132de43bf8a8e7a33a2c7c5a47db95014c66a570ff1924816c58fd3dd6a9c170

Analysis

max time kernel
106s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2024 03:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

132de43bf8a8e7a33a2c7c5a47db95014c66a570ff1924816c58fd3dd6a9c170N.exe
Size

443KB
MD5

fbcc862c4d0857955f2dd4471f221050
SHA1

aa2bf96aa25e8e65dc2ca73af5fd8dc352ec0ace
SHA256

132de43bf8a8e7a33a2c7c5a47db95014c66a570ff1924816c58fd3dd6a9c170
SHA512

3c9e243c9ba279d05532c64ad05445d3f2073e6dfba9243089a82c128d5f2e3647a9204603de75fa872d55eeb4f301a48aae3a27376899b9f6590d71d250f252
SSDEEP

6144:gRUJKSw67+U97zeXmRL13n4GAI13n4GAvs0PEpNF0pNO021fv13n4GA3uKjwsze+:gR5SwWf1J1HJ1Uj+HiPj

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe

Executes dropped EXE 64 IoCs

pid	Process
2120	Bmkjkd32.exe
1804	Bebblb32.exe
1784	Bganhm32.exe
1304	Bfdodjhm.exe
4312	Bjokdipf.exe
1920	Bnkgeg32.exe
3456	Baicac32.exe
4516	Bchomn32.exe
208	Bgcknmop.exe
2064	Bffkij32.exe
4640	Bjagjhnc.exe
1732	Bnmcjg32.exe
4408	Bmpcfdmg.exe
1712	Beglgani.exe
1288	Bcjlcn32.exe
4000	Bgehcmmm.exe
3256	Bfhhoi32.exe
3928	Bjddphlq.exe
2376	Bmbplc32.exe
1120	Banllbdn.exe
4792	Bclhhnca.exe
1672	Bhhdil32.exe
336	Bfkedibe.exe
4872	Bjfaeh32.exe
2508	Bnbmefbg.exe
4840	Belebq32.exe
4712	Bcoenmao.exe
4656	Chjaol32.exe
3316	Cjinkg32.exe
1364	Cndikf32.exe
4048	Cmgjgcgo.exe
4388	Cabfga32.exe
2416	Cdabcm32.exe
3148	Chmndlge.exe
4268	Cjkjpgfi.exe
1480	Cnffqf32.exe
5012	Caebma32.exe
864	Ceqnmpfo.exe
4364	Chokikeb.exe
2928	Cjmgfgdf.exe
4444	Cnicfe32.exe
2136	Cmlcbbcj.exe
4380	Ceckcp32.exe
2124	Cdfkolkf.exe
912	Cfdhkhjj.exe
2568	Cjpckf32.exe
4988	Cnkplejl.exe
2404	Cajlhqjp.exe
1068	Ceehho32.exe
4948	Cdhhdlid.exe
4744	Chcddk32.exe
2152	Cffdpghg.exe
2580	Cjbpaf32.exe
1412	Cmqmma32.exe
4736	Calhnpgn.exe
4384	Cegdnopg.exe
1856	Ddjejl32.exe
1892	Dfiafg32.exe
3920	Djdmffnn.exe
4484	Dopigd32.exe
2848	Danecp32.exe
3232	Dejacond.exe
3988	Ddmaok32.exe
4776	Dfknkg32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Kbejge32.dll	Baicac32.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bebblb32.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Baicac32.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File opened for modification	C:\Windows\SysWOW64\Bnmcjg32.exe	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Akichh32.dll	Bchomn32.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Cdlgno32.dll	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Doilmc32.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Bfdodjhm.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Akmfnc32.dll	132de43bf8a8e7a33a2c7c5a47db95014c66a570ff1924816c58fd3dd6a9c170N.exe

Program crash 1 IoCs

pid	pid_target	Process
5548	5468	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	132de43bf8a8e7a33a2c7c5a47db95014c66a570ff1924816c58fd3dd6a9c170N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneljh32.dll"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbejge32.dll"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	132de43bf8a8e7a33a2c7c5a47db95014c66a570ff1924816c58fd3dd6a9c170N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjokdipf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 696 wrote to memory of 2120	696	132de43bf8a8e7a33a2c7c5a47db95014c66a570ff1924816c58fd3dd6a9c170N.exe	82
PID 696 wrote to memory of 2120	696	132de43bf8a8e7a33a2c7c5a47db95014c66a570ff1924816c58fd3dd6a9c170N.exe	82
PID 696 wrote to memory of 2120	696	132de43bf8a8e7a33a2c7c5a47db95014c66a570ff1924816c58fd3dd6a9c170N.exe	82
PID 2120 wrote to memory of 1804	2120	Bmkjkd32.exe	83
PID 2120 wrote to memory of 1804	2120	Bmkjkd32.exe	83
PID 2120 wrote to memory of 1804	2120	Bmkjkd32.exe	83
PID 1804 wrote to memory of 1784	1804	Bebblb32.exe	84
PID 1804 wrote to memory of 1784	1804	Bebblb32.exe	84
PID 1804 wrote to memory of 1784	1804	Bebblb32.exe	84
PID 1784 wrote to memory of 1304	1784	Bganhm32.exe	85
PID 1784 wrote to memory of 1304	1784	Bganhm32.exe	85
PID 1784 wrote to memory of 1304	1784	Bganhm32.exe	85
PID 1304 wrote to memory of 4312	1304	Bfdodjhm.exe	86
PID 1304 wrote to memory of 4312	1304	Bfdodjhm.exe	86
PID 1304 wrote to memory of 4312	1304	Bfdodjhm.exe	86
PID 4312 wrote to memory of 1920	4312	Bjokdipf.exe	87
PID 4312 wrote to memory of 1920	4312	Bjokdipf.exe	87
PID 4312 wrote to memory of 1920	4312	Bjokdipf.exe	87
PID 1920 wrote to memory of 3456	1920	Bnkgeg32.exe	88
PID 1920 wrote to memory of 3456	1920	Bnkgeg32.exe	88
PID 1920 wrote to memory of 3456	1920	Bnkgeg32.exe	88
PID 3456 wrote to memory of 4516	3456	Baicac32.exe	89
PID 3456 wrote to memory of 4516	3456	Baicac32.exe	89
PID 3456 wrote to memory of 4516	3456	Baicac32.exe	89
PID 4516 wrote to memory of 208	4516	Bchomn32.exe	90
PID 4516 wrote to memory of 208	4516	Bchomn32.exe	90
PID 4516 wrote to memory of 208	4516	Bchomn32.exe	90
PID 208 wrote to memory of 2064	208	Bgcknmop.exe	91
PID 208 wrote to memory of 2064	208	Bgcknmop.exe	91
PID 208 wrote to memory of 2064	208	Bgcknmop.exe	91
PID 2064 wrote to memory of 4640	2064	Bffkij32.exe	92
PID 2064 wrote to memory of 4640	2064	Bffkij32.exe	92
PID 2064 wrote to memory of 4640	2064	Bffkij32.exe	92
PID 4640 wrote to memory of 1732	4640	Bjagjhnc.exe	93
PID 4640 wrote to memory of 1732	4640	Bjagjhnc.exe	93
PID 4640 wrote to memory of 1732	4640	Bjagjhnc.exe	93
PID 1732 wrote to memory of 4408	1732	Bnmcjg32.exe	94
PID 1732 wrote to memory of 4408	1732	Bnmcjg32.exe	94
PID 1732 wrote to memory of 4408	1732	Bnmcjg32.exe	94
PID 4408 wrote to memory of 1712	4408	Bmpcfdmg.exe	95
PID 4408 wrote to memory of 1712	4408	Bmpcfdmg.exe	95
PID 4408 wrote to memory of 1712	4408	Bmpcfdmg.exe	95
PID 1712 wrote to memory of 1288	1712	Beglgani.exe	96
PID 1712 wrote to memory of 1288	1712	Beglgani.exe	96
PID 1712 wrote to memory of 1288	1712	Beglgani.exe	96
PID 1288 wrote to memory of 4000	1288	Bcjlcn32.exe	97
PID 1288 wrote to memory of 4000	1288	Bcjlcn32.exe	97
PID 1288 wrote to memory of 4000	1288	Bcjlcn32.exe	97
PID 4000 wrote to memory of 3256	4000	Bgehcmmm.exe	98
PID 4000 wrote to memory of 3256	4000	Bgehcmmm.exe	98
PID 4000 wrote to memory of 3256	4000	Bgehcmmm.exe	98
PID 3256 wrote to memory of 3928	3256	Bfhhoi32.exe	99
PID 3256 wrote to memory of 3928	3256	Bfhhoi32.exe	99
PID 3256 wrote to memory of 3928	3256	Bfhhoi32.exe	99
PID 3928 wrote to memory of 2376	3928	Bjddphlq.exe	100
PID 3928 wrote to memory of 2376	3928	Bjddphlq.exe	100
PID 3928 wrote to memory of 2376	3928	Bjddphlq.exe	100
PID 2376 wrote to memory of 1120	2376	Bmbplc32.exe	101
PID 2376 wrote to memory of 1120	2376	Bmbplc32.exe	101
PID 2376 wrote to memory of 1120	2376	Bmbplc32.exe	101
PID 1120 wrote to memory of 4792	1120	Banllbdn.exe	102
PID 1120 wrote to memory of 4792	1120	Banllbdn.exe	102
PID 1120 wrote to memory of 4792	1120	Banllbdn.exe	102
PID 4792 wrote to memory of 1672	4792	Bclhhnca.exe	103

C:\Users\Admin\AppData\Local\Temp\132de43bf8a8e7a33a2c7c5a47db95014c66a570ff1924816c58fd3dd6a9c170N.exe
"C:\Users\Admin\AppData\Local\Temp\132de43bf8a8e7a33a2c7c5a47db95014c66a570ff1924816c58fd3dd6a9c170N.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:696
- C:\Windows\SysWOW64\Bmkjkd32.exe
  C:\Windows\system32\Bmkjkd32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Windows\SysWOW64\Bebblb32.exe
    C:\Windows\system32\Bebblb32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1804
  - - C:\Windows\SysWOW64\Bganhm32.exe
      C:\Windows\system32\Bganhm32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1784
    - - C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1304
      - C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3456
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:208
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4408
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4000
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3256
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1120
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:336
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4872
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4840
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4712
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4656
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3316
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        31⤵
        Executes dropped EXE
        
        PID:1364
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4048
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4388
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2416
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3148
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4268
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:864
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4364
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2928
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4444
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2136
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4380
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:912
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2568
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4988
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1068
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4948
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4744
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2152
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1412
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4736
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4384
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1892
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3920
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4484
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2848
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3988
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4776
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        66⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1780
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2536
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        69⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:844
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3164
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:1464
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1268
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        76⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3852
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5216
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5248
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        82⤵
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5396
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:5468
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5468 -s 396
        88⤵
        Program crash
        
        PID:5548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5468 -ip 5468
1⤵
PID:5524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Baicac32.exe

Filesize
443KB

MD5
4c661a64e214ea43a7a9c29c08796f31

SHA1
301c852b3039a52711ef676fe962c84c7ed38b5c

SHA256
55e741147f08e8bad7c6bf60adeca6819b86de72bc7c4ac406c38bcf8d316557

SHA512
26eed9b32570c8897951633839a4ebc2373c2798571ef4f10ef71c7d2ce0e702975cbff456073ae70bc874b13dca624ea0e48d80d30a314653eda45630e03aab

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
443KB

MD5
31186e34d288a84f236d5883f41722f1

SHA1
b2f2199f8664fed48abee9a004fbacb36bf03f54

SHA256
bc796b7c7ed75e1b5a56a8880e21daea20b46d38408901b386b4bb8e7779e7ab

SHA512
43b97c5c7f919c8b13b67cd66afcbb72edc97984e0ec56807c9061023b5fcbcf77531df2170292d536a00e05382050b8dc088868a4429375d2fba36665cb1069

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
443KB

MD5
9593631ef772605310481fad7c55dfca

SHA1
29afc1023885b59ea1193c583bde810492bd8849

SHA256
67264ad51726923945c51665cecf13874b5b4490a1f8e5f8d14acff16efe60eb

SHA512
31ce856acdb6f8afb823055a643ecdc2605b62f131c9b47cdb02b6b9ea25055c773d15a61a7b867e804cbf9c28fa8b6f02c0e21c681377109b9041cfcb21f7ad

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
443KB

MD5
0c20c585942da1f52514c7c380077d58

SHA1
0fdb4ce1abfbb5a8e9aedfbe84e0895edd6c8881

SHA256
cd8aa73ab90fd075bea3ac7bbcc241d9cc5eb8236b8aacd9c7f0f976b582f2cf

SHA512
edd9f3ab4815bc0543ba821c17a99b3b5f43ca2b2b713246a9c973780ea5e6df2cb2d85bd4bf89bb03a256c4a0c2430b0987170b7817aeb035527b7a91a48d05

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
443KB

MD5
95ee57c1b35c7655d75632effcef7866

SHA1
f4592e48bd91939b4d247781d9388548f4eb1d20

SHA256
da58c54c14c245760c638706b07352acd05a0ce6a4029362c385804141d007aa

SHA512
ac6a06aa7adf8f43bf8222f62c242acf78faf59457f60b73d0ada146ea1c36c21188ff51a04d2ee412fe36de7916d763e6519b27603ea64e090b088dcb77c9a9

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
443KB

MD5
043388439f1f03fe22f23a471970a2ae

SHA1
7852c1fb1d827c0408b48097b5108d046db38285

SHA256
993ad3ab2111493975e13b2b00a0dc1ad9d50d4efee2d20b4f36adbe3b5066fe

SHA512
afb4269842b60d558a190000f728a8c98ffd9f8059b9f536e3effed9f9afa4e6622f49c1ffee435c4bcaf144838de6b3fd41705337a098c651be08aee70e126b

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
443KB

MD5
27a987903affcb56444e1cb1da411308

SHA1
10afffc69602cef9d1b6ce7209c7da288d0952eb

SHA256
3daec5bc059b6c9b61d98f26bb5df8159171dbc7bb236d7669aeb3f6db1b4bed

SHA512
2f906fd1a3805b78c8103bb8a086bc45b81e499dea1a1c1a8adb61a978f28fc5678100d3ccdb875976b01174921c7e5fdcdfcffec561b2215c6e2cc4c291c879

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
443KB

MD5
149eac51d941da8c48558ebecca5d291

SHA1
1b519ba13459e0ead1220ae65d06d15d0a85579c

SHA256
08c5d34792512bc71ffae7fd5e99b260efb85db910c0f02b37dd1bba08132383

SHA512
557412ae81c7616172a9cf35ab34dbfb1961d733ed86a7176b66873b1f16d166f41b88212491769f570974cd81d48e84259d72b229a080d0036cc978cef61b0d

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
443KB

MD5
4b35b73d098c4ba7c9df82a980b635aa

SHA1
9795442c0c50837a191431fb6e17fa239fe38dd3

SHA256
c3d4d2a0547ec4e7ff680fa327f9fb5df31db8ad15c1219448decf822918c4b4

SHA512
cc7a2086dc85d09c935cee4f5ba7c4f52e8f46a73474d9dbf0f161fcc12b9169562de0d1cc29974f96b8558d18380327f1897a488c477d2047c3cf241809502a

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
443KB

MD5
b2d1ef33be8b37b306752d80ecc537fd

SHA1
83fa2ef1064b02cb599b5b06164f7fa0cbd436da

SHA256
bab6a2b1eec04b8d128825e1695eb8cd3f680d55c5e420f9220e7433e179f1d7

SHA512
af87236bc83bec01b28d74751e17d113a33b9147bcd43c325a21c12f6c56f317400115a77ba1a0cdd86ad53c47d95ff0b53e824127905c6c01357310d11ffbb8

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
443KB

MD5
15dd127d8ab5d1c1d5cac9f432cc84dc

SHA1
42fb58d00ffea4c00f01e1c68f3e310caadc41aa

SHA256
60651aa233468f7ed4d72e09d5fc4cf810a724360c6b944419ce62677d5e8b76

SHA512
7cca3ccae8a6f1039b59935a297d1a17b96641ec161810d4bd54496e1253c6baa1dd4880605ab5ca1996a5233ebb42d8fce3b6b0099f7171a2bce47c2aedae25

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
443KB

MD5
6e0e489dcda5014db6ba950fc093a997

SHA1
fada118e38dd76a356228ac139df78d9aeaaaf8d

SHA256
c5a2a731f1cc4adf96ef5bd82d5cf4524fc16672c0d3822430a225a74faaafa6

SHA512
e5cd49c969260a0de0333ac7e4639923c0a033ca38398bd6a5aec145c0ca3b231c2aa8b6785c8ea319902d1e7c68162d64dbb4f9efcc14995b565177c266910c

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
443KB

MD5
9dae6bdf0adee6b84dbf46223e21fc89

SHA1
358e9969e0aac1af2e2bb6b376f296bb611dcad5

SHA256
1c3193f842cbc409db724ae3a36e70fe89a5fc1df93568fef523b94cd5ae4a8c

SHA512
261b7070da7d0fd75ce0fe31623a59590b44aa218ce594c5853a404b83f46e39dbba3ecb98bcd9a0445ea17d7e56f9d58d1c333f84ac537cf2a10284b839b9bd

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
443KB

MD5
546b51462e36c0d7dfe440d21e3266a3

SHA1
1cfd8842f5067c7edbf8ca5a96356dc3faa47618

SHA256
b39874a949db5a00d0c76b6ab5a83f50026e6a44f847e91e51dc001f47847087

SHA512
f47d18045cf310026a289dee908abb4997eb3cb4b84edf8ade47d8a027ccd75c67b8ae551b7894b80c6af8e82e1ff18ebe4db4949a372e8592b15b05bcad666f

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
443KB

MD5
21d085c5343c2d61927bb1cae07d40f1

SHA1
18776b66fa7b0735bd5695df8a838a273a86e03e

SHA256
ead0d4f5a043bedee0717fb72b74d6f3a89adc16efb6a0928884ca90c9511315

SHA512
3b7ec0ff6ba4aa8634bde010a0bc031841b73cacbbf418ddd4cee8e4f78800917a74ae495a3718976063504635e83bfc8ed9c867bbc7d6d1bff12f19ddb29508

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
443KB

MD5
d77847dfdda9d3681f3b88ac466732f2

SHA1
5c6c092180e516d35a76c450776966e81943a922

SHA256
2e48a2f01ab6375285b3c40e2b77962f9af281fad02b8e541cfff630c7ce307e

SHA512
55a5a3be8d07c1c085640d722c67af18929105a44bc8113ed7c0ba4b875cfee85ee504556ac6af251caab814cd6c350686b30246218d40f8c228f2a56c9d9689

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
443KB

MD5
89b5649a046a7d36b04677eac39ee8ac

SHA1
c8bc6221e6ec97df2e1966e22d4a410c460f4474

SHA256
67765c4a399c7ebb31747d53cc4a9317e1bb185cd9bef49104e3d2d14d92a0ec

SHA512
2349b549901ee30b28283b652ab22819e6ec3f1d9b986da8bfc94ddd26fca7bfd71641236b9975c61eda1d8d76f2e696e70f9d6eb6743305615d8e3016933ae1

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
443KB

MD5
b9cedb24861fc86ea052b01dcf4685e2

SHA1
cec1057c67313bd2e2c8752db58751c70cb6b779

SHA256
18ce1d2e4ec7dfe9a6a2f2945c2333367c328770aed34c9820303c7a536fc9b3

SHA512
094a58cb60ab849663c63a33ffc055459c3904f806368232c357df7b8431b6c5025b3bd4c587a436ff1d57cbccc80219903f34dae4da722a9fa3071d5783e5fe

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
443KB

MD5
45c78c07334625a92fdd2a8186aa4276

SHA1
ee033840cb639aa1d94f9af90c110ed365057f24

SHA256
f49b65e35d9cc8341ac18f0b8489d064d3eb265ba470077ba2af73eceeec3d09

SHA512
f0fac5bca36cd508709d746f961154266cca656eea14ed459308ffaa5b08f868b989b03ff380bcc8a4cd99cd8398d3461f4bbf1f66e734a33f0ab6131d8bea01

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
443KB

MD5
19b955eab5ffd50ac922885939100f80

SHA1
9cdb570218f07f693fdf4e8c4dc54bebaa731fd4

SHA256
a5f0dd92c7694ec7c2e65511f14b50c577fc792e6de602f630cb4d2dc4bdf155

SHA512
08fbcc4253de171d9a0f3f63dfa5ed1dee30cb5e6dd4a098c59c9cd0bd0cfef2ff07272d2245e8a3cb1b434485c34c94be6042170777d9d0748fe57ae76b57ff

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
443KB

MD5
5db9313710f1667087d7ca8dbd4bc99f

SHA1
5bb481e682915c577683dab579b576adecb590d3

SHA256
830639f60dca1e123e0fb06436c9f11c7b984a436c6f87eb17d73733d0532f15

SHA512
1d5f6000b7918815881422d9901e12a4f8bf32e8d59549bf1de0cb07132f3ce65508d7ff2f6da509580522d2810f317fbfd281e6cf7b168828ed797028b52846

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
443KB

MD5
d442409c6b293eafce5d170604548e9b

SHA1
6f2216a81b6801999080bb92bfea90c108c27b2c

SHA256
f195cad11e2763e0722b2ddc272216b2c34241fe218cf4543a71fdebe533fd3b

SHA512
a05283ac33228fe6b037b1cf66629c049b29e19ec3002ba3c3b3aa8f164d907d241b0a87e8d108bc00cba1435a03d9c3adda592b380662a637b6b78d803f64da

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
443KB

MD5
df7adc39b65f774a97aad27189faecbe

SHA1
2c779d215aef4a5ae97098d778017d0b7fa61762

SHA256
756c1548c7fcafa247ac37424ccd59d944712f914e06388c46710cd589017c67

SHA512
c0a733c8ffcd5f477c0769018cc34d688a6390652a5911ac2a3f8ff7aab1989eb2ad42725c354e79ec2ff5e899359c191c6314fe107a74c93fc31da51632eaea

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
443KB

MD5
e10dcb226ef4d3ad3d1a1766cd32458f

SHA1
28a1806b7a3ecf76d7b82c5a7fd269041b66ec20

SHA256
75044b5c0908a723c38866be0a6c67d921869eb7cef07ab2669b60fff81e1001

SHA512
5b8cc4fe3433318c1b64e6a2782c6737fcaa8056f345107abc0bef373c34002452f5eda66d0862f71ec4c4492ab8cb6b10c180222c2ecfc674f22b76a3ae69e8

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
443KB

MD5
686667181d4ec947f7e9232efc48bfe6

SHA1
14ccba09ae8a51b5dc664b3fb0f341e2130ccc28

SHA256
b41a04a8374845239eab95b304e00b5df384e46d5634389e9f5198c29e25a890

SHA512
cea60c07a3777e730a127b946bcd120f29c6410cb5a31f1362a7549f2e87b52851d49925781977b87387ec84d78f98567afab60288ca9fb187279eb581f346c8

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
443KB

MD5
7a1a6b6fdde99731dce6995e89ac6623

SHA1
bf71334d924eb47ed917dfcc3702d9ca8031dcff

SHA256
600e889ad311b1d66f626344521351f78085a4d4ae5936238efef2758401a0c5

SHA512
e0a5e2c39e2aa46a7785a812fc9703d77ca69bb647850a83af4334017580c8d7f3889221db0f6397b8c61e226301c3955cab3773e46bb8865d5844619fc212e5

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
443KB

MD5
68391938a766ea01a826e57c446886e7

SHA1
ed4f941d371fc10d8e1c5ae341a714e6affb7529

SHA256
bcada282038ffd041034a3b95f912d82bc924f398d7d4c95280f5df63ae48b4f

SHA512
41f35e196d4626420029f71c267081f6dd52146213c88cd373c3f312ac14b13bd58d70bd9f6e330223760308bc70658d33474ad9d95a48bb8dcf2cc0a1d429a2

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
443KB

MD5
efb10afd3a3b02ed5a62aa72717914e2

SHA1
cb69def8e040c231f6eaefdfbeecfb67daceed92

SHA256
1a3618209bb9514f6125872fadfc8560224300ee7ed164ea573f00b472a9cb23

SHA512
6533644624654d5477eb4d2c558e1718c1b6788788d605ac89381def350addefe11d4f59f84e06927db106f001cbb1ba7b731f927df4c7e2608132b4fe9c2cee

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
443KB

MD5
f5c9b5fa1bc42f98790ffb7833d64f96

SHA1
da39e661b0738cda8531d1648e4d357c6cdf9fce

SHA256
24bfd96fbc11bd77002e15c5de2fe8b2446b13aba999ca97078ab5e1d75eb9c9

SHA512
b038e98c28060ab6645be9b5c0ff0c6167c15e43dd3cdd85cb0153fac12c27f5caa12d3ff5d58e000e48b8747c542b3d8086c2650a9b53757bd8a81b72fc4778

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
443KB

MD5
f13e3cdc5e7a120287d76391d496c36e

SHA1
b354f3be9f4eceee63cb222eac759bdf8ae9a1d7

SHA256
bae30c9d7f5a586a2d63a64b0be3ae9e5e9f3ac6b5412a9015d77bb0d1f029bb

SHA512
e7cb9dece1e29dce185971dc3d0c118611f933b00010e72d3121f428e382d3396ff72083d1cbfcf3332f7d52313c79597f484a840c209bb639ba1165d89f2095

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
443KB

MD5
311d849c2c0bcf786a4e414d266e877b

SHA1
ded63d3250e00f829d9c15fbf13a55349940b7cd

SHA256
1ef7b213b14e94c54df8ec8678c5f0c471b26b568f126d7ed264614e0fe2b613

SHA512
4cd3b16ebce18f2a2869514b39f214e638e12614d7588ebd1394846206febea2239477843e43af75428d67ab16dfa2ed47d858f4a2e4d5972fc88cb4517d89db

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
443KB

MD5
072c47c9dd4170d554e5c1bc662a72be

SHA1
9ca090b0e791bb858c22b8fdb42e111f55d81419

SHA256
f2e4a7025375a81e33a9214243cac6a460f1a6f7ba0b3d12e7263a2be1fc9b40

SHA512
eda2c60e01381653bdc47cce34d89d23644ee6edd356aa182311125920634a90de590b19f7fdc9a75c9cfa123fcea3001c50f61ee965d32f798b4bb63903a388

Download Submit
memory/208-503-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/696-0-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/696-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/844-558-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/864-624-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/864-523-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/912-610-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1068-602-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1120-514-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1268-552-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1288-509-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1304-499-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1364-640-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1364-515-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1412-592-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1464-526-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1464-554-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1480-521-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1480-628-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1532-562-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1712-508-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1732-506-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1780-570-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1784-30-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1804-17-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1856-586-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1892-584-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1892-525-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1920-500-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2064-504-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2120-8-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2124-612-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2136-616-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2152-596-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2240-560-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2376-513-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2404-604-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2416-518-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2416-634-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2508-650-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2536-568-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2568-608-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2580-594-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2644-564-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2848-578-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2928-620-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3148-632-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3148-519-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3164-556-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3232-576-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3256-511-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3316-642-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3456-501-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3852-548-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3920-582-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3928-512-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3988-574-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4000-510-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4048-638-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4048-516-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4268-520-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4268-630-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4320-550-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4364-524-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4364-622-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4380-614-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4384-588-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4388-517-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4388-636-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4408-507-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4444-618-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4484-580-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4516-502-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4640-505-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4656-644-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4712-646-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4736-590-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4744-598-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4776-572-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4840-648-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4872-652-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4948-600-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4988-606-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5012-626-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5012-522-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5056-566-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5180-545-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5216-543-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5248-541-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5288-539-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5320-536-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5360-534-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5396-537-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5428-532-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5468-529-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5468-527-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads