5be332d1e8ef4ecb34856285089ac17a5bccaf9b4ff2828cae2870d67b990638

Analysis

max time kernel
114s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 12:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2e19061cbea78be4285334a4e630520N.exe
Size

64KB
MD5

a2e19061cbea78be4285334a4e630520
SHA1

d9be5f99311813952ddbe092210649bdd63c104b
SHA256

5be332d1e8ef4ecb34856285089ac17a5bccaf9b4ff2828cae2870d67b990638
SHA512

9a2ce23c21b1f2a0d484c320664f3498b87e2e7fe47bcc5400291cdebf4535951facf4bb02df9906486106e16070a2e907fcefcfc5b1476a833bc382adf13d79
SSDEEP

1536:PWPneZDMJM4AOaYc+Ce2gl9Km2baeKbGazL042LLrDWBi:IepMlAOaYJCJ8tbrL0JL2Bi

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bliajd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbaehl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbaehl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aidomjaf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bldgoeog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bldgoeog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmkjig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmkcpdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bejobk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beaecjab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciiaogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddcogo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmkcpdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a2e19061cbea78be4285334a4e630520N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpifeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfonnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpllbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aioebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbmlmmjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cboibm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmahknh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpllbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bflham32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfcoblfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcicjbal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpjompqc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbmlmmjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfonnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Defheg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acdioc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ammnhilb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bboplo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bliajd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beaecjab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cboibm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmahknh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Defheg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afeban32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bejobk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbjogmlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ciiaogon.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddcogo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpifeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddqbbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpjompqc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ammnhilb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apkjddke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afeban32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aidomjaf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bflham32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bihhhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blknpdho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbjogmlf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cifdjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clgmkbna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	a2e19061cbea78be4285334a4e630520N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blgddd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apimodmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apkjddke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bboplo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clgmkbna.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddqbbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfcoblfb.exe

Executes dropped EXE 36 IoCs

pid	Process
2420	Aioebj32.exe
1744	Apimodmh.exe
3720	Acdioc32.exe
1972	Ammnhilb.exe
2684	Apkjddke.exe
3104	Afeban32.exe
1108	Aidomjaf.exe
1304	Bcicjbal.exe
1864	Bejobk32.exe
3212	Bldgoeog.exe
1180	Bboplo32.exe
2164	Bihhhi32.exe
4320	Blgddd32.exe
1720	Bflham32.exe
1564	Bliajd32.exe
2184	Beaecjab.exe
4448	Blknpdho.exe
3100	Bmkjig32.exe
3448	Cpifeb32.exe
956	Cfcoblfb.exe
2316	Cbjogmlf.exe
2740	Cbmlmmjd.exe
4552	Cifdjg32.exe
1960	Cboibm32.exe
3216	Ciiaogon.exe
2364	Clgmkbna.exe
4532	Cbaehl32.exe
4864	Cfmahknh.exe
376	Ddqbbo32.exe
800	Dfonnk32.exe
3516	Ddcogo32.exe
4540	Dmkcpdao.exe
1664	Dpjompqc.exe
3140	Defheg32.exe
2876	Dpllbp32.exe
924	Dbkhnk32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ammnhilb.exe	Acdioc32.exe
File created	C:\Windows\SysWOW64\Fmbcdide.dll	Bmkjig32.exe
File created	C:\Windows\SysWOW64\Ldbeqlcg.dll	Dpjompqc.exe
File created	C:\Windows\SysWOW64\Mckfmq32.dll	Defheg32.exe
File created	C:\Windows\SysWOW64\Acdioc32.exe	Apimodmh.exe
File created	C:\Windows\SysWOW64\Gdfmgqph.dll	Bliajd32.exe
File created	C:\Windows\SysWOW64\Cfcoblfb.exe	Cpifeb32.exe
File created	C:\Windows\SysWOW64\Bkpjjj32.dll	Ciiaogon.exe
File opened for modification	C:\Windows\SysWOW64\Dfonnk32.exe	Ddqbbo32.exe
File created	C:\Windows\SysWOW64\Dpjompqc.exe	Dmkcpdao.exe
File created	C:\Windows\SysWOW64\Cefnemqj.dll	Acdioc32.exe
File created	C:\Windows\SysWOW64\Bihhhi32.exe	Bboplo32.exe
File created	C:\Windows\SysWOW64\Pimdleea.dll	Bboplo32.exe
File opened for modification	C:\Windows\SysWOW64\Blknpdho.exe	Beaecjab.exe
File created	C:\Windows\SysWOW64\Ammnhilb.exe	Acdioc32.exe
File opened for modification	C:\Windows\SysWOW64\Cpifeb32.exe	Bmkjig32.exe
File created	C:\Windows\SysWOW64\Aioebj32.exe	a2e19061cbea78be4285334a4e630520N.exe
File opened for modification	C:\Windows\SysWOW64\Cbmlmmjd.exe	Cbjogmlf.exe
File opened for modification	C:\Windows\SysWOW64\Dpjompqc.exe	Dmkcpdao.exe
File created	C:\Windows\SysWOW64\Fiinbn32.dll	Dmkcpdao.exe
File created	C:\Windows\SysWOW64\Dpllbp32.exe	Defheg32.exe
File opened for modification	C:\Windows\SysWOW64\Acdioc32.exe	Apimodmh.exe
File created	C:\Windows\SysWOW64\Cieoen32.dll	Apimodmh.exe
File created	C:\Windows\SysWOW64\Plmiie32.dll	Ammnhilb.exe
File opened for modification	C:\Windows\SysWOW64\Bflham32.exe	Blgddd32.exe
File created	C:\Windows\SysWOW64\Cboibm32.exe	Cifdjg32.exe
File created	C:\Windows\SysWOW64\Bcicjbal.exe	Aidomjaf.exe
File opened for modification	C:\Windows\SysWOW64\Bcicjbal.exe	Aidomjaf.exe
File created	C:\Windows\SysWOW64\Bejobk32.exe	Bcicjbal.exe
File created	C:\Windows\SysWOW64\Cbmlmmjd.exe	Cbjogmlf.exe
File created	C:\Windows\SysWOW64\Cifdjg32.exe	Cbmlmmjd.exe
File created	C:\Windows\SysWOW64\Adlafb32.dll	Ddqbbo32.exe
File created	C:\Windows\SysWOW64\Bflham32.exe	Blgddd32.exe
File created	C:\Windows\SysWOW64\Aahgec32.dll	Bflham32.exe
File opened for modification	C:\Windows\SysWOW64\Cbaehl32.exe	Clgmkbna.exe
File created	C:\Windows\SysWOW64\Dfonnk32.exe	Ddqbbo32.exe
File created	C:\Windows\SysWOW64\Aidomjaf.exe	Afeban32.exe
File created	C:\Windows\SysWOW64\Ciiaogon.exe	Cboibm32.exe
File opened for modification	C:\Windows\SysWOW64\Dmkcpdao.exe	Ddcogo32.exe
File opened for modification	C:\Windows\SysWOW64\Bboplo32.exe	Bldgoeog.exe
File opened for modification	C:\Windows\SysWOW64\Dbkhnk32.exe	Dpllbp32.exe
File created	C:\Windows\SysWOW64\Dmkcpdao.exe	Ddcogo32.exe
File opened for modification	C:\Windows\SysWOW64\Aioebj32.exe	a2e19061cbea78be4285334a4e630520N.exe
File opened for modification	C:\Windows\SysWOW64\Aidomjaf.exe	Afeban32.exe
File opened for modification	C:\Windows\SysWOW64\Bihhhi32.exe	Bboplo32.exe
File opened for modification	C:\Windows\SysWOW64\Cifdjg32.exe	Cbmlmmjd.exe
File created	C:\Windows\SysWOW64\Boipkd32.dll	Bihhhi32.exe
File opened for modification	C:\Windows\SysWOW64\Ddqbbo32.exe	Cfmahknh.exe
File created	C:\Windows\SysWOW64\Idbgcb32.dll	Ddcogo32.exe
File created	C:\Windows\SysWOW64\Dpaohckm.dll	Cfmahknh.exe
File opened for modification	C:\Windows\SysWOW64\Beaecjab.exe	Bliajd32.exe
File created	C:\Windows\SysWOW64\Dbebgj32.dll	Blknpdho.exe
File opened for modification	C:\Windows\SysWOW64\Cfcoblfb.exe	Cpifeb32.exe
File created	C:\Windows\SysWOW64\Nfcnnnil.dll	Cbjogmlf.exe
File opened for modification	C:\Windows\SysWOW64\Clgmkbna.exe	Ciiaogon.exe
File created	C:\Windows\SysWOW64\Cpifeb32.exe	Bmkjig32.exe
File opened for modification	C:\Windows\SysWOW64\Ciiaogon.exe	Cboibm32.exe
File created	C:\Windows\SysWOW64\Naefjl32.dll	Dpllbp32.exe
File opened for modification	C:\Windows\SysWOW64\Bliajd32.exe	Bflham32.exe
File opened for modification	C:\Windows\SysWOW64\Bmkjig32.exe	Blknpdho.exe
File opened for modification	C:\Windows\SysWOW64\Ddcogo32.exe	Dfonnk32.exe
File created	C:\Windows\SysWOW64\Apkjddke.exe	Ammnhilb.exe
File opened for modification	C:\Windows\SysWOW64\Afeban32.exe	Apkjddke.exe
File created	C:\Windows\SysWOW64\Bboplo32.exe	Bldgoeog.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4840	924	WerFault.exe	129

System Location Discovery: System Language Discovery 1 TTPs 37 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciiaogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apimodmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bflham32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfonnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afeban32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bldgoeog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cifdjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpllbp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bihhhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbjogmlf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpifeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmahknh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpjompqc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apkjddke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aidomjaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bejobk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfcoblfb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clgmkbna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbaehl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Defheg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbkhnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acdioc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blknpdho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmkcpdao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ammnhilb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbmlmmjd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcicjbal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bboplo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blgddd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bliajd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beaecjab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cboibm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a2e19061cbea78be4285334a4e630520N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aioebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddqbbo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddcogo32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blknpdho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpifeb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddcogo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpjompqc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	a2e19061cbea78be4285334a4e630520N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkjdhm32.dll"	a2e19061cbea78be4285334a4e630520N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bldgoeog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bihhhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plmiie32.dll"	Ammnhilb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbebgj32.dll"	Blknpdho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bihhhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haaggn32.dll"	Beaecjab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Defheg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkpjjj32.dll"	Ciiaogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clgmkbna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpaohckm.dll"	Cfmahknh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ammnhilb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bejobk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Boipkd32.dll"	Bihhhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bliajd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkiecbnd.dll"	Cpifeb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aidomjaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmkjig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bflham32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpifeb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbjogmlf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbaehl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cefnemqj.dll"	Acdioc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afeban32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcicjbal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blgddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idbgcb32.dll"	Ddcogo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naefjl32.dll"	Dpllbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcicjbal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cifdjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ciiaogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clgmkbna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cieoen32.dll"	Apimodmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfiefp32.dll"	Apkjddke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pimdleea.dll"	Bboplo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bboplo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acdioc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Defheg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmahknh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmkcpdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	a2e19061cbea78be4285334a4e630520N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmhpkebp.dll"	Bldgoeog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aahgec32.dll"	Bflham32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beaecjab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cboibm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ciiaogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dpllbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bliajd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beaecjab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqhqndlf.dll"	Cfcoblfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cboibm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfcoblfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfonnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aioebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aidomjaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcgmiidl.dll"	Cbmlmmjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfcnnnil.dll"	Cbjogmlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbjogmlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiinbn32.dll"	Dmkcpdao.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3772 wrote to memory of 2420	3772	a2e19061cbea78be4285334a4e630520N.exe	91
PID 3772 wrote to memory of 2420	3772	a2e19061cbea78be4285334a4e630520N.exe	91
PID 3772 wrote to memory of 2420	3772	a2e19061cbea78be4285334a4e630520N.exe	91
PID 2420 wrote to memory of 1744	2420	Aioebj32.exe	92
PID 2420 wrote to memory of 1744	2420	Aioebj32.exe	92
PID 2420 wrote to memory of 1744	2420	Aioebj32.exe	92
PID 1744 wrote to memory of 3720	1744	Apimodmh.exe	93
PID 1744 wrote to memory of 3720	1744	Apimodmh.exe	93
PID 1744 wrote to memory of 3720	1744	Apimodmh.exe	93
PID 3720 wrote to memory of 1972	3720	Acdioc32.exe	94
PID 3720 wrote to memory of 1972	3720	Acdioc32.exe	94
PID 3720 wrote to memory of 1972	3720	Acdioc32.exe	94
PID 1972 wrote to memory of 2684	1972	Ammnhilb.exe	95
PID 1972 wrote to memory of 2684	1972	Ammnhilb.exe	95
PID 1972 wrote to memory of 2684	1972	Ammnhilb.exe	95
PID 2684 wrote to memory of 3104	2684	Apkjddke.exe	96
PID 2684 wrote to memory of 3104	2684	Apkjddke.exe	96
PID 2684 wrote to memory of 3104	2684	Apkjddke.exe	96
PID 3104 wrote to memory of 1108	3104	Afeban32.exe	97
PID 3104 wrote to memory of 1108	3104	Afeban32.exe	97
PID 3104 wrote to memory of 1108	3104	Afeban32.exe	97
PID 1108 wrote to memory of 1304	1108	Aidomjaf.exe	99
PID 1108 wrote to memory of 1304	1108	Aidomjaf.exe	99
PID 1108 wrote to memory of 1304	1108	Aidomjaf.exe	99
PID 1304 wrote to memory of 1864	1304	Bcicjbal.exe	100
PID 1304 wrote to memory of 1864	1304	Bcicjbal.exe	100
PID 1304 wrote to memory of 1864	1304	Bcicjbal.exe	100
PID 1864 wrote to memory of 3212	1864	Bejobk32.exe	101
PID 1864 wrote to memory of 3212	1864	Bejobk32.exe	101
PID 1864 wrote to memory of 3212	1864	Bejobk32.exe	101
PID 3212 wrote to memory of 1180	3212	Bldgoeog.exe	102
PID 3212 wrote to memory of 1180	3212	Bldgoeog.exe	102
PID 3212 wrote to memory of 1180	3212	Bldgoeog.exe	102
PID 1180 wrote to memory of 2164	1180	Bboplo32.exe	103
PID 1180 wrote to memory of 2164	1180	Bboplo32.exe	103
PID 1180 wrote to memory of 2164	1180	Bboplo32.exe	103
PID 2164 wrote to memory of 4320	2164	Bihhhi32.exe	104
PID 2164 wrote to memory of 4320	2164	Bihhhi32.exe	104
PID 2164 wrote to memory of 4320	2164	Bihhhi32.exe	104
PID 4320 wrote to memory of 1720	4320	Blgddd32.exe	105
PID 4320 wrote to memory of 1720	4320	Blgddd32.exe	105
PID 4320 wrote to memory of 1720	4320	Blgddd32.exe	105
PID 1720 wrote to memory of 1564	1720	Bflham32.exe	106
PID 1720 wrote to memory of 1564	1720	Bflham32.exe	106
PID 1720 wrote to memory of 1564	1720	Bflham32.exe	106
PID 1564 wrote to memory of 2184	1564	Bliajd32.exe	107
PID 1564 wrote to memory of 2184	1564	Bliajd32.exe	107
PID 1564 wrote to memory of 2184	1564	Bliajd32.exe	107
PID 2184 wrote to memory of 4448	2184	Beaecjab.exe	108
PID 2184 wrote to memory of 4448	2184	Beaecjab.exe	108
PID 2184 wrote to memory of 4448	2184	Beaecjab.exe	108
PID 4448 wrote to memory of 3100	4448	Blknpdho.exe	110
PID 4448 wrote to memory of 3100	4448	Blknpdho.exe	110
PID 4448 wrote to memory of 3100	4448	Blknpdho.exe	110
PID 3100 wrote to memory of 3448	3100	Bmkjig32.exe	111
PID 3100 wrote to memory of 3448	3100	Bmkjig32.exe	111
PID 3100 wrote to memory of 3448	3100	Bmkjig32.exe	111
PID 3448 wrote to memory of 956	3448	Cpifeb32.exe	112
PID 3448 wrote to memory of 956	3448	Cpifeb32.exe	112
PID 3448 wrote to memory of 956	3448	Cpifeb32.exe	112
PID 956 wrote to memory of 2316	956	Cfcoblfb.exe	113
PID 956 wrote to memory of 2316	956	Cfcoblfb.exe	113
PID 956 wrote to memory of 2316	956	Cfcoblfb.exe	113
PID 2316 wrote to memory of 2740	2316	Cbjogmlf.exe	114

C:\Users\Admin\AppData\Local\Temp\a2e19061cbea78be4285334a4e630520N.exe
"C:\Users\Admin\AppData\Local\Temp\a2e19061cbea78be4285334a4e630520N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3772
- C:\Windows\SysWOW64\Aioebj32.exe
  C:\Windows\system32\Aioebj32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Windows\SysWOW64\Apimodmh.exe
    C:\Windows\system32\Apimodmh.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1744
  - - C:\Windows\SysWOW64\Acdioc32.exe
      C:\Windows\system32\Acdioc32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3720
    - - C:\Windows\SysWOW64\Ammnhilb.exe
        
        C:\Windows\system32\Ammnhilb.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1972
      - C:\Windows\SysWOW64\Apkjddke.exe
        
        C:\Windows\system32\Apkjddke.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\SysWOW64\Afeban32.exe
        
        C:\Windows\system32\Afeban32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3104
        
        C:\Windows\SysWOW64\Aidomjaf.exe
        
        C:\Windows\system32\Aidomjaf.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1108
        
        C:\Windows\SysWOW64\Bcicjbal.exe
        
        C:\Windows\system32\Bcicjbal.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1304
        
        C:\Windows\SysWOW64\Bejobk32.exe
        
        C:\Windows\system32\Bejobk32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\SysWOW64\Bldgoeog.exe
        
        C:\Windows\system32\Bldgoeog.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Windows\SysWOW64\Bboplo32.exe
        
        C:\Windows\system32\Bboplo32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1180
        
        C:\Windows\SysWOW64\Bihhhi32.exe
        
        C:\Windows\system32\Bihhhi32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\SysWOW64\Blgddd32.exe
        
        C:\Windows\system32\Blgddd32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4320
        
        C:\Windows\SysWOW64\Bflham32.exe
        
        C:\Windows\system32\Bflham32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\SysWOW64\Bliajd32.exe
        
        C:\Windows\system32\Bliajd32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\SysWOW64\Beaecjab.exe
        
        C:\Windows\system32\Beaecjab.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\SysWOW64\Blknpdho.exe
        
        C:\Windows\system32\Blknpdho.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\SysWOW64\Bmkjig32.exe
        
        C:\Windows\system32\Bmkjig32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\Windows\SysWOW64\Cpifeb32.exe
        
        C:\Windows\system32\Cpifeb32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3448
        
        C:\Windows\SysWOW64\Cfcoblfb.exe
        
        C:\Windows\system32\Cfcoblfb.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:956
        
        C:\Windows\SysWOW64\Cbjogmlf.exe
        
        C:\Windows\system32\Cbjogmlf.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\Cbmlmmjd.exe
        
        C:\Windows\system32\Cbmlmmjd.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Cifdjg32.exe
        
        C:\Windows\system32\Cifdjg32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Cboibm32.exe
        
        C:\Windows\system32\Cboibm32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Ciiaogon.exe
        
        C:\Windows\system32\Ciiaogon.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3216
        
        C:\Windows\SysWOW64\Clgmkbna.exe
        
        C:\Windows\system32\Clgmkbna.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Cbaehl32.exe
        
        C:\Windows\system32\Cbaehl32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4532
        
        C:\Windows\SysWOW64\Cfmahknh.exe
        
        C:\Windows\system32\Cfmahknh.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Ddqbbo32.exe
        
        C:\Windows\system32\Ddqbbo32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:376
        
        C:\Windows\SysWOW64\Dfonnk32.exe
        
        C:\Windows\system32\Dfonnk32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:800
        
        C:\Windows\SysWOW64\Ddcogo32.exe
        
        C:\Windows\system32\Ddcogo32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3516
        
        C:\Windows\SysWOW64\Dmkcpdao.exe
        
        C:\Windows\system32\Dmkcpdao.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4540
        
        C:\Windows\SysWOW64\Dpjompqc.exe
        
        C:\Windows\system32\Dpjompqc.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1664
        
        C:\Windows\SysWOW64\Defheg32.exe
        
        C:\Windows\system32\Defheg32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3140
        
        C:\Windows\SysWOW64\Dpllbp32.exe
        
        C:\Windows\system32\Dpllbp32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Dbkhnk32.exe
        
        C:\Windows\system32\Dbkhnk32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 924 -s 400
        38⤵
        Program crash
        
        PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 924 -ip 924
1⤵
PID:1708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4336,i,8293235976513689021,7261015831736501466,262144 --variations-seed-version --mojo-platform-channel-handle=4324 /prefetch:8
1⤵
PID:3112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acdioc32.exe

Filesize
64KB

MD5
57e87796b3f142c6008b66650783cd4e

SHA1
6b512364114bf9192d5e43532a81ec0c36e3f7dc

SHA256
d51945f030d8dfe330b0d28a1c508a6be65bec206fb12369d361cdede2415187

SHA512
5d3e088efd5c70b001253a2d34eebddadd45fcdad35dd50b238dd4c703350129ca9087fc0a44803467e33cb50be39caa644088aa87b8b736b444077e8dc4b16a

Download Submit
C:\Windows\SysWOW64\Afeban32.exe

Filesize
64KB

MD5
441b339d6712dbb95020e8e45f8991af

SHA1
c6dda449e34c21d3d28d85f3a7d50bd617960fa8

SHA256
70eb2f8daf465dbe1bf1d6a3bcde3269452a63d6b5659a02af71b7567ecb5c4b

SHA512
226f97b82ecb87e7d71fbc5ce901c9e3537fc6ba533618dc62d6ce5995aae3d2fa3e59010dd4b279671ca461dbab25c06e480c5a9d9eacf85e7bd1ecb908c59b

Download Submit
C:\Windows\SysWOW64\Aidomjaf.exe

Filesize
64KB

MD5
bac4e74f86133a614e58fbd19a1035cd

SHA1
b6f3575425dc1cab1f334509535fd4911468c8b1

SHA256
1508981af443c875aea2151e4a59fd4a2182b20046e6abd0f9bb8521ba69833a

SHA512
9b5c34185d77387312698b969c2eb9879ade32ebd09449b7ec0add71e8e4916a59080a4d6c713340860da602bc2b6018718ac277e79fbf38dde5bb55f435d530

Download Submit
C:\Windows\SysWOW64\Aioebj32.exe

Filesize
64KB

MD5
687a1c6a3e3d2b4d4d239527e53c28ed

SHA1
15cfd6bf2db3a7298561756cb3107bba07842118

SHA256
12218c906f39183045b6a2efe8dc9532acacec641e199778fa7b46b0a311a70c

SHA512
61001a6730b9d500e48b7ea626e3e365937e9e2583b2ad621646674f570ab8b7f38bf528afe5c1879543255632a64c9219cc123ab1cc0ba78c502f87ca6b8380

Download Submit
C:\Windows\SysWOW64\Ammnhilb.exe

Filesize
64KB

MD5
2ce89c818fce8c5385604c44e130e085

SHA1
f9a5a825e426d9dd267b7a8ad7a22dcb3840e1df

SHA256
6535fe460445e0bbb99783d4254d667eed181a4fb6617b2736a4642823dc3891

SHA512
be5354de0c546d7b0584e013e6261236461f9e2b84696956a24be1df1466d3e9897604cb203a9dfb8078ce328e29ebc9625124b64a1c3ec1faac66c9c6b48674

Download Submit
C:\Windows\SysWOW64\Apimodmh.exe

Filesize
64KB

MD5
72516896a41c03746d44cbc64edac45c

SHA1
ebc6debedf0a54b1c5c073942ca2af0c71fd99e3

SHA256
26b1c1883bc9eacfac7233b94c0033504fd62db6cdfe632f1b86e5e15e19a0e1

SHA512
8129d3367d7b079a2e6ddaf2696489494ef62976a7304827e2f9d3099b9b44fd8f6c6fbf39e30f83f4efb895f03bf9f7cd33892350db5cf6ef6daf50fbe68988

Download Submit
C:\Windows\SysWOW64\Apkjddke.exe

Filesize
64KB

MD5
328b8c3ac6bcbc33af29c6ea3501f2cd

SHA1
6858edca4a60e7d85403d0d99c6eb237685d55d9

SHA256
5a7f7cbc1191e6f3e399c98078733fb423e108c8e4aa118307e3e0b222881069

SHA512
a3345461e0dad2ceae84a2fe091b679deae7e0a847782b64c8115085c55586f6c1a2b2dd65371cdcde305ee2afba91cc16ccbae3a871f53775b9ec16aad2e197

Download Submit
C:\Windows\SysWOW64\Bboplo32.exe

Filesize
64KB

MD5
5210be830726f6241fc6eeffe601e214

SHA1
abcb91a40f939136a86eb8e7913f9cb2832d6ac8

SHA256
4a05a82758bb6526bf8cc2f4e18aa0620b8555970ee29434c362dcf0fa92221a

SHA512
85b48e4200b432c80d41982f647025eb223f783b2e6be27c43dcd72aed05812d32ec68025ad20bfccd7eaf0ca7be7a8fb70e3c7024f6745f13882ea1c00d8dc3

Download Submit
C:\Windows\SysWOW64\Bcicjbal.exe

Filesize
64KB

MD5
b549ee623f74e674e7b107b055219911

SHA1
b6ae58c1bd1891b185cbc73b3f5339a2fdc1c304

SHA256
135d904c0e8b0749bfe46ba3c84ec5d694e78282367835b50b935e60b19e4b1d

SHA512
2ad622cac5b1213adc1dd011fa7e6765f14425cbba13488401ee93a22d90675140add5770831498d5508f74a46a7a018e3b884f982094077703ec28eca033324

Download Submit
C:\Windows\SysWOW64\Beaecjab.exe

Filesize
64KB

MD5
940b02a5c17c2ab525231d72e7810321

SHA1
b4c0aac4a9c09cca1b9f30543c31f518584d7312

SHA256
f1e77e4517680ceb721461edbdec2f372f8d14341a1a08217c73bb7b622c4651

SHA512
aa20f89603ab4c8dd650b1976a39049541583951628972e41ed68b2754c612386c2bb39c61b800291976f664a67afc765e21ffa89b91a148103a8be87442d6d0

Download Submit
C:\Windows\SysWOW64\Bejobk32.exe

Filesize
64KB

MD5
0db9bbda5f3c2428e4a209ff30f8cb7a

SHA1
f9c1fa89f312178afc8ab17d73e90281958945a4

SHA256
44f3013d728a90690e5677a12b9fbc7ffbebc8e3573120d3324745638efc4c3e

SHA512
35634a2d53ab056011914cbc010d0c3134cf6e94c2d99b9cf8fe371e6a9e766831bd2060b441f0f344a5665cbd2020467767bd7bd345b22ef8adde90f2629c16

Download Submit
C:\Windows\SysWOW64\Bflham32.exe

Filesize
64KB

MD5
e4aabc2af039b0b9895d15250055376f

SHA1
af6c00e556fbb7800dfa6dde0455df1b8c1f6bfc

SHA256
7cccc1ea820698827e8576fa0f6b5e08716ab2fbb1552b6aa73c08c0d07c3312

SHA512
a39b13324f5e3ac6c4b5bbc8c972029aadc3bc437ff68d9830cc4791c92e4e4d8f1a2e5c578a580bfd1092e14f5e0de85d438f42e898cec2b30d1c33abc4849e

Download Submit
C:\Windows\SysWOW64\Bihhhi32.exe

Filesize
64KB

MD5
3e791a85f6b1590f631fd8b1dd19e2db

SHA1
ed21bd15081bce142b733767711338f1ed23e8c0

SHA256
95ff4bb05a0d24a8b34f3dec57d523abccfa89b6f79c2b947b151334fc409ea9

SHA512
ba5d2f48bb14fb703f2cbe0037a65ae8f5a10003b9e03e511031c68216dc27058a47c7123b9c6cfaaf2aebe56cec96e0fcd49c0898f10698af2743cfa89ed692

Download Submit
C:\Windows\SysWOW64\Bldgoeog.exe

Filesize
64KB

MD5
8f09417695d11c391a9aa5ac0b38564e

SHA1
f05032814b0f468ce15838a685afa4411a625b6a

SHA256
46a82324a83bc8c7e763962610b60265069dce98b1e5cd08c9a8d8735eec9b78

SHA512
4ef8b011132879203802d771e4c632bd84dda70f548a67719e9cbc491ee40569c4bfab2580a8b7c87fa35e1b05a54c51c6201f54997b4f81ecae0a5ee67fb434

Download Submit
C:\Windows\SysWOW64\Blgddd32.exe

Filesize
64KB

MD5
3a700637573175bf30617861bc3a1c04

SHA1
d621f484aca4b647bb37517486eb98b529f4c4c2

SHA256
261b0822b22dff938ab0a2b3bb68126d16b64161dc7680a947b02af798df6dd5

SHA512
e0ff2869bb21a7892454b214773bf3e153e26916ae196e08a057f3660b24c9b05f0f011eb8f4acdbef861ef79dd3135b772d0713eabe18f780f2a49ea0027ed1

Download Submit
C:\Windows\SysWOW64\Bliajd32.exe

Filesize
64KB

MD5
745881cf5c8d24cc5a6d135c06ffc6e5

SHA1
cd481ba091f43a0234eab2e7cdd975a6c69d6c40

SHA256
4aa38fce05ad3ddbc841ac07e812acb46f809e5e470c18559e7d91c083c997f3

SHA512
331fbbac23ebca2da5832add7407d2a4e67a93aac14effbc3d9a878986fe10cdb218b2c8912e26e9fc1457c6ed6ca5e7eed55161c4207a53216b70885cc5cff8

Download Submit
C:\Windows\SysWOW64\Blknpdho.exe

Filesize
64KB

MD5
564a68208bae6d3b19479903be0efb02

SHA1
a47aa8cb04449c9893c4d3efeae9bc6865ca4777

SHA256
5d803316f6614ce958b4e80011871c59ee3e5244c19cf9fd42af4db62f53ff76

SHA512
b06e5761d4775b55122a597d7b88411198b4676567ee40f6874a37998564975026b4eed22f21792ca1fc783bde6e6dbb0b8b616949dd3105578fc1d4e96f218c

Download Submit
C:\Windows\SysWOW64\Bmkjig32.exe

Filesize
64KB

MD5
abfff8d627e35e0c891360bc32cef1d0

SHA1
93a52e46b6766b0f83c337a2e0b6cc68ccb246a1

SHA256
6c555ad4d0650cfc7bb3f80e49b9a9c161194ad3fde009889671ba85cd1ec827

SHA512
192d9d4018d06e124ee853e6f5cf1ef3b5e24c1ab20e6f10df7e13b21cf350ce639eb432eb718a91846f8ace1e2dfa466222a6292267325ff38667866985333c

Download Submit
C:\Windows\SysWOW64\Cbaehl32.exe

Filesize
64KB

MD5
145d6667dffc6e4ec1c7cc7122164c20

SHA1
422bc905950cd6757a88e65a2368638e56d5602e

SHA256
9c5779486543ee37cd8366971e9fd96812b747a783af0f1c0deade5fc4314867

SHA512
3d72609a127fee0c7f16e0344cb65178380b75c89c83888160c957c79b8f0551be7dc0c3ead9daab82d3c64ff8968d8b0f4ae2f6a93eb66a3c5386994935f620

Download Submit
C:\Windows\SysWOW64\Cbjogmlf.exe

Filesize
64KB

MD5
cc6d9d63b41c6b11dc72d66d87e20598

SHA1
d0677255729670693fc05ee083d79a83c4b0039a

SHA256
f2db182f5c02e38d8032b19cb434d9650a1a503c9e3e0fb21e894a273caebbad

SHA512
2c5ef5581ff19476859254bb9be20db88206199bd8b73e4850429f916493219ea72f3758315dcfde2f44b625d31e38db75ca72d33af4253602ae24d6c7ea99c2

Download Submit
C:\Windows\SysWOW64\Cbmlmmjd.exe

Filesize
64KB

MD5
04e70de52e6e6d226b70da9066a40ffb

SHA1
86e04b8d7aacd3faadf80acf97a09d8e1e0d711c

SHA256
aee7f8d57558738c64e11f44a03df0f7e57b387ab8d9bdda155c1dd4ef80df10

SHA512
3bff7659210dde570f5621e4bc28f63806214d51d4a1132268a78c6be882907cd4ef643618437a092a1aa045952ebaabd2027a4a2b0f9e67c8472d5efd614760

Download Submit
C:\Windows\SysWOW64\Cboibm32.exe

Filesize
64KB

MD5
556dfc9279bb11a9be8996fa24b396e4

SHA1
6af996d3a51662a4c41ff403af3df2d97e43d423

SHA256
c1a4fb20e8cc68d3b189accde71c19272982da7ce190f60aaf3f43bfe3b210cb

SHA512
3231a0e2a5dedaf1579261a1532795c3d064f6f214ddaae521dd599e91b421831de24e941919e9ce90f48487e2e6c1c96dde3b605bba9e164db3a31422a3c107

Download Submit
C:\Windows\SysWOW64\Cfcoblfb.exe

Filesize
64KB

MD5
d7e45536f0c6ab0776d4a02ce46ca09a

SHA1
ec123f4190ec298a8189bbfdd957caef4a29823a

SHA256
b379adb131c19e68f6c73d21b55adea2f3e9cae7fd2aa8ecbb5b033aa41bdccb

SHA512
ffda6efc535301c3f420acfc125314712c58ba61291115ff765bfc0c3eadde785945453340dc4d3fcdc1f413ec898109f6941b304309e22c133a89cd640b2d78

Download Submit
C:\Windows\SysWOW64\Cfmahknh.exe

Filesize
64KB

MD5
474495787a9d9144fac499f4747bb99a

SHA1
ee69b3184b7af1be42e17c51fe79c8c0d562bfb2

SHA256
0436ea313269fe86ca9ecc8ed47bc61087b50efc84c16f91a55eb65b9fd66e39

SHA512
71652a2563d51a9b75f296111635cc73f394c04715d041d0b608631345c322b6ae31ef7770e4a07c51c1401a400158e5500c317aafb2fb86cb61ffea2af6b1c8

Download Submit
C:\Windows\SysWOW64\Cifdjg32.exe

Filesize
64KB

MD5
f3ece41bf38de112ab439ceb3157afdb

SHA1
82c9876895d3fe29de126f60fc2d5cc0cce042cb

SHA256
eac76f77edb6e30e4202bea23a92d04b93338a5a75b08a102f7dcb69e39eae4f

SHA512
288612b0635b2e08d8f902edfe7feb8514b0c8ee82d4bf307d6d005ecea3b8e4558597b855734d070865a9cd8713b2b95f28f7d25895f21225197cf41236086f

Download Submit
C:\Windows\SysWOW64\Ciiaogon.exe

Filesize
64KB

MD5
72c78811dced1a8ff8c73672451000a6

SHA1
4012a1e4fe2faed38de4012251482a1a5ca91d94

SHA256
076de16692a17509eccf20f867642191ba6dd69dc92331de0a06d58078ea34ce

SHA512
ba3e7c5e44a41548c2157f32a7a168c80c80b3d4a4e2b71f07fc44cb738e87516df50a735dbb9dcb15744f55655a4b2621a0c5c7c16019528e4c20e35a08017e

Download Submit
C:\Windows\SysWOW64\Clgmkbna.exe

Filesize
64KB

MD5
edb685a30a4a38d3d069bfca858229fe

SHA1
c4d212bb392cc3527b7fa0ff2b43659b01751a53

SHA256
e00a68722f48d33d433759c6d69edaadc3385b551693c2088244585a99a0c61a

SHA512
f63f5e3118b9c3529fbd5b77f59590a9bbae402c8325f6bb8d4ca9cf4e09de0ae9ca685b4162437ff10751c680b966520e280559f5e9f42711b2ece1008ea161

Download Submit
C:\Windows\SysWOW64\Cpifeb32.exe

Filesize
64KB

MD5
1f0733e78735bea933030597978ef53a

SHA1
13e1ab07b3ceec6b50c2749a2a5611dff6051a29

SHA256
58f454c7fd9eec7d7bf67960f9779b102f5227ebf177f7f759ead89da1630678

SHA512
8723eb5f782137a0eeea0efb9a971cd535e7334f6ecf9fb99efc28a23511747828f881e0f3487ab691f9f32f29d2a4054eee1f45a7819e5b725d22d8bc432529

Download Submit
C:\Windows\SysWOW64\Ddcogo32.exe

Filesize
64KB

MD5
3924a6c43eec242375a73c178349be2d

SHA1
7e5e4189d53eeadfef4e0b98844aead6fa690ece

SHA256
85de0dfa37bec566805f78ec6c98e0c29e19f2aed96fdce0bef15d71e66f8b19

SHA512
d753e4f591ebb0aa451afa52ce36dd0421a492f9446903685b2bfcc49142e4d385dc2d61600fe0f0731638ab76c252c1df7514647016f60224d726481d7336c6

Download Submit
C:\Windows\SysWOW64\Ddqbbo32.exe

Filesize
64KB

MD5
1d1632a9bee489e784afa1f60f9f99b1

SHA1
6e7873c5b9c2fa1ce11c25a0f47b68771ddd8cfb

SHA256
5a6680e0ea1dcf56afc960f56976a0ace2ba8828491c1117bc8e5bb787ff804b

SHA512
6d5aecd78e496cf48517ce9355e92a0c91605bd7d6b23e354304f4c74d3c10eebf6e79e2d2d7ee58db0c6766bf2a7a5fe771e69a4b2feb87bce5b7cb9353dc11

Download Submit
C:\Windows\SysWOW64\Dfonnk32.exe

Filesize
64KB

MD5
aa21d83fd902250c2b2b7faf5f6506ef

SHA1
9fedc24a79c2e9855a63a940357d8ec0fdcb1ac0

SHA256
99c489cbe793f26e686e14c41f94ac98f4d80e31ecad8b71209c0aff125dc16e

SHA512
53beff4d8e8cbd8f36c43b9dbcd1a1e8aef1c10e4d9f42dd3615e1e3cc55c6debc85d65616fba51e3f09226df8bf61410ab69a3d39c9565dc3cc1759f96f2888

Download Submit
C:\Windows\SysWOW64\Dmkcpdao.exe

Filesize
64KB

MD5
af6389f9033aec1c682c5fc3a0204b92

SHA1
71a906588fbe8b1e099ed599dc17024b3a78b140

SHA256
72e96238f2a8828a49fa72147df7daee009b8a35eb345e0617e14be6c6024caf

SHA512
50a2a44f38725dee2a83b16e580fc52768d3c732409a8686e085d22623b642ba9c173cb6f4e62b1d54788b250e28034deadb6ba1a713befe13cb0223cef6c912

Download Submit
memory/376-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/800-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/800-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/924-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/924-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/956-172-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/956-259-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1108-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1108-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1180-90-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1180-179-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1304-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1304-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1564-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1564-127-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1664-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1664-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1720-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1720-206-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1744-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1744-99-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1864-74-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1864-166-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-207-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1972-116-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1972-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2164-188-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2164-100-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2184-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2184-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2316-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2316-180-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2364-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2364-226-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2420-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2420-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2684-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2684-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2740-277-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2740-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2876-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2876-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3100-247-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3100-157-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3104-134-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3104-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3140-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3140-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3212-82-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3212-170-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3216-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3448-167-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3516-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3516-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3720-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3720-107-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3772-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3772-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3772-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4320-198-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4320-108-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4448-238-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4448-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4532-239-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4540-278-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4540-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4552-199-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4552-285-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4864-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads