02bf77b92a3e4dc42102ae3425cf717a79a0929b3f95945ce71fd8c0880e1fee

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
26-07-2024 19:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47591e35f975ace6be731ff9d1e92cf0N.exe
Size

90KB
MD5

47591e35f975ace6be731ff9d1e92cf0
SHA1

aaa53fd5f947e233fa8f3774a16808d1cfaa697a
SHA256

02bf77b92a3e4dc42102ae3425cf717a79a0929b3f95945ce71fd8c0880e1fee
SHA512

671c7ee0c071de06130a8c4a4237d017b6738474df0428e48bb515b946472ff2160aedea14ca84911d44fbe48b3539d07721b417cf933d586490cae234558b14
SSDEEP

1536:CkAaPFvkRmhdAiOu0xzlzM0ob6EANGT/MPHugiVx8Me9:CkAaRPAiOuezVMHGEfMm/x8N

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 60 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bniajoic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjkhdacm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjakccop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caifjn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdqlajbb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmlael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcbhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cebeem32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	47591e35f975ace6be731ff9d1e92cf0N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adnpkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	47591e35f975ace6be731ff9d1e92cf0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjdkjpkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adnpkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqijljfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjakccop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgllgedi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjkhdacm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbgfkje.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgaebe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqijljfd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqlfaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danpemej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bniajoic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmlael32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgaebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cebeem32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgllgedi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdqlajbb.exe

Executes dropped EXE 30 IoCs

pid	Process
2100	Adnpkjde.exe
2732	Bgllgedi.exe
2232	Bjkhdacm.exe
2880	Bdqlajbb.exe
2792	Bniajoic.exe
2592	Bmlael32.exe
2620	Bgaebe32.exe
2976	Bqijljfd.exe
2616	Bgcbhd32.exe
2376	Bqlfaj32.exe
1476	Boogmgkl.exe
1672	Bjdkjpkb.exe
2848	Bmbgfkje.exe
2372	Cfkloq32.exe
1128	Cenljmgq.exe
1080	Cocphf32.exe
1952	Cfmhdpnc.exe
1804	Cileqlmg.exe
1700	Cgoelh32.exe
832	Cbdiia32.exe
872	Cebeem32.exe
656	Ckmnbg32.exe
2512	Caifjn32.exe
2936	Cchbgi32.exe
2096	Cjakccop.exe
1600	Cmpgpond.exe
1848	Cegoqlof.exe
1688	Dmbcen32.exe
2556	Danpemej.exe
2172	Dpapaj32.exe

Loads dropped DLL 63 IoCs

pid	Process
2468	47591e35f975ace6be731ff9d1e92cf0N.exe
2468	47591e35f975ace6be731ff9d1e92cf0N.exe
2100	Adnpkjde.exe
2100	Adnpkjde.exe
2732	Bgllgedi.exe
2732	Bgllgedi.exe
2232	Bjkhdacm.exe
2232	Bjkhdacm.exe
2880	Bdqlajbb.exe
2880	Bdqlajbb.exe
2792	Bniajoic.exe
2792	Bniajoic.exe
2592	Bmlael32.exe
2592	Bmlael32.exe
2620	Bgaebe32.exe
2620	Bgaebe32.exe
2976	Bqijljfd.exe
2976	Bqijljfd.exe
2616	Bgcbhd32.exe
2616	Bgcbhd32.exe
2376	Bqlfaj32.exe
2376	Bqlfaj32.exe
1476	Boogmgkl.exe
1476	Boogmgkl.exe
1672	Bjdkjpkb.exe
1672	Bjdkjpkb.exe
2848	Bmbgfkje.exe
2848	Bmbgfkje.exe
2372	Cfkloq32.exe
2372	Cfkloq32.exe
1128	Cenljmgq.exe
1128	Cenljmgq.exe
1080	Cocphf32.exe
1080	Cocphf32.exe
1952	Cfmhdpnc.exe
1952	Cfmhdpnc.exe
1804	Cileqlmg.exe
1804	Cileqlmg.exe
1700	Cgoelh32.exe
1700	Cgoelh32.exe
832	Cbdiia32.exe
832	Cbdiia32.exe
872	Cebeem32.exe
872	Cebeem32.exe
656	Ckmnbg32.exe
656	Ckmnbg32.exe
2512	Caifjn32.exe
2512	Caifjn32.exe
2936	Cchbgi32.exe
2936	Cchbgi32.exe
2096	Cjakccop.exe
2096	Cjakccop.exe
1600	Cmpgpond.exe
1600	Cmpgpond.exe
1848	Cegoqlof.exe
1848	Cegoqlof.exe
1688	Dmbcen32.exe
1688	Dmbcen32.exe
2556	Danpemej.exe
2556	Danpemej.exe
2948	WerFault.exe
2948	WerFault.exe
2948	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bmlael32.exe	Bniajoic.exe
File opened for modification	C:\Windows\SysWOW64\Bqijljfd.exe	Bgaebe32.exe
File created	C:\Windows\SysWOW64\Pcaibd32.dll	Cjakccop.exe
File created	C:\Windows\SysWOW64\Cegoqlof.exe	Cmpgpond.exe
File opened for modification	C:\Windows\SysWOW64\Cegoqlof.exe	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Lbmnig32.dll	Boogmgkl.exe
File created	C:\Windows\SysWOW64\Cfkloq32.exe	Bmbgfkje.exe
File created	C:\Windows\SysWOW64\Jidmcq32.dll	Cileqlmg.exe
File created	C:\Windows\SysWOW64\Cebeem32.exe	Cbdiia32.exe
File opened for modification	C:\Windows\SysWOW64\Cebeem32.exe	Cbdiia32.exe
File opened for modification	C:\Windows\SysWOW64\Bniajoic.exe	Bdqlajbb.exe
File opened for modification	C:\Windows\SysWOW64\Bgcbhd32.exe	Bqijljfd.exe
File created	C:\Windows\SysWOW64\Bqlfaj32.exe	Bgcbhd32.exe
File opened for modification	C:\Windows\SysWOW64\Danpemej.exe	Dmbcen32.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Danpemej.exe
File created	C:\Windows\SysWOW64\Aglfmjon.dll	47591e35f975ace6be731ff9d1e92cf0N.exe
File created	C:\Windows\SysWOW64\Bdqlajbb.exe	Bjkhdacm.exe
File opened for modification	C:\Windows\SysWOW64\Cenljmgq.exe	Cfkloq32.exe
File created	C:\Windows\SysWOW64\Dmbcen32.exe	Cegoqlof.exe
File opened for modification	C:\Windows\SysWOW64\Boogmgkl.exe	Bqlfaj32.exe
File created	C:\Windows\SysWOW64\Fnbkfl32.dll	Cbdiia32.exe
File created	C:\Windows\SysWOW64\Caifjn32.exe	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Onaiomjo.dll	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Cjakccop.exe	Cchbgi32.exe
File created	C:\Windows\SysWOW64\Cmpgpond.exe	Cjakccop.exe
File opened for modification	C:\Windows\SysWOW64\Bdqlajbb.exe	Bjkhdacm.exe
File opened for modification	C:\Windows\SysWOW64\Bgaebe32.exe	Bmlael32.exe
File created	C:\Windows\SysWOW64\Ibcihh32.dll	Bqlfaj32.exe
File created	C:\Windows\SysWOW64\Aqpmpahd.dll	Cenljmgq.exe
File opened for modification	C:\Windows\SysWOW64\Cmpgpond.exe	Cjakccop.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Danpemej.exe
File created	C:\Windows\SysWOW64\Bgaebe32.exe	Bmlael32.exe
File created	C:\Windows\SysWOW64\Dgnenf32.dll	Bgaebe32.exe
File opened for modification	C:\Windows\SysWOW64\Cocphf32.exe	Cenljmgq.exe
File created	C:\Windows\SysWOW64\Cileqlmg.exe	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Cgoelh32.exe	Cileqlmg.exe
File created	C:\Windows\SysWOW64\Jhogdg32.dll	Cebeem32.exe
File created	C:\Windows\SysWOW64\Kfcgie32.dll	Bgllgedi.exe
File created	C:\Windows\SysWOW64\Bjdkjpkb.exe	Boogmgkl.exe
File opened for modification	C:\Windows\SysWOW64\Cfkloq32.exe	Bmbgfkje.exe
File opened for modification	C:\Windows\SysWOW64\Cfmhdpnc.exe	Cocphf32.exe
File created	C:\Windows\SysWOW64\Gpajfg32.dll	Cchbgi32.exe
File created	C:\Windows\SysWOW64\Bjkhdacm.exe	Bgllgedi.exe
File created	C:\Windows\SysWOW64\Bmbgfkje.exe	Bjdkjpkb.exe
File opened for modification	C:\Windows\SysWOW64\Bmbgfkje.exe	Bjdkjpkb.exe
File created	C:\Windows\SysWOW64\Aaddfb32.dll	Cfkloq32.exe
File created	C:\Windows\SysWOW64\Cmbfdl32.dll	Cfmhdpnc.exe
File opened for modification	C:\Windows\SysWOW64\Cbdiia32.exe	Cgoelh32.exe
File opened for modification	C:\Windows\SysWOW64\Dmbcen32.exe	Cegoqlof.exe
File opened for modification	C:\Windows\SysWOW64\Bjkhdacm.exe	Bgllgedi.exe
File opened for modification	C:\Windows\SysWOW64\Bmlael32.exe	Bniajoic.exe
File created	C:\Windows\SysWOW64\Bngpjpqe.dll	Bniajoic.exe
File created	C:\Windows\SysWOW64\Gbnbjo32.dll	Bgcbhd32.exe
File opened for modification	C:\Windows\SysWOW64\Bjdkjpkb.exe	Boogmgkl.exe
File created	C:\Windows\SysWOW64\Cenljmgq.exe	Cfkloq32.exe
File created	C:\Windows\SysWOW64\Fhgpia32.dll	Cgoelh32.exe
File opened for modification	C:\Windows\SysWOW64\Ckmnbg32.exe	Cebeem32.exe
File opened for modification	C:\Windows\SysWOW64\Cjakccop.exe	Cchbgi32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Danpemej.exe
File created	C:\Windows\SysWOW64\Lmdlck32.dll	Bjkhdacm.exe
File created	C:\Windows\SysWOW64\Bniajoic.exe	Bdqlajbb.exe
File created	C:\Windows\SysWOW64\Oabhggjd.dll	Bmlael32.exe
File created	C:\Windows\SysWOW64\Bgcbhd32.exe	Bqijljfd.exe
File created	C:\Windows\SysWOW64\Cfmhdpnc.exe	Cocphf32.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32†Dmepkn32.¿xe	Dpapaj32.exe
File opened for modification	C:\Windows\system32†Dmepkn32.¿xe	Dpapaj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2948	2172	WerFault.exe	60

System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	47591e35f975ace6be731ff9d1e92cf0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbgfkje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjkhdacm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cileqlmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegoqlof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdiia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjakccop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bniajoic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqijljfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcbhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocphf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmlael32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgaebe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfkloq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caifjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cchbgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgllgedi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdqlajbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqlfaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boogmgkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenljmgq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpgpond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danpemej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdkjpkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmhdpnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adnpkjde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cebeem32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjakccop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmlael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgaebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cocphf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cebeem32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgllgedi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaddfb32.dll"	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adnpkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjkhdacm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmbfdl32.dll"	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjmeignj.dll"	Adnpkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bqijljfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqpmpahd.dll"	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caifjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjkhdacm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmlael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibcihh32.dll"	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhogdg32.dll"	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acnenl32.dll"	Caifjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fikbiheg.dll"	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfefmpeo.dll"	Bqijljfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjdkjpkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbgfkje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cebeem32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmdlck32.dll"	Bjkhdacm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bqlfaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnia32.dll"	Bjdkjpkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	47591e35f975ace6be731ff9d1e92cf0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	47591e35f975ace6be731ff9d1e92cf0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adnpkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnenf32.dll"	Bgaebe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbmnig32.dll"	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oghnkh32.dll"	Bmbgfkje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cocphf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbehjc32.dll"	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	47591e35f975ace6be731ff9d1e92cf0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejemnf.dll"	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnbkfl32.dll"	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcaibd32.dll"	Cjakccop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	47591e35f975ace6be731ff9d1e92cf0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgllgedi.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 2100	2468	47591e35f975ace6be731ff9d1e92cf0N.exe	31
PID 2468 wrote to memory of 2100	2468	47591e35f975ace6be731ff9d1e92cf0N.exe	31
PID 2468 wrote to memory of 2100	2468	47591e35f975ace6be731ff9d1e92cf0N.exe	31
PID 2468 wrote to memory of 2100	2468	47591e35f975ace6be731ff9d1e92cf0N.exe	31
PID 2100 wrote to memory of 2732	2100	Adnpkjde.exe	32
PID 2100 wrote to memory of 2732	2100	Adnpkjde.exe	32
PID 2100 wrote to memory of 2732	2100	Adnpkjde.exe	32
PID 2100 wrote to memory of 2732	2100	Adnpkjde.exe	32
PID 2732 wrote to memory of 2232	2732	Bgllgedi.exe	33
PID 2732 wrote to memory of 2232	2732	Bgllgedi.exe	33
PID 2732 wrote to memory of 2232	2732	Bgllgedi.exe	33
PID 2732 wrote to memory of 2232	2732	Bgllgedi.exe	33
PID 2232 wrote to memory of 2880	2232	Bjkhdacm.exe	34
PID 2232 wrote to memory of 2880	2232	Bjkhdacm.exe	34
PID 2232 wrote to memory of 2880	2232	Bjkhdacm.exe	34
PID 2232 wrote to memory of 2880	2232	Bjkhdacm.exe	34
PID 2880 wrote to memory of 2792	2880	Bdqlajbb.exe	35
PID 2880 wrote to memory of 2792	2880	Bdqlajbb.exe	35
PID 2880 wrote to memory of 2792	2880	Bdqlajbb.exe	35
PID 2880 wrote to memory of 2792	2880	Bdqlajbb.exe	35
PID 2792 wrote to memory of 2592	2792	Bniajoic.exe	36
PID 2792 wrote to memory of 2592	2792	Bniajoic.exe	36
PID 2792 wrote to memory of 2592	2792	Bniajoic.exe	36
PID 2792 wrote to memory of 2592	2792	Bniajoic.exe	36
PID 2592 wrote to memory of 2620	2592	Bmlael32.exe	37
PID 2592 wrote to memory of 2620	2592	Bmlael32.exe	37
PID 2592 wrote to memory of 2620	2592	Bmlael32.exe	37
PID 2592 wrote to memory of 2620	2592	Bmlael32.exe	37
PID 2620 wrote to memory of 2976	2620	Bgaebe32.exe	38
PID 2620 wrote to memory of 2976	2620	Bgaebe32.exe	38
PID 2620 wrote to memory of 2976	2620	Bgaebe32.exe	38
PID 2620 wrote to memory of 2976	2620	Bgaebe32.exe	38
PID 2976 wrote to memory of 2616	2976	Bqijljfd.exe	39
PID 2976 wrote to memory of 2616	2976	Bqijljfd.exe	39
PID 2976 wrote to memory of 2616	2976	Bqijljfd.exe	39
PID 2976 wrote to memory of 2616	2976	Bqijljfd.exe	39
PID 2616 wrote to memory of 2376	2616	Bgcbhd32.exe	40
PID 2616 wrote to memory of 2376	2616	Bgcbhd32.exe	40
PID 2616 wrote to memory of 2376	2616	Bgcbhd32.exe	40
PID 2616 wrote to memory of 2376	2616	Bgcbhd32.exe	40
PID 2376 wrote to memory of 1476	2376	Bqlfaj32.exe	41
PID 2376 wrote to memory of 1476	2376	Bqlfaj32.exe	41
PID 2376 wrote to memory of 1476	2376	Bqlfaj32.exe	41
PID 2376 wrote to memory of 1476	2376	Bqlfaj32.exe	41
PID 1476 wrote to memory of 1672	1476	Boogmgkl.exe	42
PID 1476 wrote to memory of 1672	1476	Boogmgkl.exe	42
PID 1476 wrote to memory of 1672	1476	Boogmgkl.exe	42
PID 1476 wrote to memory of 1672	1476	Boogmgkl.exe	42
PID 1672 wrote to memory of 2848	1672	Bjdkjpkb.exe	43
PID 1672 wrote to memory of 2848	1672	Bjdkjpkb.exe	43
PID 1672 wrote to memory of 2848	1672	Bjdkjpkb.exe	43
PID 1672 wrote to memory of 2848	1672	Bjdkjpkb.exe	43
PID 2848 wrote to memory of 2372	2848	Bmbgfkje.exe	44
PID 2848 wrote to memory of 2372	2848	Bmbgfkje.exe	44
PID 2848 wrote to memory of 2372	2848	Bmbgfkje.exe	44
PID 2848 wrote to memory of 2372	2848	Bmbgfkje.exe	44
PID 2372 wrote to memory of 1128	2372	Cfkloq32.exe	45
PID 2372 wrote to memory of 1128	2372	Cfkloq32.exe	45
PID 2372 wrote to memory of 1128	2372	Cfkloq32.exe	45
PID 2372 wrote to memory of 1128	2372	Cfkloq32.exe	45
PID 1128 wrote to memory of 1080	1128	Cenljmgq.exe	46
PID 1128 wrote to memory of 1080	1128	Cenljmgq.exe	46
PID 1128 wrote to memory of 1080	1128	Cenljmgq.exe	46
PID 1128 wrote to memory of 1080	1128	Cenljmgq.exe	46

C:\Users\Admin\AppData\Local\Temp\47591e35f975ace6be731ff9d1e92cf0N.exe
"C:\Users\Admin\AppData\Local\Temp\47591e35f975ace6be731ff9d1e92cf0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Windows\SysWOW64\Adnpkjde.exe
  C:\Windows\system32\Adnpkjde.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Windows\SysWOW64\Bgllgedi.exe
    C:\Windows\system32\Bgllgedi.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Windows\SysWOW64\Bjkhdacm.exe
      C:\Windows\system32\Bjkhdacm.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2232
    - - C:\Windows\SysWOW64\Bdqlajbb.exe
        
        C:\Windows\system32\Bdqlajbb.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2880
      - C:\Windows\SysWOW64\Bniajoic.exe
        
        C:\Windows\system32\Bniajoic.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\SysWOW64\Bmlael32.exe
        
        C:\Windows\system32\Bmlael32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Windows\SysWOW64\Bgaebe32.exe
        
        C:\Windows\system32\Bgaebe32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\SysWOW64\Bqijljfd.exe
        
        C:\Windows\system32\Bqijljfd.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\SysWOW64\Bgcbhd32.exe
        
        C:\Windows\system32\Bgcbhd32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\SysWOW64\Bqlfaj32.exe
        
        C:\Windows\system32\Bqlfaj32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\Boogmgkl.exe
        
        C:\Windows\system32\Boogmgkl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Windows\SysWOW64\Bjdkjpkb.exe
        
        C:\Windows\system32\Bjdkjpkb.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\SysWOW64\Bmbgfkje.exe
        
        C:\Windows\system32\Bmbgfkje.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\SysWOW64\Cfkloq32.exe
        
        C:\Windows\system32\Cfkloq32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\SysWOW64\Cenljmgq.exe
        
        C:\Windows\system32\Cenljmgq.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Windows\SysWOW64\Cocphf32.exe
        
        C:\Windows\system32\Cocphf32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1080
        
        C:\Windows\SysWOW64\Cfmhdpnc.exe
        
        C:\Windows\system32\Cfmhdpnc.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Cileqlmg.exe
        
        C:\Windows\system32\Cileqlmg.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\Cgoelh32.exe
        
        C:\Windows\system32\Cgoelh32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1700
        
        C:\Windows\SysWOW64\Cbdiia32.exe
        
        C:\Windows\system32\Cbdiia32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:832
        
        C:\Windows\SysWOW64\Cebeem32.exe
        
        C:\Windows\system32\Cebeem32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:872
        
        C:\Windows\SysWOW64\Ckmnbg32.exe
        
        C:\Windows\system32\Ckmnbg32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:656
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2512
        
        C:\Windows\SysWOW64\Cchbgi32.exe
        
        C:\Windows\system32\Cchbgi32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\Cjakccop.exe
        
        C:\Windows\system32\Cjakccop.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2096
        
        C:\Windows\SysWOW64\Cmpgpond.exe
        
        C:\Windows\system32\Cmpgpond.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Cegoqlof.exe
        
        C:\Windows\system32\Cegoqlof.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1848
        
        C:\Windows\SysWOW64\Dmbcen32.exe
        
        C:\Windows\system32\Dmbcen32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\Danpemej.exe
        
        C:\Windows\system32\Danpemej.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2556
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        31⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2172
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2172 -s 144
        32⤵
        Loads dropped DLL
        Program crash
        
        PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adnpkjde.exe

Filesize
90KB

MD5
ebdc5e4208a390b251cb87724fae7b43

SHA1
7de5ea2a9a19cf90ad3a5f833ec9f3472c109686

SHA256
268b12bcaf89b3781397230e4d456dfc7f507ba0a2cfc639c2b68b3e521634e3

SHA512
16e871e8f60b0a4d7f2d337110e605cc32db1a6ce115eed8026e85c6e38a169ad7c52b4e5901ce56db3c50ae1774a8bd843cab5366cfbf65934e675b660965ab

Download Submit
C:\Windows\SysWOW64\Bdqlajbb.exe

Filesize
90KB

MD5
8a975f1a604060f38d1b8d56395bf7ab

SHA1
83cdf110872ec6d2b2e300ef22e9cf1bc2e78bfc

SHA256
349f26ba778fe85958b14a8030754ba27fc4ffb7b8c7642a46f5a2603cf352a4

SHA512
07e53734a0686314758a20dc11a611f7cf6a57520b62834d6f0b7192dce6e8b4fc171105936d251d5cac2068f53f6f85be210404d26b72ac1d9bfbe8d763f996

Download Submit
C:\Windows\SysWOW64\Bgaebe32.exe

Filesize
90KB

MD5
0aece03fd21452aec1cbf7d77f91c685

SHA1
6ff5b16adfa9234059557854090de7e883591279

SHA256
36f95573761bbcf718542ed394223b7c419f06b0863f63b17e565234470952fa

SHA512
e93773242dd7879816ca41d070374892d497b151f5dd2162e4a0ae2068932a80a97ea5047a01f9b5f9cc8f0c4483259fdaea42aae47c0d238a8265ab5fd1ec4a

Download Submit
C:\Windows\SysWOW64\Bgllgedi.exe

Filesize
90KB

MD5
326eabcd505eb3ee69c6681eb6f1b594

SHA1
b9f627ae4ce7f0bc678abe1b1db5a5d6c8a207ce

SHA256
b4501ad61003041c50af81ed69f6eacaa887c10d922a50bae2103657d4e1b74e

SHA512
034f0354eedaabbcbe9108cca4bb87609daebe1f37282e8910b12c6ed15a5766866fc6fca3b271fe6f871383976656efb4d7e51fd184a747cd383e77afcf2448

Download Submit
C:\Windows\SysWOW64\Caifjn32.exe

Filesize
90KB

MD5
21008790a6cc8cd74fb13bf27cc29701

SHA1
51effc741121cb565e41c8ee20e60166ebf2f066

SHA256
e22b846d96d955145415bd7fd4250fe45b4c6a731eda2bfefc339478f201d72c

SHA512
7ac1af8e897b3e389295a1cb43e5670fb65019dcce85980cc6ca47efd480a9325ed07f68b03cca788cad4de923e7162a3fbb83db771453f5b40727e03eff3f65

Download Submit
C:\Windows\SysWOW64\Cbdiia32.exe

Filesize
90KB

MD5
926e5b589d5480288fd93d79f9bd7618

SHA1
df2c9b70195d58364da0ff9012372e9c6c7184ee

SHA256
d836c2caf2d96c5323d0122a5a75577bd16f8bf709628ad08fab5d2622e94a24

SHA512
3fc867c2656da8e97e67ecace9e686d7a0b3b0643980c3b53ad88ea244c8b5af12f7099764595b7b71fcade6f884afb73a97daf76861dd424001ab347bf58eab

Download Submit
C:\Windows\SysWOW64\Cchbgi32.exe

Filesize
90KB

MD5
d50594cc363629e7d00de3614defb7fd

SHA1
3577fc5a1c4cd4db95540820e4960aede2ceb4a2

SHA256
1b9bd2656e0da60b2628d7af0496833f9f1e1ed34c65422a9966bc9d1d1be165

SHA512
945f4ae51e81572da1206f591ca8e890c29d642ff104e9be6aab4feb1c6c048a86f46dbe4884af4e897888b7d8fe5dcc68b1f384e9ab932ba70837a14c3401ca

Download Submit
C:\Windows\SysWOW64\Cebeem32.exe

Filesize
90KB

MD5
d92762503e32cd30d9877a92782de84d

SHA1
12a0c9992319f68f96ccf40acbea40db43520465

SHA256
c33e979674c524e6e080dc766ca8a3bcd722d0f5235b67e123fef9c8565a424c

SHA512
4a220813240cd29c0ca3421e7f47fef539c4ba4bd27ca02b99f10d927854c9dcaecc8a01941a29477c770111bd2035cbd78354d332c9833e2f8dd81d6c5968d6

Download Submit
C:\Windows\SysWOW64\Cegoqlof.exe

Filesize
90KB

MD5
c0bb70a3bc2fd55f56ae2d4adf070bcd

SHA1
d9013b89729808658ed741152a7956c8161e235c

SHA256
cb48d00c29ede5e3c28087b170578c3ab353e2c9f7237d64fcf6839970417941

SHA512
19f554e14f6fbca874307f2ad06fa27c7a063e4a1978b8600262f1f2e60d1761cc5a7849b57ceee9c88d5860a5ea4ef248f3db2e47a66f8ee32dff2970742609

Download Submit
C:\Windows\SysWOW64\Cfmhdpnc.exe

Filesize
90KB

MD5
b3e17028a871fa855bbebb725b076206

SHA1
792d144f0ca36dd1a4f6b236a4bf2c671d5b08f4

SHA256
d20342affca2b4b9cb2e9898915dc2f0527c9ff351ab8913d1e330ddaf6b2d91

SHA512
6bff14c789f13b248e4bbf941f85242a3a3df6766d41df9ecd2454260919dd11e639715330dfa86d5d58c6fa4c8c19e55a85a2d7fadb08fc9fe13d65c4f93175

Download Submit
C:\Windows\SysWOW64\Cgoelh32.exe

Filesize
90KB

MD5
969fa7d839a62d9f671c6bff112d81ff

SHA1
0a3e11739db575e2f1dc412e809dab0655f42539

SHA256
30c5488763ea47d69bfe837753f0e699b4c9c054e73ea9170c31388a0ab618ea

SHA512
6948a75962f04c8a30156967d129d8cdaf612bf32b56d37dc54f05fae0905aa14fc14f7c837bcc6589d81ea54521bab25d783dc73c47022a7d7f9a0105edc491

Download Submit
C:\Windows\SysWOW64\Cileqlmg.exe

Filesize
90KB

MD5
a9662a6a19845260100238b7bdeefcda

SHA1
585ffb7762e0be83a9e7e83fe562cbf74ec56c98

SHA256
68009323b729efa6148be44787dc270e547e729402f9ffd498f01e4141f6487d

SHA512
61a80899109cd2baa5ea79b6abbfb2344b5a55bda5084e1fe9d91e1aaaacd2abe6fc2f2263fd0407884cebbf29692e50b246bb08567f2d213bebdfe5a3b98585

Download Submit
C:\Windows\SysWOW64\Cjakccop.exe

Filesize
90KB

MD5
e4541825831b5730b7c902ddb2f6c380

SHA1
51a70ff86fef4e837eacd8db12ef491b1e58fae7

SHA256
ba7171a946fa30a5aa6657ef6e602a1a242b52e944e501f14dc8151d485e7e3f

SHA512
cb701f6fd6cdd05b6b771d3ece113a120a06b51112f6fe1e5bd5f4707d4055f2a17294d1ad1a9888fafcedf5fcb033baa3f576fe0e90e380c4f79afed724d0c7

Download Submit
C:\Windows\SysWOW64\Ckmnbg32.exe

Filesize
90KB

MD5
51ea9803312ecba5856f8ced800e0526

SHA1
ccc67074dd36f246010192967011a0f1a158c33e

SHA256
b0695fb7f99b8f699e592de748dd1c40e874139805b680cc145bf1ea2d1dd2b8

SHA512
09f1aebe92dc889b990cf92c30201b1a6fd24a82ddde95a66d904c859d489cb516bad3f0fb4b771febca8934ca5f00782482cce928a64018581f241d64d4c7bc

Download Submit
C:\Windows\SysWOW64\Cmpgpond.exe

Filesize
90KB

MD5
8d6fa587c9fe97499964074f8bf94c2f

SHA1
8e3539c8a935e81da0cceed597a3e9b6e0373c82

SHA256
14899aa04e34ee0c88fe90cf56d8ddcd41571e939ca0127722223b5276229ce9

SHA512
d2475be368b8a95ca160530089a57cc3e0f2e55607f33d822f72e358d0f58bf3616e5eb7e785ea8c342ece86db1803c9e65beac17c4c18aaa3512100451f03da

Download Submit
C:\Windows\SysWOW64\Danpemej.exe

Filesize
90KB

MD5
2877f2c17209e6ba8722b6b3d465d888

SHA1
156fbfebd408cbe7ceabdef89bcf79455ec0de08

SHA256
33a707556375ce46220d5c669ed8dae690273779d4c3cf464dd169fa08f33478

SHA512
313716ca6dda1282730b66deb1ce44ba074e8166edf7f5ea65457326837ba6fd4d20ce5651376cc88fba8c2a601aaaa331ad392771a8eb5807d11e49554fbcd8

Download Submit
C:\Windows\SysWOW64\Dmbcen32.exe

Filesize
90KB

MD5
11574689a159d809dea23b448a913d93

SHA1
5f8c7fd95c7bd7c317ff6eb77b8910e9a677ea4b

SHA256
b295c2913a53099e66a04367eb6267afd52236bb40816f5e33a6943ac32e7386

SHA512
24360034af5cc4a999a9a699c54a894030444f7feac61defe1da742cd532cfe14ec981eedc0fa21d0555066d40b8fe896f54a1f168316f70a99b2868b8f353cc

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
90KB

MD5
e174921979f036795da86bb9e39936e8

SHA1
233f6fb5d44dfd9683830f2047fa210154d8d196

SHA256
4ea87f901e01aae093459efd1b958dca79f70276f82073dcf46b70af1017acc7

SHA512
2cd8a22f5c403c78d7f71df07557dd4c28bd9c80684ff87fcedd94e21680b8f687b75ef915fd0e09f422ee7e677fe50c82b80e22ea386f48e96ea3c92c787624

Download Submit
\Windows\SysWOW64\Bgcbhd32.exe

Filesize
90KB

MD5
467dc9c97384785f8d103a9d78a81cd8

SHA1
6f8150e1e66e1ea18f13cd926edc7676e2bf1ed5

SHA256
434e8b08145c459b8d1b93e8ce318a9fc0b9d13ca961fa3e3c92f2de7dae5656

SHA512
6c71382a114d5bfb760cbbd9d17734d94c2e25c7956e1626af710740f17810e35dae2cb7f05261a2240b61548032e1e88128e1f3cd211b540918ac1978713843

Download Submit
\Windows\SysWOW64\Bjdkjpkb.exe

Filesize
90KB

MD5
a1c3bc95edaf8cc271abb675ad6f1a93

SHA1
cd46adad11ed0ec45e5c35b1803cd1f592739d18

SHA256
4a3dbd75d4f41df48765409a1d10c26d800007ea39f392e15f547d7911498409

SHA512
ab2ea16259960a0927bd3cc0cd00dbaf986cc1b2e615f7c52133d5fa91ba81d42adfba73372785fc3add75467a3233e5f92336c9396979c92e43c08801dbbcfc

Download Submit
\Windows\SysWOW64\Bjkhdacm.exe

Filesize
90KB

MD5
dd3112217ec2b32bf5bb5ed3fa217132

SHA1
f75439183c30e3bdd09adf64d79c2613574dffc5

SHA256
3c6c3cb0ea089f07b3d096c40bdd3f94bd799c37452eecb96870845d16e22bac

SHA512
8424f661ee923161de9894019f02573ec89399c41e68809b9c2a9e574e521f43201b3dc91d77461a7cad4ab47f670aa1816015dc8582cc3ec209379ff59b7c0d

Download Submit
\Windows\SysWOW64\Bmbgfkje.exe

Filesize
90KB

MD5
ebcfa0451d9eb2e365216b619df36273

SHA1
56110cc4cf3f1d261a8b881fffa8d0c7ade2e0bb

SHA256
282e4fd299b22dec1c4664166d6f43b3fe2350597c76183db16a679c4ffb4a40

SHA512
38526c452470e9054e939b62df0abaa04075f847acd3cf2aec23987686aafb5d1d5fc2963a5ff74401667c8ed844ab5dd19100225a4afc20c0d01f5940f94fd2

Download Submit
\Windows\SysWOW64\Bmlael32.exe

Filesize
90KB

MD5
1ff46d4160cf31f3b4751b9c45c1d8d7

SHA1
86faf8cdf089a71d70420eb4b760aed2980ce76f

SHA256
f748934814bf3089ea721bfbf1ab23d65f006a636897c763da8a436a13f5a454

SHA512
73bb5d4a5e573e636d983d0730d5311dde1f70502795b2422478a19e910f945ae63c7e8576d85d2e1a423eaf2e7167157a70e6e8396ac9d86f7a5e761c62cbeb

Download Submit
\Windows\SysWOW64\Bniajoic.exe

Filesize
90KB

MD5
492b00d7f14bd4444e561e026eba1c6f

SHA1
18ec90960b72301abae377b3a36e2b16c1a99f64

SHA256
cc00540d1fddcec6a9a1a4b0fe081aed2deb792f1565e225403a00fc0429ba32

SHA512
533bebbd8f3ffb5af0370d2d497f08f9686a1684e2cd30e780c9f83f9fc39b327f6ef8f3f9c968f37748edcf19682a5d7844de2679ae613f37c066ea8e2ba581

Download Submit
\Windows\SysWOW64\Boogmgkl.exe

Filesize
90KB

MD5
b6e49d17807be0dde8639c9223fd274c

SHA1
70999a4a11c1d049a2b9d3b3ea9775df8b8f3786

SHA256
8041b609e0bcea8306343cd5175b402b7bc820701838becb3052f4963d1c31dd

SHA512
3e2dcd5677ccabcd259f319523271c84819c8307128797ceaa9439d776dac28a15392701f4834712193039ce8afad140a08fb940f09ae07e1f935e7910b0b97c

Download Submit
\Windows\SysWOW64\Bqijljfd.exe

Filesize
90KB

MD5
ec30d2ab58aa3fb976f2af4ebd484721

SHA1
4a43845b255d2ddf66fb8721226c4c8d1c7873e1

SHA256
981cb6d858281d63087f1ea2e2457774d54274c9887a20f745be5df7c9e850fd

SHA512
98f79aaf5cbb43d2ac200417d0afd87d505418d38d04845b9a7dc505945deb772515a138339edd714950388f50d25215f529a1d21bafe403ca90554d8775e966

Download Submit
\Windows\SysWOW64\Bqlfaj32.exe

Filesize
90KB

MD5
d012344442ee89de936283a6e5174f6f

SHA1
a01b1bdcfb3fc842bc98b0b5c254e7d921e12eee

SHA256
54f110046b2ee1b32c3d13a7b15613cb14f8b4a0b13973e775b9335937767f3b

SHA512
091b3a1744e1beb4281ee61088f307d9b497fb75946a5a7a3b343833c55060b55904a1582c22a4ff8e2c38e118423f79bf9f50bd9650883399bdf3da5e6d8a7b

Download Submit
\Windows\SysWOW64\Cenljmgq.exe

Filesize
90KB

MD5
84dfdba39e7b3b00db5bf01867b9b639

SHA1
4e0f4bd8ab02e6f0464233e4ae931c8ccf9e4c1e

SHA256
4aed37f228ee2899ebd214bb9dcf0fe07385f3e762f9d2de51878c22251cc140

SHA512
cd2fa93621999598a0a87a016fa49892694546d8d23deb512d0f74666c2e05a9c52abcc91e874694738c22ff750f8f62c05a2d330de6ce41f98096672f86f4eb

Download Submit
\Windows\SysWOW64\Cfkloq32.exe

Filesize
90KB

MD5
72990e0dbf11a95038e1d3110edd9b46

SHA1
f91a4f2f1754bc48842c4b41bd4848e114517e94

SHA256
a27bc788a6723653ae47710290d778d53b83dd8dc8e6fef57ff24506cd72220a

SHA512
88e293fb4e846ecf70d3e32154afd1fad371697dfbf399a6f8970021df6a459d77d01c0d1690aef51b04a0f3c28cc11a98193ba4e6d587472fa8c88cb49d4402

Download Submit
\Windows\SysWOW64\Cocphf32.exe

Filesize
90KB

MD5
2ceb3259db3f2145dfc12a70423eccf8

SHA1
25c3d9cc722c05c78c7aa60b08450511fdff5c19

SHA256
dd5c05eeb1fb4c231dbcc4b4883306502d2ead63fcca9f13412386935c9572d4

SHA512
d41c237b20f2c80b4b9c774336205dc7338f31afd18828308c38939279d0adf1483c1a98dff7310ba4b0ffcdda1cf009f32cd6efb1a19bf870e7d82c3c88a88b

Download Submit
memory/656-275-0x00000000002E0000-0x000000000030F000-memory.dmp

Filesize
188KB

Download
memory/656-270-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/832-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/832-372-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/872-373-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/872-257-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1080-368-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1128-367-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1128-198-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1128-209-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/1476-363-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1476-157-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1600-305-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1600-378-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1600-314-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/1600-315-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/1672-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1672-163-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1688-336-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/1688-332-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1688-337-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/1700-371-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1700-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1804-238-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1848-331-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/1848-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1848-379-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1848-329-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/1952-221-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1952-369-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2096-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2096-303-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2096-304-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2100-18-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2172-351-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2232-44-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2372-366-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2376-132-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2376-362-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2376-140-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/2468-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2468-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2468-11-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2512-276-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2512-375-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2556-348-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2556-347-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2556-338-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2556-381-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2592-91-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2592-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2616-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2616-361-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2620-359-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2620-93-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2732-27-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2732-354-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2792-79-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2792-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2792-357-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2848-365-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2848-172-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2848-184-0x00000000002E0000-0x000000000030F000-memory.dmp

Filesize
188KB

Download
memory/2880-52-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2880-65-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2880-356-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2936-285-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2936-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2976-110-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2976-360-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads