57daedb69732b37e0d81196d571268f31a45f2e34ae23eec2e37da6f58a8474a

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09-09-2024 03:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e77002603d179eb3c478b596f8de51d0N.exe
Size

80KB
MD5

e77002603d179eb3c478b596f8de51d0
SHA1

74ce5a7749330dd23011074d916ac2b6996f2b29
SHA256

57daedb69732b37e0d81196d571268f31a45f2e34ae23eec2e37da6f58a8474a
SHA512

82a4a0174e1bbe6f37236659f996ffe70b9aec33a96a7eeef88bfadc1d793983a60964e51942d7b205e0cc49c3b1b15fce6d31905845bb38283eb8812676a6e2
SSDEEP

1536:FZTOfgM+6NX6zqBTAFI7cNDPzDfWqdMVrlEFtyb7IYOOqw4Tv:FZagMJXcFPzTWqAhELy1MTTv

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dboglhna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqngcc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnjnkkbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	e77002603d179eb3c478b596f8de51d0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bakaaepk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccgnelll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgjgol32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfaqfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eebibf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhiphb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddbmcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egebjmdn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fllaopcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhiphb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enmnahnm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egpena32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgqmpkfg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efjpkj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cojeomee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhklna32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnjalhpp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhbbcail.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bakaaepk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccqhdmbc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djmiejji.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecjgio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efjpkj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekghcq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dqddmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebcmfj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbdagg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enmnahnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egpena32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdkkcp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnhhge32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Donojm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccqhdmbc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddbmcb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eebibf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djmiejji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqkjmcmq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpiaipmh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcjjkkji.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dboglhna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fedfgejh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjhckg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkgldm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnjalhpp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlboca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fpgnoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdinnqon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgjgol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcjjkkji.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egebjmdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Emgdmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfaqfh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhdfmbjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhgccbhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekghcq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpgnoo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnflae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnhhge32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkgldm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhklna32.exe

Executes dropped EXE 56 IoCs

pid	Process
2700	Bakaaepk.exe
2844	Bdinnqon.exe
2588	Cnabffeo.exe
2600	Cdkkcp32.exe
1336	Cgjgol32.exe
2972	Cjhckg32.exe
444	Ccqhdmbc.exe
3008	Cnflae32.exe
2384	Cpdhna32.exe
2740	Cfaqfh32.exe
2360	Cnhhge32.exe
1688	Cojeomee.exe
540	Cgqmpkfg.exe
2332	Chbihc32.exe
2436	Cpiaipmh.exe
2152	Ccgnelll.exe
1648	Dhdfmbjc.exe
2448	Donojm32.exe
2736	Dcjjkkji.exe
1808	Dfhgggim.exe
1976	Dhgccbhp.exe
2256	Dlboca32.exe
1904	Doqkpl32.exe
1640	Dboglhna.exe
2304	Dhiphb32.exe
2392	Dkgldm32.exe
2860	Dqddmd32.exe
2716	Dhklna32.exe
2584	Djmiejji.exe
1212	Dbdagg32.exe
432	Ddbmcb32.exe
2536	Dnjalhpp.exe
1956	Eddjhb32.exe
700	Enmnahnm.exe
2352	Eqkjmcmq.exe
2260	Ecjgio32.exe
1712	Egebjmdn.exe
596	Eifobe32.exe
2504	Eqngcc32.exe
2132	Ebockkal.exe
960	Efjpkj32.exe
996	Ekghcq32.exe
920	Epcddopf.exe
780	Eepmlf32.exe
1980	Emgdmc32.exe
1316	Elieipej.exe
1700	Ebcmfj32.exe
2068	Eebibf32.exe
2560	Egpena32.exe
2224	Fllaopcg.exe
2624	Fpgnoo32.exe
1896	Fnjnkkbk.exe
2648	Faijggao.exe
616	Fedfgejh.exe
2216	Fhbbcail.exe
2640	Flnndp32.exe

Loads dropped DLL 64 IoCs

pid	Process
2160	e77002603d179eb3c478b596f8de51d0N.exe
2160	e77002603d179eb3c478b596f8de51d0N.exe
2700	Bakaaepk.exe
2700	Bakaaepk.exe
2844	Bdinnqon.exe
2844	Bdinnqon.exe
2588	Cnabffeo.exe
2588	Cnabffeo.exe
2600	Cdkkcp32.exe
2600	Cdkkcp32.exe
1336	Cgjgol32.exe
1336	Cgjgol32.exe
2972	Cjhckg32.exe
2972	Cjhckg32.exe
444	Ccqhdmbc.exe
444	Ccqhdmbc.exe
3008	Cnflae32.exe
3008	Cnflae32.exe
2384	Cpdhna32.exe
2384	Cpdhna32.exe
2740	Cfaqfh32.exe
2740	Cfaqfh32.exe
2360	Cnhhge32.exe
2360	Cnhhge32.exe
1688	Cojeomee.exe
1688	Cojeomee.exe
540	Cgqmpkfg.exe
540	Cgqmpkfg.exe
2332	Chbihc32.exe
2332	Chbihc32.exe
2436	Cpiaipmh.exe
2436	Cpiaipmh.exe
2152	Ccgnelll.exe
2152	Ccgnelll.exe
1648	Dhdfmbjc.exe
1648	Dhdfmbjc.exe
2448	Donojm32.exe
2448	Donojm32.exe
2736	Dcjjkkji.exe
2736	Dcjjkkji.exe
1808	Dfhgggim.exe
1808	Dfhgggim.exe
1976	Dhgccbhp.exe
1976	Dhgccbhp.exe
2256	Dlboca32.exe
2256	Dlboca32.exe
1904	Doqkpl32.exe
1904	Doqkpl32.exe
1640	Dboglhna.exe
1640	Dboglhna.exe
2304	Dhiphb32.exe
2304	Dhiphb32.exe
2392	Dkgldm32.exe
2392	Dkgldm32.exe
2860	Dqddmd32.exe
2860	Dqddmd32.exe
2716	Dhklna32.exe
2716	Dhklna32.exe
2584	Djmiejji.exe
2584	Djmiejji.exe
1212	Dbdagg32.exe
1212	Dbdagg32.exe
432	Ddbmcb32.exe
432	Ddbmcb32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Iidbakdl.dll	Cjhckg32.exe
File created	C:\Windows\SysWOW64\Qgfhapbi.dll	Dcjjkkji.exe
File created	C:\Windows\SysWOW64\Ecjgio32.exe	Eqkjmcmq.exe
File opened for modification	C:\Windows\SysWOW64\Ccqhdmbc.exe	Cjhckg32.exe
File opened for modification	C:\Windows\SysWOW64\Cpiaipmh.exe	Chbihc32.exe
File created	C:\Windows\SysWOW64\Dqddmd32.exe	Dkgldm32.exe
File created	C:\Windows\SysWOW64\Kmpnop32.dll	Faijggao.exe
File opened for modification	C:\Windows\SysWOW64\Chbihc32.exe	Cgqmpkfg.exe
File created	C:\Windows\SysWOW64\Chbihc32.exe	Cgqmpkfg.exe
File created	C:\Windows\SysWOW64\Kpcmnaip.dll	Cgqmpkfg.exe
File created	C:\Windows\SysWOW64\Malbbh32.dll	Dhiphb32.exe
File opened for modification	C:\Windows\SysWOW64\Dbdagg32.exe	Djmiejji.exe
File created	C:\Windows\SysWOW64\Ngbpoo32.dll	Ecjgio32.exe
File opened for modification	C:\Windows\SysWOW64\Ebockkal.exe	Eqngcc32.exe
File opened for modification	C:\Windows\SysWOW64\Emgdmc32.exe	Eepmlf32.exe
File created	C:\Windows\SysWOW64\Cgkqcb32.dll	Cnabffeo.exe
File created	C:\Windows\SysWOW64\Ihbldk32.dll	Cpiaipmh.exe
File opened for modification	C:\Windows\SysWOW64\Dlboca32.exe	Dhgccbhp.exe
File created	C:\Windows\SysWOW64\Dhklna32.exe	Dqddmd32.exe
File opened for modification	C:\Windows\SysWOW64\Djmiejji.exe	Dhklna32.exe
File created	C:\Windows\SysWOW64\Ddbmcb32.exe	Dbdagg32.exe
File created	C:\Windows\SysWOW64\Faijggao.exe	Fnjnkkbk.exe
File created	C:\Windows\SysWOW64\Cnhhge32.exe	Cfaqfh32.exe
File created	C:\Windows\SysWOW64\Fcphaglh.dll	Doqkpl32.exe
File created	C:\Windows\SysWOW64\Fpkljm32.dll	Egpena32.exe
File created	C:\Windows\SysWOW64\Alakfjbc.dll	Bdinnqon.exe
File created	C:\Windows\SysWOW64\Fdbnboph.dll	Dqddmd32.exe
File created	C:\Windows\SysWOW64\Eifobe32.exe	Egebjmdn.exe
File opened for modification	C:\Windows\SysWOW64\Epcddopf.exe	Ekghcq32.exe
File created	C:\Windows\SysWOW64\Emgdmc32.exe	Eepmlf32.exe
File opened for modification	C:\Windows\SysWOW64\Cjhckg32.exe	Cgjgol32.exe
File opened for modification	C:\Windows\SysWOW64\Dhgccbhp.exe	Dfhgggim.exe
File created	C:\Windows\SysWOW64\Akomon32.dll	Eepmlf32.exe
File created	C:\Windows\SysWOW64\Fpgnoo32.exe	Fllaopcg.exe
File created	C:\Windows\SysWOW64\Dcjjkkji.exe	Donojm32.exe
File created	C:\Windows\SysWOW64\Doqkpl32.exe	Dlboca32.exe
File created	C:\Windows\SysWOW64\Bgjond32.dll	Dbdagg32.exe
File opened for modification	C:\Windows\SysWOW64\Ekghcq32.exe	Efjpkj32.exe
File created	C:\Windows\SysWOW64\Opnphfdp.dll	Fedfgejh.exe
File created	C:\Windows\SysWOW64\Bpmoggbh.dll	Donojm32.exe
File opened for modification	C:\Windows\SysWOW64\Dhdfmbjc.exe	Ccgnelll.exe
File created	C:\Windows\SysWOW64\Pdkooael.dll	Dhgccbhp.exe
File created	C:\Windows\SysWOW64\Jbaajccm.dll	Dkgldm32.exe
File opened for modification	C:\Windows\SysWOW64\Dhklna32.exe	Dqddmd32.exe
File created	C:\Windows\SysWOW64\Enmnahnm.exe	Eddjhb32.exe
File opened for modification	C:\Windows\SysWOW64\Eifobe32.exe	Egebjmdn.exe
File created	C:\Windows\SysWOW64\Eqngcc32.exe	Eifobe32.exe
File opened for modification	C:\Windows\SysWOW64\Cnhhge32.exe	Cfaqfh32.exe
File created	C:\Windows\SysWOW64\Pggcij32.dll	Eebibf32.exe
File created	C:\Windows\SysWOW64\Fnjnkkbk.exe	Fpgnoo32.exe
File created	C:\Windows\SysWOW64\Onndkg32.dll	Fhbbcail.exe
File created	C:\Windows\SysWOW64\Fhoedaep.dll	Emgdmc32.exe
File created	C:\Windows\SysWOW64\Cpiaipmh.exe	Chbihc32.exe
File created	C:\Windows\SysWOW64\Booqgija.dll	Ccgnelll.exe
File created	C:\Windows\SysWOW64\Cojeomee.exe	Cnhhge32.exe
File opened for modification	C:\Windows\SysWOW64\Dqddmd32.exe	Dkgldm32.exe
File created	C:\Windows\SysWOW64\Eqkjmcmq.exe	Enmnahnm.exe
File opened for modification	C:\Windows\SysWOW64\Flnndp32.exe	Fhbbcail.exe
File created	C:\Windows\SysWOW64\Acnkmfoc.dll	Cnhhge32.exe
File opened for modification	C:\Windows\SysWOW64\Cojeomee.exe	Cnhhge32.exe
File created	C:\Windows\SysWOW64\Kecfmlgq.dll	Cojeomee.exe
File created	C:\Windows\SysWOW64\Hehaja32.dll	Efjpkj32.exe
File opened for modification	C:\Windows\SysWOW64\Cfaqfh32.exe	Cpdhna32.exe
File opened for modification	C:\Windows\SysWOW64\Dboglhna.exe	Doqkpl32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2368	2640	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 57 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebockkal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhiphb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egebjmdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccgnelll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Emgdmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fllaopcg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cojeomee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enmnahnm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqngcc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgjgol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjhckg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chbihc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbdagg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Elieipej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flnndp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bakaaepk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doqkpl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dqddmd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlboca32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eddjhb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e77002603d179eb3c478b596f8de51d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfhgggim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnjalhpp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnjnkkbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfaqfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkgldm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhklna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhdfmbjc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnhhge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epcddopf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fpgnoo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fedfgejh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnflae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhgccbhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eifobe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efjpkj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egpena32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdinnqon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccqhdmbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgqmpkfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqkjmcmq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecjgio32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdkkcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcjjkkji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddbmcb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebcmfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpiaipmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Donojm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dboglhna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eebibf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Faijggao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpdhna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djmiejji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekghcq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eepmlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fhbbcail.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnabffeo.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Endjeihi.dll"	Cpdhna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhdfmbjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apafhqnp.dll"	Dlboca32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efjpkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhoedaep.dll"	Emgdmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eebibf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fpgnoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onndkg32.dll"	Fhbbcail.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgqmpkfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dcjjkkji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhklna32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djmiejji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddbmcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pggcij32.dll"	Eebibf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhiphb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnjalhpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnfoepmg.dll"	Ebockkal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Faijggao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fhbbcail.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Faijggao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhdfmbjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpmoggbh.dll"	Donojm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dboglhna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Enmnahnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Efjpkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfadkk32.dll"	Fnjnkkbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnabffeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Doqkpl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Elieipej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	e77002603d179eb3c478b596f8de51d0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjhckg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhibakgh.dll"	Cnflae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djmiejji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bakaaepk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhpgpkho.dll"	Elieipej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fllaopcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdinnqon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cojeomee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbaajccm.dll"	Dkgldm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcphaglh.dll"	Doqkpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ekghcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpdkq32.dll"	Fllaopcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odlkfk32.dll"	Fpgnoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpdhna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccgnelll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ekghcq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eebibf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghbakjma.dll"	Bakaaepk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olahgd32.dll"	Dnjalhpp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebockkal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Epcddopf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akomon32.dll"	Eepmlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fnjnkkbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acnkmfoc.dll"	Cnhhge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpiaipmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dlboca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlpfci32.dll"	Dboglhna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eddjhb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecjgio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdnnjcdh.dll"	Eqngcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgkqcb32.dll"	Cnabffeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iidbakdl.dll"	Cjhckg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egbigm32.dll"	Dhdfmbjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhiphb32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 2700	2160	e77002603d179eb3c478b596f8de51d0N.exe	30
PID 2160 wrote to memory of 2700	2160	e77002603d179eb3c478b596f8de51d0N.exe	30
PID 2160 wrote to memory of 2700	2160	e77002603d179eb3c478b596f8de51d0N.exe	30
PID 2160 wrote to memory of 2700	2160	e77002603d179eb3c478b596f8de51d0N.exe	30
PID 2700 wrote to memory of 2844	2700	Bakaaepk.exe	31
PID 2700 wrote to memory of 2844	2700	Bakaaepk.exe	31
PID 2700 wrote to memory of 2844	2700	Bakaaepk.exe	31
PID 2700 wrote to memory of 2844	2700	Bakaaepk.exe	31
PID 2844 wrote to memory of 2588	2844	Bdinnqon.exe	32
PID 2844 wrote to memory of 2588	2844	Bdinnqon.exe	32
PID 2844 wrote to memory of 2588	2844	Bdinnqon.exe	32
PID 2844 wrote to memory of 2588	2844	Bdinnqon.exe	32
PID 2588 wrote to memory of 2600	2588	Cnabffeo.exe	33
PID 2588 wrote to memory of 2600	2588	Cnabffeo.exe	33
PID 2588 wrote to memory of 2600	2588	Cnabffeo.exe	33
PID 2588 wrote to memory of 2600	2588	Cnabffeo.exe	33
PID 2600 wrote to memory of 1336	2600	Cdkkcp32.exe	34
PID 2600 wrote to memory of 1336	2600	Cdkkcp32.exe	34
PID 2600 wrote to memory of 1336	2600	Cdkkcp32.exe	34
PID 2600 wrote to memory of 1336	2600	Cdkkcp32.exe	34
PID 1336 wrote to memory of 2972	1336	Cgjgol32.exe	35
PID 1336 wrote to memory of 2972	1336	Cgjgol32.exe	35
PID 1336 wrote to memory of 2972	1336	Cgjgol32.exe	35
PID 1336 wrote to memory of 2972	1336	Cgjgol32.exe	35
PID 2972 wrote to memory of 444	2972	Cjhckg32.exe	36
PID 2972 wrote to memory of 444	2972	Cjhckg32.exe	36
PID 2972 wrote to memory of 444	2972	Cjhckg32.exe	36
PID 2972 wrote to memory of 444	2972	Cjhckg32.exe	36
PID 444 wrote to memory of 3008	444	Ccqhdmbc.exe	37
PID 444 wrote to memory of 3008	444	Ccqhdmbc.exe	37
PID 444 wrote to memory of 3008	444	Ccqhdmbc.exe	37
PID 444 wrote to memory of 3008	444	Ccqhdmbc.exe	37
PID 3008 wrote to memory of 2384	3008	Cnflae32.exe	38
PID 3008 wrote to memory of 2384	3008	Cnflae32.exe	38
PID 3008 wrote to memory of 2384	3008	Cnflae32.exe	38
PID 3008 wrote to memory of 2384	3008	Cnflae32.exe	38
PID 2384 wrote to memory of 2740	2384	Cpdhna32.exe	39
PID 2384 wrote to memory of 2740	2384	Cpdhna32.exe	39
PID 2384 wrote to memory of 2740	2384	Cpdhna32.exe	39
PID 2384 wrote to memory of 2740	2384	Cpdhna32.exe	39
PID 2740 wrote to memory of 2360	2740	Cfaqfh32.exe	40
PID 2740 wrote to memory of 2360	2740	Cfaqfh32.exe	40
PID 2740 wrote to memory of 2360	2740	Cfaqfh32.exe	40
PID 2740 wrote to memory of 2360	2740	Cfaqfh32.exe	40
PID 2360 wrote to memory of 1688	2360	Cnhhge32.exe	41
PID 2360 wrote to memory of 1688	2360	Cnhhge32.exe	41
PID 2360 wrote to memory of 1688	2360	Cnhhge32.exe	41
PID 2360 wrote to memory of 1688	2360	Cnhhge32.exe	41
PID 1688 wrote to memory of 540	1688	Cojeomee.exe	42
PID 1688 wrote to memory of 540	1688	Cojeomee.exe	42
PID 1688 wrote to memory of 540	1688	Cojeomee.exe	42
PID 1688 wrote to memory of 540	1688	Cojeomee.exe	42
PID 540 wrote to memory of 2332	540	Cgqmpkfg.exe	43
PID 540 wrote to memory of 2332	540	Cgqmpkfg.exe	43
PID 540 wrote to memory of 2332	540	Cgqmpkfg.exe	43
PID 540 wrote to memory of 2332	540	Cgqmpkfg.exe	43
PID 2332 wrote to memory of 2436	2332	Chbihc32.exe	44
PID 2332 wrote to memory of 2436	2332	Chbihc32.exe	44
PID 2332 wrote to memory of 2436	2332	Chbihc32.exe	44
PID 2332 wrote to memory of 2436	2332	Chbihc32.exe	44
PID 2436 wrote to memory of 2152	2436	Cpiaipmh.exe	45
PID 2436 wrote to memory of 2152	2436	Cpiaipmh.exe	45
PID 2436 wrote to memory of 2152	2436	Cpiaipmh.exe	45
PID 2436 wrote to memory of 2152	2436	Cpiaipmh.exe	45

C:\Users\Admin\AppData\Local\Temp\e77002603d179eb3c478b596f8de51d0N.exe
"C:\Users\Admin\AppData\Local\Temp\e77002603d179eb3c478b596f8de51d0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Windows\SysWOW64\Bakaaepk.exe
  C:\Windows\system32\Bakaaepk.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\SysWOW64\Bdinnqon.exe
    C:\Windows\system32\Bdinnqon.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Windows\SysWOW64\Cnabffeo.exe
      C:\Windows\system32\Cnabffeo.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2588
    - - C:\Windows\SysWOW64\Cdkkcp32.exe
        
        C:\Windows\system32\Cdkkcp32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2600
      - C:\Windows\SysWOW64\Cgjgol32.exe
        
        C:\Windows\system32\Cgjgol32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Windows\SysWOW64\Cjhckg32.exe
        
        C:\Windows\system32\Cjhckg32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\SysWOW64\Ccqhdmbc.exe
        
        C:\Windows\system32\Ccqhdmbc.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:444
        
        C:\Windows\SysWOW64\Cnflae32.exe
        
        C:\Windows\system32\Cnflae32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\SysWOW64\Cpdhna32.exe
        
        C:\Windows\system32\Cpdhna32.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\SysWOW64\Cfaqfh32.exe
        
        C:\Windows\system32\Cfaqfh32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\SysWOW64\Cnhhge32.exe
        
        C:\Windows\system32\Cnhhge32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\SysWOW64\Cojeomee.exe
        
        C:\Windows\system32\Cojeomee.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\SysWOW64\Cgqmpkfg.exe
        
        C:\Windows\system32\Cgqmpkfg.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\SysWOW64\Chbihc32.exe
        
        C:\Windows\system32\Chbihc32.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\SysWOW64\Cpiaipmh.exe
        
        C:\Windows\system32\Cpiaipmh.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\SysWOW64\Ccgnelll.exe
        
        C:\Windows\system32\Ccgnelll.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2152
        
        C:\Windows\SysWOW64\Dhdfmbjc.exe
        
        C:\Windows\system32\Dhdfmbjc.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1648
        
        C:\Windows\SysWOW64\Donojm32.exe
        
        C:\Windows\system32\Donojm32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2448
        
        C:\Windows\SysWOW64\Dcjjkkji.exe
        
        C:\Windows\system32\Dcjjkkji.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2736
        
        C:\Windows\SysWOW64\Dfhgggim.exe
        
        C:\Windows\system32\Dfhgggim.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1808
        
        C:\Windows\SysWOW64\Dhgccbhp.exe
        
        C:\Windows\system32\Dhgccbhp.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Windows\SysWOW64\Dlboca32.exe
        
        C:\Windows\system32\Dlboca32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Doqkpl32.exe
        
        C:\Windows\system32\Doqkpl32.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1904
        
        C:\Windows\SysWOW64\Dboglhna.exe
        
        C:\Windows\system32\Dboglhna.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Dhiphb32.exe
        
        C:\Windows\system32\Dhiphb32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2304
        
        C:\Windows\SysWOW64\Dkgldm32.exe
        
        C:\Windows\system32\Dkgldm32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2392
        
        C:\Windows\SysWOW64\Dqddmd32.exe
        
        C:\Windows\system32\Dqddmd32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Windows\SysWOW64\Dhklna32.exe
        
        C:\Windows\system32\Dhklna32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2716
        
        C:\Windows\SysWOW64\Djmiejji.exe
        
        C:\Windows\system32\Djmiejji.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2584
        
        C:\Windows\SysWOW64\Dbdagg32.exe
        
        C:\Windows\system32\Dbdagg32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1212
        
        C:\Windows\SysWOW64\Ddbmcb32.exe
        
        C:\Windows\system32\Ddbmcb32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:432
        
        C:\Windows\SysWOW64\Dnjalhpp.exe
        
        C:\Windows\system32\Dnjalhpp.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2536
        
        C:\Windows\SysWOW64\Eddjhb32.exe
        
        C:\Windows\system32\Eddjhb32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Enmnahnm.exe
        
        C:\Windows\system32\Enmnahnm.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:700
        
        C:\Windows\SysWOW64\Eqkjmcmq.exe
        
        C:\Windows\system32\Eqkjmcmq.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Windows\SysWOW64\Ecjgio32.exe
        
        C:\Windows\system32\Ecjgio32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2260
        
        C:\Windows\SysWOW64\Egebjmdn.exe
        
        C:\Windows\system32\Egebjmdn.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1712
        
        C:\Windows\SysWOW64\Eifobe32.exe
        
        C:\Windows\system32\Eifobe32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:596
        
        C:\Windows\SysWOW64\Eqngcc32.exe
        
        C:\Windows\system32\Eqngcc32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2504
        
        C:\Windows\SysWOW64\Ebockkal.exe
        
        C:\Windows\system32\Ebockkal.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2132
        
        C:\Windows\SysWOW64\Efjpkj32.exe
        
        C:\Windows\system32\Efjpkj32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:960
        
        C:\Windows\SysWOW64\Ekghcq32.exe
        
        C:\Windows\system32\Ekghcq32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:996
        
        C:\Windows\SysWOW64\Epcddopf.exe
        
        C:\Windows\system32\Epcddopf.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:920
        
        C:\Windows\SysWOW64\Eepmlf32.exe
        
        C:\Windows\system32\Eepmlf32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:780
        
        C:\Windows\SysWOW64\Emgdmc32.exe
        
        C:\Windows\system32\Emgdmc32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\Elieipej.exe
        
        C:\Windows\system32\Elieipej.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1316
        
        C:\Windows\SysWOW64\Ebcmfj32.exe
        
        C:\Windows\system32\Ebcmfj32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1700
        
        C:\Windows\SysWOW64\Eebibf32.exe
        
        C:\Windows\system32\Eebibf32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2068
        
        C:\Windows\SysWOW64\Egpena32.exe
        
        C:\Windows\system32\Egpena32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2560
        
        C:\Windows\SysWOW64\Fllaopcg.exe
        
        C:\Windows\system32\Fllaopcg.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2224
        
        C:\Windows\SysWOW64\Fpgnoo32.exe
        
        C:\Windows\system32\Fpgnoo32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2624
        
        C:\Windows\SysWOW64\Fnjnkkbk.exe
        
        C:\Windows\system32\Fnjnkkbk.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1896
        
        C:\Windows\SysWOW64\Faijggao.exe
        
        C:\Windows\system32\Faijggao.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\Fedfgejh.exe
        
        C:\Windows\system32\Fedfgejh.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:616
        
        C:\Windows\SysWOW64\Fhbbcail.exe
        
        C:\Windows\system32\Fhbbcail.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Flnndp32.exe
        
        C:\Windows\system32\Flnndp32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 140
        58⤵
        Program crash
        
        PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bdinnqon.exe

Filesize
80KB

MD5
b0634f5f45348f7e0f382fbd1950bf68

SHA1
514e0255fa75f1efbcccc9dbad81ef4ce5a1fc99

SHA256
4ce4bea5ddf23c52f8a5293c9e9f961238b37119bb9e65f0385059540c18593a

SHA512
69c96a7a1b359a9c089708c3a68a505b27b41664a4f86b97b9f3f0080c03b24b6a787f239cc9e2ae8e155b48c1e408a3d08f42c01cfa6ec002962fb447727970

Download Submit
C:\Windows\SysWOW64\Cgjgol32.exe

Filesize
80KB

MD5
f3eeffdc62afa0e8f9a60d78478d4089

SHA1
9ad30e3602775e4413106f2b466ca73c82d4746c

SHA256
d45e9ce024454dd99ae3fc66a346ac40e13a7567ee979163ffa1265bcea3e29f

SHA512
e6ac654a14525b49a5d05b0e43b588f66255ae7c78a86e44e864645a76eee361ae0d30d83f788de3f7f25506d8774c2f6115ac148bba77ac52e7b583251901ed

Download Submit
C:\Windows\SysWOW64\Dbdagg32.exe

Filesize
80KB

MD5
719ca7ecc0be4c65e8941bdffa774333

SHA1
f9043e35b5df1a9dd6e685330f23407dc502d770

SHA256
3e181da6fb438e25f4fe3bff5bac643e4b4ce9604069e74d4e599b4eee274885

SHA512
670c489c940b52c90b2b6517144aa93b016a78d057c4912f2c15b8c6d8f0814d8edbe6acfc4eb38a48d474e49214b55427168ef848137d2f078471002b155829

Download Submit
C:\Windows\SysWOW64\Dboglhna.exe

Filesize
80KB

MD5
221db65748528b8242af4331ce58dfc1

SHA1
c6b3304d37c989255f7fdfb5a17de6233a452807

SHA256
7dc1322ce9d0fdc324c7908d32d7181ef21b05c858c03465b896b9a7d4714676

SHA512
26e667eb90c81c3c4c190cc849ab4470eea51d12aa2f5fe87932b557c1afd64071156a8c7baa3f979476ec89588f8191cb49f797d54f11b44b395a850ac55674

Download Submit
C:\Windows\SysWOW64\Dcjjkkji.exe

Filesize
80KB

MD5
7fbf5f6900582ed9336793327d6dc851

SHA1
11cd43b29de1dde386cdedebb476bfc7a1db1423

SHA256
c2b8274aed911d13d6bc07567211198408165f958c265fa8c2e2b65afb5bf0ff

SHA512
409e3cf4ea575ded6a4a28b0196aa33367ad05354ba3d1c36bc2c7f004b5c1fb86c7b0527c3c6745c49abc4fef30c3002f22235417e93898f3d1106456e24775

Download Submit
C:\Windows\SysWOW64\Ddbmcb32.exe

Filesize
80KB

MD5
334eb7f76b2e93a80e2996aaf08a500d

SHA1
cf24b230bad695891c5cfd441a5a4b4e36de3a50

SHA256
0209c48798e8467c8232f004bd13cf7c0fbc38de63b6a213de2021748024ce5e

SHA512
83b6614d275c6a23951da1f9ca0bde52220a00d769d725178901c7e88549434cfbe29a8d0887780d63f48b7eb1642ce86100ecdf1cd86aa948ea4cb339b3e316

Download Submit
C:\Windows\SysWOW64\Dfhgggim.exe

Filesize
80KB

MD5
c4bc2e737ba681d82f4b88a9c7dcada1

SHA1
18e2b08146583c1d56cfbc4067804d294e33d021

SHA256
925efec40e8efbc66ed6c40839dc0e99bd2f66adfbffd507c7b92c0b99747be7

SHA512
1aadfc744f29a2c6e1db10cc17c2649dd34d8433630f3d1af0222d0be3386b40ba0091295582aa6b5ebeb509e4b1de039b20cdb30f7073d05a928e9029947d65

Download Submit
C:\Windows\SysWOW64\Dhdfmbjc.exe

Filesize
80KB

MD5
5c815a2a06439c27cbc18b979a77fe5f

SHA1
179fbc3230c721918afd323297a6ca02351a1a87

SHA256
d309e2084102312ded75046a20f47d428dd052f1b310c7b149024a7b6953ebc8

SHA512
eb649025c2492dead40344c5b62f33a557741d912222aa3807f82cbfd0093e6def774344c999b5a7fc5f402bf573fd829bbfde71eadb181f60e2c0641ac7f25a

Download Submit
C:\Windows\SysWOW64\Dhgccbhp.exe

Filesize
80KB

MD5
b8b5752e5a4df0981a9d63f8bf5fb1a6

SHA1
a23fb180887146e1854a9945b95ba245a4ef48c3

SHA256
1fdc83aca4146a561399f52d406c67f3af1257baa627217c7eace4330810b755

SHA512
346924fce62b799b5496b03528442dda6a0682f24890f72535bf40747e986501a83ea2b71089366234d075570d79bea9e0bb50a307f66c08e984d82542a60ece

Download Submit
C:\Windows\SysWOW64\Dhiphb32.exe

Filesize
80KB

MD5
8f481eeb485ec58eefe35c455187a0b1

SHA1
64696122c3400c7ced98007d22e5481f8c552545

SHA256
554507082357326e23e4395e31ad66d076ce93527efa0bcf5d4676c6e003184b

SHA512
46219772cb0b16bf94a3801268d0fca9d6ff954c4dcd4cd83d858173fb837314ccb03ee15b81bd924c96d82ccf6f513b9ce37762924b87c27ae0126e77eff1c5

Download Submit
C:\Windows\SysWOW64\Dhklna32.exe

Filesize
80KB

MD5
d05689551c0163ad44279b7cc7ac56f8

SHA1
a638fa12ede35a51eab82a7691c8c5bb7e72d1f4

SHA256
53d4617ceba7577089003f172b233adfac7a63b68af888fb5a2b485f57bdea7c

SHA512
53f3c48d66dacd8b3981b35069b3c98a6dfd83709834e4a98317b284ed76acbca770f97eadf1695dd9c5cf547ad8236be78b69014cef09c66f250ffc775d9be1

Download Submit
C:\Windows\SysWOW64\Djmiejji.exe

Filesize
80KB

MD5
38491ce5ad704e3bbb52c77182e3d969

SHA1
f8db2d8c5cc40acc7d23b00ec77b6cd808317c55

SHA256
6acd9c809cc9694fc55474200e9144d2c32e747644fc52ca32bb9207616a8674

SHA512
0b3637218a0f38e118db0d16d9e4a55f96465ae30675772bd56c24d827f60c33c09b286d9a85835a1190352528cc765b5491e21ad5389db6363d61bd9c77577f

Download Submit
C:\Windows\SysWOW64\Dkgldm32.exe

Filesize
80KB

MD5
462b490df989fa03c8f6806e419081f3

SHA1
f6d6f01088acd712c26b2f1b9d9604328241b6f3

SHA256
814de933442bac84dce198a5b84d1c1ef71bf2fbe3cc350bc23cdb8886713224

SHA512
1b52fa5a53150161932bf4c0afe712ee9d3480b0f490e02b6d2865c4e127c4538be6ecd4d3e2dbe156c5db15d498e7ef6b79ab8d52f29145d6f959fff5ffaec4

Download Submit
C:\Windows\SysWOW64\Dlboca32.exe

Filesize
80KB

MD5
d620330ef1150e5e10581b2c4ca44b6f

SHA1
7e7d89d716faff1555321973b036dcd2fdd0de42

SHA256
1c7c2e9f19cc879042835882af6f4b34ac00b40c9dee4758fa3f86387fc55a03

SHA512
bbde0cbf177f2eed18ba50c677ae7bc02eb921a23fe4b63f0e4772da33cb252693c3a76fa08457f05b6d4e6a47488ce65628d73b60f38efef0fef2b0b5dfd766

Download Submit
C:\Windows\SysWOW64\Dnjalhpp.exe

Filesize
80KB

MD5
a981824e09b72ae552d4d26f877d1618

SHA1
9293c9174fec8577a30add0d907d0d8e14503f63

SHA256
4e5a38cbb18d5cc9b3a75b3f0079b43a4c7494be43b29b62ccb7590eb8fe956c

SHA512
c364e20aca467207376ee40e53189a217f20a590f01f296bc741725fc9add8879a396c0d9959f0188b7498bf2fa270b0ac5ace60cc5159e092cc0bc4d7fff6d9

Download Submit
C:\Windows\SysWOW64\Donojm32.exe

Filesize
80KB

MD5
e3921323c1c5f9f9bb58d8e60fd7c36c

SHA1
796256ae7532692de0def4b8ab55bcf536ba6dcb

SHA256
85f0aeace8d62db3cc644e6c9b7706fe2f21399d058035cbcfc240ce4a019d72

SHA512
24d5f3131ba61bc1a2ba87efbee9f1a28f8f9ee5c678ae00f6929d90302cbb534885f5e9e56a536a65ebfdac24daeb17a68dfe688385f1f8f9ca794b6d1aee1c

Download Submit
C:\Windows\SysWOW64\Doqkpl32.exe

Filesize
80KB

MD5
b152ac8cacefcb95f3bebb62f192f549

SHA1
85a4e9b18a8239f9d92427cf63eca4666348491c

SHA256
8e3bf3003105fea3d00ba646ac439b7297f654a9ed0f96bba4fd4feee2899958

SHA512
370a07176dec7dfd8cc33a3a719d687776880691411fec26d98cd725b4ba96cfe0fa2646d6a007276149e9ebe573431c331bac1c283bab8463464140efaaf4d3

Download Submit
C:\Windows\SysWOW64\Dqddmd32.exe

Filesize
80KB

MD5
184d6d6decf2c5811b916fb24ec685a9

SHA1
dab51af13c1c71cc944614ae423871f852ddd2be

SHA256
c22bfd62a39ce1d0f6ead39eb62692230a8d1cd360a0a26ea47a2068d03b23b1

SHA512
d7fb0da0fd542d555229f09ab033dfdeb749592cc347f9dfb699fbac02b0f22cfead4d02ec742476ad8ec7b9a4c6642a47a7ae31d2ec7eb0fb5410776ea31f0a

Download Submit
C:\Windows\SysWOW64\Ebcmfj32.exe

Filesize
80KB

MD5
eeb35616a75fe66dd1c8b6aff0ba50f5

SHA1
45b66273876d6545f054d227466f240b2f509b79

SHA256
c8850577d9794a77223695086ee50f9b6972c813c66b6f07d86f7d09c677ba54

SHA512
ab7c826169fe0bb815b7073504f27d7cfed5c652dccdf11c3736b76d85ab78533e351ce3235636c2710432b3867c8789a239c803222d0821ffb8688d68f2561c

Download Submit
C:\Windows\SysWOW64\Ebockkal.exe

Filesize
80KB

MD5
5da8273525545f8e183b8f06f18b16b1

SHA1
a0bc0bf892daff1352f0c608f16c219c45ae79bd

SHA256
0becf9ee965cfa144a32ca833db2f066e187a947c6f15ec12ad63aee01034dc9

SHA512
f913bcd0e3803d26dc6ea85f358a2c739b44df60c600d9c5486a7c6c1bec6e2cf0f0495ba0800f058f767e1a434b21d987c89eaf9e2de63c9384198b613b5b31

Download Submit
C:\Windows\SysWOW64\Ecjgio32.exe

Filesize
80KB

MD5
dda8a4d0c2a0a7d2a24a6439f637b7bb

SHA1
2b23743aefc034c3db119c2d54cb2b8ed37368b8

SHA256
1daf7b70f4882bdfbe4e6154f09aabbffb50bb2882faf8e941252e93ac463b4e

SHA512
6fc36f20b47c53a8da662163215eaf3f8035ca464133ff36eecac02c8ca7c141a25502b22284caaff91fbb3b74789fb8f8a7e41a53437d4794335b4f170b95c1

Download Submit
C:\Windows\SysWOW64\Eddjhb32.exe

Filesize
80KB

MD5
d38965b2182324755e4d5f1f4200e7f0

SHA1
bd3dd8f60ecc55c8cf5cf0e41bd25b8f7ac9406c

SHA256
ad650feeb373ddf213f25eaeccd2838e3417d051561ffc984a920511165cadcb

SHA512
6e017d4d99e5fab7966560e4242eb587e763fed9d3b06494e8adda4cf9875892916c435a58ce317cc8cb930a1a47b3ba67d19c9eed4b37d44c03c365c3841330

Download Submit
C:\Windows\SysWOW64\Eebibf32.exe

Filesize
80KB

MD5
1cc33506b999244e3901b9b5c05d4517

SHA1
93d20c9a09fa09cb309151e8d890b4b3c22b29b4

SHA256
580078c161e14fb95daaeffc9b1ebd6187e4e86e54df7b91366c9d82677a9ca5

SHA512
d2fd540cbd72057778517ef21c08f23556c4295bd06fcb9eadb671f0c5c23323a470cbec7676d997d68693843aa86f4e37733b8dbdb60fd6e5e08aea1caed4d1

Download Submit
C:\Windows\SysWOW64\Eepmlf32.exe

Filesize
80KB

MD5
5e0070814e41fd84ac2801f57c36cc2f

SHA1
9d290baec036f92121b1b469ddc053fa06846ff7

SHA256
cc5acdda3d599fb6110776d5bc04020f965fc83d0f69a9d7654f74779066ce4a

SHA512
83736f47135d0bcfec2eb7cc7dedf62d854dbe6ae0a162d33788651317beb92dac79d62c2f6481ecca8bcfefdcf9b5ab71fd589dbd62d130fdd8538a8d5743ac

Download Submit
C:\Windows\SysWOW64\Efjpkj32.exe

Filesize
80KB

MD5
987ad5b55d0a02151286b7d146c33caf

SHA1
43b2014f9e6aa1f10d077567fb3f49e958c288ab

SHA256
19feca83a86a9dc8d73f744b78e330bfd9fe0a93e1ddf28d35b734d75cb2b184

SHA512
5fba46aa68ea67dcaa39141a63bafa81e12687f4b475c9ccb04b6c26d8b4034ec74c66e4983eca5e531f5bc6274e576773073ffbf06cd04c7ea803efa68dd89b

Download Submit
C:\Windows\SysWOW64\Egebjmdn.exe

Filesize
80KB

MD5
dea5b03304504a6fcf7672b325a7faa9

SHA1
4014d15b0cb4a6b32e3ee81d5d40eb89193cc72d

SHA256
1f1e1b548a2421a304be100dd0fce92b7a3b1d4bbc98394d84e1b7a28ac9da9e

SHA512
939304229c60f83e0994bb86957ae83f64ee89ede0e4c36d7d2d8e00332d5c24ab123efb10e474958410a7b76309ef0ecdf404aeec3eacd650b5a899b5ee9051

Download Submit
C:\Windows\SysWOW64\Egpena32.exe

Filesize
80KB

MD5
a420dda318a0a6de5449a96d879985ed

SHA1
90abec4008597c047b94b6c4f1f4721a202750fd

SHA256
935b4846102351d334d18c3352f0abde26304e36b65733dd5abd60694a92592a

SHA512
a53d3c717b1fbc83b0a3e7f8ea8be309b0332c36538834498712f8d694ec8ad797c91d1210cecf65ce5b3bcc0d16d4218f5d62887b03ec3ec9ad8a36b8e7b7e0

Download Submit
C:\Windows\SysWOW64\Eifobe32.exe

Filesize
80KB

MD5
f2037280ce3150de0b9bdca9e3c80f1e

SHA1
874a0805aad0f95f32b3b845f6ca424f23121902

SHA256
c379711c2daef1b9e5e5668202f6cb4c9fd681e46bf0f8557a56dc666208f496

SHA512
50cac7b39df271fcac0218a9d6b89664e5b320d4da7c8a569ccd7812ce5824485f6877bb85b5ee015114a9d4aec7736aeda31cda77038f1ac2d9010da595a0bb

Download Submit
C:\Windows\SysWOW64\Ekghcq32.exe

Filesize
80KB

MD5
da12c9a2349d71a90b347b5626505546

SHA1
fff386756b4f6a6f1aad07dd3cec1225fa013c98

SHA256
8eb78175b7cbeb69afbf9621a009eaee010f1d03047019689a66cd95882f6875

SHA512
7fa9ffcfc2db78e3f4c5fc8d2edebb38c8929b48eedf084e48e3640c23181874b3787594c4a6eeb95455889906494eac134a434f08a59ed935b866db7d2cfd45

Download Submit
C:\Windows\SysWOW64\Elieipej.exe

Filesize
80KB

MD5
701b3a1da2f31ababf32f8c47391c208

SHA1
35c24c278137162e12a1437566bc2517c4ec7a2b

SHA256
760d2d7fa01cf32a0a1c71463cb41e7d27ad23b91ffa16d9d1ae8dbaf7c1d22f

SHA512
911030f70fc31620de3fcad93722f4975d996ce93f6e135d41c126334cd98bcd48ac594f33eecacd21a9b4634eaf2504895c0ca28f0f24a85059f8e04134d4bc

Download Submit
C:\Windows\SysWOW64\Emgdmc32.exe

Filesize
80KB

MD5
805299abffb52361cb87cc00ff918cf7

SHA1
c8deb8de9742d1e0ee05f05e9408d0b4f096b19b

SHA256
997873f755e29e487720d9b79b14b378fb1b07a20212516f4d2c63388075e187

SHA512
e8a56f1791f66c2002a3c4e0ab5f842530a28fa51d0e2f95bb7d0f89184b95ff53293d9978bc13eb6b41e04ced8addf95394a74fc6ec6f06c93b49f90f4cbbf1

Download Submit
C:\Windows\SysWOW64\Enmnahnm.exe

Filesize
80KB

MD5
dfc79cc10ab79e28cec47a0d106a3632

SHA1
32b7365ec3a67a4860c6a601e730ce16117c851a

SHA256
ffa0de6e4487b0169eaa404b47fb21b3b8167609e9d6dc3b024c372d56062a67

SHA512
52cfa35a27731adbfe817157e1e9410dfd992a25c79be070c20cc6d73118ab535da6a729b96ea5f9654207cd76a75c0f3630edd04d935b00bf2f74eddee23f19

Download Submit
C:\Windows\SysWOW64\Epcddopf.exe

Filesize
80KB

MD5
b6ade2b9c2b930903667bef2d79dee0f

SHA1
32ac9f3a5b74447530aa7e1e4c272e2b7884517d

SHA256
144499a3a72427e777b5534a7d28a8bf5de2f00cc19f587f1a2212cd718ea54c

SHA512
7686d3b734c4b33eca0e4626387dc10bb3dbb5251e09d818c09fa7df917b0b93dda88286fddb00891865126e9dd90b5c675311efc7c3364b06d60f7aeafaeb6e

Download Submit
C:\Windows\SysWOW64\Eqkjmcmq.exe

Filesize
80KB

MD5
df9ee7aecae9f43803b17e95109ca01d

SHA1
1c236208a2297dc7227d9c7c9b226fcbae6a01c9

SHA256
13186013ba8a077601fae700672c6e09fa76330f36197014493cf3ee01369b3a

SHA512
3abd539b6647e33747c64bdb51a97c8fea62563f15fce9bf4136d7a92623ec9dd7326a7f39efddbd64fb00bfb7aacf422e36ef1906b1433472c24116ea3a45e5

Download Submit
C:\Windows\SysWOW64\Eqngcc32.exe

Filesize
80KB

MD5
1f21139dd72d0bf51a9851b519b969dd

SHA1
0d9c5e1aef5691dd5f8c1130d77f7c8d0753be54

SHA256
a0b4ca52b66641bcf96788a9e66cc7bd1535ff77d295df325ab25c8d50a4bb47

SHA512
b348ea2a48fbf7f7ad3cb0220f9cc589454c75ac2105acbb88cae2a9bb175f8fae3d2b8bd1f5e28a1d4fa347499fbc5b32d533b9d825681eb7b7684a715d89cc

Download Submit
C:\Windows\SysWOW64\Faijggao.exe

Filesize
80KB

MD5
b0bd1a5eb00b274705d4ad191d838299

SHA1
634b1a09879820fe25e3c85ba7c5e5d4f6939c04

SHA256
aae363c30a18199a84d5f7cb1d6b177ebaa256833bd282095ede34dd8e2b5489

SHA512
bfa28bdc25343a2b05c63338cc5c03f7f3a5745251d9db34d32ca55178a2379f5904635a2fa3faa08d16aab7a991824e162ff23ff710b4f4755df75f7a2fc2e6

Download Submit
C:\Windows\SysWOW64\Fedfgejh.exe

Filesize
80KB

MD5
b7be61d162d6f156660c4e9fe6fdeb16

SHA1
f1115d3d12280aa246147bfccafb70f3d331ce94

SHA256
126223e79de50e9ae42409b3558c6ea1016022cce998bf34c3fa650c21b16470

SHA512
807d74b49c0a756d1a508dc91c4f571104e67eee638776e796baebcf714929f9b9127054a165c331323ec82c21aa44cfdb51089a6cbc9556663e57901370da00

Download Submit
C:\Windows\SysWOW64\Fhbbcail.exe

Filesize
80KB

MD5
37e733e6a9871551f374170d9be8b82f

SHA1
dd905d2282160390b3d4ec3cc65faa7da3ea7c0b

SHA256
4b0f66456a9a75e9b8d6b7c23cdca5b705ddd62fd9b6b5a7d6e115e5d124aab0

SHA512
4a644d9ffcccaa4ba8a5daf3eeeaa87ff5851ad4bf65c3224fcaebae93dd0d35bfef6c598ea22faa871870dfd34d9512328d940552267779f28d7c2d8a621b84

Download Submit
C:\Windows\SysWOW64\Fllaopcg.exe

Filesize
80KB

MD5
0a4d751e5d0df6f47fbea036e8bfdd04

SHA1
ccdd3108c4c783a7a3ea0d0b57026438415c6d82

SHA256
766ec8e22cc2b95cf37772b3cb514a9013d86cc5184ac7fc4f0ee336b9a96e05

SHA512
5bb6c10f5c1c13e0c733d102008eb6bcaaabaa8868a11a57914ae4f633ef630f30323dd1ae94edf712fb29026d042a7f2f29a3488a25fd2da9d20eed107dce8c

Download Submit
C:\Windows\SysWOW64\Flnndp32.exe

Filesize
80KB

MD5
f33ef7ccc94be3dcc6d6b2f5408254cb

SHA1
5b9024c97b471de06ff2d48d26ef72e0140e5e7c

SHA256
b528d43ad9f3d790594054d433793ed21c8daf1f7d2f74dfc5044e956151a935

SHA512
38323dd235b385a940070b32b222fa9d6ef2ac197d5a70a454a20d8e2f80f3fed360f7c8498b2d1f9771cc53765a5b9dc55195c5a6825fbfca44e2e7b636a65b

Download Submit
C:\Windows\SysWOW64\Fnjnkkbk.exe

Filesize
80KB

MD5
f8640ff8f5757fcc4a2bde888d4bc69f

SHA1
6dc6a07453998c3f115e605b818df3f8d3c705df

SHA256
c272b8879b5c8fc2ff8be2f74b90190ebdcb22b59ce4c705c535a86fdce669d7

SHA512
6fa48c0e1c515d53c4a7935dbb8190f0583476f0f00f4d1d98d5a31273c2547d1c57205875c155a4ac348a579423aa26bd0bc152107d1dbdc01b280d321066e6

Download Submit
C:\Windows\SysWOW64\Fpgnoo32.exe

Filesize
80KB

MD5
152642e2698b972029df95699ca2546b

SHA1
c552647927bab5cfcdfc8b9649c6cad614bd1830

SHA256
c000652b39ed1ebec700279005f487cf0109af6f0a42c521ca200de69688f80c

SHA512
1d677fa4832ba9cb58563b19c5bb2c0398280da9322eb464cef206f78fa82718a3e37f5b1f15a99821542f98fba0588429ba0233ecbbc03b6dfe6530b509332a

Download Submit
\Windows\SysWOW64\Bakaaepk.exe

Filesize
80KB

MD5
316058ff1dc4cf20b3642553ae64b3dc

SHA1
c03ec44dc864e887c7ff1d58c857cea8266ca900

SHA256
a234a4146aac28b0261f8e2a40039677974490cb5064619500098e3ae5d9b663

SHA512
56072cf44dfd4aa41d7c9eb4f8c26115e4c31c14295891c329d46904bec455e4fec6fa493a4f324847bf20d958508371dea5fb9df74ef33c3b2663d5e591fbf1

Download Submit
\Windows\SysWOW64\Ccgnelll.exe

Filesize
80KB

MD5
f78235e7ce2fbd68af19e354be8cf624

SHA1
c3489e742845df75c8a0d85f42fd0fba873799d8

SHA256
50a21f5231c49ca21b888d1e0add8111a7481066de07feea2814eb161c186af3

SHA512
3210eb94f1dd8bb35d25737a0182fe95ff5f8305cfdce37a614af17e848d94209b634d7fb1fbecbcace04c7c71e772bb20c5b2db4cc8c1f4ebc9cdd5e3d65c52

Download Submit
\Windows\SysWOW64\Ccqhdmbc.exe

Filesize
80KB

MD5
534ce8a636559f9a42b6ee2ed7a7f316

SHA1
3a9f6c0566dfe8528e9ca343353328345d0d56c8

SHA256
b6afad61f68ef3dfe48638eb03359a266c32715f604cdfbfdb019ccfe4ca4102

SHA512
3faaad383ca08cd7752a3fa02911862b0f17b98ac582288d225b6d9bccb98e6d1d677bffafd7023630189e908ffbf550a6a5f592c71aa521f868e880bd2740ae

Download Submit
\Windows\SysWOW64\Cdkkcp32.exe

Filesize
80KB

MD5
e32d71e39ab227c053be12e168ed0cbf

SHA1
add65874b2c7e53d4b82c52f6d6b5055c0fdb07d

SHA256
ff9e0fb24b061910c1d4c3f2ac3fd0481fb66a947c989a2be215797f3ebe037d

SHA512
818dbadc9607d6bd248e3e15af76240c5791669021b0bfe1dcbf528a5c48dfe3d70163f01e28559c66aa708d7c599f221c4add80ff4f804fe98b6e0a1716af51

Download Submit
\Windows\SysWOW64\Cfaqfh32.exe

Filesize
80KB

MD5
67145c0a41d21e6a3af73daad996aeec

SHA1
ffb114a13112c549db39e34e62944f1e6415ab1f

SHA256
31d88c42f22afeb769af9b14ce0213ec70b0c3ec33edaf134d22c60dbeacedca

SHA512
8ab99205f8a7e8bc795e823b37ed6914dff0d3a5aa97c7e5e5836f9271ea7465cbbc3f3c18290b85aba2a2eec46016c6474af2c5d5464304851464d9b447ae7a

Download Submit
\Windows\SysWOW64\Cgqmpkfg.exe

Filesize
80KB

MD5
ef3c39b87f2d48dbc10efdc8781bb0e9

SHA1
0dbfd0b406314b3a730ea1b7f88d91c4bf8934d8

SHA256
0fd45490de4defb547343ecfc206ec23d726a9492691cb19c5cdc21b32d85651

SHA512
f65fcf6b9d4e22d7842f1b158eb476d5c88e4edbf9435fe0776a36bc718b0e98be73a0df4cfbf52988937c0bbdf950570c0f43f7908be4d2a2da777a27a92897

Download Submit
\Windows\SysWOW64\Chbihc32.exe

Filesize
80KB

MD5
c6f938f0a347141a3aaef308ac51cd71

SHA1
67cde945e84c4c026d5a8687905b27c17c0fed17

SHA256
262863fdf9a36a43d6effff45dbcc7e72203185b48e25cc4945546688ee1c3aa

SHA512
8c4e4aa61ef34d3ab4160e32104fd08762f6e9a03a1b44e24612c091fc261f4f9af1c9678f9d7b26afe251cf2c882a88ee5b245b21da6058b2ae1c413c124c11

Download Submit
\Windows\SysWOW64\Cjhckg32.exe

Filesize
80KB

MD5
e335a68ba3171ede1804f29b65e4c4c8

SHA1
0c4755c497b859625802dece2eacd174ba8ba0ae

SHA256
4451dc11bd3ca040a13276ce832a3413ebd1d940359e4cb4147c9e8b516a3214

SHA512
0da53598ea1fb267b8b31dddb3a8690ce29e9cd92305ded343080582668ee4eb56925db334b4e8fb2aeadcd7a252243a61dedbefb6a37f7e86a999fc84cce284

Download Submit
\Windows\SysWOW64\Cnabffeo.exe

Filesize
80KB

MD5
dc9617a8136770f46dfe731a29088cad

SHA1
d44636610d65205170953f3e19f8563117e0aad7

SHA256
9db98efcfe84b63a9f1238abdb582f1a393bfae8ae7ab2876e5638ac95d98782

SHA512
e6c07778954f17660c2c59f185d8288cd07e8ac13217686dbfb4f1029a1a072f7ab2abade5e8c9a7ac7cf8d45da02ac8affb8120f5efd46e83c9e2d559cce52d

Download Submit
\Windows\SysWOW64\Cnflae32.exe

Filesize
80KB

MD5
0c94f022a457b941d6f33901577d59d8

SHA1
c69cfd1c218d8bfd9ff8de3cb930e80944e96253

SHA256
d283f020b410992d0d88db566d1bc25d54ada727929dd10dbefc0b2d39bdaede

SHA512
4c49737eeff89973760906676cccb605a29472a27bb7fcca3cd5d55b80851b47cc2302d2d5db53f866771abd04f0cad416c178fc3a5ec2c2ad200111effc7b32

Download Submit
\Windows\SysWOW64\Cnhhge32.exe

Filesize
80KB

MD5
d4dc5b0873c02d7002a7e716780b00e0

SHA1
be7d56c2d4a55aea9c832e2e06a69475bfff0fe2

SHA256
5f73632e8a1b2e4f30d02844e0e37955fdef91db3cdafd200c769aa9b69487a3

SHA512
42703bb24ade6074f208e6634f1224bc9e94363e593d9a83b436eea6c6bce64266f10ef87569bc24d80bf25f08db7ef018159f5fa5ea786eeb7fd163e411e3f9

Download Submit
\Windows\SysWOW64\Cojeomee.exe

Filesize
80KB

MD5
bf86b7b6b86faac9814797a58921a5b5

SHA1
4959497af895be3214875800a7e826541292a428

SHA256
1e99b38fb57e2b6108fc796747f8980cfad79a1a8dbf707576c58318799bd672

SHA512
98790b7abe3d767fbb76eb176539cf0536fe78cce8383fa9bd4738b3292bef8033ef0764ba132b25a11652989cfb71dca2793994fc1547bf336102117feb9881

Download Submit
\Windows\SysWOW64\Cpdhna32.exe

Filesize
80KB

MD5
3ab5e8ab22ca4df1380c59a65b89f22f

SHA1
b5ff3d65fb8870de76b596f2b38f35e293b42795

SHA256
72ab59a58cf6f55ac0dfa9130a12a05b3f1e1318d08815aff8046355f6a0e345

SHA512
c7739f950eef9a71b113028bb64cc265664e6a42a18ef4edbfa7e03af62dbd0ccfb5239459f1086a90fc61305767da294c0748df075a5b9d675300b0bce7142a

Download Submit
\Windows\SysWOW64\Cpiaipmh.exe

Filesize
80KB

MD5
cfeafe2c18c4ad9ef3b2fb7671894013

SHA1
b474e67150853893cd13417654e633b6dabe81eb

SHA256
f3baa9dd5dacc5e34b1bf0fbdf307a41cbf65c74707597c76b2da4c2f16a1d9d

SHA512
562b560604212903eeba85374150ea6910e957e25e779d34e1f88a235484604f5444284ae1ba4a6007f7c86dad334fb50788b7183b7801143143018400f4cb01

Download Submit
memory/432-366-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/444-419-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/444-102-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/444-94-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/540-180-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/540-172-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/540-508-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/596-449-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/596-450-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/596-451-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/700-408-0x0000000001F70000-0x0000000001FA5000-memory.dmp

Filesize
212KB

Download
memory/700-402-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/780-513-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/780-514-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/920-495-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/960-474-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/996-493-0x00000000002F0000-0x0000000000325000-memory.dmp

Filesize
212KB

Download
memory/996-488-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1212-359-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1316-527-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1336-397-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1336-67-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1336-386-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1336-75-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1640-295-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1640-299-0x00000000002F0000-0x0000000000325000-memory.dmp

Filesize
212KB

Download
memory/1648-231-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1688-494-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1712-433-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1712-437-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/1808-258-0x00000000005D0000-0x0000000000605000-memory.dmp

Filesize
212KB

Download
memory/1904-279-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1904-289-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1904-288-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1956-387-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1956-396-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1976-265-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1976-259-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1980-516-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1980-525-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/2132-469-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2132-473-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2152-219-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2160-344-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2160-12-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2160-11-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2160-332-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2160-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2256-277-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2256-278-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2260-420-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2304-305-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2304-300-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2304-310-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2332-193-0x00000000002F0000-0x0000000000325000-memory.dmp

Filesize
212KB

Download
memory/2332-515-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2352-418-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2352-409-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2360-154-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2360-483-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2384-128-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/2384-438-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2384-120-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2392-315-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2392-320-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/2392-321-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/2436-199-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2436-207-0x00000000005D0000-0x0000000000605000-memory.dmp

Filesize
212KB

Download
memory/2436-532-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2504-452-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2504-462-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2504-463-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2536-377-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2584-343-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2588-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2588-48-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2588-376-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2600-59-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2700-354-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2700-365-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2700-14-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2700-22-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2716-342-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2716-337-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2716-349-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2736-246-0x00000000002F0000-0x0000000000325000-memory.dmp

Filesize
212KB

Download
memory/2736-240-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2740-461-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2740-141-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download
memory/2844-375-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2844-361-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2860-322-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2860-328-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2972-92-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2972-407-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3008-429-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads