6c56a15d10e357d97d5fcf9d7e437069b34502c8fbaebef0b8bc1acfbe30d9fc

Analysis

max time kernel
130s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 00:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c56a15d10e357d97d5fcf9d7e437069b34502c8fbaebef0b8bc1acfbe30d9fc.exe
Size

427KB
MD5

c80ad5bc46886cb921a9d2782d5553c5
SHA1

61aa8a61169bf19706d55b7dddbff4733d59802a
SHA256

6c56a15d10e357d97d5fcf9d7e437069b34502c8fbaebef0b8bc1acfbe30d9fc
SHA512

7769d459d1454b99a4f49a66c75723286922d508755c22cbd8b1d6387e59e633a75876da3e205d4a8c7fecf0f953b6238d27fb9d8e9610e716aa984e0a6d987b
SSDEEP

6144:6Vj+9uHyFSTYaT15f7o+STYaT15fAK8yfMx/D4LJZPlVcxqy1:KTYapJoTYapz8ye49vWq

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	6c56a15d10e357d97d5fcf9d7e437069b34502c8fbaebef0b8bc1acfbe30d9fc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe

Executes dropped EXE 64 IoCs

pid	Process
2736	Anmjcieo.exe
1912	Aqkgpedc.exe
2532	Aqncedbp.exe
3272	Ajfhnjhq.exe
4440	Amddjegd.exe
2304	Andqdh32.exe
3540	Acqimo32.exe
2492	Anfmjhmd.exe
4340	Agoabn32.exe
4992	Bfabnjjp.exe
4196	Bcebhoii.exe
5060	Bfdodjhm.exe
1812	Bnkgeg32.exe
1988	Bmngqdpj.exe
2380	Baicac32.exe
4084	Bchomn32.exe
1464	Bgcknmop.exe
3968	Bjagjhnc.exe
840	Bnmcjg32.exe
4184	Bmpcfdmg.exe
932	Balpgb32.exe
1604	Beglgani.exe
2020	Bgehcmmm.exe
212	Bfhhoi32.exe
1688	Bjddphlq.exe
1992	Bnpppgdj.exe
220	Banllbdn.exe
4320	Beihma32.exe
4836	Bclhhnca.exe
4508	Bjfaeh32.exe
4516	Bmemac32.exe
2900	Bapiabak.exe
3488	Belebq32.exe
1892	Bcoenmao.exe
3592	Chjaol32.exe
4204	Cjinkg32.exe
4932	Cndikf32.exe
3584	Cmgjgcgo.exe
4384	Cenahpha.exe
1128	Cdabcm32.exe
2600	Chmndlge.exe
2960	Cjkjpgfi.exe
2296	Cnffqf32.exe
1348	Caebma32.exe
4436	Cdcoim32.exe
5016	Chokikeb.exe
688	Cjmgfgdf.exe
2972	Cnicfe32.exe
2768	Cmlcbbcj.exe
4876	Ceckcp32.exe
5092	Cdfkolkf.exe
2288	Cfdhkhjj.exe
5132	Cjpckf32.exe
5172	Cmnpgb32.exe
5212	Ceehho32.exe
5252	Cdhhdlid.exe
5284	Cffdpghg.exe
5324	Cnnlaehj.exe
5368	Calhnpgn.exe
5408	Cegdnopg.exe
5444	Ddjejl32.exe
5488	Dfiafg32.exe
5524	Djdmffnn.exe
5564	Dmcibama.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Acqimo32.exe	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Anmjcieo.exe	6c56a15d10e357d97d5fcf9d7e437069b34502c8fbaebef0b8bc1acfbe30d9fc.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Pkmlea32.dll	6c56a15d10e357d97d5fcf9d7e437069b34502c8fbaebef0b8bc1acfbe30d9fc.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Agoabn32.exe
File created	C:\Windows\SysWOW64\Bfdodjhm.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Dqfhilhd.dll	Anfmjhmd.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cenahpha.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Acqimo32.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Leqcid32.dll	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Mbpfgbfp.dll	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Doilmc32.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Echegpbb.dll	Amddjegd.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Bfabnjjp.exe	Agoabn32.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Balpgb32.exe

Program crash 1 IoCs

pid	pid_target	Process
5396	4052	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6c56a15d10e357d97d5fcf9d7e437069b34502c8fbaebef0b8bc1acfbe30d9fc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbejge32.dll"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeiakn32.dll"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	6c56a15d10e357d97d5fcf9d7e437069b34502c8fbaebef0b8bc1acfbe30d9fc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglncdoj.dll"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneljh32.dll"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2812 wrote to memory of 2736	2812	6c56a15d10e357d97d5fcf9d7e437069b34502c8fbaebef0b8bc1acfbe30d9fc.exe	84
PID 2812 wrote to memory of 2736	2812	6c56a15d10e357d97d5fcf9d7e437069b34502c8fbaebef0b8bc1acfbe30d9fc.exe	84
PID 2812 wrote to memory of 2736	2812	6c56a15d10e357d97d5fcf9d7e437069b34502c8fbaebef0b8bc1acfbe30d9fc.exe	84
PID 2736 wrote to memory of 1912	2736	Anmjcieo.exe	85
PID 2736 wrote to memory of 1912	2736	Anmjcieo.exe	85
PID 2736 wrote to memory of 1912	2736	Anmjcieo.exe	85
PID 1912 wrote to memory of 2532	1912	Aqkgpedc.exe	86
PID 1912 wrote to memory of 2532	1912	Aqkgpedc.exe	86
PID 1912 wrote to memory of 2532	1912	Aqkgpedc.exe	86
PID 2532 wrote to memory of 3272	2532	Aqncedbp.exe	87
PID 2532 wrote to memory of 3272	2532	Aqncedbp.exe	87
PID 2532 wrote to memory of 3272	2532	Aqncedbp.exe	87
PID 3272 wrote to memory of 4440	3272	Ajfhnjhq.exe	88
PID 3272 wrote to memory of 4440	3272	Ajfhnjhq.exe	88
PID 3272 wrote to memory of 4440	3272	Ajfhnjhq.exe	88
PID 4440 wrote to memory of 2304	4440	Amddjegd.exe	89
PID 4440 wrote to memory of 2304	4440	Amddjegd.exe	89
PID 4440 wrote to memory of 2304	4440	Amddjegd.exe	89
PID 2304 wrote to memory of 3540	2304	Andqdh32.exe	90
PID 2304 wrote to memory of 3540	2304	Andqdh32.exe	90
PID 2304 wrote to memory of 3540	2304	Andqdh32.exe	90
PID 3540 wrote to memory of 2492	3540	Acqimo32.exe	91
PID 3540 wrote to memory of 2492	3540	Acqimo32.exe	91
PID 3540 wrote to memory of 2492	3540	Acqimo32.exe	91
PID 2492 wrote to memory of 4340	2492	Anfmjhmd.exe	92
PID 2492 wrote to memory of 4340	2492	Anfmjhmd.exe	92
PID 2492 wrote to memory of 4340	2492	Anfmjhmd.exe	92
PID 4340 wrote to memory of 4992	4340	Agoabn32.exe	93
PID 4340 wrote to memory of 4992	4340	Agoabn32.exe	93
PID 4340 wrote to memory of 4992	4340	Agoabn32.exe	93
PID 4992 wrote to memory of 4196	4992	Bfabnjjp.exe	94
PID 4992 wrote to memory of 4196	4992	Bfabnjjp.exe	94
PID 4992 wrote to memory of 4196	4992	Bfabnjjp.exe	94
PID 4196 wrote to memory of 5060	4196	Bcebhoii.exe	95
PID 4196 wrote to memory of 5060	4196	Bcebhoii.exe	95
PID 4196 wrote to memory of 5060	4196	Bcebhoii.exe	95
PID 5060 wrote to memory of 1812	5060	Bfdodjhm.exe	96
PID 5060 wrote to memory of 1812	5060	Bfdodjhm.exe	96
PID 5060 wrote to memory of 1812	5060	Bfdodjhm.exe	96
PID 1812 wrote to memory of 1988	1812	Bnkgeg32.exe	97
PID 1812 wrote to memory of 1988	1812	Bnkgeg32.exe	97
PID 1812 wrote to memory of 1988	1812	Bnkgeg32.exe	97
PID 1988 wrote to memory of 2380	1988	Bmngqdpj.exe	98
PID 1988 wrote to memory of 2380	1988	Bmngqdpj.exe	98
PID 1988 wrote to memory of 2380	1988	Bmngqdpj.exe	98
PID 2380 wrote to memory of 4084	2380	Baicac32.exe	99
PID 2380 wrote to memory of 4084	2380	Baicac32.exe	99
PID 2380 wrote to memory of 4084	2380	Baicac32.exe	99
PID 4084 wrote to memory of 1464	4084	Bchomn32.exe	100
PID 4084 wrote to memory of 1464	4084	Bchomn32.exe	100
PID 4084 wrote to memory of 1464	4084	Bchomn32.exe	100
PID 1464 wrote to memory of 3968	1464	Bgcknmop.exe	101
PID 1464 wrote to memory of 3968	1464	Bgcknmop.exe	101
PID 1464 wrote to memory of 3968	1464	Bgcknmop.exe	101
PID 3968 wrote to memory of 840	3968	Bjagjhnc.exe	102
PID 3968 wrote to memory of 840	3968	Bjagjhnc.exe	102
PID 3968 wrote to memory of 840	3968	Bjagjhnc.exe	102
PID 840 wrote to memory of 4184	840	Bnmcjg32.exe	103
PID 840 wrote to memory of 4184	840	Bnmcjg32.exe	103
PID 840 wrote to memory of 4184	840	Bnmcjg32.exe	103
PID 4184 wrote to memory of 932	4184	Bmpcfdmg.exe	104
PID 4184 wrote to memory of 932	4184	Bmpcfdmg.exe	104
PID 4184 wrote to memory of 932	4184	Bmpcfdmg.exe	104
PID 932 wrote to memory of 1604	932	Balpgb32.exe	105

C:\Users\Admin\AppData\Local\Temp\6c56a15d10e357d97d5fcf9d7e437069b34502c8fbaebef0b8bc1acfbe30d9fc.exe
"C:\Users\Admin\AppData\Local\Temp\6c56a15d10e357d97d5fcf9d7e437069b34502c8fbaebef0b8bc1acfbe30d9fc.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Windows\SysWOW64\Anmjcieo.exe
  C:\Windows\system32\Anmjcieo.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\SysWOW64\Aqkgpedc.exe
    C:\Windows\system32\Aqkgpedc.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1912
  - - C:\Windows\SysWOW64\Aqncedbp.exe
      C:\Windows\system32\Aqncedbp.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2532
    - - C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3272
      - C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3540
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3968
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:840
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4184
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:932
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1604
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:212
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1688
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1992
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:220
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4320
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        34⤵
        Executes dropped EXE
        
        PID:3488
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1892
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3592
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4204
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4932
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3584
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4384
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1128
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5016
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:688
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2768
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5092
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2288
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5252
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5368
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5444
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5604
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        67⤵
        Modifies registry class
        
        PID:5652
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5692
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5724
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5764
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5804
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        73⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        74⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5924
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5972
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6044
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6084
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6128
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2416
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4696
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1404
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4972
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1324
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3436
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        87⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5160
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:4052
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 396
        89⤵
        Program crash
        
        PID:5396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4052 -ip 4052
1⤵
PID:5352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acqimo32.exe

Filesize
427KB

MD5
fdbec3cb1b91bf54ea9176cbbdf0faf7

SHA1
e93bde657f7e9a5d3e620d0650dd08e459c057e4

SHA256
0e78bcf9fa0243996dff80b55a8db65c3e90269ed7b39e8295d28116f55d86bc

SHA512
ac50309f8f85d20fd235af14c46188a84c211369426522ffe9bccac5e3faa9fc91f00c0cbfb628eb1369587b72e8473466d04764c605eb10bd668dbab39ea02c

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
427KB

MD5
953f6cb0f16f10ac82f4d5ba47bed5f3

SHA1
87e7cd29dfd8a9de1fa1609657afe93ef73df440

SHA256
67fad7ae390e5f1440e16d89382e69d626d02248b6c3e438373bf1ae3e39aa86

SHA512
f65315f99e8501b6a89c5a2375612c99a2052dc63b4aec88fd75fe0fc506fa60edc294c53253b53d18969130b25e5e6f28a94d204e0d0ce12650d4ddc4500be3

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
427KB

MD5
3ed090498487a2a350f0f1b0a248c8ea

SHA1
6a7dffd639ec615f246508225db321d74cc1c22b

SHA256
a92cc2a2da87e61ab264a2f45faa9ef66f4859fa15147689280540793de4921f

SHA512
6a237c2b8bfee3acf8b7de913d22c28f7ebf60aa0f42b880e13700a6a1866d8f6e8580b85da662cd6a72fddec59c3d92616f1607fafd0dbafc8d5e41ca9da185

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
427KB

MD5
70fa7acd3ce29e38b1cf8e9dc79934cd

SHA1
9c6f1e2b4eb7ea286722e392bb560669e97defa8

SHA256
84643aa69c0dd444f7e4e96534d5fb5ef5723e103553fb8169c7e4ca665e454d

SHA512
0e4eb87cc3bea352ea192dce179af73df6e7ebe45ed895e573e0277335d74ea5c58293a9c108042fc08d1eb3a841e986cbc6c0e23bbedc0d6149fb4853fe411e

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
427KB

MD5
56beae2459ba4afbceb1b77912876141

SHA1
28fcb3f6dae9d232013dbd1bd7916b20914f5719

SHA256
0ad188de232f2c6bc45b85bdc6a52b19bedb4e12259ad50c1679c52235bcc198

SHA512
02a7ed7b4ab184029b73d25791c11ab3e15df53dceacd7624c436d826df90d99f3008ee9068d5d99e1a2372e1e0bc8c197bebd2c7ec7b9b82378b2122697bc7c

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
427KB

MD5
17fa7abaf090203e2fabf4509bd2c009

SHA1
d62b11793a78ec9f8e48b5817776d7396c7ec4ec

SHA256
68b0791a892acc21c1219a01e256cb2f81cc99d5b1a3031149e6b65b91a6c03c

SHA512
6f17a448453185d23435b1cb0022070883e337976f5e08337bc5db961bb39e19316605d48ccf2a67a42060d7b48f9d5ed7b7fb70218e6bd1327d7dd730cbee13

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
427KB

MD5
7502d07c0fca1ccdb5d6acd8238d77f4

SHA1
8d604ec0b02ef0cea70f0d28c6710907b43d7674

SHA256
51bdbec704449c7fcd072fb72f5e8a2e60551425b7ad0f054bda4669aa9de582

SHA512
341baad8cb34e400e41ae6caa9a8e85dbc1735427af56e41fa4bad40f5b6b27522e6d95cdbc7ea6a7bc37d97588579a91c76570549956d7f5fe57bea9b67a130

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
427KB

MD5
379372a8f63c4aeaf52bf4a0ec38df5e

SHA1
b109b38c7cd9ef34ac91e488175165cb83566795

SHA256
41e11d04fd9b03238d24deefc360455a5895d46cfa64a2782a9f021b60edd607

SHA512
fe6a75c0d29dcf202d4ff042ddc045fd817e626f97c75ca70f18063ca5f6c727657ce79f0df1e817deeae4081b3e1af27138bbb19364d2f99806308715c22b15

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
427KB

MD5
79994147b599e3c137371f234b65c3fe

SHA1
c6d62746114abbbd97d59885f54a27b87ec89636

SHA256
3c8f0164f22b19563cbf2b39d02772fe5820f3d47fb784f2073ce4d080b9ccbc

SHA512
0cf3c79214bcc753addb58d2fef911d34ed27bbc1e57a68a0585627ed8237d3dead6e2b5e83e08fbe5626bbadf18569e0a3081dfbdb148f3c8cf649363ff601e

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
427KB

MD5
e3e0c820c45772393d7c1974ecc8a391

SHA1
8c6f8468e64dcd34d86deb64768810d45ecfd791

SHA256
4ceae8e4ac3391cb65e48da5e4e88fcfaf21801473964507a5b1130f55ef9139

SHA512
e7ec2ec7a90d415f1fa92336877be14142e1b6771ed9cc90429f05c4c1bca44531a750c11a72e5f666c578a6eac67c273ca66efa301efee4cf9bd63ec1ec5a67

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
427KB

MD5
81710b7e26936a587130494ff5789ca5

SHA1
469b695b7ee50c58e0cfb2030ae52ddd74842126

SHA256
9507ae851ad55f461142c0ae7ba6d654b5870970a4923c011fe52c907ad72645

SHA512
1afa4e1934ac61f377b88260a1e68b9d5d61937941999970015ce4535a37a3d148e3cf6049b8536123296a5ff9efdbd8a2db036c85b03540af2139fc22e19e27

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
427KB

MD5
917a34652a13e8c048709bfd645d34ae

SHA1
0b0f90b7d367d2d31b589db5109f5d74dba69109

SHA256
5d50a950e73b8abd2a4030dbc28232cd31efb098a34e0df7ee4fd391a615ff34

SHA512
4761221c6ca848bf56426848feb00d0024e0343677f865dead82d5ca5bc2ba076cd84860031486192f490a3eb5cd6d8bc8e0c28c6899837869248bbccefd43b3

Download Submit
C:\Windows\SysWOW64\Bapiabak.exe

Filesize
427KB

MD5
bccb6ce51c11304e22b5d748ddfc5851

SHA1
bdea3730a80a5ec18078392623b8c65c545aae31

SHA256
5ad964648d09ec5b6ffca3a0655d1004bc21ca3fd6e554a7d1fefb904d800b0a

SHA512
58d904d0e6f6d41ba3370cf8e20ec9c41c05c53e971fc386c12ca7bc5d808cd656c252df20ce0cb9f96da1669f1d3e3df2244df2b8664717b27c7714345a2601

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
427KB

MD5
237f02c0c9bcd3100c5885f0e82fec53

SHA1
d71a5c476c70bd5829dc78e5337aaca6538046fd

SHA256
323fc296fe429928681cf65d8d886f83bb099fc3360f799e0a3ae07c4bc540fd

SHA512
4e68041a45d4eef75cb1eddbf2f895733fac9cf44cfa5425e7ad6cbadbe92c2a7eba2a6e3384f6f9ff497b43c994bf4067d8194e610dd6a8294b33ddbda1245c

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
427KB

MD5
e049e38bf171e65e7fc88e7e3702d4bc

SHA1
4bb9f9d8275bfcfb38f3eaa2d87d1f76ff92d937

SHA256
daf00fe26fde5ce773534654e90f89b12b561d2cf5c412346a1339fce181cf8f

SHA512
9e0fb20cfa4c6c1d6c3b3f1b9c11c053c5ecb87455e4c66f76e2328e4fe529d99d38c980626dd3704e3345c18c4d062acd59d597f56520bd85502829adc73d5c

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
427KB

MD5
7f27d9e6abe9467f98b00ef72409fba3

SHA1
42cf147ad446c923696ace42ec7b507638808f0e

SHA256
075d096221280dc1765e6a5146205e89a583733e41ec03e18dfa10d77d27dfee

SHA512
b7d41ca01367a178e9b96835ba690e5017c828c327b4ff2e2c0e87315a94d4435afa25e593abf4943f797568fb66b7818d8c135e8a9e7f727ac86dffa48be50f

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
427KB

MD5
e1dfdab832f839a82d8b7b72e95d94f5

SHA1
3c558a9202032fb8c2a001a6c561210dc071fb49

SHA256
eb8cfc08e3c3e436159c610ed5445f63fb0d55bf6596eafed1fb63eb3c1c9906

SHA512
f38f2eaae2d89e5c5f44fe3a678ee73414686ee060b88b6c0fe593d38cd9982d5ab271473c1f9ce7040951e1f478066f422a650f3a83718cba253b0ecb31a2fd

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
427KB

MD5
bd79b20836c7efcfc66b074918dc3180

SHA1
17bb15ee24dc161e639096922c0b2f35ba2909d4

SHA256
d9ec8414600e01d4ac39bb08ed3c45e6e801528708017d91bf5e5dbc15f813b7

SHA512
b496687dbd33961bd15e5bd895dadffc6d5564b529264e753b65bc2e2e9845139dbc1d0dc8a1c312f444ac1d556ed877c0697fb1df4bea714abdeaffcc511399

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
427KB

MD5
4720d709f52319b5fce8a7df30543197

SHA1
5edbfbc31cf890c885327470c2203fe0413ea137

SHA256
a7aaeb2660860b89bd908e5e3b3f53b1c202f2f47976245dd703efc3ea5ff1e3

SHA512
f2c01052757cc3809b8c98112bb5f25bdbe4b040b80d2fce62da5b40334cf1cf2fe5e5407daa500518b270031141b90f099369184427ef75b6e77c8d5721ba24

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
427KB

MD5
813ad279a21af9e2fd9386c0c0b38a4f

SHA1
228b9a12f68d4be19a6546b8226ed3e1546ef22c

SHA256
95221f479f14e6783416ec3d7347f433a3f5c67c7d6c0d653ea624d868d917f0

SHA512
208a5cbfa63d46a371f38dba54fda9a9dd86f6086351da91b525b14c497d54929e6460a00ab079ebf1ea15268ae5bd0a734ef960a3d401499bbb2a1d6fa0afae

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
427KB

MD5
7db0e001d9faa8c9d837883f340cd7bd

SHA1
ba52937211a4b7e2bb2a9b8ea30b7c83e1ab3b06

SHA256
01ddc41bee9fad779dcddef7053f421874e31d186c71452b20ca0fe305782f85

SHA512
8f54186f40809141fd98d2558bb498d8532c3afdc5d80465e49b88b32dac8d938b35a7ece76156c32edf20584929e8e4d57625cad5dce0aa9520918e5625fb8b

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
427KB

MD5
a02ec44ccf131ef395863d809c4dff3c

SHA1
a3113fec87b15b07c1387e36a61cc560248763d0

SHA256
0e70d09ca58ffb5dcf186ca1f61897f66e591df1500cbbb301fe9350924a5239

SHA512
16f476b08762ba11f6d8c574ec25a0c7c105d2b16537228be3f0dcac96080333d4118d89609afa82da6915d8fb8092c7e042e8eef98ab2dae408b94800c61f61

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
427KB

MD5
2564abfc7a783d5e6481fe3d3ae5db7b

SHA1
3be146293794a1b9f649039331e97695c9a61cf9

SHA256
0c70f2219553b1161e92474cfcdd698c768409bf3aa09de0dbb39d55faf946be

SHA512
01e744445ba6608a3bbed40f0a70a595ef6e4b9a530b4e9fba67908421aa5be8c2b1ebaeeecb90f740e0a88d7c52f26dc3c667c64cf6679c67d72b5c6cd75698

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
427KB

MD5
efffc736b69899c6869e6d28aeba6c42

SHA1
f55f3e32c731d5bafa9e8dea8316f28bbaa2755b

SHA256
8866601a8f901e3b7c0cb161a939ba86b0fc23858e116429243c7941df7f26e5

SHA512
b09ea85527818db5001a02afedb93831df7f555b41aa2be84869f141789955d1648f270cfab1e7ab7d5d73a37314a93d3b0903216ecc19f40ca25f3ff4a242fe

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
427KB

MD5
5dfaf6bc146ccf67856d02d8d82dda50

SHA1
aa9c36b94d662ee4be968c4a067cb39608fd56b4

SHA256
cd606ca3cd8a16f6f4c628ced061e139e4830eddb6929338b664bc2a8ee53580

SHA512
fde4b5a8ff9066b8fc4bd8ade2f557608621b54747ab2bb0d17a30dcbe8e0e522b8ab84b627a16018d08a332b2d1db7bb17429b9e047e9ee6a1fa0f32b5dbab5

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
427KB

MD5
395d1aeea59660aaf0b51ce33b37eff6

SHA1
253ebb8e45e28e28c5c797ef71fa1747bb912adc

SHA256
be34eaa8204e21c788b961051ce111ae6219ea62003068fd5a5fc9afe8ae3f95

SHA512
192a6f0047d3393275a8cd7174b04de2f5129d8c44fc32844f70886ba53bd8ffee977e7940063b30c812c3bd319540109d11143f1402f537f11125951e0aa87f

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
427KB

MD5
94c5be4d57f97ed6821f10dc1f256245

SHA1
b59947e13e37ec9ccfa2891400417b9bfc53dcae

SHA256
d6dc43d2e37fbbd12583787ff769f2dfc62d3a852eb10f59f3cae06e8e339e15

SHA512
c858d92d9430fff138c0091cb8c3252121806b65f58f94b7a9a342b28d13bf86a5362767095b000a62b357900b2e32fa1237b41b86c13ccc93c319ad22c4c32b

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
427KB

MD5
165939e5484bf3b517e84639a750843a

SHA1
95b00eee19187c7801d11affd2dd490a11e86064

SHA256
cd5c4d03caba947019d9ecdbc256f4aec6e64d9dd78ea27cfe90ee3ec6b3e8cf

SHA512
2e2a0866540f5edd927e067c3b6f322719505db5f398625286efecfc344f5e8a411cd40dec404d8b69e7aab033d15d8fdd862d21113d13575d430daae42ca209

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
427KB

MD5
8b9cd424a887a6f28718fa61007e3926

SHA1
ef001d8e1a42662718f80bfdd107d9c4437c8107

SHA256
a3fce8c00f08d0a3520403245624bf338008db3f466a3eb4ec75a1b1aec44429

SHA512
291ad91a6f7b2c8192e29a28bbd3eb39ec969067a8b44494e97cd3d5e3b7e6559db195538cd017b24e8f04208392fce771aface6c3343f0e0b71cbbe6badd89f

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
427KB

MD5
4988ac30540e62b65988e85d31a5cb0e

SHA1
df704ad52b90c6ecaba76fb8bec241f6496fb35a

SHA256
de3d46d93450a0a6b74983a7600cd197c6592ec0c13c2e45f1ccc7eaba4017f8

SHA512
5d5d57d85b71968be5f3c5dca480dc173f340085a6ce43bdff5312093114d555ef61134933d79b7d81e18888396bb08fcdc2eed3adee6fc29788165bf13aec7d

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
427KB

MD5
0eb600ffb74cb49afeacda6e021ec761

SHA1
6aa41ce72d4484a3609cd693692c10fe3018030f

SHA256
de7dbfe0f816da26378cb2c062f99d1f8ba369ef8da78275af6dec9f2dbbd306

SHA512
1538a7aa848d900b9a5bb7658c5c33a02c0b50c0a6a349147dd84a76e078369da2191bee822638a4bcfe54450d1ee527a33d0a3ff688adccd7a15a5cc2f7fa5f

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
427KB

MD5
47325b75e154758f89bff59abeb467dc

SHA1
57cd11e1548f0c8cacc078e977180af4dc1d7551

SHA256
eb34e4eea5767f3ac7f04c560ffe63918cc10a892d50187c8422cce7b516bc75

SHA512
1c932bc74667de83c11d4022492ad5c8b92102b1f70d54363c9886d8968ecd7c2a5188959160c02736a48325315844324ce2f92fdbb15ff335fb85b22da2bd24

Download Submit
memory/212-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/220-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/688-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/840-167-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/932-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1128-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1348-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1404-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1464-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1604-194-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1688-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1812-114-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1892-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1912-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1912-98-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1988-122-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1992-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2020-202-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2288-393-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2296-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2304-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2304-139-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2380-132-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2416-561-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2492-157-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2492-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2532-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2532-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2600-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2736-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2736-94-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2768-375-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2812-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2812-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2812-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2900-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2960-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2972-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3272-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3272-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3488-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3540-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3540-148-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3584-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3592-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3968-158-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4084-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4184-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4196-95-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4204-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4320-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4340-166-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4340-74-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4384-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4436-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4440-131-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4440-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4508-258-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4516-266-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4552-555-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4696-568-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4836-250-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4876-381-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4992-82-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4992-175-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5016-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5060-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5060-99-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5092-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5132-399-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5172-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5212-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5252-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5284-423-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5324-429-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5368-435-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5408-442-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5444-447-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5488-454-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5524-460-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5564-466-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5604-471-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5652-477-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5692-484-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5724-490-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5764-496-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5804-502-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5844-507-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5888-514-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5924-519-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5972-525-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6012-532-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6044-538-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6084-543-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6128-550-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads