3b8558afa7a3529759e82abae6e68f79ebf02f0cf224fcd59f1711255a2b7aad

Analysis

max time kernel
33s
max time network
18s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/09/2024, 20:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3b8558afa7a3529759e82abae6e68f79ebf02f0cf224fcd59f1711255a2b7aad.exe
Size

94KB
MD5

34c0c8875d44786895d6fc463519f582
SHA1

70b0bc1569b5e7598479aa432f9a32faaadb1f17
SHA256

3b8558afa7a3529759e82abae6e68f79ebf02f0cf224fcd59f1711255a2b7aad
SHA512

267815d1ee3c72fe9f805c0a66b3fc4bf06b07c95189ba7e5caa956948856c0cb839c7feec8b0029b492679a6b9ad3001ff4dc4b750f649f6408cd9a4e5b61b0
SSDEEP

1536:ZfzVbLLaInXYqbUdhnjNsgD2LHVNMQ262AjCsQ2PCZZrqOlNfVSLUKkJr4:9zR/aIXYqAdhnBxgHHMQH2qC7ZQOlzSZ

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkqiek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgnminke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	3b8558afa7a3529759e82abae6e68f79ebf02f0cf224fcd59f1711255a2b7aad.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eikimeff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnhhge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnhefh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Epeajo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cncolfcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cncolfcl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbadagln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eclcon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efjpkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekghcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eikimeff.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djafaf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkbbinig.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eifobe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bimphc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckecpjdh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Faijggao.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnabffeo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjjpag32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccgnelll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddkgbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dochelmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egebjmdn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bahelebm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmmbge32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epnkip32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epqgopbi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eclcon32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejfllhao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhiphb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efjpkj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eiilge32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bakaaepk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cccdjl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgqion32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cojeomee.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dqddmd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eebibf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddkgbc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecgjdong.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eifobe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dboglhna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnckki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccgnelll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efffpjmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bahelebm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgqmpkfg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhiphb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efffpjmk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3b8558afa7a3529759e82abae6e68f79ebf02f0cf224fcd59f1711255a2b7aad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dlpbna32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnhefh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Empomd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Embkbdce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecnpdnho.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epeajo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjjpag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dboglhna.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Embkbdce.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecnpdnho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bggjjlnb.exe

Executes dropped EXE 53 IoCs

pid	Process
2696	Bimphc32.exe
2760	Bahelebm.exe
2092	Bkqiek32.exe
2600	Bakaaepk.exe
3004	Bggjjlnb.exe
408	Cnabffeo.exe
2848	Ckecpjdh.exe
2168	Cncolfcl.exe
2896	Cjjpag32.exe
2772	Cccdjl32.exe
1176	Cnhhge32.exe
1668	Cojeomee.exe
2080	Cgqmpkfg.exe
2960	Chbihc32.exe
1648	Ccgnelll.exe
956	Djafaf32.exe
1940	Dlpbna32.exe
1676	Dkbbinig.exe
1760	Dbmkfh32.exe
2408	Ddkgbc32.exe
1000	Dnckki32.exe
2452	Dboglhna.exe
628	Dhiphb32.exe
1296	Dochelmj.exe
2652	Dbadagln.exe
2840	Dqddmd32.exe
3000	Dgnminke.exe
1524	Dnhefh32.exe
2940	Dgqion32.exe
2064	Dmmbge32.exe
2584	Ecgjdong.exe
1764	Efffpjmk.exe
2888	Empomd32.exe
2616	Epnkip32.exe
2148	Egebjmdn.exe
2040	Eifobe32.exe
2028	Embkbdce.exe
2416	Epqgopbi.exe
1780	Eclcon32.exe
2100	Efjpkj32.exe
2136	Ejfllhao.exe
2436	Eiilge32.exe
856	Emdhhdqb.exe
1564	Ekghcq32.exe
2972	Ecnpdnho.exe
2484	Ebappk32.exe
688	Eikimeff.exe
2744	Epeajo32.exe
2016	Eebibf32.exe
1592	Fllaopcg.exe
3060	Fpgnoo32.exe
808	Faijggao.exe
2160	Flnndp32.exe

Loads dropped DLL 64 IoCs

pid	Process
2372	3b8558afa7a3529759e82abae6e68f79ebf02f0cf224fcd59f1711255a2b7aad.exe
2372	3b8558afa7a3529759e82abae6e68f79ebf02f0cf224fcd59f1711255a2b7aad.exe
2696	Bimphc32.exe
2696	Bimphc32.exe
2760	Bahelebm.exe
2760	Bahelebm.exe
2092	Bkqiek32.exe
2092	Bkqiek32.exe
2600	Bakaaepk.exe
2600	Bakaaepk.exe
3004	Bggjjlnb.exe
3004	Bggjjlnb.exe
408	Cnabffeo.exe
408	Cnabffeo.exe
2848	Ckecpjdh.exe
2848	Ckecpjdh.exe
2168	Cncolfcl.exe
2168	Cncolfcl.exe
2896	Cjjpag32.exe
2896	Cjjpag32.exe
2772	Cccdjl32.exe
2772	Cccdjl32.exe
1176	Cnhhge32.exe
1176	Cnhhge32.exe
1668	Cojeomee.exe
1668	Cojeomee.exe
2080	Cgqmpkfg.exe
2080	Cgqmpkfg.exe
2960	Chbihc32.exe
2960	Chbihc32.exe
1648	Ccgnelll.exe
1648	Ccgnelll.exe
956	Djafaf32.exe
956	Djafaf32.exe
1940	Dlpbna32.exe
1940	Dlpbna32.exe
1676	Dkbbinig.exe
1676	Dkbbinig.exe
1760	Dbmkfh32.exe
1760	Dbmkfh32.exe
2408	Ddkgbc32.exe
2408	Ddkgbc32.exe
1000	Dnckki32.exe
1000	Dnckki32.exe
2452	Dboglhna.exe
2452	Dboglhna.exe
628	Dhiphb32.exe
628	Dhiphb32.exe
1296	Dochelmj.exe
1296	Dochelmj.exe
2652	Dbadagln.exe
2652	Dbadagln.exe
2840	Dqddmd32.exe
2840	Dqddmd32.exe
3000	Dgnminke.exe
3000	Dgnminke.exe
1524	Dnhefh32.exe
1524	Dnhefh32.exe
2940	Dgqion32.exe
2940	Dgqion32.exe
2064	Dmmbge32.exe
2064	Dmmbge32.exe
2584	Ecgjdong.exe
2584	Ecgjdong.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Elfkmcdp.dll	Dnhefh32.exe
File created	C:\Windows\SysWOW64\Epnkip32.exe	Empomd32.exe
File opened for modification	C:\Windows\SysWOW64\Ekghcq32.exe	Emdhhdqb.exe
File created	C:\Windows\SysWOW64\Dilmaf32.dll	Bahelebm.exe
File created	C:\Windows\SysWOW64\Kmcjeh32.dll	Ckecpjdh.exe
File created	C:\Windows\SysWOW64\Acnkmfoc.dll	Cnhhge32.exe
File created	C:\Windows\SysWOW64\Inhcgajk.dll	Dlpbna32.exe
File opened for modification	C:\Windows\SysWOW64\Dnckki32.exe	Ddkgbc32.exe
File opened for modification	C:\Windows\SysWOW64\Faijggao.exe	Fpgnoo32.exe
File opened for modification	C:\Windows\SysWOW64\Bahelebm.exe	Bimphc32.exe
File opened for modification	C:\Windows\SysWOW64\Dlpbna32.exe	Djafaf32.exe
File created	C:\Windows\SysWOW64\Dgqion32.exe	Dnhefh32.exe
File opened for modification	C:\Windows\SysWOW64\Egebjmdn.exe	Epnkip32.exe
File created	C:\Windows\SysWOW64\Ogadek32.dll	Efjpkj32.exe
File created	C:\Windows\SysWOW64\Eiilge32.exe	Ejfllhao.exe
File opened for modification	C:\Windows\SysWOW64\Cccdjl32.exe	Cjjpag32.exe
File created	C:\Windows\SysWOW64\Dochelmj.exe	Dhiphb32.exe
File created	C:\Windows\SysWOW64\Dqddmd32.exe	Dbadagln.exe
File created	C:\Windows\SysWOW64\Kabgha32.dll	Dqddmd32.exe
File opened for modification	C:\Windows\SysWOW64\Efffpjmk.exe	Ecgjdong.exe
File created	C:\Windows\SysWOW64\Ngbpoo32.dll	Epnkip32.exe
File opened for modification	C:\Windows\SysWOW64\Efjpkj32.exe	Eclcon32.exe
File opened for modification	C:\Windows\SysWOW64\Fllaopcg.exe	Eebibf32.exe
File opened for modification	C:\Windows\SysWOW64\Flnndp32.exe	Faijggao.exe
File created	C:\Windows\SysWOW64\Emdhhdqb.exe	Eiilge32.exe
File created	C:\Windows\SysWOW64\Bdohpb32.dll	Cnabffeo.exe
File opened for modification	C:\Windows\SysWOW64\Dboglhna.exe	Dnckki32.exe
File opened for modification	C:\Windows\SysWOW64\Dqddmd32.exe	Dbadagln.exe
File created	C:\Windows\SysWOW64\Diaalggp.dll	Dmmbge32.exe
File created	C:\Windows\SysWOW64\Mqpkpl32.dll	Embkbdce.exe
File created	C:\Windows\SysWOW64\Aeackjhh.dll	Ebappk32.exe
File created	C:\Windows\SysWOW64\Cnabffeo.exe	Bggjjlnb.exe
File created	C:\Windows\SysWOW64\Gmaonc32.dll	Ddkgbc32.exe
File created	C:\Windows\SysWOW64\Ecgjdong.exe	Dmmbge32.exe
File created	C:\Windows\SysWOW64\Empomd32.exe	Efffpjmk.exe
File created	C:\Windows\SysWOW64\Eifobe32.exe	Egebjmdn.exe
File created	C:\Windows\SysWOW64\Bahelebm.exe	Bimphc32.exe
File opened for modification	C:\Windows\SysWOW64\Cjjpag32.exe	Cncolfcl.exe
File opened for modification	C:\Windows\SysWOW64\Djafaf32.exe	Ccgnelll.exe
File created	C:\Windows\SysWOW64\Mgnedp32.dll	Epqgopbi.exe
File opened for modification	C:\Windows\SysWOW64\Fpgnoo32.exe	Fllaopcg.exe
File created	C:\Windows\SysWOW64\Bafmhm32.dll	Djafaf32.exe
File created	C:\Windows\SysWOW64\Hehaja32.dll	Emdhhdqb.exe
File opened for modification	C:\Windows\SysWOW64\Ecnpdnho.exe	Ekghcq32.exe
File created	C:\Windows\SysWOW64\Dbmkfh32.exe	Dkbbinig.exe
File opened for modification	C:\Windows\SysWOW64\Eifobe32.exe	Egebjmdn.exe
File opened for modification	C:\Windows\SysWOW64\Epqgopbi.exe	Embkbdce.exe
File created	C:\Windows\SysWOW64\Eccjdobp.dll	Ejfllhao.exe
File opened for modification	C:\Windows\SysWOW64\Bimphc32.exe	3b8558afa7a3529759e82abae6e68f79ebf02f0cf224fcd59f1711255a2b7aad.exe
File opened for modification	C:\Windows\SysWOW64\Dbadagln.exe	Dochelmj.exe
File opened for modification	C:\Windows\SysWOW64\Eclcon32.exe	Epqgopbi.exe
File created	C:\Windows\SysWOW64\Kfadkk32.dll	Fpgnoo32.exe
File created	C:\Windows\SysWOW64\Idcoaaei.dll	3b8558afa7a3529759e82abae6e68f79ebf02f0cf224fcd59f1711255a2b7aad.exe
File created	C:\Windows\SysWOW64\Ckecpjdh.exe	Cnabffeo.exe
File created	C:\Windows\SysWOW64\Fcphaglh.dll	Dnckki32.exe
File opened for modification	C:\Windows\SysWOW64\Embkbdce.exe	Eifobe32.exe
File created	C:\Windows\SysWOW64\Faijggao.exe	Fpgnoo32.exe
File created	C:\Windows\SysWOW64\Ihbldk32.dll	Chbihc32.exe
File created	C:\Windows\SysWOW64\Eebibf32.exe	Epeajo32.exe
File created	C:\Windows\SysWOW64\Cnhhge32.exe	Cccdjl32.exe
File created	C:\Windows\SysWOW64\Dnhefh32.exe	Dgnminke.exe
File opened for modification	C:\Windows\SysWOW64\Dgqion32.exe	Dnhefh32.exe
File created	C:\Windows\SysWOW64\Eclcon32.exe	Epqgopbi.exe
File created	C:\Windows\SysWOW64\Fpkljm32.dll	Eebibf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1160	2160	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 54 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egebjmdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Embkbdce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bimphc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbadagln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecgjdong.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cojeomee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnhefh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eiilge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eikimeff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckecpjdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cncolfcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddkgbc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejfllhao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Emdhhdqb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebappk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epeajo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnhhge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djafaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dochelmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epnkip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecnpdnho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlpbna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgnminke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnabffeo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmmbge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flnndp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chbihc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkbbinig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eifobe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eebibf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkqiek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjjpag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efffpjmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhiphb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bakaaepk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bggjjlnb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Empomd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Faijggao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bahelebm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dqddmd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekghcq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efjpkj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbmkfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dboglhna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgqion32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cccdjl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccgnelll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b8558afa7a3529759e82abae6e68f79ebf02f0cf224fcd59f1711255a2b7aad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fllaopcg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eclcon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fpgnoo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgqmpkfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnckki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epqgopbi.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbaajccm.dll"	Dbadagln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eebibf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cccdjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cncolfcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Empomd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmcjeh32.dll"	Ckecpjdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmmbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgnedp32.dll"	Epqgopbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Emdhhdqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fpgnoo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chbihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnbppmob.dll"	Dkbbinig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eomohejp.dll"	Eikimeff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bimphc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkbbinig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddkgbc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnckki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Egebjmdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	3b8558afa7a3529759e82abae6e68f79ebf02f0cf224fcd59f1711255a2b7aad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgnminke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ekghcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpkljm32.dll"	Eebibf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Emdhhdqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhibidgh.dll"	Efffpjmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eclcon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejfllhao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecnpdnho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebappk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebappk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efffpjmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlpfci32.dll"	Dboglhna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnhefh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehaja32.dll"	Emdhhdqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dbmkfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccgnelll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilpcfn32.dll"	Ecgjdong.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngbpoo32.dll"	Epnkip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Embkbdce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eiilge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckecpjdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgqmpkfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dqddmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Epqgopbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejfllhao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kecfmlgq.dll"	Cojeomee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnabffeo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dochelmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okobem32.dll"	Dgnminke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnhefh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Efffpjmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eifobe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fllaopcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bakaaepk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baboljno.dll"	Dbmkfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dbadagln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diaalggp.dll"	Dmmbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihbldk32.dll"	Chbihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bggjjlnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkbbinig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcphaglh.dll"	Dnckki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhejoigh.dll"	Dochelmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eiilge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkqiek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnhhge32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2696	2372	3b8558afa7a3529759e82abae6e68f79ebf02f0cf224fcd59f1711255a2b7aad.exe	30
PID 2372 wrote to memory of 2696	2372	3b8558afa7a3529759e82abae6e68f79ebf02f0cf224fcd59f1711255a2b7aad.exe	30
PID 2372 wrote to memory of 2696	2372	3b8558afa7a3529759e82abae6e68f79ebf02f0cf224fcd59f1711255a2b7aad.exe	30
PID 2372 wrote to memory of 2696	2372	3b8558afa7a3529759e82abae6e68f79ebf02f0cf224fcd59f1711255a2b7aad.exe	30
PID 2696 wrote to memory of 2760	2696	Bimphc32.exe	31
PID 2696 wrote to memory of 2760	2696	Bimphc32.exe	31
PID 2696 wrote to memory of 2760	2696	Bimphc32.exe	31
PID 2696 wrote to memory of 2760	2696	Bimphc32.exe	31
PID 2760 wrote to memory of 2092	2760	Bahelebm.exe	32
PID 2760 wrote to memory of 2092	2760	Bahelebm.exe	32
PID 2760 wrote to memory of 2092	2760	Bahelebm.exe	32
PID 2760 wrote to memory of 2092	2760	Bahelebm.exe	32
PID 2092 wrote to memory of 2600	2092	Bkqiek32.exe	33
PID 2092 wrote to memory of 2600	2092	Bkqiek32.exe	33
PID 2092 wrote to memory of 2600	2092	Bkqiek32.exe	33
PID 2092 wrote to memory of 2600	2092	Bkqiek32.exe	33
PID 2600 wrote to memory of 3004	2600	Bakaaepk.exe	34
PID 2600 wrote to memory of 3004	2600	Bakaaepk.exe	34
PID 2600 wrote to memory of 3004	2600	Bakaaepk.exe	34
PID 2600 wrote to memory of 3004	2600	Bakaaepk.exe	34
PID 3004 wrote to memory of 408	3004	Bggjjlnb.exe	35
PID 3004 wrote to memory of 408	3004	Bggjjlnb.exe	35
PID 3004 wrote to memory of 408	3004	Bggjjlnb.exe	35
PID 3004 wrote to memory of 408	3004	Bggjjlnb.exe	35
PID 408 wrote to memory of 2848	408	Cnabffeo.exe	36
PID 408 wrote to memory of 2848	408	Cnabffeo.exe	36
PID 408 wrote to memory of 2848	408	Cnabffeo.exe	36
PID 408 wrote to memory of 2848	408	Cnabffeo.exe	36
PID 2848 wrote to memory of 2168	2848	Ckecpjdh.exe	37
PID 2848 wrote to memory of 2168	2848	Ckecpjdh.exe	37
PID 2848 wrote to memory of 2168	2848	Ckecpjdh.exe	37
PID 2848 wrote to memory of 2168	2848	Ckecpjdh.exe	37
PID 2168 wrote to memory of 2896	2168	Cncolfcl.exe	38
PID 2168 wrote to memory of 2896	2168	Cncolfcl.exe	38
PID 2168 wrote to memory of 2896	2168	Cncolfcl.exe	38
PID 2168 wrote to memory of 2896	2168	Cncolfcl.exe	38
PID 2896 wrote to memory of 2772	2896	Cjjpag32.exe	39
PID 2896 wrote to memory of 2772	2896	Cjjpag32.exe	39
PID 2896 wrote to memory of 2772	2896	Cjjpag32.exe	39
PID 2896 wrote to memory of 2772	2896	Cjjpag32.exe	39
PID 2772 wrote to memory of 1176	2772	Cccdjl32.exe	40
PID 2772 wrote to memory of 1176	2772	Cccdjl32.exe	40
PID 2772 wrote to memory of 1176	2772	Cccdjl32.exe	40
PID 2772 wrote to memory of 1176	2772	Cccdjl32.exe	40
PID 1176 wrote to memory of 1668	1176	Cnhhge32.exe	41
PID 1176 wrote to memory of 1668	1176	Cnhhge32.exe	41
PID 1176 wrote to memory of 1668	1176	Cnhhge32.exe	41
PID 1176 wrote to memory of 1668	1176	Cnhhge32.exe	41
PID 1668 wrote to memory of 2080	1668	Cojeomee.exe	42
PID 1668 wrote to memory of 2080	1668	Cojeomee.exe	42
PID 1668 wrote to memory of 2080	1668	Cojeomee.exe	42
PID 1668 wrote to memory of 2080	1668	Cojeomee.exe	42
PID 2080 wrote to memory of 2960	2080	Cgqmpkfg.exe	43
PID 2080 wrote to memory of 2960	2080	Cgqmpkfg.exe	43
PID 2080 wrote to memory of 2960	2080	Cgqmpkfg.exe	43
PID 2080 wrote to memory of 2960	2080	Cgqmpkfg.exe	43
PID 2960 wrote to memory of 1648	2960	Chbihc32.exe	44
PID 2960 wrote to memory of 1648	2960	Chbihc32.exe	44
PID 2960 wrote to memory of 1648	2960	Chbihc32.exe	44
PID 2960 wrote to memory of 1648	2960	Chbihc32.exe	44
PID 1648 wrote to memory of 956	1648	Ccgnelll.exe	45
PID 1648 wrote to memory of 956	1648	Ccgnelll.exe	45
PID 1648 wrote to memory of 956	1648	Ccgnelll.exe	45
PID 1648 wrote to memory of 956	1648	Ccgnelll.exe	45

C:\Users\Admin\AppData\Local\Temp\3b8558afa7a3529759e82abae6e68f79ebf02f0cf224fcd59f1711255a2b7aad.exe
"C:\Users\Admin\AppData\Local\Temp\3b8558afa7a3529759e82abae6e68f79ebf02f0cf224fcd59f1711255a2b7aad.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\SysWOW64\Bimphc32.exe
  C:\Windows\system32\Bimphc32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\SysWOW64\Bahelebm.exe
    C:\Windows\system32\Bahelebm.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Windows\SysWOW64\Bkqiek32.exe
      C:\Windows\system32\Bkqiek32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2092
    - - C:\Windows\SysWOW64\Bakaaepk.exe
        
        C:\Windows\system32\Bakaaepk.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2600
      - C:\Windows\SysWOW64\Bggjjlnb.exe
        
        C:\Windows\system32\Bggjjlnb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\SysWOW64\Cnabffeo.exe
        
        C:\Windows\system32\Cnabffeo.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:408
        
        C:\Windows\SysWOW64\Ckecpjdh.exe
        
        C:\Windows\system32\Ckecpjdh.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\SysWOW64\Cncolfcl.exe
        
        C:\Windows\system32\Cncolfcl.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\Cjjpag32.exe
        
        C:\Windows\system32\Cjjpag32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\SysWOW64\Cccdjl32.exe
        
        C:\Windows\system32\Cccdjl32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\SysWOW64\Cnhhge32.exe
        
        C:\Windows\system32\Cnhhge32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1176
        
        C:\Windows\SysWOW64\Cojeomee.exe
        
        C:\Windows\system32\Cojeomee.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\SysWOW64\Cgqmpkfg.exe
        
        C:\Windows\system32\Cgqmpkfg.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\SysWOW64\Chbihc32.exe
        
        C:\Windows\system32\Chbihc32.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\Ccgnelll.exe
        
        C:\Windows\system32\Ccgnelll.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\SysWOW64\Djafaf32.exe
        
        C:\Windows\system32\Djafaf32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:956
        
        C:\Windows\SysWOW64\Dlpbna32.exe
        
        C:\Windows\system32\Dlpbna32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1940
        
        C:\Windows\SysWOW64\Dkbbinig.exe
        
        C:\Windows\system32\Dkbbinig.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1676
        
        C:\Windows\SysWOW64\Dbmkfh32.exe
        
        C:\Windows\system32\Dbmkfh32.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1760
        
        C:\Windows\SysWOW64\Ddkgbc32.exe
        
        C:\Windows\system32\Ddkgbc32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2408
        
        C:\Windows\SysWOW64\Dnckki32.exe
        
        C:\Windows\system32\Dnckki32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1000
        
        C:\Windows\SysWOW64\Dboglhna.exe
        
        C:\Windows\system32\Dboglhna.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2452
        
        C:\Windows\SysWOW64\Dhiphb32.exe
        
        C:\Windows\system32\Dhiphb32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:628
        
        C:\Windows\SysWOW64\Dochelmj.exe
        
        C:\Windows\system32\Dochelmj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1296
        
        C:\Windows\SysWOW64\Dbadagln.exe
        
        C:\Windows\system32\Dbadagln.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2652
        
        C:\Windows\SysWOW64\Dqddmd32.exe
        
        C:\Windows\system32\Dqddmd32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2840
        
        C:\Windows\SysWOW64\Dgnminke.exe
        
        C:\Windows\system32\Dgnminke.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Dnhefh32.exe
        
        C:\Windows\system32\Dnhefh32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Dgqion32.exe
        
        C:\Windows\system32\Dgqion32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Windows\SysWOW64\Dmmbge32.exe
        
        C:\Windows\system32\Dmmbge32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2064
        
        C:\Windows\SysWOW64\Ecgjdong.exe
        
        C:\Windows\system32\Ecgjdong.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2584
        
        C:\Windows\SysWOW64\Efffpjmk.exe
        
        C:\Windows\system32\Efffpjmk.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1764
        
        C:\Windows\SysWOW64\Empomd32.exe
        
        C:\Windows\system32\Empomd32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2888
        
        C:\Windows\SysWOW64\Epnkip32.exe
        
        C:\Windows\system32\Epnkip32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2616
        
        C:\Windows\SysWOW64\Egebjmdn.exe
        
        C:\Windows\system32\Egebjmdn.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2148
        
        C:\Windows\SysWOW64\Eifobe32.exe
        
        C:\Windows\system32\Eifobe32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2040
        
        C:\Windows\SysWOW64\Embkbdce.exe
        
        C:\Windows\system32\Embkbdce.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\Epqgopbi.exe
        
        C:\Windows\system32\Epqgopbi.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2416
        
        C:\Windows\SysWOW64\Eclcon32.exe
        
        C:\Windows\system32\Eclcon32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1780
        
        C:\Windows\SysWOW64\Efjpkj32.exe
        
        C:\Windows\system32\Efjpkj32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Windows\SysWOW64\Ejfllhao.exe
        
        C:\Windows\system32\Ejfllhao.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2136
        
        C:\Windows\SysWOW64\Eiilge32.exe
        
        C:\Windows\system32\Eiilge32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2436
        
        C:\Windows\SysWOW64\Emdhhdqb.exe
        
        C:\Windows\system32\Emdhhdqb.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:856
        
        C:\Windows\SysWOW64\Ekghcq32.exe
        
        C:\Windows\system32\Ekghcq32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Ecnpdnho.exe
        
        C:\Windows\system32\Ecnpdnho.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\Ebappk32.exe
        
        C:\Windows\system32\Ebappk32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Eikimeff.exe
        
        C:\Windows\system32\Eikimeff.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:688
        
        C:\Windows\SysWOW64\Epeajo32.exe
        
        C:\Windows\system32\Epeajo32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2744
        
        C:\Windows\SysWOW64\Eebibf32.exe
        
        C:\Windows\system32\Eebibf32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\Fllaopcg.exe
        
        C:\Windows\system32\Fllaopcg.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Fpgnoo32.exe
        
        C:\Windows\system32\Fpgnoo32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3060
        
        C:\Windows\SysWOW64\Faijggao.exe
        
        C:\Windows\system32\Faijggao.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:808
        
        C:\Windows\SysWOW64\Flnndp32.exe
        
        C:\Windows\system32\Flnndp32.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2160
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 140
        55⤵
        Program crash
        
        PID:1160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cccdjl32.exe

Filesize
94KB

MD5
fe9a58730163f7cccd702220904816b2

SHA1
ccec3412846dfbc254697e1e8a1dc414e5a50089

SHA256
e277d88932c53ab60dced3ebdfc14d157fbe610315d7e8a525429ed770583fa2

SHA512
49730f78ed5635f477f874648dcf8cbd22da0205f9bc9ecfc9284f60691cac4989509bc9b10aa00e1c574b5669461ca01f10b236b3b76d82aa1dc3b1cbaa9751

Download Submit
C:\Windows\SysWOW64\Ccgnelll.exe

Filesize
94KB

MD5
2b83f441c5a8415d8e0243dd6aeeeab6

SHA1
b6a189acc01c9fbac0f410b60173b742d7f12a06

SHA256
15b53a7a3f6df41dcaad8af133ee3f35a294da767ef74c6ce350d44e7367daa4

SHA512
6e6db9b76fb32c3ee167860521a3675b4f5262d4aa76dd61c5d4d03d8ad1ac3bc675c499c9bfc0eb3af07d8b0c3cd375601e5b5e36b9a6ebdeb4f187b5429211

Download Submit
C:\Windows\SysWOW64\Cgqmpkfg.exe

Filesize
94KB

MD5
6137a09679f9a98e16ff7c57a8723627

SHA1
3b87870ae2c6dfd467450ac99ad24592a27c46b5

SHA256
aa29e5df45c601cd5800fe7b28880e6243f3d4b951506f6e0b5b0eeca4e22d9a

SHA512
e0d21112d7d2bcccc0f643d018e7db6436416aa157c7f311a2926c7a35582b0b8146fafb9b86e00c35322356e8a90bb19f632663c5ecb8f04b5d8b2db69d1a1a

Download Submit
C:\Windows\SysWOW64\Chbihc32.exe

Filesize
94KB

MD5
69293e140b2037204772da9b63cb058c

SHA1
dbb2eaedb24aaad96bc30dce26cfe9ad60866eed

SHA256
1492e83920352b48f23f4bd0100987eb839a4e1d74127bdda8df68990a9c322a

SHA512
54a3ce805a796a3391b5b504d9b3b622063f25740ab00f1d56d7e74f1002c807869647b1084ab785bef6e59661ca86e2798255f024958b59fde27ab3a410dc8f

Download Submit
C:\Windows\SysWOW64\Ckecpjdh.exe

Filesize
94KB

MD5
54da35ce407e355a95c4872338621331

SHA1
e0e5340d02a12be87b02e47dde48b4aa70112580

SHA256
64d41aced61890e376bde87f4dbc6d8d42f8755abd6690c2a0a3afe4939399a6

SHA512
115a8b1cc5266bce8c0e69f3462bb3ca367b9d493a33815de7b1d13b0fb6e9d1cbcdeaea4280a6fa3490dc970ec9d3251497f5969107941cb14c4d9c9e776a9c

Download Submit
C:\Windows\SysWOW64\Cnabffeo.exe

Filesize
94KB

MD5
dd60fce7d1710ac8eb07997c018f3276

SHA1
93ad32c4596a8cce766b18a313c349d82b310882

SHA256
d19e3dde0f1385611358792b51da542e45e460b41a71692c4610a9e9197e6e09

SHA512
db73c82e9d9d9e562013a28ff6d16e4154584b0875c4dbf618834eb0df263f7e7b72d8a84b5141d251515377e588f7289a74a37da879338c4e6094ab032d093e

Download Submit
C:\Windows\SysWOW64\Cncolfcl.exe

Filesize
94KB

MD5
c052c3272bde11787148f1f3d4e4d0e0

SHA1
e98215c58384e63753b6727c32e38925b5978fba

SHA256
6ca68d48dbe97d8ea8ebdd68308c690f7e3aa7bc739ddd71f7689789cbfda882

SHA512
937cafbf878a505d1c61bf2a7add24bb3a71955dee9245337ed8a5bce76b01740e18e04751f8838e17a219f23690e3bc34969ee1ac668cae75b53ad418c4d1e3

Download Submit
C:\Windows\SysWOW64\Dbadagln.exe

Filesize
94KB

MD5
d1c339ba578991bb87993c664d276f59

SHA1
25df5887e67eea49407a210cfa26583778cebcf8

SHA256
9fe1614507c2d7c9102815386e5da257319a6b18ecf3cf7d97e3deef077dd183

SHA512
76948cf20392771cb7aa851494bcef19b0156e0baf4885efecb3797ba0b298fdaf7ae9386b86a66c91f8cef912be983b012f20c17c050964446ebc210c052632

Download Submit
C:\Windows\SysWOW64\Dbmkfh32.exe

Filesize
94KB

MD5
ca510c98109db62222184085cfb1f16c

SHA1
2c531704002fb53c13283461965a0dd99bb87694

SHA256
02a1157254b8234c048a344af86d368244ab5680335bf2358ca8be1c2e9043e0

SHA512
5fbe19c15a167ebfe9ff21928899be5a92500844195af6d43e15169c02f6b441bf1d2aef7927de6c22835b4cf9ae76150073ec9eae4ebc0b2f2d62c14ad0ee68

Download Submit
C:\Windows\SysWOW64\Dboglhna.exe

Filesize
94KB

MD5
a1d483d3f40301885c64d1730f8d9377

SHA1
7239f21263c141d3009c532b0264b7da0a7145e5

SHA256
6f6efde188d90ca97bce67eb914384eccb2838cf012e557367878904512b4b9d

SHA512
64ca3e31d950b764158fbee5cf98b66e916fb72a3d9c160e629c06ff617308014561c3979cdcfb260813473268b110fb5d8ffc3a60f017c11f980cca666fc36d

Download Submit
C:\Windows\SysWOW64\Ddkgbc32.exe

Filesize
94KB

MD5
660f5e54c8212f7a4787cb49eeb18ec6

SHA1
1bcf7e1a20c7c628bbb7b4eaa51a5cbbf13b9d91

SHA256
de7b4f4a0b3ad1a191475495c3691604c13adcface63245f11fd32bc0ab396e8

SHA512
7304bf754175d6af9e5022d6844e4f311ca4e8f12a7488571971630ca81a83d662cfa62c36711e659ada00104f14d3f420715434142a493304c659792b121375

Download Submit
C:\Windows\SysWOW64\Dgnminke.exe

Filesize
94KB

MD5
849348c691d887b0984dbb9ffc2cee00

SHA1
00f345e01b91b306e12414c20badefca017cf242

SHA256
f8486e493ca768de4ddaaa6c578e5f79a37ced4d23cb62cb74a503b06d1badf3

SHA512
dc2bbbea95ece8ca571707b4a03c633199d46716a69f96ae4cc5f3b6ebd0f2569174d3effd02d38f0bf4c8bef27d4fba5340af53da6bdbdeab6d9a675c3b3f5e

Download Submit
C:\Windows\SysWOW64\Dgqion32.exe

Filesize
94KB

MD5
f6e1a019702b71e49cab595bf85e3b0e

SHA1
b73b74280a8e5f74521bc76aeb09e1666d65b25a

SHA256
04c253191a14b3b0a01d24406afad31875352d6b121b888850c9af02804da6f7

SHA512
a17dc952cf2d5ad85452ec66b1b2e05f2e925a8cbf19f86b0b9165a2bf1a05e80ae48be820892f9c61ac8b5f4362bfd4bd3340ec6e52841997d0070bd13fccec

Download Submit
C:\Windows\SysWOW64\Dhiphb32.exe

Filesize
94KB

MD5
27163b6676a7850a1f790ae3d4785aa5

SHA1
3c23304f59ccba91f4eba01e15deb0835b46a690

SHA256
344142ce9871c96ed2fe668d96beb0c56e3f76fc10af666cd05d06838ff7fce6

SHA512
75d70fd618ff16983bee03fe6ca354117da4ffe0c3afa1d5e91785a40084c6cb2ca47e6fdc5a3b2140daa595d9185d6ac3105d06b61f0526c558ea9888ce94c0

Download Submit
C:\Windows\SysWOW64\Djafaf32.exe

Filesize
94KB

MD5
32893e7adead3f55482071e1ea02e32f

SHA1
9cd508a249fc750e53bb149ed3699bcc04c6ba9d

SHA256
770bb2c756b06c04d232d1daf54a0b0f5596e54b9e0b736037bd2465d63c775e

SHA512
0ad66e35073cab721df1ee0211e9475d01a3766470a3bc8d14419c5f7a85d572cf0fd4f4571ab01668718bde4cef6f2f0013f52c09f6ca0daf8a8df1368d27b3

Download Submit
C:\Windows\SysWOW64\Dkbbinig.exe

Filesize
94KB

MD5
a76f9566fcad66e8f23f04aff00bc2c6

SHA1
32605391f14127aac213c8cb5d8a8aa399dd052c

SHA256
511ea956b0b0d531ead11aec83ac787bf505715234fe9eb2ac61afe65101bf3f

SHA512
d6f63fbcc546706a8c0bbeecb0b5d2f443d6c2e58f26527462a62f5037e3ec6fdfeb2f50668331fa11a592becc4619123ebd888e81399dde2168d9707ec944bd

Download Submit
C:\Windows\SysWOW64\Dlpbna32.exe

Filesize
94KB

MD5
0c7b195723fbb1c980494cd5f242678a

SHA1
61f051c6eb96561f8f01617b6245a429dcdeb57c

SHA256
e37e280640a655b6c4590fb17d7bc8bada6dc645e64e5dce15435fcba3e202ee

SHA512
fd952306ef4b7bb06e7708cbb37c4eb90d9a2b9764e77aaa0de01f7c7626f5bbb3514b7e245fc511009721294f8c1ac24f0930cde361870ac8e89463b4094a2e

Download Submit
C:\Windows\SysWOW64\Dmmbge32.exe

Filesize
94KB

MD5
daaf610c86313fe2a50830a0b409ef57

SHA1
e926d671d5dfbc318ec26954dbd518685c0a5899

SHA256
772788670e83195dcd5043b4d3273180057e76ecaeda8e2bc2c730de265356bc

SHA512
ca3d4ee3494b3b5a740e138fb6f61697f4669a4dc8de27ae5f90cfa8b0524dd3094fbf6c323ce2b54091bc866e4f22a47c06f0573c3f2281fe2129a944e6c87b

Download Submit
C:\Windows\SysWOW64\Dnckki32.exe

Filesize
94KB

MD5
068efa040510a5c4565a96e73db14171

SHA1
77bd4546eaf8632849aa15e974966a52c2e89b4a

SHA256
908114a8a597f1a2ba00edf9c1790337adbd7b31a5a614e160edd5e4c9edf120

SHA512
ebe1dbbebcdfdf720efed18572232c495178b1e5807a72d522fb08eb9b7b408300f497e884f78d0e846c25c0a61d6f8e163de1a8f9af185e25e3888a0525ba22

Download Submit
C:\Windows\SysWOW64\Dnhefh32.exe

Filesize
94KB

MD5
e9ac9db8d2bbeb320656a0abd33513fc

SHA1
4ba8f60fbb39a6924c4a2e920b8974ccc394b0ce

SHA256
c19a2041fb25decc4f40228bb474e96fa8af1d2725ab44eb8dec1faf1c7f9f04

SHA512
41e469c4e483b1ac01d9076e51d2f8d13165653e30eda6b5be1263d0830e2c9717433c787d97f7449fc78c739358aa2d8271009f2cecf4d7b3af4bdb8fdc428b

Download Submit
C:\Windows\SysWOW64\Dochelmj.exe

Filesize
94KB

MD5
23a3969d66ca55991327a3c3c7c6c3d6

SHA1
f0f44ecc1dcf0a449257a568f03073108a000afe

SHA256
6473f2ed0ccbc06689f7fd186e297bb67451678f0c1abf586cebd37dc0d30834

SHA512
a8eecad78a1bbd8d40bf3bde0c5f62b8c4609f968c3b6e4550a1cc38acb6af877c9a4c078b4514e7f19c7db460c19f8ea485585ffe38546331f6d9f067483fbc

Download Submit
C:\Windows\SysWOW64\Dqddmd32.exe

Filesize
94KB

MD5
8c0ee42688bb08d1798706ea27a7a5ce

SHA1
23a83787c5a08f48ae436401014af7bcaeb46875

SHA256
91ded33761fafcb63b301e5ab0f8641152dc23d488f1f4eaa9bc907bfd20b04c

SHA512
1310d047e03f324ceffec3fc761d3fa532ef44a8b2ef257f9789b5b9bbd9fc205b66334978c0b4bdb6df15ae7082027efb349b09875d95368b309c07dab5f6ce

Download Submit
C:\Windows\SysWOW64\Ebappk32.exe

Filesize
94KB

MD5
9fe62eedca7315aa86ac163a780f7bc8

SHA1
2af25a1142e72e5b2bced17e4fdf74116ac20e30

SHA256
b44f4f207b495fe4a3bb5f2b65e73587ca8784ae1d9742cd2f85b0ec6455d57f

SHA512
be10b1bcb7fd7977ef7905fe8253237773b21d1e76580ee85d9ebe28fccd24c1783601afd4bc40f4a17a1a6580c6a9676d71a814f876721442be383110816972

Download Submit
C:\Windows\SysWOW64\Ecgjdong.exe

Filesize
94KB

MD5
2671d32ba16fd24c1f10f66beb2a80b5

SHA1
4b3ed4b9a2d27b83b1be81de20c58eff4788ddfc

SHA256
fd331c6adb0d20f376af78bcfe718857c00d31e9b4ef768657bb21e2d6c8cded

SHA512
18c3fc91af25bc181032e4dcad8ddaa3b43216c42de98779d3a10b66320397c2024331565ee5ce3bb66fc18eef5aac66ce5e971af869d1217cde279c6a77c6a5

Download Submit
C:\Windows\SysWOW64\Eclcon32.exe

Filesize
94KB

MD5
aa2736cfd2ee5a2cf5b38d1fe3c7b4d3

SHA1
898e02769e453d83617319d2c50c45443ce7e4c0

SHA256
1282c53826ce6d4e2025b2f8d3f110686c9bbe0de2092ddd1fb6a34c96496858

SHA512
0b2b0245c4b535277164e109d47ef6791338b830520de4d3a48fdde1983ad0fdaa0dbd662c38a3107326c7f820d0f2508994f5c3ddd2e0f0016042c78db82830

Download Submit
C:\Windows\SysWOW64\Ecnpdnho.exe

Filesize
94KB

MD5
2b29f3efd6e9cd3c24d8310ccf79536b

SHA1
8f17d791bbb03d25a5be0911fec1f13f25586075

SHA256
ccc80f08edec3d7e9f03d2f57da10b76176190c1514269a63f56a8e53b6a8d7c

SHA512
5e12014ad5f83d364d2caf52a232b193fa400ecdf610cc996965fb3e51ed362acfc484779b1e3bdbc819e0f14958c7dc6aa46a10504f7fa783f718191edee561

Download Submit
C:\Windows\SysWOW64\Eebibf32.exe

Filesize
94KB

MD5
7d9f860dab3d572413aace19047751dd

SHA1
50aba57713b47667f6686164e1196830c45eaff9

SHA256
a38b0324369f42331edf95c00371e74ec9592d372610cb1548e1c6843887169b

SHA512
14946673b06bc0c305f5fde2a146498440c3f8db8b0c1597cb4b0d7fa60914cf13b685f8bea0089f19ec0fa87384d10df61921bd6d4c70e252340a44e4074ad1

Download Submit
C:\Windows\SysWOW64\Efffpjmk.exe

Filesize
94KB

MD5
7cbd55ca9b4426dbcadb76fa08c650ba

SHA1
639b17a1ecd9dc5b9734bd7ba5ad37f51cc97de0

SHA256
562c9bb4ed372c80542ab70f29e9392649012e254ae9449b36fb42c7dd3a5f43

SHA512
aea387f2cdf2094ccae6ccdab8ec447c4bb6f8d353394b091a7d3384fc8e414523de7d38ee2191745cef326495199749fcbb1ea01bf9c2f0d8fc2243e5bf3b6e

Download Submit
C:\Windows\SysWOW64\Efjpkj32.exe

Filesize
94KB

MD5
86386364c197d6f2ec5605d052dc00cb

SHA1
d24f8ea325355d74170eb656c9bbaa9ba168ebf9

SHA256
92ad0d19453fc2c403ac2872ff51592d541843a41233d8ec7ba5859aab55ae10

SHA512
82a30450cee6cb6e702c3714f579c1704551a897ac956749a5cffbab57d02645471215a471faee47c8fd1e7df96d5b7118f04ac25d12d5bc9cd9fb8dbabe992f

Download Submit
C:\Windows\SysWOW64\Egebjmdn.exe

Filesize
94KB

MD5
484eb89622c0c911e1197fcd4d1f76b9

SHA1
bfa4723a4c06286b0cf28906ec2cd2ec390acceb

SHA256
1fe8a85aef88ab80a86d2c62e631b2b6a2eac52a8086dd8f2240d4f018a472ae

SHA512
6e53e17cfaf1dd73931037fed22f9d80451b06837880375ad8367fb6b6203429a1aa0f862e05cffeb5245ca29c3dd8f0b48145517a8332369df5467b21823614

Download Submit
C:\Windows\SysWOW64\Eifobe32.exe

Filesize
94KB

MD5
681ef51905f2800b2193d9a5f6b623fc

SHA1
8a706dd479f5f4afff19278c717fee8fa2a1e5eb

SHA256
e197892a8056605a38612485fda4cacb464b27f4bcaf6ccf31df5e236e2b2c8f

SHA512
61741064cf44dbe648fdcf5b840d474b5661baad1690b16748eba717ca32bf6fb1d00755b6857d03cdccd75053b7eca23a1d4831f97718162f23ece8d82d510a

Download Submit
C:\Windows\SysWOW64\Eiilge32.exe

Filesize
94KB

MD5
fdac6a25c9f4f7b9b15431ccff91c23f

SHA1
4db3da987d2fdb1da0df42841bfff578ed6c9768

SHA256
255d824b8c1e0b80e564cb0a91556d9a9ea31a920a6b389bce0651e13edaeba2

SHA512
16ce9518142ab69c0afe875ae00b68ee3b42edaabb46fcfd0c399cc56f8abe4e109003e33e7a042c730a4a0115747b4224eb2acc976d1c8440f2e3e624176344

Download Submit
C:\Windows\SysWOW64\Eikimeff.exe

Filesize
94KB

MD5
9ba348da03886607f956763c4d306d6b

SHA1
b27d0649dcbcd31ed73967fea8276a7d83950817

SHA256
65e2ee7a3e0cd81366e14226ae43dd6dd7ee4a0afb0962d1a8b698304a547c11

SHA512
8dc58a5116dedcb272276cbe1fe60c310fa37ab1a33beba99e1a2c38804662e984ef12c24446b5b53cfb8c11552137a0a230e8c60344084aa3c87929a593bbe9

Download Submit
C:\Windows\SysWOW64\Ejfllhao.exe

Filesize
94KB

MD5
e589d59489f08abad7503e80d2084658

SHA1
435468457b23c845e5c8afb3e2801e4b1bd0cb6f

SHA256
126bc3df69593cd7ef4e1cde281207d966fe766c1a79625ed1f4dd109753a120

SHA512
f8a130b6566223bc01e1d8b14ca87c9478c3a82a68a46f196569634a4f4797aaf6cdd9d6a64444d29677a3a7077c62ea4087f55fa9afd2b8c0ee66d1965b1cba

Download Submit
C:\Windows\SysWOW64\Ekghcq32.exe

Filesize
94KB

MD5
9e0420a368534b2197e42979506d305a

SHA1
baa0f4c53379f88c8d3ca222518fa9dfbaeb41bc

SHA256
7dbd21157f98c83f1db68ec721fdf009aa9d8d30e6ce3fc49d231e69417e5b60

SHA512
bfe4b166d1fceb2925f09eeef8f204486c23ab2b3c386b337adf664bec8ae9ab18fedbac11fb77e3b6614e0e482aa3f72f5cfbbc5258cdcdbb964f81774a3bf0

Download Submit
C:\Windows\SysWOW64\Embkbdce.exe

Filesize
94KB

MD5
8dd85c463f1b6b00628b04a55dd4bb1a

SHA1
ee61a5e9481dd0d5434074f11976457613d01089

SHA256
9f3242e985afb828bd1afe3195f696732877622c4f8ed05935f891d88b662925

SHA512
84951fda5c173f9ad7cc3ad1e16ad2e140289bf086cba9b2961f14b9d468d415f12fc3f3545e3a5676955790a2a73368743d99a22c1b7bf25ddad4f8b7f6a96a

Download Submit
C:\Windows\SysWOW64\Emdhhdqb.exe

Filesize
94KB

MD5
c89777953826bcc3ae786bd405c7f02c

SHA1
79f34ab93a5e39befb6e44145040ce77f51b9b97

SHA256
5aa767dc05a31967c5e51cb3689fa7450b944f6ac59f421b9d7734ade14604d5

SHA512
550d7363dd14ae0ce8b12e03df6535f38d6e23190ceede57043e3dab526ce144af77a2fd9cfb5350651b51b47cf3c94aaf1dca8857b62cca1cff8e3a93f7ec49

Download Submit
C:\Windows\SysWOW64\Empomd32.exe

Filesize
94KB

MD5
b1a73b090b7b25fdd32361bd67793d6b

SHA1
bdd2e91929d36694587cfd35d60eb89ef320d487

SHA256
2296da6438661c96548f851f5f3472b974a5610de38de9b00e650f116e7e8028

SHA512
27db865bb673b47df7bd1419dba7cfbbfde073344e39011f18a9b141bdaeaed91eade7e2608040a49aa3b85f778c781dcd1e4eb90357a1b6c1bb8fe0fa457dd2

Download Submit
C:\Windows\SysWOW64\Epeajo32.exe

Filesize
94KB

MD5
27f1c810e2c7bc386d676eca2ed038bf

SHA1
dd1a72228b8df75da43c6ed323e845e5edec42c9

SHA256
c7bb8aac9b9c7b22e3e11e9bf9ea1e3240e16997fe2052b9a967db6cd4b025f9

SHA512
c98860dd550d93da831408243261a64e1576362d1cf2b1ca6b20117a8227a654383de6c7f2ff5a6377d9118fe4f47aa2e8b95c6c3e64a5097a519b139a9ec182

Download Submit
C:\Windows\SysWOW64\Epnkip32.exe

Filesize
94KB

MD5
e9ac359ebede3ebaad6e141139a80c95

SHA1
7185758f853dff13b5a61595098ff1fcc4e24284

SHA256
f4ba09dc047d509489df5fc7b6beb2219651748d13a8868cf4a39c39b75eb617

SHA512
ef90f368a56fd894fe2c47911e61ed8e7953701526f0194ae5db137f475cd59be7ad1dd0f44a8f7db48bfdd723f129761969e677a9e7f1009ae2d7f772cf16c1

Download Submit
C:\Windows\SysWOW64\Epqgopbi.exe

Filesize
94KB

MD5
61021c6f8df6f45ea5ae4ef098b2401b

SHA1
f972d2dd9d3831a1867beb342148403f8fd73df7

SHA256
ec62d63497b9d75e9402ed1856267863988375723ff82d179d2b0fd23f960694

SHA512
9e3c783f7e2c11ee6822f14a1970a6cf703e2c5c472ea6eaed4da94c62e781769e751b5aecc32656ce8c53cd6ae0545a60192a2e18a303fc5a76e62b5180ca5c

Download Submit
C:\Windows\SysWOW64\Faijggao.exe

Filesize
94KB

MD5
4bd8be1e33e3416f029070dee1456643

SHA1
080100e847b3f2b11000d1917687a11036e16795

SHA256
f24ae7e3401d66af2838d6a7ea5cb7cc7b9b51ab71d4d823c3b430375e3f0603

SHA512
dfd9668a834b71cb9cd866c41bf62defd83b308958b7f942c71626b493dd14480c7c95aaa38bb8e2327fdae61faba81a5c3f60975d01ef5b817b3b52ec1fdfa2

Download Submit
C:\Windows\SysWOW64\Fllaopcg.exe

Filesize
94KB

MD5
a6ebfde87f63c41606199631892a88fe

SHA1
6fd0f6154eec972a334803cd3de318fa64649e6f

SHA256
83294670c9f400572dc5d2be9d90f239f792ff0de5be731e0ab27ebc090cc9e1

SHA512
6d9ba54a9ec6c92ff25c8ab13315113f05c924f990253b9cad73e23db1267b2fb757e55d3da4eed516218903ae83c437833070694b179da704f61c17bbb8e3f5

Download Submit
C:\Windows\SysWOW64\Flnndp32.exe

Filesize
94KB

MD5
541005f9dec56378b4dcf04a17a9d646

SHA1
1e42fdefecdf4acb3409ee9217e8edad9f0f66de

SHA256
0cc46f138977a2bea48fe130df4d21346521d804708c57a5af1333a0ec197c40

SHA512
0b455c63e89095606a04c8421d5aac28f2beede1a7c554fd45cfdfd194fa3066d5e309595958babfef5bd274ada501d04fcaee6a110fee0017a790de68e1ef6c

Download Submit
C:\Windows\SysWOW64\Fpgnoo32.exe

Filesize
94KB

MD5
1d888ead951fb949ae75f08e993fa207

SHA1
13382e391d8a1d33779b324bfa10629a6ba6d4df

SHA256
ac1e1c2d77d5d8152884c2731bdc1e3fb8b7406ae55d69e7ac82ea1e4cc006fd

SHA512
05e81afbc7a4b2f270e64e93a00db440cde58d0ff3b045f8ea158bc5404e904d6b263172a279690345b56dd776fb8462fa855039d1c647f28bd9beb1ec02fe34

Download Submit
\Windows\SysWOW64\Bahelebm.exe

Filesize
94KB

MD5
574d26902ef055cb9771294b7301e477

SHA1
dc9b1c6e7d6fa85cf0231de4839dc57ae5e37f94

SHA256
49a51bf269a1625853f4d22d4786c3f69c7375b15c586d05dea7a45e0300dd2d

SHA512
d1ade93aca53f8042f9a630d4ea6b7c32e788d752304e8817feadddd5e183ddf185c5c5be3dc1243e04c2a40d49d1e3f3d0dbdfd2e4d57882fcf938c107fabb6

Download Submit
\Windows\SysWOW64\Bakaaepk.exe

Filesize
94KB

MD5
fb7606393390d062293a8b50431064e7

SHA1
66a544dbce73f31590ebcc3eb683591c24a5846a

SHA256
5a86999567938af7a6f278cb946de4dcb3d59dc65cd70dcc27d4d16b3eaa6d11

SHA512
41b7b97ae72362281eb0757202cf5a84252f9347142f510067b8d070d92f429836e690d43e23713edd8dd771e2d583102d43287c41ff534542326d833771eeea

Download Submit
\Windows\SysWOW64\Bggjjlnb.exe

Filesize
94KB

MD5
ca56df10367a64f204ccd1da06d9ff00

SHA1
cb05fa76bd8c3fbba0a981b2dc1864077713cbcb

SHA256
3655a6f49c4d8c5aff07732282aae363fb2f53490978b6a3801b968b95f7d6f4

SHA512
8319872f6fb47bdbf71e05a0ba908ba1cb234f42b8ef3798296eeba8096c47b6f52debee22df577386c1aa1146d79b937433ee5595dc07a8c00586a2a939f854

Download Submit
\Windows\SysWOW64\Bimphc32.exe

Filesize
94KB

MD5
fdcfbea0304d03a9cc84037de27b1788

SHA1
62a29ec17f93037958c1a2aa655dae20c6a30be2

SHA256
fe8e7540324617c05173de6726c9a38ef9e77bfc540b2d958d52d9b9620632a0

SHA512
91555bfc40d1f3e0c433477dce59f3473978221682a65c02d0b6d7c7937e2a3dc2035dbc65fa3a36c143e7388595991b3a6cb085409980aa743e2a4c7955f090

Download Submit
\Windows\SysWOW64\Bkqiek32.exe

Filesize
94KB

MD5
0f5bd8ba3cb8de407fa8f44e2ba470e5

SHA1
f1e8c9cdc4b02259b8c2fffeda936eb8ad8852fb

SHA256
688746e7979f01eccf2a53cc4aca4c62e64c46928e0eec4060f9594c95711029

SHA512
abf30727e6c606c68f51b436b17baee0296281bc52002f9620ddefe348ed3f23628c2da88cca9d703733167d907e5e17896292aa4edc536c4a5490242bd34144

Download Submit
\Windows\SysWOW64\Cjjpag32.exe

Filesize
94KB

MD5
951e9bdb45f661cdb56b62db54beb730

SHA1
489ab09f584e49f9b1ef9056dc6ed574a23e309f

SHA256
64026ee2fb870922abcdb06f5ef8afef294013e22f1f5bc675a44dd4103f5265

SHA512
edc5e474997e81a59f520330c0f362eef726ee7fa3fe05c42bfb39f51b735783bf8a0474015d692616e7a10108844b298148e017acecfd69a2f3fc14543d181c

Download Submit
\Windows\SysWOW64\Cnhhge32.exe

Filesize
94KB

MD5
12cba6ef6fffcb65521bd170e1eca2ef

SHA1
fda2e2c2f6b8884ff02ce48954e6f284ecdeaf8e

SHA256
14a39761923507b435c31266cba683762265494b860d2f31763faca2158b46ea

SHA512
7b8907357ce0636c7f9c931c11f0cf707426f3c8549f13f42d88be4134c91bdf361471e4884579efa1a90a6694f3e46d38e2d2cc6b5156ceaef17f725e2a94e3

Download Submit
\Windows\SysWOW64\Cojeomee.exe

Filesize
94KB

MD5
bd04df7848b101949dc4e82beab23016

SHA1
84e3dd493328ff2ada08421831388bc6798ec4f7

SHA256
6615d08896b7d99894e7e5e876365245e3e1a5b36c8895e1aea21722f49691fc

SHA512
231618f47daf51ce193dd49c83f076431be045c9599588278cea65a60b871fe98e3d54ba739544d92cad69baa6366a3967814cc276d5cf2a7877f173f13646fd

Download Submit
memory/408-146-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/408-99-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/408-85-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/408-93-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/408-150-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/628-355-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/628-319-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/956-246-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/956-237-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/956-281-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1000-330-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1000-292-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1000-298-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1176-218-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1176-166-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1296-367-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/1296-366-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1296-334-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/1524-368-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1524-375-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/1524-405-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1648-270-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1668-243-0x00000000005E0000-0x0000000000621000-memory.dmp

Filesize
260KB

Download
memory/1668-188-0x00000000005E0000-0x0000000000621000-memory.dmp

Filesize
260KB

Download
memory/1668-180-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1668-224-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1676-312-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1676-302-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1760-313-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1760-282-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/1760-271-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1760-277-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/1764-417-0x00000000003B0000-0x00000000003F1000-memory.dmp

Filesize
260KB

Download
memory/1940-291-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1940-257-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1940-250-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2064-395-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/2064-431-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/2064-425-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2080-245-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2080-256-0x00000000002F0000-0x0000000000331000-memory.dmp

Filesize
260KB

Download
memory/2092-51-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/2092-98-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2168-117-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2168-131-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2168-179-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2372-9-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/2372-52-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2372-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2408-323-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2408-324-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/2452-307-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2452-344-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2452-349-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2584-407-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2584-400-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2600-109-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2600-54-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2600-129-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/2600-61-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/2652-373-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2652-339-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2696-64-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2696-25-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/2760-26-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2760-34-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/2760-70-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2772-151-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2772-207-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2772-160-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/2840-350-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/2840-389-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2848-115-0x00000000005E0000-0x0000000000621000-memory.dmp

Filesize
260KB

Download
memory/2848-101-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2848-110-0x00000000005E0000-0x0000000000621000-memory.dmp

Filesize
260KB

Download
memory/2848-158-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2888-427-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/2896-195-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/2896-147-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/2896-133-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2896-193-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2896-148-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/2940-415-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2940-379-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2940-384-0x00000000002F0000-0x0000000000331000-memory.dmp

Filesize
260KB

Download
memory/2960-209-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2960-219-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2960-261-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3000-365-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/3000-399-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/3000-364-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3004-130-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3004-73-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3004-84-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/3004-83-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/3004-145-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads