b037fea74c66e40ae10bca2e07cc02bfe537b7c8df7d5d425e4646dbb6e558ac

Analysis

max time kernel
82s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
17/08/2024, 07:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01e632411a8608598df26d05862aff40N.exe
Size

128KB
MD5

01e632411a8608598df26d05862aff40
SHA1

7440e93ce52dc1ae973b071b074cfc53ab746175
SHA256

b037fea74c66e40ae10bca2e07cc02bfe537b7c8df7d5d425e4646dbb6e558ac
SHA512

8b51af369c3e230b7f60d2c0cdacc2e4420841c8367a23314ebcbaca1b07b0edf1cbe5250e22fa6e120e8546ac41e8e1aaed3dd89d3af119bf6dbb926510e406
SSDEEP

3072:EY0bI2wMV7EC6k8QYxQdLrCimBaH8UH30ZIvM6qMH5X3O/:B0bISEvFtCApaH8m3QIvMWH5H

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akmlacdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcmjpd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akbelbpi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aofklbnj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akmlacdn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aialjgbh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agdlfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anndbnao.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afpchl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aioodg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aioodg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aialjgbh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amebjgai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afpchl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaondi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjgbmoda.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkdbab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkdbab32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acpjga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agdlfd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aicipgqe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aicipgqe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaondi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjgbmoda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amebjgai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aofklbnj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ankhmncb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aalaoipc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcmjpd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	01e632411a8608598df26d05862aff40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acpjga32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aalaoipc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anpahn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	01e632411a8608598df26d05862aff40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ankhmncb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anndbnao.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akbelbpi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anpahn32.exe

Executes dropped EXE 19 IoCs

pid	Process
1148	Amebjgai.exe
2792	Acpjga32.exe
580	Aofklbnj.exe
2848	Afpchl32.exe
2448	Aioodg32.exe
2816	Akmlacdn.exe
2780	Ankhmncb.exe
1744	Aialjgbh.exe
2696	Agdlfd32.exe
2532	Anndbnao.exe
2012	Aalaoipc.exe
1328	Aicipgqe.exe
1664	Akbelbpi.exe
1728	Anpahn32.exe
448	Aaondi32.exe
2196	Bcmjpd32.exe
1864	Bkdbab32.exe
876	Bjgbmoda.exe
2484	Bmenijcd.exe

Loads dropped DLL 42 IoCs

pid	Process
628	01e632411a8608598df26d05862aff40N.exe
628	01e632411a8608598df26d05862aff40N.exe
1148	Amebjgai.exe
1148	Amebjgai.exe
2792	Acpjga32.exe
2792	Acpjga32.exe
580	Aofklbnj.exe
580	Aofklbnj.exe
2848	Afpchl32.exe
2848	Afpchl32.exe
2448	Aioodg32.exe
2448	Aioodg32.exe
2816	Akmlacdn.exe
2816	Akmlacdn.exe
2780	Ankhmncb.exe
2780	Ankhmncb.exe
1744	Aialjgbh.exe
1744	Aialjgbh.exe
2696	Agdlfd32.exe
2696	Agdlfd32.exe
2532	Anndbnao.exe
2532	Anndbnao.exe
2012	Aalaoipc.exe
2012	Aalaoipc.exe
1328	Aicipgqe.exe
1328	Aicipgqe.exe
1664	Akbelbpi.exe
1664	Akbelbpi.exe
1728	Anpahn32.exe
1728	Anpahn32.exe
448	Aaondi32.exe
448	Aaondi32.exe
2196	Bcmjpd32.exe
2196	Bcmjpd32.exe
1864	Bkdbab32.exe
1864	Bkdbab32.exe
876	Bjgbmoda.exe
876	Bjgbmoda.exe
1300	WerFault.exe
1300	WerFault.exe
1300	WerFault.exe
1300	WerFault.exe

Drops file in System32 directory 57 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lbdcfl32.dll	Amebjgai.exe
File created	C:\Windows\SysWOW64\Aioodg32.exe	Afpchl32.exe
File created	C:\Windows\SysWOW64\Dcemgk32.dll	Ankhmncb.exe
File created	C:\Windows\SysWOW64\Aaondi32.exe	Anpahn32.exe
File created	C:\Windows\SysWOW64\Oedqakci.dll	Anpahn32.exe
File created	C:\Windows\SysWOW64\Aofklbnj.exe	Acpjga32.exe
File created	C:\Windows\SysWOW64\Jahonm32.dll	Acpjga32.exe
File created	C:\Windows\SysWOW64\Aalaoipc.exe	Anndbnao.exe
File opened for modification	C:\Windows\SysWOW64\Anpahn32.exe	Akbelbpi.exe
File opened for modification	C:\Windows\SysWOW64\Bmenijcd.exe	Bjgbmoda.exe
File created	C:\Windows\SysWOW64\Jgcfpd32.dll	Akmlacdn.exe
File opened for modification	C:\Windows\SysWOW64\Anndbnao.exe	Agdlfd32.exe
File created	C:\Windows\SysWOW64\Kagbmg32.dll	Anndbnao.exe
File opened for modification	C:\Windows\SysWOW64\Aaondi32.exe	Anpahn32.exe
File created	C:\Windows\SysWOW64\Bjgbmoda.exe	Bkdbab32.exe
File created	C:\Windows\SysWOW64\Jpobja32.dll	01e632411a8608598df26d05862aff40N.exe
File opened for modification	C:\Windows\SysWOW64\Bkdbab32.exe	Bcmjpd32.exe
File created	C:\Windows\SysWOW64\Inmfkm32.dll	Aofklbnj.exe
File opened for modification	C:\Windows\SysWOW64\Aalaoipc.exe	Anndbnao.exe
File created	C:\Windows\SysWOW64\Bjakil32.dll	Aaondi32.exe
File created	C:\Windows\SysWOW64\Omjkkb32.dll	Bcmjpd32.exe
File created	C:\Windows\SysWOW64\Afpchl32.exe	Aofklbnj.exe
File created	C:\Windows\SysWOW64\Apfamf32.dll	Afpchl32.exe
File created	C:\Windows\SysWOW64\Aialjgbh.exe	Ankhmncb.exe
File opened for modification	C:\Windows\SysWOW64\Aialjgbh.exe	Ankhmncb.exe
File created	C:\Windows\SysWOW64\Agdlfd32.exe	Aialjgbh.exe
File opened for modification	C:\Windows\SysWOW64\Bjgbmoda.exe	Bkdbab32.exe
File opened for modification	C:\Windows\SysWOW64\Ankhmncb.exe	Akmlacdn.exe
File created	C:\Windows\SysWOW64\Naagof32.dll	Aicipgqe.exe
File created	C:\Windows\SysWOW64\Agfbfl32.dll	Bkdbab32.exe
File created	C:\Windows\SysWOW64\Ankhmncb.exe	Akmlacdn.exe
File created	C:\Windows\SysWOW64\Lphdbl32.dll	Akbelbpi.exe
File created	C:\Windows\SysWOW64\Akbelbpi.exe	Aicipgqe.exe
File opened for modification	C:\Windows\SysWOW64\Acpjga32.exe	Amebjgai.exe
File created	C:\Windows\SysWOW64\Bcmjpd32.exe	Aaondi32.exe
File created	C:\Windows\SysWOW64\Bkdbab32.exe	Bcmjpd32.exe
File created	C:\Windows\SysWOW64\Bmenijcd.exe	Bjgbmoda.exe
File created	C:\Windows\SysWOW64\Acpjga32.exe	Amebjgai.exe
File created	C:\Windows\SysWOW64\Jichkb32.dll	Aialjgbh.exe
File opened for modification	C:\Windows\SysWOW64\Aicipgqe.exe	Aalaoipc.exe
File opened for modification	C:\Windows\SysWOW64\Akbelbpi.exe	Aicipgqe.exe
File opened for modification	C:\Windows\SysWOW64\Afpchl32.exe	Aofklbnj.exe
File opened for modification	C:\Windows\SysWOW64\Akmlacdn.exe	Aioodg32.exe
File created	C:\Windows\SysWOW64\Amebjgai.exe	01e632411a8608598df26d05862aff40N.exe
File opened for modification	C:\Windows\SysWOW64\Amebjgai.exe	01e632411a8608598df26d05862aff40N.exe
File opened for modification	C:\Windows\SysWOW64\Agdlfd32.exe	Aialjgbh.exe
File created	C:\Windows\SysWOW64\Jegphc32.dll	Agdlfd32.exe
File created	C:\Windows\SysWOW64\Inceepmo.dll	Aalaoipc.exe
File opened for modification	C:\Windows\SysWOW64\Aofklbnj.exe	Acpjga32.exe
File opened for modification	C:\Windows\SysWOW64\Aioodg32.exe	Afpchl32.exe
File created	C:\Windows\SysWOW64\Akmlacdn.exe	Aioodg32.exe
File created	C:\Windows\SysWOW64\Fcdcfmgg.dll	Aioodg32.exe
File created	C:\Windows\SysWOW64\Anndbnao.exe	Agdlfd32.exe
File created	C:\Windows\SysWOW64\Aicipgqe.exe	Aalaoipc.exe
File created	C:\Windows\SysWOW64\Anpahn32.exe	Akbelbpi.exe
File opened for modification	C:\Windows\SysWOW64\Bcmjpd32.exe	Aaondi32.exe
File created	C:\Windows\SysWOW64\Diflambo.dll	Bjgbmoda.exe

Program crash 1 IoCs

pid	pid_target	Process
1300	2484	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amebjgai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akmlacdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaondi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmenijcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	01e632411a8608598df26d05862aff40N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afpchl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ankhmncb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anndbnao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anpahn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcmjpd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acpjga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aofklbnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aioodg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aalaoipc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aicipgqe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akbelbpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aialjgbh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agdlfd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkdbab32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjgbmoda.exe

Modifies registry class 60 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inmfkm32.dll"	Aofklbnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	01e632411a8608598df26d05862aff40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpobja32.dll"	01e632411a8608598df26d05862aff40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afpchl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Akmlacdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jichkb32.dll"	Aialjgbh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agdlfd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcmjpd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	01e632411a8608598df26d05862aff40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jahonm32.dll"	Acpjga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anpahn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkdbab32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Akmlacdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ankhmncb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcmjpd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjgbmoda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kagbmg32.dll"	Anndbnao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aalaoipc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naagof32.dll"	Aicipgqe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Akbelbpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apfamf32.dll"	Afpchl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jegphc32.dll"	Agdlfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aicipgqe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acpjga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcemgk32.dll"	Ankhmncb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aialjgbh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aalaoipc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aioodg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anndbnao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acpjga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ankhmncb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjgbmoda.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	01e632411a8608598df26d05862aff40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amebjgai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedqakci.dll"	Anpahn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diflambo.dll"	Bjgbmoda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbdcfl32.dll"	Amebjgai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdcfmgg.dll"	Aioodg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aicipgqe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agfbfl32.dll"	Bkdbab32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aaondi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjakil32.dll"	Aaondi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aofklbnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Akbelbpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgcfpd32.dll"	Akmlacdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agdlfd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afpchl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aioodg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aialjgbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anndbnao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inceepmo.dll"	Aalaoipc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lphdbl32.dll"	Akbelbpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	01e632411a8608598df26d05862aff40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	01e632411a8608598df26d05862aff40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anpahn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aaondi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omjkkb32.dll"	Bcmjpd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkdbab32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amebjgai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aofklbnj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 628 wrote to memory of 1148	628	01e632411a8608598df26d05862aff40N.exe	30
PID 628 wrote to memory of 1148	628	01e632411a8608598df26d05862aff40N.exe	30
PID 628 wrote to memory of 1148	628	01e632411a8608598df26d05862aff40N.exe	30
PID 628 wrote to memory of 1148	628	01e632411a8608598df26d05862aff40N.exe	30
PID 1148 wrote to memory of 2792	1148	Amebjgai.exe	31
PID 1148 wrote to memory of 2792	1148	Amebjgai.exe	31
PID 1148 wrote to memory of 2792	1148	Amebjgai.exe	31
PID 1148 wrote to memory of 2792	1148	Amebjgai.exe	31
PID 2792 wrote to memory of 580	2792	Acpjga32.exe	32
PID 2792 wrote to memory of 580	2792	Acpjga32.exe	32
PID 2792 wrote to memory of 580	2792	Acpjga32.exe	32
PID 2792 wrote to memory of 580	2792	Acpjga32.exe	32
PID 580 wrote to memory of 2848	580	Aofklbnj.exe	33
PID 580 wrote to memory of 2848	580	Aofklbnj.exe	33
PID 580 wrote to memory of 2848	580	Aofklbnj.exe	33
PID 580 wrote to memory of 2848	580	Aofklbnj.exe	33
PID 2848 wrote to memory of 2448	2848	Afpchl32.exe	34
PID 2848 wrote to memory of 2448	2848	Afpchl32.exe	34
PID 2848 wrote to memory of 2448	2848	Afpchl32.exe	34
PID 2848 wrote to memory of 2448	2848	Afpchl32.exe	34
PID 2448 wrote to memory of 2816	2448	Aioodg32.exe	35
PID 2448 wrote to memory of 2816	2448	Aioodg32.exe	35
PID 2448 wrote to memory of 2816	2448	Aioodg32.exe	35
PID 2448 wrote to memory of 2816	2448	Aioodg32.exe	35
PID 2816 wrote to memory of 2780	2816	Akmlacdn.exe	36
PID 2816 wrote to memory of 2780	2816	Akmlacdn.exe	36
PID 2816 wrote to memory of 2780	2816	Akmlacdn.exe	36
PID 2816 wrote to memory of 2780	2816	Akmlacdn.exe	36
PID 2780 wrote to memory of 1744	2780	Ankhmncb.exe	37
PID 2780 wrote to memory of 1744	2780	Ankhmncb.exe	37
PID 2780 wrote to memory of 1744	2780	Ankhmncb.exe	37
PID 2780 wrote to memory of 1744	2780	Ankhmncb.exe	37
PID 1744 wrote to memory of 2696	1744	Aialjgbh.exe	38
PID 1744 wrote to memory of 2696	1744	Aialjgbh.exe	38
PID 1744 wrote to memory of 2696	1744	Aialjgbh.exe	38
PID 1744 wrote to memory of 2696	1744	Aialjgbh.exe	38
PID 2696 wrote to memory of 2532	2696	Agdlfd32.exe	39
PID 2696 wrote to memory of 2532	2696	Agdlfd32.exe	39
PID 2696 wrote to memory of 2532	2696	Agdlfd32.exe	39
PID 2696 wrote to memory of 2532	2696	Agdlfd32.exe	39
PID 2532 wrote to memory of 2012	2532	Anndbnao.exe	40
PID 2532 wrote to memory of 2012	2532	Anndbnao.exe	40
PID 2532 wrote to memory of 2012	2532	Anndbnao.exe	40
PID 2532 wrote to memory of 2012	2532	Anndbnao.exe	40
PID 2012 wrote to memory of 1328	2012	Aalaoipc.exe	41
PID 2012 wrote to memory of 1328	2012	Aalaoipc.exe	41
PID 2012 wrote to memory of 1328	2012	Aalaoipc.exe	41
PID 2012 wrote to memory of 1328	2012	Aalaoipc.exe	41
PID 1328 wrote to memory of 1664	1328	Aicipgqe.exe	42
PID 1328 wrote to memory of 1664	1328	Aicipgqe.exe	42
PID 1328 wrote to memory of 1664	1328	Aicipgqe.exe	42
PID 1328 wrote to memory of 1664	1328	Aicipgqe.exe	42
PID 1664 wrote to memory of 1728	1664	Akbelbpi.exe	43
PID 1664 wrote to memory of 1728	1664	Akbelbpi.exe	43
PID 1664 wrote to memory of 1728	1664	Akbelbpi.exe	43
PID 1664 wrote to memory of 1728	1664	Akbelbpi.exe	43
PID 1728 wrote to memory of 448	1728	Anpahn32.exe	44
PID 1728 wrote to memory of 448	1728	Anpahn32.exe	44
PID 1728 wrote to memory of 448	1728	Anpahn32.exe	44
PID 1728 wrote to memory of 448	1728	Anpahn32.exe	44
PID 448 wrote to memory of 2196	448	Aaondi32.exe	45
PID 448 wrote to memory of 2196	448	Aaondi32.exe	45
PID 448 wrote to memory of 2196	448	Aaondi32.exe	45
PID 448 wrote to memory of 2196	448	Aaondi32.exe	45

C:\Users\Admin\AppData\Local\Temp\01e632411a8608598df26d05862aff40N.exe
"C:\Users\Admin\AppData\Local\Temp\01e632411a8608598df26d05862aff40N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:628
- C:\Windows\SysWOW64\Amebjgai.exe
  C:\Windows\system32\Amebjgai.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1148
- - C:\Windows\SysWOW64\Acpjga32.exe
    C:\Windows\system32\Acpjga32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Windows\SysWOW64\Aofklbnj.exe
      C:\Windows\system32\Aofklbnj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:580
    - - C:\Windows\SysWOW64\Afpchl32.exe
        
        C:\Windows\system32\Afpchl32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2848
      - C:\Windows\SysWOW64\Aioodg32.exe
        
        C:\Windows\system32\Aioodg32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\SysWOW64\Akmlacdn.exe
        
        C:\Windows\system32\Akmlacdn.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\Ankhmncb.exe
        
        C:\Windows\system32\Ankhmncb.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\SysWOW64\Aialjgbh.exe
        
        C:\Windows\system32\Aialjgbh.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\SysWOW64\Agdlfd32.exe
        
        C:\Windows\system32\Agdlfd32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\SysWOW64\Anndbnao.exe
        
        C:\Windows\system32\Anndbnao.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\SysWOW64\Aalaoipc.exe
        
        C:\Windows\system32\Aalaoipc.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\Aicipgqe.exe
        
        C:\Windows\system32\Aicipgqe.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1328
        
        C:\Windows\SysWOW64\Akbelbpi.exe
        
        C:\Windows\system32\Akbelbpi.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\SysWOW64\Anpahn32.exe
        
        C:\Windows\system32\Anpahn32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\SysWOW64\Aaondi32.exe
        
        C:\Windows\system32\Aaondi32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\SysWOW64\Bcmjpd32.exe
        
        C:\Windows\system32\Bcmjpd32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2196
        
        C:\Windows\SysWOW64\Bkdbab32.exe
        
        C:\Windows\system32\Bkdbab32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Bjgbmoda.exe
        
        C:\Windows\system32\Bjgbmoda.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:876
        
        C:\Windows\SysWOW64\Bmenijcd.exe
        
        C:\Windows\system32\Bmenijcd.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2484 -s 140
        21⤵
        Loads dropped DLL
        Program crash
        
        PID:1300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aalaoipc.exe

Filesize
128KB

MD5
5ce1a49d6a4001373bee40fcd5ada76d

SHA1
0648256075c6e914c88072a9bec3fa356f75b5cd

SHA256
fbd1219f1c323e6868f0d9d0191e341eea6b2b5c26cb585d62c345ba8c227afc

SHA512
c1aeb124d456400549d66ba549887b693515a09e68199231967aa8d67df36488fc319f53bd46a14f028ac2209d7cea3179a007aa641a4a0c13395ddf53d0f1b4

Download Submit
C:\Windows\SysWOW64\Aaondi32.exe

Filesize
128KB

MD5
8320e594d187c6902dd7a95014b45667

SHA1
af360b440fdab71845cf60789701cf909f03c96f

SHA256
242e2ec00eb4fef747037127060d0bc1dd871c7e6239e186a52e438564fa6b57

SHA512
3a9dd2678f3a263c4ac8fb9337f659bd2ea5ebef366f70b548bd164c2821c66fa3a5f29637cf5f93c0d8313cc1e10a8c93d9bb505f2ca1be8b0df3a4e3060e4d

Download Submit
C:\Windows\SysWOW64\Acpjga32.exe

Filesize
128KB

MD5
924eeaab6a1b301bcd03ac0e738c0d5a

SHA1
efdf6d6d96c38a2368354e2c0aea62b30452d58b

SHA256
c6b6141e55ab6a51d0feb93d816fdef81d766af32daf416beadc1751e8cf774a

SHA512
55ab6e5b055ce2c7d9311b24a46e587da95a2fbfbf347cdc00cab4c9401a051e3cedadf451355497efcfa30b9c23ae50f6ca132c8cf566668e3c424ce2b46b36

Download Submit
C:\Windows\SysWOW64\Aicipgqe.exe

Filesize
128KB

MD5
bd58a527d34957e6567721d095bb16a3

SHA1
25f26b5b2ff5faa6427d3880c3c914e9af2e6bc6

SHA256
da30db79065f243494319238278805ccc192b5645606b0be97ffee89b27445b0

SHA512
515863914c489961e5896a857bb45d19a7e01d90c4e5be63e18e5734dc3b189bd97333a9180d781c237eba9b9050992156cc9909b9a3d218854a8f9e9d3e4f56

Download Submit
C:\Windows\SysWOW64\Aioodg32.exe

Filesize
128KB

MD5
ef91f0e734d346c1d5b094febc1b61be

SHA1
ec82aa1b6f92ead5ba66c84d119519fb95f2a24d

SHA256
4fe2393131521b88c6bc726e8808fc22cc61147808884bf4f76f5a60055281bb

SHA512
167f5f874bbcdf935beac30a0ca5df4d55364172e7501142babe0f1b9d4aae6505165f2f3453c6ca7e3e5ce5ecdf46c172777885aaac7bf8a08a13952ee4888d

Download Submit
C:\Windows\SysWOW64\Akbelbpi.exe

Filesize
128KB

MD5
765815a62f60b260d38f7b22b5b0f788

SHA1
90be75258ae9fe91bc6beb76e65bdd7cf384e8d8

SHA256
29dfef238468489bd250f6f497c87ddd0b33483fc696d62eca307a40ffe1f08b

SHA512
449ac1cc5efff28ef6115f8b800362ae523c43a0f7e6e3be3165f43eb6a7beed124d116a6a429e69ed05765ec9392431b2ee95089b9efe48859851002e4d97dc

Download Submit
C:\Windows\SysWOW64\Akmlacdn.exe

Filesize
128KB

MD5
b7dc3156c4f178c08473f541a55c4c54

SHA1
f7892e7b454f4c129ffbab2ba751c198ad36338d

SHA256
381b2363fd2936c42045d6ccb758c1935415cd9e601e1fa35c5b50d678515b3d

SHA512
cfb1797bcc15bcf8575dd5400131e0d295d14d5bb0eaf4db7202750d2f705c24dede54660677177c5ea7bdf31b1e20411611488d3f4fab844ae49ee3283ca6ce

Download Submit
C:\Windows\SysWOW64\Amebjgai.exe

Filesize
128KB

MD5
68503ca4cc7f7c49dd331dc730e7c715

SHA1
6733b20345ca5abe9d6d30bd2616d03ae8894496

SHA256
3a8a921eb6c3950f33c5c29d139d1cb1d97d45ed48a0c30da0786ebc2756856d

SHA512
e6fbbf9ed5d7a13c309c9dcbc6666e25a0e3d1d7b3427a1d60031c3a535b0e36bf3d687ca30c578b703da6ed2c189b7af9db8bee73c4f6f2cc2d452c9eab0f0b

Download Submit
C:\Windows\SysWOW64\Ankhmncb.exe

Filesize
128KB

MD5
98798a7e06e292772952dd0a67f06ada

SHA1
84cdebcd3b7ee80c2512de73416dcb5e10880a6b

SHA256
b5295453809b8073d9aca7040f322b2c32ad2ca39f0914ceb0dc8fbf23a0e786

SHA512
44cc5c4a80467b4b6d7cae5cd7474f744b4b6ddf2de72901711cfa211a8218013c6d1c63e15ebe2baca6ef7252e192be77e0988582e12c168a5d8be669adeb65

Download Submit
C:\Windows\SysWOW64\Anndbnao.exe

Filesize
128KB

MD5
1b2c85907c84e19eeb59ca3cf2d06e65

SHA1
2570b715c0154e1e2b14dca181af2debd9270b7e

SHA256
5dd046ce1aa9d30a4140822ad99a57c63421a4f47b5bec1705280c4c54a63d55

SHA512
d918c3b0a637241237ae4d18d55c90188e29d3ca66d7f364e6c2177b2a670cd5f88536640383343ec53eb0f9524b310feb832b0a8d8b092cc32371a450d17478

Download Submit
C:\Windows\SysWOW64\Anpahn32.exe

Filesize
128KB

MD5
9f1fef2d42f82ef6215212731dca45ff

SHA1
fd9a5ff407a91b8d541cf441beee06a20e3cdccc

SHA256
afe0b54cdf94ae8fbb683e4d3c013989584710414b40b116dcf0462de481a974

SHA512
528d36b84b452d99e7b958ec6e1c901ab503dc9fb0866512c58fc99e8778dfa925fd9c7d4c24727ec34ef0e409dd30d92495f81af0c7b5356647f45068075a0b

Download Submit
C:\Windows\SysWOW64\Bcmjpd32.exe

Filesize
128KB

MD5
f1b7aa3ab4dea028428d68a11cbf7ff4

SHA1
77279ba0aab8c32912cdadfc8099fbd61751e112

SHA256
f4704b7ce363b71fb2674b26d8c41c8d239d6de8bedc4558faa1e850d676f3eb

SHA512
03d23c8af68506da113bbb9caeb5ba0c35cebbf43c2cecb6d2261ac0becc4c95edbefc84af6c2b9daf38e8346b728a18a789870e835525ebf871dad7bba0b828

Download Submit
C:\Windows\SysWOW64\Bjgbmoda.exe

Filesize
128KB

MD5
7b35a821ddda643a20d4d62890d6a483

SHA1
6ec23b0dd949f933a2232c03472098c649ed9561

SHA256
25c7901cc13a7b44f65e86fa738c55539dd31670f293ea2970fdb1fdc39c1074

SHA512
81758c76efeda5d7b9b71d7fb0194d463fc0dcd739e059935fdd27a3b609ad4236b3754aed584e25d7d0cea34ac357fa6a8c0dba2152cb8d2abd2883fce2fe2b

Download Submit
C:\Windows\SysWOW64\Bkdbab32.exe

Filesize
128KB

MD5
07bde885e7c9ffd09441a50ebfff3c23

SHA1
9f23e398e8ae2ff192482aa11011ade89f30ec1e

SHA256
27a08472ac28bafbc94b74145e20d744e0fc8af5ca066fb62b2805b538fe1b09

SHA512
81fc891eaa1121015e250661640de68e3bfc068a5f4bfb72a2fa865846f03f9cbde1a68a38e81995ce3650235bd78ef05d0bbfdf15a10feda5adcd305503a6f3

Download Submit
C:\Windows\SysWOW64\Bmenijcd.exe

Filesize
128KB

MD5
ab90118c78c1af0c34734ac07a6954f3

SHA1
161d4c1a10a3a14767337d8c3cc44073f1a21072

SHA256
ac913587d0f58c919724df1c68e3c975b0782da78196a73606711bc75d987025

SHA512
f925c1ae32fea62c92bd8506a12a429e9093146869e3018688b4c8287094b15ccf99bfc5aa1de741ec857dada6d5bfacee1e789543090e20f5c30b3d2fbb9ddc

Download Submit
\Windows\SysWOW64\Afpchl32.exe

Filesize
128KB

MD5
607abfae52589e6ba8c18e3db26398ef

SHA1
973e9ab8ec1e465adc5c456976c107790787675a

SHA256
c80a5f452b6cf433bb4924fa109e850045269bf6b3b8d2ef721a02c2c03b8bc6

SHA512
489b5d6abebc47ea5741e93dd66cf5b02fe98cf8fa439f89e723ed3b6c6271a14d05919b5194c0a6d9be9e769ebb4018bef3b934d3b5e3c7872cbf9fdc2d2ad2

Download Submit
\Windows\SysWOW64\Agdlfd32.exe

Filesize
128KB

MD5
6736061eb9f02110162d001d152bbc8f

SHA1
e0d473d933c78f30c4ff85964ec22c42134b899b

SHA256
b88c053cbcfe5f78ddca5137d4f4b8d694b7156e0846ce949edc21671e11e3c0

SHA512
e98e1bbcbb5b4b127475bb1494696c2f2dad483968974c660d0276847d41eac22817317bb33815fbb7426332108c6854f6eb3df51cbbee9ad2d294cd231685f7

Download Submit
\Windows\SysWOW64\Aialjgbh.exe

Filesize
128KB

MD5
ee2efa6858b9fdd081089c09ad3f4d28

SHA1
cc30d0140c8fff3494b880ee0a7136754bbb7118

SHA256
e22880a03aa62eda4580d36b62f6c349cd1421366b5fb2fc9e1c10fa87895968

SHA512
bb9b6e52d862cf82c750e0990f2a2bcb904d5cfb0329a55463077cb01ffcd55324833f7c27da2cf770d3ac4de4a3cdaec87434ae75a7f25244210436e33f1ed0

Download Submit
\Windows\SysWOW64\Aofklbnj.exe

Filesize
128KB

MD5
1890ebbb92d203c0f9b4144844468ec9

SHA1
0746e6864c392de82406117b31580acf49f7be83

SHA256
f085c0a6fb789e552a3c139664a85732f6816dd638f523b7e1eed410031bc88e

SHA512
5ef528a5c7152da319ae78bf4174b51a2180272be8cbec3c37bd4962ceedf39dba577c58af2c5991ec393f679b04f1ee7d8c5d509d94cb6139b2921e5379c6c4

Download Submit
memory/448-259-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/580-54-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/580-247-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/628-245-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/628-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/628-19-0x0000000000290000-0x00000000002CE000-memory.dmp

Filesize
248KB

Download
memory/628-15-0x0000000000290000-0x00000000002CE000-memory.dmp

Filesize
248KB

Download
memory/876-235-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/876-262-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/876-241-0x0000000000290000-0x00000000002CE000-memory.dmp

Filesize
248KB

Download
memory/1148-26-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1148-21-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1328-256-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1328-161-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1664-257-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1664-174-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1728-258-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1728-195-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1728-187-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1744-107-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1744-119-0x0000000000270000-0x00000000002AE000-memory.dmp

Filesize
248KB

Download
memory/1744-252-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1864-234-0x0000000001F60000-0x0000000001F9E000-memory.dmp

Filesize
248KB

Download
memory/1864-225-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1864-261-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2012-147-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2012-159-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2012-255-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2196-224-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2196-213-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2196-220-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2196-260-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2448-249-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2448-68-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2484-263-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2532-141-0x0000000000300000-0x000000000033E000-memory.dmp

Filesize
248KB

Download
memory/2532-254-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2696-133-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/2696-253-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2780-251-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2792-35-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2792-246-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2792-28-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2816-93-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/2816-81-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2816-250-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2848-248-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2848-62-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads