a7dbfa3c115f6bef79927fd0779607f3df73f61882ca117265b

SHA512
fb8085722089471d042026ee46d96b16dc33860921f98e062f98ed2a80ef6c53219936484e01afc53dbcfad1867669a380a6de6a6b878fda6f68a8ccd97c1556

Download Submit
\Windows\SysWOW64\Bkcfjk32.exe

Filesize
96KB

MD5
64168e5bcc5cc90c4f32f5470fd58a06

SHA1
83736821d27b33035b9176b1e5c9eb57d22434fd

SHA256
2486c428a620011bfae5092b1bbb8121a7a5120221a477e4d01bceb914ff143c

SHA512
35c78f17e31ab9e757080ae5612fdf9ed0c7e78f6ce165e57566be99298a1e6d6ca2817a2359fefeeac9cbab92a385ca749c12e521614366d3720e213cf08c43

Download Submit
\Windows\SysWOW64\Bkqiek32.exe

Filesize
96KB

MD5
678515073ef81d26b90e5fe4b52d464a

SHA1
97b8ae849f73b0db7abb5e9a6eccfeaa4d92b600

SHA256
6164b5e6977be4026f8c95e1c2eacaccdcdb4f60bdfb2decf119b3c04946a327

SHA512
04ed4d839d3c81b4cc6ab66296353871a81bd629602f9c37e8903a6f9fa4c462289443eecb5add7a96e5c4ac7e4275927f6b1f44537ab4b888f08b849fbbe05e

Download Submit
\Windows\SysWOW64\Blkmdodf.exe

Filesize
96KB

MD5
0e5ed7e86d8456ab444e7b40e524f0fb

SHA1
a66f7ca57d3d3397f881598223df56c741ea13d3

SHA256
9da8f2848ed5d59b069a595ee28627bea1686789e08d384d87c1a4e61cf71a1c

SHA512
93397b931400d0c57daa6786cde74dbaef3b787a881752aba7e1a01a571f3759036b0a7b8e2ec62a67dff7c27fa22f10ce929b28223f8662549425bf35131cb2

Download Submit
\Windows\SysWOW64\Bnofaf32.exe

Filesize
96KB

MD5
861440a07e7d0d399e2742ef695a0efd

SHA1
09ffcff41fb6af848105d5f791934299299b6ab7

SHA256
d8768fcc01861896e9a1694cf3a05df315ca2384b46090e45218551bc5646f8f

SHA512
0213d12ee6231e753a71e9eefd8b1664d9d4d4b5d8abb870ca660dfe2bac577a1bfcc1b5b2eb9e09a417734405b40b0aba3547b613086438a6d187094ba7032b

Download Submit
\Windows\SysWOW64\Boeoek32.exe

Filesize
96KB

MD5
c5c2b3584036a5e3497d99898cfda76c

SHA1
81c8b1be92fa2f5156aa0e312937c6833c2d5541

SHA256
8f2c04a366518b825a721bef1b4c7b8b9afcb318f28529eb79ee00234c524cc0

SHA512
8d0ba40eae0b573d595f333e485d69e54edaab39f17361d49b881eb887cef7f993d431a0119af1df8d765c351ab8790a9598431a072ca278a11f331c679d1902

Download Submit
\Windows\SysWOW64\Caokmd32.exe

Filesize
96KB

MD5
fb68a85286623fe1bcb86b19cbf28906

SHA1
078d587f6f8cdb8444448063e7c92cbec4e53cba

SHA256
9aac3ff82c1cd21749de152b47cd59d26858c6c60ee66a0a7e0c6745a03ca770

SHA512
b16ba8fc9a3e5f9ce5f36e17d540bf67c2ec6dc3c826a6aa680b0f77e2b89ee6f447cafd28721c10c10ba179d37320edb9002cd9adddcfd685056565c95c03e5

Download Submit
\Windows\SysWOW64\Chggdoee.exe

Filesize
96KB

MD5
bf6b545fc6c0344c98b9993be0e0cfe5

SHA1
57305494cfc47a867c10a890a21a0607ad6ffe3d

SHA256
f8141fd87ee30e44f2d87fb23c90f84ce29ee6dc8246885b161746b2559bf216

SHA512
82ab2683f937e00264d7c5e48f4efc3bcef3f20dcf720956d5550bc4ff6cf3dfb99e193e0240d0338cdb12e70fe86d553c99ce59064bba74d775df774382a0e0

Download Submit
\Windows\SysWOW64\Cppobaeb.exe

Filesize
96KB

MD5
edf801a16e52c864b419fe97f08be72d

SHA1
d2f6ee1a3fed3ba98ff662c97b9038819f276081

SHA256
d8ba58a7757648781752e2317f39b4ab12ee6dc5c7f7e116cdcd2743445cf7bc

SHA512
77bfc61dca6eb21994187f8671d5b786f16ba1f36618daecacb64565ae5581d22b5c83f2e16946ab91840fccbf6b993a8a12bc89680367aa795ad561cb93f680

Download Submit
memory/332-470-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/536-456-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/868-181-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/868-173-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/868-191-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/1076-289-0x0000000000270000-0x00000000002B1000-memory.dmp

Filesize
260KB

Download
memory/1076-279-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1076-285-0x0000000000270000-0x00000000002B1000-memory.dmp

Filesize
260KB

Download
memory/1144-102-0x0000000000280000-0x00000000002C1000-memory.dmp

Filesize
260KB

Download
memory/1144-471-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1144-94-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1288-396-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1288-397-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/1368-498-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1512-139-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1580-321-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1580-316-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1580-322-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1620-435-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1624-482-0x0000000000460000-0x00000000004A1000-memory.dmp

Filesize
260KB

Download
memory/1624-480-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1624-481-0x0000000000460000-0x00000000004A1000-memory.dmp

Filesize
260KB

Download
memory/1632-417-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/1632-402-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2052-147-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2064-240-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2064-245-0x0000000000300000-0x0000000000341000-memory.dmp

Filesize
260KB

Download
memory/2064-246-0x0000000000300000-0x0000000000341000-memory.dmp

Filesize
260KB

Download
memory/2068-121-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2068-503-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2112-461-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2132-225-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2132-234-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/2132-235-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/2160-25-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2224-201-0x00000000004C0000-0x0000000000501000-memory.dmp

Filesize
260KB

Download
memory/2224-192-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2264-165-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2280-301-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2280-320-0x0000000000310000-0x0000000000351000-memory.dmp

Filesize
260KB

Download
memory/2280-314-0x0000000000310000-0x0000000000351000-memory.dmp

Filesize
260KB

Download
memory/2288-260-0x0000000000310000-0x0000000000351000-memory.dmp

Filesize
260KB

Download
memory/2288-247-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2292-274-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2292-278-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2292-268-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2348-290-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2348-300-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2348-299-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2380-267-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/2380-263-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/2380-262-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2396-220-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2448-447-0x0000000000310000-0x0000000000351000-memory.dmp

Filesize
260KB

Download
memory/2448-440-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2532-108-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2532-496-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2560-334-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2560-344-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/2560-343-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/2580-356-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2580-365-0x0000000000300000-0x0000000000341000-memory.dmp

Filesize
260KB

Download
memory/2580-366-0x0000000000300000-0x0000000000341000-memory.dmp

Filesize
260KB

Download
memory/2584-79-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2584-455-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2584-68-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2592-428-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/2592-419-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2676-375-0x00000000005E0000-0x0000000000621000-memory.dmp

Filesize
260KB

Download
memory/2676-376-0x00000000005E0000-0x0000000000621000-memory.dmp

Filesize
260KB

Download
memory/2692-354-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2692-355-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2692-353-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2712-32-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2768-333-0x00000000002F0000-0x0000000000331000-memory.dmp

Filesize
260KB

Download
memory/2768-332-0x00000000002F0000-0x0000000000331000-memory.dmp

Filesize
260KB

Download
memory/2768-323-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2864-54-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/2864-50-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/2864-40-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2864-429-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2864-434-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/2896-418-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2916-497-0x0000000000340000-0x0000000000381000-memory.dmp

Filesize
260KB

Download
memory/2916-483-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2968-62-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/2968-441-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3016-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3016-407-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3016-413-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/3016-13-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/3016-12-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/3020-202-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3032-377-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3032-386-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/3032-387-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads