7da138967ae72c7bf4c4b20f46c38e42ee5cd7b13603918082bf3a0160f96a90

Analysis

max time kernel
92s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 03:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7da138967ae72c7bf4c4b20f46c38e42ee5cd7b13603918082bf3a0160f96a90N.exe
Size

188KB
MD5

d0614e60bf379e32211c4ca5363b94a0
SHA1

eb3924f4c4214ef5f2750a0bb5039f95a03695d7
SHA256

7da138967ae72c7bf4c4b20f46c38e42ee5cd7b13603918082bf3a0160f96a90
SHA512

bc507a487e099603268bb53303db20deba964861d61e2d3c504db10fac0981786eb4c9386a526ce8c859e97ab7274c57aef8f25ce3f7dac22f3d19b4ee3b72cb
SSDEEP

3072:B2l9i3ewvoPgsSBRFKh1AerDtsr3vhqhEN4MAH+mbPepZBC8qzNJSKrDco:33eKsSBih1AelhEN4MujGJoSoDco

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	7da138967ae72c7bf4c4b20f46c38e42ee5cd7b13603918082bf3a0160f96a90N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	7da138967ae72c7bf4c4b20f46c38e42ee5cd7b13603918082bf3a0160f96a90N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe

Executes dropped EXE 38 IoCs

pid	Process
1460	Agglboim.exe
3524	Aqppkd32.exe
1220	Agjhgngj.exe
3044	Amgapeea.exe
3560	Acqimo32.exe
1700	Anfmjhmd.exe
1000	Aepefb32.exe
1792	Bjmnoi32.exe
1216	Bebblb32.exe
2280	Bganhm32.exe
1064	Bmngqdpj.exe
1292	Bchomn32.exe
2616	Bffkij32.exe
1620	Balpgb32.exe
3380	Bgehcmmm.exe
2956	Bjddphlq.exe
4604	Banllbdn.exe
5028	Bhhdil32.exe
3772	Bjfaeh32.exe
3988	Bcoenmao.exe
1408	Chjaol32.exe
1856	Cabfga32.exe
4788	Chmndlge.exe
3036	Cnffqf32.exe
3792	Cfbkeh32.exe
2624	Cmlcbbcj.exe
3556	Chagok32.exe
3868	Ceehho32.exe
3960	Cegdnopg.exe
4436	Dmcibama.exe
3356	Ddmaok32.exe
900	Dmefhako.exe
4072	Dfnjafap.exe
4448	Dmgbnq32.exe
2676	Ddakjkqi.exe
1668	Dogogcpo.exe
428	Deagdn32.exe
1048	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Aqppkd32.exe	Agglboim.exe
File opened for modification	C:\Windows\SysWOW64\Agjhgngj.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bebblb32.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Banllbdn.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Balpgb32.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Aepefb32.exe	Anfmjhmd.exe
File opened for modification	C:\Windows\SysWOW64\Bmngqdpj.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Aqppkd32.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Ldfgeigq.dll	Aepefb32.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Gmdlbjng.dll	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Bebblb32.exe	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Agjhgngj.exe	Aqppkd32.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Bmngqdpj.exe
File opened for modification	C:\Windows\SysWOW64\Balpgb32.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Acqimo32.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Bchomn32.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Agglboim.exe	7da138967ae72c7bf4c4b20f46c38e42ee5cd7b13603918082bf3a0160f96a90N.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Anfmjhmd.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Bchomn32.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Jlklhm32.dll	Agglboim.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Chagok32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2720	1048	WerFault.exe	118

System Location Discovery: System Language Discovery 1 TTPs 39 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7da138967ae72c7bf4c4b20f46c38e42ee5cd7b13603918082bf3a0160f96a90N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	7da138967ae72c7bf4c4b20f46c38e42ee5cd7b13603918082bf3a0160f96a90N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlklhm32.dll"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	7da138967ae72c7bf4c4b20f46c38e42ee5cd7b13603918082bf3a0160f96a90N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdlbjng.dll"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	7da138967ae72c7bf4c4b20f46c38e42ee5cd7b13603918082bf3a0160f96a90N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	7da138967ae72c7bf4c4b20f46c38e42ee5cd7b13603918082bf3a0160f96a90N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglncdoj.dll"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2800 wrote to memory of 1460	2800	7da138967ae72c7bf4c4b20f46c38e42ee5cd7b13603918082bf3a0160f96a90N.exe	81
PID 2800 wrote to memory of 1460	2800	7da138967ae72c7bf4c4b20f46c38e42ee5cd7b13603918082bf3a0160f96a90N.exe	81
PID 2800 wrote to memory of 1460	2800	7da138967ae72c7bf4c4b20f46c38e42ee5cd7b13603918082bf3a0160f96a90N.exe	81
PID 1460 wrote to memory of 3524	1460	Agglboim.exe	82
PID 1460 wrote to memory of 3524	1460	Agglboim.exe	82
PID 1460 wrote to memory of 3524	1460	Agglboim.exe	82
PID 3524 wrote to memory of 1220	3524	Aqppkd32.exe	83
PID 3524 wrote to memory of 1220	3524	Aqppkd32.exe	83
PID 3524 wrote to memory of 1220	3524	Aqppkd32.exe	83
PID 1220 wrote to memory of 3044	1220	Agjhgngj.exe	84
PID 1220 wrote to memory of 3044	1220	Agjhgngj.exe	84
PID 1220 wrote to memory of 3044	1220	Agjhgngj.exe	84
PID 3044 wrote to memory of 3560	3044	Amgapeea.exe	85
PID 3044 wrote to memory of 3560	3044	Amgapeea.exe	85
PID 3044 wrote to memory of 3560	3044	Amgapeea.exe	85
PID 3560 wrote to memory of 1700	3560	Acqimo32.exe	86
PID 3560 wrote to memory of 1700	3560	Acqimo32.exe	86
PID 3560 wrote to memory of 1700	3560	Acqimo32.exe	86
PID 1700 wrote to memory of 1000	1700	Anfmjhmd.exe	87
PID 1700 wrote to memory of 1000	1700	Anfmjhmd.exe	87
PID 1700 wrote to memory of 1000	1700	Anfmjhmd.exe	87
PID 1000 wrote to memory of 1792	1000	Aepefb32.exe	88
PID 1000 wrote to memory of 1792	1000	Aepefb32.exe	88
PID 1000 wrote to memory of 1792	1000	Aepefb32.exe	88
PID 1792 wrote to memory of 1216	1792	Bjmnoi32.exe	89
PID 1792 wrote to memory of 1216	1792	Bjmnoi32.exe	89
PID 1792 wrote to memory of 1216	1792	Bjmnoi32.exe	89
PID 1216 wrote to memory of 2280	1216	Bebblb32.exe	90
PID 1216 wrote to memory of 2280	1216	Bebblb32.exe	90
PID 1216 wrote to memory of 2280	1216	Bebblb32.exe	90
PID 2280 wrote to memory of 1064	2280	Bganhm32.exe	91
PID 2280 wrote to memory of 1064	2280	Bganhm32.exe	91
PID 2280 wrote to memory of 1064	2280	Bganhm32.exe	91
PID 1064 wrote to memory of 1292	1064	Bmngqdpj.exe	92
PID 1064 wrote to memory of 1292	1064	Bmngqdpj.exe	92
PID 1064 wrote to memory of 1292	1064	Bmngqdpj.exe	92
PID 1292 wrote to memory of 2616	1292	Bchomn32.exe	93
PID 1292 wrote to memory of 2616	1292	Bchomn32.exe	93
PID 1292 wrote to memory of 2616	1292	Bchomn32.exe	93
PID 2616 wrote to memory of 1620	2616	Bffkij32.exe	94
PID 2616 wrote to memory of 1620	2616	Bffkij32.exe	94
PID 2616 wrote to memory of 1620	2616	Bffkij32.exe	94
PID 1620 wrote to memory of 3380	1620	Balpgb32.exe	95
PID 1620 wrote to memory of 3380	1620	Balpgb32.exe	95
PID 1620 wrote to memory of 3380	1620	Balpgb32.exe	95
PID 3380 wrote to memory of 2956	3380	Bgehcmmm.exe	96
PID 3380 wrote to memory of 2956	3380	Bgehcmmm.exe	96
PID 3380 wrote to memory of 2956	3380	Bgehcmmm.exe	96
PID 2956 wrote to memory of 4604	2956	Bjddphlq.exe	97
PID 2956 wrote to memory of 4604	2956	Bjddphlq.exe	97
PID 2956 wrote to memory of 4604	2956	Bjddphlq.exe	97
PID 4604 wrote to memory of 5028	4604	Banllbdn.exe	98
PID 4604 wrote to memory of 5028	4604	Banllbdn.exe	98
PID 4604 wrote to memory of 5028	4604	Banllbdn.exe	98
PID 5028 wrote to memory of 3772	5028	Bhhdil32.exe	99
PID 5028 wrote to memory of 3772	5028	Bhhdil32.exe	99
PID 5028 wrote to memory of 3772	5028	Bhhdil32.exe	99
PID 3772 wrote to memory of 3988	3772	Bjfaeh32.exe	100
PID 3772 wrote to memory of 3988	3772	Bjfaeh32.exe	100
PID 3772 wrote to memory of 3988	3772	Bjfaeh32.exe	100
PID 3988 wrote to memory of 1408	3988	Bcoenmao.exe	101
PID 3988 wrote to memory of 1408	3988	Bcoenmao.exe	101
PID 3988 wrote to memory of 1408	3988	Bcoenmao.exe	101
PID 1408 wrote to memory of 1856	1408	Chjaol32.exe	102

C:\Users\Admin\AppData\Local\Temp\7da138967ae72c7bf4c4b20f46c38e42ee5cd7b13603918082bf3a0160f96a90N.exe
"C:\Users\Admin\AppData\Local\Temp\7da138967ae72c7bf4c4b20f46c38e42ee5cd7b13603918082bf3a0160f96a90N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Windows\SysWOW64\Agglboim.exe
  C:\Windows\system32\Agglboim.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1460
- - C:\Windows\SysWOW64\Aqppkd32.exe
    C:\Windows\system32\Aqppkd32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3524
  - - C:\Windows\SysWOW64\Agjhgngj.exe
      C:\Windows\system32\Agjhgngj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1220
    - - C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3044
      - C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3560
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1000
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1216
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3380
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3772
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3988
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4788
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3036
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3792
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2624
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3556
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3868
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3960
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3356
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:900
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4072
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2676
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1668
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:428
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 416
        40⤵
        Program crash
        
        PID:2720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1048 -ip 1048
1⤵
PID:1224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acqimo32.exe

Filesize
188KB

MD5
f43fa7be97067afde813ff87dd3fc963

SHA1
ec519e6e443f3027d1ccf580c82b5a639fc9342b

SHA256
b48a86a374ad04514bbd1826ce5b6786a20ae77ec1a45d2880d63cda20b63cc6

SHA512
6b30144d09e90b510eeb0a7fb6a4376649920320d00678c18f69431414e5e7d48d75cbf2c9077b7e57f92f7413a222eb0eeebe541e8ea4698c45f6f691a57eac

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
188KB

MD5
954551962129c6d9b46599c418beaf1b

SHA1
3a7c21a2ef0bb815ccb7a10643d0cc350133f020

SHA256
65ea941fe81a3882273ef71dad078aa4d753f84352dade3095db888d8f4d2d4b

SHA512
00c39738fd537d48451efe4f796fc3ed7d2aa55227c29128a0db2c37aa71b732516955daacb2056090118d62c319cda428bb17c92ff453d96057b1a1d35c66aa

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
188KB

MD5
8ad72f437609e17dd18499254ef1d273

SHA1
000c62a2639a42967a6f4f710ea569102687f4bf

SHA256
1bb2a15eb1975899f67e06f3e0eb0382111cfb8f4a4b85816c0b365a550b0d4f

SHA512
7fb1b6425a4156f3fe2990c1fdf34d1ceb54d6b4d96eb3a469ad06fd897e8c78e945197a54c1ce44472c6d973cce426ea577973b387d13e80741120f0696962e

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
188KB

MD5
7aa70f73cd15dd9a64c6fc7832437821

SHA1
ca36d41b6278a0c060c22571b1543082a2c2e56a

SHA256
31bb7d623d9ceff89a12d407e65d81c0317a34abb874dc2dd83eb2528902e382

SHA512
b2ef024022086c5bb750a479656d48977f36172656cb38ecaf037e4485923d4267a768cc834cca71ace7ca518db5d8adc1c95ddaa1b75f80a00483574b232a8c

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
188KB

MD5
eaa6737fffddac14d987c1b51eff5063

SHA1
9674dd855d59c3e092194f31f9bf4329629843e8

SHA256
65e263b29a781338a89b76b2d25cc9a5685b0ce6496ddf37bb608a49a95dbb10

SHA512
11d18cb8fd681f421b3a7a3c2c46ed6fecc8c424bfd9bf5d06793528da9ca500554aae85696de7e3f38043c17c3b078b5159ba1a9cdd79cc250a2d05b5bc91c0

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
188KB

MD5
446f8b487c77109cc39035336ec79b3b

SHA1
a7609da3c1043d2c182180b3649d23e598d03594

SHA256
6466a55fbf54b190056aad1a69f096aebad87a0b2c3e8305aa9f212814bc9724

SHA512
dbe909bde9ed82a3fcd460c3a983c6a5e3399d1591ec5fd32dce20163bb5c220375720a5efc3ad42a48058628f2a97b8558bb5ee5938094783f9813936b86fd0

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
188KB

MD5
6543073343cc392d9b6a9ac1f2a4be8d

SHA1
75c9c7ad0ca1125dbc9a8c88974fa49712df3849

SHA256
5f76fbc3f5f23ac6949dfbe786d65ecc4398cc7ee0a1b0cda70bef2034133fe7

SHA512
14c95282ca275bab5fd8b15c315261f5ed8b5f2c0e462b60f088138844166b6f9e0fef199805a17a5efffad16141c3f86a172481cd9d0160ba940de835dc778d

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
188KB

MD5
06ab2ae63eb0fbb868bc3aaf6473537c

SHA1
718bd61d3fea7d757105d8e80b2d7e7762c88792

SHA256
24bc94683ea3038de207eaa9dc61b3910d2f691362be77bec315ee432de8161f

SHA512
c46fc6d09213d8a1683022225dc694bdb951b8c3ff4e253326f259258d11f8dc6c091428e3af3965a06b610ba25ed4c44268a9060617b208bf60c0df103aa17b

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
188KB

MD5
5fb5abc35797255ef626a7ee9a877194

SHA1
2738b0f51762c8fbb77ed762bd29f086198bbdaf

SHA256
c0abbecb8e95e3dfbf9a327e75a6a0b078eb2fe0ebf4fb5a4c68a4753080a0b3

SHA512
f3025d7c54ead5d2ba05e9568a7cda2136514fa2fcbc3b03dbe1ed78c974f02255f9c2af3aad9c5928cd0772fa306a5cea142f25be0e930a9367670f1c6f29cb

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
188KB

MD5
63e32a00585cfc0875ad7fd4bcc1578f

SHA1
7dd33c92d8c2097cdb68ec27c3165bc218085fbe

SHA256
c2f8b6853ff1aa871e7284011bbdc58c14ee2904b33d13d0d79b32ef6182bb6a

SHA512
7c3e296f43ef8aaacab194f913710b815ed32a3cd0f704642ddb0f6a8bbf43f642781ac66d8e573978359081764b4c479bd0e99e8b89d0518a7ac8b2e231ed8f

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
188KB

MD5
78cc8c4cb81c53d91d381ae3a71fe80d

SHA1
febf035215c4f2acc7aacf9e9531a1f9f114e433

SHA256
038bab982a48ef683fe0f76eae4975d5320f0b897581f97734f4131a51371c0b

SHA512
d1ff43126db62278e254b5de3ca57ff208d70bae4d23a60c458693df7fff70fe089f5fc200b32998d30438b2afef240a3ab0e2f9da4e58484be1c70e9c0765b6

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
188KB

MD5
ac47071079203695f755e5a557bf573a

SHA1
0664c3540e379c4a3edc2bc475f6d263a8d45c79

SHA256
14773392ce6233f967c3e280eff2f747b72ec93e831762393ec551833dcba361

SHA512
d1ebd8a740ae64c2658723d32449518c0ed3ba7da08ff2bdbc4c42292c967ae061a37a8fbfb768f835dc8e9d1ddc82e55ad2626e52cbe5ca6f7a1ac0895823d3

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
188KB

MD5
25e7e4c40149138ebdc414b18211f056

SHA1
fd329f5f2f51bb992cc00d70572f4c8884c0a49e

SHA256
b5b6f498ff57a6512a6c21d376897dfd22e952758645322996299a63355e9d2b

SHA512
a7e09eaab054cdb20fff39aa7d1be30c6aa9567e05c96d988aafdc555f1b5b128c9fff1f80869018504752e5c34e8030142727fc5c858fe18dc05559b17a006c

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
188KB

MD5
e5dd555ae18077e1c0d7943c9a9589df

SHA1
8a521d19a2ff1ae304f164d82828fecb01544dfc

SHA256
59c9f74726b1667b855e0b861c2f8eee342c789f34d82162592fa00f039daabd

SHA512
f986fd5d32da0e34d155af2902438b9c474b72cc996734cb57f243e29623d090b972678b89511294e73c62dff318ec8638f986fe4ea8a7d29e1349a911d67101

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
188KB

MD5
2c8f4af7d69dfb5cddd38f77653d9239

SHA1
5e9352855c6f62fb3338620788ad4e4f495b22a4

SHA256
aaf3844859305648d099e818022e826c9f22878accff986d2630dc66acceee2f

SHA512
7cbdcb0f3f57a44a1a027206e645c774f1d8e09b307b267bec1aa9b9786379c6a712e22fcb4fee218bf216f21a9ba7bf46c86949e818f5ff1dc5b68ea9f6d03b

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
188KB

MD5
dcd95cd3a7508b9681e0dcab86e27103

SHA1
f4ca0c0332c2aa97b0a3d6f7d00f2023cb537adc

SHA256
c763cbdac6963a0e03d0a43bbe1ca53d5bfa065ad2d18e67e215f93aab1020c4

SHA512
6c332f103f0cbac6eb3c47dd8289b1c78d0ced243406fe787b85a328620d4d9f2f63242a49b71cd4e338c0137d3ba535d5cf77c55e1df30cc23f48a7cf270970

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
188KB

MD5
0b6b2a6691439cb7af87ef4ad6e2b4a7

SHA1
22de742f2f49247e1e3258702168ca48fb155309

SHA256
24ae284c18ebfe8be8dae3bacf8e40380f029406e72c5d1308a3f72634a91d13

SHA512
4a3e2e63590f6378f46e1d12d2251f83f411e77a7bd8ba29606729dffa29f7e1873dee0b5f97bc7b0e9b79a42c6da7f24cc780240ad3109dc954153fc2bdcbdf

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
188KB

MD5
ef1bf351ffb131ea025dbd5fdb68f738

SHA1
53868412c7b95a64cb86d0c71ff1fec5616d44ed

SHA256
8214ba3c9560053c24d6a6b65095ca729891505a42517366fa91413afd7dcb47

SHA512
09718c8556114247eba9a4f2e720523016962e5ef4b17ec8feb192f314b2752411bca6b81e75b3ad87aee4a760e10802a7c4c1052c86daa8b589b7d34a0f0681

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
188KB

MD5
5929d3035d354482cc7f67f12d672487

SHA1
535d57e4709c6280f370d740cc43d5e9c0c6e27b

SHA256
7d688596dd76ec58c887ba284a6aa73f3c4a4defa692a65517c481cd7bd302b5

SHA512
dd0cd1f8ee6783341bcc121896aa707692d599803ecfafd12aed2e006e81a469d5447128d0b060bebb0c10cf93c293f1b1020ba40ceade1589c684223e804641

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
188KB

MD5
0ea9dd80a5ef94131d2e78d52e31c793

SHA1
55b4e1c91100d446c8cd79d42fdc925b69085613

SHA256
11ec70b23f3a4d759f4ff2f62796db66e97df8567a2e24cdda5fa12f3a654c06

SHA512
bd7758241018fc4f5813a8a28b90412bd0bfb4bab6effe3fc64d4d3b5df2238057ceecf37dc841d56e90aa293206db05b532d9e81f9ae02edcb689335e367e8f

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
188KB

MD5
670a0ee5a4926c009ea5c0f8ad34b86c

SHA1
4f848575a959eb7005e9d8b5fee600e9398fbb99

SHA256
7dcaf4142aa4762d30659b3a7f5b1099e75c583fad5d6b95437dee68efd2bd2d

SHA512
94acd414bdcd42373dc5ecc7b866edc757dd35eab3f984a1d16da4d2ad1dd787f8caa22044ec08ab1f4c6e408f35305c17403ff9652adacec8214b2ee99bd99d

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
188KB

MD5
98d48aba2f1bb03bd4e3564067a6b202

SHA1
ca0b4479599f2370f8b2151b91ca0e0ef5d7eba3

SHA256
e9a72827fc89d0deaab72de0f9e2cc768b682251eaf611317da10ea889b43fdc

SHA512
e10d29e5bbb20eed4837a1a21290eb57117dcf09f1e7a249ee2a0e857d65a3979d4f3221ba748bcc6618686560168d0e917e94d8964d26c60758464a44ab4254

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
188KB

MD5
d2b341637c56b8216ffe77b081db2bfa

SHA1
5751579e17e109b6967a0b8f0a15110055ca8968

SHA256
ff51b8f3abb474de1e61140abb35392dfd416afb9c5e720a417f5acf36f4816f

SHA512
74787078a7d87ca7b36dbf11ffb82b653c03911008c3426d26f8f6057708659cd6ba15de3a1bddd3a4e22c601d2c2136f71ad67328704199362925097284a7a4

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
188KB

MD5
d1af2d1d4eff4ef74db48928f3c317c8

SHA1
8b31ae61e86793924d4268a7a36773498f929772

SHA256
3ea4540944a32e1af13d65d9e1c557a707698706fa22cb5f528317f4c49bd055

SHA512
1f5ac84322be1e43a40ab5d3c8af54b5bcc106eb46e4eafe0da0ad58739066ccc6a674ca67d4086bafdbb5b44dce0fefb02551ffb10dd2cca2bca8b492928d7b

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
188KB

MD5
f2d2d4a0fbd55c23596404648125b150

SHA1
931083a8266f8ed4fd6e1a9dc2985eaa05f5d72c

SHA256
fa2aa084e0934dfb5c961fe7be878f5eac6d6f3fa82f813af88b48d61c57ab29

SHA512
bdcdf831e210dadec36e6c759d996190fc044acb6fecc9f054247cf1c380e09d13d5b2ed2d3891b30e6f1e55f447ebcd79f85d743a01c49f0f39641428549bdf

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
188KB

MD5
c0304b9a3de9660a9d1b16452d4258a5

SHA1
20977ee29bcea2f2344f903774f2bc4511071dc5

SHA256
510f3811a5b8ce36db8f1ab5aa93e68f7b8c05b8adea4fa97516a0b9250c1780

SHA512
1e1e9cd6dae538c4c2a5553aa922f652b1d301f56c6b35205906e6dcfcb37e858d57f88b1a0f7ed0730543bd0a542f4563de0e3562627f1c8434eb2dcf271549

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
188KB

MD5
7b06aedcc1fa7fe8fdac9b039e957120

SHA1
ffafd4a0a6c32f19b51dbb45a3b8bf4fab620eb7

SHA256
f627e4d5a96ec5810d6eed98628e0e989188dc96fd2450cfdfd3ed087887b48b

SHA512
4a6e4370b994a74fd07f38fafbb4a06431e53b17b1fae7805c060fc2b2b244e63b4c77f2057080252012a6358f3540988f974b7ee415a2612950e1eb01c6fa3b

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
188KB

MD5
170c37d93ef60baa19b6ed489a717c58

SHA1
b420351deb43c048d57b17b64065a2ecf55dd661

SHA256
0dd8f1b4a573df4ba512f53e89b433ace4d1ae4f11e845c8df8cb24398f019ad

SHA512
0d7c0bf40372ffbfcc71d663d38783d1088b34c5fc8dca83169b837010e611fa64e492556fd390c1f0841ae97e587292e13957c65b1c2ae45d79fb4bc086f367

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
188KB

MD5
a7a796caf71aa9b5b0317f5c1ad9706b

SHA1
04e71afa64ae3e56cfe565a91b57e014c7026de2

SHA256
c4c34defa3a6ef8e5d786d1faceb642df67dc859f6c1ec996a2ddfe5d4be430c

SHA512
988f3093795bb241253199cbfe39595f04df3f0e6bd8794da2be2d7963c0a31fe6b49aee29b6489dcd12485442205fab124897a6625a6c98582fb60d8f95b1d4

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
188KB

MD5
7014cce88706427d2564894a533890ed

SHA1
0e4798c754bf03207662525c4fd81337b146afb1

SHA256
2fc60bc36e621485c4632ebca754db15e3c68fb9e65be066d6dbb6d852e84039

SHA512
a2f89fa6a8c57a9344d78e6663f0c2420359eddd4ec80ee0abea347db27e8d638cc3336b5bb0560db56e0c0b805b2716ce88f86fa0c9e0a9cbea6993c95d9dd9

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
188KB

MD5
402563c428c590a82069271a095caf28

SHA1
e77406eaef4f65b7317380bf007c59bb88dd4be4

SHA256
9abeea24b516f3155171d0f5844311652cb3383e7d7f238eddca96758576f9be

SHA512
faec9b08004a1e8cf6cdfad0ce174b99f19c4ef0890c295bfb69e1b451b959f8d0cf164aaf8e4ce2d842bb6af877a2ee41561d8cae09b70c14f9330df50cd927

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
188KB

MD5
869b399cac3d6b0f20d8f05015b690ae

SHA1
d57b4f0314cc165d0a45e6dec1bcca630fcc1275

SHA256
a21d3067b7ef50020041d580167857d37b3605498bfc87aa218cbe29161ecb90

SHA512
9f3c90dee3a0b0f079036d0467c996ceda4b0080d50c5ca4f16b9189c5e032ec0a029e9ccdc781cbb7ba2df387049666af829e4d57cc7fae041cba642fe1e005

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
188KB

MD5
d3fe39d6bb6857eb96cd73f6782e2721

SHA1
1a2a763b9d567d3d56ec14d089897283cb2d0414

SHA256
3df65d28c9de38268e0ca587440a8b93c08ef7db309247991c63984c60bb983b

SHA512
1be484c248cd226f8ca381d746735c356d827c2cd73091e51cb36a54f34f7cba61c2110655f3e2ce2a68e2d314453be1cb302495b0c43d87d4f7fa2f754e6acb

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
188KB

MD5
6bbaa2dad3c6417913b1b7c69d1767a3

SHA1
d89bbc5d9040d54cb496bc9892dab4b0996dece1

SHA256
57a5231957eae86459db51431c4f7d14396d4f97fde77fcd23a296759ea5563a

SHA512
e589c54d535cacdcbd436227c1e5604a167d287f6e8a7ecb667d0c639433e1c8eadd5b65ecfd0c9c00bced40a740b605c4aee22b4e2138af429a4ba0e07a5c05

Download Submit
C:\Windows\SysWOW64\Mglncdoj.dll

Filesize
7KB

MD5
206e20fc0263d768fd8e9384bc2e9eea

SHA1
f9128d5e1059d3ee45342d6f8ff6d323d3076e97

SHA256
398f9d4c84cb5eeb30acc15ece7c3caf7ae3ab1bc50d0a9b23156511865d03e4

SHA512
13fb3ea169a4d3ae4e1080e1082cae7376efaa9b4e10c262ebd8859b281976fbd22e34badf421cdb1c174903b945f74fc31f60c8141ae2a9a91a73479ea72f34

Download Submit
memory/428-296-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/428-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/900-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/900-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1000-350-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1000-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1048-295-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1048-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1064-366-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1064-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1216-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1216-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1220-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1220-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1292-342-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1292-99-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1408-172-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1460-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1460-362-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1620-338-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1620-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1668-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1668-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1700-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1700-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1792-348-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1792-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1856-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1856-325-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2280-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2280-344-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2616-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2616-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2624-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2624-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2676-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2676-302-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2800-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2800-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2956-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2956-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3036-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3036-321-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-356-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3356-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3356-307-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3380-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3380-336-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3524-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3524-360-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3556-315-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3556-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3560-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3560-354-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3772-156-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3792-319-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3792-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3868-313-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3868-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3960-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3960-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3988-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3988-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4072-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4072-303-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4436-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4436-309-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4448-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4448-300-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4604-332-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4604-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4788-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4788-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5028-148-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads