c32909e121584caa7860e89f257fa18a8ee5dddabc630653c1064761dbd5e198

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-09-2024 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e64369985af54e990a86fa6ea24b9ed0N.exe
Size

63KB
MD5

e64369985af54e990a86fa6ea24b9ed0
SHA1

9fdfaf766173506c7bc25e354973b260cae47334
SHA256

c32909e121584caa7860e89f257fa18a8ee5dddabc630653c1064761dbd5e198
SHA512

7a820a364215de885868a4565cae1b5892d62e96fe6b962d54cafc3a40c3cc5fb153b90b62e289acec8d0462b8aac97abb4f3411558ec5cc3f4dbedf2a7c2793
SSDEEP

768:43+texhzhJK/Pxa+/H4K01yGz+vkqthvEQMWxtkemCC30uIQ/1H5MYtCXdnhg20n:WuwwP4dncEQn7xGIqhKH1juIZo

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckjpacfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clilkfnb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkicn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfmdho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpbheh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Emieil32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biamilfj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bblogakg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egafleqm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cddaphkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdikkg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cghggc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enhacojl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eibbcm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkmdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckjpacfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckoilb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejobhppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ednpej32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejmebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpnbkeld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Biicik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddgjdk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eccmffjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eccmffjf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egafleqm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebjglbml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjaonpnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bifgdk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bppoqeja.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejobhppq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdikkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkcofe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biicik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cadhnmnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Behnnm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cldooj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhnmij32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqgnokip.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfcampgf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Behnnm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpbheh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enakbp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bifgdk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddgjdk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efcfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	e64369985af54e990a86fa6ea24b9ed0N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdeeqehb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgjclbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgjclbdi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e64369985af54e990a86fa6ea24b9ed0N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdgneh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cddaphkn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckafbbph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bppoqeja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdgneh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fidoim32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpnbkeld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfdjhndl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejkima32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clilkfnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cldooj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emieil32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eplkpgnh.exe

Executes dropped EXE 57 IoCs

pid	Process
2972	Bmkmdk32.exe
2716	Bdeeqehb.exe
2604	Bfcampgf.exe
2628	Biamilfj.exe
1996	Behnnm32.exe
1424	Bpnbkeld.exe
2464	Bblogakg.exe
2512	Bifgdk32.exe
2796	Bppoqeja.exe
2004	Bbokmqie.exe
2108	Biicik32.exe
2372	Ckjpacfp.exe
2536	Cadhnmnm.exe
2432	Clilkfnb.exe
2280	Cnkicn32.exe
1956	Cddaphkn.exe
108	Ckoilb32.exe
2996	Cahail32.exe
1884	Cdgneh32.exe
2216	Ckafbbph.exe
2012	Cnobnmpl.exe
916	Cdikkg32.exe
328	Cghggc32.exe
272	Cldooj32.exe
2760	Dgjclbdi.exe
2680	Dfmdho32.exe
2812	Dpbheh32.exe
2676	Djklnnaj.exe
376	Dhnmij32.exe
2428	Dfamcogo.exe
1584	Dhpiojfb.exe
2128	Dlkepi32.exe
2060	Dfdjhndl.exe
2912	Ddgjdk32.exe
2924	Dolnad32.exe
2016	Dhdcji32.exe
1784	Dkcofe32.exe
1548	Enakbp32.exe
784	Edkcojga.exe
2132	Ebodiofk.exe
2000	Ednpej32.exe
1636	Ejkima32.exe
768	Emieil32.exe
1228	Eccmffjf.exe
1468	Ejmebq32.exe
1924	Enhacojl.exe
1444	Eqgnokip.exe
1648	Egafleqm.exe
1644	Efcfga32.exe
1536	Ejobhppq.exe
2700	Eibbcm32.exe
3036	Eplkpgnh.exe
2620	Echfaf32.exe
276	Ebjglbml.exe
1624	Fjaonpnn.exe
2904	Fidoim32.exe
2044	Fkckeh32.exe

Loads dropped DLL 64 IoCs

pid	Process
2748	e64369985af54e990a86fa6ea24b9ed0N.exe
2748	e64369985af54e990a86fa6ea24b9ed0N.exe
2972	Bmkmdk32.exe
2972	Bmkmdk32.exe
2716	Bdeeqehb.exe
2716	Bdeeqehb.exe
2604	Bfcampgf.exe
2604	Bfcampgf.exe
2628	Biamilfj.exe
2628	Biamilfj.exe
1996	Behnnm32.exe
1996	Behnnm32.exe
1424	Bpnbkeld.exe
1424	Bpnbkeld.exe
2464	Bblogakg.exe
2464	Bblogakg.exe
2512	Bifgdk32.exe
2512	Bifgdk32.exe
2796	Bppoqeja.exe
2796	Bppoqeja.exe
2004	Bbokmqie.exe
2004	Bbokmqie.exe
2108	Biicik32.exe
2108	Biicik32.exe
2372	Ckjpacfp.exe
2372	Ckjpacfp.exe
2536	Cadhnmnm.exe
2536	Cadhnmnm.exe
2432	Clilkfnb.exe
2432	Clilkfnb.exe
2280	Cnkicn32.exe
2280	Cnkicn32.exe
1956	Cddaphkn.exe
1956	Cddaphkn.exe
108	Ckoilb32.exe
108	Ckoilb32.exe
2996	Cahail32.exe
2996	Cahail32.exe
1884	Cdgneh32.exe
1884	Cdgneh32.exe
2216	Ckafbbph.exe
2216	Ckafbbph.exe
2012	Cnobnmpl.exe
2012	Cnobnmpl.exe
916	Cdikkg32.exe
916	Cdikkg32.exe
328	Cghggc32.exe
328	Cghggc32.exe
272	Cldooj32.exe
272	Cldooj32.exe
2760	Dgjclbdi.exe
2760	Dgjclbdi.exe
2680	Dfmdho32.exe
2680	Dfmdho32.exe
2812	Dpbheh32.exe
2812	Dpbheh32.exe
2676	Djklnnaj.exe
2676	Djklnnaj.exe
376	Dhnmij32.exe
376	Dhnmij32.exe
2428	Dfamcogo.exe
2428	Dfamcogo.exe
1584	Dhpiojfb.exe
1584	Dhpiojfb.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dlkepi32.exe	Dhpiojfb.exe
File opened for modification	C:\Windows\SysWOW64\Enakbp32.exe	Dkcofe32.exe
File opened for modification	C:\Windows\SysWOW64\Bfcampgf.exe	Bdeeqehb.exe
File created	C:\Windows\SysWOW64\Keefji32.dll	Behnnm32.exe
File created	C:\Windows\SysWOW64\Bifgdk32.exe	Bblogakg.exe
File opened for modification	C:\Windows\SysWOW64\Clilkfnb.exe	Cadhnmnm.exe
File created	C:\Windows\SysWOW64\Mnghjbjl.dll	Cdikkg32.exe
File created	C:\Windows\SysWOW64\Cldooj32.exe	Cghggc32.exe
File opened for modification	C:\Windows\SysWOW64\Emieil32.exe	Ejkima32.exe
File created	C:\Windows\SysWOW64\Clilkfnb.exe	Cadhnmnm.exe
File created	C:\Windows\SysWOW64\Ejmmiihp.dll	Ckoilb32.exe
File created	C:\Windows\SysWOW64\Mmjale32.dll	Ednpej32.exe
File created	C:\Windows\SysWOW64\Illjbiak.dll	Eccmffjf.exe
File created	C:\Windows\SysWOW64\Bppoqeja.exe	Bifgdk32.exe
File opened for modification	C:\Windows\SysWOW64\Cnobnmpl.exe	Ckafbbph.exe
File opened for modification	C:\Windows\SysWOW64\Dfamcogo.exe	Dhnmij32.exe
File created	C:\Windows\SysWOW64\Edkcojga.exe	Enakbp32.exe
File created	C:\Windows\SysWOW64\Ckjpacfp.exe	Biicik32.exe
File opened for modification	C:\Windows\SysWOW64\Djklnnaj.exe	Dpbheh32.exe
File opened for modification	C:\Windows\SysWOW64\Ebodiofk.exe	Edkcojga.exe
File opened for modification	C:\Windows\SysWOW64\Eibbcm32.exe	Ejobhppq.exe
File created	C:\Windows\SysWOW64\Najgne32.dll	Eplkpgnh.exe
File created	C:\Windows\SysWOW64\Jaqddb32.dll	Enhacojl.exe
File opened for modification	C:\Windows\SysWOW64\Behnnm32.exe	Biamilfj.exe
File created	C:\Windows\SysWOW64\Njabih32.dll	Bpnbkeld.exe
File created	C:\Windows\SysWOW64\Dlkaflan.dll	Dpbheh32.exe
File created	C:\Windows\SysWOW64\Dfamcogo.exe	Dhnmij32.exe
File created	C:\Windows\SysWOW64\Jdjfho32.dll	Dlkepi32.exe
File created	C:\Windows\SysWOW64\Imehcohk.dll	Emieil32.exe
File opened for modification	C:\Windows\SysWOW64\Ckafbbph.exe	Cdgneh32.exe
File created	C:\Windows\SysWOW64\Cghggc32.exe	Cdikkg32.exe
File opened for modification	C:\Windows\SysWOW64\Bmkmdk32.exe	e64369985af54e990a86fa6ea24b9ed0N.exe
File opened for modification	C:\Windows\SysWOW64\Bdeeqehb.exe	Bmkmdk32.exe
File opened for modification	C:\Windows\SysWOW64\Bblogakg.exe	Bpnbkeld.exe
File created	C:\Windows\SysWOW64\Bbokmqie.exe	Bppoqeja.exe
File opened for modification	C:\Windows\SysWOW64\Cddaphkn.exe	Cnkicn32.exe
File created	C:\Windows\SysWOW64\Nmnlfg32.dll	Cahail32.exe
File created	C:\Windows\SysWOW64\Fjaonpnn.exe	Ebjglbml.exe
File created	C:\Windows\SysWOW64\Lnfhlh32.dll	Ckafbbph.exe
File opened for modification	C:\Windows\SysWOW64\Dpbheh32.exe	Dfmdho32.exe
File created	C:\Windows\SysWOW64\Ednpej32.exe	Ebodiofk.exe
File opened for modification	C:\Windows\SysWOW64\Bifgdk32.exe	Bblogakg.exe
File created	C:\Windows\SysWOW64\Cahail32.exe	Ckoilb32.exe
File created	C:\Windows\SysWOW64\Ejobhppq.exe	Efcfga32.exe
File opened for modification	C:\Windows\SysWOW64\Eplkpgnh.exe	Eibbcm32.exe
File opened for modification	C:\Windows\SysWOW64\Fjaonpnn.exe	Ebjglbml.exe
File created	C:\Windows\SysWOW64\Cadhnmnm.exe	Ckjpacfp.exe
File created	C:\Windows\SysWOW64\Mecbia32.dll	Cadhnmnm.exe
File created	C:\Windows\SysWOW64\Eaklqfem.dll	Dfamcogo.exe
File created	C:\Windows\SysWOW64\Enhacojl.exe	Ejmebq32.exe
File opened for modification	C:\Windows\SysWOW64\Bbokmqie.exe	Bppoqeja.exe
File opened for modification	C:\Windows\SysWOW64\Egafleqm.exe	Eqgnokip.exe
File created	C:\Windows\SysWOW64\Echfaf32.exe	Eplkpgnh.exe
File created	C:\Windows\SysWOW64\Ebjglbml.exe	Echfaf32.exe
File created	C:\Windows\SysWOW64\Bmkmdk32.exe	e64369985af54e990a86fa6ea24b9ed0N.exe
File created	C:\Windows\SysWOW64\Ejkima32.exe	Ednpej32.exe
File created	C:\Windows\SysWOW64\Eqgnokip.exe	Enhacojl.exe
File opened for modification	C:\Windows\SysWOW64\Fkckeh32.exe	Fidoim32.exe
File created	C:\Windows\SysWOW64\Blopagpd.dll	Dhnmij32.exe
File opened for modification	C:\Windows\SysWOW64\Dlkepi32.exe	Dhpiojfb.exe
File created	C:\Windows\SysWOW64\Dfdjhndl.exe	Dlkepi32.exe
File created	C:\Windows\SysWOW64\Khknah32.dll	Fjaonpnn.exe
File created	C:\Windows\SysWOW64\Njmggi32.dll	Edkcojga.exe
File created	C:\Windows\SysWOW64\Ejmebq32.exe	Eccmffjf.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3060	2044	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 58 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejobhppq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eibbcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfcampgf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enakbp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edkcojga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eccmffjf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djklnnaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhnmij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhpiojfb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egafleqm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Echfaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebodiofk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkckeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Behnnm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpnbkeld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cldooj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgjclbdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckoilb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnobnmpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqgnokip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fidoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bifgdk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdikkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biamilfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cghggc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e64369985af54e990a86fa6ea24b9ed0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpbheh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejkima32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enhacojl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddgjdk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkcofe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efcfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eplkpgnh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdeeqehb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cahail32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfamcogo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlkepi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ednpej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjaonpnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbokmqie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjpacfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdgneh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckafbbph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhdcji32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Emieil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebjglbml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bppoqeja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clilkfnb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkicn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfdjhndl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfmdho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dolnad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bblogakg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejmebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkmdk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biicik32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cadhnmnm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cddaphkn.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iefmgahq.dll"	Bbokmqie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnobnmpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cghggc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Enakbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eddpkh32.dll"	Bifgdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oehfcmhd.dll"	Cghggc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajfaqa32.dll"	Dhpiojfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Edkcojga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bifgdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fileil32.dll"	Djklnnaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eaklqfem.dll"	Dfamcogo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Galmmc32.dll"	Ddgjdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imehcohk.dll"	Emieil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Illjbiak.dll"	Eccmffjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahoanjcc.dll"	Eibbcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najgne32.dll"	Eplkpgnh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cghggc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eplkpgnh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckoilb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjhfbach.dll"	Cdgneh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djklnnaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hokokc32.dll"	e64369985af54e990a86fa6ea24b9ed0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdeeqehb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecbia32.dll"	Cadhnmnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejkima32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Emieil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eccmffjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdilpjih.dll"	Egafleqm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	e64369985af54e990a86fa6ea24b9ed0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keefji32.dll"	Behnnm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpnbkeld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnfhlh32.dll"	Ckafbbph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckafbbph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aphdelhp.dll"	Ejkima32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iecenlqh.dll"	Bfcampgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djklnnaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhdcji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebodiofk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eibbcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgjclbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekjajfei.dll"	Bppoqeja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bppoqeja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdjfho32.dll"	Dlkepi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejmebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	e64369985af54e990a86fa6ea24b9ed0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Behnnm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clilkfnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkcofe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebjglbml.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	e64369985af54e990a86fa6ea24b9ed0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpdcoomf.dll"	Cddaphkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cahail32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpbheh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Efcfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmkmdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhgnia32.dll"	Ejobhppq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eplkpgnh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejobhppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpnbkeld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Biicik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkicn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cahail32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Enhacojl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaqddb32.dll"	Enhacojl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 2972	2748	e64369985af54e990a86fa6ea24b9ed0N.exe	30
PID 2748 wrote to memory of 2972	2748	e64369985af54e990a86fa6ea24b9ed0N.exe	30
PID 2748 wrote to memory of 2972	2748	e64369985af54e990a86fa6ea24b9ed0N.exe	30
PID 2748 wrote to memory of 2972	2748	e64369985af54e990a86fa6ea24b9ed0N.exe	30
PID 2972 wrote to memory of 2716	2972	Bmkmdk32.exe	31
PID 2972 wrote to memory of 2716	2972	Bmkmdk32.exe	31
PID 2972 wrote to memory of 2716	2972	Bmkmdk32.exe	31
PID 2972 wrote to memory of 2716	2972	Bmkmdk32.exe	31
PID 2716 wrote to memory of 2604	2716	Bdeeqehb.exe	32
PID 2716 wrote to memory of 2604	2716	Bdeeqehb.exe	32
PID 2716 wrote to memory of 2604	2716	Bdeeqehb.exe	32
PID 2716 wrote to memory of 2604	2716	Bdeeqehb.exe	32
PID 2604 wrote to memory of 2628	2604	Bfcampgf.exe	33
PID 2604 wrote to memory of 2628	2604	Bfcampgf.exe	33
PID 2604 wrote to memory of 2628	2604	Bfcampgf.exe	33
PID 2604 wrote to memory of 2628	2604	Bfcampgf.exe	33
PID 2628 wrote to memory of 1996	2628	Biamilfj.exe	34
PID 2628 wrote to memory of 1996	2628	Biamilfj.exe	34
PID 2628 wrote to memory of 1996	2628	Biamilfj.exe	34
PID 2628 wrote to memory of 1996	2628	Biamilfj.exe	34
PID 1996 wrote to memory of 1424	1996	Behnnm32.exe	35
PID 1996 wrote to memory of 1424	1996	Behnnm32.exe	35
PID 1996 wrote to memory of 1424	1996	Behnnm32.exe	35
PID 1996 wrote to memory of 1424	1996	Behnnm32.exe	35
PID 1424 wrote to memory of 2464	1424	Bpnbkeld.exe	36
PID 1424 wrote to memory of 2464	1424	Bpnbkeld.exe	36
PID 1424 wrote to memory of 2464	1424	Bpnbkeld.exe	36
PID 1424 wrote to memory of 2464	1424	Bpnbkeld.exe	36
PID 2464 wrote to memory of 2512	2464	Bblogakg.exe	37
PID 2464 wrote to memory of 2512	2464	Bblogakg.exe	37
PID 2464 wrote to memory of 2512	2464	Bblogakg.exe	37
PID 2464 wrote to memory of 2512	2464	Bblogakg.exe	37
PID 2512 wrote to memory of 2796	2512	Bifgdk32.exe	38
PID 2512 wrote to memory of 2796	2512	Bifgdk32.exe	38
PID 2512 wrote to memory of 2796	2512	Bifgdk32.exe	38
PID 2512 wrote to memory of 2796	2512	Bifgdk32.exe	38
PID 2796 wrote to memory of 2004	2796	Bppoqeja.exe	39
PID 2796 wrote to memory of 2004	2796	Bppoqeja.exe	39
PID 2796 wrote to memory of 2004	2796	Bppoqeja.exe	39
PID 2796 wrote to memory of 2004	2796	Bppoqeja.exe	39
PID 2004 wrote to memory of 2108	2004	Bbokmqie.exe	40
PID 2004 wrote to memory of 2108	2004	Bbokmqie.exe	40
PID 2004 wrote to memory of 2108	2004	Bbokmqie.exe	40
PID 2004 wrote to memory of 2108	2004	Bbokmqie.exe	40
PID 2108 wrote to memory of 2372	2108	Biicik32.exe	41
PID 2108 wrote to memory of 2372	2108	Biicik32.exe	41
PID 2108 wrote to memory of 2372	2108	Biicik32.exe	41
PID 2108 wrote to memory of 2372	2108	Biicik32.exe	41
PID 2372 wrote to memory of 2536	2372	Ckjpacfp.exe	42
PID 2372 wrote to memory of 2536	2372	Ckjpacfp.exe	42
PID 2372 wrote to memory of 2536	2372	Ckjpacfp.exe	42
PID 2372 wrote to memory of 2536	2372	Ckjpacfp.exe	42
PID 2536 wrote to memory of 2432	2536	Cadhnmnm.exe	43
PID 2536 wrote to memory of 2432	2536	Cadhnmnm.exe	43
PID 2536 wrote to memory of 2432	2536	Cadhnmnm.exe	43
PID 2536 wrote to memory of 2432	2536	Cadhnmnm.exe	43
PID 2432 wrote to memory of 2280	2432	Clilkfnb.exe	44
PID 2432 wrote to memory of 2280	2432	Clilkfnb.exe	44
PID 2432 wrote to memory of 2280	2432	Clilkfnb.exe	44
PID 2432 wrote to memory of 2280	2432	Clilkfnb.exe	44
PID 2280 wrote to memory of 1956	2280	Cnkicn32.exe	45
PID 2280 wrote to memory of 1956	2280	Cnkicn32.exe	45
PID 2280 wrote to memory of 1956	2280	Cnkicn32.exe	45
PID 2280 wrote to memory of 1956	2280	Cnkicn32.exe	45

C:\Users\Admin\AppData\Local\Temp\e64369985af54e990a86fa6ea24b9ed0N.exe
"C:\Users\Admin\AppData\Local\Temp\e64369985af54e990a86fa6ea24b9ed0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Windows\SysWOW64\Bmkmdk32.exe
  C:\Windows\system32\Bmkmdk32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\SysWOW64\Bdeeqehb.exe
    C:\Windows\system32\Bdeeqehb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Windows\SysWOW64\Bfcampgf.exe
      C:\Windows\system32\Bfcampgf.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2604
    - - C:\Windows\SysWOW64\Biamilfj.exe
        
        C:\Windows\system32\Biamilfj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2628
      - C:\Windows\SysWOW64\Behnnm32.exe
        
        C:\Windows\system32\Behnnm32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\SysWOW64\Bpnbkeld.exe
        
        C:\Windows\system32\Bpnbkeld.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Windows\SysWOW64\Bblogakg.exe
        
        C:\Windows\system32\Bblogakg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\SysWOW64\Bifgdk32.exe
        
        C:\Windows\system32\Bifgdk32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\SysWOW64\Bppoqeja.exe
        
        C:\Windows\system32\Bppoqeja.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\SysWOW64\Bbokmqie.exe
        
        C:\Windows\system32\Bbokmqie.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\Biicik32.exe
        
        C:\Windows\system32\Biicik32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\Ckjpacfp.exe
        
        C:\Windows\system32\Ckjpacfp.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\SysWOW64\Cadhnmnm.exe
        
        C:\Windows\system32\Cadhnmnm.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\SysWOW64\Clilkfnb.exe
        
        C:\Windows\system32\Clilkfnb.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\SysWOW64\Cnkicn32.exe
        
        C:\Windows\system32\Cnkicn32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\SysWOW64\Cddaphkn.exe
        
        C:\Windows\system32\Cddaphkn.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Ckoilb32.exe
        
        C:\Windows\system32\Ckoilb32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:108
        
        C:\Windows\SysWOW64\Cahail32.exe
        
        C:\Windows\system32\Cahail32.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Cdgneh32.exe
        
        C:\Windows\system32\Cdgneh32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1884
        
        C:\Windows\SysWOW64\Ckafbbph.exe
        
        C:\Windows\system32\Ckafbbph.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Cnobnmpl.exe
        
        C:\Windows\system32\Cnobnmpl.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\Cdikkg32.exe
        
        C:\Windows\system32\Cdikkg32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:916
        
        C:\Windows\SysWOW64\Cghggc32.exe
        
        C:\Windows\system32\Cghggc32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:328
        
        C:\Windows\SysWOW64\Cldooj32.exe
        
        C:\Windows\system32\Cldooj32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:272
        
        C:\Windows\SysWOW64\Dgjclbdi.exe
        
        C:\Windows\system32\Dgjclbdi.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2760
        
        C:\Windows\SysWOW64\Dfmdho32.exe
        
        C:\Windows\system32\Dfmdho32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Windows\SysWOW64\Dpbheh32.exe
        
        C:\Windows\system32\Dpbheh32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2812
        
        C:\Windows\SysWOW64\Djklnnaj.exe
        
        C:\Windows\system32\Djklnnaj.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2676
        
        C:\Windows\SysWOW64\Dhnmij32.exe
        
        C:\Windows\system32\Dhnmij32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:376
        
        C:\Windows\SysWOW64\Dfamcogo.exe
        
        C:\Windows\system32\Dfamcogo.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2428
        
        C:\Windows\SysWOW64\Dhpiojfb.exe
        
        C:\Windows\system32\Dhpiojfb.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1584
        
        C:\Windows\SysWOW64\Dlkepi32.exe
        
        C:\Windows\system32\Dlkepi32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2128
        
        C:\Windows\SysWOW64\Dfdjhndl.exe
        
        C:\Windows\system32\Dfdjhndl.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2060
        
        C:\Windows\SysWOW64\Ddgjdk32.exe
        
        C:\Windows\system32\Ddgjdk32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\Dolnad32.exe
        
        C:\Windows\system32\Dolnad32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Windows\SysWOW64\Dhdcji32.exe
        
        C:\Windows\system32\Dhdcji32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\Dkcofe32.exe
        
        C:\Windows\system32\Dkcofe32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1784
        
        C:\Windows\SysWOW64\Enakbp32.exe
        
        C:\Windows\system32\Enakbp32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1548
        
        C:\Windows\SysWOW64\Edkcojga.exe
        
        C:\Windows\system32\Edkcojga.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:784
        
        C:\Windows\SysWOW64\Ebodiofk.exe
        
        C:\Windows\system32\Ebodiofk.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2132
        
        C:\Windows\SysWOW64\Ednpej32.exe
        
        C:\Windows\system32\Ednpej32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2000
        
        C:\Windows\SysWOW64\Ejkima32.exe
        
        C:\Windows\system32\Ejkima32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\Emieil32.exe
        
        C:\Windows\system32\Emieil32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:768
        
        C:\Windows\SysWOW64\Eccmffjf.exe
        
        C:\Windows\system32\Eccmffjf.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1228
        
        C:\Windows\SysWOW64\Ejmebq32.exe
        
        C:\Windows\system32\Ejmebq32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Enhacojl.exe
        
        C:\Windows\system32\Enhacojl.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1924
        
        C:\Windows\SysWOW64\Eqgnokip.exe
        
        C:\Windows\system32\Eqgnokip.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1444
        
        C:\Windows\SysWOW64\Egafleqm.exe
        
        C:\Windows\system32\Egafleqm.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1648
        
        C:\Windows\SysWOW64\Efcfga32.exe
        
        C:\Windows\system32\Efcfga32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\Ejobhppq.exe
        
        C:\Windows\system32\Ejobhppq.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\Eibbcm32.exe
        
        C:\Windows\system32\Eibbcm32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2700
        
        C:\Windows\SysWOW64\Eplkpgnh.exe
        
        C:\Windows\system32\Eplkpgnh.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3036
        
        C:\Windows\SysWOW64\Echfaf32.exe
        
        C:\Windows\system32\Echfaf32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2620
        
        C:\Windows\SysWOW64\Ebjglbml.exe
        
        C:\Windows\system32\Ebjglbml.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:276
        
        C:\Windows\SysWOW64\Fjaonpnn.exe
        
        C:\Windows\system32\Fjaonpnn.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1624
        
        C:\Windows\SysWOW64\Fidoim32.exe
        
        C:\Windows\system32\Fidoim32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Windows\SysWOW64\Fkckeh32.exe
        
        C:\Windows\system32\Fkckeh32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2044
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 148
        59⤵
        Program crash
        
        PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bblogakg.exe

Filesize
63KB

MD5
e459d275be248f2c5b2be9d76345e7dd

SHA1
2465da2f64b80aa7a9426ec5ee97079085da410a

SHA256
142287497e70458bdefdfa9cf4da2853ab692e98eca1049b2148343c00a8dcb2

SHA512
928339ba5aebbb2098ba7e90949e6ff5651bab08a8cac0e173857afb94a22d1344d4c1c86a7d64f30d4dfad116df057d6ca34580f4298371e32b08e942aafb81

Download Submit
C:\Windows\SysWOW64\Bdeeqehb.exe

Filesize
63KB

MD5
043d24760efee5bc2c7ce397a152d299

SHA1
712badf352c153fafef1b8cba8cb4f507d2175d2

SHA256
a08ea32fdcef02dfe4648e4e7b63b6c20bfb17f2d87710cd2185ab14e5f5444a

SHA512
0cc130cb3d699c912fcf9ae644c349f17ece122485879d08697dd2b2d01a6db770c8eeff2879ec1369682d2772a1f6e872ba222e39820ea2546a187f9fb1fdfd

Download Submit
C:\Windows\SysWOW64\Bfcampgf.exe

Filesize
63KB

MD5
7385cb07527870b87cfbac8082639204

SHA1
19eba30d5a146021b119767436669f0d5b45f746

SHA256
538434e2fb7e10fc504ef252d9e20efed62786da15f706f22a044435563a41a1

SHA512
d1dccb3760060efc016e156eca72b62a6d41444524bd239a7c30914bd5464d34eaca6fdcb2b94e4ddd801d9d8474f1fbef2766730b19577ffaae9fd2cbf2f4ae

Download Submit
C:\Windows\SysWOW64\Biicik32.exe

Filesize
63KB

MD5
c7fdcfce977c9b945ae63f72688767d6

SHA1
caef4553fa822b8f99db6c68cb047eec26558cd0

SHA256
4e17a27d9b553d62aac62e4b6311efdf18bc29d5a0457d37949980f81fad6d11

SHA512
9b38504812581468edf0bfe3d5a324e9299366501dcd42e60656b188c6be0a828e8ac7ae059d1d06eb9da034cdcef3a11478bc177e0932ee14181043fb11a861

Download Submit
C:\Windows\SysWOW64\Cahail32.exe

Filesize
63KB

MD5
d3824c35f8ad1978ec7ec487a1870fe4

SHA1
e2a0499661e3aca3062cc1148bd3fe7e110d9d1c

SHA256
5279e383d4e9e2e92ad17330f00a1e0ee3b2a835f905d9d180319e5d6d5f5334

SHA512
987cec84799e1ca7ce164b01fb80e4ac97fc1a63f255b8e12d2a161edacc7132bb4e9c3501b9129009d5c352910db21feea16a71c89089ac7ccd963088e4ef5e

Download Submit
C:\Windows\SysWOW64\Cdgneh32.exe

Filesize
63KB

MD5
3e02c61cd63abb9c09cea41988a5f60b

SHA1
56a9535b078b7429ed1748fda65f6bb42339f27a

SHA256
373701ddbcba7917c95b2c42db6a71475547a7e274a25f4839cd810b027467e7

SHA512
c3dc3779f029d7254accde74a3742d95f609292149a148c0749c72af6b0c540a7f76deef4df777a47a1e22e58586803323314d371113f5c4308970fde398a17c

Download Submit
C:\Windows\SysWOW64\Cdikkg32.exe

Filesize
63KB

MD5
b1088de33862907aa812d3980b2a09bf

SHA1
5513d6e0df3e078e6fa1a6ac8697e0b18d519ddb

SHA256
06156df4d414dc3b55f4e3285390da914c198f3707f3848d168ab09c0b0d3fd0

SHA512
0a25bdd9525959d95b121ee943b12098077baa5735f15f21dfcbb8e4738ec20e9eb284d06955714b225d27ac0c49c048cb2bdb3d5f3dfeba58d40820dd1c4722

Download Submit
C:\Windows\SysWOW64\Cghggc32.exe

Filesize
63KB

MD5
08298a77cd9cf97b0a89a32d070ac67d

SHA1
43108279cbfea6d8abba995a502898779f6473a7

SHA256
e78749da11078627fae9a5fb9d8996d7ae8362e0ed864205915ad7bf7bdf24da

SHA512
9fcfcc1560df40c10fe5575c4bf14ed0ec8eea90f35856c63c864d01bbe6343e4a0e2a0e29b76610524e46981ed8fcb5e07973a411db7f99a633eda2aa1c1cd4

Download Submit
C:\Windows\SysWOW64\Ckafbbph.exe

Filesize
63KB

MD5
c0af1386a3fbee144e0249d289e35252

SHA1
fd778cae0888ba0e39144f828da1b38b4355aae0

SHA256
ca6d3523327a7452833ad19ee38af4829b7b338e7bf77ddb8723cb088f435f4d

SHA512
fb9d9bfaf84d8f3a5f984578a33255fcbff904b61aaf805a19d01aa1304d1fe350eba5f69e1155fa3b7dee8daf44aaf479a27eb02adf5f9ecc8a30f297188b43

Download Submit
C:\Windows\SysWOW64\Ckoilb32.exe

Filesize
63KB

MD5
34c45957a8864883bc98311790b2fcbb

SHA1
87fa2594dab35931d94225c137d1c7af0ebdd037

SHA256
a49e42ac77f3499fe0fcf2aa18ff0e04f4257e647f6bfd3815c87310ab0ddc49

SHA512
39924f1bd900d0af0301a35a14ae2887b1c6f82f5dfd5063a88d084727e2c625f48273e596315a45ce150fd93a939427a078d5049e4922322aa0007c5b920258

Download Submit
C:\Windows\SysWOW64\Cldooj32.exe

Filesize
63KB

MD5
a0f3d844de14090898a34cbf5f287a5b

SHA1
7e4e10efa4a336da642417608dc0cd1393dd8e69

SHA256
77dd51957ff6a7d429b2911f9bd5d11601e16a415cfa8729b6aa2d59daac2015

SHA512
ab6bc0ba40c16884e680eb94d1cec76e840f5eac5f41d883416f7d5fb9222ec672b963ea568d0e03fccb4cdc830a31bde599a2740f93d2f3e1473019770e4810

Download Submit
C:\Windows\SysWOW64\Cnkicn32.exe

Filesize
63KB

MD5
f6845f5f2f795a8e802082db6130bdb3

SHA1
3d96774ffc02f112b611963861341633445111a9

SHA256
241734fa2424ea38d3cdfee80916b0be421b90fdfcba38b8304dc0cbbc2e31f3

SHA512
f2be675b56b94c089e942d338d1f07e54b7273b07e330ddd060d7e646f124bd5fb1dda9c01f49d7c9ae8d2071ecca23b36390f29a313593645b0e174837a3b2b

Download Submit
C:\Windows\SysWOW64\Cnobnmpl.exe

Filesize
63KB

MD5
3ca3b9cbbd3cc98c1629f264901c22df

SHA1
a7b70b697f0bf19aa85e6f6399218aa6009ba4b8

SHA256
03cddcc5da14595ca7c97cb7acb9b8308a0a8aded13f5b2b1a585d53a0f32cd7

SHA512
81ce1f993ac7ccc1961de97db1e2d6f5111a93e0b2c61117e11bc3016eb603c1eed1222b572c63f46b0b51bd7ef3d4bbb73b16863aca45af9c3a6e166b2b7f4b

Download Submit
C:\Windows\SysWOW64\Ddgjdk32.exe

Filesize
63KB

MD5
f8d80810216386756879977bd6583d6d

SHA1
e891aca9cb642e160ca92b6e1799ea5c51fb08ef

SHA256
4c5ffe6f552e4a695e845214ace1b36c9c56802f1dee2528a4816c8b2cc11b0a

SHA512
f6d77d29dd3508268989db9dafddbf14b7f472073a5dac34941afeb057a397df1d7404c8414580f3b85c5bd687c088f4e8418c74f308fb857fb6fee358afd6cc

Download Submit
C:\Windows\SysWOW64\Dfamcogo.exe

Filesize
63KB

MD5
e88b8167bc31c02dbb5e8d2d9e877ae9

SHA1
c1dd43319495fda88e300c2e6829ea4d3ed9fe0b

SHA256
e806806c3377781f15a64ec8cc44c8e59bd47f44614f6ba47c9090f1a8a6a7bf

SHA512
78bf49f141e8a513dea0c68506721263d25a26a7d601feace6ddd8a8478565ba1770ec65b639441702a5e394ea62fe2a8e50dbdf39479378f68420fb35be72e4

Download Submit
C:\Windows\SysWOW64\Dfdjhndl.exe

Filesize
63KB

MD5
2c8dd39474ac39c8f982b81617716c66

SHA1
3020cb0f8c91924f1b27d598288ae640285497ce

SHA256
a2b566ab986569d176cc5dc00d43fc14aecc79620ae7025f1b55c61d64731464

SHA512
a613604e8c52a74203ee32761ee2d707d8c25a03d05e936c3e668d899df81a0166d58e7b9ff4a1ca17f4186bdc01cfe66e55b59e880fb6d84bca4e7cc02199c8

Download Submit
C:\Windows\SysWOW64\Dfmdho32.exe

Filesize
63KB

MD5
26c7cbb0a9176901aa57329e39bd273c

SHA1
f93823e15b008a1006ae48651a4261cf25f7be63

SHA256
3a022e8f1f1d57d07e329a710c4e05f6556a1451144506660980a65920b846b6

SHA512
dafa763722fe50c4bf23bc40cd295025557fa9c44973506b4890c8728fa8f2832ef6f0a809b25e60a07b85e5b281dccf9cc1bf301847f300ba4281a3539743d0

Download Submit
C:\Windows\SysWOW64\Dgjclbdi.exe

Filesize
63KB

MD5
beb6d118a1e6dbf82d5e26c7ecbb9bb5

SHA1
7e20847e9fb022b2d7bcf8c8b7ec2e28f860ba6c

SHA256
32ac947d85297d84247185728b42a2796cc77761e6d2c9d072eb3ba003acd9f8

SHA512
c8ec9d09dc9bb34f396096280350823d11fe4e16247bf4baf04c4e57af213baa06ec6b0277b05d64c4abdeab10b129d94edbdf5e515a3c6139c317d11e61b10b

Download Submit
C:\Windows\SysWOW64\Dhdcji32.exe

Filesize
63KB

MD5
ff05c21bcba1c269a35f8a425fdbb1c2

SHA1
6a796cdb6960b89135232432f5d73d715870cd43

SHA256
c448cb493a73334f1d6978693c0d0f3705126918139326f16f618f6e69caf737

SHA512
d321deefaece90827cc97ba99fbe977ba53fc01dae49adc8e18cd0e192adc61558cceb64cafa7f1c64cdc10099f192b838d001e2ec36c288f791de66b896bfea

Download Submit
C:\Windows\SysWOW64\Dhnmij32.exe

Filesize
63KB

MD5
065e48d25eab5e98f2d6c08c95e62d0a

SHA1
3582f3743637721c93017faa1f2f5ffd40071478

SHA256
4c436c61a1121111795eef2b303ed007d4218ade547e82fb0d565eff0466bf19

SHA512
aef3642b7b41452c378f1f48eb2623dade0fda3e3ffd6d07334650f73ed73d1a4bc1ee60e5d416722d906f05f77d1f6be3d0bae307da8f09872f868d765332a8

Download Submit
C:\Windows\SysWOW64\Dhpiojfb.exe

Filesize
63KB

MD5
767bb32d157348ae2d818dfe0b39dfd1

SHA1
2a525d32d22dee44fd6e9271bb1e46ebcaa6b051

SHA256
057a317e247481c605e713d102ba213333a1bcfce0565b5858b15b263dafd9d2

SHA512
738eae5d32fd7ce15c20c0f461ae14c80b67ab413aa3184a95112e99f09a76ce7d1c3f7857c52061847e69dcbd4b611fd9a73245463e4bcc4b1553abf98b64ee

Download Submit
C:\Windows\SysWOW64\Djklnnaj.exe

Filesize
63KB

MD5
b23c8fae8c980021ac297289cec97104

SHA1
8dfe58427fd56d0d08fb7ebb26629c35dfaf8651

SHA256
ccb7773a9863fb950312fc2793386561a6d0c74f8d870f098171a19f9207c0a4

SHA512
9ab0cfd81fa0fafac1f03a32ec5562f6dba15bd972dce3b5362c066a9308f3c44fe05aabd837e0de4688bc22cd3662c599f9def52a9f2ba4b64c3456a1c152e1

Download Submit
C:\Windows\SysWOW64\Dkcofe32.exe

Filesize
63KB

MD5
03b269fdac366324db1308dc6efc161e

SHA1
bfbf2f35c99e1b98a7c153f8263000b515e025c8

SHA256
d2760c21c03e9a2f0567e49f4ddb01a47d9d1959c3c55a0e5a138dadfd4eb8a3

SHA512
3fc25a671583d4cb76d0f97b935bc3ab0939ac0ab43ef30aac453127a56d23d3d0595e014eb846a3091045101ed368329828e8c9d2bc6fbaed65643e2135416d

Download Submit
C:\Windows\SysWOW64\Dlkepi32.exe

Filesize
63KB

MD5
2f788c81a375529e0cd5dd682914aa8f

SHA1
a8a9c17b27c0c68ee285a9537c387450b24c4fec

SHA256
3c139dd016a58cb08b078341a5130760e65bd6c616f12937850af2d02a2385c0

SHA512
637e6a8ecf6036a232f0d10c39641d91d6ffd2d060709bcf20b2c419607946efde41a7cac093ae2154bd44681e56d83a3285d6c1a1a2a88ff716318063484379

Download Submit
C:\Windows\SysWOW64\Dolnad32.exe

Filesize
63KB

MD5
98cc06a928485cea44e8ed415072bc2a

SHA1
1e17ecf61ef631d4326a0a826ae29eec3e5dc313

SHA256
e4da3405b01e3a8bfeb22dd9de9fac2738bcf133ff11bdd2bd2e225b7a87bb9f

SHA512
a7116ab7117ca1646566a733719efd3bd550216954a38e5e0d4e5276ff88f641a09583c15d395c0707e7fa7351f391db04d3362088bb2b45b6ab51b3175b0e42

Download Submit
C:\Windows\SysWOW64\Dpbheh32.exe

Filesize
63KB

MD5
3f2c1183816e5c6609e99e5af8c978bd

SHA1
e65396c7d3f247992156ac2e9dc8d68364d2dfd1

SHA256
971a088e30536ca3d873afc50662e2db9ef4ed318c26859a10ecb7af837302bc

SHA512
cf441b1a4173292e9efd82d8d99382641a3eb0b4788666b1fae0b7521ea76b4887b8e5843b99616eb85d5b17c0de986fd50230713eaaed7e82bcd76655d487a5

Download Submit
C:\Windows\SysWOW64\Ebjglbml.exe

Filesize
63KB

MD5
15d251cb363d801c88016587e4d43039

SHA1
2f4be79831106e16fb608968b525693a5b302ab2

SHA256
06f25aa03ba446a63fae71c9a9f79223362920e53a17a844a09efddedf231575

SHA512
c563b138dc82d15815d6f2967627b5a0d8f014948fcacff48b80ae9e563ff11be88f68aecb94154858c654209ba4b86f8d98c9a66593b599b92403bc029b1ab0

Download Submit
C:\Windows\SysWOW64\Ebodiofk.exe

Filesize
63KB

MD5
eaac0250cf57ed7dbd84fb8a83beadf1

SHA1
751cc8c492e2466251d7874f808bbc5e8c55ce8a

SHA256
9fdc520208d6ee4acb9f40f2e37d20086954beaebf62f52e34d3ce173ec138a8

SHA512
9c19f40d2bcb11fbd0b9b7906798956835e0e10fb6ba0b897903fe164b45afaf234b74f515ba2b41d31262bbf7c212b88487af58a1e4d24f6796dfacd6a88e59

Download Submit
C:\Windows\SysWOW64\Eccmffjf.exe

Filesize
63KB

MD5
91e2fb6e1df0f8dcaf3da56d33a88d03

SHA1
aac229219c120327eb2e023c636b2f5d721ac307

SHA256
359fe269453e2b97dc53de43d3440d901bdc582dca4af37448cf18fe53f67ea4

SHA512
15e50d835a8fddbb9b47a45b332d15987f59b026a5e7de26be1168d77edd1a85421f7ebdbeac22192c4191f73b49a7d634b6f37bdb07d5ebb8b52aed01e56091

Download Submit
C:\Windows\SysWOW64\Echfaf32.exe

Filesize
63KB

MD5
5095e35236680b8ecc0517f2a6823798

SHA1
c6e1d5fa1b5248e93d4d016c5318dbb0f40b499e

SHA256
2b8bccb4ed8d0718e23eac30c387cf14e1ead6f9a9eddb22fdd8dc125a12d7b4

SHA512
b5499e2e001ddbf5b67da9556992c82582d017e7eb1800068e04dc7daaf412bb6dd73bbe15b873a8f220b11ceb1177725d0eb17dd5176b0821cd15f9586e0cb6

Download Submit
C:\Windows\SysWOW64\Edkcojga.exe

Filesize
63KB

MD5
3f14647d41f0654f93536971e38ca984

SHA1
791db236c58ca48b4c85cdc9333b268bb45450a7

SHA256
970f37f3fd9bc5c2ead902251cf290ce441c6dad107023505e47458d97b44806

SHA512
ee813c5613766375c5f05f43885741137385bf19a35e6b65847d8135a8d55385d41c39cd1902ead928140deef4d4fb99b1b9272d51382f22e2571c1f89a35f69

Download Submit
C:\Windows\SysWOW64\Ednpej32.exe

Filesize
63KB

MD5
b27652d47f2ed7ecbd59d285e2e16cca

SHA1
d785fb4d0e11cc43dea07b651606748d42c5e892

SHA256
1d594494f596d08b36406c8c10e9153aa388f6aa52919d27fb7bc364117d068d

SHA512
73d6823b8b94fe36f7c3e0bf53d200c389db11644977127cc0966286986e2b1420d71894cdaa9c6d2ce7bdb54fb0f7c82b76c4cb9a3699577b600cb82fd35570

Download Submit
C:\Windows\SysWOW64\Efcfga32.exe

Filesize
63KB

MD5
3cd585e61eca29f727b1391d731cd854

SHA1
4c2027ccaadb5a083bbf969f514c3d735cf66550

SHA256
ccaf23b0e5a5ac6dd02363a4eee758210b8899b62b8eb60e9a312958f1319352

SHA512
98c18a0abf13567c8d1fd7194e4bd4cb3f653f5f55f65f51afe9c4db937f59e81cff23aa60b51540ce8e028c205b22883ef1aaa2b35b06ab2cccd8845a18360f

Download Submit
C:\Windows\SysWOW64\Egafleqm.exe

Filesize
63KB

MD5
1cd1183c6293c32c9a687c35d535f953

SHA1
feb72342a437267b3ebb86b14659b5126686a063

SHA256
49d00ad9acd306291c55500f3935827c8e6dc64ad53ebfec61f6a6138fe6792c

SHA512
a497a229143666f25e7673d7089c18f241ab307f2af9dfbd74f87671805add7facf1ee0dfe0e8da359abe7ff6dfd73e0c2e399c971221a035391329dc090c9da

Download Submit
C:\Windows\SysWOW64\Eibbcm32.exe

Filesize
63KB

MD5
075aa04fb3b439d62e02927f7b3b86ce

SHA1
69d243982d381b1de40b06c18b9dd31e36bbfe14

SHA256
53ecc757e7252351a0847681e4a06137881b25edce9b8227ed3c62d9542e3606

SHA512
bb28861f20f79e42f7697d2766332e75a2cf460811c4cf9e319d8e5a43540fb6d6e0baea9521dbb6a0af214cd0104216e86da2e48a27dc226a6ba7844518cc6d

Download Submit
C:\Windows\SysWOW64\Ejkima32.exe

Filesize
63KB

MD5
53faac6e31aa6a9f54036b4c82cf8e97

SHA1
f1f7d88293d4ebed8011e45888bcf238557f742d

SHA256
4697b2ff532e19d0a241ce15a1a6fb177b2447c3a9afed4b703bd03124d8613f

SHA512
a9e5653342c84eb6ef839bd7cf5438016d57a55320793dc322cf63b6f24f4fb19293f564562fa8b6ab1a3ac6024f3e19d16b7842aa165ec3b06e1594923dcbfa

Download Submit
C:\Windows\SysWOW64\Ejmebq32.exe

Filesize
63KB

MD5
ef78a57d8c690ff0d25d1821fb3676dc

SHA1
98509ddce29a08486756b7ef2a449216c760d035

SHA256
c482be03070e04a810ac013af3aa2c290c6bac365c959928232b052bd3cd38b8

SHA512
9254e06f9b923f536bb3087c47b360e31771602d4f0530cc4db940e0259369e63c51ca2588de8ee94294515dd72af6101aa7241fc8ea46ddbea47da6c540ac79

Download Submit
C:\Windows\SysWOW64\Ejobhppq.exe

Filesize
63KB

MD5
280ed07a4e525cafcfe9fc41b9301322

SHA1
51635e7de5927995dca4fafae408672933180242

SHA256
5bf75c7dc3097655eac28cfb8254dcb058177374f2842af9d56e947d42fabafc

SHA512
764a3e160e5beeb6af7e3276bce731eb5d238718d794e18d82b49ee6f82e589be3fe7f6941eee1844159f154040a0480f7a24345ec1e7890094c2efd8d7eda83

Download Submit
C:\Windows\SysWOW64\Emieil32.exe

Filesize
63KB

MD5
2a3e2eb1f651cfe8deccfad76a658990

SHA1
9cc2d3df8be1aaf3f32bf7e48b4cef53342d06aa

SHA256
4a56cc05e77e6b860e218de2dff88805f8ceff24fe94990e2a377c1b171305c2

SHA512
b1ca455c9d1a76f791c13744553eda4ac81bb0d1a7a465dbc4588b7ea30d735573c759e966043df4bfcc22947a34a4078fd0588e9ecf7b26af8fce72013d695f

Download Submit
C:\Windows\SysWOW64\Enakbp32.exe

Filesize
63KB

MD5
b91eb4ba5959eed1bdf7f3d95062dd67

SHA1
fd5cd29d6bb5297c81e57c5d44e271bde30d7f89

SHA256
c86901d7116fa8e80027bd286be963a2ef965443a0f045d81741560800dd9f1b

SHA512
50a608f397be09b03fae97787dda16a4797042d19b90fffb5961568650590c637ac3e98dc47b45ea92857fa55c0df7f73fcd1e340d850151f7a012326af720bf

Download Submit
C:\Windows\SysWOW64\Enhacojl.exe

Filesize
63KB

MD5
b4e43a05ef4353ece23bb8133582d956

SHA1
bdead398f6e434ba3551713ccf30a74ff30a61f6

SHA256
424935fa3e7d9266bbefc9b7e1356d612ae19a12a0581c5f65635425f0da23a2

SHA512
df71e8bfe4c68fe0f01388e5038ab209d96b368edf728652cf8394fba597e378e4899aac80a22592b394cdab2c76b55184a9d9346e9f8673eb5d3d9769910d4e

Download Submit
C:\Windows\SysWOW64\Eplkpgnh.exe

Filesize
63KB

MD5
eb70dc9c99f54132e33d0434f25ceb4c

SHA1
e3894abd0d090b10bae384f6bd1d6ee3d80baea2

SHA256
ca8ee7de977e9a2aab2030cd223772a221b5509150e4a7d4cb5e6ccddb4c4ee0

SHA512
3c0de2719bca082b1be460a4341855b99b15e0eeb074cb09c0de6bf16c57fb31ece992477c965b3b5a0687b102ba16451130b38232bdc0c4fc17b963a239b9ba

Download Submit
C:\Windows\SysWOW64\Eqgnokip.exe

Filesize
63KB

MD5
2806f6a56568d103b1637ce7309ccd8c

SHA1
1b0141f17ecc6003bfb48c025fd2c05a1955fa77

SHA256
08cf8a7c1e22073ec78e9fcb23645b0b898f787d61bc2d0f19982bdd978a0af0

SHA512
a5368ea92b8de451737550933adc5b9b9e010901f8b6a55d3014c81d23583677f4e3cdbd9ea2bba6735fafdff520bd38c4f04ea10d88de72c98340de3e24a6ec

Download Submit
C:\Windows\SysWOW64\Fidoim32.exe

Filesize
63KB

MD5
79a04a58b0ff7b500e5585d71045740c

SHA1
d4398fc594ec7f098dc78f877b4d3fb168231f5a

SHA256
50bdb0bf802a581835a7cad055af96e7cce94ecf3d41d089143976664687e836

SHA512
75119f10b0ebe392ab797fff72aecdb5f2c1f89c0b9c97255e8414c6fd9507a099c36da5752012e83fafa0213a6a9a5dc0a69ec6f1deb78859c58984176adbf6

Download Submit
C:\Windows\SysWOW64\Fjaonpnn.exe

Filesize
63KB

MD5
bdbb0ab8b9bfd7c65b36bed91a6186bc

SHA1
3bbabb209294fa0426ec50a78c62a960977bc887

SHA256
2ff78589045931416c5a41f86e7d944bcdc65a16cfcb3cbff50d031e558b5da9

SHA512
865cd316a0ed67c7dffe095a32c78f9678b61e4c1353453289863c007c2cc6b7e54e244d55c97ac67245283a932f977bffacfcdfd5966854d2afe321305db459

Download Submit
C:\Windows\SysWOW64\Fkckeh32.exe

Filesize
63KB

MD5
e512caed1cf150c8971fc090d4be14b0

SHA1
2e92186adaec2b4b8275acfe3f1ede3e43bea37a

SHA256
c79a480f6cabcf5d704207addaa64efbbb785edbbc7908a4918ba618caa0c503

SHA512
5e4d02f8845ea292d5fdc7278718a30d4463e76083c4d3ceb089560ae9369f6e323bd8414deb13f6707f546e25a57369a4f59b18d76dc62a750abc2e0771fabe

Download Submit
\Windows\SysWOW64\Bbokmqie.exe

Filesize
63KB

MD5
476c49a26e291dcf7136334d92da5859

SHA1
5e932c651d33fba04181b2c9bd3db7d8ff92a96e

SHA256
f90c5f341d997697ea872ecc82c0f30ce0c527d6955fce511cbb1419053eb80a

SHA512
39f771fb4b93ca4ebe296fc0cb920a711ab1cc483f00dc3788d8725989661131b7861090f5c7ef308db4b004cc3afbaaa6e863944eec2a1517fe85d84543ca2e

Download Submit
\Windows\SysWOW64\Behnnm32.exe

Filesize
63KB

MD5
3c53ea1616a990c8aa285150d2faefc4

SHA1
14d5bf376c4c13cb86a28aa527d0d863d1bfab16

SHA256
3aaf1088cbd571d3dc40113851ad16b67ced117d69021fcd87abd781dd4f21e9

SHA512
75dc34b8705b018193e012fe07fe4e3b59b88e3965069f6ddcaaf1ba77ffea3a32a1e6abf7f4799af7fe77eae43dcbba867d064ffe3b79a11ff5993df427f3ca

Download Submit
\Windows\SysWOW64\Biamilfj.exe

Filesize
63KB

MD5
cd1e6a1c857709b32904fba8eaaba54e

SHA1
f3253764e747bd5deae8047ac4a23c8d2dd910c6

SHA256
df48490a8dbc675f057423ef8a72596ee5da75755bee788583b9655a9853f9af

SHA512
87a1a76e485b5859cf1653836188b12ee8ceed772553400c9131c82a0e39f5daf0faeea045f555370f5a9633819931e4ca7950ae13463592e8f33e209799c59f

Download Submit
\Windows\SysWOW64\Bifgdk32.exe

Filesize
63KB

MD5
abcbae63f4a97a5ae34efbaf88cbab1b

SHA1
80ccb0973dde23d81d0929c4f56dc7f0ba51640a

SHA256
bb6dda56c2789cb571b1f3aea5f6b0bf76bcc814b07444f6e86db3c70b53a0d3

SHA512
78df8f2da9c2229d9d0784691758bfed9cfe68e050cf892a79c8491df1a0cebaf74bbfd40e279b0ee065b1b0ad688668c0b50c06534c0814e01ae75394391748

Download Submit
\Windows\SysWOW64\Bmkmdk32.exe

Filesize
63KB

MD5
2c2dfd6d49497e2b1f3167a9bc32a7e7

SHA1
5484cc2448943ed0172facdd687fa117388f286a

SHA256
0d67b09dc0f241fa522d9aacb8ae62db6a5592b816778690aead6db3ba0ab1fb

SHA512
d7939fc91d5ca0e9d8ef038f69eebddee445fd7e8593cde9498e18a13591a793463be3aa11f1f06f4c2b479bfbeb34398c719105256e60bfe9cbfbbc4715ddd0

Download Submit
\Windows\SysWOW64\Bpnbkeld.exe

Filesize
63KB

MD5
74b18d65d8685f068a0859f30127a0d3

SHA1
99b82adc0644821c7e25210baf03e53a469716b6

SHA256
bcc2f2b1ecf3b517b18b5b50b9d3b4cc1803d5f0b472d57b1eaf7201dde15a51

SHA512
dc75778e7d3468004dd5df1556586da1ae3c12827be33b47e001c8cae7d91716debf7f1ad2c3780587b9dd54b52dd79891f4207efe17582592bd05a2ecb97eb7

Download Submit
\Windows\SysWOW64\Bppoqeja.exe

Filesize
63KB

MD5
84179e88361ce38be75274326286d102

SHA1
a32ebdbd19d71e5ea7bf72e7499dd778b6359485

SHA256
94156897377f083159e0e7026281dfd01987f0c2494f6bd7567e67ad13c9e108

SHA512
97596e1391babe3597f7e646fa4f78c312a89b0745fd6bdea5658fc5ed51cf32221f7cc9caf66c72d07bfa5aac3214ee0c362080f03e8223ed090cbb038c2d58

Download Submit
\Windows\SysWOW64\Cadhnmnm.exe

Filesize
63KB

MD5
c5edeb90f01c0b41787e39ed98009d78

SHA1
7d60d04b34e2926a0a672673718652f7a9033efc

SHA256
bf476c6bb828fab641b56b509e611a2c531080500554666424dd3f54280a8655

SHA512
0068d100a16934b47c9198f19d87ef72447bc1b2fb26e3f71e088341a681d81e7b423f1eb5e44aa089f2756c6ec99ae38894e0b928a6007b5498cef1ef3e9579

Download Submit
\Windows\SysWOW64\Cddaphkn.exe

Filesize
63KB

MD5
cc15f55a64e9174982170deacab26c53

SHA1
ce48adb0439f3a1137311c7dd450a5f707891fc8

SHA256
05e4ab3443167b8e30212df45c28a6772d73abc488dbfac7bd26156fb6443689

SHA512
0096dbadce1af251755d678e33a48069a67c4caecb0778d2733f2d953bfb31b278819118d60a0ceda20edac015f8638e5e2bf0c6f75fba96728d96b34e8b85b7

Download Submit
\Windows\SysWOW64\Ckjpacfp.exe

Filesize
63KB

MD5
6d7b81c8356241a1a6e4a89e7a6af268

SHA1
6548e92f5228a8e540d6fff93293c8d120460e75

SHA256
50f73f76827ffabbfea1d33f7377068a4440b45a8e86050e4451c7d3b2f7c374

SHA512
310b5f3bc4927de45df5eb31f72b05acc1165d15082fb7bbccd7e8a620b29b01ea4d423daca94c280a9cc6d84c27e4b223303870139bdd01071ba4a21ac2f2c4

Download Submit
\Windows\SysWOW64\Clilkfnb.exe

Filesize
63KB

MD5
8abc409383301f8aeb084ea75031bc3d

SHA1
3b0c8f831feb12791cfc66481b73da5f6f1d6e55

SHA256
3a55612052f27758a6d11b7187ffe3a2e247fa1909f1b7e94b882556001cc051

SHA512
6c69035510f871274d9bfb42234b059265cbaec2a25d42bc82cccf5dc4c04e884130bbb044d47d57519847ea91d41f72b974fb82f1ffa831f9e3dead88f0c5e9

Download Submit
memory/108-229-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/272-308-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download
memory/272-307-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/328-305-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/328-306-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/328-290-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/376-362-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/376-353-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/376-363-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/784-461-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/784-470-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/916-283-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/916-277-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/916-287-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/1424-427-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1424-95-0x0000000000300000-0x0000000000335000-memory.dmp

Filesize
212KB

Download
memory/1548-460-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download
memory/1548-459-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download
memory/1548-453-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1584-375-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1584-382-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/1584-707-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1636-503-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/1636-502-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1784-438-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1784-452-0x0000000000300000-0x0000000000335000-memory.dmp

Filesize
212KB

Download
memory/1784-444-0x0000000000300000-0x0000000000335000-memory.dmp

Filesize
212KB

Download
memory/1884-248-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1884-257-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/1956-228-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1996-70-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1996-78-0x0000000000310000-0x0000000000345000-memory.dmp

Filesize
212KB

Download
memory/1996-417-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2000-490-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2000-481-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2004-143-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2012-276-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2016-428-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2060-397-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2108-151-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2108-491-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2108-492-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2108-163-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2128-396-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download
memory/2128-395-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download
memory/2128-390-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2132-476-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2216-262-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2216-264-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2280-213-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/2280-205-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2372-165-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2372-493-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2428-374-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2428-368-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2432-192-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2464-109-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download
memory/2464-437-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2464-104-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download
memory/2512-122-0x00000000005D0000-0x0000000000605000-memory.dmp

Filesize
212KB

Download
memory/2512-458-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2536-178-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2536-186-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download
memory/2604-55-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2604-46-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2628-64-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2628-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2628-406-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2628-416-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2676-352-0x0000000000320000-0x0000000000355000-memory.dmp

Filesize
212KB

Download
memory/2676-345-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2676-351-0x0000000000320000-0x0000000000355000-memory.dmp

Filesize
212KB

Download
memory/2680-330-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2680-329-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2680-320-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2716-45-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download
memory/2716-47-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2748-380-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2748-12-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2748-11-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2748-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2748-373-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2760-319-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2760-309-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2760-318-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2796-124-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2796-471-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2796-132-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2812-341-0x00000000002F0000-0x0000000000325000-memory.dmp

Filesize
212KB

Download
memory/2812-331-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2812-340-0x00000000002F0000-0x0000000000325000-memory.dmp

Filesize
212KB

Download
memory/2912-407-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2924-418-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2972-26-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2972-32-0x00000000002F0000-0x0000000000325000-memory.dmp

Filesize
212KB

Download
memory/2996-244-0x0000000000310000-0x0000000000345000-memory.dmp

Filesize
212KB

Download
memory/2996-242-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads