2e913c9c89fe4f5140dd531c292eb17b60c43ba26ac7914ad2460460cdf67cb0

Analysis

max time kernel
114s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 03:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6054d4894b5af8b002844ef36d914170N.exe
Size

64KB
MD5

6054d4894b5af8b002844ef36d914170
SHA1

95150ec8b66a7077e6f590ef6804cf4234e9ee0f
SHA256

2e913c9c89fe4f5140dd531c292eb17b60c43ba26ac7914ad2460460cdf67cb0
SHA512

6258987c06651d14c383dd49187ed824fda76ef93225bffb9b084d842088c3206cf33ab2d4398098bb65dbb402652312aea4e42e52a18212829d49045c15a516
SSDEEP

1536:358ucshSUcpagrQdnaa0HeyUT94UXUwXfzwv:dcs9cg0bHeMQPzwv

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bejobk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpbpecen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beaecjab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cefoni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpllbp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdgolq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpqlfa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmdmpe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afceko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acgfec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acgfec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bldgoeog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bikeni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdnelpod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddekmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aidomjaf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bejobk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbalaoda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbalaoda.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdnelpod.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	6054d4894b5af8b002844ef36d914170N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clijablo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbfoclai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afceko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afeban32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cehlcikj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmifkecb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beaecjab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blknpdho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bipnihgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmahknh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpgbgpbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfjeckpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Defheg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apngjd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpbpecen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbefln32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clbdpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmnpfd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmahknh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dbfoclai.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmkcpdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	6054d4894b5af8b002844ef36d914170N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcpika32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbhbbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cefoni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdgolq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddekmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmnpfd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cekhihig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciknefmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddqbbo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Almanf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aidomjaf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bihhhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcpika32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmmgof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bldgoeog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmmgof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmdmpe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmifkecb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Almanf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ammnhilb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afeban32.exe

Executes dropped EXE 44 IoCs

pid	Process
3712	Almanf32.exe
4520	Afceko32.exe
3548	Ammnhilb.exe
3836	Acgfec32.exe
924	Afeban32.exe
3596	Aidomjaf.exe
4640	Apngjd32.exe
1304	Bejobk32.exe
1708	Bldgoeog.exe
2656	Bclppboi.exe
4208	Bihhhi32.exe
4488	Bpbpecen.exe
2288	Bbalaoda.exe
3220	Bikeni32.exe
4940	Bcpika32.exe
1228	Beaecjab.exe
1980	Blknpdho.exe
4904	Bbefln32.exe
3556	Bipnihgi.exe
3208	Cbhbbn32.exe
2904	Cefoni32.exe
3036	Cdgolq32.exe
2684	Cehlcikj.exe
1580	Clbdpc32.exe
532	Cbmlmmjd.exe
1476	Cekhihig.exe
4388	Cpqlfa32.exe
4504	Cfjeckpj.exe
2144	Cmdmpe32.exe
4024	Cdnelpod.exe
2184	Cfmahknh.exe
1736	Ciknefmk.exe
832	Clijablo.exe
2508	Ddqbbo32.exe
2996	Dmifkecb.exe
2876	Dpgbgpbe.exe
4552	Dbfoclai.exe
2004	Dedkogqm.exe
4856	Dmkcpdao.exe
3432	Ddekmo32.exe
3624	Defheg32.exe
336	Dmnpfd32.exe
4680	Dpllbp32.exe
3100	Dbkhnk32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Igqceh32.dll	6054d4894b5af8b002844ef36d914170N.exe
File opened for modification	C:\Windows\SysWOW64\Aidomjaf.exe	Afeban32.exe
File created	C:\Windows\SysWOW64\Beaecjab.exe	Bcpika32.exe
File created	C:\Windows\SysWOW64\Nfcnnnil.dll	Clbdpc32.exe
File opened for modification	C:\Windows\SysWOW64\Dpgbgpbe.exe	Dmifkecb.exe
File opened for modification	C:\Windows\SysWOW64\Ddekmo32.exe	Dmkcpdao.exe
File created	C:\Windows\SysWOW64\Aidomjaf.exe	Afeban32.exe
File created	C:\Windows\SysWOW64\Mnjellfo.dll	Bbalaoda.exe
File opened for modification	C:\Windows\SysWOW64\Cdnelpod.exe	Cmdmpe32.exe
File created	C:\Windows\SysWOW64\Mckfmq32.dll	Dmnpfd32.exe
File created	C:\Windows\SysWOW64\Apngjd32.exe	Aidomjaf.exe
File created	C:\Windows\SysWOW64\Bbefln32.exe	Blknpdho.exe
File created	C:\Windows\SysWOW64\Cbhbbn32.exe	Bipnihgi.exe
File created	C:\Windows\SysWOW64\Cfjeckpj.exe	Cpqlfa32.exe
File created	C:\Windows\SysWOW64\Afceko32.exe	Almanf32.exe
File opened for modification	C:\Windows\SysWOW64\Blknpdho.exe	Beaecjab.exe
File created	C:\Windows\SysWOW64\Haaggn32.dll	Beaecjab.exe
File opened for modification	C:\Windows\SysWOW64\Cekhihig.exe	Cbmlmmjd.exe
File created	C:\Windows\SysWOW64\Mondkfmh.dll	Cfjeckpj.exe
File created	C:\Windows\SysWOW64\Ciknefmk.exe	Cfmahknh.exe
File created	C:\Windows\SysWOW64\Jgfdkj32.dll	Dbfoclai.exe
File opened for modification	C:\Windows\SysWOW64\Almanf32.exe	6054d4894b5af8b002844ef36d914170N.exe
File created	C:\Windows\SysWOW64\Dfiefp32.dll	Acgfec32.exe
File opened for modification	C:\Windows\SysWOW64\Bcpika32.exe	Bikeni32.exe
File opened for modification	C:\Windows\SysWOW64\Cpqlfa32.exe	Cekhihig.exe
File opened for modification	C:\Windows\SysWOW64\Cdgolq32.exe	Cmmgof32.exe
File opened for modification	C:\Windows\SysWOW64\Afceko32.exe	Almanf32.exe
File opened for modification	C:\Windows\SysWOW64\Bldgoeog.exe	Bejobk32.exe
File created	C:\Windows\SysWOW64\Cehlcikj.exe	Cdgolq32.exe
File opened for modification	C:\Windows\SysWOW64\Cfjeckpj.exe	Cpqlfa32.exe
File created	C:\Windows\SysWOW64\Cfmahknh.exe	Cdnelpod.exe
File opened for modification	C:\Windows\SysWOW64\Dbkhnk32.exe	Dpllbp32.exe
File created	C:\Windows\SysWOW64\Bejobk32.exe	Apngjd32.exe
File created	C:\Windows\SysWOW64\Ppbeie32.dll	Bihhhi32.exe
File created	C:\Windows\SysWOW64\Cdgolq32.exe	Cmmgof32.exe
File opened for modification	C:\Windows\SysWOW64\Ddqbbo32.exe	Clijablo.exe
File opened for modification	C:\Windows\SysWOW64\Afeban32.exe	Acgfec32.exe
File created	C:\Windows\SysWOW64\Elgide32.dll	Bbefln32.exe
File created	C:\Windows\SysWOW64\Ibnoch32.dll	Bipnihgi.exe
File created	C:\Windows\SysWOW64\Bclppboi.exe	Bldgoeog.exe
File created	C:\Windows\SysWOW64\Bipnihgi.exe	Bbefln32.exe
File opened for modification	C:\Windows\SysWOW64\Dbfoclai.exe	Dpgbgpbe.exe
File created	C:\Windows\SysWOW64\Dchhia32.dll	Cmmgof32.exe
File created	C:\Windows\SysWOW64\Kfhfap32.dll	Afeban32.exe
File created	C:\Windows\SysWOW64\Bihhhi32.exe	Bclppboi.exe
File opened for modification	C:\Windows\SysWOW64\Bikeni32.exe	Bbalaoda.exe
File created	C:\Windows\SysWOW64\Dbkhnk32.exe	Dpllbp32.exe
File created	C:\Windows\SysWOW64\Acgfec32.exe	Ammnhilb.exe
File opened for modification	C:\Windows\SysWOW64\Bipnihgi.exe	Bbefln32.exe
File created	C:\Windows\SysWOW64\Dpgbgpbe.exe	Dmifkecb.exe
File created	C:\Windows\SysWOW64\Cefoni32.exe	Cbhbbn32.exe
File opened for modification	C:\Windows\SysWOW64\Clbdpc32.exe	Cehlcikj.exe
File created	C:\Windows\SysWOW64\Fbelak32.dll	Ciknefmk.exe
File created	C:\Windows\SysWOW64\Ddqbbo32.exe	Clijablo.exe
File created	C:\Windows\SysWOW64\Cefnemqj.dll	Afceko32.exe
File opened for modification	C:\Windows\SysWOW64\Bihhhi32.exe	Bclppboi.exe
File opened for modification	C:\Windows\SysWOW64\Cefoni32.exe	Cbhbbn32.exe
File opened for modification	C:\Windows\SysWOW64\Bclppboi.exe	Bldgoeog.exe
File created	C:\Windows\SysWOW64\Bpbpecen.exe	Bihhhi32.exe
File created	C:\Windows\SysWOW64\Bikeni32.exe	Bbalaoda.exe
File opened for modification	C:\Windows\SysWOW64\Beaecjab.exe	Bcpika32.exe
File opened for modification	C:\Windows\SysWOW64\Cehlcikj.exe	Cdgolq32.exe
File created	C:\Windows\SysWOW64\Cpqlfa32.exe	Cekhihig.exe
File created	C:\Windows\SysWOW64\Clijablo.exe	Ciknefmk.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2056	3100	WerFault.exe	138

System Location Discovery: System Language Discovery 1 TTPs 46 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bikeni32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blknpdho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbefln32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bipnihgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbhbbn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdgolq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clijablo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Almanf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmmgof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmifkecb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbkhnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cekhihig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afeban32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aidomjaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apngjd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bihhhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpbpecen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cefoni32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbmlmmjd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmnpfd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afceko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ammnhilb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bejobk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcpika32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmahknh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Defheg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmkcpdao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bldgoeog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cehlcikj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clbdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfjeckpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmdmpe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciknefmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddqbbo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddekmo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpllbp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclppboi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbalaoda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beaecjab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dedkogqm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acgfec32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6054d4894b5af8b002844ef36d914170N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpqlfa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdnelpod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpgbgpbe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbfoclai.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdnelpod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oihlnd32.dll"	Dmifkecb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjellfo.dll"	Bbalaoda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlhkja32.dll"	Dpgbgpbe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dbfoclai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dedkogqm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Almanf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpbpecen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpgbgpbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iojghflb.dll"	Cfmahknh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	6054d4894b5af8b002844ef36d914170N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afeban32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpbpecen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbhkkpon.dll"	Cefoni32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfjeckpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gofndo32.dll"	Blknpdho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdnelpod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmnpfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcpika32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blknpdho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmkcpdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cefnemqj.dll"	Afceko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aidomjaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibnoch32.dll"	Bipnihgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clijablo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpaohckm.dll"	Clijablo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddqbbo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddekmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfiefp32.dll"	Acgfec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afeban32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbalaoda.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcpika32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbmlmmjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ammnhilb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdogqi32.dll"	Aidomjaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beaecjab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bipnihgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdgolq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpgfeb32.dll"	Bldgoeog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclppboi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clbdpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ciknefmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmifkecb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cehlcikj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddekmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acgfec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bclppboi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbalaoda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dbfoclai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpllbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbhbbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbelak32.dll"	Ciknefmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idbgcb32.dll"	Dedkogqm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	6054d4894b5af8b002844ef36d914170N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bihhhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haaggn32.dll"	Beaecjab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdgolq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djbehfpe.dll"	Cbmlmmjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qecnjaee.dll"	Cpqlfa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpkgac32.dll"	Defheg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cehlcikj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfcnnnil.dll"	Clbdpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgfdkj32.dll"	Dbfoclai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Defheg32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3772 wrote to memory of 3712	3772	6054d4894b5af8b002844ef36d914170N.exe	91
PID 3772 wrote to memory of 3712	3772	6054d4894b5af8b002844ef36d914170N.exe	91
PID 3772 wrote to memory of 3712	3772	6054d4894b5af8b002844ef36d914170N.exe	91
PID 3712 wrote to memory of 4520	3712	Almanf32.exe	92
PID 3712 wrote to memory of 4520	3712	Almanf32.exe	92
PID 3712 wrote to memory of 4520	3712	Almanf32.exe	92
PID 4520 wrote to memory of 3548	4520	Afceko32.exe	93
PID 4520 wrote to memory of 3548	4520	Afceko32.exe	93
PID 4520 wrote to memory of 3548	4520	Afceko32.exe	93
PID 3548 wrote to memory of 3836	3548	Ammnhilb.exe	94
PID 3548 wrote to memory of 3836	3548	Ammnhilb.exe	94
PID 3548 wrote to memory of 3836	3548	Ammnhilb.exe	94
PID 3836 wrote to memory of 924	3836	Acgfec32.exe	95
PID 3836 wrote to memory of 924	3836	Acgfec32.exe	95
PID 3836 wrote to memory of 924	3836	Acgfec32.exe	95
PID 924 wrote to memory of 3596	924	Afeban32.exe	96
PID 924 wrote to memory of 3596	924	Afeban32.exe	96
PID 924 wrote to memory of 3596	924	Afeban32.exe	96
PID 3596 wrote to memory of 4640	3596	Aidomjaf.exe	97
PID 3596 wrote to memory of 4640	3596	Aidomjaf.exe	97
PID 3596 wrote to memory of 4640	3596	Aidomjaf.exe	97
PID 4640 wrote to memory of 1304	4640	Apngjd32.exe	98
PID 4640 wrote to memory of 1304	4640	Apngjd32.exe	98
PID 4640 wrote to memory of 1304	4640	Apngjd32.exe	98
PID 1304 wrote to memory of 1708	1304	Bejobk32.exe	99
PID 1304 wrote to memory of 1708	1304	Bejobk32.exe	99
PID 1304 wrote to memory of 1708	1304	Bejobk32.exe	99
PID 1708 wrote to memory of 2656	1708	Bldgoeog.exe	100
PID 1708 wrote to memory of 2656	1708	Bldgoeog.exe	100
PID 1708 wrote to memory of 2656	1708	Bldgoeog.exe	100
PID 2656 wrote to memory of 4208	2656	Bclppboi.exe	102
PID 2656 wrote to memory of 4208	2656	Bclppboi.exe	102
PID 2656 wrote to memory of 4208	2656	Bclppboi.exe	102
PID 4208 wrote to memory of 4488	4208	Bihhhi32.exe	103
PID 4208 wrote to memory of 4488	4208	Bihhhi32.exe	103
PID 4208 wrote to memory of 4488	4208	Bihhhi32.exe	103
PID 4488 wrote to memory of 2288	4488	Bpbpecen.exe	104
PID 4488 wrote to memory of 2288	4488	Bpbpecen.exe	104
PID 4488 wrote to memory of 2288	4488	Bpbpecen.exe	104
PID 2288 wrote to memory of 3220	2288	Bbalaoda.exe	105
PID 2288 wrote to memory of 3220	2288	Bbalaoda.exe	105
PID 2288 wrote to memory of 3220	2288	Bbalaoda.exe	105
PID 3220 wrote to memory of 4940	3220	Bikeni32.exe	106
PID 3220 wrote to memory of 4940	3220	Bikeni32.exe	106
PID 3220 wrote to memory of 4940	3220	Bikeni32.exe	106
PID 4940 wrote to memory of 1228	4940	Bcpika32.exe	108
PID 4940 wrote to memory of 1228	4940	Bcpika32.exe	108
PID 4940 wrote to memory of 1228	4940	Bcpika32.exe	108
PID 1228 wrote to memory of 1980	1228	Beaecjab.exe	109
PID 1228 wrote to memory of 1980	1228	Beaecjab.exe	109
PID 1228 wrote to memory of 1980	1228	Beaecjab.exe	109
PID 1980 wrote to memory of 4904	1980	Blknpdho.exe	110
PID 1980 wrote to memory of 4904	1980	Blknpdho.exe	110
PID 1980 wrote to memory of 4904	1980	Blknpdho.exe	110
PID 4904 wrote to memory of 3556	4904	Bbefln32.exe	111
PID 4904 wrote to memory of 3556	4904	Bbefln32.exe	111
PID 4904 wrote to memory of 3556	4904	Bbefln32.exe	111
PID 3556 wrote to memory of 3208	3556	Bipnihgi.exe	112
PID 3556 wrote to memory of 3208	3556	Bipnihgi.exe	112
PID 3556 wrote to memory of 3208	3556	Bipnihgi.exe	112
PID 3208 wrote to memory of 2904	3208	Cbhbbn32.exe	114
PID 3208 wrote to memory of 2904	3208	Cbhbbn32.exe	114
PID 3208 wrote to memory of 2904	3208	Cbhbbn32.exe	114
PID 4284 wrote to memory of 3036	4284	Cmmgof32.exe	116

C:\Users\Admin\AppData\Local\Temp\6054d4894b5af8b002844ef36d914170N.exe
"C:\Users\Admin\AppData\Local\Temp\6054d4894b5af8b002844ef36d914170N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3772
- C:\Windows\SysWOW64\Almanf32.exe
  C:\Windows\system32\Almanf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3712
- - C:\Windows\SysWOW64\Afceko32.exe
    C:\Windows\system32\Afceko32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4520
  - - C:\Windows\SysWOW64\Ammnhilb.exe
      C:\Windows\system32\Ammnhilb.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3548
    - - C:\Windows\SysWOW64\Acgfec32.exe
        
        C:\Windows\system32\Acgfec32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3836
      - C:\Windows\SysWOW64\Afeban32.exe
        
        C:\Windows\system32\Afeban32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:924
        
        C:\Windows\SysWOW64\Aidomjaf.exe
        
        C:\Windows\system32\Aidomjaf.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3596
        
        C:\Windows\SysWOW64\Apngjd32.exe
        
        C:\Windows\system32\Apngjd32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\SysWOW64\Bejobk32.exe
        
        C:\Windows\system32\Bejobk32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1304
        
        C:\Windows\SysWOW64\Bldgoeog.exe
        
        C:\Windows\system32\Bldgoeog.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\Bclppboi.exe
        
        C:\Windows\system32\Bclppboi.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\SysWOW64\Bihhhi32.exe
        
        C:\Windows\system32\Bihhhi32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4208
        
        C:\Windows\SysWOW64\Bpbpecen.exe
        
        C:\Windows\system32\Bpbpecen.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\SysWOW64\Bbalaoda.exe
        
        C:\Windows\system32\Bbalaoda.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\SysWOW64\Bikeni32.exe
        
        C:\Windows\system32\Bikeni32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3220
        
        C:\Windows\SysWOW64\Bcpika32.exe
        
        C:\Windows\system32\Bcpika32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\SysWOW64\Beaecjab.exe
        
        C:\Windows\system32\Beaecjab.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Windows\SysWOW64\Blknpdho.exe
        
        C:\Windows\system32\Blknpdho.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\SysWOW64\Bbefln32.exe
        
        C:\Windows\system32\Bbefln32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\SysWOW64\Bipnihgi.exe
        
        C:\Windows\system32\Bipnihgi.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3556
        
        C:\Windows\SysWOW64\Cbhbbn32.exe
        
        C:\Windows\system32\Cbhbbn32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\SysWOW64\Cefoni32.exe
        
        C:\Windows\system32\Cefoni32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2904
        
        C:\Windows\SysWOW64\Cmmgof32.exe
        
        C:\Windows\system32\Cmmgof32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4284
        
        C:\Windows\SysWOW64\Cdgolq32.exe
        
        C:\Windows\system32\Cdgolq32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3036
        
        C:\Windows\SysWOW64\Cehlcikj.exe
        
        C:\Windows\system32\Cehlcikj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2684
        
        C:\Windows\SysWOW64\Clbdpc32.exe
        
        C:\Windows\system32\Clbdpc32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Cbmlmmjd.exe
        
        C:\Windows\system32\Cbmlmmjd.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:532
        
        C:\Windows\SysWOW64\Cekhihig.exe
        
        C:\Windows\system32\Cekhihig.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1476
        
        C:\Windows\SysWOW64\Cpqlfa32.exe
        
        C:\Windows\system32\Cpqlfa32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Cfjeckpj.exe
        
        C:\Windows\system32\Cfjeckpj.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4504
        
        C:\Windows\SysWOW64\Cmdmpe32.exe
        
        C:\Windows\system32\Cmdmpe32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2144
        
        C:\Windows\SysWOW64\Cdnelpod.exe
        
        C:\Windows\system32\Cdnelpod.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4024
        
        C:\Windows\SysWOW64\Cfmahknh.exe
        
        C:\Windows\system32\Cfmahknh.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2184
        
        C:\Windows\SysWOW64\Ciknefmk.exe
        
        C:\Windows\system32\Ciknefmk.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1736
        
        C:\Windows\SysWOW64\Clijablo.exe
        
        C:\Windows\system32\Clijablo.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:832
        
        C:\Windows\SysWOW64\Ddqbbo32.exe
        
        C:\Windows\system32\Ddqbbo32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\Dmifkecb.exe
        
        C:\Windows\system32\Dmifkecb.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Dpgbgpbe.exe
        
        C:\Windows\system32\Dpgbgpbe.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Dbfoclai.exe
        
        C:\Windows\system32\Dbfoclai.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Dedkogqm.exe
        
        C:\Windows\system32\Dedkogqm.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\Dmkcpdao.exe
        
        C:\Windows\system32\Dmkcpdao.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Ddekmo32.exe
        
        C:\Windows\system32\Ddekmo32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3432
        
        C:\Windows\SysWOW64\Defheg32.exe
        
        C:\Windows\system32\Defheg32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3624
        
        C:\Windows\SysWOW64\Dmnpfd32.exe
        
        C:\Windows\system32\Dmnpfd32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:336
        
        C:\Windows\SysWOW64\Dpllbp32.exe
        
        C:\Windows\system32\Dpllbp32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4680
        
        C:\Windows\SysWOW64\Dbkhnk32.exe
        
        C:\Windows\system32\Dbkhnk32.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3100 -s 400
        47⤵
        Program crash
        
        PID:2056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3100 -ip 3100
1⤵
PID:956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4324,i,8293235976513689021,7261015831736501466,262144 --variations-seed-version --mojo-platform-channel-handle=4336 /prefetch:8
1⤵
PID:4824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acgfec32.exe

Filesize
64KB

MD5
25caa00a7b9d182eed53a749c51140f5

SHA1
fbfd6bea2b4be7355c50f8063f8cb0c6cd6d6613

SHA256
28e329789064834de16873eb948c6a32d786cf8d59642c15e2871f155e362f0d

SHA512
14abf28021f3afa89ad4975034050ffc8e5eafb328c000b5a7d6f9b87c68d9b1fbe84645b6cb03cb3ebec6bd7e8ac4efa45ed2244a9c71419760bccaee61b331

Download Submit
C:\Windows\SysWOW64\Afceko32.exe

Filesize
64KB

MD5
b1fa271f71bea0768828916567fc9d1d

SHA1
a40b0e2399dd41a107c13237d3e8ce021b58705d

SHA256
f0d9346f21e5242e5931eb8c8b443919c1988201925a8e3ddd3c912e756c9a65

SHA512
f7d2d14b63fe357008671a1601360cab52b70245ac23a5025b5dc5a95b2490b04b3d354a987c42297bc86c6c5f9a4d886a4f3e1701b27239dd23fec131bd6dd7

Download Submit
C:\Windows\SysWOW64\Afeban32.exe

Filesize
64KB

MD5
5b38c33f9262f40f5f2e7866eff4e07b

SHA1
6c223c1a373e6c60ceec859a90013875aa6b2c84

SHA256
0d561e4a191a38395ef7e588fb1167575b9bf046ed6f6bac6c8ded6c271837da

SHA512
2ddb4c3a08ad812936b9763a0bb81a46656b92cee8d1691b8532513d3808255d8d0b40ac1f2cd0845d5dcedd8595d5f5877879c6576d5af10f48ac036331dd8e

Download Submit
C:\Windows\SysWOW64\Aidomjaf.exe

Filesize
64KB

MD5
d99856e5006988235b404b5a8a5e80bc

SHA1
246230237baef920932aadb5e748ebb206166c06

SHA256
ef2fe5bdb0345fb36eb54a0bef489d2b473a649cec1d558e8827e591fb1f04da

SHA512
a6a63ef8232c13d170852f44f6a4d272098382bcbe110ebec65df867863f3423775db39a78a8283473eec4d2b88d00a52ec0028aa1574b6dfb35a43c667f06b9

Download Submit
C:\Windows\SysWOW64\Almanf32.exe

Filesize
64KB

MD5
abf9026e217d27bb9d24fc61184d81b1

SHA1
b8dbe47e9106e066383175e4e68fe29f1295713e

SHA256
46beec8d1390e0f5582a08305bd06783c032a72c5fb7b23a491572c970b9bbc9

SHA512
e881a624db8ee742ba4d04510e4b52510a01f718179cf8d24915a8194ad2701fceff34d3851631ebe95487f96b532b3f546e7c90a99ac10e7728220ed04a9336

Download Submit
C:\Windows\SysWOW64\Ammnhilb.exe

Filesize
64KB

MD5
ad4b489350642d13d19a4848cb9b7b0f

SHA1
d4d28ba29b03d776209b084b1d5406255eb72deb

SHA256
e051ae404a58ac5691a87ba5d103ba60db6d0ef6b7efb235370f7bed59628517

SHA512
b8a9f637b0011d169820010f56ed25c1f08dd121e27f5c162fd5fef58ae4e086c7637c6fdd5723f62b7d33c64a678ba65dc036fbd970cceaf39683f390d1d68a

Download Submit
C:\Windows\SysWOW64\Apngjd32.exe

Filesize
64KB

MD5
39854f2b4d42ac23df914eddce811e0b

SHA1
8f9429b78012ecdee6e773f2f3236c91e1a440df

SHA256
d2ac863244f447d683fa75c0ba417041a22170df9f817078ff41d42913f74ae8

SHA512
6c499eb2234f03e380dcc3fe44ee5abea5b1600fa69afd842e246f3225231420ba3dba471d9f18e8c5689c327abd2144a30a3fe320ab31ce8168f447e2bbb496

Download Submit
C:\Windows\SysWOW64\Bbalaoda.exe

Filesize
64KB

MD5
9da365aeff895b11287b3178117eb14b

SHA1
89fe79d1ca035596702c4dd7df75f516bd5a9e2c

SHA256
64b7eb727b8349f2d8a79ef150543f97f4bfd1108eb6087947e2b97e56e8c83c

SHA512
33e96af3088cba32ab0d09065fcea1a4259048cd3beba6743146108af57bc8ab29412979ae80cb95b6b9c9990a7a169878011b9267789d92b93b1d880c18431c

Download Submit
C:\Windows\SysWOW64\Bbefln32.exe

Filesize
64KB

MD5
90bf70abb71ca68dda27fd578a0dca1a

SHA1
c5e2887a9af61002f1ada68c92beb827a734a573

SHA256
1489a0bd1678de2e304e1c1896df7e9835ce93e2ac998ecfa30d3fa913a802ae

SHA512
5af9714475d5cc4365bd6f5ab42ab7e9c60e85f4eb59fdcaf4cf415fd59717d887137d0e06665b9dbbc52d1bc3938075099520d2c8b4d6a302213b7514710944

Download Submit
C:\Windows\SysWOW64\Bclppboi.exe

Filesize
64KB

MD5
23ebea2ebfb855c6d6793f6d7951e3d6

SHA1
1cdb3b8053bc8325a8ed577400799a6ec21901e4

SHA256
d46923883e3735af491d72a49400493867262b6286fb5b0de864fc1102c3e4dd

SHA512
c4835d9432400f0efcf493eff4b835bb312082db5c0913feea1bba24718a101d87be7c27869b14cb0f7216268ba2b2cef4d1098561911df4114275438b2fbd1a

Download Submit
C:\Windows\SysWOW64\Bcpika32.exe

Filesize
64KB

MD5
9140d32a2f551d6c0827709e8289dc0f

SHA1
d757d02d89f891bec1a90e46210480db9d40d2d5

SHA256
d0bb4aff39c8cf9b2262562fefb4cd4c12fddacca83ed81eb12e5e2a0d9aabdc

SHA512
075ea265984756410ae7602f70956418215dee8c6734c7405a1055bb3f0ad1dd0ef8a5c69e064043d540f8fbc96a539a5f9f10a2c6e7fe4d53456747cb248825

Download Submit
C:\Windows\SysWOW64\Beaecjab.exe

Filesize
64KB

MD5
635bdce44b1e17ea9a6a869bf90797df

SHA1
1b89130fcc6964821a71100743a585fa90182b4f

SHA256
d0dd20c6ddadcc3e1914d041b877c22dcba1e4146e0499460528eeb25076253c

SHA512
63b6e63d7d82c8df74e9b571ec55a8b783c9d620d582cef8dafd5c0b109198fc58a6aaa1a93fc2ef4a665717968ce1ae67a3655c5f013db2a77d3cbee6c5b154

Download Submit
C:\Windows\SysWOW64\Bejobk32.exe

Filesize
64KB

MD5
fdefeb9c983c2eec472ca22fded68d83

SHA1
4db65d910976379ec6cfb1dc18bc34ef481cc272

SHA256
88fe596e0d435ff9ec99dd154bc01f9871e950c5633794f1042b4b086451b0fa

SHA512
f9d1e2f35926504ad409fe7904451eaf4ec3636083f60e6755c03be5a37ef084a20dbdf1c46b6cb2db91f6d7a437f0cc2f8d4b01958e290d05197d03f9133f95

Download Submit
C:\Windows\SysWOW64\Bihhhi32.exe

Filesize
64KB

MD5
74d5992b57f325a4d103cfb83ba2e794

SHA1
ec38d91e67780b546ba4436a108ffc6a068312d7

SHA256
64729c69a39ed21fd81e83e16769ac3c37ecb160fbd90c9fb889aede9f149345

SHA512
48d3c9dcbb19ebacee65f278381b7c9d7e7c39d16e29eec0da6c8ac9ed227cb0f669e785ce59486fb21c296c99cb27c170d1cc8c432da10eb5daa2be1203727f

Download Submit
C:\Windows\SysWOW64\Bikeni32.exe

Filesize
64KB

MD5
470bb84961c75a4f8f6f88a5edaa9446

SHA1
0dba4fd2a494ee5ed8f5e645f7ee396e5fb2f08f

SHA256
dcbeac8c2f98d8df0dc9982688d87a158501f4049d40826672958f610f6112f6

SHA512
16ae27bb5c65393c18768a5e43702827cf963488106c9450eaa856557b99aec90eb8fcc13faf9da859e8c10afde70404a465ebf9fe6b69545d3560aa75621cee

Download Submit
C:\Windows\SysWOW64\Bipnihgi.exe

Filesize
64KB

MD5
0e773377c943e94e2bdae2eac4407e5f

SHA1
444def054b75e9d817bb94261cffca1a3a1e228e

SHA256
588b3e5ba94ba24d8209d5b3deb7304783693dabbc084859e642157fb99ce366

SHA512
6b3704039beccc048ab812d99a91c5f8bf672d20caa338da4e2c340a4866fc384f4651c06a42b71749cb0efbb656ca7dca0a9c9ffd27c462e61af63dc060cb07

Download Submit
C:\Windows\SysWOW64\Bldgoeog.exe

Filesize
64KB

MD5
57464e7cd110b6b586eadf551a042dda

SHA1
cfca00e7f9035df3dbe6692a5b72cdf80623b1b2

SHA256
22f29f12adec1db6e899495a0025f9cbd4ee6054bfefe644aa9d8c01336dba45

SHA512
85500fcb208819cfbf69c83a0419478d8c0660f22815ba9f39934d8a9ed1051eb962393d3a5a9fa92f18d4044537075580fba78f5deebfd38ea122f7686409d3

Download Submit
C:\Windows\SysWOW64\Blknpdho.exe

Filesize
64KB

MD5
d7d0d15860732ca2988787700db26451

SHA1
9457dd64bb83f84b19c9f05dd3adcd2923f8ac3c

SHA256
7ac4687b8694c86c1030d467f58d16e38ae0b4e0c92b9e335bfcc90f3cd24434

SHA512
b486a5979c6f97fb338b36d082a8a5049ce7c8f5b083da11f160c6e296ddef3367f694fdfb379b7462c7b55bd6f336978c13c79da5ee7c6d35d854b98d45caf3

Download Submit
C:\Windows\SysWOW64\Bpbpecen.exe

Filesize
64KB

MD5
a33f7defd2741280fffa25f738d3d237

SHA1
3163b927ecb30e5fcd02332f4f5d9ff21845c6e4

SHA256
dc8fd9800f40ee53f2e1f24496d89e5f28d47989bfe133ca4ecfbd92b00ed04b

SHA512
a953b06e6c0be18eaca11083652aa033be1673de9cda7761cd97f08cd1a1293270fbde714c0ffb67bb261cf5d6e748212003b966601d68b15d0eea34e60279ba

Download Submit
C:\Windows\SysWOW64\Cbhbbn32.exe

Filesize
64KB

MD5
c28b2bf6a27942160e67078f6d592a71

SHA1
a3dc88aa6286a6605900a0b009d555e81c61e077

SHA256
ab1ad52d15408113719146dc684af63365c9a00b2b0971623ecda4d3102410c9

SHA512
eadcf11a18d37a13409901cf4303164ab24cbfe48d27910fdc5f8fd844ba40d3b4511f5b48e30de85170621e10d7b1749cb8d7cc16f14e8cb08853b8d71b2d70

Download Submit
C:\Windows\SysWOW64\Cbmlmmjd.exe

Filesize
64KB

MD5
15e044eca8558c095680f56fb4b72045

SHA1
b40896f71fddc30f9847fe5a95daf26f4bf90958

SHA256
4398ffd9ae20ca5fac8da2adad8f7b868a6bbc06de5e1829b44e0dbef6aebf74

SHA512
997278c1be8a36efa5f5ed9bbf744d7930cea3197b798347639787248f1cd39ae05b79556d6633d0ed5e886a59b8d1da705c16378dd064455c0583ba16162b74

Download Submit
C:\Windows\SysWOW64\Cdgolq32.exe

Filesize
64KB

MD5
0a168eefc53375c685361228239beff2

SHA1
8bbd763d88e14ac4ee4c83f8c719131ed673c5b7

SHA256
5625e526dbb4a68e8e5803a5e06a00582f422bfa10866c38866345e435b5d365

SHA512
5ae4af0d3151debb0e84afc154057e254966d51e34207416557e254245e5335c153744c3fd8a723f058ae9305283774d229260b64c85df4927358e485c692471

Download Submit
C:\Windows\SysWOW64\Cdnelpod.exe

Filesize
64KB

MD5
28cc10658c5ecb8fa9f4e4247381f6db

SHA1
b22e7fa1057a756bd27a0b04ea2f541d65942275

SHA256
09e502ea8f5bd7589dcffc2bb4332d5174de45971145cc94830d2b82851bcf86

SHA512
0066008173b2958a861b39ddf8c6151bffbe1336e76643bc0313959fcf9e4168e700af07fde2f4a54ee2578332132f03901577f23227faef64a167aecf5a1d68

Download Submit
C:\Windows\SysWOW64\Cefoni32.exe

Filesize
64KB

MD5
10a1f1aeef703584c2fa1974159309f4

SHA1
a6ddd91c3fbd0a3f3a28f92afd1a6ceba3f6fcd2

SHA256
4718af1941799670e816766448fc2f0e9401c32c377dd818e3c6de13355b75aa

SHA512
f5e5b0d422024c74bf9552b52fe54a79e0cbbd482abc76a74d6eabc25bf87f837db57f7052a8f2157fde83482605dd4924333af92243dd8b816433eb7c2b357d

Download Submit
C:\Windows\SysWOW64\Cehlcikj.exe

Filesize
64KB

MD5
4fe1756ad065827d0574f2d1a570f913

SHA1
d1f2c4ba5e99ace06f90bd4085867d034005bef4

SHA256
6edbaf0d4960a83ea3f11af874a251808018ca723fefe309e32c0f826cbe87eb

SHA512
1cf4bf5c729a737080f0130fb8c86d594b349d0280bdd5bbcbff55c3bd4e4a1b7113db34b5928dad8e7e4355c261dffda0f1644f89b7422852b458035c279f38

Download Submit
C:\Windows\SysWOW64\Cekhihig.exe

Filesize
64KB

MD5
f114cd4ad793d66e6b6535797bff91b2

SHA1
f3a7e5574e8af4e5fced0fd0cf7f2b5b6a948939

SHA256
147758e25660b323d33c1699ff3f47df91c9961cfbc26bcd71486fc73f34584e

SHA512
74ff66e81db1ca69f5be57f0d212ef18df2110564075dfd5b4eb7ed0cfc9adc078d2b651ef84e9b3eeff0c506937c0907595861ce9587e318109b68787b5b3e2

Download Submit
C:\Windows\SysWOW64\Cfjeckpj.exe

Filesize
64KB

MD5
c5ab1e6ad764fed55e2b8f1f68eef606

SHA1
a85212c63195d2ae77ceccac289b8ddbf78e3ed9

SHA256
e3ba90cfe989892c71be084f338b95c03b8ba9f1e555fc1f6224333ad80022a4

SHA512
d84b0b2aa8e097b6ea68c24a70c2a35c5bea55932d0013cac1e12e7d4e99a84e4e7969ee10c4795c35ea87c528ea2140a3b21bbf5fee084facb11f32e1b66110

Download Submit
C:\Windows\SysWOW64\Cfmahknh.exe

Filesize
64KB

MD5
0a458b7d214c7167a98f353969a67474

SHA1
8c58264067a0b52b34415b6726bb7806006212b8

SHA256
b966a1f52dbd67bcc54f7104065fa1ac19f952cb75fd664cc39d4774c3e44ce3

SHA512
1e4e4452c21ee6340de651b464ec6fd0d10539390b1de4d153c15f463e03a092091d8637e4d89d07cd9842f7c57b974ca72bd5c519a50fd46c06a73ba531b186

Download Submit
C:\Windows\SysWOW64\Ciknefmk.exe

Filesize
64KB

MD5
50c14a87ef26e9ae4c652e2c2037d0f4

SHA1
34e50fd610a86d0af2ae7c7482e6438c6fbc5320

SHA256
0a9401a1bda8bbcaef627ea3afe28dbda4962407e3fb47c4932a3f797cc2c7e7

SHA512
45d2e2ca73a862454c11d7a3fc8a05367015c6a0a52aa3046f02bd5a21bb12d28c679bdfb45ba33932adf220800293848ec544f3cca7a6ef7791599497f3ec78

Download Submit
C:\Windows\SysWOW64\Clbdpc32.exe

Filesize
64KB

MD5
c2ddf31f45c292e38be55b26d1c5cb92

SHA1
59570c8fb18f7a0ffbfffec099a67e8e5a1b005f

SHA256
6a2464ea6cd134d52a1b64cfd0bb24f7a738b15f7a279a766c62734a3e21a3da

SHA512
9104f65a60651b74ed420d47ae300156ecccf6c51baa2e1313b6d5cb6260ece47a26a683c3b8c0be2245cdc34d0ddc987668d9108d04b689cdd8f2cbcef07ec5

Download Submit
C:\Windows\SysWOW64\Clijablo.exe

Filesize
64KB

MD5
56071e91ec83c40279ea0794f13b5871

SHA1
c15ac1eb2dde90e8083e93881a1e703432f3332f

SHA256
d997505c9c2a30027e79ad18a05e8c0e82f1ea9e771b21b2f74b3a04c37ab775

SHA512
ee03069ad966ed0151004c3fb1ea1b1026fb442501854e7ce47851241996168a3d8da412600fde9539c35c66883e18dc8c458c246bdbf63a68bfb30eca4a902f

Download Submit
C:\Windows\SysWOW64\Cmdmpe32.exe

Filesize
64KB

MD5
08d782421b420685f64ea7d7dd2f897a

SHA1
a882aaf3cdd4efa9a528a8609cd7fef44094cf4d

SHA256
20b8a90e216d1208e515a407845398bec7cf9d95ad3bc884298b84cf5176f5bb

SHA512
dc26f9ab27322f51ed27e47a0bf3dfa332f5bc82650fd3dcd1b4c89c153b73d1cfee9955cb7b4bd808a37c6053c87eaa05b98bcef83c03d4acdec80ee0a3ba66

Download Submit
C:\Windows\SysWOW64\Cpqlfa32.exe

Filesize
64KB

MD5
77ef09ce4baeb201491a6f791803b104

SHA1
1d5e967d20923f7dcf336b9e2b80c7de217980b2

SHA256
fa372622946ccd41fc1c3bf1ca82fa241efd725bcb78ce50ee706846032ea489

SHA512
c0b142525fe5f243a6ecc8c152c694e11eb74f22c8f3d8e2618889ed0f0f0da2972b3b131e89a847cc0e8538188cead1283953ff2d6fd1affa82ce533557af7d

Download Submit
C:\Windows\SysWOW64\Dmifkecb.exe

Filesize
64KB

MD5
aa10d9a3b5ec3f2e40cc2900cbd433e5

SHA1
bb48e647fe0ea69a7717383e897c444e828057cc

SHA256
a59225ab3a0d599a031f3a07e5b29f13dc1a54a800ea7f280127755cab1a9db3

SHA512
e96feedea4d46626eda46f14be40bbd505d4c7e51770f58727713994cb15bdf69d4d3e95b537a4b767f6f1d92834c5197a4f86bdf9ccdd2645870891fc56aa92

Download Submit
memory/336-317-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/336-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/532-200-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/532-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/832-267-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/924-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/924-405-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1228-383-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1228-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1304-399-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1304-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1476-362-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1476-208-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1580-366-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1580-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1708-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1708-397-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1736-260-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1980-381-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1980-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2004-293-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2004-342-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2144-356-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2144-232-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2184-353-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2184-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2288-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2288-389-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2508-349-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2508-269-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2656-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2656-395-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2684-368-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2684-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2876-281-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2876-345-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2904-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2996-347-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2996-275-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3036-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3036-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3100-329-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3208-375-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3208-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3220-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3220-387-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3432-338-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3432-305-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3548-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3548-409-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3556-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3556-377-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3596-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3596-403-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3624-311-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3624-336-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3712-413-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3712-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3772-415-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3772-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3836-407-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3836-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4024-244-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4208-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4208-393-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4284-168-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4284-372-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4388-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4388-360-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4488-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4488-391-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4504-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4504-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4520-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4520-411-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4552-344-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4552-287-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4640-401-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4640-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4680-323-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4680-332-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4856-299-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4856-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4904-379-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4904-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4940-120-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4940-385-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads