c4a28f8bf8a4c0176c7f111a1633896e5728481e5513245278c38a4b0a71dfc3

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
01/10/2024, 10:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4a28f8bf8a4c0176c7f111a1633896e5728481e5513245278c38a4b0a71dfc3N.exe
Size

350KB
MD5

67042bf2633c98f47f7a20c497700c20
SHA1

710f7053ebfef59c9f7e1d508af7ea8750fc46d4
SHA256

c4a28f8bf8a4c0176c7f111a1633896e5728481e5513245278c38a4b0a71dfc3
SHA512

8ae464256811481f252bad28d156511f542a726f4c331a923264be0d881847c6726a84d84ff657e8903bbb40abd36b59c98e036cbfc9c1dcaa2cc6e3217928d1
SSDEEP

6144:Pd8DtpHVILifyeYVDcfflXpX6LRifyeYVDc:1cHyefyeYCdXpXZfyeY

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgjgol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfhgggim.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egebjmdn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fipbhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkcfjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doqkpl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dboglhna.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egpena32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egebjmdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	c4a28f8bf8a4c0176c7f111a1633896e5728481e5513245278c38a4b0a71dfc3N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clnehado.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddbmcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enmnahnm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epnkip32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bojipjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dlpbna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Epnkip32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eclcon32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efmlqigc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgnpjkhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddbmcb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eddjhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eclcon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dqddmd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c4a28f8bf8a4c0176c7f111a1633896e5728481e5513245278c38a4b0a71dfc3N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bojipjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgjgol32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdngip32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cglcek32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdfahaaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdfahaaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clnehado.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efoifiep.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Faijggao.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjoilfek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eddjhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efmlqigc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epeajo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Epeajo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdngip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dboglhna.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmmbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkcfjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cglcek32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clkicbfa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecnpdnho.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doqkpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egpena32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfhgggim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fipbhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bceeqi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgnpjkhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmmbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekghcq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dqddmd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enmnahnm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekghcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecnpdnho.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efoifiep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bceeqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clkicbfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjoilfek.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlpbna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Faijggao.exe

Executes dropped EXE 32 IoCs

pid	Process
2128	Bojipjcj.exe
2704	Bceeqi32.exe
2988	Bdfahaaa.exe
2224	Bkcfjk32.exe
2584	Cgjgol32.exe
2324	Cdngip32.exe
1568	Cglcek32.exe
1908	Cgnpjkhj.exe
1088	Clkicbfa.exe
2348	Cjoilfek.exe
2208	Clnehado.exe
2884	Dlpbna32.exe
2816	Dfhgggim.exe
480	Doqkpl32.exe
2244	Dboglhna.exe
264	Dqddmd32.exe
1628	Ddbmcb32.exe
1716	Dmmbge32.exe
1940	Eddjhb32.exe
2636	Enmnahnm.exe
648	Epnkip32.exe
2304	Egebjmdn.exe
1064	Eclcon32.exe
1520	Ekghcq32.exe
2280	Ecnpdnho.exe
1612	Efmlqigc.exe
2996	Epeajo32.exe
2780	Efoifiep.exe
2812	Egpena32.exe
2664	Faijggao.exe
2072	Fipbhd32.exe
2944	Flnndp32.exe

Loads dropped DLL 64 IoCs

pid	Process
2364	c4a28f8bf8a4c0176c7f111a1633896e5728481e5513245278c38a4b0a71dfc3N.exe
2364	c4a28f8bf8a4c0176c7f111a1633896e5728481e5513245278c38a4b0a71dfc3N.exe
2128	Bojipjcj.exe
2128	Bojipjcj.exe
2704	Bceeqi32.exe
2704	Bceeqi32.exe
2988	Bdfahaaa.exe
2988	Bdfahaaa.exe
2224	Bkcfjk32.exe
2224	Bkcfjk32.exe
2584	Cgjgol32.exe
2584	Cgjgol32.exe
2324	Cdngip32.exe
2324	Cdngip32.exe
1568	Cglcek32.exe
1568	Cglcek32.exe
1908	Cgnpjkhj.exe
1908	Cgnpjkhj.exe
1088	Clkicbfa.exe
1088	Clkicbfa.exe
2348	Cjoilfek.exe
2348	Cjoilfek.exe
2208	Clnehado.exe
2208	Clnehado.exe
2884	Dlpbna32.exe
2884	Dlpbna32.exe
2816	Dfhgggim.exe
2816	Dfhgggim.exe
480	Doqkpl32.exe
480	Doqkpl32.exe
2244	Dboglhna.exe
2244	Dboglhna.exe
264	Dqddmd32.exe
264	Dqddmd32.exe
1628	Ddbmcb32.exe
1628	Ddbmcb32.exe
1716	Dmmbge32.exe
1716	Dmmbge32.exe
1940	Eddjhb32.exe
1940	Eddjhb32.exe
2636	Enmnahnm.exe
2636	Enmnahnm.exe
648	Epnkip32.exe
648	Epnkip32.exe
2304	Egebjmdn.exe
2304	Egebjmdn.exe
1064	Eclcon32.exe
1064	Eclcon32.exe
1520	Ekghcq32.exe
1520	Ekghcq32.exe
2280	Ecnpdnho.exe
2280	Ecnpdnho.exe
1612	Efmlqigc.exe
1612	Efmlqigc.exe
2996	Epeajo32.exe
2996	Epeajo32.exe
2780	Efoifiep.exe
2780	Efoifiep.exe
2812	Egpena32.exe
2812	Egpena32.exe
2664	Faijggao.exe
2664	Faijggao.exe
2072	Fipbhd32.exe
2072	Fipbhd32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Faijggao.exe	Egpena32.exe
File opened for modification	C:\Windows\SysWOW64\Cgjgol32.exe	Bkcfjk32.exe
File created	C:\Windows\SysWOW64\Egebjmdn.exe	Epnkip32.exe
File created	C:\Windows\SysWOW64\Eclcon32.exe	Egebjmdn.exe
File created	C:\Windows\SysWOW64\Mgnedp32.dll	Egebjmdn.exe
File opened for modification	C:\Windows\SysWOW64\Efmlqigc.exe	Ecnpdnho.exe
File opened for modification	C:\Windows\SysWOW64\Efoifiep.exe	Epeajo32.exe
File created	C:\Windows\SysWOW64\Kfadkk32.dll	Egpena32.exe
File created	C:\Windows\SysWOW64\Dlpbna32.exe	Clnehado.exe
File created	C:\Windows\SysWOW64\Dfhgggim.exe	Dlpbna32.exe
File created	C:\Windows\SysWOW64\Apafhqnp.dll	Dfhgggim.exe
File created	C:\Windows\SysWOW64\Epnkip32.exe	Enmnahnm.exe
File opened for modification	C:\Windows\SysWOW64\Ekghcq32.exe	Eclcon32.exe
File created	C:\Windows\SysWOW64\Efoifiep.exe	Epeajo32.exe
File created	C:\Windows\SysWOW64\Pggcij32.dll	Efoifiep.exe
File created	C:\Windows\SysWOW64\Ihpfbd32.dll	Cgnpjkhj.exe
File created	C:\Windows\SysWOW64\Aiheodlg.dll	Cjoilfek.exe
File created	C:\Windows\SysWOW64\Bafmhm32.dll	Clnehado.exe
File created	C:\Windows\SysWOW64\Dmmbge32.exe	Ddbmcb32.exe
File opened for modification	C:\Windows\SysWOW64\Epeajo32.exe	Efmlqigc.exe
File opened for modification	C:\Windows\SysWOW64\Egpena32.exe	Efoifiep.exe
File created	C:\Windows\SysWOW64\Cgjgol32.exe	Bkcfjk32.exe
File created	C:\Windows\SysWOW64\Cjoilfek.exe	Clkicbfa.exe
File opened for modification	C:\Windows\SysWOW64\Clnehado.exe	Cjoilfek.exe
File created	C:\Windows\SysWOW64\Enmnahnm.exe	Eddjhb32.exe
File opened for modification	C:\Windows\SysWOW64\Fipbhd32.exe	Faijggao.exe
File created	C:\Windows\SysWOW64\Eomohejp.dll	Efmlqigc.exe
File created	C:\Windows\SysWOW64\Egpena32.exe	Efoifiep.exe
File created	C:\Windows\SysWOW64\Lgdojnle.dll	Bceeqi32.exe
File created	C:\Windows\SysWOW64\Ngeogk32.dll	Bdfahaaa.exe
File created	C:\Windows\SysWOW64\Clkicbfa.exe	Cgnpjkhj.exe
File created	C:\Windows\SysWOW64\Clnehado.exe	Cjoilfek.exe
File opened for modification	C:\Windows\SysWOW64\Dmmbge32.exe	Ddbmcb32.exe
File created	C:\Windows\SysWOW64\Hehaja32.dll	Eclcon32.exe
File created	C:\Windows\SysWOW64\Onndkg32.dll	Fipbhd32.exe
File created	C:\Windows\SysWOW64\Jcngcc32.dll	Faijggao.exe
File created	C:\Windows\SysWOW64\Cefllkej.dll	Bojipjcj.exe
File created	C:\Windows\SysWOW64\Cdngip32.exe	Cgjgol32.exe
File opened for modification	C:\Windows\SysWOW64\Cglcek32.exe	Cdngip32.exe
File created	C:\Windows\SysWOW64\Ienjoljk.dll	Cglcek32.exe
File created	C:\Windows\SysWOW64\Qgfhapbi.dll	Dlpbna32.exe
File opened for modification	C:\Windows\SysWOW64\Doqkpl32.exe	Dfhgggim.exe
File opened for modification	C:\Windows\SysWOW64\Cdngip32.exe	Cgjgol32.exe
File opened for modification	C:\Windows\SysWOW64\Clkicbfa.exe	Cgnpjkhj.exe
File opened for modification	C:\Windows\SysWOW64\Ecnpdnho.exe	Ekghcq32.exe
File created	C:\Windows\SysWOW64\Eiabmg32.dll	Ekghcq32.exe
File opened for modification	C:\Windows\SysWOW64\Bojipjcj.exe	c4a28f8bf8a4c0176c7f111a1633896e5728481e5513245278c38a4b0a71dfc3N.exe
File created	C:\Windows\SysWOW64\Dqddmd32.exe	Dboglhna.exe
File created	C:\Windows\SysWOW64\Eddjhb32.exe	Dmmbge32.exe
File created	C:\Windows\SysWOW64\Pnenhc32.dll	Enmnahnm.exe
File opened for modification	C:\Windows\SysWOW64\Eclcon32.exe	Egebjmdn.exe
File created	C:\Windows\SysWOW64\Faijggao.exe	Egpena32.exe
File created	C:\Windows\SysWOW64\Ofoebc32.dll	Cgjgol32.exe
File opened for modification	C:\Windows\SysWOW64\Cgnpjkhj.exe	Cglcek32.exe
File created	C:\Windows\SysWOW64\Ifhfbgmj.dll	Clkicbfa.exe
File created	C:\Windows\SysWOW64\Dboglhna.exe	Doqkpl32.exe
File opened for modification	C:\Windows\SysWOW64\Dboglhna.exe	Doqkpl32.exe
File created	C:\Windows\SysWOW64\Nlaaie32.dll	Ecnpdnho.exe
File created	C:\Windows\SysWOW64\Olahgd32.dll	Dmmbge32.exe
File opened for modification	C:\Windows\SysWOW64\Egebjmdn.exe	Epnkip32.exe
File created	C:\Windows\SysWOW64\Akpcdopi.dll	c4a28f8bf8a4c0176c7f111a1633896e5728481e5513245278c38a4b0a71dfc3N.exe
File created	C:\Windows\SysWOW64\Bceeqi32.exe	Bojipjcj.exe
File created	C:\Windows\SysWOW64\Cglcek32.exe	Cdngip32.exe
File created	C:\Windows\SysWOW64\Cgnpjkhj.exe	Cglcek32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2964	2944	WerFault.exe	61

System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c4a28f8bf8a4c0176c7f111a1633896e5728481e5513245278c38a4b0a71dfc3N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enmnahnm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efmlqigc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekghcq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Faijggao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cglcek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgnpjkhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfhgggim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egebjmdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgjgol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dboglhna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eddjhb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flnndp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epnkip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epeajo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bojipjcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdngip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clnehado.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dqddmd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlpbna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmmbge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bceeqi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkcfjk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clkicbfa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjoilfek.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdfahaaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doqkpl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efoifiep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egpena32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddbmcb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eclcon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecnpdnho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fipbhd32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cefllkej.dll"	Bojipjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgdojnle.dll"	Bceeqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddbmcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehaja32.dll"	Eclcon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eomohejp.dll"	Efmlqigc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olahgd32.dll"	Dmmbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eclcon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Efmlqigc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fakmpf32.dll"	Epeajo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Egpena32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	c4a28f8bf8a4c0176c7f111a1633896e5728481e5513245278c38a4b0a71dfc3N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bceeqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bceeqi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Doqkpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dqddmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cglcek32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddbmcb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Enmnahnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Epnkip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bafmhm32.dll"	Clnehado.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbaajccm.dll"	Dboglhna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngeogk32.dll"	Bdfahaaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdfahaaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgjgol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdngip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ienjoljk.dll"	Cglcek32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgnpjkhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glgkjp32.dll"	Eddjhb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eclcon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fipbhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dqddmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Epnkip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecnpdnho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcngcc32.dll"	Faijggao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjoilfek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dlpbna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcphaglh.dll"	Doqkpl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Epeajo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Egpena32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Faijggao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enmnahnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ekghcq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdfahaaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifhfbgmj.dll"	Clkicbfa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dlpbna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfhgggim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpchmhl.dll"	Ddbmcb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmmbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Epeajo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efmlqigc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Faijggao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	c4a28f8bf8a4c0176c7f111a1633896e5728481e5513245278c38a4b0a71dfc3N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkcfjk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdngip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clnehado.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmmbge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ekghcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bojipjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faohbf32.dll"	Cdngip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cglcek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apafhqnp.dll"	Dfhgggim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Egebjmdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Egebjmdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onndkg32.dll"	Fipbhd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2128	2364	c4a28f8bf8a4c0176c7f111a1633896e5728481e5513245278c38a4b0a71dfc3N.exe	30
PID 2364 wrote to memory of 2128	2364	c4a28f8bf8a4c0176c7f111a1633896e5728481e5513245278c38a4b0a71dfc3N.exe	30
PID 2364 wrote to memory of 2128	2364	c4a28f8bf8a4c0176c7f111a1633896e5728481e5513245278c38a4b0a71dfc3N.exe	30
PID 2364 wrote to memory of 2128	2364	c4a28f8bf8a4c0176c7f111a1633896e5728481e5513245278c38a4b0a71dfc3N.exe	30
PID 2128 wrote to memory of 2704	2128	Bojipjcj.exe	31
PID 2128 wrote to memory of 2704	2128	Bojipjcj.exe	31
PID 2128 wrote to memory of 2704	2128	Bojipjcj.exe	31
PID 2128 wrote to memory of 2704	2128	Bojipjcj.exe	31
PID 2704 wrote to memory of 2988	2704	Bceeqi32.exe	32
PID 2704 wrote to memory of 2988	2704	Bceeqi32.exe	32
PID 2704 wrote to memory of 2988	2704	Bceeqi32.exe	32
PID 2704 wrote to memory of 2988	2704	Bceeqi32.exe	32
PID 2988 wrote to memory of 2224	2988	Bdfahaaa.exe	33
PID 2988 wrote to memory of 2224	2988	Bdfahaaa.exe	33
PID 2988 wrote to memory of 2224	2988	Bdfahaaa.exe	33
PID 2988 wrote to memory of 2224	2988	Bdfahaaa.exe	33
PID 2224 wrote to memory of 2584	2224	Bkcfjk32.exe	34
PID 2224 wrote to memory of 2584	2224	Bkcfjk32.exe	34
PID 2224 wrote to memory of 2584	2224	Bkcfjk32.exe	34
PID 2224 wrote to memory of 2584	2224	Bkcfjk32.exe	34
PID 2584 wrote to memory of 2324	2584	Cgjgol32.exe	35
PID 2584 wrote to memory of 2324	2584	Cgjgol32.exe	35
PID 2584 wrote to memory of 2324	2584	Cgjgol32.exe	35
PID 2584 wrote to memory of 2324	2584	Cgjgol32.exe	35
PID 2324 wrote to memory of 1568	2324	Cdngip32.exe	36
PID 2324 wrote to memory of 1568	2324	Cdngip32.exe	36
PID 2324 wrote to memory of 1568	2324	Cdngip32.exe	36
PID 2324 wrote to memory of 1568	2324	Cdngip32.exe	36
PID 1568 wrote to memory of 1908	1568	Cglcek32.exe	37
PID 1568 wrote to memory of 1908	1568	Cglcek32.exe	37
PID 1568 wrote to memory of 1908	1568	Cglcek32.exe	37
PID 1568 wrote to memory of 1908	1568	Cglcek32.exe	37
PID 1908 wrote to memory of 1088	1908	Cgnpjkhj.exe	38
PID 1908 wrote to memory of 1088	1908	Cgnpjkhj.exe	38
PID 1908 wrote to memory of 1088	1908	Cgnpjkhj.exe	38
PID 1908 wrote to memory of 1088	1908	Cgnpjkhj.exe	38
PID 1088 wrote to memory of 2348	1088	Clkicbfa.exe	39
PID 1088 wrote to memory of 2348	1088	Clkicbfa.exe	39
PID 1088 wrote to memory of 2348	1088	Clkicbfa.exe	39
PID 1088 wrote to memory of 2348	1088	Clkicbfa.exe	39
PID 2348 wrote to memory of 2208	2348	Cjoilfek.exe	40
PID 2348 wrote to memory of 2208	2348	Cjoilfek.exe	40
PID 2348 wrote to memory of 2208	2348	Cjoilfek.exe	40
PID 2348 wrote to memory of 2208	2348	Cjoilfek.exe	40
PID 2208 wrote to memory of 2884	2208	Clnehado.exe	41
PID 2208 wrote to memory of 2884	2208	Clnehado.exe	41
PID 2208 wrote to memory of 2884	2208	Clnehado.exe	41
PID 2208 wrote to memory of 2884	2208	Clnehado.exe	41
PID 2884 wrote to memory of 2816	2884	Dlpbna32.exe	42
PID 2884 wrote to memory of 2816	2884	Dlpbna32.exe	42
PID 2884 wrote to memory of 2816	2884	Dlpbna32.exe	42
PID 2884 wrote to memory of 2816	2884	Dlpbna32.exe	42
PID 2816 wrote to memory of 480	2816	Dfhgggim.exe	43
PID 2816 wrote to memory of 480	2816	Dfhgggim.exe	43
PID 2816 wrote to memory of 480	2816	Dfhgggim.exe	43
PID 2816 wrote to memory of 480	2816	Dfhgggim.exe	43
PID 480 wrote to memory of 2244	480	Doqkpl32.exe	44
PID 480 wrote to memory of 2244	480	Doqkpl32.exe	44
PID 480 wrote to memory of 2244	480	Doqkpl32.exe	44
PID 480 wrote to memory of 2244	480	Doqkpl32.exe	44
PID 2244 wrote to memory of 264	2244	Dboglhna.exe	45
PID 2244 wrote to memory of 264	2244	Dboglhna.exe	45
PID 2244 wrote to memory of 264	2244	Dboglhna.exe	45
PID 2244 wrote to memory of 264	2244	Dboglhna.exe	45

C:\Users\Admin\AppData\Local\Temp\c4a28f8bf8a4c0176c7f111a1633896e5728481e5513245278c38a4b0a71dfc3N.exe
"C:\Users\Admin\AppData\Local\Temp\c4a28f8bf8a4c0176c7f111a1633896e5728481e5513245278c38a4b0a71dfc3N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\SysWOW64\Bojipjcj.exe
  C:\Windows\system32\Bojipjcj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Windows\SysWOW64\Bceeqi32.exe
    C:\Windows\system32\Bceeqi32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\SysWOW64\Bdfahaaa.exe
      C:\Windows\system32\Bdfahaaa.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2988
    - - C:\Windows\SysWOW64\Bkcfjk32.exe
        
        C:\Windows\system32\Bkcfjk32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2224
      - C:\Windows\SysWOW64\Cgjgol32.exe
        
        C:\Windows\system32\Cgjgol32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SysWOW64\Cdngip32.exe
        
        C:\Windows\system32\Cdngip32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\SysWOW64\Cglcek32.exe
        
        C:\Windows\system32\Cglcek32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\Cgnpjkhj.exe
        
        C:\Windows\system32\Cgnpjkhj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\SysWOW64\Clkicbfa.exe
        
        C:\Windows\system32\Clkicbfa.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\SysWOW64\Cjoilfek.exe
        
        C:\Windows\system32\Cjoilfek.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\SysWOW64\Clnehado.exe
        
        C:\Windows\system32\Clnehado.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\Dlpbna32.exe
        
        C:\Windows\system32\Dlpbna32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\Dfhgggim.exe
        
        C:\Windows\system32\Dfhgggim.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\Doqkpl32.exe
        
        C:\Windows\system32\Doqkpl32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:480
        
        C:\Windows\SysWOW64\Dboglhna.exe
        
        C:\Windows\system32\Dboglhna.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\SysWOW64\Dqddmd32.exe
        
        C:\Windows\system32\Dqddmd32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:264
        
        C:\Windows\SysWOW64\Ddbmcb32.exe
        
        C:\Windows\system32\Ddbmcb32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Dmmbge32.exe
        
        C:\Windows\system32\Dmmbge32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\Eddjhb32.exe
        
        C:\Windows\system32\Eddjhb32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\Enmnahnm.exe
        
        C:\Windows\system32\Enmnahnm.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2636
        
        C:\Windows\SysWOW64\Epnkip32.exe
        
        C:\Windows\system32\Epnkip32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:648
        
        C:\Windows\SysWOW64\Egebjmdn.exe
        
        C:\Windows\system32\Egebjmdn.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2304
        
        C:\Windows\SysWOW64\Eclcon32.exe
        
        C:\Windows\system32\Eclcon32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1064
        
        C:\Windows\SysWOW64\Ekghcq32.exe
        
        C:\Windows\system32\Ekghcq32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1520
        
        C:\Windows\SysWOW64\Ecnpdnho.exe
        
        C:\Windows\system32\Ecnpdnho.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2280
        
        C:\Windows\SysWOW64\Efmlqigc.exe
        
        C:\Windows\system32\Efmlqigc.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\Epeajo32.exe
        
        C:\Windows\system32\Epeajo32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Efoifiep.exe
        
        C:\Windows\system32\Efoifiep.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2780
        
        C:\Windows\SysWOW64\Egpena32.exe
        
        C:\Windows\system32\Egpena32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2812
        
        C:\Windows\SysWOW64\Faijggao.exe
        
        C:\Windows\system32\Faijggao.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2664
        
        C:\Windows\SysWOW64\Fipbhd32.exe
        
        C:\Windows\system32\Fipbhd32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2072
        
        C:\Windows\SysWOW64\Flnndp32.exe
        
        C:\Windows\system32\Flnndp32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 140
        34⤵
        Program crash
        
        PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bceeqi32.exe

Filesize
350KB

MD5
7551ad20caf189fb0760158b03ddcec0

SHA1
2c55d271e11c8d69b527eb6bfc38fd426756092d

SHA256
ca572e31e83c1636daf261e5211dfc1ca51abd0a4a7adea144b93a2cd0cf63d8

SHA512
35bfb356af54a15521f57f2c18544f51b37cb067f34926fc9ab9714b50bc3acaa3c6e42a75d2575b13bbcb0c7a1532c6ca01f4ebcc622644c44051a75228b1ad

Download Submit
C:\Windows\SysWOW64\Cglcek32.exe

Filesize
350KB

MD5
e167fa72e60e866feb86afe5b66545de

SHA1
3274ae3670e71fabaf6cb476ccda1b389e02b679

SHA256
739f6efc19331b846dd08ad93e1a0758e06df38bb0c748c6f873f417a0e7c4e3

SHA512
794dd338b6a43571204815d003c731291444f6bb14cfe6dfc967418cc9dc3d0a24cb4f2fa1920c47abf14ced74a08825d20832145ad34ffd2ec82f33323c2681

Download Submit
C:\Windows\SysWOW64\Clkicbfa.exe

Filesize
350KB

MD5
16e95717c2f686a743d90d6e1c8ddd55

SHA1
c26248713009b6a42747fa61c7d2158a396b03fa

SHA256
1a0685c5ff162cff1e0806384e0471e99d30a87f511ab81170796ba845c5508a

SHA512
35238ccf16fe0563f2e3103e3633614a78c052889f3a33610d6b573a807b9a5c3a779b782ef95ff8ff072cd325dd136fcc75ccda26e6f7f5e1f0ff97bd374540

Download Submit
C:\Windows\SysWOW64\Dboglhna.exe

Filesize
350KB

MD5
e60cc08a2113462a3ac77a74fb8021b7

SHA1
50df666438432a863cc078fe73147e168aa0d0b3

SHA256
4bcc21a4b3182e4f536aa0f36c9d591636b595893d69c8f3f52e5e3b699a7958

SHA512
19bcb01a03fffa9f7a065d4576b6a85ea88f610e82de7c5a110332d06025eba5fbc240d5e8d07243af339090a8ce381bedd6345f27749419427b8f42ce6887c8

Download Submit
C:\Windows\SysWOW64\Ddbmcb32.exe

Filesize
350KB

MD5
583ead87e7b244e325e24afcd329959e

SHA1
9f02a057949343d807e58cca95f52a02501d7cdb

SHA256
cb9f8ab34ccaead69435059ff1c2c86c9ab181f479e13854dc9dd6958c05973a

SHA512
4f09905ec09d285dda9a414d8e2d71fee0c7f765be826f52f5d0ca32561750e198060e67b731a01fb7b963e242b950987f705ce8daeae8886c3beaeb3c600e40

Download Submit
C:\Windows\SysWOW64\Dmmbge32.exe

Filesize
350KB

MD5
5b3c6e176434b1302af046887e2aa41f

SHA1
e0ad49d536f94a5ffbcfe7450979e41693b1a8fa

SHA256
6551334cebda7fb7f58498d9584b366db235ffc9af30210efbe5e7c73e2480ac

SHA512
e86160b0acbaa6228284d3df79463c80eb209b7da2a8de70765d42a785d15930fd71dc525a80ab722b0a9464dc3a23f22a88d123f287661addf75876e033766d

Download Submit
C:\Windows\SysWOW64\Eclcon32.exe

Filesize
350KB

MD5
cedb94153eac9227df789175fe043bbe

SHA1
9d57399541c4897971c5f35d059e4b3f2aea0321

SHA256
ef6d04074974dd6ff047b127cdf72201cba4c8764848aaf273784475c16cfdd3

SHA512
0af76c9b0af16df037a0efebd06ab253053728232d7190579d11e98c7fd4621b433d34242e21a3e14887422a53cabddcc9e742047330d8c7fd6d87e5ef7eac93

Download Submit
C:\Windows\SysWOW64\Ecnpdnho.exe

Filesize
350KB

MD5
b619e3865ddedcfe84fef6f36c1d5e67

SHA1
04d21046c7362328eeb3d76ad89f269cfd947d3d

SHA256
1c1ea737a53bfca09bfaf1a78d15128ae4907781b19a9f436a9fab38c92bb0b9

SHA512
f0b82d58d257e0d3d60c456b9efd1562807cc1bd4556cb31da63c6ff7bbf08068b1f66c8d52a9be2b1aec145559c33f47ef7b2c9d35b38c5901af2e346a6e179

Download Submit
C:\Windows\SysWOW64\Eddjhb32.exe

Filesize
350KB

MD5
7b19432bdd94113c7eaaebc55de56dae

SHA1
266df08482cd5c7872e5e7d4477a80d6b6b10ab3

SHA256
86885429f3d56fdb06dcb3ea5502d246106d11ad93f79f957f66138320f812fc

SHA512
11e843e63e99d5dc246b9c3a2790b0478229c42ad24a26dcdb3608c7f2c89b2984580e3e169a11c642da14131c1defb203b94581526b7d22554d246cb571f9f5

Download Submit
C:\Windows\SysWOW64\Efmlqigc.exe

Filesize
350KB

MD5
475f6e62f094fba751774901efa2878a

SHA1
6672d30794ee8864418dc5325855226ded413360

SHA256
1ca45b2961e0b0622eab4798acc1c2317cf2ae896cafbd38b687604f355128cd

SHA512
f7757d1d02f022dd1978d81fd64f412336e0981a5381ffd9058fb011a3e926938419f7dbee4883f85e1d8ec5d46b9717209bf3105aa0fabb60337cd2479f4222

Download Submit
C:\Windows\SysWOW64\Efoifiep.exe

Filesize
350KB

MD5
95a3de31b3461f05e433601ddc7d2ad5

SHA1
cc4fac3c99a74853284ac859969afc00aef7b276

SHA256
ec63373eaf9a7ff5a4181b36258a59f2b4fbae95eb65631a76cf900d826699f7

SHA512
6371ee63d42298e932afe2aba0d28ada16ce9ca77f5cdc0dee30fa9f5e03106d83f6acbcf66276289ddda3416326783f5681389d598726ce0092ce8078fcdcc5

Download Submit
C:\Windows\SysWOW64\Egebjmdn.exe

Filesize
350KB

MD5
f829f12763e953e6bb55969ec64260e4

SHA1
64a011fd9deaf3b943ab04a45ce611c2d5fbaca2

SHA256
67344725bf52b230e6cbc644a237be2cf844aaf6ff82a322f13a3960c5a99b6f

SHA512
7459d8b153e1cf6e5f488b193c4d9c36e0781ace93931cc53f09f9305c24a3a3cfdf1608cf6153807e53106f6ef9c2c40e3de3b56cce0fa0069ed3f5a0c59bb0

Download Submit
C:\Windows\SysWOW64\Egpena32.exe

Filesize
350KB

MD5
52ef05cbce99c968bf94cce1a58dcbe6

SHA1
a72038c59af723da6571f3c06496f5ef315dced9

SHA256
abf690bec8c96bbb99bf971392912d4e7b1846fcbbfe38f218a943851cb05551

SHA512
684df7cf7e590949bf81be12bb2d6705d9bbdc1ea8d964f27c140f3682c66adee48637396ca073f24868d33bfa0ec6fba9602f0965b9c97b6ad02a2b2f2c0c29

Download Submit
C:\Windows\SysWOW64\Ekghcq32.exe

Filesize
350KB

MD5
a03163b2d783f3abe775e8f7cafbf017

SHA1
98092cd0d3b4dcb05e64ee0e60308ebbd930b402

SHA256
09531f014364d1fde96e6997dc226a73d03456888827ca3d28a63f56348135ee

SHA512
f773b6b77af0f54d9190771eabd44d5f8ec3e37224c96ec0b476d85596ac7baa84bde5bd181a416df50ba39cf40e89dac0209dc6096aef055167d98935ca3dfe

Download Submit
C:\Windows\SysWOW64\Enmnahnm.exe

Filesize
350KB

MD5
9c7bcc938cb281b777b07c1cc1ac3c2b

SHA1
9f8549f0139748ae2c1a931b767a9cd2a45e44b7

SHA256
546c37a26c59b45f0fd2abe0af7af9560fbaba8a05c71a3291c24ad20e38cb32

SHA512
1fb6170cabf79f2aea59e16b76a4a52fa4f47029ec5d4bdd0ec3ab75fc54dbc242330a10f418ac1da20e2f4f6ad754a3d2142a7fc48e7492d086521f1c526c84

Download Submit
C:\Windows\SysWOW64\Epeajo32.exe

Filesize
350KB

MD5
90babb1e5644b8ca93a2480da486512a

SHA1
0ff68f08e7b068cc240796be0a76d275725d703d

SHA256
cbf0baef4e4c7652039bac9c1dd3efa2d4260a3b097b1717c1b856548ef9e8c1

SHA512
1c969068bf0ba3abb3c63a3f6bcc24dfee54f61b9a497c3a76341ceb825d143b2d593ec8689f71fdd2e1d781b3fa70b69697a7cef666b483951ab551506c9f4f

Download Submit
C:\Windows\SysWOW64\Epnkip32.exe

Filesize
350KB

MD5
5c53c74e8d5c31b4031f92a7529a6379

SHA1
4b01e2b4fe0bbdf772d0446e88009017e0ef496a

SHA256
4d322cca4eabb693966330fe79144ab680d125d5407c4432fedf04196a8632d8

SHA512
6e2328a80d6fb0067ed0b069cbd81c6aaf57639230f02ae1cc56e0f689747bb37aff05c36f1ee3f811d7261474d24bc3737f941d27bcde5d4a34a3e4ed301747

Download Submit
C:\Windows\SysWOW64\Faijggao.exe

Filesize
350KB

MD5
d0f614b83dc9266c276804411b54f1ff

SHA1
426ac7020e9727e6b79538edc028a7cc51102f69

SHA256
8319a05de45b5271b3aa991b3a96888a7506e783c621b57b5a5c2cc251aede1e

SHA512
c04b61a3f99640c7f76cbffd62e74db98b74cc92a3ac055ee3f47fdffbcc6218205bd0d70b57418a1277432a45345f1c4f65b941177fa5bbb560c0a76f7e01cf

Download Submit
C:\Windows\SysWOW64\Fipbhd32.exe

Filesize
350KB

MD5
d9d49573a643f5d692656f0fe5c01be7

SHA1
fa21291aa14afdc529fd1b2aa0ef4c22292dfce1

SHA256
542fa550bb5bad8975201e33b1854b7f983d07366e1491274d6f9d3c2d1ff1d7

SHA512
17acdccbf738183816d7e4e7ef0549d8914746ca125c2f76bdeb19c1d551a48e53cd9cfdf1af8e18621e6f899972de4bb69c76ba210b9e465c2bc9310fa1bf6c

Download Submit
C:\Windows\SysWOW64\Flnndp32.exe

Filesize
350KB

MD5
be8258161cb7a68a53512577d0e9213f

SHA1
cebcc972380278076f747ea87290f6d73449ef70

SHA256
1c460a183ce3abc1b46b114f4bbfb519cbc8579f5c43620e834631163ae978c8

SHA512
9c0018fa02e3521ea5cc322cf003e1369d64ce595f6633be416aa10d0da80e692ccd7254aed7610713665f17b07f331aff3b89717119fed12027e49fd35b0e45

Download Submit
\Windows\SysWOW64\Bdfahaaa.exe

Filesize
350KB

MD5
6a3d5a21d0acdd1c4c8bd7677e55f7c5

SHA1
ec2398fe059255cbee1b946f8708c259c4b35df7

SHA256
2a5e4e12d2cf8cb7a99af45d42217c6af3654e56595540d01fc9d47f505622e7

SHA512
3fa2f63b8b8f10c74234c19e5333b07061ed98ea965ca1af553ad7ff71c65c88eb1a03dec89aa5e32e0177c1497c5117fbd767a871f3c3a4b821ead9a7e670ef

Download Submit
\Windows\SysWOW64\Bkcfjk32.exe

Filesize
350KB

MD5
bfe3de7a34243e90111818b07a3e5024

SHA1
ca795d1e0ebb2b3529a75f21cac82bd506f65f9b

SHA256
5e4f3fdd88baab7ed54458c1441da2c2615dae80a2ee6b1d0df1da4a7ac18129

SHA512
053b8d5efe6612dd3132131469efa2bf01fbd22b372d302beb01efa86cadeff850109c6acc4788f021fa853701174ab5b77a9b1961f577d75ea413f40f6aeb6c

Download Submit
\Windows\SysWOW64\Bojipjcj.exe

Filesize
350KB

MD5
053f6acd2e193cc4acfa240c21a385b8

SHA1
38f45a6b71ae2e8aecb8acf4e2ba9e9ad866b548

SHA256
74aaed23ed7d94464e105f493c407731fe0785d7753ffd231ff8bb6de6c688c6

SHA512
3a43072705471e5c1bde1d286be90d33e80e142e4c7a67c4d03ad7877a5a0f2cb6c064250527ec151fdafb714c47cc18aa8f9cede97eb99ca29d19d0213ee5fb

Download Submit
\Windows\SysWOW64\Cdngip32.exe

Filesize
350KB

MD5
078daf07af4f1b0de9419eaf48fe5508

SHA1
1cd3f5cc0a68f777d3e0993ae5cf2696db68c3b1

SHA256
82d00ad359ab0be75813dd31235d32e7cad6a3d59540a500c5bc22b82bbb20fc

SHA512
822124224de00eaed5c0b46413e1b0aa3c8a79859b18a9296f8716991d92153056b82935811d7ca8c2af3fb25b2149cc658b70e01444d5436354cd630881e417

Download Submit
\Windows\SysWOW64\Cgjgol32.exe

Filesize
350KB

MD5
f79e6361c7f0e4506e1f9351d9671339

SHA1
cd89029753606aafd9f934db013aab21e869d465

SHA256
a84cd03b07bdf07779b155ff098405002ef076b0100462e845cd371dbc531f08

SHA512
3b720fee88144689198c0261f11bf9a06763cae9406711ee3d0d27034402d73e97d36cdec0a3c473f7f5b38ad957ed8e5b78790793c3bf3dc2571a3ad64ae1cf

Download Submit
\Windows\SysWOW64\Cgnpjkhj.exe

Filesize
350KB

MD5
b3c3469f48c56180ebf5388bd1f059e7

SHA1
7f0ccb07b1d4a843b91a546570750f3f56289722

SHA256
e35ddca83f6259acc83f054e3718fd5d19b79367f4815ed39b529c5b7054a077

SHA512
6fd78e3d8d7efbc8e184c3de2e38128fff2c2fa95ef34b2463962b9d548ad970f67c43b6781c40dadb2b075369d8ddf99683c2622d10a64f9aff701fc9141b11

Download Submit
\Windows\SysWOW64\Cjoilfek.exe

Filesize
350KB

MD5
cdc416ddbf6a06b3ef88687a7c709981

SHA1
11ab74f622491c2949cf4678e98c44958eee545a

SHA256
b835fe3ea1a2e8cc66faa46521de772d6e135ce7d58a7c5bf83efbe52ca813a7

SHA512
c21ad6d023f484b45d738626fc065142001d65f4565a13a250a75e25d04730ea0a1be3954b7d002d49f806047adef3dcb046dc82eef9a8dd872bd806a3d31988

Download Submit
\Windows\SysWOW64\Clnehado.exe

Filesize
350KB

MD5
a917cb9c53b93be7624d49b1e0e44ecd

SHA1
cd8804460f86387ed0ce01e454bf065932ff9f60

SHA256
b4a93536d5b002ae76e7f56f91e05289f163d79fd8112ddbfa603f7014c67941

SHA512
f2c8f8cba87afffe34a4efb0b5c81454bf75f6125c4ee4e04b7b44f5bdfa24a37183b3af96a35b74e8e4cc83c1180890a94d7f6f6d8c5411a6bf0b899e5bf90c

Download Submit
\Windows\SysWOW64\Dfhgggim.exe

Filesize
350KB

MD5
9a2e15e93cc9bdadb52e886aca17ddf6

SHA1
0ba84ead2d2f79c6318e634c655ea928ff91ad85

SHA256
2c16bd2aa41f4cac2d64345714361fa733bb1ed85c55e54664d53ff0a6a629b9

SHA512
3b58af278ecbc602da8b46816751c19efa8f506a6f98e4f6222a27e584ff4105376d4f4f8c36a28f44d12f353c0fafc566fffb78551abf76de7e0aaa7677a3c8

Download Submit
\Windows\SysWOW64\Dlpbna32.exe

Filesize
350KB

MD5
c4ca7e9522d16429c4775e5936bca192

SHA1
01f8cf6c31348c40dee80e1bf1331885bdba6383

SHA256
9b0cccb611339d9f35c4fc4261fa686fd41f4c8542fa2b7103b607e5b0de1724

SHA512
8edb8312835219b08fe8e147143504471b95dc99e8f1edd37629ec8d015d5a2eafefd2a945710e76f8c8e0515f65f1d21dcc70d15b9561cc6ac793137767b437

Download Submit
\Windows\SysWOW64\Doqkpl32.exe

Filesize
350KB

MD5
9ff6c36e5487ad02a5847847a88b7071

SHA1
cc258472e275dd872bb4718f4e8fcc23f70e866f

SHA256
8eb434b0c7138cdaead33f24e6971ce529db5a415c656b1be841e1d1de51315b

SHA512
af8f028f5f82d57416789dbe309f51267a48d4aacf4f011749bf45b708e7352eee1636b4a8836eb00f74404d3a96fb76aaddf80022c9a80937f35cc67157d1f5

Download Submit
\Windows\SysWOW64\Dqddmd32.exe

Filesize
350KB

MD5
60c5964a3e5e3c69e46037c37ba74a64

SHA1
5735b4c363bb5db82d9a518c3d32a8dcc4e08fb6

SHA256
a5631f2785fbfad1e1b3ada966895da930b04889f817d714ef0356908cb7cad3

SHA512
dd6edfc04606cae6b32fe4b09353e553cb09cee10053bb3542373ac9ea03993119f089ede6d8474f45578ddf959627c1ad669430472576bb094cea1110aeac46

Download Submit
memory/264-224-0x0000000000460000-0x00000000004B9000-memory.dmp

Filesize
356KB

Download
memory/264-501-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/264-220-0x0000000000460000-0x00000000004B9000-memory.dmp

Filesize
356KB

Download
memory/264-213-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/480-203-0x0000000000290000-0x00000000002E9000-memory.dmp

Filesize
356KB

Download
memory/480-487-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/480-196-0x0000000000290000-0x00000000002E9000-memory.dmp

Filesize
356KB

Download
memory/480-195-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/648-274-0x00000000002F0000-0x0000000000349000-memory.dmp

Filesize
356KB

Download
memory/648-270-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/648-275-0x00000000002F0000-0x0000000000349000-memory.dmp

Filesize
356KB

Download
memory/648-511-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1064-288-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1064-515-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1064-297-0x0000000000320000-0x0000000000379000-memory.dmp

Filesize
356KB

Download
memory/1064-298-0x0000000000320000-0x0000000000379000-memory.dmp

Filesize
356KB

Download
memory/1088-117-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1088-477-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1088-129-0x0000000000250000-0x00000000002A9000-memory.dmp

Filesize
356KB

Download
memory/1520-307-0x0000000000290000-0x00000000002E9000-memory.dmp

Filesize
356KB

Download
memory/1520-517-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1568-91-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1568-99-0x00000000004D0000-0x0000000000529000-memory.dmp

Filesize
356KB

Download
memory/1568-473-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1612-328-0x00000000002B0000-0x0000000000309000-memory.dmp

Filesize
356KB

Download
memory/1612-521-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1612-319-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1628-225-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1628-503-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1628-235-0x0000000000280000-0x00000000002D9000-memory.dmp

Filesize
356KB

Download
memory/1628-234-0x0000000000280000-0x00000000002D9000-memory.dmp

Filesize
356KB

Download
memory/1716-505-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1716-236-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1716-248-0x0000000000250000-0x00000000002A9000-memory.dmp

Filesize
356KB

Download
memory/1908-475-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1940-507-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1940-254-0x0000000000290000-0x00000000002E9000-memory.dmp

Filesize
356KB

Download
memory/2072-373-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2072-531-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2128-13-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2128-450-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2208-481-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2208-143-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2208-151-0x0000000000250000-0x00000000002A9000-memory.dmp

Filesize
356KB

Download
memory/2224-467-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2244-197-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2244-499-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2244-206-0x00000000002F0000-0x0000000000349000-memory.dmp

Filesize
356KB

Download
memory/2244-209-0x00000000002F0000-0x0000000000349000-memory.dmp

Filesize
356KB

Download
memory/2280-317-0x00000000005F0000-0x0000000000649000-memory.dmp

Filesize
356KB

Download
memory/2280-519-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2280-318-0x00000000005F0000-0x0000000000649000-memory.dmp

Filesize
356KB

Download
memory/2280-308-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2304-286-0x0000000000250000-0x00000000002A9000-memory.dmp

Filesize
356KB

Download
memory/2304-513-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2304-277-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2304-287-0x0000000000250000-0x00000000002A9000-memory.dmp

Filesize
356KB

Download
memory/2324-471-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2348-479-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2364-11-0x0000000000250000-0x00000000002A9000-memory.dmp

Filesize
356KB

Download
memory/2364-380-0x0000000000250000-0x00000000002A9000-memory.dmp

Filesize
356KB

Download
memory/2364-379-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2364-0-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2364-448-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2584-77-0x0000000000250000-0x00000000002A9000-memory.dmp

Filesize
356KB

Download
memory/2584-469-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2584-65-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2636-267-0x0000000000250000-0x00000000002A9000-memory.dmp

Filesize
356KB

Download
memory/2636-509-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2636-255-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2636-264-0x0000000000250000-0x00000000002A9000-memory.dmp

Filesize
356KB

Download
memory/2664-369-0x0000000000250000-0x00000000002A9000-memory.dmp

Filesize
356KB

Download
memory/2664-529-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2664-368-0x0000000000250000-0x00000000002A9000-memory.dmp

Filesize
356KB

Download
memory/2664-362-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2704-452-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2704-38-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2780-347-0x00000000004D0000-0x0000000000529000-memory.dmp

Filesize
356KB

Download
memory/2780-525-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2812-357-0x00000000002D0000-0x0000000000329000-memory.dmp

Filesize
356KB

Download
memory/2812-527-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2812-358-0x00000000002D0000-0x0000000000329000-memory.dmp

Filesize
356KB

Download
memory/2812-348-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2816-180-0x0000000000250000-0x00000000002A9000-memory.dmp

Filesize
356KB

Download
memory/2816-181-0x0000000000250000-0x00000000002A9000-memory.dmp

Filesize
356KB

Download
memory/2816-485-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2884-483-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2944-381-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2988-459-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2988-40-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2988-47-0x0000000000460000-0x00000000004B9000-memory.dmp

Filesize
356KB

Download
memory/2988-382-0x0000000000460000-0x00000000004B9000-memory.dmp

Filesize
356KB

Download
memory/2996-329-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2996-523-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2996-338-0x0000000000290000-0x00000000002E9000-memory.dmp

Filesize
356KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads