38b0ad2a617de118618a871cb7e77175e4e2068c14cbd22d51d14d24e84e73f2

Analysis

max time kernel
95s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2024, 11:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

38b0ad2a617de118618a871cb7e77175e4e2068c14cbd22d51d14d24e84e73f2N.exe
Size

78KB
MD5

15efe6b0347cd99f8d5d8cf0b0831860
SHA1

40967c6cdba78c90feba2e970f2da5a4d077ac37
SHA256

38b0ad2a617de118618a871cb7e77175e4e2068c14cbd22d51d14d24e84e73f2
SHA512

e3945fe1d46e78e91de004910d741a5b0c828626541d189d964d74394265d70fb81e1a931c088905104f7862ec1123e821b81c0b360eabae1f0d4c855844af5c
SSDEEP

1536:rwAwqv/caTr+1Zd5w9j9NwiO6yf5oAnqDM+4yyF:0KvEaT63daRzwiOCuq4cyF

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	38b0ad2a617de118618a871cb7e77175e4e2068c14cbd22d51d14d24e84e73f2N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	38b0ad2a617de118618a871cb7e77175e4e2068c14cbd22d51d14d24e84e73f2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe

Executes dropped EXE 32 IoCs

pid	Process
1272	Bchomn32.exe
4308	Bffkij32.exe
5092	Bnmcjg32.exe
4524	Bcjlcn32.exe
2528	Bgehcmmm.exe
1940	Bmbplc32.exe
4252	Bclhhnca.exe
2224	Bjfaeh32.exe
2792	Bapiabak.exe
4964	Bcoenmao.exe
1816	Cjinkg32.exe
4404	Cmgjgcgo.exe
3732	Cdabcm32.exe
1784	Cjkjpgfi.exe
2580	Caebma32.exe
1076	Cdcoim32.exe
644	Cjmgfgdf.exe
2456	Cagobalc.exe
612	Cajlhqjp.exe
4468	Cmqmma32.exe
3664	Djdmffnn.exe
2024	Danecp32.exe
3288	Ddmaok32.exe
2112	Djgjlelk.exe
2940	Delnin32.exe
4616	Dmgbnq32.exe
3572	Ddakjkqi.exe
2200	Dfpgffpm.exe
2788	Dogogcpo.exe
3080	Deagdn32.exe
4608	Dgbdlf32.exe
3480	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	38b0ad2a617de118618a871cb7e77175e4e2068c14cbd22d51d14d24e84e73f2N.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Bchomn32.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Bchomn32.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	38b0ad2a617de118618a871cb7e77175e4e2068c14cbd22d51d14d24e84e73f2N.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Hjjdjk32.dll	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Bcjlcn32.exe	Bnmcjg32.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bapiabak.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Bnmcjg32.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Caebma32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2964	3480	WerFault.exe	117

System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	38b0ad2a617de118618a871cb7e77175e4e2068c14cbd22d51d14d24e84e73f2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	38b0ad2a617de118618a871cb7e77175e4e2068c14cbd22d51d14d24e84e73f2N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	38b0ad2a617de118618a871cb7e77175e4e2068c14cbd22d51d14d24e84e73f2N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	38b0ad2a617de118618a871cb7e77175e4e2068c14cbd22d51d14d24e84e73f2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	38b0ad2a617de118618a871cb7e77175e4e2068c14cbd22d51d14d24e84e73f2N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Ddakjkqi.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 1272	2876	38b0ad2a617de118618a871cb7e77175e4e2068c14cbd22d51d14d24e84e73f2N.exe	84
PID 2876 wrote to memory of 1272	2876	38b0ad2a617de118618a871cb7e77175e4e2068c14cbd22d51d14d24e84e73f2N.exe	84
PID 2876 wrote to memory of 1272	2876	38b0ad2a617de118618a871cb7e77175e4e2068c14cbd22d51d14d24e84e73f2N.exe	84
PID 1272 wrote to memory of 4308	1272	Bchomn32.exe	85
PID 1272 wrote to memory of 4308	1272	Bchomn32.exe	85
PID 1272 wrote to memory of 4308	1272	Bchomn32.exe	85
PID 4308 wrote to memory of 5092	4308	Bffkij32.exe	86
PID 4308 wrote to memory of 5092	4308	Bffkij32.exe	86
PID 4308 wrote to memory of 5092	4308	Bffkij32.exe	86
PID 5092 wrote to memory of 4524	5092	Bnmcjg32.exe	87
PID 5092 wrote to memory of 4524	5092	Bnmcjg32.exe	87
PID 5092 wrote to memory of 4524	5092	Bnmcjg32.exe	87
PID 4524 wrote to memory of 2528	4524	Bcjlcn32.exe	88
PID 4524 wrote to memory of 2528	4524	Bcjlcn32.exe	88
PID 4524 wrote to memory of 2528	4524	Bcjlcn32.exe	88
PID 2528 wrote to memory of 1940	2528	Bgehcmmm.exe	90
PID 2528 wrote to memory of 1940	2528	Bgehcmmm.exe	90
PID 2528 wrote to memory of 1940	2528	Bgehcmmm.exe	90
PID 1940 wrote to memory of 4252	1940	Bmbplc32.exe	91
PID 1940 wrote to memory of 4252	1940	Bmbplc32.exe	91
PID 1940 wrote to memory of 4252	1940	Bmbplc32.exe	91
PID 4252 wrote to memory of 2224	4252	Bclhhnca.exe	92
PID 4252 wrote to memory of 2224	4252	Bclhhnca.exe	92
PID 4252 wrote to memory of 2224	4252	Bclhhnca.exe	92
PID 2224 wrote to memory of 2792	2224	Bjfaeh32.exe	93
PID 2224 wrote to memory of 2792	2224	Bjfaeh32.exe	93
PID 2224 wrote to memory of 2792	2224	Bjfaeh32.exe	93
PID 2792 wrote to memory of 4964	2792	Bapiabak.exe	95
PID 2792 wrote to memory of 4964	2792	Bapiabak.exe	95
PID 2792 wrote to memory of 4964	2792	Bapiabak.exe	95
PID 4964 wrote to memory of 1816	4964	Bcoenmao.exe	96
PID 4964 wrote to memory of 1816	4964	Bcoenmao.exe	96
PID 4964 wrote to memory of 1816	4964	Bcoenmao.exe	96
PID 1816 wrote to memory of 4404	1816	Cjinkg32.exe	97
PID 1816 wrote to memory of 4404	1816	Cjinkg32.exe	97
PID 1816 wrote to memory of 4404	1816	Cjinkg32.exe	97
PID 4404 wrote to memory of 3732	4404	Cmgjgcgo.exe	98
PID 4404 wrote to memory of 3732	4404	Cmgjgcgo.exe	98
PID 4404 wrote to memory of 3732	4404	Cmgjgcgo.exe	98
PID 3732 wrote to memory of 1784	3732	Cdabcm32.exe	99
PID 3732 wrote to memory of 1784	3732	Cdabcm32.exe	99
PID 3732 wrote to memory of 1784	3732	Cdabcm32.exe	99
PID 1784 wrote to memory of 2580	1784	Cjkjpgfi.exe	100
PID 1784 wrote to memory of 2580	1784	Cjkjpgfi.exe	100
PID 1784 wrote to memory of 2580	1784	Cjkjpgfi.exe	100
PID 2580 wrote to memory of 1076	2580	Caebma32.exe	101
PID 2580 wrote to memory of 1076	2580	Caebma32.exe	101
PID 2580 wrote to memory of 1076	2580	Caebma32.exe	101
PID 1076 wrote to memory of 644	1076	Cdcoim32.exe	102
PID 1076 wrote to memory of 644	1076	Cdcoim32.exe	102
PID 1076 wrote to memory of 644	1076	Cdcoim32.exe	102
PID 644 wrote to memory of 2456	644	Cjmgfgdf.exe	103
PID 644 wrote to memory of 2456	644	Cjmgfgdf.exe	103
PID 644 wrote to memory of 2456	644	Cjmgfgdf.exe	103
PID 2456 wrote to memory of 612	2456	Cagobalc.exe	104
PID 2456 wrote to memory of 612	2456	Cagobalc.exe	104
PID 2456 wrote to memory of 612	2456	Cagobalc.exe	104
PID 612 wrote to memory of 4468	612	Cajlhqjp.exe	105
PID 612 wrote to memory of 4468	612	Cajlhqjp.exe	105
PID 612 wrote to memory of 4468	612	Cajlhqjp.exe	105
PID 4468 wrote to memory of 3664	4468	Cmqmma32.exe	106
PID 4468 wrote to memory of 3664	4468	Cmqmma32.exe	106
PID 4468 wrote to memory of 3664	4468	Cmqmma32.exe	106
PID 3664 wrote to memory of 2024	3664	Djdmffnn.exe	107

C:\Users\Admin\AppData\Local\Temp\38b0ad2a617de118618a871cb7e77175e4e2068c14cbd22d51d14d24e84e73f2N.exe
"C:\Users\Admin\AppData\Local\Temp\38b0ad2a617de118618a871cb7e77175e4e2068c14cbd22d51d14d24e84e73f2N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Windows\SysWOW64\Bchomn32.exe
  C:\Windows\system32\Bchomn32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1272
- - C:\Windows\SysWOW64\Bffkij32.exe
    C:\Windows\system32\Bffkij32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4308
  - - C:\Windows\SysWOW64\Bnmcjg32.exe
      C:\Windows\system32\Bnmcjg32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5092
    - - C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4524
      - C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4252
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3732
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:644
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:612
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3664
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3288
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2112
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4616
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3572
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2200
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3080
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4608
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3480
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3480 -s 228
        34⤵
        Program crash
        
        PID:2964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3480 -ip 3480
1⤵
PID:4528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bapiabak.exe

Filesize
78KB

MD5
b29db68fd22f6772cdf3b25386161e9e

SHA1
7566360a7c240c987674a6cf351642078e44ce29

SHA256
364065144ae56990416dd91cec51b176d3bd74804d5dc777c5884e4279bdaea6

SHA512
e87b7428e5a74b56b764cdd81726f67d021a59b77443a61a7bd40a20e0971e1b4d3b22bf80c7ebb56cb4cbd3ecb7e4b05e8a0a177222af3d2db2c5d9b47f7d4b

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
78KB

MD5
6f622d8c83bb5d8680f41101e9bae63b

SHA1
4b564f8bbb813069b6083c560b3dc0ca70521739

SHA256
3aacf30c6f5a6c804ca640cd0dc8ab1270d703a01a7ee378c645bc1caf2f9870

SHA512
d8bb7a4a90ac31ecf3df98a1c61b97754bf2b60b442dfc211f480ae0ea4e35c0c8d5e9e47368f5f282bc017dfff3256df9276f2ef265ffb164c8444d5d2ba203

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
78KB

MD5
eaf20ab393746d83062632f11e3beb36

SHA1
07750bc41352cbcfa454dab4e7757016660e369d

SHA256
1992386b385fe35b5ecb5d5bfbe5c9cc78063644f99982020d0e9160c2cc558e

SHA512
200991ec8e5ba96e72fbb5f067a3d9eff6bb65a13c8ea1bd8e5f375f2ce7ac1a710e4b661a3611d0cd3a2414800251cfd424ade07e3f1d6ba43734a777105caa

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
78KB

MD5
7721828d5c3efc4effe03109d2991ac6

SHA1
3ec614c182a9913bc9dd38fbab87bbbf3934852e

SHA256
7b8d234fcf4da6776977830f96b892c330292d24d1217d1872e175ba70888310

SHA512
5e3966b4ccadbcf4152cb2447b5d8ce3db549c2121349110afa75129b14aebdcf943837896dd324de96754b7b75c71b25eb863c714d3e986501b43ec0e74a352

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
78KB

MD5
df853ed18db9ce06198529d4adbf53ec

SHA1
f80edec83aff81cfd39dbd54b5f6cf3c9a2710e3

SHA256
4cb0703cc5d5bb48da774235559a3112d7e2ca3725879182e288e8c823a52a4b

SHA512
20da51a49b4d1250827663f96027dfd66bcd11a182221bd30bf80aee581ce3d72779282073a12f35a8fed333eee1328d6751d2407dff68d349a1b19a664fbe69

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
78KB

MD5
3ad1c0aba5fc2dc03271ececaac43e60

SHA1
dc09f440208dc740d36798ba3c603515a5fbf4f5

SHA256
66eccad1cf618f16b4d2d2d65387a353f85094aa171379761384e45c18b0e4ce

SHA512
c9f12f00a3bb5dd5eb9a93799bc1f0b0c5f91b2c1ce93f85a2e78402c3a742270ea64af4ceec2d483a4d8f788c788258b9c424b30fe150a33fa6fd1667e8e98d

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
78KB

MD5
ff6a937b9b91894190f4017b93e79ef0

SHA1
864fe4eb8f909fc7419eaa23d739c20ccac370e8

SHA256
8904529566a2cb31a48df916d59031586c4543c9ef9ac4386c02c728692fe899

SHA512
06d0e9e2c30a494d31e14c5c6b9df4a92c36576edd97b7dfa746e426e5726592eb99d6327fc26f77b3ae3ac3eadfd2e9f52b8cb31da40089c9f34d863375d102

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
78KB

MD5
a5542d8ae2dd010d7f9245962dede83f

SHA1
1e963e6e979a41cd3b7aca2872c441b0684652da

SHA256
6d01684e5cb6a1f371a36035fe5552ec79b451f8c44e9f9f403b2a6c26fa8623

SHA512
7aca1f899f1c369cc18fcae111fd458d0952b0a1048cfb76a55ef9fab2499f3bce9ade3a2a75fa5aac7a25c86ca756a7b3b90df72ef3fb3583d88034b42350b2

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
78KB

MD5
71debe7600dfd577ce4b1cb949b98068

SHA1
9ca0c76073efe25ba52617f0440b881681d54eac

SHA256
a050ff288570ae5f55f755af877b30f7d23c2d8ef1469313379d6e663561e598

SHA512
0d7129c54e03c740e7d939d76dde844a2f98f82eb79a73f58f175b6274ec420658e957649609729fe1d876d48c39702c1e852845651d8a9a9165b527b681531e

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
78KB

MD5
927537299c88361fb610a4906aed016a

SHA1
82622e153360f17a031f25ff5136553c0c90b51e

SHA256
0c07c320dc1f8334ae490b60a2d284f9022636367e06270c439c6e3fb0cd9bc0

SHA512
3e9cdac043fb682a9b0b35569317d2d0054e3c5d11fc86b4716d5a5a2c7250faaa424801d8b1b5adf5cf0b7031425affb1a355b2446ecd366e588313576e1a43

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
78KB

MD5
88e5c156836692c739aad2e9b36ca88d

SHA1
5d527eeefe04caab2cbbb59f1edf1c42c3bfa223

SHA256
3992a6a9d3a9970c149cfaab5e33993d8793c55f673a6735c343d8e510075b07

SHA512
c84d8ec670c0d5c8673d58b779867bc9e40901537306a3df401a42824b5547a8c97b555fa5a25089d641db0449c0e9abec7533f705e46d8532983d23434db1c7

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
78KB

MD5
6df63ac4f37bf0582edc8f25d4b50c4d

SHA1
2c3a4ec15a8d03e9a98b2aa9a3d1ea28b6d89f7e

SHA256
7a60c9cf19a1bc9603d2a40b3ba21d5d4eb53e93931c26670a45c79d9e8e7217

SHA512
86efa9e8bf1e355a502627ca6424457056cc8bafa7cd5d0caee0888de945eba91ce4f0a4124a802b611d66ab188e56863837ef01cf805d3b69a9bd10a6b278c8

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
78KB

MD5
9eaa304df77834b92e6e010145cbbdbf

SHA1
efcebcac95ab505bef4967c95f8ad7f5e30b7dd9

SHA256
652d0d7d906be84fd7f4e9c0fb0901d57b2da46aa086ed71c4bc4db213148e58

SHA512
75826c2b222926c06c844d0deb300d4a01cf162f440d3f71755a08046f3649a6748fb6ddaa5215117b6aabb2abfa7a28959cf6cfebc95820f33f225292e210b1

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
78KB

MD5
79e61180e095d072d1ae3c18ae78671e

SHA1
8aa2fb6173a668b70dadf9716f74752d075e9e50

SHA256
38f0e48edb05c0fd0b2fe2d909f3b8c10b0a5330c981c14f61effecf983ee99c

SHA512
42c9dd9b3d17df2801c997d5f86c6f265189c3ad7f58f442f2e926478c9d34df550bcb434ff90987c8003022c4677d6dbc79542702fc376a9ab9961a896ebd8b

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
78KB

MD5
2533f692c8ba145732368a93a18593c6

SHA1
623843c53325161db4a90502eb47e87df95b6f84

SHA256
730f79245bb6c0beddd1f7f9e0c0bf9b98071f1bc355a38e96bfb1a57d6d1463

SHA512
a5d3577fdf2932e2a2798af88de2b652b32b9b674e576ff4e7a74c7777b17c5f6048c94af92753c97b99275e483f6715e723ee803c7a1aa9ffad6ff555e5bbec

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
78KB

MD5
fb6a8116c1a111a60e7cb5c074062a0a

SHA1
33e40f2d789d940423f3d75be581a1e0e6b30d71

SHA256
5b1b8585d9aa576dc796b6b501e4080c1287925bf3a5ca7c1569a96f68a7978d

SHA512
dde1830ad4a7bcb2c557a721e4475006dbd7768aa865e54e24615f3e92d1b3802ac38fd10a314715201d2a51cc1f988f48aa83a6bc11b61054c5bca00c3e1c3f

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
78KB

MD5
7007bcca02a2d1bce11dbccf39545f59

SHA1
2d36ea58b731154fd50dad824c64513de9129c11

SHA256
5ba4870dc3417bf424f62db50e312cfa44e3f3c3639a4d6856c2ee5e24c99358

SHA512
107062b6ed8bedfd6d9cc22a5e2aae70ea0c4f6ae27e4c158cc72422d9d50222d19d296936b6c3880309ab62ae5a4316da409f21da1da63e1e65cd26f9eaa023

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
78KB

MD5
44de8364d399e9dca722f648112eaee1

SHA1
511a78092f3dffe880968a85a8f486c54278f116

SHA256
0b15afc1c119b6ec2ddc131c9411982c839bd3aa5e8a76ca1b570562dde91c2a

SHA512
52ef916cc3fd65e737f9168919d5f2c1a4ace91c9378e6f436bc79fd20d59773c2ffdeaa09c616fcbdc897c09ccc9e7e81bafd2400276730b6c850788e6f1b52

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
78KB

MD5
71a26863e1c4e0fd2cb654e85d59276e

SHA1
3e98e4f41f536c155949fad8fa1580c6bb838213

SHA256
653fdfcb6aed408f1bf620200c761374ab183c92927deec61417800cd48dea72

SHA512
9b68b36866695af84fb0443321ab15f1ccc3edd08d19d3c05d7d0e4f0dba08f6d8517d919dc65e6f709eb19ca1f71a5650d4788241b5f29bee4db30595b36241

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
78KB

MD5
8473652329b9f1ba31779931cac56e34

SHA1
917f4b47654beaec5c2a1bce2a331b1d1dbf5784

SHA256
e3125b014dad2b74febb1caf91e3facf89b04c39039b6dcf58a0f27a7c640dd6

SHA512
4be028b4479c5b7c297e918f639bbc8acc677865674ba88fe18f1c4e50cdaa26db7f3ccdcb1058b67ab71ace4d54afac106cdf4c6d4b59164a8742cb9d57d8d1

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
78KB

MD5
abf071c206a82b6c08595f287c1902cc

SHA1
22810fd29a9bae288c4777b3f774921705a91f7a

SHA256
28324f064a9c307a24f54e0d40b04a3da6c01be57f2b0a5c4ad1378ccf4f53b4

SHA512
0e62c25a86d645bb64f1f0dbacf63d731d13a67270863722d8458eb7a6b1213bdf2f3e10756edce7ef29cdad5a037284073a567e8cab8f70b96852b9750a190c

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
78KB

MD5
cadd87b9dc14172537f2184c33af87fd

SHA1
9edd08e03e7f3b10a7512c8744fe16686928ad46

SHA256
2cdf5d812b21808d034fde58b1e1b6d9cdd2623a6d93e27c3ef59c31c2929bab

SHA512
70d0983baf8f6a7b2bb8afbfe7d93938f061aa3b896a19c1067d039c1341df57f7b8dc4ac61ab65f4269cda293e88f7f29084d04f1e8bc7b4217e1b0afd7523f

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
78KB

MD5
793e30b7abe06e33d3428d652847c6a9

SHA1
22d1af6497a4fe9c8271e18da5cd49339b576ab0

SHA256
1619eddffcadf7f9b6a32c0dfc684b57d6f5c4c28cca8216d027647cf160a5be

SHA512
c550ef26f8cdeabee5295216e6f43122829468d6419d9fb82a64f121cd32e9bb34db8c632fab540c5085be8a7cd6d1b1943d3d7c71246d0272e5beff75550f87

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
78KB

MD5
8a98beda41274b611da9ac2e0ed4b66d

SHA1
db7b577e88a05a56ab0665169bef1efb520bc555

SHA256
dc83db485e8cd4b64a558a85bb722227720ca86f506da03b4ab183f9a9d81814

SHA512
80f52484e6cad2529e01bc01b71df52a795d5b4a470fc1c6e32ef0856a7dd65916e0b4bde38c10b7aebf96ef244703fc85a90bbde611b8b95541c2cdea56880b

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
78KB

MD5
0b91bdb1ebb5fae25a0200b3661e876f

SHA1
5420c4b3894e31be82ffbcf2c21565b20d9ed79e

SHA256
5919998a134a2148b6b407cf284194cbeaa6a33ce1edf6d5392fe51f90e85d73

SHA512
3acc5d14291f328cc89a4c8a7cbb538639928f9460b1e221d3a3297def4ef1b59626274ac80bed5502038c300697467fae91b4b69802d8d1ec99744accf64e76

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
78KB

MD5
03035090f9a6859deaa6a8e5c80f4985

SHA1
f46b7822f5fde6e07131bacf48bfc3835abbd6fc

SHA256
35d3daf2246f4d5af3c01530df15cb4454116f9698fcb2f8d73884fd8019c89a

SHA512
30a64e3bf9483188a1dc42142c3cd325aa0fb22e4bf766d0c1520ffbe8415c157d49eaca062911a64493618892b4bf5769e5f20ebe43e7b8a4f234488faa16f2

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
78KB

MD5
60d5da86104507a77bfa8fbd4b45cdbb

SHA1
eb14467f03d92c956b6ed9ef5b8591ab7e662ad0

SHA256
0b4aefe02c1c3881752610a58e10affbc75a5bd73b38979391a62151c47f7cc6

SHA512
bcee4716ee00c990dbccc76edce96d9150d58f3441a22cc9d052876abb7267cf3d6556c5edda8479fe937f6a386ebc16a3fe877f5ff6d54f8ee137cd653fbb31

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
78KB

MD5
3c6368663264da5a1886d6b7b9267c95

SHA1
0aa43bb419f2dde95d951213977f58457a8ad0dc

SHA256
9fc9493efdf59f0c6bb0fd7d441a085f260dee1ca083569842d77201d01dc8aa

SHA512
0599923de31e40337ee32e0292b82d2863e83349a000cf72fdae6d580973a3b72a544cd1b8402b8d0d1f2894ff5501bfb33078f5c70766a4c3c12e412f9935cb

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
78KB

MD5
aec8d436d90ceb8ac0dc5a670937fa54

SHA1
9a981fe64f321714725c7fa5c27bd0a0bfd439a5

SHA256
c284f6ddde56ed9071316b55608cf30f41cfa9e37affd269f03191ce39606864

SHA512
ddab00693686e715dc1e9397cbc1b16484162611708f73b05ce0b7485657bb24c8181657bbb8a5323d2a97080447cb791a43122382b8a84cf2b5aaa959616001

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
78KB

MD5
2b0d8540fcf3c646b7a4adadd992c464

SHA1
b6d0fbdc47ccf1190d49c2b6381f54b6ecf2f8d2

SHA256
e212748c7934c3bf6e50723baf904eed6f3d321a9f06cecdbcb885c71d896ce3

SHA512
5999e85aafe72da9af04bc219db1de5c8d3abcb9a4669cb4a530ee20a0e7a4bfb7e4d6ad92c1516405512abc49910abb8c48c3a9a3eed6cc08bb432b5e992701

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
78KB

MD5
1c989c7ccce5a1d7086e187d3ef6a560

SHA1
f5364a807c9716a7ab41a8c534d26f4e989d2f8d

SHA256
35314702ba8ce11b402a81242c79e5e716e2dbc51c63d60ff3214a9131ab1886

SHA512
94ea40e2539b0b65054a8ced08393868c7ec89834c8d4c0654f503c8ec64d9671d4dc3f9e239c5255ce3b857d4349ae5e9c455e3058c88884f3b1a07dfe421a9

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
78KB

MD5
1ec528729ffda459292ee65760d6731f

SHA1
17ffd2c97368372e1af01282dcbc3fd714d5429a

SHA256
0d1befcd376736227ad03c3a3c89185074cb0c1681a07730de23c592e90f921c

SHA512
76c1610b896e3cc55782b3a80ba3b03a345572516f4d2e9698a9e913f1238a399228a830b31cac2c01707fafed6360a2ccb4fbbffd1b5546dc6d8a62ab993f9f

Download Submit
memory/612-271-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/612-152-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/644-136-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/644-273-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1076-128-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1076-274-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1272-289-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1272-8-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1784-276-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1784-112-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1816-88-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1816-279-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1940-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1940-284-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2024-176-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2024-268-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2112-266-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2112-192-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2200-262-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2200-224-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2224-282-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2224-64-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2456-144-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2456-272-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2528-285-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2528-40-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2580-121-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2580-275-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2788-232-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2788-261-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2792-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2792-281-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2876-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/2876-290-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2876-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2940-265-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2940-200-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3080-240-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3080-260-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3288-185-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3288-267-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3480-258-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3480-257-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3572-263-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3572-216-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3664-269-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3664-168-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3732-104-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3732-277-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4252-57-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4252-283-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4308-16-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4308-288-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4404-96-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4404-278-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4468-270-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4468-161-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4524-286-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4524-33-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4608-259-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4608-248-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4616-264-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4616-208-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4964-80-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4964-280-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5092-25-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5092-287-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads