cc22356deed6217d5b7c400cc128ba4d4d36df25b9bb1de054cf35499877b4ac

Analysis

max time kernel
119s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 22:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c367c4c9b65ddc10dbe1443535fdf350N.exe
Size

94KB
MD5

c367c4c9b65ddc10dbe1443535fdf350
SHA1

f9024c47b82ca10eebe9c1f05d56b7aff0f19c4c
SHA256

cc22356deed6217d5b7c400cc128ba4d4d36df25b9bb1de054cf35499877b4ac
SHA512

ec22d8196b56a3952728cc957e84a0e32e0b28693ca5e6c6644b9f96baadee73cbc94d616f707e50cd31fe2bb46bab43f304f55d5fce3ceae623f35cb81a49ef
SSDEEP

1536:Wj0z80osh48iVCaAriLR1We2LTS5DUHRbPa9b6i+sImo71+jqx:k0nh4bVNVl1+TS5DSCopsIm81+jqx

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Albkieqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcnleb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blnjecfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffkhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmifkecb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbhlikpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhofnpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blgddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfabmmhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cemeoh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clijablo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpllbp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ammnhilb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclppboi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfjllnnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cepadh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Debnjgcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dibdeegc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpllbp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aehbmk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcnleb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cefoni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cboibm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dbcbnlcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aehbmk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffkhl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpnpqakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cemeoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmdmpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	c367c4c9b65ddc10dbe1443535fdf350N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bifkcioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bikeni32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbcbnlcl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dedkogqm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c367c4c9b65ddc10dbe1443535fdf350N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Albkieqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bifkcioc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmifkecb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddcogo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amoknh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmimdg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabmmhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddcogo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmkcpdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aioebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmimdg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpgjpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpgjpb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clbdpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apimodmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abgjkpll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbmlmmjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cepadh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbcignbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbcignbo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddekmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cleqfb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmdmpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dbhlikpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amoknh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blgddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blnjecfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cplckbmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbmlmmjd.exe

Executes dropped EXE 42 IoCs

pid	Process
2316	Aioebj32.exe
3712	Apimodmh.exe
4520	Abgjkpll.exe
3548	Ammnhilb.exe
2660	Aehbmk32.exe
3012	Amoknh32.exe
1956	Albkieqj.exe
388	Bfhofnpp.exe
3964	Bifkcioc.exe
2400	Bclppboi.exe
4492	Bfjllnnm.exe
4532	Blgddd32.exe
652	Bcnleb32.exe
2500	Bikeni32.exe
3728	Bbcignbo.exe
2208	Bmimdg32.exe
2280	Bpgjpb32.exe
5024	Bfabmmhe.exe
3060	Blnjecfl.exe
1512	Cefoni32.exe
4720	Cplckbmc.exe
4360	Cffkhl32.exe
1140	Clbdpc32.exe
1448	Cpnpqakp.exe
1972	Cbmlmmjd.exe
3596	Cleqfb32.exe
4180	Cboibm32.exe
4480	Cemeoh32.exe
1656	Cmdmpe32.exe
2464	Cepadh32.exe
3924	Clijablo.exe
2044	Dbcbnlcl.exe
2356	Debnjgcp.exe
320	Dmifkecb.exe
2672	Ddcogo32.exe
3488	Dedkogqm.exe
4432	Dmkcpdao.exe
2876	Ddekmo32.exe
4792	Dbhlikpf.exe
4764	Dibdeegc.exe
1264	Dpllbp32.exe
3212	Dbkhnk32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cboibm32.exe	Cleqfb32.exe
File opened for modification	C:\Windows\SysWOW64\Clijablo.exe	Cepadh32.exe
File created	C:\Windows\SysWOW64\Clbdpc32.exe	Cffkhl32.exe
File created	C:\Windows\SysWOW64\Kqfaoo32.dll	Clbdpc32.exe
File opened for modification	C:\Windows\SysWOW64\Dedkogqm.exe	Ddcogo32.exe
File created	C:\Windows\SysWOW64\Dmkcpdao.exe	Dedkogqm.exe
File created	C:\Windows\SysWOW64\Abgjkpll.exe	Apimodmh.exe
File created	C:\Windows\SysWOW64\Amoknh32.exe	Aehbmk32.exe
File created	C:\Windows\SysWOW64\Gjgmjh32.dll	Blgddd32.exe
File created	C:\Windows\SysWOW64\Naefjl32.dll	Dpllbp32.exe
File created	C:\Windows\SysWOW64\Piifjomf.dll	Bpgjpb32.exe
File opened for modification	C:\Windows\SysWOW64\Cplckbmc.exe	Cefoni32.exe
File created	C:\Windows\SysWOW64\Fqkiecpd.dll	Aioebj32.exe
File created	C:\Windows\SysWOW64\Aehbmk32.exe	Ammnhilb.exe
File created	C:\Windows\SysWOW64\Clijablo.exe	Cepadh32.exe
File created	C:\Windows\SysWOW64\Fbelak32.dll	Cepadh32.exe
File created	C:\Windows\SysWOW64\Jgfdkj32.dll	Ddcogo32.exe
File created	C:\Windows\SysWOW64\Aioebj32.exe	c367c4c9b65ddc10dbe1443535fdf350N.exe
File opened for modification	C:\Windows\SysWOW64\Cepadh32.exe	Cmdmpe32.exe
File opened for modification	C:\Windows\SysWOW64\Cemeoh32.exe	Cboibm32.exe
File created	C:\Windows\SysWOW64\Mdphmfph.dll	Bclppboi.exe
File opened for modification	C:\Windows\SysWOW64\Blgddd32.exe	Bfjllnnm.exe
File created	C:\Windows\SysWOW64\Abbbel32.dll	Debnjgcp.exe
File created	C:\Windows\SysWOW64\Ddcogo32.exe	Dmifkecb.exe
File created	C:\Windows\SysWOW64\Gpgfeb32.dll	Bifkcioc.exe
File created	C:\Windows\SysWOW64\Cmdmpe32.exe	Cemeoh32.exe
File created	C:\Windows\SysWOW64\Dkakfgoq.dll	Clijablo.exe
File created	C:\Windows\SysWOW64\Gpngef32.dll	Dbcbnlcl.exe
File created	C:\Windows\SysWOW64\Bfhofnpp.exe	Albkieqj.exe
File created	C:\Windows\SysWOW64\Lgkkbg32.dll	Blnjecfl.exe
File opened for modification	C:\Windows\SysWOW64\Clbdpc32.exe	Cffkhl32.exe
File opened for modification	C:\Windows\SysWOW64\Cleqfb32.exe	Cbmlmmjd.exe
File opened for modification	C:\Windows\SysWOW64\Bfjllnnm.exe	Bclppboi.exe
File opened for modification	C:\Windows\SysWOW64\Bmimdg32.exe	Bbcignbo.exe
File created	C:\Windows\SysWOW64\Ngllodpm.dll	Cffkhl32.exe
File created	C:\Windows\SysWOW64\Cepadh32.exe	Cmdmpe32.exe
File created	C:\Windows\SysWOW64\Debnjgcp.exe	Dbcbnlcl.exe
File opened for modification	C:\Windows\SysWOW64\Dmkcpdao.exe	Dedkogqm.exe
File opened for modification	C:\Windows\SysWOW64\Bcnleb32.exe	Blgddd32.exe
File created	C:\Windows\SysWOW64\Blnjecfl.exe	Bfabmmhe.exe
File created	C:\Windows\SysWOW64\Mnjellfo.dll	Bcnleb32.exe
File created	C:\Windows\SysWOW64\Cmiikpek.dll	Cboibm32.exe
File created	C:\Windows\SysWOW64\Dbcbnlcl.exe	Clijablo.exe
File created	C:\Windows\SysWOW64\Nffopp32.dll	Dbhlikpf.exe
File opened for modification	C:\Windows\SysWOW64\Apimodmh.exe	Aioebj32.exe
File created	C:\Windows\SysWOW64\Boipkd32.dll	Bfjllnnm.exe
File created	C:\Windows\SysWOW64\Hgfjbh32.dll	Cplckbmc.exe
File created	C:\Windows\SysWOW64\Ddekmo32.exe	Dmkcpdao.exe
File opened for modification	C:\Windows\SysWOW64\Cefoni32.exe	Blnjecfl.exe
File created	C:\Windows\SysWOW64\Dmifkecb.exe	Debnjgcp.exe
File created	C:\Windows\SysWOW64\Mckfmq32.dll	Dibdeegc.exe
File created	C:\Windows\SysWOW64\Bbcignbo.exe	Bikeni32.exe
File opened for modification	C:\Windows\SysWOW64\Blnjecfl.exe	Bfabmmhe.exe
File opened for modification	C:\Windows\SysWOW64\Cffkhl32.exe	Cplckbmc.exe
File created	C:\Windows\SysWOW64\Neiiibnn.dll	Cbmlmmjd.exe
File created	C:\Windows\SysWOW64\Cefnemqj.dll	Abgjkpll.exe
File created	C:\Windows\SysWOW64\Dpllbp32.exe	Dibdeegc.exe
File created	C:\Windows\SysWOW64\Idbgcb32.dll	Dedkogqm.exe
File opened for modification	C:\Windows\SysWOW64\Dibdeegc.exe	Dbhlikpf.exe
File opened for modification	C:\Windows\SysWOW64\Ddcogo32.exe	Dmifkecb.exe
File created	C:\Windows\SysWOW64\Dedkogqm.exe	Ddcogo32.exe
File created	C:\Windows\SysWOW64\Cbmlmmjd.exe	Cpnpqakp.exe
File created	C:\Windows\SysWOW64\Befogbik.dll	Cmdmpe32.exe
File opened for modification	C:\Windows\SysWOW64\Dbhlikpf.exe	Ddekmo32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1888	3212	WerFault.exe	135

System Location Discovery: System Language Discovery 1 TTPs 43 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bifkcioc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfjllnnm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabmmhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blnjecfl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cefoni32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cleqfb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c367c4c9b65ddc10dbe1443535fdf350N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhofnpp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddekmo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blgddd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddcogo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aioebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbmlmmjd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cemeoh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbkhnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apimodmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Albkieqj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbcignbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpgjpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clbdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmdmpe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepadh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmkcpdao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abgjkpll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ammnhilb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbhlikpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dibdeegc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmimdg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clijablo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbcbnlcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmifkecb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dedkogqm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcnleb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bikeni32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffkhl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cboibm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpllbp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amoknh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cplckbmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpnpqakp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Debnjgcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aehbmk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclppboi.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	c367c4c9b65ddc10dbe1443535fdf350N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfabmmhe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cleqfb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddcogo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aehbmk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Albkieqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbcignbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cefoni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cboibm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dibdeegc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dpllbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifgeebem.dll"	Apimodmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abgjkpll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ammnhilb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neiiibnn.dll"	Cbmlmmjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clijablo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dedkogqm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehepld32.dll"	Bbcignbo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfabmmhe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cefoni32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	c367c4c9b65ddc10dbe1443535fdf350N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmimdg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blnjecfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blnjecfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmkcpdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ioeiam32.dll"	Ddekmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcnleb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddekmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffkhl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dbhlikpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkebqokl.dll"	Amoknh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bifkcioc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abgjkpll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoclajjj.dll"	Aehbmk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjellfo.dll"	Bcnleb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddcogo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naefjl32.dll"	Dpllbp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpnpqakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	c367c4c9b65ddc10dbe1443535fdf350N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Albkieqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bifkcioc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfjllnnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfijgnnj.dll"	Cefoni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgfjbh32.dll"	Cplckbmc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amoknh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dibdeegc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjgmjh32.dll"	Blgddd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bikeni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cemeoh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmdmpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfdqcf32.dll"	Bfhofnpp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclppboi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffkhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpnpqakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cepadh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mckfmq32.dll"	Dibdeegc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dojahakp.dll"	Bikeni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipekmlhg.dll"	Bfabmmhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbmlmmjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpllbp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	c367c4c9b65ddc10dbe1443535fdf350N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bclppboi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dbcbnlcl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aioebj32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 492 wrote to memory of 2316	492	c367c4c9b65ddc10dbe1443535fdf350N.exe	91
PID 492 wrote to memory of 2316	492	c367c4c9b65ddc10dbe1443535fdf350N.exe	91
PID 492 wrote to memory of 2316	492	c367c4c9b65ddc10dbe1443535fdf350N.exe	91
PID 2316 wrote to memory of 3712	2316	Aioebj32.exe	92
PID 2316 wrote to memory of 3712	2316	Aioebj32.exe	92
PID 2316 wrote to memory of 3712	2316	Aioebj32.exe	92
PID 3712 wrote to memory of 4520	3712	Apimodmh.exe	93
PID 3712 wrote to memory of 4520	3712	Apimodmh.exe	93
PID 3712 wrote to memory of 4520	3712	Apimodmh.exe	93
PID 4520 wrote to memory of 3548	4520	Abgjkpll.exe	94
PID 4520 wrote to memory of 3548	4520	Abgjkpll.exe	94
PID 4520 wrote to memory of 3548	4520	Abgjkpll.exe	94
PID 3548 wrote to memory of 2660	3548	Ammnhilb.exe	95
PID 3548 wrote to memory of 2660	3548	Ammnhilb.exe	95
PID 3548 wrote to memory of 2660	3548	Ammnhilb.exe	95
PID 2660 wrote to memory of 3012	2660	Aehbmk32.exe	96
PID 2660 wrote to memory of 3012	2660	Aehbmk32.exe	96
PID 2660 wrote to memory of 3012	2660	Aehbmk32.exe	96
PID 3012 wrote to memory of 1956	3012	Amoknh32.exe	97
PID 3012 wrote to memory of 1956	3012	Amoknh32.exe	97
PID 3012 wrote to memory of 1956	3012	Amoknh32.exe	97
PID 1956 wrote to memory of 388	1956	Albkieqj.exe	98
PID 1956 wrote to memory of 388	1956	Albkieqj.exe	98
PID 1956 wrote to memory of 388	1956	Albkieqj.exe	98
PID 388 wrote to memory of 3964	388	Bfhofnpp.exe	99
PID 388 wrote to memory of 3964	388	Bfhofnpp.exe	99
PID 388 wrote to memory of 3964	388	Bfhofnpp.exe	99
PID 3964 wrote to memory of 2400	3964	Bifkcioc.exe	100
PID 3964 wrote to memory of 2400	3964	Bifkcioc.exe	100
PID 3964 wrote to memory of 2400	3964	Bifkcioc.exe	100
PID 2400 wrote to memory of 4492	2400	Bclppboi.exe	101
PID 2400 wrote to memory of 4492	2400	Bclppboi.exe	101
PID 2400 wrote to memory of 4492	2400	Bclppboi.exe	101
PID 4492 wrote to memory of 4532	4492	Bfjllnnm.exe	102
PID 4492 wrote to memory of 4532	4492	Bfjllnnm.exe	102
PID 4492 wrote to memory of 4532	4492	Bfjllnnm.exe	102
PID 4532 wrote to memory of 652	4532	Blgddd32.exe	103
PID 4532 wrote to memory of 652	4532	Blgddd32.exe	103
PID 4532 wrote to memory of 652	4532	Blgddd32.exe	103
PID 652 wrote to memory of 2500	652	Bcnleb32.exe	104
PID 652 wrote to memory of 2500	652	Bcnleb32.exe	104
PID 652 wrote to memory of 2500	652	Bcnleb32.exe	104
PID 2500 wrote to memory of 3728	2500	Bikeni32.exe	105
PID 2500 wrote to memory of 3728	2500	Bikeni32.exe	105
PID 2500 wrote to memory of 3728	2500	Bikeni32.exe	105
PID 3728 wrote to memory of 2208	3728	Bbcignbo.exe	106
PID 3728 wrote to memory of 2208	3728	Bbcignbo.exe	106
PID 3728 wrote to memory of 2208	3728	Bbcignbo.exe	106
PID 2208 wrote to memory of 2280	2208	Bmimdg32.exe	107
PID 2208 wrote to memory of 2280	2208	Bmimdg32.exe	107
PID 2208 wrote to memory of 2280	2208	Bmimdg32.exe	107
PID 2280 wrote to memory of 5024	2280	Bpgjpb32.exe	109
PID 2280 wrote to memory of 5024	2280	Bpgjpb32.exe	109
PID 2280 wrote to memory of 5024	2280	Bpgjpb32.exe	109
PID 5024 wrote to memory of 3060	5024	Bfabmmhe.exe	110
PID 5024 wrote to memory of 3060	5024	Bfabmmhe.exe	110
PID 5024 wrote to memory of 3060	5024	Bfabmmhe.exe	110
PID 3060 wrote to memory of 1512	3060	Blnjecfl.exe	112
PID 3060 wrote to memory of 1512	3060	Blnjecfl.exe	112
PID 3060 wrote to memory of 1512	3060	Blnjecfl.exe	112
PID 1512 wrote to memory of 4720	1512	Cefoni32.exe	113
PID 1512 wrote to memory of 4720	1512	Cefoni32.exe	113
PID 1512 wrote to memory of 4720	1512	Cefoni32.exe	113
PID 4720 wrote to memory of 4360	4720	Cplckbmc.exe	114

C:\Users\Admin\AppData\Local\Temp\c367c4c9b65ddc10dbe1443535fdf350N.exe
"C:\Users\Admin\AppData\Local\Temp\c367c4c9b65ddc10dbe1443535fdf350N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:492
- C:\Windows\SysWOW64\Aioebj32.exe
  C:\Windows\system32\Aioebj32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\SysWOW64\Apimodmh.exe
    C:\Windows\system32\Apimodmh.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3712
  - - C:\Windows\SysWOW64\Abgjkpll.exe
      C:\Windows\system32\Abgjkpll.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4520
    - - C:\Windows\SysWOW64\Ammnhilb.exe
        
        C:\Windows\system32\Ammnhilb.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3548
      - C:\Windows\SysWOW64\Aehbmk32.exe
        
        C:\Windows\system32\Aehbmk32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\Amoknh32.exe
        
        C:\Windows\system32\Amoknh32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\SysWOW64\Albkieqj.exe
        
        C:\Windows\system32\Albkieqj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\SysWOW64\Bfhofnpp.exe
        
        C:\Windows\system32\Bfhofnpp.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:388
        
        C:\Windows\SysWOW64\Bifkcioc.exe
        
        C:\Windows\system32\Bifkcioc.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Windows\SysWOW64\Bclppboi.exe
        
        C:\Windows\system32\Bclppboi.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\SysWOW64\Bfjllnnm.exe
        
        C:\Windows\system32\Bfjllnnm.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4492
        
        C:\Windows\SysWOW64\Blgddd32.exe
        
        C:\Windows\system32\Blgddd32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\SysWOW64\Bcnleb32.exe
        
        C:\Windows\system32\Bcnleb32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:652
        
        C:\Windows\SysWOW64\Bikeni32.exe
        
        C:\Windows\system32\Bikeni32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\SysWOW64\Bbcignbo.exe
        
        C:\Windows\system32\Bbcignbo.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3728
        
        C:\Windows\SysWOW64\Bmimdg32.exe
        
        C:\Windows\system32\Bmimdg32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\Bpgjpb32.exe
        
        C:\Windows\system32\Bpgjpb32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\SysWOW64\Bfabmmhe.exe
        
        C:\Windows\system32\Bfabmmhe.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SysWOW64\Blnjecfl.exe
        
        C:\Windows\system32\Blnjecfl.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\SysWOW64\Cefoni32.exe
        
        C:\Windows\system32\Cefoni32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\SysWOW64\Cplckbmc.exe
        
        C:\Windows\system32\Cplckbmc.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4720
        
        C:\Windows\SysWOW64\Cffkhl32.exe
        
        C:\Windows\system32\Cffkhl32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Clbdpc32.exe
        
        C:\Windows\system32\Clbdpc32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1140
        
        C:\Windows\SysWOW64\Cpnpqakp.exe
        
        C:\Windows\system32\Cpnpqakp.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1448
        
        C:\Windows\SysWOW64\Cbmlmmjd.exe
        
        C:\Windows\system32\Cbmlmmjd.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1972
        
        C:\Windows\SysWOW64\Cleqfb32.exe
        
        C:\Windows\system32\Cleqfb32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3596
        
        C:\Windows\SysWOW64\Cboibm32.exe
        
        C:\Windows\system32\Cboibm32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4180
        
        C:\Windows\SysWOW64\Cemeoh32.exe
        
        C:\Windows\system32\Cemeoh32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Cmdmpe32.exe
        
        C:\Windows\system32\Cmdmpe32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\Cepadh32.exe
        
        C:\Windows\system32\Cepadh32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2464
        
        C:\Windows\SysWOW64\Clijablo.exe
        
        C:\Windows\system32\Clijablo.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3924
        
        C:\Windows\SysWOW64\Dbcbnlcl.exe
        
        C:\Windows\system32\Dbcbnlcl.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\Debnjgcp.exe
        
        C:\Windows\system32\Debnjgcp.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        C:\Windows\SysWOW64\Dmifkecb.exe
        
        C:\Windows\system32\Dmifkecb.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:320
        
        C:\Windows\SysWOW64\Ddcogo32.exe
        
        C:\Windows\system32\Ddcogo32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\Dedkogqm.exe
        
        C:\Windows\system32\Dedkogqm.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3488
        
        C:\Windows\SysWOW64\Dmkcpdao.exe
        
        C:\Windows\system32\Dmkcpdao.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4432
        
        C:\Windows\SysWOW64\Ddekmo32.exe
        
        C:\Windows\system32\Ddekmo32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Dbhlikpf.exe
        
        C:\Windows\system32\Dbhlikpf.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4792
        
        C:\Windows\SysWOW64\Dibdeegc.exe
        
        C:\Windows\system32\Dibdeegc.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4764
        
        C:\Windows\SysWOW64\Dpllbp32.exe
        
        C:\Windows\system32\Dpllbp32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1264
        
        C:\Windows\SysWOW64\Dbkhnk32.exe
        
        C:\Windows\system32\Dbkhnk32.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 400
        44⤵
        Program crash
        
        PID:1888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3212 -ip 3212
1⤵
PID:3120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3364,i,8293235976513689021,7261015831736501466,262144 --variations-seed-version --mojo-platform-channel-handle=4332 /prefetch:8
1⤵
PID:1108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abgjkpll.exe

Filesize
94KB

MD5
25d3e36eab4d2b4a9e13a938508541e1

SHA1
8e8a3b55a139fea25352eb67cf897fc5a772efd1

SHA256
de33303ae3c0f660e43e8e05ea47c3ae83c3a2d958e01e1013a305eb736c15ae

SHA512
0760316056cacd5ddad25dc0282e4cff9a789dbcd1216ffc75f0f49614d53d757bf7ef1e7e5b1dc2ffd064e3c500489a602cdb4e092548ea9fa85273008a7002

Download Submit
C:\Windows\SysWOW64\Aehbmk32.exe

Filesize
94KB

MD5
8816512b2cfeaf540431bbc462c93ffa

SHA1
258aaed150333d1efde5d4a2c380cf7320119de1

SHA256
fc2107dc2a42b17bc6253822c564918eabfa0aa9bb1317193164d372c62d5daa

SHA512
a8443cd568a6af3d1950c4daf16464bbff3d29f03157afc83b42651d9735ac7d1999b75e7d091f32b96cb2611abb01c181a9bb5f9d90008eaee54fe7b5822221

Download Submit
C:\Windows\SysWOW64\Aioebj32.exe

Filesize
94KB

MD5
25311fc86713ce8868a6f9f758b144de

SHA1
b7e9487e5f15329bb402e308ecf7f295e5e1cb8e

SHA256
bf13b5c59dbfa66e21ef7a4d77182be0080ca922a871042fb4c57b526448f4da

SHA512
9473e53e074587aee73ba21d580a6603fea5f786f66bc717f6f57e1185abecc341fed7c8adcaef961e2b387468f01a1665119b140da8af804b7e5ab52fbf6de8

Download Submit
C:\Windows\SysWOW64\Albkieqj.exe

Filesize
94KB

MD5
8b2b0bca9c9d606331c08656d2720549

SHA1
5709729da3c14972dd087435f00c531d1be061cd

SHA256
6a9729222eb4394e4c0b9402fffc803342d5bae69edd3c62987d268f4e21736a

SHA512
5b5e85ac2fa4771c8cc5e8e4f590358da45b7db1bf9fad747489b6d7790790690d7f9c9381e317676dc9abea1b1cb297b193012b1b4135485cfa878392e1df95

Download Submit
C:\Windows\SysWOW64\Ammnhilb.exe

Filesize
94KB

MD5
00572c4676ec15a28d76752a5d62ebb6

SHA1
6df16fd42783367efb197a191bca8c0f726dd342

SHA256
5e89b9ebee1714237602b7c654bff21a5b2d857c20a3212efe7f47e3e4c9fea0

SHA512
f08adf821bf1d6e95ced71e510df090e4a0995dfa1af26150293e67c557600e21899ff1d7436e232e85e83448421750ba90edbbab6012b6bd3eec630c84310ea

Download Submit
C:\Windows\SysWOW64\Amoknh32.exe

Filesize
94KB

MD5
6c4ee9c50f9081fdb6c1f401e272eee6

SHA1
fc28c754fe35642626dd9722c9e6c31a74019590

SHA256
f3007ed7c2ef08a23b7817f3dc18483186ae04408b2a7131a578f1d5c8fc042b

SHA512
9f2aaca30722340488652ac15e4290bbc91a2f66c926cf95965352e6a67f54a01c7b5a821709deebf551c41dbf7090e584adb20bcc994672d5cf34cf0fa6ef60

Download Submit
C:\Windows\SysWOW64\Apimodmh.exe

Filesize
94KB

MD5
8355eff487a68a2d9331950057742ff9

SHA1
bba1ff312efcccf326f9781925d518fc3c83a414

SHA256
09d4ba3dd81207b4b8dc2501325aff9d0482508188c27afc3426c21949983816

SHA512
a28450630b9b6f7449a54efd4bba7e723248d05e3a93d085334eb1f6aa0a0cfb6c4d53f0fe514a01d5c67560ae00d0c234c312d782d7352e0e026329d464bd74

Download Submit
C:\Windows\SysWOW64\Bbcignbo.exe

Filesize
94KB

MD5
3b825fde4e746fb6c79ddc85495cb93d

SHA1
a7abb3e2d012352f7b09d777da3facb6b76bb479

SHA256
149392e1369c90de8b71c42e6e8b34bedef27c71a111dcf8da54d131480d9dc5

SHA512
1f2fbcb645e44206166e8fb6340db94a2559012861b5ca8f2419d5862568e25a6c818ed730118772b043f9ad9cfadc8e5e551c886f5009362f8465819662f997

Download Submit
C:\Windows\SysWOW64\Bclppboi.exe

Filesize
94KB

MD5
6de9f63223ac2d3a4ca7279a2ffe2d96

SHA1
31965c66bcee7dc8ac85ec27dc4b572a088ce3c1

SHA256
be5a76dfa566d0f1e8cf8a2743ff8ff94c93685739cd96bdfc36e4115f8cd62f

SHA512
5105b99e996f9da2bd9b13d7297e213b83945e87c23ca0cea29b554f2aaaf72f7d2c1e8cea2fc209ac56e715ce3b13c4fa2e2005b4bb368ebf9d80bbd13e36b8

Download Submit
C:\Windows\SysWOW64\Bcnleb32.exe

Filesize
94KB

MD5
e3275d3ef53c0870ca73bca2b1b88664

SHA1
921c49985f4a63dd98eaea342315ef0f82ea1330

SHA256
320a9778fa5556c19e5a67b05acdc3e740579cb742e5c64f1e0343abee755407

SHA512
eae94003dfe5e05fbf386f14d1f5ffc27dd35f0c31c3be78ef388a1de75b1e4693c7f7bd58690d7bf09301472060312e0b3dc0b8036bcd3ee0d9e70a76fcecab

Download Submit
C:\Windows\SysWOW64\Bfabmmhe.exe

Filesize
94KB

MD5
5c04ef6de1226676720b4b52ae2186c9

SHA1
b544e00aac93d84c2d4968b931dea70b789d6387

SHA256
b32c76f6f55bb9286bbf4497cf4f7dd16f670ee5d273f3fb073a5ad7f9376c1c

SHA512
389dd52ffac2b001405169716f7ef001cfa7da22723f4bda2229e280e3b06f2d1b656fd976aec4cbd94df3c22485adb5e9c58e754c845698434bb06437ff67f9

Download Submit
C:\Windows\SysWOW64\Bfhofnpp.exe

Filesize
94KB

MD5
4d8a608c4b785c9488fd7e8846d5b2a4

SHA1
71f5c4ebb367832ec2c9de4580d6374df4379638

SHA256
e08a5029d3ec0fbdfb3be45623e2ec4810da8a3d7716e3a4216b6ed0390ca010

SHA512
967b7759f07f15ed547a230c0ecd1e7ba0d239b261d4a05ce3ff00f6f21865de6647c0f979d12547bd574ed973920b236854fb19e66480ecff3a120e490df30f

Download Submit
C:\Windows\SysWOW64\Bfjllnnm.exe

Filesize
94KB

MD5
2458222e5eff0984c8dea34fa01e04d1

SHA1
c7576c3a6517716f0f779e1375aae8016bebc415

SHA256
24acd643dcc80251c2d74c050fbf9368190add289132c839bdce7dea66cad69e

SHA512
686d46236bde83cf47b66aae443899c13e1b43aae0576e68e6ab1c804a24134d9b28e31751ac57a5a2b30922f89bdd21984309582a0245d6221187784746cca2

Download Submit
C:\Windows\SysWOW64\Bifkcioc.exe

Filesize
94KB

MD5
3a9056df1f6bea5500f26b3fa183331b

SHA1
4ebf85e4879e3b97fdbc26745f460c06dc3c1a38

SHA256
dc78297fc9786b1f93a8af80d9737f18acb21cccd43d13748acd2886993c8b48

SHA512
2a4d24a86cb3021c6b1b1a59e897ac428d03b35af93ccc87d851d7d47612af916c3b4748add7298d9929979fbd88eea71e4e56e9bc383c30b97a0029d79e2afe

Download Submit
C:\Windows\SysWOW64\Bikeni32.exe

Filesize
94KB

MD5
8d4e349dce99b64fc74a05bbb6e63f1e

SHA1
73f51376a6bb331ef9acbeded807963e2f07f4ed

SHA256
b94d15dc07983dd1f8f39bffe461958f8263689f66bc3c6e9dd85ce4ae257bff

SHA512
d3ddfc6dc91c077129da36cf9f0d54517e8df9d7322f164a8e0a15374d0f277b7eda3b09708a961c652c394d14dcf222e43c753238fa8a32f92f6ca468ef681e

Download Submit
C:\Windows\SysWOW64\Blgddd32.exe

Filesize
94KB

MD5
6aea1f002a5a28dd02c21aaf645be07d

SHA1
366d4dd63d50cfb9920e9dbbcad32a4ac07d3614

SHA256
10c0511b76352622a018b8cc111bacb8ad729724c67314065ba24e0ca94ceae1

SHA512
398feeaa77f1214ce35aac18079848007ece13a4a139ddef7e125bb832bcdb03f8c3511a0d89af3142cc115d4b7f2713f14f474812e6d49ebcd98ded9167e301

Download Submit
C:\Windows\SysWOW64\Blnjecfl.exe

Filesize
94KB

MD5
1b9d516abe3a1369a6b40b89153e4751

SHA1
c78a2f6a4cc7e29f11e1a4f92d9cda8ce4c747b4

SHA256
d5d61f20f2dc84e61b7734a9dd0f75cd2b27e3549c0fb3a394bd21083b38104e

SHA512
9fa3c34cf313a64897d099a203b3cea0091e3d73884fd37d7e9d05a9351ad056f7b979aedbfc93cfcb4b55e2bf83a9e840c07356b4530c8b1977fa0c9a2601ee

Download Submit
C:\Windows\SysWOW64\Bmimdg32.exe

Filesize
94KB

MD5
3c110ff1e096ac0e7d9a688651afae44

SHA1
13d50e4257d789d97bc4f56141ed1ebde126a3ef

SHA256
72ec503a30074fc544db48533fad623a05e4f7589ca6875c32cb1e5df485abb8

SHA512
be0a15fdb6a203f9b2c9538ad399e4d2c9794b6a4e5f2c336837bbdd15cba0e57d6b0286f9ebc4dc31ea565cd0d9369505fa6d81c9d6b313b7ae98e33db8c141

Download Submit
C:\Windows\SysWOW64\Bpgjpb32.exe

Filesize
94KB

MD5
ecdc9a46d2711d714a888f67b41dbca5

SHA1
2347927c6582391df45d6d5d4578be93048e6cc1

SHA256
ff629ee0d66009d9f2b6f85c843cd6206760f5645df9825424dfcfaf87c8427f

SHA512
aac5424cb6244053cf45d991757141ccb76d6733d8755ef957133d5e8edcc7a4ba98a0862784d90b16fb5b96bbca463be5ee27cfe9a18b34b69a72d34374d288

Download Submit
C:\Windows\SysWOW64\Cbmlmmjd.exe

Filesize
94KB

MD5
0918f559792a53163d7496ef7645e203

SHA1
87895b45766166f491b7ac8ec1edcbc7152c382f

SHA256
4448cbd403c564cd6666b27668c7af47d1dd7f5fc5729d503a335147ce1becdf

SHA512
10f1955de321f382adf4e723cfde64686c884314a78e71bdf70160a43014ee7a88a711a73f57bcf6ca186826a7a224891bc3472f20263754c78dd2a6b9828b32

Download Submit
C:\Windows\SysWOW64\Cboibm32.exe

Filesize
94KB

MD5
a16d4f2f505b7d4543d29f5264e66d4e

SHA1
3369d01412dc74cde91705a7f3d4611e8cbb14b5

SHA256
837e4c4e2fec9a16ea7c979cbed6b612f301a00c8579354eb469a6d63f673a31

SHA512
febfa2493b84d2443f906edfb7ce6fbe8e902c7ce5425efc8c0a98d635f467acbd203c00e1f7adaa67584bebff7d091b28d1425f2aea6e57b0f607a8d06988e6

Download Submit
C:\Windows\SysWOW64\Cefoni32.exe

Filesize
94KB

MD5
637046e1460fe6fda5a9c051e91e465b

SHA1
22fdf9bd3ed549fef1c32cfdd9edce6bc1b38fd9

SHA256
54d9a03ded5c2991416bda0ba51c5ce6b770e7f6198728135b0310e7e1858aa3

SHA512
15b87344309b8dc5d6f1e43c958e01f964226c1841a4b5ae73db843967e33b9ac8d4b0164e41e5c84eb55690f2173ff92a6d861641bc827323362f6bb8e79038

Download Submit
C:\Windows\SysWOW64\Cemeoh32.exe

Filesize
94KB

MD5
4c35037d805c2eff745d08764af43224

SHA1
6a667440694cbf5b0b21cde844d7d47f53413280

SHA256
aba62777700646c79c52bdd4a368889c5d6c4d6990de8cee2a32a3a622c08422

SHA512
ce591f2069b4b78ca782b80ab805e924ec4850bd174e3929ecf0b834ecf217a15b31ed535b73664c115d8b86b04d3ad0130ae72d14f951e58801ce116ef2d254

Download Submit
C:\Windows\SysWOW64\Cepadh32.exe

Filesize
94KB

MD5
7c6971a243e09e05a0e04e7c06c08d95

SHA1
84ccbe940cde87f26acfb3422f1f36195ea666ea

SHA256
ff129df14403bad63eb54c998d3682e483529307212e098178752c116820bc03

SHA512
70ca52857171daff0e2118aa4b70b264f67c26d9479540855ef8caec90a93f73b54175342e00602e23098e60f80a24036f8e391eefd1f31061b9aea3603b4282

Download Submit
C:\Windows\SysWOW64\Cffkhl32.exe

Filesize
94KB

MD5
682a13f90f126eecf73671e4eccb8c56

SHA1
5ab3c257739a8d05293f4f5f83d614170a2a3b42

SHA256
8ec2a999da22523048551d05646fc26d5a7113de39819840e3623ca4ccf5c08e

SHA512
875d2e2f62ab63a32010df0b56f8c9b17daccb9ac2fef5ed706fc37fcd8f4e08b4fba3fe08fd564cee00409d576e010524e26026f73138d017dbe3c7554668b0

Download Submit
C:\Windows\SysWOW64\Clbdpc32.exe

Filesize
94KB

MD5
3a4c539e40fc05b17b044626c5cd745a

SHA1
9f16532663561ffe26a1915fdd8e5e48cae281c2

SHA256
44fac166ab4b6e0c430c34365cb42ab26996b6a255cb94b9ef0b0b3a938878ff

SHA512
36c03416229f70fe5c21a1f3921662705eab329cc4b6e6049083425accb31cd6cf2d40575998dc71d938991c3fc54a89c32165d710cf9ae99f864b80faa74158

Download Submit
C:\Windows\SysWOW64\Cleqfb32.exe

Filesize
94KB

MD5
0d25c88dc10263effe66d1e748636731

SHA1
24ccbb83b90d4dc8be2e403a25a5343274d2deaa

SHA256
8916ee1e057f1270f5bf9a4e9a59261165b88e570a1851ca8ee246bba0cae479

SHA512
b7787a2928192ee877fdfbdd44462a86ee8a6b8406da0766bf468f2d0d930ff6849e21654e01fafa3a068acb9f1c8e17a20cb35562b4d470852dcc0838355707

Download Submit
C:\Windows\SysWOW64\Clijablo.exe

Filesize
94KB

MD5
46281ccf94a3fb380b2a3084dc0cf95e

SHA1
db229f5b2bf3d9957039d35f95095c5e9231752d

SHA256
f645a16c57fe7f121af14e39eda1c81ddf78cdb63624a8c229eca49bb7b78037

SHA512
9e07caee0515aeb84c9981200af1dc67d6443f958e005bcfa1037c488e997e08b8a7b2dba8721dae3809d494ef533e10a6ec1ffb78f06622359f45efc7b0c0df

Download Submit
C:\Windows\SysWOW64\Cmdmpe32.exe

Filesize
94KB

MD5
a384b0b17a403cb871ba0a9633b54cc4

SHA1
dfb017710cd15e789d540659689be8c95d0f7656

SHA256
2442ac65c92709e09d71c659942913ba8ce3fd941cc22c349708641a01ef289e

SHA512
7d4033235d4fe2f45be1009bf9ee40420eab86c42647e6645a3c096dfb665cae73ea91100da64ebf68c4cf8d1778aa04a6450f3ad86e0e18b53bc5dbed1704e8

Download Submit
C:\Windows\SysWOW64\Cplckbmc.exe

Filesize
94KB

MD5
c2242e3ec88639fc44ebf5c512db2e82

SHA1
a7aacc254fd008318580c097037f7d085d7ab483

SHA256
572df86fc2ea91849b6291e59d55db57ff65cc089dad3d72d7bc57ebc657b788

SHA512
88f885096f30d18f64f6518a3a124b41016c7c4df218b89b8adc62fa013290a949aadea5826851e6cd03bc93b72a4e1d0eb5dd3e6512e93b45b1396befaf2713

Download Submit
C:\Windows\SysWOW64\Cpnpqakp.exe

Filesize
94KB

MD5
6ffa59c5ec42fc12e24c3a4a0dc96ebe

SHA1
5519994f90e06f6d639ec691544272debb57de3e

SHA256
6bd62ca8596dea53874abded9955df7b96a712f677572ad6f04d2defb6d023e5

SHA512
4f3206178f45cfa10ad3b45adaaeeba62001a58fe0c2d77e425ee67a6347d7a737c91390d0ad9ad552ef50a7ebde53c3f4041a325144381500c11c06533183bd

Download Submit
C:\Windows\SysWOW64\Dbcbnlcl.exe

Filesize
94KB

MD5
37e10ecbd97bd32a1783ff2ad9574ca2

SHA1
a169427960ec881a1c645477c5fa370b8063dc2c

SHA256
7152b80867ec5be6a4ed651e6ebe7a7e9efa51b6e21ce5d9295e288d2e27f294

SHA512
5c47bd0c5d0d4080f4a671f9103e6b6e3d838746a8051ee650e4ac930fcaa7211abaa2c04d966f5be2323a84f5a36b324c00a73fa092ee6580d59fc00bf606e7

Download Submit
memory/320-326-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/320-269-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/388-349-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/388-65-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/492-355-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/492-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/492-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/652-344-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/652-105-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1140-189-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1264-319-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1264-311-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1448-193-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1448-334-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1512-160-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1512-337-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1656-331-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1656-232-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1956-350-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1956-57-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1972-356-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1972-201-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2044-257-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2044-328-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2208-128-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2208-341-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2280-340-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2280-142-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2316-14-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2356-327-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2356-263-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2400-81-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2400-347-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2464-240-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2464-330-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2500-343-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2500-113-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2660-351-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2660-40-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2672-325-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2672-275-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2876-322-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2876-293-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3012-53-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3060-338-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3060-152-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3212-317-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3212-318-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3488-324-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3488-281-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3548-352-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3548-32-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3596-333-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3596-208-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3712-354-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3712-17-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3728-120-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3728-342-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3924-248-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3924-329-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3964-348-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3964-72-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4180-221-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4360-176-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4360-335-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4432-287-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4432-323-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4480-225-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4480-332-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4492-346-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4492-88-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4520-353-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4520-25-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4532-96-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4532-345-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4720-168-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4720-336-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4764-305-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4764-320-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4792-299-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4792-321-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5024-145-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5024-339-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads