9f875b1148c1ff423fa84163fd3e4a75f23b2bf993ef5f586875311e781a25fd

Analysis

max time kernel
95s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
02-08-2024 02:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f875b1148c1ff423fa84163fd3e4a75f23b2bf993ef5f586875311e781a25fd.exe
Size

55KB
MD5

e05bdede102ed6722155767d08bfc1f9
SHA1

df84e0816a7a61163df3cd1503bbef79dbb8a561
SHA256

9f875b1148c1ff423fa84163fd3e4a75f23b2bf993ef5f586875311e781a25fd
SHA512

ff5f094cad30e7d85b3283f8d5998e8ff68febd3d985f82ed9f6ba468c53275445b4cc68363a5659e51c058650c6c66edcdaffbbecf39c37d8ce0ed5198b0eff
SSDEEP

1536:VuJixb4IqT7ZEUtDjHBQzQQqc0/zTT3lx2LC:sYB4IqT7ZpBQ/q3/z8C

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	9f875b1148c1ff423fa84163fd3e4a75f23b2bf993ef5f586875311e781a25fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe

Executes dropped EXE 45 IoCs

pid	Process
3716	Aadifclh.exe
2920	Accfbokl.exe
3312	Bjmnoi32.exe
4316	Bmkjkd32.exe
5032	Bganhm32.exe
1580	Bnkgeg32.exe
1140	Baicac32.exe
4812	Bchomn32.exe
1076	Bffkij32.exe
4452	Bnmcjg32.exe
2916	Bcjlcn32.exe
116	Bjddphlq.exe
3492	Bmbplc32.exe
3064	Banllbdn.exe
540	Bhhdil32.exe
1000	Bjfaeh32.exe
3608	Bmemac32.exe
2296	Belebq32.exe
4260	Chjaol32.exe
3332	Cjinkg32.exe
468	Cmgjgcgo.exe
1960	Cenahpha.exe
2028	Chmndlge.exe
1708	Cjkjpgfi.exe
1624	Cnffqf32.exe
5016	Ceqnmpfo.exe
2700	Chokikeb.exe
4420	Cjmgfgdf.exe
5056	Cmlcbbcj.exe
3324	Ceckcp32.exe
4784	Cjpckf32.exe
1208	Cmnpgb32.exe
5084	Ceehho32.exe
2016	Chcddk32.exe
4276	Cffdpghg.exe
2092	Cnnlaehj.exe
752	Calhnpgn.exe
2228	Cegdnopg.exe
4352	Djdmffnn.exe
2880	Dopigd32.exe
4760	Danecp32.exe
3104	Ddmaok32.exe
2504	Dfknkg32.exe
4412	Dobfld32.exe
372	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jjjald32.dll	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Aadifclh.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Bmkjkd32.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bganhm32.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bnkgeg32.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Bnkgeg32.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Ooojbbid.dll	9f875b1148c1ff423fa84163fd3e4a75f23b2bf993ef5f586875311e781a25fd.exe
File created	C:\Windows\SysWOW64\Bcjlcn32.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Bneljh32.dll	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Aadifclh.exe	9f875b1148c1ff423fa84163fd3e4a75f23b2bf993ef5f586875311e781a25fd.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Aadifclh.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2788	372	WerFault.exe	130

System Location Discovery: System Language Discovery 1 TTPs 46 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9f875b1148c1ff423fa84163fd3e4a75f23b2bf993ef5f586875311e781a25fd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooojbbid.dll"	9f875b1148c1ff423fa84163fd3e4a75f23b2bf993ef5f586875311e781a25fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjdjk32.dll"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	9f875b1148c1ff423fa84163fd3e4a75f23b2bf993ef5f586875311e781a25fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	9f875b1148c1ff423fa84163fd3e4a75f23b2bf993ef5f586875311e781a25fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bchomn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbejge32.dll"	Baicac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	9f875b1148c1ff423fa84163fd3e4a75f23b2bf993ef5f586875311e781a25fd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	9f875b1148c1ff423fa84163fd3e4a75f23b2bf993ef5f586875311e781a25fd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmkjkd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 3716	1348	9f875b1148c1ff423fa84163fd3e4a75f23b2bf993ef5f586875311e781a25fd.exe	85
PID 1348 wrote to memory of 3716	1348	9f875b1148c1ff423fa84163fd3e4a75f23b2bf993ef5f586875311e781a25fd.exe	85
PID 1348 wrote to memory of 3716	1348	9f875b1148c1ff423fa84163fd3e4a75f23b2bf993ef5f586875311e781a25fd.exe	85
PID 3716 wrote to memory of 2920	3716	Aadifclh.exe	86
PID 3716 wrote to memory of 2920	3716	Aadifclh.exe	86
PID 3716 wrote to memory of 2920	3716	Aadifclh.exe	86
PID 2920 wrote to memory of 3312	2920	Accfbokl.exe	87
PID 2920 wrote to memory of 3312	2920	Accfbokl.exe	87
PID 2920 wrote to memory of 3312	2920	Accfbokl.exe	87
PID 3312 wrote to memory of 4316	3312	Bjmnoi32.exe	88
PID 3312 wrote to memory of 4316	3312	Bjmnoi32.exe	88
PID 3312 wrote to memory of 4316	3312	Bjmnoi32.exe	88
PID 4316 wrote to memory of 5032	4316	Bmkjkd32.exe	89
PID 4316 wrote to memory of 5032	4316	Bmkjkd32.exe	89
PID 4316 wrote to memory of 5032	4316	Bmkjkd32.exe	89
PID 5032 wrote to memory of 1580	5032	Bganhm32.exe	90
PID 5032 wrote to memory of 1580	5032	Bganhm32.exe	90
PID 5032 wrote to memory of 1580	5032	Bganhm32.exe	90
PID 1580 wrote to memory of 1140	1580	Bnkgeg32.exe	91
PID 1580 wrote to memory of 1140	1580	Bnkgeg32.exe	91
PID 1580 wrote to memory of 1140	1580	Bnkgeg32.exe	91
PID 1140 wrote to memory of 4812	1140	Baicac32.exe	92
PID 1140 wrote to memory of 4812	1140	Baicac32.exe	92
PID 1140 wrote to memory of 4812	1140	Baicac32.exe	92
PID 4812 wrote to memory of 1076	4812	Bchomn32.exe	93
PID 4812 wrote to memory of 1076	4812	Bchomn32.exe	93
PID 4812 wrote to memory of 1076	4812	Bchomn32.exe	93
PID 1076 wrote to memory of 4452	1076	Bffkij32.exe	94
PID 1076 wrote to memory of 4452	1076	Bffkij32.exe	94
PID 1076 wrote to memory of 4452	1076	Bffkij32.exe	94
PID 4452 wrote to memory of 2916	4452	Bnmcjg32.exe	96
PID 4452 wrote to memory of 2916	4452	Bnmcjg32.exe	96
PID 4452 wrote to memory of 2916	4452	Bnmcjg32.exe	96
PID 2916 wrote to memory of 116	2916	Bcjlcn32.exe	97
PID 2916 wrote to memory of 116	2916	Bcjlcn32.exe	97
PID 2916 wrote to memory of 116	2916	Bcjlcn32.exe	97
PID 116 wrote to memory of 3492	116	Bjddphlq.exe	98
PID 116 wrote to memory of 3492	116	Bjddphlq.exe	98
PID 116 wrote to memory of 3492	116	Bjddphlq.exe	98
PID 3492 wrote to memory of 3064	3492	Bmbplc32.exe	99
PID 3492 wrote to memory of 3064	3492	Bmbplc32.exe	99
PID 3492 wrote to memory of 3064	3492	Bmbplc32.exe	99
PID 3064 wrote to memory of 540	3064	Banllbdn.exe	100
PID 3064 wrote to memory of 540	3064	Banllbdn.exe	100
PID 3064 wrote to memory of 540	3064	Banllbdn.exe	100
PID 540 wrote to memory of 1000	540	Bhhdil32.exe	101
PID 540 wrote to memory of 1000	540	Bhhdil32.exe	101
PID 540 wrote to memory of 1000	540	Bhhdil32.exe	101
PID 1000 wrote to memory of 3608	1000	Bjfaeh32.exe	102
PID 1000 wrote to memory of 3608	1000	Bjfaeh32.exe	102
PID 1000 wrote to memory of 3608	1000	Bjfaeh32.exe	102
PID 3608 wrote to memory of 2296	3608	Bmemac32.exe	103
PID 3608 wrote to memory of 2296	3608	Bmemac32.exe	103
PID 3608 wrote to memory of 2296	3608	Bmemac32.exe	103
PID 2296 wrote to memory of 4260	2296	Belebq32.exe	104
PID 2296 wrote to memory of 4260	2296	Belebq32.exe	104
PID 2296 wrote to memory of 4260	2296	Belebq32.exe	104
PID 4260 wrote to memory of 3332	4260	Chjaol32.exe	105
PID 4260 wrote to memory of 3332	4260	Chjaol32.exe	105
PID 4260 wrote to memory of 3332	4260	Chjaol32.exe	105
PID 3332 wrote to memory of 468	3332	Cjinkg32.exe	106
PID 3332 wrote to memory of 468	3332	Cjinkg32.exe	106
PID 3332 wrote to memory of 468	3332	Cjinkg32.exe	106
PID 468 wrote to memory of 1960	468	Cmgjgcgo.exe	107

C:\Users\Admin\AppData\Local\Temp\9f875b1148c1ff423fa84163fd3e4a75f23b2bf993ef5f586875311e781a25fd.exe
"C:\Users\Admin\AppData\Local\Temp\9f875b1148c1ff423fa84163fd3e4a75f23b2bf993ef5f586875311e781a25fd.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Windows\SysWOW64\Aadifclh.exe
  C:\Windows\system32\Aadifclh.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3716
- - C:\Windows\SysWOW64\Accfbokl.exe
    C:\Windows\system32\Accfbokl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Windows\SysWOW64\Bjmnoi32.exe
      C:\Windows\system32\Bjmnoi32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3312
    - - C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4316
      - C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1140
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4812
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3492
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1000
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3608
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4260
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3332
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:468
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5016
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2700
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3324
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4784
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1208
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4276
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:752
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2228
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2880
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2504
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:372
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 372 -s 224
        47⤵
        Program crash
        
        PID:2788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 372 -ip 372
1⤵
PID:4864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadifclh.exe

Filesize
55KB

MD5
eddb33b78915e71c545fbbdc8d3d37a2

SHA1
5c855a1bf7daa36845117f246735356f30bc76a5

SHA256
acdafdaaba58372b78a3379bb0805ce5ebb643fa810e805828ea2361aaf65e66

SHA512
f796c0f48bc285e72b16ee645aa27053bef8c35740d9ef612c6014dc5ecf8c7f0fa9e124152519305dc35b370bc77921232cbb56f6adb2be169926be611d7f17

Download Submit
C:\Windows\SysWOW64\Accfbokl.exe

Filesize
55KB

MD5
adffa63096e456abfce83756ed4eebc7

SHA1
786afeb088ffbae7a914d44d9347366de4e24f1f

SHA256
1b57194d5ffbf274755482a730eda7cde4ba77b7dc37db8f35f625891e2373eb

SHA512
26a737acebc8e6519bf8bb18cec9ded1f4984b2d776631c6a0e78ab6c08e036d88a61e82504f8a2b9e413ff44ae8150e954afaada211b054bee8224f237bdba1

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
55KB

MD5
746adb3a9f786d54b9526ee7dc5a47fc

SHA1
573b999ef975b6d92b74152eea8ab87d900aa2b5

SHA256
f42792b6139daf67637b2bc296e9bcc0251235e37832b7410cc0a2ee3847090f

SHA512
5afb537147d6b2209b4f66317b894264bd61048baa238454b19134e5936faeb463f706e4ede27d04c318f32a3f2fb27a6a1b82d74a0aacd7ec99e689606bd430

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
55KB

MD5
9a311db62e6224f68715e9b8759f3da6

SHA1
2f55550cb1e74df40c5a00f42e78f7ac4b2c7c28

SHA256
8801bf6c6b9d34280dbff2f390ccf7be5333d3207a637ee08311eb783d47968a

SHA512
344c0e112ef5ec83bf5b9fe0b2f3c4a5d6ee79fef8f13658eed72481ecaddce3bd84195f235b4829f6357a402fb3b77d4bca1bf803c3a238db3375f4c3b95356

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
55KB

MD5
fa55ad74d0f1fc828f6df7a618f91c0a

SHA1
e3ff54c37e8530778cfc0a8c6d4f5dc7db768ded

SHA256
e5829526c7b6be01646f62056906ad6199644b7b63bc143e23a97806cb55cc6f

SHA512
1ae0d1f26a3dde4619056d23c1a263e930e4e5f3842ba24d93a8d80515317131e26a7dae01b6649017032b8c4cede30fabbb09616bdd63083083baa5aafed891

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
55KB

MD5
7c01455b77c689dce70297602cef254f

SHA1
a5c6b6be5402a836bf324fda7d68ffa160878511

SHA256
88dc647d256005f33d1c20b45aed107dcb61d96ff42235bd3eb4de7b93808669

SHA512
b1e0d9a07b8d17e3d88c52d685dc8b7c46f37bd01d737d405b72c4dbd9e2c499452d62ce3803ef9f54d89b5b354d9b69d54c1e4fde63d43622f623b984e75c11

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
55KB

MD5
e6335be16b7d127ea925b7fa7cc9f04c

SHA1
13a1da7dce1820e154cd9b814293499db902627b

SHA256
f2260aa0e30e4e1e9dd8d3ad3e8da3dbc6b77329babbf183b582fb0c7e03364a

SHA512
46b92d50db6844321804a93661021357fe8a16612d71744810fed8127bd6d3adbe5bc1cf3c2903d67e257eb43b83c0465aca144611ba9169a4026dd94dbfdc71

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
55KB

MD5
933f01f9af279aef93f6f1310a341896

SHA1
accf518745c4a7111fa9eccfa51bbab6a9f05931

SHA256
f3dc287c77fba7846c74bc92201d1b50142227bee4bb274145ee1ebd884a0b30

SHA512
3af0a9dc7ed682fd0a9725e084694cc14f81a279525bc64e3b01b40aba0ce8419f1b1e0288a0dd5a6207a4b5f5771174b374917f093befb1805963b490fa1631

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
55KB

MD5
056f8ab048595d46ac89673061c79656

SHA1
27d3c7fc8eb5532d0e500faf1eef809aff270414

SHA256
e1de3a27e27d52926aa79f13db863ef585b386cbb9f5c9a256d9ff03fb41def0

SHA512
fa6c9c0b892fc0234c36fcfefceba2e35006e44f9cfcb660708a68f105d95ccf95cdbabf2dc4019e4be8a865551f8b1472ae88d31e9f358b75330089c54ab276

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
55KB

MD5
fd163691fcd02f90d8cc64fa406c6593

SHA1
2ca542b72cc31624207a4dad3b679f91db95871f

SHA256
f0e73205783357f3548fbad5c1b5b1e1580b3bf6af7bbc7e8fe423685d25ead7

SHA512
e90e8800a4f38900d977f7cb8eee0d4c9a2fd7d59d63573f9dacfb418733c44edc4c86c895d663c0205675fd9e7a2f81e88841c34631fa821f6079dfa7ad4a95

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
55KB

MD5
e628aac4872741e4ecbf42c4a5dc9dd1

SHA1
1a9568f16bee11f9423db4e5a65c31e3d7292d5a

SHA256
f7c68a9d945533a021f091d10e9379b5de42851d04dccc4bb46def378f23a313

SHA512
8086bb99e6325406da0d7b4b0ba497e007827267a9d76fe4895b3c505af4750e6fcc70800bf2ad6fcfbf06325e726e4d93374a1a52740b1d139e3500b06ca3da

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
55KB

MD5
bb148977266e7f282f38356632e9e1d4

SHA1
120cb898f1ad1310d47c6e216dfb17f30d19eedc

SHA256
dc26fa1f8ab69673bd12e193f5580411682c73ad5a3521dc9f43bf95b1e48083

SHA512
53c5e577e1490780b585babbafb72657f10494a0411a99173e2742ceaf9a579a598a92018222dbb5303302a35da76d82d534bf0b7a63a490d853798fd5010c3a

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
55KB

MD5
75fca7f64d5a4627d2f7a33c80120d19

SHA1
1d36799d5adc8b40c1e15e3f790ca6c906f06d91

SHA256
35d96e1bd1a8ce0ec1620be5a4cf7af4cc8f9ffbd93626bcbb36f53774903aed

SHA512
02d4da7d5578f029416f4fd5ab9fff7d558f3b5e5a01fa61a784547b8333a9df3dd2b0462b6e587915a1c54485220aa06192f3fee82c050045cb246c453ff869

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
55KB

MD5
22e2e89f52ca48494e2783ed09f9688c

SHA1
d7cee416a4e7e648cbb749780115297f39dd7789

SHA256
25dc737fe91a75c45ec4f5d541665bdd1a4bd8d848285aeee3965fc7c5240dc2

SHA512
85cb661dc92c4c8abb57867fff6f322428e3be3d247f6dd4592a4603e44268239184ef3394235c51fe30581e2da7912536c0db33f446d3e09ae8eaa5a23250b4

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
55KB

MD5
707dbfa183902652e18d89529e118f1d

SHA1
34b5912a5dd4cf2224bf496df090d4b7baedc46d

SHA256
037e78e5f1ef5fb0f61f7503eba651432dc0992c920dd434ae4eda5b80323b25

SHA512
6a2fe040433f833d638719787b31e6b7b662e6b34ffc42cea888e25afa6acc4f2c2cc7144e455da9390649b169071c5e0949a8ec64a5c6baa60ece078eb7837c

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
55KB

MD5
d6207ae458525030cffd89fc386a5f5a

SHA1
5d0fa2fcf5f638c7131ae6e93a948b6171958bd9

SHA256
16591f5b3056e21c1daf1fb0205bc79f31cccd4ff9a33eee48f42778270bb345

SHA512
81d11d57815f1465b024d3561f37eca3e792500691f66d077294139b78358b1342b6bdc5a06b8dbaf47f1fd739f5c606ba8138d5f6a0140c87210a963890d52e

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
55KB

MD5
7b765c6f543ae06a1a2efd4d5efac396

SHA1
37151f5ef6d2fdb7951ab1bc643f64b386804b12

SHA256
cf31e53b12f8d0ff68d61c1af349f2b9f9648d34bdbb786cf36d531d61f5db39

SHA512
6d4994c172d13ed4483a226d598186637bc60b403450b7eb8985dd3dfb990763dbc3823328fcfda70d034cee5c5f20d06bb2e717bff78fe672da7f4c78cea219

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
55KB

MD5
069a76c4c1a62395e6433d78b7644b2b

SHA1
c72d28cd1837607b896b609cda1b52466282ce3b

SHA256
09cd8a865b92047d2b5e8191c494907e1f97acd551f05c13f2dcf77dc0fa14ea

SHA512
99502024ada372b83c133b90d48708f58edb41cb22d9ef0ee007e8ccbd692a3299ad7d04cf28737048681967126e3508ec1d9c149f7321f468a7e212f745a147

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
55KB

MD5
8ac99eb247e317c2238955b3e9d790fa

SHA1
09be17113bee6e17ce058fdbff810dd825d4c53f

SHA256
46ae9d186361f2da3fc982fd3e85e389712493cb75086c5c6e7a4a9d12b19b83

SHA512
42106c6e11815ae13fb870258c38e82f6569513afbcfa1cb1d8dd381afd35ed5a82cca1aeb4ef1cca74459fe88d6ad1485d7b2a8a8e8aa92a1348aa562ea9865

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
55KB

MD5
93b8050d88a669644339d16c9cc23436

SHA1
f9716acdc0adbeb42f2c8c639082549de62a73ac

SHA256
789cdaa8241ba389151f9344efe70875b1fe1377970b0cdeb2f29e577cd64ed4

SHA512
521b4e75330c26c791e2fcadae8a8052b2ed63dbac4a308e6771be9731a80b3ef63f6b857edbb25f8c77d341414999ff5b3a410e221c85458ff211ee96e0ff87

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
55KB

MD5
b3f88f7e0afd199a61dfda2438755e17

SHA1
c942d0b6b65adef7365bec38e7fef571e5f5bdf3

SHA256
b342b096043109f0d7ecfa18e0f47dcdfec622b1b93fc417ebf828e4d2192fec

SHA512
004205ef85927e0c5799e24ea88793c2d36da647b3a1831a09d0d4c6fe1d159bfc362bddf836010309b2faa6d5b676a9a0f9f320c1e707365c0236c0f8395e76

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
55KB

MD5
7a095959d8cb273de485301946f2f2f0

SHA1
a4b53d27867f776043b3ecf1cb27c269875a5769

SHA256
bd44df202f81e0ea53b482b1ddfb511f869f000dbd440185fa70c69d4fcdf0b5

SHA512
1f55537d1b4face280b0fb1417ac9140347f50e2c56616742977453f1f4a609c95b401a25912c9faba47cef037f12e6d966e28a37c1cb74989e2dd5248d08430

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
55KB

MD5
2a4f3d3bc9e58657ae5843c966b7983e

SHA1
ac8b67238b27e2a873db1eee7d9ad7302ce9a03b

SHA256
8bd41b662ba69da9bab756547acf647914afd1bb67d018770c3a5a1db6bf8e62

SHA512
b5b8fb12a8ca541ead30f37988a74c7a20a70c6768300995cd4fdb2d62b202679c093f2f4ae8f16ce336a1d6cc4739573ff7bf14ff8e77c1031df63e4d4920e5

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
55KB

MD5
5c7ad7dc286778b369d819c33616a321

SHA1
8b9bc0d61dfdf8967968fb68fd06ad2088b15c27

SHA256
73403578cd4f5f952e384766fbf6ba4e65e269556640538ff8e44aa9ac6e7911

SHA512
496ef179bde86004633f831555a36ed3bc9fa64dc4af4fb2375967546a12dfa3369fb3e2be59d206cafb4133a132eca70aafb8b9e5b40c77aa46238963245cb4

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
55KB

MD5
4d060295c39a480727fd231cb8ecbbc3

SHA1
4746d392a3bc7ed1ad21304f7a15411c55243bec

SHA256
c7b1b7e62be307ee045ac31a0ada2b4ddc3eea28640c37b22629f8a312a72e34

SHA512
0c201fbd26a91be3c80e0c7f8642c061cb08c21a47209bcbc9f4a87cb7f05e131d3a658298025cfbe6d077b465263e7f4bcbb04e7acd44bfc3b088e1b212efaf

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
55KB

MD5
6f474a8ff2b25a4a52c71171ef65a339

SHA1
0bdb0078867b122fe289df7c76349e84301fb4e1

SHA256
ee1bd81eaaf9689789d0ca5acffef61406459693c4f4df03d2a2575def611e22

SHA512
b207955150e9f744bc77446fc231cde56d9d67001e6b5e0ef4faa92ee31350195c8aa1d8acf9d95e7e2536b107dd4ce880905b52f9c02f2c6296096bcb5ddd1b

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
55KB

MD5
aa018d612b96d6d0bd8e85adcfe0c945

SHA1
9ee893fa53bf4ab382852eedcd3c3bfea7e716c5

SHA256
c2535ae18918da9b2c438a2c5d86bedef0763c9e237e3b3d939a5414c8fbeb4c

SHA512
4d5708d34b11e45523e5e55df5e5e11d376cc660e08a09e8debe4f530121e38b7133c1e06d9186c3c4e5b7a02490859592b618bbba8f87ae2ff646bb284adf28

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
55KB

MD5
bb4ade75a86f15213967ea4da90ce50a

SHA1
df21f22293a3b5356c09f6de90ccee05b35e4170

SHA256
968f92fd21503cbe6a91a423eeec4fb8e4bd7a3cf52d880476785ff5eeaa412f

SHA512
084301f25ff2625cf126c047fb64c414fe4c9b38cc80f0415354a6b0c91ab942b0067158a89c48ac0bc981c03c57e6d3a51fbfa10b85ae277ffb3bfb1f674bb5

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
55KB

MD5
a176d3e8fffac2da29ff89b8f5e74680

SHA1
4fb28f00234c5f3421e8629ab1567851a97edadd

SHA256
430132685d5605124553ae0ef29efcc257a4de483775e9e5906f5cf7c98510b3

SHA512
5506435e932ceef48af10f924447a1e25c9803f94489e619dd3d4e7a1a90e0581ebfeaa10929585ae0a3bb6f76e26b0321830765e98e4bb28cc772d41cd3af12

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
55KB

MD5
c6277c71c7fe366cd3f577a86c4a1d16

SHA1
52342503ff973a3043605bd2649eef3413a2829b

SHA256
4e56e348e5cc7893174a65f7d6eca6aa693ffb114e5599a5f2a7eee346db9c13

SHA512
a66a281dab7b7113f15433f04961180490158d23c86f7844582ed3c1a99059766a77f42aabca6bf89ad70828d30544bc3cffe1e322e8f9663a08de4c528bc84b

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
55KB

MD5
17bc5923afb90126778726f4f9147dff

SHA1
b66d7379e63434b2c9a5c9314ba077cf5ed1ed30

SHA256
a5da5a503422a5ea21102b41e85659d8d6326190bedd00da790d82dbb768e262

SHA512
4eda4e9530347c39a517be49b5f1c3e1f4d1fa84c95dd9d738e851e41ad49e8ce3d62deae9decaf027539dcf8f0c8bb5ab44c3d5523bbbe13344f1af0b76ac82

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
55KB

MD5
498ba0ae320ec3c6923b573ee2388b4f

SHA1
28b74d0d42965bd5e60c26569a83ecd86fbe5520

SHA256
5ae654c551c2d81ee3bdfd28dfdfa7246c1d4093a867cc25a5476588a0473c13

SHA512
a59d1954d7e3314f837b1c4769683edf02fe5bb9273452c0ba2d71a15e31ae5853a7f1883dd219f1102460160f128bce74a2aa141c1b0fd031c6e56925003788

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
55KB

MD5
048e48132a5a7298ea8746e9918a04a5

SHA1
7f46f2aa4aa4549725b6956775c938c6fadbf2d3

SHA256
b8471f204f732506169d34cce3739d1b52d7299b00e7eec7baa3525be1b1ab07

SHA512
fdf952529ba6f9298fc5ec0beb233528bb6e8b8e05208833f6a2afb324d06017411dc0ca49b57a7b2e3006f8fca38f2991c6dbcbf6e967d0c28633897fc76c08

Download Submit
memory/116-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/116-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/372-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/372-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/468-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/468-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/540-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/540-123-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/752-291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1000-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1000-387-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1076-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1076-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1140-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1140-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1208-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1348-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1348-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1348-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1624-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1624-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1708-197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2016-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2016-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2028-186-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2028-374-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2092-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2092-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2228-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2228-349-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2296-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2504-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2504-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2700-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2700-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2880-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2880-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2916-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2916-397-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2920-415-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2920-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3064-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3064-391-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3104-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3104-344-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3312-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3312-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3324-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3324-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3332-380-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3332-163-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3492-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3492-393-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3608-385-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3608-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3716-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3716-417-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4260-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4260-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4276-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4276-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4316-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4316-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4352-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4352-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4412-338-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4412-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4420-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4420-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4452-399-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4452-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4760-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4784-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4784-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4812-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4812-403-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5016-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5032-409-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5032-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5056-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5056-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5084-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5084-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads