57149e9987ec67c9e0b6f1367685b584624733163d6ba921895c98d26113d675

Analysis

max time kernel
108s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/09/2024, 19:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

faf228cd20380588057f4cd2bfec0c80N.exe
Size

187KB
MD5

faf228cd20380588057f4cd2bfec0c80
SHA1

4a5f38721fb26c0349a6b420c62a180da23ed8e9
SHA256

57149e9987ec67c9e0b6f1367685b584624733163d6ba921895c98d26113d675
SHA512

3517029ebaa4a11716f4d1a4a9c397964284155968c320cdbaff836084768d226cd3f92955dd07f1e4df4ae31a14fd4a8194938083dab88e038cbb73261f8f5d
SSDEEP

3072:97S+ljn44rhMSpMiVgtRQ2c+tlB5xpWJLM77OkeCK2+hDueH:JBljnXhpMiV+tbFOLM77OLLt

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	faf228cd20380588057f4cd2bfec0c80N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Calhnpgn.exe

Executes dropped EXE 44 IoCs

pid	Process
4304	Bagflcje.exe
2728	Bfdodjhm.exe
4872	Bnkgeg32.exe
3820	Bmngqdpj.exe
2632	Bgcknmop.exe
4284	Bnmcjg32.exe
4748	Beglgani.exe
2068	Bfhhoi32.exe
5068	Bmbplc32.exe
2612	Bclhhnca.exe
2740	Bjfaeh32.exe
2940	Bapiabak.exe
1864	Bcoenmao.exe
3752	Cfmajipb.exe
4440	Cmgjgcgo.exe
4732	Chmndlge.exe
2600	Cjkjpgfi.exe
1076	Caebma32.exe
4940	Chokikeb.exe
1184	Cnicfe32.exe
1152	Cagobalc.exe
4804	Cdfkolkf.exe
4028	Cnkplejl.exe
4960	Cmnpgb32.exe
1564	Ceehho32.exe
3264	Chcddk32.exe
1520	Cjbpaf32.exe
4536	Calhnpgn.exe
4480	Dhfajjoj.exe
2076	Dopigd32.exe
916	Danecp32.exe
2608	Dhhnpjmh.exe
1352	Dobfld32.exe
1284	Daqbip32.exe
1300	Dhkjej32.exe
3484	Dkifae32.exe
2820	Dmgbnq32.exe
3460	Deokon32.exe
2140	Dfpgffpm.exe
3148	Dkkcge32.exe
3492	Daekdooc.exe
3472	Dhocqigp.exe
3120	Dknpmdfc.exe
3428	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	faf228cd20380588057f4cd2bfec0c80N.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Bfdodjhm.exe	Bagflcje.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Bfdodjhm.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bfdodjhm.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bfdodjhm.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Bagflcje.exe	faf228cd20380588057f4cd2bfec0c80N.exe
File created	C:\Windows\SysWOW64\Leqcid32.dll	Bnkgeg32.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bapiabak.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cmgjgcgo.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2508	3428	WerFault.exe	129

System Location Discovery: System Language Discovery 1 TTPs 45 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	faf228cd20380588057f4cd2bfec0c80N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	faf228cd20380588057f4cd2bfec0c80N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll"	faf228cd20380588057f4cd2bfec0c80N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	faf228cd20380588057f4cd2bfec0c80N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Beglgani.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfmajipb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3604 wrote to memory of 4304	3604	faf228cd20380588057f4cd2bfec0c80N.exe	83
PID 3604 wrote to memory of 4304	3604	faf228cd20380588057f4cd2bfec0c80N.exe	83
PID 3604 wrote to memory of 4304	3604	faf228cd20380588057f4cd2bfec0c80N.exe	83
PID 4304 wrote to memory of 2728	4304	Bagflcje.exe	84
PID 4304 wrote to memory of 2728	4304	Bagflcje.exe	84
PID 4304 wrote to memory of 2728	4304	Bagflcje.exe	84
PID 2728 wrote to memory of 4872	2728	Bfdodjhm.exe	85
PID 2728 wrote to memory of 4872	2728	Bfdodjhm.exe	85
PID 2728 wrote to memory of 4872	2728	Bfdodjhm.exe	85
PID 4872 wrote to memory of 3820	4872	Bnkgeg32.exe	86
PID 4872 wrote to memory of 3820	4872	Bnkgeg32.exe	86
PID 4872 wrote to memory of 3820	4872	Bnkgeg32.exe	86
PID 3820 wrote to memory of 2632	3820	Bmngqdpj.exe	87
PID 3820 wrote to memory of 2632	3820	Bmngqdpj.exe	87
PID 3820 wrote to memory of 2632	3820	Bmngqdpj.exe	87
PID 2632 wrote to memory of 4284	2632	Bgcknmop.exe	88
PID 2632 wrote to memory of 4284	2632	Bgcknmop.exe	88
PID 2632 wrote to memory of 4284	2632	Bgcknmop.exe	88
PID 4284 wrote to memory of 4748	4284	Bnmcjg32.exe	89
PID 4284 wrote to memory of 4748	4284	Bnmcjg32.exe	89
PID 4284 wrote to memory of 4748	4284	Bnmcjg32.exe	89
PID 4748 wrote to memory of 2068	4748	Beglgani.exe	91
PID 4748 wrote to memory of 2068	4748	Beglgani.exe	91
PID 4748 wrote to memory of 2068	4748	Beglgani.exe	91
PID 2068 wrote to memory of 5068	2068	Bfhhoi32.exe	92
PID 2068 wrote to memory of 5068	2068	Bfhhoi32.exe	92
PID 2068 wrote to memory of 5068	2068	Bfhhoi32.exe	92
PID 5068 wrote to memory of 2612	5068	Bmbplc32.exe	93
PID 5068 wrote to memory of 2612	5068	Bmbplc32.exe	93
PID 5068 wrote to memory of 2612	5068	Bmbplc32.exe	93
PID 2612 wrote to memory of 2740	2612	Bclhhnca.exe	94
PID 2612 wrote to memory of 2740	2612	Bclhhnca.exe	94
PID 2612 wrote to memory of 2740	2612	Bclhhnca.exe	94
PID 2740 wrote to memory of 2940	2740	Bjfaeh32.exe	96
PID 2740 wrote to memory of 2940	2740	Bjfaeh32.exe	96
PID 2740 wrote to memory of 2940	2740	Bjfaeh32.exe	96
PID 2940 wrote to memory of 1864	2940	Bapiabak.exe	97
PID 2940 wrote to memory of 1864	2940	Bapiabak.exe	97
PID 2940 wrote to memory of 1864	2940	Bapiabak.exe	97
PID 1864 wrote to memory of 3752	1864	Bcoenmao.exe	98
PID 1864 wrote to memory of 3752	1864	Bcoenmao.exe	98
PID 1864 wrote to memory of 3752	1864	Bcoenmao.exe	98
PID 3752 wrote to memory of 4440	3752	Cfmajipb.exe	99
PID 3752 wrote to memory of 4440	3752	Cfmajipb.exe	99
PID 3752 wrote to memory of 4440	3752	Cfmajipb.exe	99
PID 4440 wrote to memory of 4732	4440	Cmgjgcgo.exe	101
PID 4440 wrote to memory of 4732	4440	Cmgjgcgo.exe	101
PID 4440 wrote to memory of 4732	4440	Cmgjgcgo.exe	101
PID 4732 wrote to memory of 2600	4732	Chmndlge.exe	102
PID 4732 wrote to memory of 2600	4732	Chmndlge.exe	102
PID 4732 wrote to memory of 2600	4732	Chmndlge.exe	102
PID 2600 wrote to memory of 1076	2600	Cjkjpgfi.exe	103
PID 2600 wrote to memory of 1076	2600	Cjkjpgfi.exe	103
PID 2600 wrote to memory of 1076	2600	Cjkjpgfi.exe	103
PID 1076 wrote to memory of 4940	1076	Caebma32.exe	104
PID 1076 wrote to memory of 4940	1076	Caebma32.exe	104
PID 1076 wrote to memory of 4940	1076	Caebma32.exe	104
PID 4940 wrote to memory of 1184	4940	Chokikeb.exe	105
PID 4940 wrote to memory of 1184	4940	Chokikeb.exe	105
PID 4940 wrote to memory of 1184	4940	Chokikeb.exe	105
PID 1184 wrote to memory of 1152	1184	Cnicfe32.exe	106
PID 1184 wrote to memory of 1152	1184	Cnicfe32.exe	106
PID 1184 wrote to memory of 1152	1184	Cnicfe32.exe	106
PID 1152 wrote to memory of 4804	1152	Cagobalc.exe	107

C:\Users\Admin\AppData\Local\Temp\faf228cd20380588057f4cd2bfec0c80N.exe
"C:\Users\Admin\AppData\Local\Temp\faf228cd20380588057f4cd2bfec0c80N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3604
- C:\Windows\SysWOW64\Bagflcje.exe
  C:\Windows\system32\Bagflcje.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4304
- - C:\Windows\SysWOW64\Bfdodjhm.exe
    C:\Windows\system32\Bfdodjhm.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\SysWOW64\Bnkgeg32.exe
      C:\Windows\system32\Bnkgeg32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4872
    - - C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3820
      - C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4284
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4748
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3752
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1184
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4804
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4028
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4960
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3264
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1520
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2076
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:916
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2608
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1352
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1284
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1300
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3484
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3460
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2140
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3148
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3492
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3472
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3120
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3428 -s 416
        46⤵
        Program crash
        
        PID:2508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3428 -ip 3428
1⤵
PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Akichh32.dll

Filesize
7KB

MD5
5c951b16e3822ac88ee5e6c4b4646ee4

SHA1
4ef3b7fc5da6033581106134150cb23333624cc7

SHA256
77adfa3c0593e2baf6ed93037846feeb3741201d9cfa358dc21cfa4d4caeb0d7

SHA512
89ab81d1ada051c0ff40f091a199f4bd8537d2e860673da15132afda1c9406d9c47b083e5d0b979bcddc82586aa8f889cb1ab25efeec2e79cc6da20dae144924

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
187KB

MD5
4e90e5fb0b7b88b704a19365c7a0d511

SHA1
c5dedbf5023bcfd28bf68a2809e28e3fc8857662

SHA256
3b1bfc9daa321a7bc2670c0de9a7c21b4e72c1a598a7e8207f5c827b9e9935bb

SHA512
1647050e8f7794b518b32b2c6af9eb925d8b8d6390af07dcaa6c9e75a480fc08e0a89afee3ba6c6a6196ca6f8c8f29a4ea3d037d2e6037048a7265a26b7f4e48

Download Submit
C:\Windows\SysWOW64\Bapiabak.exe

Filesize
187KB

MD5
d83966bcd3a63a5757534e1aa6a6530f

SHA1
e224c4a898099cc4a51c21a3fe1f5a955238ca17

SHA256
a469ff5d0cff72b72765e140298713a5590fb722d7809cb801844056b9957cf9

SHA512
68e2d27dddac0ee45d9c92c67f4187b929ad48c5ec2d276c61680fb8568f919034ab0e1348432f7a37fd8cb715f4d3c37680481a8afac846bc2cb03ea21ad710

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
187KB

MD5
998250622c2b20ba4ec1d7a639b6f6be

SHA1
a1bbcf3fe3f2501d329e409ed330e00dca32aee5

SHA256
9213def3ab1d9cb15899d3355ce599ba88ff72a65c691febc45f9f4be35d0e89

SHA512
469d44476a462911c8cde2b83ade133e392f0e6b723e7db8d8c006a528aedbb41c840692c28e3a14a67c64e77371cfdd33556b62e63d379fb76668ce615a2aa9

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
187KB

MD5
9b7771512b01a60677cb5607b84f6fa3

SHA1
6975de220797417173d3f9caccfe6a729b4485cf

SHA256
9cde6d9affcad7ba19e6f7dca1388bf43e8cc1c13b088de484f88171bfca1ac2

SHA512
e508726a4cd2557cc788df07ce72d13289294b25ef1a5ae2f0fb093b027577c22caf7a914beafe87952a1b565eb963c163f3d1df1a7bf4b6521954f454ca0f7e

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
187KB

MD5
2748207dc9494f3852a77549e4822833

SHA1
4082a732bbd80b94b0ccf92f9c18216b28154e93

SHA256
54a23efa31519077918968353bf0d6735f2496ec3acb71260a7a2dca766e878e

SHA512
ba42ffcc2ce149b1e1195605dc484b82b22f0c3e6e868fff266043123cc76c4a0967395f35187cb221e46c97fa90ab0d7915e62d6a5f938e04c0cf66b66848ea

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
187KB

MD5
580067c017fe4c3042c08ea772f59267

SHA1
f010685fab2cd4a2a420695cdcb28cf04dd3715d

SHA256
7c47941be580698f9d637cd995bc43d59eb7d1b5d8bd14c5b6d544a243781430

SHA512
79e3c1364a8d24122c034aff7905321db7a1a9668e1c33d4d730ebc2b8e2897da6faff7c59cea837f3bffc1181952c4115be299dabd3eee4d7d517d5578c131d

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
187KB

MD5
404bbc07b43420d6b35b386da6c5fe1b

SHA1
13e28adfdfc69fc4c5ccb90bf6858f15e29abefe

SHA256
fb75c08bf1f14a02c96548b88f90ebeb7c3be33783db6fff4157a68f37ffd986

SHA512
02ad87a8bbdb791435016e82b99a6325f4882aaf7dc20bf7c33024c67e2acae7166eaecbb994b7f42ef262a9ae2a903ea5086499f6b8c7024be502ba2eaca285

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
187KB

MD5
a3c9e8a548f9121f8e8fa656f56117bd

SHA1
0b71bc071ddcc1fb8cc0564f32baf23eff5e853b

SHA256
5ab913162c85a07eced80b6a2ebf0bac5875233ebccf9066b00b0dcec0f2aca3

SHA512
24c6c047ba5dd2f8911689a9dbab3d484fddd483cadeb0bda82c648532b6bed23c6ba8e2bb20597757bf472fc55b203ab5971d3d4e20959f2a30bca18535fcbc

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
187KB

MD5
22350041038e512c777a9d2a98bf6a5a

SHA1
01517092f09661db53ca01ac1409a9907b998228

SHA256
2504d1b5f9494d6caac1415ba9bcf912c9ed4f85794e8ba765bf101fc34ce2fd

SHA512
b370abf4289d8c5548439ea25064f39733115d5fd07c8ccca513b0ec4b7167283a6bd1e302ee83f075897cf521261741ccb58d6e1297693aee3301c405fac00c

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
187KB

MD5
5e8ad29b382679a65de0e8603799727b

SHA1
1e75e6a8571f961f520aba9e5a4f4fc58f581c10

SHA256
f7a3bb6e51d4bfc849935207ec361d1aa9ea046658728bd468bd9dbc82c6b4da

SHA512
47b47f32c1013fe11e0d98abb3b6f3a7b26b92efe3bbe0ea20db8b4cfcb4316d40db5c5f5a7603d09e88c42b106dd7204fa848b8fb251908b0566a45774cb035

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
187KB

MD5
ca06a86fd9fc26ff29804e819ce7feef

SHA1
b6d27fb6717064081442ce8037198c36cce4adce

SHA256
57bd7cda8f622e2a7cfdccf7f6dbbfd1106b919e3bedbd09d0d01f64205113d5

SHA512
1bdd8186f8bdece06bbe36b9678426e754b5a95e9ca3053cf20f1814b76671c3f0f146f4ac705d24f518b7a21060890ec300a2490a78948ae9336ef7fedf029e

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
187KB

MD5
f88b32a86cd85ea9ac72d743a6c5f9d6

SHA1
223d65b44e6db2849345641358b39db2a5c7acdf

SHA256
bbde4d78cdf6ce9e0bcff93ac883d590593c4c22822290450628d0207a9cc99b

SHA512
2d6a0c91037cbaed2fd93b4b9b90e40dcd6a013d2569fd1e1f3bb879889133f61f14c2eceee6aa72be72f662ff5cac43177e3ffc60a229731c358b703b9c659a

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
187KB

MD5
44625e7f0e80829283e123eecb50d99f

SHA1
073066a0e2073bebd5c74ae7a91f76e2492ed080

SHA256
340655c998bf6bc0c8f57cabfeb5c99a677762a921e3bca6211d7a921e5f6465

SHA512
4936aba84c7e6f848f5004e15896f3ba0b8c85c207eaf3cfb221aaf57fafb5c8d4a6ccb1ae1d06e048084fd331f5b0a50b428395de803c67b6e5d480ab1ea1a8

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
187KB

MD5
a6d383c2b9b1c53df93f2017521673e4

SHA1
7a46dc8c8c215e0050a6cbbad2a923c88fa2cff5

SHA256
1b1c9c916cc1fa91e7adbc5e329a7fb07cc5099a648dabfa4c933c8a9eada1fd

SHA512
3b44f41c8b010ba78f5bc24d19e387d5cd63880cc6c236e7bd90eed61759c407b388249f78ed277ac766af34e726f8a2da427f72b2fb20476a47bc43b96ab878

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
187KB

MD5
eba9ef411002365b380e21072d427036

SHA1
3bcbae694a9751add15c2bba4441728d7d77cf2d

SHA256
4daf51d94efe796c160b214e4841fb598020510173ca7ec16b75ceed4b9584cf

SHA512
4eba130ef04d1a227f5b51f1b53e597b64a86e0ff0b3ed9359df09a98f39a44135ffbbe4225ae1712f796a22eeb3c1ca4488f4d33ef405aa33e26eadae0316f6

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
187KB

MD5
aeb39b3ea85edfcff4e2e65a4d1f97da

SHA1
2266bcff813f338c50cad6cbc48498d700b95d36

SHA256
d349ef611c8696f09760b6c6889c8bfcf8b88caf9e6764d0941c009e14be7d86

SHA512
a8a21060771008abaac05121df41b817c6993b16a612d4a042abdb021dd66c820cbdb3da504a749a057d6439801a1d0a461dde2b79c2a3daef6d8cc4af52881b

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
187KB

MD5
4607f9af1c8ccad4fa840f7018ed8c61

SHA1
3bc296dd16f8916d49bfab464ce3fe751e978361

SHA256
4d1de01fc77fb9f509d49821f1e37bb7da0555d6dbe35a1b64ec4de2b7a64ba2

SHA512
875525c8fe346fe6d83e4b7287b50edddc3c08ea0155184a27888f759147241f365b670f2333d191c40230ccce1a6c1a5d7967033e17a116f3dd26718e6433e1

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
187KB

MD5
9a9e1113b09d06a9a2ecfc6c1bcc2170

SHA1
28d498988c7d1366d22750a5bc88acf37e967990

SHA256
4a57ccbbf4e2c000c55227222484552436213234475358d375da1c9cd888de35

SHA512
622a979ae6ab8a3c7b8d62e1938fab8eb0e383b1c6c6dd1d9ab568e3908fa47b78025ef4b45d75c54605fa8cecf7610ba562bdb3469be7a6c054742bbba2fb70

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
187KB

MD5
25bb91b8044edffd4ca8580d78fc49fa

SHA1
cc8c20e0730a0026c58d73560594c767adb28460

SHA256
df0270c6d640e40ba5a0ee8161d687194200a3308c1e22ab0bc3fddbda7425d7

SHA512
353098fbe329c08c57cd3ad7835a6f631cf03895dc9cfd55827867232fbb725d3bb3fd1f7a4f3f031242bfbf23d33e0c7c07186d0b41d6f887a373caca1edea3

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
187KB

MD5
4f43f41e0133b73f019a28f5bc787a09

SHA1
b2841c44a0a70ff3d0e75e84a546862a20ecab18

SHA256
cb0478fc79364869f156cf243dcecc41fb678825e5ebc321196988f07abf8f88

SHA512
fcdac5e11e919e7599f177f840535d450c11b8bbe10b20daba89c15ebae21e5b5030fc01677efa55e74b4943c736176cb1af3d8d8b8c294cf4e10cefe2f5626d

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
187KB

MD5
71868f8682f08989a29fd9222c9dd1af

SHA1
501557ae36d8b192475695313d91fd8dfc49c415

SHA256
dc9f6cf5890215473f61f56186728a4c08123131f0199faafa728d2ce6a5193c

SHA512
e780aace7335b066728b80f580230ac708b47f74469c58606e12e6fe75deb428ddfb018a135627f626ce33eb479e663a26c734ca2f82b08386703ec098db4bd0

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
187KB

MD5
32670edc7aca8c1d00ea135235fd37d7

SHA1
c13bb36bf658686e40e5e8024fa9970b4f2485d4

SHA256
9d2aea305aaec6a94954c9db18124385e9dc22d5c67f1ca1c0bd4620a16da0e2

SHA512
403b39d44c2d28f8dde9c9efbb95362b1141a28a9e85356c44fe69ff9ff73b99b7f3b255b975bf455d7a0c89b4a87cc094ebe18f79c8408f5f29417feb889d69

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
187KB

MD5
aecdf317883c938b713cbd04a9b013b4

SHA1
2675200dc62e899f63d7d2f5d64aeaaacab85541

SHA256
4034c27bd29dffeafa1562209bd4285baf3a23a6ca1e1e19e4dd8f69fa9bba2d

SHA512
c518221e2a02b65efc616cb3f2f12f9a28d626c375f788b901f59596048c58e59b3fbb74e1425c58ef6c792bc7502fa0dede1fa9a2a5368bdfb4ecf4b682df0b

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
187KB

MD5
41afe2e85b0fb0e71baf0816444c9333

SHA1
76f9a09d8d043309d54926a712e3d424bb24567d

SHA256
0b9e210e261ee98b0d061295de008668386f0cab31662fc640f2e3678109c714

SHA512
420c6c59ccf37ef06855bc145a2a179a7c9f0c396089263189d140d3161b7fa9d4949072952f83c22be2aa1ea92c9ac65533ad988d54da47efc05a89f2c2dbf4

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
187KB

MD5
9a6e721ea4cd76c715ad25f815ed7d5f

SHA1
6080c3beab6f0b15bbbab58c5ab088a55ec07b77

SHA256
9086ee4e517c20bc7c3eac1087b578f74b77c72186a4b411ffc90a82ea8b0a8d

SHA512
be4fa839b695d075ef4dc69bf615791616df10d0bbb1a6095f8ede18c522f3bde99c63b856082e4a9e6f8dc3f9d71caf303dac59bc844c9f64ef1adfbb350cae

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
187KB

MD5
42b3b5d0d4727b77abc8af1343828431

SHA1
6d33877786aaa72f9cfb58eff7ec3758c1258ef5

SHA256
30dd4cb1a22f552137ba07fd257e821f4f1a98fd93141e0092b43217fb8cdc0c

SHA512
07209a622e6d7a773ecd67d9f9f80df63e1183cba68a64e80be0a2a0922169508e6a80b4d1fdb98910b818fea83129dc00cd47023405f45aee727527420dbfc5

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
187KB

MD5
7c4abab63a7d499728f114d9987e299e

SHA1
2dfe928e25354cab841f4fe9e7c3a65659714a4c

SHA256
4d9874393e22730d1202475086da975d5824b7b2105daf2e272b9c2661861fe8

SHA512
8da51f827a926030c35e30f8416ed58ee7d518108f18a74922e1eb7c17a8b505de63cbcc8eb023dc228f231afbfd2fdb33d344fd1497017c8474109517b2ab4d

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
187KB

MD5
3041fa687c4a99694f7017523f8da291

SHA1
d6caca0ceb2d3c403b299b11699b10efe6ec1c77

SHA256
3475f1a6ef2eb00a5015369ad0187c222857bb6844e33c313c91f0b9b350dfee

SHA512
3e478a09e30bc9c8f8a1b08bc128cdf1e759b7597ee0e28aa3a74c8fc6775e9f3020f2b5f631b128008f8425063d1515679a737ce7b0da64a48f7a32989a75fd

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
187KB

MD5
41521c43bf0be362ec5da12c92fa0ec9

SHA1
1158530844e3e904743377413b1d0f85ad654659

SHA256
a6265178998eb1b24bd5ba59cdef9d83d107645a1c91474f0b5ae362b686257a

SHA512
4a5e46cb2a6ab712be9971936280f956f1475d7b7d9ee6dde7f87d6216deca6750312b4ed4bd6dee709e37118868ba59c3f8defa5197d0cc1480fcb83b7db27a

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
187KB

MD5
bb9e9c057fadfa7c166154cb0a29cb63

SHA1
0427bfecca6f8c206ce2b07c9e5913a721cd6a39

SHA256
626efee57eb022240ec5d745dad26cafdf2ef9e8d3b8897e7780a09f63da401b

SHA512
3d4292d00888324fc11ba46f64de966b8510dfb257e127ffc6a31e5553be76163dacec3a41a787cd704ad4c751ee56b3d7331105637e3d35b93cf95f921cf691

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
187KB

MD5
93c67604a5bcc6d8072743c5ca364140

SHA1
744635e5b685521f81910e674ebda6bf66eef948

SHA256
913984b5c9fa4e0ffbe36b293a22b21e8f5c0453bb9d400c1ca352cbba29d263

SHA512
6b46cbb3c1f336ccdc4c6ed69ce2a976fcc76a715800c1bd8b1fc1ac4a4f0f8a3924c606e471343b07dd5dbe110632fee456dade712ca8fe7088072d3d1fd8af

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
187KB

MD5
8ea78e207a7e7fb7fb063d6083f4e180

SHA1
453d5fd45f0e92b47ea4895ac531f3f9e59f93c3

SHA256
4b8fc34f1a9ba27a2c694f870e29608e7a4d446607bc791cb16e36480fa562b1

SHA512
e81d181d5c03e0aa02447391587892ece3f05be9ab8a02b03d4133da4e53b4fde528da6274d6578f713815090aa8f3bb893f5acbc80ef63a82120585e83007f2

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
187KB

MD5
576a243694b81db28e6260bbc0e45a2f

SHA1
ed2574542c1e158623a5e8325b09e582b9fe5e71

SHA256
a7892a69a682ee6e7ae8105ef8b6f679ae297291fecf2334e1dc531265203493

SHA512
4f98363649461592b824cf916e035368907e3d33576da2fdb57c26c64204f24b8d1f9186292d8139171c5aaede6f727469ccae32e66b058b9d206e756010535e

Download Submit
memory/916-355-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/916-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1076-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1076-381-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1152-375-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1152-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1184-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1184-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1284-349-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1284-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1300-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1300-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1352-351-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1352-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1520-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1520-363-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1564-367-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1564-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1864-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1864-390-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2068-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2068-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2076-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2076-357-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2140-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2140-300-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2600-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2600-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2608-353-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2608-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2612-396-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2612-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2632-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2632-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2728-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2728-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2740-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2740-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2820-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2820-345-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2940-392-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2940-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3120-332-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3120-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3148-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3148-338-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3264-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3264-365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3428-331-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3428-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3460-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3460-343-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3472-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3472-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3484-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3484-344-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3492-336-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3492-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3604-416-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3604-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3752-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3752-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3820-408-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3820-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4028-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4028-371-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4284-404-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4284-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4304-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4304-414-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4440-386-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4440-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4480-359-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4480-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4536-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4536-361-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4732-132-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4748-402-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4748-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4804-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4804-373-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4872-410-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4872-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4940-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4940-379-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4960-369-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4960-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5068-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5068-398-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads