068821fb02a32382e1893de3dada62ed19ec218c347f1e6a6b77d5875caffecc

Analysis

max time kernel
111s
max time network
20s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-09-2024 23:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd5a5545a9a4110587bd00b3e7187a90N.exe
Size

64KB
MD5

fd5a5545a9a4110587bd00b3e7187a90
SHA1

58f6d742ce99eea547c91b4e5f380d6ab4ada94e
SHA256

068821fb02a32382e1893de3dada62ed19ec218c347f1e6a6b77d5875caffecc
SHA512

406494c60eb4ecb6e215f1feb9fffa2f2b0bc863c1a609c8b332259a7bca67c0de0d1c15bae60e952f229b1b4590ba5035cb83b3049bb254b50497a7e21095dd
SSDEEP

1536:ij2DmjVO0pGUolcNmGvIaDtoaGhYQD773BWstwJQ:ij2DmI0pG1lKvIaDtIhYKNwJQ

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 58 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccmpce32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckhdggom.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	fd5a5545a9a4110587bd00b3e7187a90N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkegah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkegah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clojhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calcpm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	fd5a5545a9a4110587bd00b3e7187a90N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cepipm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bigkel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpkqklh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckhdggom.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cepipm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calcpm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbblda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceebklai.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpkqklh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bigkel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clojhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccmpce32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbdiia32.exe

Executes dropped EXE 29 IoCs

pid	Process
2360	Bmpkqklh.exe
2292	Bbmcibjp.exe
2708	Bigkel32.exe
2720	Bkegah32.exe
2588	Ccmpce32.exe
2728	Cfkloq32.exe
2616	Ciihklpj.exe
1936	Ckhdggom.exe
1484	Cnfqccna.exe
536	Cbblda32.exe
2740	Cepipm32.exe
1876	Cgoelh32.exe
1948	Cpfmmf32.exe
3056	Cbdiia32.exe
2456	Cebeem32.exe
960	Cgaaah32.exe
3024	Ckmnbg32.exe
648	Cnkjnb32.exe
1308	Cbffoabe.exe
1756	Ceebklai.exe
1780	Cchbgi32.exe
1820	Clojhf32.exe
2248	Cjakccop.exe
2432	Cmpgpond.exe
2496	Calcpm32.exe
856	Ccjoli32.exe
2940	Djdgic32.exe
2764	Dmbcen32.exe
2572	Dpapaj32.exe

Loads dropped DLL 61 IoCs

pid	Process
2336	fd5a5545a9a4110587bd00b3e7187a90N.exe
2336	fd5a5545a9a4110587bd00b3e7187a90N.exe
2360	Bmpkqklh.exe
2360	Bmpkqklh.exe
2292	Bbmcibjp.exe
2292	Bbmcibjp.exe
2708	Bigkel32.exe
2708	Bigkel32.exe
2720	Bkegah32.exe
2720	Bkegah32.exe
2588	Ccmpce32.exe
2588	Ccmpce32.exe
2728	Cfkloq32.exe
2728	Cfkloq32.exe
2616	Ciihklpj.exe
2616	Ciihklpj.exe
1936	Ckhdggom.exe
1936	Ckhdggom.exe
1484	Cnfqccna.exe
1484	Cnfqccna.exe
536	Cbblda32.exe
536	Cbblda32.exe
2740	Cepipm32.exe
2740	Cepipm32.exe
1876	Cgoelh32.exe
1876	Cgoelh32.exe
1948	Cpfmmf32.exe
1948	Cpfmmf32.exe
3056	Cbdiia32.exe
3056	Cbdiia32.exe
2456	Cebeem32.exe
2456	Cebeem32.exe
960	Cgaaah32.exe
960	Cgaaah32.exe
3024	Ckmnbg32.exe
3024	Ckmnbg32.exe
648	Cnkjnb32.exe
648	Cnkjnb32.exe
1308	Cbffoabe.exe
1308	Cbffoabe.exe
1756	Ceebklai.exe
1756	Ceebklai.exe
1780	Cchbgi32.exe
1780	Cchbgi32.exe
1820	Clojhf32.exe
1820	Clojhf32.exe
2248	Cjakccop.exe
2248	Cjakccop.exe
2432	Cmpgpond.exe
2432	Cmpgpond.exe
2496	Calcpm32.exe
2496	Calcpm32.exe
856	Ccjoli32.exe
856	Ccjoli32.exe
2940	Djdgic32.exe
2940	Djdgic32.exe
2764	Dmbcen32.exe
2764	Dmbcen32.exe
3036	WerFault.exe
3036	WerFault.exe
3036	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ednoihel.dll	Cnfqccna.exe
File created	C:\Windows\SysWOW64\Hbocphim.dll	Cnkjnb32.exe
File opened for modification	C:\Windows\SysWOW64\Ceebklai.exe	Cbffoabe.exe
File created	C:\Windows\SysWOW64\Acnenl32.dll	Ceebklai.exe
File created	C:\Windows\SysWOW64\Cjakccop.exe	Clojhf32.exe
File created	C:\Windows\SysWOW64\Gpajfg32.dll	Clojhf32.exe
File created	C:\Windows\SysWOW64\Mfakaoam.dll	Bmpkqklh.exe
File created	C:\Windows\SysWOW64\Ajaclncd.dll	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Ccjoli32.exe	Calcpm32.exe
File created	C:\Windows\SysWOW64\Djdgic32.exe	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Cepipm32.exe	Cbblda32.exe
File opened for modification	C:\Windows\SysWOW64\Cebeem32.exe	Cbdiia32.exe
File opened for modification	C:\Windows\SysWOW64\Djdgic32.exe	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Bkegah32.exe	Bigkel32.exe
File created	C:\Windows\SysWOW64\Cfkloq32.exe	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Ckhdggom.exe	Ciihklpj.exe
File opened for modification	C:\Windows\SysWOW64\Cbdiia32.exe	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Cgaaah32.exe	Cebeem32.exe
File created	C:\Windows\SysWOW64\Jhogdg32.dll	Cgaaah32.exe
File created	C:\Windows\SysWOW64\Cmpgpond.exe	Cjakccop.exe
File created	C:\Windows\SysWOW64\Fikbiheg.dll	Djdgic32.exe
File created	C:\Windows\SysWOW64\Bbmcibjp.exe	Bmpkqklh.exe
File created	C:\Windows\SysWOW64\Gjhmge32.dll	Cfkloq32.exe
File created	C:\Windows\SysWOW64\Cnfqccna.exe	Ckhdggom.exe
File opened for modification	C:\Windows\SysWOW64\Cbblda32.exe	Cnfqccna.exe
File opened for modification	C:\Windows\SysWOW64\Cgoelh32.exe	Cepipm32.exe
File opened for modification	C:\Windows\SysWOW64\Cpfmmf32.exe	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Cbdiia32.exe	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Bmpkqklh.exe	fd5a5545a9a4110587bd00b3e7187a90N.exe
File opened for modification	C:\Windows\SysWOW64\Ckhdggom.exe	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Cnkjnb32.exe	Ckmnbg32.exe
File opened for modification	C:\Windows\SysWOW64\Cjakccop.exe	Clojhf32.exe
File created	C:\Windows\SysWOW64\Cbffoabe.exe	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\Ciohdhad.dll	Calcpm32.exe
File created	C:\Windows\SysWOW64\Fchook32.dll	Bkegah32.exe
File created	C:\Windows\SysWOW64\Liempneg.dll	Ckmnbg32.exe
File opened for modification	C:\Windows\SysWOW64\Calcpm32.exe	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Bigkel32.exe	Bbmcibjp.exe
File created	C:\Windows\SysWOW64\Ccmpce32.exe	Bkegah32.exe
File created	C:\Windows\SysWOW64\Ceebklai.exe	Cbffoabe.exe
File opened for modification	C:\Windows\SysWOW64\Cmpgpond.exe	Cjakccop.exe
File created	C:\Windows\SysWOW64\Ofaejacl.dll	Cmpgpond.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Bnjdhe32.dll	Bigkel32.exe
File created	C:\Windows\SysWOW64\Cebeem32.exe	Cbdiia32.exe
File created	C:\Windows\SysWOW64\Cgoelh32.exe	Cepipm32.exe
File created	C:\Windows\SysWOW64\Fhgpia32.dll	Cpfmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Bbmcibjp.exe	Bmpkqklh.exe
File created	C:\Windows\SysWOW64\Cbblda32.exe	Cnfqccna.exe
File opened for modification	C:\Windows\SysWOW64\Cepipm32.exe	Cbblda32.exe
File created	C:\Windows\SysWOW64\Calcpm32.exe	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File opened for modification	C:\Windows\SysWOW64\Bigkel32.exe	Bbmcibjp.exe
File created	C:\Windows\SysWOW64\Fnpeed32.dll	Ckhdggom.exe
File opened for modification	C:\Windows\SysWOW64\Ciihklpj.exe	Cfkloq32.exe
File created	C:\Windows\SysWOW64\Gdgqdaoh.dll	Cbblda32.exe
File created	C:\Windows\SysWOW64\Clojhf32.exe	Cchbgi32.exe
File created	C:\Windows\SysWOW64\Oinhifdq.dll	Bbmcibjp.exe
File created	C:\Windows\SysWOW64\Oghnkh32.dll	Ccmpce32.exe
File opened for modification	C:\Windows\SysWOW64\Cchbgi32.exe	Ceebklai.exe
File created	C:\Windows\SysWOW64\Pcaibd32.dll	Cjakccop.exe
File opened for modification	C:\Windows\SysWOW64\Ccmpce32.exe	Bkegah32.exe
File opened for modification	C:\Windows\SysWOW64\Ckmnbg32.exe	Cgaaah32.exe
File opened for modification	C:\Windows\SysWOW64\Cnfqccna.exe	Ckhdggom.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32†Dhhhbg32.¿xe	Dpapaj32.exe
File opened for modification	C:\Windows\system32†Dhhhbg32.¿xe	Dpapaj32.exe

Program crash 1 IoCs

pid	pid_target	Process
3036	2572	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clojhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepipm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkjnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbffoabe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cchbgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbblda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fd5a5545a9a4110587bd00b3e7187a90N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbmcibjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bigkel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciihklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfkloq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdiia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceebklai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpkqklh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkegah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnfqccna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cebeem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckhdggom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmpce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjakccop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpgpond.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfakaoam.dll"	Bmpkqklh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaqnpc32.dll"	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpajfg32.dll"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	fd5a5545a9a4110587bd00b3e7187a90N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jidmcq32.dll"	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnbkfl32.dll"	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oinhifdq.dll"	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcaibd32.dll"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bigkel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccofjipn.dll"	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ednoihel.dll"	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgqdaoh.dll"	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calcpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	fd5a5545a9a4110587bd00b3e7187a90N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocphim.dll"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceebklai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fikbiheg.dll"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oghnkh32.dll"	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnpeed32.dll"	Ckhdggom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbblda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdhe32.dll"	Bigkel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgloog32.dll"	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pijjilik.dll"	fd5a5545a9a4110587bd00b3e7187a90N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhgpia32.dll"	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acnenl32.dll"	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaejacl.dll"	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmpkqklh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhogdg32.dll"	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjhmge32.dll"	Cfkloq32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2360	2336	fd5a5545a9a4110587bd00b3e7187a90N.exe	31
PID 2336 wrote to memory of 2360	2336	fd5a5545a9a4110587bd00b3e7187a90N.exe	31
PID 2336 wrote to memory of 2360	2336	fd5a5545a9a4110587bd00b3e7187a90N.exe	31
PID 2336 wrote to memory of 2360	2336	fd5a5545a9a4110587bd00b3e7187a90N.exe	31
PID 2360 wrote to memory of 2292	2360	Bmpkqklh.exe	32
PID 2360 wrote to memory of 2292	2360	Bmpkqklh.exe	32
PID 2360 wrote to memory of 2292	2360	Bmpkqklh.exe	32
PID 2360 wrote to memory of 2292	2360	Bmpkqklh.exe	32
PID 2292 wrote to memory of 2708	2292	Bbmcibjp.exe	33
PID 2292 wrote to memory of 2708	2292	Bbmcibjp.exe	33
PID 2292 wrote to memory of 2708	2292	Bbmcibjp.exe	33
PID 2292 wrote to memory of 2708	2292	Bbmcibjp.exe	33
PID 2708 wrote to memory of 2720	2708	Bigkel32.exe	34
PID 2708 wrote to memory of 2720	2708	Bigkel32.exe	34
PID 2708 wrote to memory of 2720	2708	Bigkel32.exe	34
PID 2708 wrote to memory of 2720	2708	Bigkel32.exe	34
PID 2720 wrote to memory of 2588	2720	Bkegah32.exe	35
PID 2720 wrote to memory of 2588	2720	Bkegah32.exe	35
PID 2720 wrote to memory of 2588	2720	Bkegah32.exe	35
PID 2720 wrote to memory of 2588	2720	Bkegah32.exe	35
PID 2588 wrote to memory of 2728	2588	Ccmpce32.exe	36
PID 2588 wrote to memory of 2728	2588	Ccmpce32.exe	36
PID 2588 wrote to memory of 2728	2588	Ccmpce32.exe	36
PID 2588 wrote to memory of 2728	2588	Ccmpce32.exe	36
PID 2728 wrote to memory of 2616	2728	Cfkloq32.exe	37
PID 2728 wrote to memory of 2616	2728	Cfkloq32.exe	37
PID 2728 wrote to memory of 2616	2728	Cfkloq32.exe	37
PID 2728 wrote to memory of 2616	2728	Cfkloq32.exe	37
PID 2616 wrote to memory of 1936	2616	Ciihklpj.exe	38
PID 2616 wrote to memory of 1936	2616	Ciihklpj.exe	38
PID 2616 wrote to memory of 1936	2616	Ciihklpj.exe	38
PID 2616 wrote to memory of 1936	2616	Ciihklpj.exe	38
PID 1936 wrote to memory of 1484	1936	Ckhdggom.exe	39
PID 1936 wrote to memory of 1484	1936	Ckhdggom.exe	39
PID 1936 wrote to memory of 1484	1936	Ckhdggom.exe	39
PID 1936 wrote to memory of 1484	1936	Ckhdggom.exe	39
PID 1484 wrote to memory of 536	1484	Cnfqccna.exe	40
PID 1484 wrote to memory of 536	1484	Cnfqccna.exe	40
PID 1484 wrote to memory of 536	1484	Cnfqccna.exe	40
PID 1484 wrote to memory of 536	1484	Cnfqccna.exe	40
PID 536 wrote to memory of 2740	536	Cbblda32.exe	41
PID 536 wrote to memory of 2740	536	Cbblda32.exe	41
PID 536 wrote to memory of 2740	536	Cbblda32.exe	41
PID 536 wrote to memory of 2740	536	Cbblda32.exe	41
PID 2740 wrote to memory of 1876	2740	Cepipm32.exe	42
PID 2740 wrote to memory of 1876	2740	Cepipm32.exe	42
PID 2740 wrote to memory of 1876	2740	Cepipm32.exe	42
PID 2740 wrote to memory of 1876	2740	Cepipm32.exe	42
PID 1876 wrote to memory of 1948	1876	Cgoelh32.exe	43
PID 1876 wrote to memory of 1948	1876	Cgoelh32.exe	43
PID 1876 wrote to memory of 1948	1876	Cgoelh32.exe	43
PID 1876 wrote to memory of 1948	1876	Cgoelh32.exe	43
PID 1948 wrote to memory of 3056	1948	Cpfmmf32.exe	44
PID 1948 wrote to memory of 3056	1948	Cpfmmf32.exe	44
PID 1948 wrote to memory of 3056	1948	Cpfmmf32.exe	44
PID 1948 wrote to memory of 3056	1948	Cpfmmf32.exe	44
PID 3056 wrote to memory of 2456	3056	Cbdiia32.exe	45
PID 3056 wrote to memory of 2456	3056	Cbdiia32.exe	45
PID 3056 wrote to memory of 2456	3056	Cbdiia32.exe	45
PID 3056 wrote to memory of 2456	3056	Cbdiia32.exe	45
PID 2456 wrote to memory of 960	2456	Cebeem32.exe	46
PID 2456 wrote to memory of 960	2456	Cebeem32.exe	46
PID 2456 wrote to memory of 960	2456	Cebeem32.exe	46
PID 2456 wrote to memory of 960	2456	Cebeem32.exe	46

C:\Users\Admin\AppData\Local\Temp\fd5a5545a9a4110587bd00b3e7187a90N.exe
"C:\Users\Admin\AppData\Local\Temp\fd5a5545a9a4110587bd00b3e7187a90N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\SysWOW64\Bmpkqklh.exe
  C:\Windows\system32\Bmpkqklh.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Windows\SysWOW64\Bbmcibjp.exe
    C:\Windows\system32\Bbmcibjp.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2292
  - - C:\Windows\SysWOW64\Bigkel32.exe
      C:\Windows\system32\Bigkel32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2708
    - - C:\Windows\SysWOW64\Bkegah32.exe
        
        C:\Windows\system32\Bkegah32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2720
      - C:\Windows\SysWOW64\Ccmpce32.exe
        
        C:\Windows\system32\Ccmpce32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\Cfkloq32.exe
        
        C:\Windows\system32\Cfkloq32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\Ciihklpj.exe
        
        C:\Windows\system32\Ciihklpj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\SysWOW64\Ckhdggom.exe
        
        C:\Windows\system32\Ckhdggom.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\SysWOW64\Cnfqccna.exe
        
        C:\Windows\system32\Cnfqccna.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\SysWOW64\Cbblda32.exe
        
        C:\Windows\system32\Cbblda32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\SysWOW64\Cepipm32.exe
        
        C:\Windows\system32\Cepipm32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\SysWOW64\Cgoelh32.exe
        
        C:\Windows\system32\Cgoelh32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1876
        
        C:\Windows\SysWOW64\Cpfmmf32.exe
        
        C:\Windows\system32\Cpfmmf32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\SysWOW64\Cbdiia32.exe
        
        C:\Windows\system32\Cbdiia32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\SysWOW64\Cebeem32.exe
        
        C:\Windows\system32\Cebeem32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:960
        
        C:\Windows\SysWOW64\Ckmnbg32.exe
        
        C:\Windows\system32\Ckmnbg32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Cnkjnb32.exe
        
        C:\Windows\system32\Cnkjnb32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:648
        
        C:\Windows\SysWOW64\Cbffoabe.exe
        
        C:\Windows\system32\Cbffoabe.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1308
        
        C:\Windows\SysWOW64\Ceebklai.exe
        
        C:\Windows\system32\Ceebklai.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\Cchbgi32.exe
        
        C:\Windows\system32\Cchbgi32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1780
        
        C:\Windows\SysWOW64\Clojhf32.exe
        
        C:\Windows\system32\Clojhf32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1820
        
        C:\Windows\SysWOW64\Cjakccop.exe
        
        C:\Windows\system32\Cjakccop.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Cmpgpond.exe
        
        C:\Windows\system32\Cmpgpond.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2432
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2496
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:856
        
        C:\Windows\SysWOW64\Djdgic32.exe
        
        C:\Windows\system32\Djdgic32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Dmbcen32.exe
        
        C:\Windows\system32\Dmbcen32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2764
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        30⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 144
        31⤵
        Loads dropped DLL
        Program crash
        
        PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bigkel32.exe

Filesize
64KB

MD5
ab777d995871b362ee970287a9796b58

SHA1
9380d87ee63a0e1cbebbabeb18a20c41ab0e92ab

SHA256
01353cdc51d344376432ed00113993a32285591513d0af47ef19427f81abed6e

SHA512
da0805e2a2c35b446acc88313f158a454e21d61c320095f25d461a5c098ac2b0949c48e14e825d94d7be958c8e0f183842d5e841d1b1b279dbbd10027c4b8ebc

Download Submit
C:\Windows\SysWOW64\Bkegah32.exe

Filesize
64KB

MD5
3a9f2e167e6c531e45bfd091e107c76b

SHA1
bda52da420fabedfa318e0163ed6c14bc4601ddf

SHA256
b4bf87957ebe0fe74d358f8787dee6f03463be00dbc24b15c0545aac1eb2cb82

SHA512
2cb7ae5921c7a8546a937ee81755c73f5aa4b4b69f2ace726f7cc05343e0e677c7417cf726afd00287d74bfc7412cf4f9099eac59ff46f21d4a3d5d8fb7f539a

Download Submit
C:\Windows\SysWOW64\Bmpkqklh.exe

Filesize
64KB

MD5
8ad3ad86ad78f630be192f022155dfcd

SHA1
956186c28ec66c0ff68eeb3c2acd2714505d7341

SHA256
d723f52903a00c659a85648ef2546de2216bce8d0240546be9910d3ef9370f3c

SHA512
668fe8021d563b60a1f37992f399dbcb06127cd9123e527f2c122369b8ff2c044e6975fddcfd9d4bf818f9a8dff5a3ed6dd98e549b17579f3e66aa973826e9b8

Download Submit
C:\Windows\SysWOW64\Calcpm32.exe

Filesize
64KB

MD5
6d7c2bc392dc96438407417b1e3a351f

SHA1
d0214175c06bd5784fcc0c22deaf49b57a4efa4d

SHA256
0dae5a9759a2696226bbfcc78bcfb8a3cfd0a106eee20554d1ffd7f2cbf5b1e6

SHA512
40ac3109fa810d038c4aab7de8d72d03c1266c7bb3675fea922eb560fa9712c036a5d1db5620ffc2f9187c9134e5daa63e424f6661c7e24ff774b46fcefd5854

Download Submit
C:\Windows\SysWOW64\Cbblda32.exe

Filesize
64KB

MD5
8597ecef709f5283e9c4bae6d8476294

SHA1
a176601487249b209954eccb5c6aba655e49cd2a

SHA256
94fd8b7f410f6765d76a63df27a5de39f08ae5e8feffdae1fa5892cc0f888568

SHA512
e4ae64070608fc55383258c2e4290a611361b854d5bedfb1f80fa1191e8e1fd76af039df391f4c1d829d43a093dd89b318d544102b1b7f9ddf1ec6d810ee3aa5

Download Submit
C:\Windows\SysWOW64\Cbdiia32.exe

Filesize
64KB

MD5
39f3ed1a0520c065ba2f96ed7b5fba61

SHA1
61ec4988026908da2381e6c9273cd24a4d67038f

SHA256
e6cb30853e93caeea7e83991dfba52c1fb6da379374973754a88f6dc5e36d6e2

SHA512
eadcee37e7fb73fd1be62733ca0beacd6d42efffdf653c2fb088a9bc5704d1f552e7b7f977077c8054c0aab24769414654e16610e46f851720c070e8d29ae056

Download Submit
C:\Windows\SysWOW64\Cbffoabe.exe

Filesize
64KB

MD5
7f295bae479543f885ad41792037d363

SHA1
cfb716760562cad32883f3a3e6206a600688f8db

SHA256
557ebba7ca9290d747a574389a413a6cf75c399e9c4e295c6797207c51c4b0ce

SHA512
d708a1e499d4b24232731b8ca7bf08c6a2d5b83166bf0bc4f10d51c6b78cb29786e89188b2faacb8ac0728b5d4d4dc3cf3df75b582167f5f882aa736b9da64a2

Download Submit
C:\Windows\SysWOW64\Cchbgi32.exe

Filesize
64KB

MD5
717a4e13044d805257a4d4656396081f

SHA1
ab962512051657ead78de55df88ee7b70a7cefb2

SHA256
7bec0667efff2076cb56ea754036b912f6aa1585639c6fab07279353e67dabaf

SHA512
6f236fe01aa984c3eed162b306af3b2845ce938cbb595b3a2451fc5243c64da9561c37018ded8a320e2c04e34da398066fee6a426dc5cc71a2c2d55c329d8c54

Download Submit
C:\Windows\SysWOW64\Ccjoli32.exe

Filesize
64KB

MD5
6f7d26b629221aaf8a19b50b7d977512

SHA1
32b9bc3fca85d29db9f1b44639cc7f2571f7cca2

SHA256
2129d1834fc15d74e54ae24e47dead4c99f5796beb08990eb56cce14427c55cf

SHA512
9b3d6d42cbd878858dfa9fe2e4c0a27f4619f3b87c0d2f32756599a5603b5562338c3d26c0bbfa0878a3a92318b0cb3d59f5c18d4c9156359c5c9de3c3a3b1fa

Download Submit
C:\Windows\SysWOW64\Cebeem32.exe

Filesize
64KB

MD5
b0ade28d5ef03377e0cb9d4735b7a910

SHA1
50aa68542336d8051ad6f93b2ec5b03cb1acace9

SHA256
cd126cb9c6c34b7dd9cc60564c8b83be3745771e0d25dacbe4dd6438025c97c8

SHA512
9241f9b734c8d6503280168933d22e087f4e1aef57b84d6e5ff9dc1f8e3cfafedb99e6cd37d341da59d3a9bc8ecc96ff099edfe09ae5906c3ef32654388d77ec

Download Submit
C:\Windows\SysWOW64\Ceebklai.exe

Filesize
64KB

MD5
570b6fff224ffe86a35a97682705b8c5

SHA1
c7a088496735040932abbffe42a4e4d85d2a24e6

SHA256
01ed52f7a761adda9e515cd9402ffece309310140824811b2c7dd975f10b4646

SHA512
b57ecdfb81a53835d448f267c453ccc77283067a0cf5e498fcbc051204576bf12f6746e3bc6be1c7106fc44c28b0829f5e1b4478b1422460ce82711c7ab4a659

Download Submit
C:\Windows\SysWOW64\Cepipm32.exe

Filesize
64KB

MD5
7a55b79447bf9da7f37d333106b3d170

SHA1
207f4db503a9cab4e67c5514e7abd5b2794fbac6

SHA256
ae78dfd2adfd7f254845712150b3a9cc7185e1a40613ebf03d9073fcf256c59f

SHA512
643bd8f12d3560ea17b9ef5754447357dd16a70dabba46274749ef6a26a406f34cc5963348e2a4c983b0ba2636f087260bf0e0afb52bf6754bb4d39df69f438d

Download Submit
C:\Windows\SysWOW64\Cfkloq32.exe

Filesize
64KB

MD5
00a1f428724be8c50113cf94a1d9ff74

SHA1
5578a515633a237d893a4c81fea3c1b6b3cc9032

SHA256
7e372df011b327e8ccf1c6580c1b3b6113272bab735f3f85a23ab9e6c268de11

SHA512
65432f24996dc0e89e6cc3ddbd9631feca7fe70df8dbd8cb778c0897ba3d9885334dcdfa384d65adb4a56b477ad5133be1776fb31561a094e7f8bb1602324962

Download Submit
C:\Windows\SysWOW64\Cgaaah32.exe

Filesize
64KB

MD5
8ac6165b1d2420ad15f593590b7ef5b4

SHA1
7541f74886073ffde14bf22d9a9737f0793c1b14

SHA256
fa01448ca2b7130a033b5420327a8ff0d15d6903c0f9f52f4e9eb495b1099204

SHA512
46f79cc893ec80523aa3cf8b131702cac2b5086c2d2a80129439fbc5e4226f6c422b6c6d36ac16b66b606fe41ccc70ecc791401021cd214d369f675ff6d5d4a2

Download Submit
C:\Windows\SysWOW64\Cgoelh32.exe

Filesize
64KB

MD5
c9b9afa115a615561ff46584f60466f0

SHA1
841092875294aeab25d80dcc178685c902bdfad9

SHA256
4d9d33eb5e67cfbcd8651e94db9032863e504c66d431101498d33f7992894b13

SHA512
c13ca8b344607a0b258a705c6c7b8c58637f44af995ae77d31cc12319658f7c9f48607d99766420ef0051e4b8846bb0d7fb8eb199c7577bfde3229635934f58a

Download Submit
C:\Windows\SysWOW64\Ciihklpj.exe

Filesize
64KB

MD5
8a640c20c438ba88fa76c8b933bbc402

SHA1
d628d2b0123075dc351eb387a263eaa2c8dd83d2

SHA256
4cf3f41805e9e8aedfb2aaa52b8864aa3a53e72906cac9b8438726f5b540b584

SHA512
b43b36a6bdecc70a29c4c999ec2c64ab36f54ff7aaefab6d43a2740182fe5398cefae100f8e9b5f214721da07c9f3ecc0d28964a560d9e553978dbd27f533a04

Download Submit
C:\Windows\SysWOW64\Cjakccop.exe

Filesize
64KB

MD5
927db38401cc43bb97a0d6dfd639fa76

SHA1
227c98bb41c8b3e464d0da854ebb82f8477e805d

SHA256
e034514b4d9644d26adcd7cf926a60d6b9360f0b6e32b39b890d253323763cf8

SHA512
5d2acdaf06a5e83d51894092a6b5107757c7a1b0e25af4df4c5a05784c015f805707bb2bf8e5afc9aaa5c46a3711fd7273d361a6723db9d6996aa030c6b9de95

Download Submit
C:\Windows\SysWOW64\Ckhdggom.exe

Filesize
64KB

MD5
48c36a5894d07b42420175f415242396

SHA1
baca21ac755a207bae48a46db9a7ba2c0badfbbd

SHA256
89ef4452ce3a92abbd8ac57220489676f20e53501677b4ac748ad1e506d1a24c

SHA512
59a0174ffd0393072ecfac1d4149315d4b79765c6317b15c933589d2863fdf568cd0d20102ed3ea3b45675e75b04633b048e7b19c01efb982549930afb427e2a

Download Submit
C:\Windows\SysWOW64\Ckmnbg32.exe

Filesize
64KB

MD5
60d4fa6d83878084e6a752c3f14507d5

SHA1
0fdb7d3a37eee1c572b35f2757013dc39e867626

SHA256
d9994f574d36492a3c36e3866f3cd541ceaaa81aecd624994e002f4efe42db91

SHA512
6b493b137907832abef8743e3ee6aea8353c0bf18d46256e706e3705cb0d066a71a02b281bede1067429380f4d775f2a4403181c2815209f138b4ad973609696

Download Submit
C:\Windows\SysWOW64\Clojhf32.exe

Filesize
64KB

MD5
6795123cdd5048f89f0b0e9519c8b267

SHA1
f6e5598d10eb859a428de3c3721d7bdb08bbcfbc

SHA256
aeb8ce5885bac2557afc51c33db83bb39a180eb53dc0bdf067e65a3e6950383c

SHA512
bf57d2ff21cbaf9a70b903e47bf5efae77ea7b42820f8b67e3399a3be1cd127f2ced29e883ec3f4498916028133166085166d84a4cb078a9b521a109940b089f

Download Submit
C:\Windows\SysWOW64\Cmpgpond.exe

Filesize
64KB

MD5
40c8f9c3026c1a5916a3c4d670c23b95

SHA1
3b3b8e5736f44d510b627528485c70d4e3ec9b8f

SHA256
1a0f920d4fe8be54136009eadf25fd79eb5cc1ab251d8222699d1cc53b592578

SHA512
c5ae8f34c764dc88a17f495c37a478bcc53b032395620291069946f147a4da79cdcc3c02bf3c7c1b8b1a2071d0e235ac8347da58b2c0db82fe78c634770e978f

Download Submit
C:\Windows\SysWOW64\Cnfqccna.exe

Filesize
64KB

MD5
4cea5c6c6c2d9811f82695c930299ab6

SHA1
4d964be894357ce2322c6ffcee679e194b809e45

SHA256
5aa21dd153db7b69e8881381c4f72f23b521c5276001dcd58dd49281225d91f9

SHA512
ee721d4f27861f65021718aa6363deee4e75f8632f2925c152cf9bc7a3898f2799ff5efe5abb1188af84e872e3ead96b223183bf5593e89758644940a67a8c77

Download Submit
C:\Windows\SysWOW64\Cnkjnb32.exe

Filesize
64KB

MD5
63b0e0d43ba49466919dfbe7b9852e8e

SHA1
62b0b87f82bedde795896bc810b3e3377890b83a

SHA256
719c3ac4fca14d829254ba03f5ca5aba75408d13ed75aba52cb23232e5b261de

SHA512
d04ab449e5f49f7c5c73ec0f46c646185bd163b6524415e2d1ae744e884d6af19a660de6c6bd0948415000c1ef92fd20a57c27097ec75966911b4f1edb7c0439

Download Submit
C:\Windows\SysWOW64\Cpfmmf32.exe

Filesize
64KB

MD5
9a4fbe56768d6daeae391e24a80d74f8

SHA1
2ac8d0dd7a9a0f1111270a647392b70eb1c17542

SHA256
e34b03ceacb419d2c797ee34298ec36874ce662a0c2a35dd5abec7d03d042071

SHA512
417c5f38124a0c5589e78ebd71ba86d5f5acb93fd539e38f2e773198e41542237f6e06e2d609d05c1d0571e11ab1699df287e861693a5c49b50da6f8bcdede46

Download Submit
C:\Windows\SysWOW64\Djdgic32.exe

Filesize
64KB

MD5
e27d6d7b5d5f9971402d24589f42c974

SHA1
5fc8ca66a408b4f62cd447a3deeac987a92b5699

SHA256
b5730046ff67a56ba089a2fe3b8bb8e0a3d894d7ca83a7643063fa9ddbd4cfaf

SHA512
eebdbcaf9e0c00501604268fdfc6741430566cd1b8d64d55a47f3ca7d4d53be5aeff155ec8daa2fab3af0c83c9864b5314664247528e15caa41b9c285332a39e

Download Submit
C:\Windows\SysWOW64\Dmbcen32.exe

Filesize
64KB

MD5
b52ee1705104a1f6469aeb39c9953f90

SHA1
77169cd8a3bf28ff7f56324af69b7c7244f74d32

SHA256
8c3781d9f991d9078e432c15a2c36bb257a4c4e81ba3d3f0b7c0beb877155433

SHA512
a4bdbac4f94edbae8241a53105b6fe1ad219f0334376489772e8fae01564d19a6d2ac2d32d4ed437df0ce48e27a0c2eb09accb29cf1b54951e2e5b6333f33799

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
64KB

MD5
180651a7d2a18c618f1261a865487c04

SHA1
2aeff158ed11087b79ef43a81293c4e6df5fb189

SHA256
cedb6fa6e29940fd847fc03825c48a326901edc168e7a878d3e173605a5b2e1d

SHA512
6d62efc7dd5e66b04e75418736d963131f17cb3cb7acfb71c684a0c51de6b2ce1060901a14a5e5e396323393b0ddeaf39260b1602147d74682ae5b32c81f7034

Download Submit
\Windows\SysWOW64\Bbmcibjp.exe

Filesize
64KB

MD5
be61591a325ad23a3b57d8c8a5292475

SHA1
fc5462b40e7699def7599a7b0839b96e95caab76

SHA256
983247dcd9d07ee46274f2b5b6c1911ed76758267d55f6b3afa5d758d48af15b

SHA512
55c082e6a92adcc35d7b13101b7071e088bdba595eb85d076bccfe2bda0772d65458d249967d487449c19c0867beb25d168452cd7bd5a93829a77d3f12511926

Download Submit
\Windows\SysWOW64\Ccmpce32.exe

Filesize
64KB

MD5
fdb3792858ff57dd017a105cba4d2b07

SHA1
89554cc6d0992fa1c617bb85f37263ed7c9ccce6

SHA256
95dcaebbddae2228b151b4b30df398b2f57fea8ba52e097f69d6d880860386dc

SHA512
c608784e6484e1f8c51b0571aa192aa3526938fbe89a82c35e9844db4e2330d9ed8e8f26d75ee6ef37b3f89329515b9d33ff0735e061a8e70d5bea0b72c8c308

Download Submit
memory/536-361-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/536-142-0x00000000005C0000-0x00000000005EF000-memory.dmp

Filesize
188KB

Download
memory/648-369-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/648-237-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/856-377-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/856-322-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/856-318-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/856-312-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/960-219-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/960-367-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/960-212-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1308-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1484-132-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1484-127-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1484-360-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1756-371-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1756-259-0x00000000001E0000-0x000000000020F000-memory.dmp

Filesize
188KB

Download
memory/1756-249-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1756-255-0x00000000001E0000-0x000000000020F000-memory.dmp

Filesize
188KB

Download
memory/1780-372-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1780-269-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1780-268-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1820-279-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1820-270-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1820-373-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1820-280-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1876-167-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1876-363-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1876-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1936-359-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1936-114-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/1948-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1948-179-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/2248-374-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2248-290-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2248-288-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2292-35-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2292-350-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2292-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2336-12-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2336-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2336-348-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2336-13-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2336-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2360-347-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2360-22-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2360-14-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2432-375-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2432-300-0x00000000002F0000-0x000000000031F000-memory.dmp

Filesize
188KB

Download
memory/2432-296-0x00000000002F0000-0x000000000031F000-memory.dmp

Filesize
188KB

Download
memory/2456-366-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2496-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2496-301-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2496-311-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2496-310-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2572-380-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2572-343-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2588-80-0x00000000001E0000-0x000000000020F000-memory.dmp

Filesize
188KB

Download
memory/2588-356-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2616-411-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2616-102-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2616-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2708-349-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2708-53-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2720-355-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2720-61-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2728-88-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2728-357-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2740-362-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2764-342-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/2764-333-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2764-379-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2940-331-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2940-332-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2940-378-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3024-228-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/3024-368-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3056-198-0x00000000005C0000-0x00000000005EF000-memory.dmp

Filesize
188KB

Download
memory/3056-365-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3056-193-0x00000000005C0000-0x00000000005EF000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads