1de476805c5fe16ee4c470efaaaf2fada28bb2b2cbf0f6b22d714225dba2fb9b

Analysis

max time kernel
96s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2024, 11:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1de476805c5fe16ee4c470efaaaf2fada28bb2b2cbf0f6b22d714225dba2fb9bN.exe
Size

80KB
MD5

b843ef7ce8efc2cf9559b47ab51c7e50
SHA1

ade37f0a3c944604ef4460e104f632803d14fb53
SHA256

1de476805c5fe16ee4c470efaaaf2fada28bb2b2cbf0f6b22d714225dba2fb9b
SHA512

8c000b954af18f8081c6c08985eb3cc1f07a91bde8649ec44042fcb0860e9186cbe6a2e44d338fd0529b09d21bea79202d2e0d145b0e7bf8cfb7c7e600cefcae
SSDEEP

1536:ylrlEalwsniftW6yq6g+gUZ4Y9SMNBSr6yiVXN+zL20gJi1i9:ylayiftW6rPIBS3iVXgzL20WKS

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	1de476805c5fe16ee4c470efaaaf2fada28bb2b2cbf0f6b22d714225dba2fb9bN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	1de476805c5fe16ee4c470efaaaf2fada28bb2b2cbf0f6b22d714225dba2fb9bN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe

Executes dropped EXE 40 IoCs

pid	Process
3612	Adgbpc32.exe
4168	Ajckij32.exe
2728	Aqncedbp.exe
4696	Agglboim.exe
4212	Amddjegd.exe
2984	Acnlgp32.exe
2604	Ajhddjfn.exe
4928	Amgapeea.exe
2760	Acqimo32.exe
1696	Anfmjhmd.exe
532	Aepefb32.exe
1892	Bjmnoi32.exe
3928	Bagflcje.exe
4564	Bjokdipf.exe
1764	Bchomn32.exe
3304	Bffkij32.exe
3588	Bmpcfdmg.exe
4832	Bcjlcn32.exe
3960	Bfhhoi32.exe
3468	Bnpppgdj.exe
4032	Bjfaeh32.exe
1428	Bnbmefbg.exe
2600	Cfmajipb.exe
2324	Cenahpha.exe
4756	Chmndlge.exe
1508	Cmiflbel.exe
3208	Cmlcbbcj.exe
1348	Cagobalc.exe
880	Cnkplejl.exe
4324	Chcddk32.exe
372	Calhnpgn.exe
2340	Dopigd32.exe
400	Dfknkg32.exe
2736	Dhkjej32.exe
2712	Daconoae.exe
4188	Dkkcge32.exe
2704	Daekdooc.exe
1836	Dddhpjof.exe
5080	Dhocqigp.exe
1252	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Amddjegd.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Pkejdahi.dll	Ajckij32.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Anfmjhmd.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Ldfgeigq.dll	Aepefb32.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Abkobg32.dll	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Chcddk32.exe
File created	C:\Windows\SysWOW64\Qoqbfpfe.dll	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Maghgl32.dll	Amddjegd.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Bcjlcn32.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Ajhddjfn.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Acqimo32.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Aqncedbp.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Hjjdjk32.dll	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Amgapeea.exe	Ajhddjfn.exe
File opened for modification	C:\Windows\SysWOW64\Acqimo32.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Mbpfgbfp.dll	Agglboim.exe
File opened for modification	C:\Windows\SysWOW64\Acnlgp32.exe	Amddjegd.exe
File created	C:\Windows\SysWOW64\Oicmfmok.dll	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Kmfiloih.dll	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Dfknkg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2284	1252	WerFault.exe	121

System Location Discovery: System Language Discovery 1 TTPs 41 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1de476805c5fe16ee4c470efaaaf2fada28bb2b2cbf0f6b22d714225dba2fb9bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	1de476805c5fe16ee4c470efaaaf2fada28bb2b2cbf0f6b22d714225dba2fb9bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbejge32.dll"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglncdoj.dll"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoqbfpfe.dll"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpfgbfp.dll"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjdjk32.dll"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	1de476805c5fe16ee4c470efaaaf2fada28bb2b2cbf0f6b22d714225dba2fb9bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	1de476805c5fe16ee4c470efaaaf2fada28bb2b2cbf0f6b22d714225dba2fb9bN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	1de476805c5fe16ee4c470efaaaf2fada28bb2b2cbf0f6b22d714225dba2fb9bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cnkplejl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 3612	2356	1de476805c5fe16ee4c470efaaaf2fada28bb2b2cbf0f6b22d714225dba2fb9bN.exe	82
PID 2356 wrote to memory of 3612	2356	1de476805c5fe16ee4c470efaaaf2fada28bb2b2cbf0f6b22d714225dba2fb9bN.exe	82
PID 2356 wrote to memory of 3612	2356	1de476805c5fe16ee4c470efaaaf2fada28bb2b2cbf0f6b22d714225dba2fb9bN.exe	82
PID 3612 wrote to memory of 4168	3612	Adgbpc32.exe	83
PID 3612 wrote to memory of 4168	3612	Adgbpc32.exe	83
PID 3612 wrote to memory of 4168	3612	Adgbpc32.exe	83
PID 4168 wrote to memory of 2728	4168	Ajckij32.exe	84
PID 4168 wrote to memory of 2728	4168	Ajckij32.exe	84
PID 4168 wrote to memory of 2728	4168	Ajckij32.exe	84
PID 2728 wrote to memory of 4696	2728	Aqncedbp.exe	85
PID 2728 wrote to memory of 4696	2728	Aqncedbp.exe	85
PID 2728 wrote to memory of 4696	2728	Aqncedbp.exe	85
PID 4696 wrote to memory of 4212	4696	Agglboim.exe	86
PID 4696 wrote to memory of 4212	4696	Agglboim.exe	86
PID 4696 wrote to memory of 4212	4696	Agglboim.exe	86
PID 4212 wrote to memory of 2984	4212	Amddjegd.exe	87
PID 4212 wrote to memory of 2984	4212	Amddjegd.exe	87
PID 4212 wrote to memory of 2984	4212	Amddjegd.exe	87
PID 2984 wrote to memory of 2604	2984	Acnlgp32.exe	88
PID 2984 wrote to memory of 2604	2984	Acnlgp32.exe	88
PID 2984 wrote to memory of 2604	2984	Acnlgp32.exe	88
PID 2604 wrote to memory of 4928	2604	Ajhddjfn.exe	89
PID 2604 wrote to memory of 4928	2604	Ajhddjfn.exe	89
PID 2604 wrote to memory of 4928	2604	Ajhddjfn.exe	89
PID 4928 wrote to memory of 2760	4928	Amgapeea.exe	90
PID 4928 wrote to memory of 2760	4928	Amgapeea.exe	90
PID 4928 wrote to memory of 2760	4928	Amgapeea.exe	90
PID 2760 wrote to memory of 1696	2760	Acqimo32.exe	91
PID 2760 wrote to memory of 1696	2760	Acqimo32.exe	91
PID 2760 wrote to memory of 1696	2760	Acqimo32.exe	91
PID 1696 wrote to memory of 532	1696	Anfmjhmd.exe	92
PID 1696 wrote to memory of 532	1696	Anfmjhmd.exe	92
PID 1696 wrote to memory of 532	1696	Anfmjhmd.exe	92
PID 532 wrote to memory of 1892	532	Aepefb32.exe	93
PID 532 wrote to memory of 1892	532	Aepefb32.exe	93
PID 532 wrote to memory of 1892	532	Aepefb32.exe	93
PID 1892 wrote to memory of 3928	1892	Bjmnoi32.exe	94
PID 1892 wrote to memory of 3928	1892	Bjmnoi32.exe	94
PID 1892 wrote to memory of 3928	1892	Bjmnoi32.exe	94
PID 3928 wrote to memory of 4564	3928	Bagflcje.exe	95
PID 3928 wrote to memory of 4564	3928	Bagflcje.exe	95
PID 3928 wrote to memory of 4564	3928	Bagflcje.exe	95
PID 4564 wrote to memory of 1764	4564	Bjokdipf.exe	96
PID 4564 wrote to memory of 1764	4564	Bjokdipf.exe	96
PID 4564 wrote to memory of 1764	4564	Bjokdipf.exe	96
PID 1764 wrote to memory of 3304	1764	Bchomn32.exe	97
PID 1764 wrote to memory of 3304	1764	Bchomn32.exe	97
PID 1764 wrote to memory of 3304	1764	Bchomn32.exe	97
PID 3304 wrote to memory of 3588	3304	Bffkij32.exe	98
PID 3304 wrote to memory of 3588	3304	Bffkij32.exe	98
PID 3304 wrote to memory of 3588	3304	Bffkij32.exe	98
PID 3588 wrote to memory of 4832	3588	Bmpcfdmg.exe	99
PID 3588 wrote to memory of 4832	3588	Bmpcfdmg.exe	99
PID 3588 wrote to memory of 4832	3588	Bmpcfdmg.exe	99
PID 4832 wrote to memory of 3960	4832	Bcjlcn32.exe	100
PID 4832 wrote to memory of 3960	4832	Bcjlcn32.exe	100
PID 4832 wrote to memory of 3960	4832	Bcjlcn32.exe	100
PID 3960 wrote to memory of 3468	3960	Bfhhoi32.exe	101
PID 3960 wrote to memory of 3468	3960	Bfhhoi32.exe	101
PID 3960 wrote to memory of 3468	3960	Bfhhoi32.exe	101
PID 3468 wrote to memory of 4032	3468	Bnpppgdj.exe	102
PID 3468 wrote to memory of 4032	3468	Bnpppgdj.exe	102
PID 3468 wrote to memory of 4032	3468	Bnpppgdj.exe	102
PID 4032 wrote to memory of 1428	4032	Bjfaeh32.exe	103

C:\Users\Admin\AppData\Local\Temp\1de476805c5fe16ee4c470efaaaf2fada28bb2b2cbf0f6b22d714225dba2fb9bN.exe
"C:\Users\Admin\AppData\Local\Temp\1de476805c5fe16ee4c470efaaaf2fada28bb2b2cbf0f6b22d714225dba2fb9bN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Windows\SysWOW64\Adgbpc32.exe
  C:\Windows\system32\Adgbpc32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3612
- - C:\Windows\SysWOW64\Ajckij32.exe
    C:\Windows\system32\Ajckij32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4168
  - - C:\Windows\SysWOW64\Aqncedbp.exe
      C:\Windows\system32\Aqncedbp.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2728
    - - C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4696
      - C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4212
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:532
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3304
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3960
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3468
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1428
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4756
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3208
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:880
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4324
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:372
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:400
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2736
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2712
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4188
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2704
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1836
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1252
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 404
        42⤵
        Program crash
        
        PID:2284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1252 -ip 1252
1⤵
PID:1516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
80KB

MD5
32ccee439e8e620123c601d7f9f8f1d5

SHA1
6b9d0df0692e48bbde60c3b28164ee7909ea6e3e

SHA256
706f69a43614395e40f80d7691d813945adaf9cc70d89d0ba7f3f5fc1e7019a1

SHA512
4f1e58043c5b9653fe66269491f0e365abfd99c64477f7662dd915d0fca228486a526007ff2d2a282f836716b4d48013817e44bbcdfd41218c9f4607564d00fc

Download Submit
C:\Windows\SysWOW64\Acqimo32.exe

Filesize
80KB

MD5
d0dbddc181e83e0b09a009303fb2e60e

SHA1
d25876e6e04118b123635677b1ae1f0b2f210684

SHA256
410ee1370413fa1db6a3207b38185e15ced7871ff9b92f0bf61441c25bdd99f1

SHA512
b1ccc8864e1231e49e9fc96603cc48c2d33f330321b448501aa64e67e8fbbf812291e9ee203b14815455f90310caca72a0a07a2d4093f1db9beb31bda9a15a1b

Download Submit
C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
80KB

MD5
1bd4f3492f0d6a6eedfba35d1efc2030

SHA1
d0f713102a70a629d5c12690a4cebc3bd27eaedc

SHA256
ab6f4622b47911f79a8e1f96b2ceb492cfe5ce018bcb3ae91e9a8130c5cabd11

SHA512
ff978639a54187e5c6a0bb6b88c9e3a30059a349f8dc9aaef5042be662534ea1658e2a5b7f81af45e5402d3b994341ede26fe1edf47e49053b45bec4eac54b59

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
80KB

MD5
e972640ee3ff5c75058a02eadb016121

SHA1
53de31225e9b62d3b6e9ac09a1e3c3aa80c9ad9b

SHA256
10832c3c749693b4b5e1baf4a119ed09e60b3b68b04ac01c7ddfa649fd7f09e7

SHA512
a382ed5b48e7d981467e851a18c8259be85aaf5a5828d940a3c46ac4820d4ddcf5a5e822927e7d21e0359fe1cc1acd0dc3866523afab97880ed09d87bdfc7d10

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
80KB

MD5
f937abd77133f68abe70ce55198f15f4

SHA1
873de903061dd21568437401d85be9f606bc7512

SHA256
092d5ebf87d3789b2e1792482647d212034c107dfe312bc15dc0c0f995e9044c

SHA512
4c474fc968a357d159c7862a0886dbbed1082a33389ae0dff1490f3d1887e73413274183d2b288e1a28fa6f8cf0d3990990e9d0c36b750cb18522448a9d86eee

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
80KB

MD5
50014ae6ed8a4e47a990f4c15810175a

SHA1
3231da609c82c54237610becbb23d0f1812a726b

SHA256
52cdcc997dc568d1ca6c9fc40065c13223bc03e55e9f4917cb39106b54550362

SHA512
36650ad29a6a1d7b4c06720ceca9e1adb285da0ec092375f4020a975da9b44e9fdd72279dc8f3c9de58e0b2516c51fa1310d2b997210af705d6f9aa5e8d2030a

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
80KB

MD5
48163557a6536c337f525bd878d4abb5

SHA1
89109a0cc74582dd21d04aa76fdc823343422420

SHA256
b8f60789547b3105878afd5b4e57d4ea26bca361bf5e2a7e99cbaac9c62ee37d

SHA512
2b6650af8b20dc00ff582e8d678430fe01facc0b4579378dbda663b0bc91dbee14d3e95b29a8b49696606affef3369ad21da43632e68811d7fc7ed15e987e5b4

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
80KB

MD5
e2976ff23ada88524158d51add8e7f7e

SHA1
d12536f1e21d8730d7b0a0ae1b29c22f81ac2500

SHA256
629cbb075baa43f17cb46cead197dcd9db87b84eb305c86fc9983c302c95c751

SHA512
8bb41d5b3b9678ac762826e11a436aab118cf70b47a785a9927bf524e143c5acf10e75633292715e5d8d7a7a268f9430da2368380efd6de58f3b8b1571d70dc8

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
80KB

MD5
e6aded76299536592ccbe8447bcd5ea5

SHA1
12f3e655ff2cca7a17d505eb39f89c2fe3dac250

SHA256
f72fe877cd72776b841745a4cbcac37594efa97b0048106b64c128a5937257d5

SHA512
3d5dd948d15f13727d80dc4557e9319a180025ac766f58c6ec411372ee4ee6e807eee7c96e12026c9899d36f7c357a6e1e914036887aa5d792b5209bc4375487

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
80KB

MD5
f83709761071e98a34609ba23ba73234

SHA1
db2dbbd3ea4987d76be90e01398e4c29c46c8344

SHA256
75029ce8b8e6f6032db1ccb4f3cbc8d4dd39df94a37d4d5f8b8bea96ddc1c9e0

SHA512
71124da0967e983d00d1cb42e492cc242f0802c47da888f7a6520dbf756c34319ab03f7b0db5d44d1886f0f3f80ef5428ee88ac42d6cd085b7a6ed0e5d3c3d1c

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
80KB

MD5
3a28ec4e4b15e401619831fba2a7e4a9

SHA1
47fac0f7df150aea35b3af54f3bada4f4e660fd0

SHA256
c6aa457a3ec45f1b70a7aa1be7ce0f06499f874bbdec157bd4b577121c483b69

SHA512
9f020444d3f8f4bf3e5e6fa756012ad7242d0c84cbfd47084fd0d74357fe4456bf91884b3511aac04dcc832d4ca5e7dec611fe4e119f2ca9d56c315be9137e64

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
80KB

MD5
5dcb055e8fa66863c6d0840ab0b7e08b

SHA1
8b710934f321ca2b1aea28a20c66ce120d27b9f3

SHA256
d8fc1530de510379093016391d96205f3ecf41bb1f7040c81e75a5ed926a579e

SHA512
0c439c964ff2555d40bf0093ce443f9901e834396941cc5e0ab3563c319c61f882a83e2c005a234f00278cd3b28d8ee11ab4fed270943c415fd68f11f77659d8

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
80KB

MD5
0f4ea7a11ab8b102c20099e35ae10a6c

SHA1
90dd19690c1fbf591b219e2f95aac05181b5fbec

SHA256
7d235a6f1bd9b7bc949f1fdd25c75634438e6acb6f4918433be07c9e9132bfc1

SHA512
18af286a71e394bdd2782b9859579c1ddc8a652675798627cd64f6e8fbebb526d92a46459aa25c957f042ba6df397eace293108c2e877d40c55f657eba09c8e9

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
80KB

MD5
fe747be0668d2f8a51dc62a2293b5084

SHA1
523cd04942470a0a1173473a2e7f0fc3957396b8

SHA256
786b10a7889b7ca69376daa6829a6e948d81fcff3499ae59b2c39e8424d60bdd

SHA512
4618a93f5274f5e0e7e91dadabe6fa508f43ec49140d4dcf5030046a1ca8c5cd8980c1f17b2ad4f942ffc93a7cf5a686314fdb2f8cfe0632de1880bf96a271b1

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
80KB

MD5
ce7b0f3896c973d0b3e79c405916b46b

SHA1
66afd5d548477203a5708876fba5b034995dcfcd

SHA256
6a489f4fa18bc74e2556b6b0c44076ea5b2492425698c76a03e1337679b8eaf4

SHA512
94c9bb88a476e08c8d681aaaf4b6448a7129c247dacefa8b4b429b9b50b260134b97597e4624d6e1a28df6827864fa135e34eac5992e9ea807725733b0fbfbc8

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
80KB

MD5
d9b5b0bc206765b547c79fea572bbc0c

SHA1
ff5bfcf39a1328ead6312304488db6f7fd166b6a

SHA256
c256fce3fcaed9c1dde5683972420a7034ed0e0f351abcec8b0b0f73479bf183

SHA512
0dae049e1caea0d3645d8791989ad0f154dffe16417c1621cb647b94fef82dec35be26dcdbf63a676096bf78b4304fe24d912863fd86ea43b993b7bc35ad84b7

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
80KB

MD5
9692985e9d95afb053b748e6e745a6f2

SHA1
c803565441e6e867a0d22f8a2531c5f7c0f6e39b

SHA256
2f54ac2e0a4ccb48c9f8d185b7f993f7190e27679ef7fe9ada05a8a1d4c5f002

SHA512
189e1382f68a4a081e42ec0638fcbca29703b93d34687a3372184cb70c21706fc45e832d550535e226f3ab19a1534d26178161cacd8c4ab2d2b41d1a4077b80e

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
80KB

MD5
ee664fdfeda8dc6f1abb3fbe0c9bd575

SHA1
f612a07fe2d926821539abc2d4fe01905f1688f5

SHA256
f19cbf3f7f7f4be4a3bf2f933039afb1f0c96cd8e8e27ce323a8e3f0f109ced9

SHA512
2ba58b34a1d9cf2a717217bac7954c4429e5dde13f76f30383618aabd0d80b8fdba35e7301f5cdc27fc4863c7db55f1c9b3ab2cace8a362d90451ee65dab8b8c

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
80KB

MD5
b506baa64bff1f64a020d631ce06b712

SHA1
db50b3b1209f51c74e4d5d4db35193959c9d41e6

SHA256
94640d32591dd6d5e837a8305f337f9f4d34ded1950268d0c04b642c362e0c96

SHA512
baadcf8faaf325985a94e427049a92949efb78ac771cf256edc7e715f188909abf50b74affe7343911862b1059c434accc77d58f242229d9ce99488cc006c0e1

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
80KB

MD5
1d794eb3e55ead753efb05c00830dd5f

SHA1
e59fdc272e796348f04ae408659bdb3011e23730

SHA256
831d54f0f2c81a1b3a982d02ba589e86129bb0d94f86c7980df342a959e501ca

SHA512
9f255954783a9f03d5a4f51d6b9ec1089725941a5c29770ff9872e1bc9fe09d0d4b28eb4c304d5c1df932d86dc18e56c14cf5ba8d700149c538b83c6241b620c

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
80KB

MD5
3294745ceba1d8d5a4e6ed0f2d736e79

SHA1
5b168a643d81837952e54e28a16214977b50e779

SHA256
bb5760c7164439b6d54d15218806c87da3a994fbfb332564417d7ba2d96ad0e3

SHA512
2723e25e8e61bf3972a33669bb74d1609c64d940634fdc2dee615f3e8d7c63811957a088a66b0b28bd64bd47d8464cb9ea4d2302c60ad6d4b0eac158aec80fb1

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
80KB

MD5
373c4e64ae929633da4339ece32ce200

SHA1
2d91252caec98ef8a7e5e5756ebd0166bf081c1e

SHA256
a0d79765ac07c60d3808338a65b932823ce4790aa82a77380c252484ea0f2c56

SHA512
3655108e1e060996a0aa70f3ca6ce153970f18b9da28559595181158cea1981cb50658626f48c935141cc3659e165e6541cdd6e68b02f639300824917b954dbf

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
80KB

MD5
df387f08c1758c3e24405e9bb6fd8981

SHA1
2e235b9f1f70d92bd782d6d4d966b8420ee9e19b

SHA256
c4483c6ada3303bd26635f671b1b5455f1d10e63f90c8f2f297b722361ad71d5

SHA512
aa90d19560a33492660c684361d2deae7ac83d7ffc8856e680503e004f86702dda31c1b560aa1f66b20f9343e8aab34b0ce5c0b5fa0ded3be50c318bf6f8d57e

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
80KB

MD5
d3841135e5f3a171d344ee68f27e6735

SHA1
40e47350077f189f55a7238822fd3eb94740da89

SHA256
b85e407479ef13a24d2ebd18457e711026e0926bd413e5ab2dc49a672f927d78

SHA512
b4e0baf07ceb9bc42af3dfb62a0020a8d00f8247e5c924601c75966d56619c07485bb06a2dcb745b86351b991c955d47028b3a04c665ea5d66dcf990d2b18201

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
80KB

MD5
7b8290ec03c86ffb3a043261b6dd594d

SHA1
10263ca3c39c4cfbd54490a2a015aaf384a11c39

SHA256
dbbca6269473b49c5d7f8325e8d2dfe1c756f430c9f072f2270ffdaa0bf65ade

SHA512
0d3240384e37a988a2d3804f7792e1c40d62242916a4fefcc5bf7c1ad3ed5caed7b2d22120e9e53b8b309b913fa7d0ad70d9fd2bbbf2781af88404cd876faffc

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
80KB

MD5
01bd1bb8d97cab9cabae270dcf85f9ce

SHA1
3670ce73080c4403d7fc5804ca6f61f568b740e1

SHA256
a5556c17a34c4ec41fc99f6a5ab50c6b239eae440cc7b1eed75600dcf6730ae9

SHA512
44c31a54eee04609c6cefbcab4bc0de5a591340a3b45b48a42beee559a09b6770f35bd01d4955a8921cfa2a53b30cfaf0480a5407645b2801713737209931c50

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
80KB

MD5
389c8a51e55e69b435318d5728ffd2a3

SHA1
a89941c14259361e6fe1c17d329ace0611deb4bf

SHA256
3d6ecb81bdccd9efcca1ee9f02c1660f884486a49ff8f138c2b9d2eec926ca72

SHA512
ec8e269800e8556fd2033ce4ce953a3766c16641919be399fc1da94876cfa4d2061abb29a680614bbef6e8e29cc135a778117a6b23cf2df33991f125bd47873a

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
80KB

MD5
d6547c684290ec4f247387cea255aa6a

SHA1
ba71b712d3f4094fa6abc8e1c7837125c139ddb8

SHA256
61456b534fee781664b4336b840412b6afd3dfabedded1e83be3025af3aa3cb7

SHA512
bffaf99463c932e8def23baec3e79349a4b0e017233186dba88e37299dc49044909fc688544ad2c08ea5501d13d72c051029da006127e4c3200693500f66d616

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
80KB

MD5
75c246717b33736725fb0db09600bf42

SHA1
c1f4030863dbf741ccf4cdd38f9832a9ac16b541

SHA256
1d0f9e581774937c9468c101e3f995d82632ac74a399ccc3e989bc1e7862ec16

SHA512
5e02e0eeb7a017d69fded212b53ea7f0f3064bcd7a6bb8e9daded5f4d9649f7a6efa27c1a82b623110eaa5c03711031802f2524498634ba7dfe5c7d3815576d7

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
80KB

MD5
89de1afdbf3e359b30c3de0d6884fc78

SHA1
7eb99d8e86fad6f2e3a7f5f96f622229ae1ae3ce

SHA256
dae1a4db11cf97afffc4849eed2b47946dba8ac1b636dd71091fcf50437d3a3d

SHA512
e621523186f2eefdbec0d85923b4da20f18a0edb203980538c5470371c4a46da4756d50825b384afccdf6e4e7dc08038aa704cd8bd3c36dc00aa3f5a5137cec5

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
80KB

MD5
729445a301359eefaebefe94cffbd766

SHA1
eae9a022f1fa242ba9571acc42a39d4659276497

SHA256
a032f2c56453e0cbf45560576370e45740d8570179e57c918260ca6794ea5d07

SHA512
f8ea33197d16b1da35f73886638ffa37f229a3dd1fc611a23a9917415362595d0e43d6ae037f3eb7b22155b9c0ab28e573e6ec535d2b4757b0ccdb7cda5a8416

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
80KB

MD5
4c774a5476fbca5a17faacaf5160e4c8

SHA1
5cc57216b949dfd24cb9ff5175dba0b78ac47cce

SHA256
aa1b4b9199e816639d1bd9cc806e99cdc0a60787f8ff2bd105e6b7a875d44e67

SHA512
7565e2a9e09aba9e754461f8fe7a88fa3ea687673edb16db7488cdca24d036367ffb8ecd9a6a9cdf0843974d1f9c6cc3b48bff7b80f9a07b4db365b7e5aa4868

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
80KB

MD5
8b8d5eb61c60ce50645ae82da6220a4a

SHA1
49e365d1249c2355adcb08665654a61b6576534f

SHA256
e35ffdb536640e7df79945460a8ae9aa96839fae8a91333afc352abfd52c35e8

SHA512
bd816d376a6c9df5db5359003a17247481e3174804ec52ac9670ecaa193ecc4323560b071f3d273a43c16c0a65ae155e176e6e54e2844ec259f2f5588da0c800

Download Submit
memory/372-270-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/372-339-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/400-286-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/400-344-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/532-91-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/532-180-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/880-251-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/880-327-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1252-335-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1348-243-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1348-320-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1428-190-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1428-277-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1508-306-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1508-225-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1696-171-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1696-82-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1764-127-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1764-215-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1836-337-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1836-321-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1892-189-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1892-100-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2324-292-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2324-207-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2340-343-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2340-278-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2356-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2356-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2356-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2600-198-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2600-285-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2604-56-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2604-144-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2704-314-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2704-338-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2712-300-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2712-341-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2728-24-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2728-107-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2736-342-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2736-293-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2760-74-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2760-167-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2984-134-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2984-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3208-234-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3208-313-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3304-224-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3304-135-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3468-259-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3468-172-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3588-233-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3588-148-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3612-89-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3612-8-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3928-197-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3928-108-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3960-168-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4032-181-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4032-268-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4168-98-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4168-16-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4188-307-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4188-340-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4212-126-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4212-40-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4324-260-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4324-334-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4564-206-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4564-117-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4696-116-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4696-33-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4756-216-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4756-299-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4832-242-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4832-153-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4928-152-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4928-64-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5080-328-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5080-336-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads