njrat | b80747f0bc219435e511b606fab7301eb9b9f0d45ae7058a61db448aafc9a0c1

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/09/2024, 03:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dbe19a1130bccde071164cd19e631770N.exe
Size

337KB
MD5

dbe19a1130bccde071164cd19e631770
SHA1

d828ac5c60e5fcf4222fa6053082fe711fbfd465
SHA256

b80747f0bc219435e511b606fab7301eb9b9f0d45ae7058a61db448aafc9a0c1
SHA512

bdd8d705192c6bf0ab134cdf1358b8ee1496ca30e145acd89525b59df76a30d7fae07742c40b82f792c791836351121f5c7720d0b3a7d66319a62013f418a326
SSDEEP

3072:X2HNegccl0YgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:G4cl0Y1+fIyG5jZkCwi8r

Score

10^/10

njrat discovery persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boljgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmeiq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boljgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	dbe19a1130bccde071164cd19e631770N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbblda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abpcooea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqgmfkhg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caifjn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abpcooea.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcbhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkegah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcbhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhjlli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmeiq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bigkel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caifjn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	dbe19a1130bccde071164cd19e631770N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhjlli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckhdggom.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bigkel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbblda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagienkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqgmfkhg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbmcibjp.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 27 IoCs

pid	Process
2704	Abpcooea.exe
2968	Bhjlli32.exe
2084	Bjmeiq32.exe
2676	Bqgmfkhg.exe
3056	Bmnnkl32.exe
1684	Boljgg32.exe
2856	Bgcbhd32.exe
2872	Bieopm32.exe
2312	Bqlfaj32.exe
1060	Bbmcibjp.exe
2624	Bigkel32.exe
1596	Bkegah32.exe
2384	Cbppnbhm.exe
2992	Ciihklpj.exe
2548	Ckhdggom.exe
2080	Cbblda32.exe
2528	Cileqlmg.exe
1676	Cpfmmf32.exe
920	Cagienkb.exe
2364	Cgaaah32.exe
2096	Caifjn32.exe
2024	Cgcnghpl.exe
2004	Cnmfdb32.exe
1544	Cegoqlof.exe
2816	Cgfkmgnj.exe
2688	Dnpciaef.exe
2732	Dpapaj32.exe

Loads dropped DLL 57 IoCs

pid	Process
2280	dbe19a1130bccde071164cd19e631770N.exe
2280	dbe19a1130bccde071164cd19e631770N.exe
2704	Abpcooea.exe
2704	Abpcooea.exe
2968	Bhjlli32.exe
2968	Bhjlli32.exe
2084	Bjmeiq32.exe
2084	Bjmeiq32.exe
2676	Bqgmfkhg.exe
2676	Bqgmfkhg.exe
3056	Bmnnkl32.exe
3056	Bmnnkl32.exe
1684	Boljgg32.exe
1684	Boljgg32.exe
2856	Bgcbhd32.exe
2856	Bgcbhd32.exe
2872	Bieopm32.exe
2872	Bieopm32.exe
2312	Bqlfaj32.exe
2312	Bqlfaj32.exe
1060	Bbmcibjp.exe
1060	Bbmcibjp.exe
2624	Bigkel32.exe
2624	Bigkel32.exe
1596	Bkegah32.exe
1596	Bkegah32.exe
2384	Cbppnbhm.exe
2384	Cbppnbhm.exe
2992	Ciihklpj.exe
2992	Ciihklpj.exe
2548	Ckhdggom.exe
2548	Ckhdggom.exe
2080	Cbblda32.exe
2080	Cbblda32.exe
2528	Cileqlmg.exe
2528	Cileqlmg.exe
1676	Cpfmmf32.exe
1676	Cpfmmf32.exe
920	Cagienkb.exe
920	Cagienkb.exe
2364	Cgaaah32.exe
2364	Cgaaah32.exe
2096	Caifjn32.exe
2096	Caifjn32.exe
2024	Cgcnghpl.exe
2024	Cgcnghpl.exe
2004	Cnmfdb32.exe
2004	Cnmfdb32.exe
1544	Cegoqlof.exe
1544	Cegoqlof.exe
2816	Cgfkmgnj.exe
2816	Cgfkmgnj.exe
2688	Dnpciaef.exe
2688	Dnpciaef.exe
2584	WerFault.exe
2584	WerFault.exe
2584	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dnpciaef.exe	Cgfkmgnj.exe
File opened for modification	C:\Windows\SysWOW64\Bieopm32.exe	Bgcbhd32.exe
File created	C:\Windows\SysWOW64\Bbmcibjp.exe	Bqlfaj32.exe
File created	C:\Windows\SysWOW64\Cagienkb.exe	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Cnmfdb32.exe	Cgcnghpl.exe
File opened for modification	C:\Windows\SysWOW64\Cegoqlof.exe	Cnmfdb32.exe
File opened for modification	C:\Windows\SysWOW64\Abpcooea.exe	dbe19a1130bccde071164cd19e631770N.exe
File created	C:\Windows\SysWOW64\Cbppnbhm.exe	Bkegah32.exe
File opened for modification	C:\Windows\SysWOW64\Ckhdggom.exe	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Cpfmmf32.exe	Cileqlmg.exe
File opened for modification	C:\Windows\SysWOW64\Cgaaah32.exe	Cagienkb.exe
File created	C:\Windows\SysWOW64\Cgfkmgnj.exe	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Bqgmfkhg.exe	Bjmeiq32.exe
File created	C:\Windows\SysWOW64\Bgcbhd32.exe	Boljgg32.exe
File created	C:\Windows\SysWOW64\Gbnbjo32.dll	Bieopm32.exe
File created	C:\Windows\SysWOW64\Cbblda32.exe	Ckhdggom.exe
File opened for modification	C:\Windows\SysWOW64\Cbblda32.exe	Ckhdggom.exe
File opened for modification	C:\Windows\SysWOW64\Cnmfdb32.exe	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Nloone32.dll	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Bhjlli32.exe	Abpcooea.exe
File opened for modification	C:\Windows\SysWOW64\Boljgg32.exe	Bmnnkl32.exe
File created	C:\Windows\SysWOW64\Cileqlmg.exe	Cbblda32.exe
File opened for modification	C:\Windows\SysWOW64\Cileqlmg.exe	Cbblda32.exe
File created	C:\Windows\SysWOW64\Caifjn32.exe	Cgaaah32.exe
File opened for modification	C:\Windows\SysWOW64\Cbppnbhm.exe	Bkegah32.exe
File created	C:\Windows\SysWOW64\Hmdeje32.dll	Bkegah32.exe
File created	C:\Windows\SysWOW64\Ciihklpj.exe	Cbppnbhm.exe
File created	C:\Windows\SysWOW64\Nefamd32.dll	Cileqlmg.exe
File created	C:\Windows\SysWOW64\Hbcfdk32.dll	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Omakjj32.dll	Caifjn32.exe
File created	C:\Windows\SysWOW64\Bgmdailj.dll	Bhjlli32.exe
File created	C:\Windows\SysWOW64\Bnjdhe32.dll	Bigkel32.exe
File opened for modification	C:\Windows\SysWOW64\Ciihklpj.exe	Cbppnbhm.exe
File created	C:\Windows\SysWOW64\Ckhdggom.exe	Ciihklpj.exe
File opened for modification	C:\Windows\SysWOW64\Cagienkb.exe	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Abpcooea.exe	dbe19a1130bccde071164cd19e631770N.exe
File opened for modification	C:\Windows\SysWOW64\Bhjlli32.exe	Abpcooea.exe
File opened for modification	C:\Windows\SysWOW64\Bgcbhd32.exe	Boljgg32.exe
File opened for modification	C:\Windows\SysWOW64\Caifjn32.exe	Cgaaah32.exe
File opened for modification	C:\Windows\SysWOW64\Dnpciaef.exe	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Gfnafi32.dll	dbe19a1130bccde071164cd19e631770N.exe
File created	C:\Windows\SysWOW64\Dfefmpeo.dll	Boljgg32.exe
File created	C:\Windows\SysWOW64\Cgaaah32.exe	Cagienkb.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Bqlfaj32.exe	Bieopm32.exe
File opened for modification	C:\Windows\SysWOW64\Bqlfaj32.exe	Bieopm32.exe
File opened for modification	C:\Windows\SysWOW64\Bkegah32.exe	Bigkel32.exe
File created	C:\Windows\SysWOW64\Kaqnpc32.dll	Cagienkb.exe
File created	C:\Windows\SysWOW64\Niebgj32.dll	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Gjhmge32.dll	Cbppnbhm.exe
File created	C:\Windows\SysWOW64\Pmiljc32.dll	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Bjmeiq32.exe	Bhjlli32.exe
File created	C:\Windows\SysWOW64\Boljgg32.exe	Bmnnkl32.exe
File opened for modification	C:\Windows\SysWOW64\Bigkel32.exe	Bbmcibjp.exe
File opened for modification	C:\Windows\SysWOW64\Cgcnghpl.exe	Caifjn32.exe
File created	C:\Windows\SysWOW64\Cegoqlof.exe	Cnmfdb32.exe
File opened for modification	C:\Windows\SysWOW64\Bjmeiq32.exe	Bhjlli32.exe
File created	C:\Windows\SysWOW64\Godonkii.dll	Bqgmfkhg.exe
File created	C:\Windows\SysWOW64\Bieopm32.exe	Bgcbhd32.exe
File created	C:\Windows\SysWOW64\Oinhifdq.dll	Bbmcibjp.exe
File created	C:\Windows\SysWOW64\Ajaclncd.dll	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Cpmahlfd.dll	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Ihkhkcdl.dll	Bjmeiq32.exe

Program crash 1 IoCs

pid	pid_target	Process
2584	2732	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagienkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnpciaef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqlfaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbmcibjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciihklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckhdggom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abpcooea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boljgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bieopm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbblda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cileqlmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhjlli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqgmfkhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegoqlof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfkmgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmeiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcbhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bigkel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkegah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbppnbhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dbe19a1130bccde071164cd19e631770N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmnnkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caifjn32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	dbe19a1130bccde071164cd19e631770N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjmeiq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boljgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boljgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nloone32.dll"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihkhkcdl.dll"	Bjmeiq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caifjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abpcooea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhjlli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ednoihel.dll"	Ckhdggom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbblda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	dbe19a1130bccde071164cd19e631770N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abpcooea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjmeiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bqgmfkhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjhmge32.dll"	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bigkel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbnbjo32.dll"	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmbfdl32.dll"	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmdeje32.dll"	Bkegah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaqnpc32.dll"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgmdailj.dll"	Bhjlli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhjlli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdpkmjnb.dll"	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfefmpeo.dll"	Boljgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	dbe19a1130bccde071164cd19e631770N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oinhifdq.dll"	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bigkel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omakjj32.dll"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpqnnmcd.dll"	Abpcooea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bqgmfkhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	dbe19a1130bccde071164cd19e631770N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajaclncd.dll"	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onaiomjo.dll"	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpebhied.dll"	Bgcbhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkegah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niebgj32.dll"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bieopm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkegah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ciihklpj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2704	2280	dbe19a1130bccde071164cd19e631770N.exe	31
PID 2280 wrote to memory of 2704	2280	dbe19a1130bccde071164cd19e631770N.exe	31
PID 2280 wrote to memory of 2704	2280	dbe19a1130bccde071164cd19e631770N.exe	31
PID 2280 wrote to memory of 2704	2280	dbe19a1130bccde071164cd19e631770N.exe	31
PID 2704 wrote to memory of 2968	2704	Abpcooea.exe	32
PID 2704 wrote to memory of 2968	2704	Abpcooea.exe	32
PID 2704 wrote to memory of 2968	2704	Abpcooea.exe	32
PID 2704 wrote to memory of 2968	2704	Abpcooea.exe	32
PID 2968 wrote to memory of 2084	2968	Bhjlli32.exe	33
PID 2968 wrote to memory of 2084	2968	Bhjlli32.exe	33
PID 2968 wrote to memory of 2084	2968	Bhjlli32.exe	33
PID 2968 wrote to memory of 2084	2968	Bhjlli32.exe	33
PID 2084 wrote to memory of 2676	2084	Bjmeiq32.exe	34
PID 2084 wrote to memory of 2676	2084	Bjmeiq32.exe	34
PID 2084 wrote to memory of 2676	2084	Bjmeiq32.exe	34
PID 2084 wrote to memory of 2676	2084	Bjmeiq32.exe	34
PID 2676 wrote to memory of 3056	2676	Bqgmfkhg.exe	35
PID 2676 wrote to memory of 3056	2676	Bqgmfkhg.exe	35
PID 2676 wrote to memory of 3056	2676	Bqgmfkhg.exe	35
PID 2676 wrote to memory of 3056	2676	Bqgmfkhg.exe	35
PID 3056 wrote to memory of 1684	3056	Bmnnkl32.exe	36
PID 3056 wrote to memory of 1684	3056	Bmnnkl32.exe	36
PID 3056 wrote to memory of 1684	3056	Bmnnkl32.exe	36
PID 3056 wrote to memory of 1684	3056	Bmnnkl32.exe	36
PID 1684 wrote to memory of 2856	1684	Boljgg32.exe	37
PID 1684 wrote to memory of 2856	1684	Boljgg32.exe	37
PID 1684 wrote to memory of 2856	1684	Boljgg32.exe	37
PID 1684 wrote to memory of 2856	1684	Boljgg32.exe	37
PID 2856 wrote to memory of 2872	2856	Bgcbhd32.exe	38
PID 2856 wrote to memory of 2872	2856	Bgcbhd32.exe	38
PID 2856 wrote to memory of 2872	2856	Bgcbhd32.exe	38
PID 2856 wrote to memory of 2872	2856	Bgcbhd32.exe	38
PID 2872 wrote to memory of 2312	2872	Bieopm32.exe	39
PID 2872 wrote to memory of 2312	2872	Bieopm32.exe	39
PID 2872 wrote to memory of 2312	2872	Bieopm32.exe	39
PID 2872 wrote to memory of 2312	2872	Bieopm32.exe	39
PID 2312 wrote to memory of 1060	2312	Bqlfaj32.exe	40
PID 2312 wrote to memory of 1060	2312	Bqlfaj32.exe	40
PID 2312 wrote to memory of 1060	2312	Bqlfaj32.exe	40
PID 2312 wrote to memory of 1060	2312	Bqlfaj32.exe	40
PID 1060 wrote to memory of 2624	1060	Bbmcibjp.exe	41
PID 1060 wrote to memory of 2624	1060	Bbmcibjp.exe	41
PID 1060 wrote to memory of 2624	1060	Bbmcibjp.exe	41
PID 1060 wrote to memory of 2624	1060	Bbmcibjp.exe	41
PID 2624 wrote to memory of 1596	2624	Bigkel32.exe	42
PID 2624 wrote to memory of 1596	2624	Bigkel32.exe	42
PID 2624 wrote to memory of 1596	2624	Bigkel32.exe	42
PID 2624 wrote to memory of 1596	2624	Bigkel32.exe	42
PID 1596 wrote to memory of 2384	1596	Bkegah32.exe	43
PID 1596 wrote to memory of 2384	1596	Bkegah32.exe	43
PID 1596 wrote to memory of 2384	1596	Bkegah32.exe	43
PID 1596 wrote to memory of 2384	1596	Bkegah32.exe	43
PID 2384 wrote to memory of 2992	2384	Cbppnbhm.exe	44
PID 2384 wrote to memory of 2992	2384	Cbppnbhm.exe	44
PID 2384 wrote to memory of 2992	2384	Cbppnbhm.exe	44
PID 2384 wrote to memory of 2992	2384	Cbppnbhm.exe	44
PID 2992 wrote to memory of 2548	2992	Ciihklpj.exe	45
PID 2992 wrote to memory of 2548	2992	Ciihklpj.exe	45
PID 2992 wrote to memory of 2548	2992	Ciihklpj.exe	45
PID 2992 wrote to memory of 2548	2992	Ciihklpj.exe	45
PID 2548 wrote to memory of 2080	2548	Ckhdggom.exe	46
PID 2548 wrote to memory of 2080	2548	Ckhdggom.exe	46
PID 2548 wrote to memory of 2080	2548	Ckhdggom.exe	46
PID 2548 wrote to memory of 2080	2548	Ckhdggom.exe	46

C:\Users\Admin\AppData\Local\Temp\dbe19a1130bccde071164cd19e631770N.exe
"C:\Users\Admin\AppData\Local\Temp\dbe19a1130bccde071164cd19e631770N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\SysWOW64\Abpcooea.exe
  C:\Windows\system32\Abpcooea.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\SysWOW64\Bhjlli32.exe
    C:\Windows\system32\Bhjlli32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - C:\Windows\SysWOW64\Bjmeiq32.exe
      C:\Windows\system32\Bjmeiq32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2084
    - - C:\Windows\SysWOW64\Bqgmfkhg.exe
        
        C:\Windows\system32\Bqgmfkhg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2676
      - C:\Windows\SysWOW64\Bmnnkl32.exe
        
        C:\Windows\system32\Bmnnkl32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\SysWOW64\Boljgg32.exe
        
        C:\Windows\system32\Boljgg32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\SysWOW64\Bgcbhd32.exe
        
        C:\Windows\system32\Bgcbhd32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\SysWOW64\Bieopm32.exe
        
        C:\Windows\system32\Bieopm32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Bqlfaj32.exe
        
        C:\Windows\system32\Bqlfaj32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\SysWOW64\Bbmcibjp.exe
        
        C:\Windows\system32\Bbmcibjp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\SysWOW64\Bigkel32.exe
        
        C:\Windows\system32\Bigkel32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\SysWOW64\Bkegah32.exe
        
        C:\Windows\system32\Bkegah32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\SysWOW64\Cbppnbhm.exe
        
        C:\Windows\system32\Cbppnbhm.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\SysWOW64\Ciihklpj.exe
        
        C:\Windows\system32\Ciihklpj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\SysWOW64\Ckhdggom.exe
        
        C:\Windows\system32\Ckhdggom.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\SysWOW64\Cbblda32.exe
        
        C:\Windows\system32\Cbblda32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2080
        
        C:\Windows\SysWOW64\Cileqlmg.exe
        
        C:\Windows\system32\Cileqlmg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2528
        
        C:\Windows\SysWOW64\Cpfmmf32.exe
        
        C:\Windows\system32\Cpfmmf32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1676
        
        C:\Windows\SysWOW64\Cagienkb.exe
        
        C:\Windows\system32\Cagienkb.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:920
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2096
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\Cegoqlof.exe
        
        C:\Windows\system32\Cegoqlof.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1544
        
        C:\Windows\SysWOW64\Cgfkmgnj.exe
        
        C:\Windows\system32\Cgfkmgnj.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2816
        
        C:\Windows\SysWOW64\Dnpciaef.exe
        
        C:\Windows\system32\Dnpciaef.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2732
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 144
        29⤵
        Loads dropped DLL
        Program crash
        
        PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bbmcibjp.exe

Filesize
337KB

MD5
2a8e4e0b27175b8bce70446b89a6deb2

SHA1
295acb6f42fc0dea156e5d3f86b1a681939003cb

SHA256
a90c287c7bc2ace33b1e5ec68c33dc5f0b50d9fa187fd5a1d6304d6c821fe6ce

SHA512
2f5845227fae123a1fb6be20fd2d7128458c712cf3e61c2de15e9d1e02896a9b1934417fd4150bce374bf7eff56226c76c2f21c9e0bafb3f6d0d0531ada822be

Download Submit
C:\Windows\SysWOW64\Bgcbhd32.exe

Filesize
337KB

MD5
94d5836666f60dd88d4c7b2ffd073ec2

SHA1
2ffe42819ae8cb79d1d38a634e5f1d9073bcf625

SHA256
75b5714bd82637d3b9024588b586cba6476e9688d9bf2418511e3db8eff3b3d7

SHA512
cace6faf90844c1b1a1b344790bf01ee58a1b5a0498c61ec2590634b05381f1db672fbc3830fd3291a5f82332f8bad069bd505619444da334865156afe748203

Download Submit
C:\Windows\SysWOW64\Bhjlli32.exe

Filesize
337KB

MD5
df7d90b0c2a5e0f7afa882df1ce9783c

SHA1
75400a81cbf17a5c798c4e7df8d79e67db3dd77e

SHA256
1704e46346a1bbe6b3216730cd9eb4ac8da03b1b89e14cdc87862011e9e10328

SHA512
5be29500e6709d8674ddc89f618a634e137a285ebce8e159e286b041ee9f4174558775cd97b1849da043eb51767be0ec9b588049a3aebe3850ff5abacd8d9b97

Download Submit
C:\Windows\SysWOW64\Bieopm32.exe

Filesize
337KB

MD5
ab45c86dc175488e14bd73f5d9425bbe

SHA1
d1576e20d4d483ccfd3e8653d01c746ae74ed772

SHA256
d826f29220d79398a0887f27425c9ce6f87f3be8c974e8f9b97b4b1078c8bbc9

SHA512
990cb8f4d34865cbb7927aa97ed83d1d2685d61ef3950ae0f3eea8d0482f398bc97a8ddd3f3ba7e6825f490016d25ad2d790b48edafb5008af9f73eeac972099

Download Submit
C:\Windows\SysWOW64\Bigkel32.exe

Filesize
337KB

MD5
e90f05b9e25486ad1e040526a5f1a1a7

SHA1
c092fa98a68ba3e104313b289511cef63998a62a

SHA256
0a7ab812510dd8228f0b1cdbdec01a72ff268541362e4b164e3c1d48cf85b2cf

SHA512
fffcbae4a8a76697d18aade1e41a33a049e8e9acae8908dc790fc8c45e1e275a5edf79142a9bd8deae3f6c38d165b8bae798cc4f4b11e678d1a2e97251310c73

Download Submit
C:\Windows\SysWOW64\Bjmeiq32.exe

Filesize
337KB

MD5
d80ab16367a175d0bab5ee8dbad29e55

SHA1
1ad72138cf0951ecbe5f739a3197c6414dabd90e

SHA256
623b07e19712fd64488f988df65a274719edba76ef9c328272651d96f6c95b12

SHA512
f50720ad76ebce012f6db68324e1cf2554ffe9e2f6e1bf548352e39a1650577797a8eadffdf04bf28fbd2e8fe09f9a5a138403cf76c5e49a51c5535fde252a8c

Download Submit
C:\Windows\SysWOW64\Bkegah32.exe

Filesize
337KB

MD5
321fed6e17d123eff16ed298b4c434c7

SHA1
bb931541c9b20c5b09cec004dc37a556818e79f3

SHA256
b21736b50be8c476dcaabe5a944db2290249994aec9b84bf61988b8f200bca4e

SHA512
d711479fceb32bc966e636036c95321ab87bb07e124f28ff2bb15da04ab22ee98df4ba85fe50b782ea954b99fcabc68836a3a2c1ef2131e4b6ba4c00c6d477fa

Download Submit
C:\Windows\SysWOW64\Bmnnkl32.exe

Filesize
337KB

MD5
8e371f28c60b11a49c85bf00db19b74c

SHA1
12ba3e60a8938fb3ca092bf9f4e6ee4e1442c664

SHA256
131dd35d6290774f8286b730189f7be9c510a586e0f95d3653b8ee598fabd351

SHA512
64310f34abcaa98dc91e32977d2e5a6bf3a920239550ebeb2e7d8fa73d80fc0dd92fa343588e0a02d458e65fc66b1fb36f7566b1414c0849d81be21e1100cc92

Download Submit
C:\Windows\SysWOW64\Boljgg32.exe

Filesize
337KB

MD5
46c4e314fab6d4bbc085f6a6d2f23517

SHA1
375edde281989c9de9aa06217c38df2e263981cd

SHA256
1b84eddc4e3d811e9c8346c00a0a4dd18497f2dd39249154cd45e43e32060cc4

SHA512
9daf03ffbd41de0f8aadcb25279325b47576d0ab085bfa384408b204db3023c7a0676a21eb8794fe2365e635a91d29b726cddf477bd7cc3b49ae7d1db6d6e547

Download Submit
C:\Windows\SysWOW64\Bqlfaj32.exe

Filesize
337KB

MD5
5a4fe2f5cc03057cdf44504455b27206

SHA1
56fa679764b8022968abafc5ba91855bfba9446e

SHA256
198deb306127b529885eb80a9004bfc7e4e2df8d361be92a3d0703da3796b25e

SHA512
f5e21503040f667e2f4b5ec0bfb895df7619a1b955dc3b226fd717fd25544b448c2b51d0cecfee2f6784b81802a95fc530f86dd30a81779b8b9844c7a347ad09

Download Submit
C:\Windows\SysWOW64\Cagienkb.exe

Filesize
337KB

MD5
2afc19a85613999a7c5692794deee05b

SHA1
9e331063d59e3d14b4b06e665370ffa5197dcba5

SHA256
255449156073295c975d5c68065d2f6e0e395f5a4a4aaba272a720db8f18f408

SHA512
c36e16209ce24823ae3e78f58ce2f766e4917bd32c43fe56b67e1db13f5124172c1155fee4b45beea33ec91c80b918590fdc8e2c0073bd7efda2bf7261238fbd

Download Submit
C:\Windows\SysWOW64\Caifjn32.exe

Filesize
337KB

MD5
285fc6a2fccce2b01bcfe29088564c01

SHA1
656d0cf6134050442743997013f83fd7acc647fb

SHA256
3ebc9dec185dacd10ef1ca88f7c77c82d46e3ad38c90c91f04770d7f17f08474

SHA512
2697b4bfa646fd148ccc0d7dab68f554271b2fffd484db56b4c0d9cb4fda2bbd4491fdcfc8b5ef872979a10a61409594427aa408fb346734ff96325e8cce123a

Download Submit
C:\Windows\SysWOW64\Cbblda32.exe

Filesize
337KB

MD5
58dcad8a9c1bb6c758192f43fc5a32cb

SHA1
2f7650578fd232290f326ea6e98db7cf95e60abf

SHA256
3a6cd6f601dd3375056abe089a95b8adc6a8b14a0b8919e3ba09775080bc1429

SHA512
61e9a840caf0f05986411dd3634f949e68be713b0125b2bcb0c4eaf5021a8acc6f0b648e95a3573c679455d5274b5d9a600be525a55e04d60dccf28cfd500921

Download Submit
C:\Windows\SysWOW64\Cbppnbhm.exe

Filesize
337KB

MD5
7392fc87751f28941cc01427e70dd335

SHA1
234df994a0cf83c050722e37542b649083e56ded

SHA256
b52bbfa4b316262d3ca899f6f5ba69ca1311b6eff5b2484459b3e18897cac1bb

SHA512
b60a91f2f86b0549f088ec8c95ffb42cd302255849cecc56ec60c4c63edcd6ef72fb763a169f0606d0328a63ef5022cef2308b5b2ec4feb35cb7d66357d2ade8

Download Submit
C:\Windows\SysWOW64\Cegoqlof.exe

Filesize
337KB

MD5
a59a125541f69970b6b8d1511e78ad71

SHA1
1546bca38555c9d3280e3577bb629d6db8b39d81

SHA256
7931a5c41df827a540eedf2c1b55a52a1df5019ec77794c93422adcdfa5bccca

SHA512
0f814393ef4ed9ed8c31dd55f3eeab3549b34b6ee2d64425a37aec122c7a0a97b790e313821f23f9b9c833c57379af97cec4b1be648aa38d25d82a50c7cfb300

Download Submit
C:\Windows\SysWOW64\Cgaaah32.exe

Filesize
337KB

MD5
d32dcd0ab0a9f7905a566d51b719f687

SHA1
523e88dc9f6a294890e6fcf04ce30fc205944aeb

SHA256
983f4a04199e04aab79c4c32e363463da99d1258384e53f73d23efd6aeb68532

SHA512
01b9913e6754c6d01005b71cf2502e281289bbb73a90d2e38941d6aae81cff0ffbb2d2b0596fba2fc9eb53214350dabedf161a726e5374c933d69e0c97d60d6e

Download Submit
C:\Windows\SysWOW64\Cgcnghpl.exe

Filesize
337KB

MD5
b7eeee1171c8cd641ce02dfa480f5da1

SHA1
e700a7b3246949c149230edf63c43df0ab8f0dd2

SHA256
f7b082d5beab243bbeeba145aaa3ed47fece4484b8184a6b6987ec562c9ac530

SHA512
94263390ff75d68dbc26440b137ecab405737eda3b4a64300c6e8ec86343d32e63088f44c4a2f321a7198c0b50fa64cc1f685ed21ec137f8e0072f9e9a246434

Download Submit
C:\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
337KB

MD5
3a83a24fbd084f48c46b5c369f36a578

SHA1
37a63aba39c4f696594e6f7e151ddb574f88ef05

SHA256
db3886c81956fc22d064a1ab662503a558c0762f806d9510766ba8dd2dbc31dc

SHA512
b091ed398679a6acebb40921f7066ac13f880be304d010f6ca63a44c6f9cfc38eb6580ad1e07ee74b243a5a2d6172cadcf3dc37ba0d01ba6bd905ab0a4a1878d

Download Submit
C:\Windows\SysWOW64\Ciihklpj.exe

Filesize
337KB

MD5
c34f3839a880a5e9841be7e52a1bbf2f

SHA1
72598aae9c71aeb4d935be13ba1b4921d31e279b

SHA256
fab146dbe521b27108753e21e109d3358cca58ced23a74b6299ea7488b7e3d3c

SHA512
dbe36181909622f027a98e4bbfafce78935abfea819e1c94ab7d7418fa90eda9a67dbb71b41154ad5fd3cb5fc23b0e143abe94dda0766736857614957a8201f9

Download Submit
C:\Windows\SysWOW64\Cileqlmg.exe

Filesize
337KB

MD5
f02fd300d456fd6abb58ad8110fd3a6b

SHA1
0a21bdc6d76450490e4537d510e4cdc5d974274d

SHA256
e44f2114f53b6950b5d7a76fb8c688b752edea2e26a9ca649945f6b620b29b70

SHA512
ebe0d0ce6bf81ad80fece1df424272c6ce2a776055676e3ce7c8a331c3487e6b2509e3c270e90e7e4f214698b78277a6c5b638e60819d3b2e13f943c40cd851b

Download Submit
C:\Windows\SysWOW64\Ckhdggom.exe

Filesize
337KB

MD5
53491f4c06c77aaaeb2ad3499874d5bd

SHA1
e94a19207a423e00dfe5706387f1d8d97b9ffb21

SHA256
d8f41d5a9153fa3619f52e395fa3f025ca00a21f35ed42fe64f2c9900b4aef2f

SHA512
1d78dd712c57ab2fb38abe51b773f923347d30680110c41bca6e3f23300bc5c04c278df67f9149f6b7d9e9a98bfbdbdfc3de9e1589fe873b757914df82a031a8

Download Submit
C:\Windows\SysWOW64\Cnmfdb32.exe

Filesize
337KB

MD5
9082b99c42dd90bc00875309df515ed7

SHA1
8df6f7ad8da617505e02c7c49390bf1bb57c62d3

SHA256
eaa4ec848e8a49c078f5778dda9d2b86aad12d0195e427f4ad6e83ebb084b11d

SHA512
48de77c58f759dc5c4b613f323dec318325ba90b04771a711e2c2ac47c1f39f4e91309d60bff0dc130e646a91e19fa026a8d8df4b8e3b4315ac129d271574c67

Download Submit
C:\Windows\SysWOW64\Cpfmmf32.exe

Filesize
337KB

MD5
730863bf37fe291c8bd8ed89485419f1

SHA1
0ee4f914e1deea16a280785693aee1a1e3276ebb

SHA256
1814e552475dcb673837e5f2482f432d8d93d2cbb26140d71af5589abc832c26

SHA512
eca71a1e8ba7cd79fe7ebe71d939eaf1a2b0a81e02ebc8f18263cb668f9a5b3101fa3e9fc65d4cf2932f368e44b4aba80b5151747844a34c748280b89036223c

Download Submit
C:\Windows\SysWOW64\Dnpciaef.exe

Filesize
337KB

MD5
607511c7bca69ed82bfd515a27f665c0

SHA1
bcd84eb5eccbb069f653408f136951e1f574cea9

SHA256
86289e39b00b2394b241a341266cf88853e6ce7fa1b561b4cf49473357e39607

SHA512
75416e57b4cbe445fb60a7efdaf551f12717a556b6a1c5f980c17cff12b7d07f33d83ba5c7f97355cc580b77a34ddd3993c92e52bea774fc28f0c8c84ce59e43

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
337KB

MD5
5ba367671c5bc17938c09cac6ac63399

SHA1
e92e9eb3ac3b65d38295b46ec0259512fefc7429

SHA256
3beca986817dc938f0ac5299643df09c6f3aa2cda44cbfe6ab82f89972b7b67f

SHA512
208b853e34740dff77736fa1af8f54e0b554a0c50f27cb773733bc7995c4ea5fbba27e4bd4238c7f6df5111a020314a81bd97c855e05092329b3ad1eb6ef4ef2

Download Submit
\Windows\SysWOW64\Abpcooea.exe

Filesize
337KB

MD5
569e494547daa5b4ab9b3d648f315a8d

SHA1
86b9a4dc4709a79c2261bef2cbcb513cc0351e7d

SHA256
ae4fc5298af29da858c7b5fe3a1c70c01f52834f73b8f14ce2e4abbdf1c4f955

SHA512
3a191d579cfaa3a585bee32db160196c760a5772c2359513d9bb3da509733ebc80f5d9a8574cc922e05ad33adbb895bef938c1f2c1043dd099968508d9eca642

Download Submit
\Windows\SysWOW64\Bqgmfkhg.exe

Filesize
337KB

MD5
7c29e94ffb9de568aa44a0e89fbeef66

SHA1
7ac00345d45bdad0997f1bde1977467e9eddc07f

SHA256
2e3337dac493772b33d003744249cd096ed5edb7cea79f7d1e94772af7d19926

SHA512
286ecef88b2cdb4684b8c7436232d1546317679bb8df7294eb1a316d272f2c06a19fbb11e4ccc7c9e81ab167cae462d726a3ed77a7c244f7addff2ac10399bff

Download Submit
memory/920-269-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/920-268-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/920-260-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1060-153-0x0000000000310000-0x0000000000343000-memory.dmp

Filesize
204KB

Download
memory/1060-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1060-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1544-319-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/1544-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1544-318-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/1544-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1596-171-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1596-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1596-181-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1676-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1676-259-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1676-258-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1676-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1684-98-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1684-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1684-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2004-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2004-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2004-308-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2004-307-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2024-367-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2024-296-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/2024-290-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2024-297-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/2080-227-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2080-361-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2080-233-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2084-50-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2084-61-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2084-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2084-42-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2096-277-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2096-289-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2096-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2280-402-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2280-18-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2280-401-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2280-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2280-17-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2280-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2312-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2312-139-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2312-126-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2364-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2364-276-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2364-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2384-198-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2384-182-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2384-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2528-234-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2528-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2528-244-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2528-243-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2548-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2548-222-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2548-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2548-226-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2624-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2624-167-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2624-154-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2676-71-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2676-62-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2688-331-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2688-340-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2688-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2688-341-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2704-27-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2704-19-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2732-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2732-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2816-329-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2816-330-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2816-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2816-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2856-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2856-99-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2872-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2872-125-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2872-115-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2968-41-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2968-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2968-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2992-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2992-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3056-350-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3056-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads