30ccff85f39290bc0d6b987fa4697859f9dbf5f136f8f0f52bf9fcbeb24d7c16

Analysis

max time kernel
141s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
07/09/2024, 12:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

virussign.com_a7afddf1b873c08b40039e4e0c4a8e50.exe
Size

194KB
MD5

a7afddf1b873c08b40039e4e0c4a8e50
SHA1

c33eb6db431b27ece8a714024780190ef53d3461
SHA256

30ccff85f39290bc0d6b987fa4697859f9dbf5f136f8f0f52bf9fcbeb24d7c16
SHA512

373c7b5b4e1990689688990cb4170cf3609fac5d4014a90fe4dbc8fbb3610be1067dc2f950ccb94b4a0c259879125dea35f70bfba5173cb1eaf96ec0488162ff
SSDEEP

6144:K/PqKDPSdSfUNRbCeKpNYxWlJ7mkD6pNY:KnqKD

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Alhmjbhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afkdakjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajecmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhajdblk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balkchpi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baohhgnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amqccfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkglameg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beejng32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkbam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biafnecn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkglameg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfpnmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apoooa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afkdakjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bilmcf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhajdblk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blobjaba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmeimhdj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	virussign.com_a7afddf1b873c08b40039e4e0c4a8e50.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bonoflae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cilibi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajgpbj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfpnmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpfeppop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amcpie32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpfeppop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdmddc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agfgqo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alhmjbhj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdoajb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apoooa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amcpie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acpdko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baohhgnf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agfgqo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afnagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afnagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	virussign.com_a7afddf1b873c08b40039e4e0c4a8e50.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beejng32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boplllob.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajgpbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkbam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bonoflae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balkchpi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Behgcf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amqccfed.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bilmcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Biafnecn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajecmj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acpdko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmeimhdj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apalea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjdplm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apalea32.exe

Executes dropped EXE 32 IoCs

pid	Process
2716	Amqccfed.exe
2780	Apoooa32.exe
2760	Agfgqo32.exe
2008	Ajecmj32.exe
528	Amcpie32.exe
1516	Apalea32.exe
2284	Afkdakjb.exe
2096	Ajgpbj32.exe
1424	Alhmjbhj.exe
1824	Acpdko32.exe
2676	Afnagk32.exe
2056	Bilmcf32.exe
1948	Bpfeppop.exe
2388	Bfpnmj32.exe
2460	Bhajdblk.exe
1808	Bnkbam32.exe
2320	Beejng32.exe
2192	Biafnecn.exe
1528	Blobjaba.exe
2136	Bonoflae.exe
636	Balkchpi.exe
2940	Behgcf32.exe
2116	Bjdplm32.exe
2528	Boplllob.exe
888	Baohhgnf.exe
2300	Bdmddc32.exe
1860	Bkglameg.exe
2892	Bmeimhdj.exe
1120	Cdoajb32.exe
1296	Cfnmfn32.exe
2296	Cilibi32.exe
1316	Cacacg32.exe

Loads dropped DLL 64 IoCs

pid	Process
2824	virussign.com_a7afddf1b873c08b40039e4e0c4a8e50.exe
2824	virussign.com_a7afddf1b873c08b40039e4e0c4a8e50.exe
2716	Amqccfed.exe
2716	Amqccfed.exe
2780	Apoooa32.exe
2780	Apoooa32.exe
2760	Agfgqo32.exe
2760	Agfgqo32.exe
2008	Ajecmj32.exe
2008	Ajecmj32.exe
528	Amcpie32.exe
528	Amcpie32.exe
1516	Apalea32.exe
1516	Apalea32.exe
2284	Afkdakjb.exe
2284	Afkdakjb.exe
2096	Ajgpbj32.exe
2096	Ajgpbj32.exe
1424	Alhmjbhj.exe
1424	Alhmjbhj.exe
1824	Acpdko32.exe
1824	Acpdko32.exe
2676	Afnagk32.exe
2676	Afnagk32.exe
2056	Bilmcf32.exe
2056	Bilmcf32.exe
1948	Bpfeppop.exe
1948	Bpfeppop.exe
2388	Bfpnmj32.exe
2388	Bfpnmj32.exe
2460	Bhajdblk.exe
2460	Bhajdblk.exe
1808	Bnkbam32.exe
1808	Bnkbam32.exe
2320	Beejng32.exe
2320	Beejng32.exe
2192	Biafnecn.exe
2192	Biafnecn.exe
1528	Blobjaba.exe
1528	Blobjaba.exe
2136	Bonoflae.exe
2136	Bonoflae.exe
636	Balkchpi.exe
636	Balkchpi.exe
2940	Behgcf32.exe
2940	Behgcf32.exe
2116	Bjdplm32.exe
2116	Bjdplm32.exe
2528	Boplllob.exe
2528	Boplllob.exe
888	Baohhgnf.exe
888	Baohhgnf.exe
2300	Bdmddc32.exe
2300	Bdmddc32.exe
1860	Bkglameg.exe
1860	Bkglameg.exe
2892	Bmeimhdj.exe
2892	Bmeimhdj.exe
1120	Cdoajb32.exe
1120	Cdoajb32.exe
1296	Cfnmfn32.exe
1296	Cfnmfn32.exe
2296	Cilibi32.exe
2296	Cilibi32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mgjcep32.dll	Acpdko32.exe
File opened for modification	C:\Windows\SysWOW64\Bilmcf32.exe	Afnagk32.exe
File created	C:\Windows\SysWOW64\Bjdplm32.exe	Behgcf32.exe
File created	C:\Windows\SysWOW64\Dnabbkhk.dll	Bmeimhdj.exe
File opened for modification	C:\Windows\SysWOW64\Blobjaba.exe	Biafnecn.exe
File created	C:\Windows\SysWOW64\Bonoflae.exe	Blobjaba.exe
File opened for modification	C:\Windows\SysWOW64\Amqccfed.exe	virussign.com_a7afddf1b873c08b40039e4e0c4a8e50.exe
File created	C:\Windows\SysWOW64\Apoooa32.exe	Amqccfed.exe
File created	C:\Windows\SysWOW64\Mbkbki32.dll	Apoooa32.exe
File opened for modification	C:\Windows\SysWOW64\Amcpie32.exe	Ajecmj32.exe
File opened for modification	C:\Windows\SysWOW64\Bpfeppop.exe	Bilmcf32.exe
File created	C:\Windows\SysWOW64\Cifmcd32.dll	Bfpnmj32.exe
File opened for modification	C:\Windows\SysWOW64\Boplllob.exe	Bjdplm32.exe
File created	C:\Windows\SysWOW64\Cilibi32.exe	Cfnmfn32.exe
File opened for modification	C:\Windows\SysWOW64\Bmeimhdj.exe	Bkglameg.exe
File created	C:\Windows\SysWOW64\Cdoajb32.exe	Bmeimhdj.exe
File created	C:\Windows\SysWOW64\Fekagf32.dll	Agfgqo32.exe
File created	C:\Windows\SysWOW64\Oilpcd32.dll	Ajecmj32.exe
File created	C:\Windows\SysWOW64\Afkdakjb.exe	Apalea32.exe
File created	C:\Windows\SysWOW64\Ecjdib32.dll	Alhmjbhj.exe
File created	C:\Windows\SysWOW64\Bhajdblk.exe	Bfpnmj32.exe
File created	C:\Windows\SysWOW64\Boplllob.exe	Bjdplm32.exe
File created	C:\Windows\SysWOW64\Cacacg32.exe	Cilibi32.exe
File created	C:\Windows\SysWOW64\Lmmlmd32.dll	Apalea32.exe
File created	C:\Windows\SysWOW64\Jhgkeald.dll	Bpfeppop.exe
File created	C:\Windows\SysWOW64\Nfolbbmp.dll	Boplllob.exe
File created	C:\Windows\SysWOW64\Mdqfkmom.dll	Bdmddc32.exe
File created	C:\Windows\SysWOW64\Amqccfed.exe	virussign.com_a7afddf1b873c08b40039e4e0c4a8e50.exe
File created	C:\Windows\SysWOW64\Ajgpbj32.exe	Afkdakjb.exe
File opened for modification	C:\Windows\SysWOW64\Ajgpbj32.exe	Afkdakjb.exe
File created	C:\Windows\SysWOW64\Nodmbemj.dll	Bhajdblk.exe
File opened for modification	C:\Windows\SysWOW64\Biafnecn.exe	Beejng32.exe
File created	C:\Windows\SysWOW64\Blobjaba.exe	Biafnecn.exe
File opened for modification	C:\Windows\SysWOW64\Beejng32.exe	Bnkbam32.exe
File created	C:\Windows\SysWOW64\Deokbacp.dll	Beejng32.exe
File created	C:\Windows\SysWOW64\Ihmnkh32.dll	Biafnecn.exe
File opened for modification	C:\Windows\SysWOW64\Balkchpi.exe	Bonoflae.exe
File opened for modification	C:\Windows\SysWOW64\Cfnmfn32.exe	Cdoajb32.exe
File created	C:\Windows\SysWOW64\Beejng32.exe	Bnkbam32.exe
File created	C:\Windows\SysWOW64\Baohhgnf.exe	Boplllob.exe
File created	C:\Windows\SysWOW64\Alhmjbhj.exe	Ajgpbj32.exe
File opened for modification	C:\Windows\SysWOW64\Alhmjbhj.exe	Ajgpbj32.exe
File created	C:\Windows\SysWOW64\Bilmcf32.exe	Afnagk32.exe
File created	C:\Windows\SysWOW64\Lgahjhop.dll	Afnagk32.exe
File created	C:\Windows\SysWOW64\Bfpnmj32.exe	Bpfeppop.exe
File opened for modification	C:\Windows\SysWOW64\Bfpnmj32.exe	Bpfeppop.exe
File opened for modification	C:\Windows\SysWOW64\Bdmddc32.exe	Baohhgnf.exe
File created	C:\Windows\SysWOW64\Bmeimhdj.exe	Bkglameg.exe
File opened for modification	C:\Windows\SysWOW64\Bkglameg.exe	Bdmddc32.exe
File created	C:\Windows\SysWOW64\Oimbjlde.dll	Bkglameg.exe
File opened for modification	C:\Windows\SysWOW64\Afnagk32.exe	Acpdko32.exe
File created	C:\Windows\SysWOW64\Bnkbam32.exe	Bhajdblk.exe
File created	C:\Windows\SysWOW64\Eoqbnm32.dll	Bnkbam32.exe
File created	C:\Windows\SysWOW64\Behgcf32.exe	Balkchpi.exe
File created	C:\Windows\SysWOW64\Dhnook32.dll	Balkchpi.exe
File created	C:\Windows\SysWOW64\Liggabfp.dll	Bjdplm32.exe
File opened for modification	C:\Windows\SysWOW64\Ajecmj32.exe	Agfgqo32.exe
File created	C:\Windows\SysWOW64\Apalea32.exe	Amcpie32.exe
File opened for modification	C:\Windows\SysWOW64\Apalea32.exe	Amcpie32.exe
File created	C:\Windows\SysWOW64\Acpdko32.exe	Alhmjbhj.exe
File created	C:\Windows\SysWOW64\Afnagk32.exe	Acpdko32.exe
File created	C:\Windows\SysWOW64\Qofpoogh.dll	virussign.com_a7afddf1b873c08b40039e4e0c4a8e50.exe
File created	C:\Windows\SysWOW64\Agfgqo32.exe	Apoooa32.exe
File created	C:\Windows\SysWOW64\Hbappj32.dll	Amcpie32.exe

Program crash 1 IoCs

pid	pid_target	Process
832	1316	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agfgqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apalea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alhmjbhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afnagk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beejng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdmddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amqccfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apoooa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blobjaba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajecmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfpnmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkbam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boplllob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baohhgnf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacacg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	virussign.com_a7afddf1b873c08b40039e4e0c4a8e50.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acpdko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhajdblk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biafnecn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmeimhdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amcpie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajgpbj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bilmcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Behgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkglameg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfnmfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bonoflae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balkchpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdplm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cilibi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afkdakjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpfeppop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdoajb32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agfgqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Balkchpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hocjoqin.dll"	Bonoflae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkglameg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpcopobi.dll"	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbappj32.dll"	Amcpie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnkbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnkbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjnolikh.dll"	Baohhgnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agfgqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Alhmjbhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhgkeald.dll"	Bpfeppop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjdplm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	virussign.com_a7afddf1b873c08b40039e4e0c4a8e50.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmlmd32.dll"	Apalea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bilmcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bonoflae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Koldhi32.dll"	Ajgpbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajgpbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beejng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajecmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deokbacp.dll"	Beejng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Balkchpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cifmcd32.dll"	Bfpnmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	virussign.com_a7afddf1b873c08b40039e4e0c4a8e50.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhajdblk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdqfkmom.dll"	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qofpoogh.dll"	virussign.com_a7afddf1b873c08b40039e4e0c4a8e50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amqccfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll"	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoqbnm32.dll"	Bnkbam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apalea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mabanhgg.dll"	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oilpcd32.dll"	Ajecmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afkdakjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afnagk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhajdblk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apoooa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgahjhop.dll"	Afnagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Biafnecn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnabbkhk.dll"	Bmeimhdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cilibi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	virussign.com_a7afddf1b873c08b40039e4e0c4a8e50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amcpie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfpnmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amqccfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpfeppop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acpdko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bonoflae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbkbki32.dll"	Apoooa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fekagf32.dll"	Agfgqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acpdko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beejng32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 2716	2824	virussign.com_a7afddf1b873c08b40039e4e0c4a8e50.exe	30
PID 2824 wrote to memory of 2716	2824	virussign.com_a7afddf1b873c08b40039e4e0c4a8e50.exe	30
PID 2824 wrote to memory of 2716	2824	virussign.com_a7afddf1b873c08b40039e4e0c4a8e50.exe	30
PID 2824 wrote to memory of 2716	2824	virussign.com_a7afddf1b873c08b40039e4e0c4a8e50.exe	30
PID 2716 wrote to memory of 2780	2716	Amqccfed.exe	31
PID 2716 wrote to memory of 2780	2716	Amqccfed.exe	31
PID 2716 wrote to memory of 2780	2716	Amqccfed.exe	31
PID 2716 wrote to memory of 2780	2716	Amqccfed.exe	31
PID 2780 wrote to memory of 2760	2780	Apoooa32.exe	32
PID 2780 wrote to memory of 2760	2780	Apoooa32.exe	32
PID 2780 wrote to memory of 2760	2780	Apoooa32.exe	32
PID 2780 wrote to memory of 2760	2780	Apoooa32.exe	32
PID 2760 wrote to memory of 2008	2760	Agfgqo32.exe	33
PID 2760 wrote to memory of 2008	2760	Agfgqo32.exe	33
PID 2760 wrote to memory of 2008	2760	Agfgqo32.exe	33
PID 2760 wrote to memory of 2008	2760	Agfgqo32.exe	33
PID 2008 wrote to memory of 528	2008	Ajecmj32.exe	34
PID 2008 wrote to memory of 528	2008	Ajecmj32.exe	34
PID 2008 wrote to memory of 528	2008	Ajecmj32.exe	34
PID 2008 wrote to memory of 528	2008	Ajecmj32.exe	34
PID 528 wrote to memory of 1516	528	Amcpie32.exe	35
PID 528 wrote to memory of 1516	528	Amcpie32.exe	35
PID 528 wrote to memory of 1516	528	Amcpie32.exe	35
PID 528 wrote to memory of 1516	528	Amcpie32.exe	35
PID 1516 wrote to memory of 2284	1516	Apalea32.exe	36
PID 1516 wrote to memory of 2284	1516	Apalea32.exe	36
PID 1516 wrote to memory of 2284	1516	Apalea32.exe	36
PID 1516 wrote to memory of 2284	1516	Apalea32.exe	36
PID 2284 wrote to memory of 2096	2284	Afkdakjb.exe	37
PID 2284 wrote to memory of 2096	2284	Afkdakjb.exe	37
PID 2284 wrote to memory of 2096	2284	Afkdakjb.exe	37
PID 2284 wrote to memory of 2096	2284	Afkdakjb.exe	37
PID 2096 wrote to memory of 1424	2096	Ajgpbj32.exe	38
PID 2096 wrote to memory of 1424	2096	Ajgpbj32.exe	38
PID 2096 wrote to memory of 1424	2096	Ajgpbj32.exe	38
PID 2096 wrote to memory of 1424	2096	Ajgpbj32.exe	38
PID 1424 wrote to memory of 1824	1424	Alhmjbhj.exe	39
PID 1424 wrote to memory of 1824	1424	Alhmjbhj.exe	39
PID 1424 wrote to memory of 1824	1424	Alhmjbhj.exe	39
PID 1424 wrote to memory of 1824	1424	Alhmjbhj.exe	39
PID 1824 wrote to memory of 2676	1824	Acpdko32.exe	40
PID 1824 wrote to memory of 2676	1824	Acpdko32.exe	40
PID 1824 wrote to memory of 2676	1824	Acpdko32.exe	40
PID 1824 wrote to memory of 2676	1824	Acpdko32.exe	40
PID 2676 wrote to memory of 2056	2676	Afnagk32.exe	41
PID 2676 wrote to memory of 2056	2676	Afnagk32.exe	41
PID 2676 wrote to memory of 2056	2676	Afnagk32.exe	41
PID 2676 wrote to memory of 2056	2676	Afnagk32.exe	41
PID 2056 wrote to memory of 1948	2056	Bilmcf32.exe	42
PID 2056 wrote to memory of 1948	2056	Bilmcf32.exe	42
PID 2056 wrote to memory of 1948	2056	Bilmcf32.exe	42
PID 2056 wrote to memory of 1948	2056	Bilmcf32.exe	42
PID 1948 wrote to memory of 2388	1948	Bpfeppop.exe	43
PID 1948 wrote to memory of 2388	1948	Bpfeppop.exe	43
PID 1948 wrote to memory of 2388	1948	Bpfeppop.exe	43
PID 1948 wrote to memory of 2388	1948	Bpfeppop.exe	43
PID 2388 wrote to memory of 2460	2388	Bfpnmj32.exe	44
PID 2388 wrote to memory of 2460	2388	Bfpnmj32.exe	44
PID 2388 wrote to memory of 2460	2388	Bfpnmj32.exe	44
PID 2388 wrote to memory of 2460	2388	Bfpnmj32.exe	44
PID 2460 wrote to memory of 1808	2460	Bhajdblk.exe	45
PID 2460 wrote to memory of 1808	2460	Bhajdblk.exe	45
PID 2460 wrote to memory of 1808	2460	Bhajdblk.exe	45
PID 2460 wrote to memory of 1808	2460	Bhajdblk.exe	45

C:\Users\Admin\AppData\Local\Temp\virussign.com_a7afddf1b873c08b40039e4e0c4a8e50.exe
"C:\Users\Admin\AppData\Local\Temp\virussign.com_a7afddf1b873c08b40039e4e0c4a8e50.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Windows\SysWOW64\Amqccfed.exe
  C:\Windows\system32\Amqccfed.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\SysWOW64\Apoooa32.exe
    C:\Windows\system32\Apoooa32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Windows\SysWOW64\Agfgqo32.exe
      C:\Windows\system32\Agfgqo32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\Windows\SysWOW64\Ajecmj32.exe
        
        C:\Windows\system32\Ajecmj32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2008
      - C:\Windows\SysWOW64\Amcpie32.exe
        
        C:\Windows\system32\Amcpie32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:528
        
        C:\Windows\SysWOW64\Apalea32.exe
        
        C:\Windows\system32\Apalea32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\Afkdakjb.exe
        
        C:\Windows\system32\Afkdakjb.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\SysWOW64\Ajgpbj32.exe
        
        C:\Windows\system32\Ajgpbj32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\SysWOW64\Alhmjbhj.exe
        
        C:\Windows\system32\Alhmjbhj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Windows\SysWOW64\Acpdko32.exe
        
        C:\Windows\system32\Acpdko32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\SysWOW64\Afnagk32.exe
        
        C:\Windows\system32\Afnagk32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\SysWOW64\Bilmcf32.exe
        
        C:\Windows\system32\Bilmcf32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\SysWOW64\Bpfeppop.exe
        
        C:\Windows\system32\Bpfeppop.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\SysWOW64\Bfpnmj32.exe
        
        C:\Windows\system32\Bfpnmj32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\Bhajdblk.exe
        
        C:\Windows\system32\Bhajdblk.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\SysWOW64\Bnkbam32.exe
        
        C:\Windows\system32\Bnkbam32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1808
        
        C:\Windows\SysWOW64\Beejng32.exe
        
        C:\Windows\system32\Beejng32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Biafnecn.exe
        
        C:\Windows\system32\Biafnecn.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2192
        
        C:\Windows\SysWOW64\Blobjaba.exe
        
        C:\Windows\system32\Blobjaba.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Bonoflae.exe
        
        C:\Windows\system32\Bonoflae.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2136
        
        C:\Windows\SysWOW64\Balkchpi.exe
        
        C:\Windows\system32\Balkchpi.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:636
        
        C:\Windows\SysWOW64\Behgcf32.exe
        
        C:\Windows\system32\Behgcf32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Bjdplm32.exe
        
        C:\Windows\system32\Bjdplm32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2116
        
        C:\Windows\SysWOW64\Boplllob.exe
        
        C:\Windows\system32\Boplllob.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2528
        
        C:\Windows\SysWOW64\Baohhgnf.exe
        
        C:\Windows\system32\Baohhgnf.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:888
        
        C:\Windows\SysWOW64\Bdmddc32.exe
        
        C:\Windows\system32\Bdmddc32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2300
        
        C:\Windows\SysWOW64\Bkglameg.exe
        
        C:\Windows\system32\Bkglameg.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1860
        
        C:\Windows\SysWOW64\Bmeimhdj.exe
        
        C:\Windows\system32\Bmeimhdj.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2892
        
        C:\Windows\SysWOW64\Cdoajb32.exe
        
        C:\Windows\system32\Cdoajb32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1120
        
        C:\Windows\SysWOW64\Cfnmfn32.exe
        
        C:\Windows\system32\Cfnmfn32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1296
        
        C:\Windows\SysWOW64\Cilibi32.exe
        
        C:\Windows\system32\Cilibi32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 140
        34⤵
        Program crash
        
        PID:832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afkdakjb.exe

Filesize
194KB

MD5
b6d00ec26f6f3b9016f7605a3aa438b1

SHA1
86741b0a9ad22d279d88f2a8981af5a9597dbcbd

SHA256
53e05f2932c81733211ac4a9a401e2aec749dccb7159be49da48eb4a752fa248

SHA512
436ef56ee574b064572c67cb9e1698bd9970bb4106732e7ac49faf925e8994a80ebfcca98610f3d731ab9f3f4345fd67df87aac4f5d5a68eb62353f95786d84b

Download Submit
C:\Windows\SysWOW64\Afnagk32.exe

Filesize
194KB

MD5
4210756b500e8eff257b1d44496aa12e

SHA1
1d14ae6471f410b1246f181fcb834aa2a7194324

SHA256
59d41b5b390f3c678221afc4ac8256d8a61c30261ee0283f209e73b49f5dc81b

SHA512
1597e020944f6b029838677d200108853f2eef19b4b253098d669f5c2b633dc695bf72000eaee8459d2ce151a05677fa37fd0dd5b50f881b2d8415057bda6137

Download Submit
C:\Windows\SysWOW64\Agfgqo32.exe

Filesize
194KB

MD5
3331b82a73d6a08838580116abf3edb5

SHA1
5f7972653af17bea381c63a057fb6cc9e1562f87

SHA256
5aa701bb45c824f6b3ed5657cabe0550f25a89417b91fb6347654cb3f03861b0

SHA512
de4989f7b7ebdfc556ebc19cc5d01c3d118fa0f338b1689b9a6c84262545b0858daf712e9f1b8cd2f57e0eccf6938507aca16d26a805c76564b9617ccba9cbe6

Download Submit
C:\Windows\SysWOW64\Ajecmj32.exe

Filesize
194KB

MD5
d97aac108d054fc177d96e3543aa84a8

SHA1
af774f3740fa371c7ced30804bbf4b95736b0be5

SHA256
f267604dad8825ff02be9d1d99df58092f7eb1afd6dcb50ad544c749bba2dc0d

SHA512
e4deece77f92f805c068df3b2b6129e9ddba52ff98108e44c4f62c9603ee839ff256dc3b5a30a22b8f304c3b1662e748555984fcb198c3720cf9aa90e6810615

Download Submit
C:\Windows\SysWOW64\Ajgpbj32.exe

Filesize
194KB

MD5
a15a3e70b84768817ba6c7780710f60b

SHA1
acf7e6f2388da4bd18ed869acee962fcd496e9e2

SHA256
bf3250ebfb47df8807f77f0141ccd8901040f9f566ea0f74efcd4e3be9249174

SHA512
4d467c28e83606f9944482ec017de78719d4fcd1343c954fec940ec4b76f8688d943d38e1233cedb6f185d8be4663acacbc0d8959484755b9fa24b701c1d4b10

Download Submit
C:\Windows\SysWOW64\Alhmjbhj.exe

Filesize
194KB

MD5
aa8d6ae105ff08b7b5f689e54259a7bf

SHA1
295fbe0b41a09d1d3a67069beb2d9930a1d4883e

SHA256
b6a6fe4829914133c876917e32562f50e51a284f31eabb256f45cf3de694eaa2

SHA512
0d271227f8d2d51a8e79d01a6d3a56014f85cb0a3c7b697e49ec15b7e973be1cde364b625571941cb624c01ac4449bd7fa125e5d123ee5d01e405515db7d2b83

Download Submit
C:\Windows\SysWOW64\Amcpie32.exe

Filesize
194KB

MD5
62a321050b6fe013044e57781cc615b7

SHA1
efcf9ce463bfb666ee1ae5ce3a0fb302bd794bbd

SHA256
92b05c79a1d89deafb49b2db77cd71195e263dcdc91b8ac41714d42cb635d216

SHA512
bb441d8c8d279b900174c378022610af9afa1c0f543f4a89818dc24b53cab7905d079548f46abbf63efcde3fe6a22e9291e125278bc59a9a81a2e5c645821bea

Download Submit
C:\Windows\SysWOW64\Amqccfed.exe

Filesize
194KB

MD5
3e3ed4251cadff4eda81a191f6f3fbf9

SHA1
a8c85cfc21a089d4ca9ea1bf62aee2e9bd4d9c8a

SHA256
f9e69be04506b612dfb86c844e1056bb0e2749ca11dbf1a675873dbbbbfe8f9b

SHA512
36f788a06a4eb0cb1c6f9eeceaa6acd94206975a1b10dcd0f0abae330efac00a2094aa7eb36856c99dd536fae703c34d064e8118fd0a92081eb25fd555227e9f

Download Submit
C:\Windows\SysWOW64\Apalea32.exe

Filesize
194KB

MD5
eb727bba0e369a004114092a03b1f197

SHA1
93c61a929970bd4a744457850c428f87ed6ff7c5

SHA256
bccb3fe9da855eaf0d6fecf65cd32b2696d0b813ed1fbdf988f450aa0124b0d6

SHA512
3a6993319757828fb607cfdd861c226ea30fb61d63abdcd6b296db106c3cb9983c522479eee9ad53111e0052eaa452638850a52f75a9d64ff710425082ed00a9

Download Submit
C:\Windows\SysWOW64\Apoooa32.exe

Filesize
194KB

MD5
90349e34f166befebffc3887bacabe01

SHA1
eb0c81d129b4fc8d1bfe74a454ea256048c51a1d

SHA256
28b0f5fb2ee5015c14d766aa7c46f2b6621018bbb866cd6b85a5802e6e788b2a

SHA512
6b41c751c3fd1123c541b80840aee485393417fc4b7b88b067893018bd71ee0a0bafa8973050e75c01630e8740ba76677383c14dd76fde56bf71b7095b1b944b

Download Submit
C:\Windows\SysWOW64\Balkchpi.exe

Filesize
194KB

MD5
2adaefe0544924ba2874f7ffd5fa071b

SHA1
d73d717e06eef34c1b0162f7c4f9107221f9e1a7

SHA256
20e7b02b38740349252415cdc168998ee77a76aa6471cfc365318db6247f81f4

SHA512
7ac5c187eea57b1d0f42bfa419857db35455c0d23d75a17f7735096ba0dd8bd87b9d64773870b919ae76076acad4acc95ea045159c776aaf6526079173cab519

Download Submit
C:\Windows\SysWOW64\Baohhgnf.exe

Filesize
194KB

MD5
5e22a135647307247fe3878bf9957495

SHA1
b6351405efa91b2ebab3a801e602cb9177b294e7

SHA256
74998443e11b5a427369aeacc175fd12d72334c43c6407bfabdc64e8fa895157

SHA512
44e08524a520554acc61dd21fa6202ad11f7d07e4d0c2cd5fd6f220031806e4143c2eb6f68d83db38aa755bdde915ceba93313c6e0eb4e29372ea1ae88a2479b

Download Submit
C:\Windows\SysWOW64\Bdmddc32.exe

Filesize
194KB

MD5
6929ab000586951dd253442cd4f2f152

SHA1
adcdddde67e178d88b043d9d0ff4a16baababc5b

SHA256
e8424c73f9660d70573416b32bafa76096e268c195caf102b44ff405623134bb

SHA512
925c505c429046a5e70d3ac122469186aef79c5e138fff28126efeb810fa7d0b1fb089f50fb4d9af56fb6c1bb94117ee3209b0d1d8c87b5fe6f39e89a391551d

Download Submit
C:\Windows\SysWOW64\Beejng32.exe

Filesize
194KB

MD5
f23a9420f2cf29ffd2391f2ab719b75a

SHA1
a2386b0c96b2ce7be14226c24ee7253b0d4a6aa0

SHA256
59a49f0c6d7282bf997308fda46a72d25e397f2cac339130f6533a3517c3a909

SHA512
89dc1ef3f819537848a86cd351c19dd3b47ebc7aea663c8b5e5289d108b7a4a3a828d853152491ea5b0f65559e72fe9443eb5c76cecfd258d1f4edb2075f42aa

Download Submit
C:\Windows\SysWOW64\Behgcf32.exe

Filesize
194KB

MD5
7e8881489e7bcb9ac3970f29049f456d

SHA1
3794c8b6352b81a7144752d6bc19f0198e8e099d

SHA256
f664de813ed3508962254df546b1043a9342bde85a1f9073e12934853ce01215

SHA512
cf75c4e3cc9a33d759e7486d97dff6ad1842f003a5185c3a2a9e6c2cecc851ca81e20ff77e07badab00a552dcdafb24243b7fe9dff64451e04f8c2ae4abf93e5

Download Submit
C:\Windows\SysWOW64\Bfpnmj32.exe

Filesize
194KB

MD5
c71a595231acbc1a41e712b009d7dc16

SHA1
572b9e42e8769f9c16ec5ec5a3d98d5f0ebde06c

SHA256
0a449f7ee4abe090e13fd0c80a86b1a52b078eb80a64dda23fe7abc69544b7c3

SHA512
4d7d32de466db8bc20ceb6cdf5f2c1a943dae8c15f176b5699231e3a744000c24f21dea4b75f61733f37ef49ba98a2298508f45e8dc452b51f072188db2899f1

Download Submit
C:\Windows\SysWOW64\Bhajdblk.exe

Filesize
194KB

MD5
eb710b8f5eebfb5dc5c31b2fd27948eb

SHA1
593042b9dda1b14b091f7ab0de19bfa3eb224298

SHA256
8ccfff54a7829d89499dba9c9339623549aa20ac3b0c670b72ff1ef534786226

SHA512
822a1e68a87598d6355e932a9c135378f8fe7aff602b68ee002d28fa1d1d29d33bd1400c020a0c26f351866d6ccde315b253c6265547440aeeb132e1cf8f10cf

Download Submit
C:\Windows\SysWOW64\Biafnecn.exe

Filesize
194KB

MD5
6d4e380550b6bbf0b60e4d575745bb65

SHA1
102dbe3d6cfa8641adf97555ce0c1bae50b81b17

SHA256
7aa7c42fb0dcd2049e64c6ddb8b8a136515d5d2d7739cb638c3beaa38054780a

SHA512
cf16d2cda3533539979a20f51b71d32c2011e1329eccf8152ad7c1cc5429a4eaf7ce90b760164e75ec19b398c742ccfeaf48df7da2d427bf702fa26e2ec96915

Download Submit
C:\Windows\SysWOW64\Bjdplm32.exe

Filesize
194KB

MD5
394ec9c2a53ce4c2be8007ed59faaf63

SHA1
54cc1c73660a32e8e99f2f6b8e87fd093b45e06c

SHA256
c0e596c61a34224ca8e9c4e407da0ad50c00586b14c5151b5e7222d132be947f

SHA512
03f719f3031bf52e930e6b6738cabc638053dc52e3f24060e168e47d14d2b8eb667660a91cb9a2e2502415c9e66a06b641c92acf455210980d913448f2285057

Download Submit
C:\Windows\SysWOW64\Bkglameg.exe

Filesize
194KB

MD5
69ce3aa6d3c6343e8810a9092d4e387f

SHA1
54b0ae61adefce0acb1254973f7af73f7fc04e63

SHA256
9fc0922e2e1c29d31831086b154adef5f31da4bc3ba41cf111734420d9a0995c

SHA512
0ae3bebf4fe7fda9d043028127b4fadd3a04a070267faeeaff87899136f2651ff871306aecc4b509b77a498e7351cdeed5bc16aa2f3e45ce6d7de3414d0dfddc

Download Submit
C:\Windows\SysWOW64\Blobjaba.exe

Filesize
194KB

MD5
2b5567aad532e2b26f3226bf00cf81ac

SHA1
bcd19c80fa685ac82d4381cbce7eebefbdb2a567

SHA256
356b8931c1fd14649780af8998ec954bdec67186503a380f6cb2988d453a5113

SHA512
54f6e8f7b87648d206c38a346e4e2db23de807fba94ff036c0e99c84158db7cd499737bc7a2f60efe196f4c8aa0ede2cb95ff97bbae75516db1f3b2b5a14df33

Download Submit
C:\Windows\SysWOW64\Bmeimhdj.exe

Filesize
194KB

MD5
8313133d6fc43b295c4a9187afc7a6ad

SHA1
9efb9dafbf410cf7a271c28b090d7c37d6820c1b

SHA256
e35574e9e10beee728ace8edbd49a867aecee48595f9528e18502a64b3ea2997

SHA512
82be5f8a3c124d21a8ec9d7e4c1f1e898ec2091f70eb4c8c1f0a421ab29f2ebe4da90bae3e5efa31de3212b03da6833dcea26c98cf3fc73138eec57234d44fc9

Download Submit
C:\Windows\SysWOW64\Bnkbam32.exe

Filesize
194KB

MD5
430708891c38a663f19ee08b74e01572

SHA1
6e7726f7859335a66faed56f4feeaedbe531840b

SHA256
47b3f17f5f9d61d95642ddb9b6224f148d17ccde18cce91e4e31ed28fc6a3cdf

SHA512
11febc8629f571db8a894ef29a8603b1389dfce9fb53e251b3f242b6e8b7e677708b18c4981ca5a10fc3675a801bf83589ec4475ec663032b0d15165b51aab8b

Download Submit
C:\Windows\SysWOW64\Bonoflae.exe

Filesize
194KB

MD5
5dbb8931624024cc27b4840266d8032d

SHA1
eb1fd4eded0ffea17f89fbe5829be08b8102300e

SHA256
4846e0bdbf4753bcfbbaa835a580da517e688d4c82ba4e23d0ef80e0cbf6110b

SHA512
767a363697ed5c778a7772ab2f8ea6272c42df419c67e37d7a24783d9a7fde182d996bda4fb8c07b9b1ef501c5c2e42eb21ee3e66ef639539af70e911f05637e

Download Submit
C:\Windows\SysWOW64\Boplllob.exe

Filesize
194KB

MD5
9862c97a0ffaa594ea2f12583b334989

SHA1
ce760887f82616cf61c079a4205dcbe8b7aedac8

SHA256
83032a7b53c80c29a80a646a255c7ea6c4b2f937c49bd44d2150d5a1543bde10

SHA512
e0a177a334883dee0cd1f2af6b07b54f6b47cce3c779b5d6d39b54af7f6e08e073397bbb187d2b56d04a8dd5f4c69c190fcb98a2736849115c88e8a953571537

Download Submit
C:\Windows\SysWOW64\Bpfeppop.exe

Filesize
194KB

MD5
a1c31d75c878f3a5f0c52a47ca90e83b

SHA1
31110b4c9a16707ee5aafa73931d6ab7b640cce9

SHA256
2e9dc5811ee7454d5ed6c74272e336225d9bf8ae5a78d4fbb23c32e07cf53d76

SHA512
1650d0608c35ca2dc1d18d0bcaaaabc1e8036a61085ef9050d266e9102510c20a0073f5e3b723d8b32ec76bf0ccec814a8559b6684ceabf6aba86c7bf2b14deb

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
194KB

MD5
de65b70c4757525cc4fbf963ec80d621

SHA1
eef8da5466476a1cab9886fefc3e2a39d6ca26ad

SHA256
f24c6eadcf825db03b5e346bc0616245d0036eadff985dfba1e1344c9c8bf758

SHA512
191db3906634b56b5e6daad78dd0b67f455b8953f6bf75d4819a52bd89229c665b39ed0140a353fe7b79d12dc7281813da5104bfe1f326d1ea8e5b1b101cdd6b

Download Submit
C:\Windows\SysWOW64\Cdoajb32.exe

Filesize
194KB

MD5
d5b5e4b28eddb9e2f5b4e892436b4f6b

SHA1
d105afc69f6a5153d68b7e29e22bde30ea223dc6

SHA256
1dd248aefabf0d9db522e927086db95b479c307cf77b582786356665ca1e5b2a

SHA512
de849b33d137fd77b78590fcedf16d62809daefca2a014ee22dae59331d05ef0f3536aa692c3a9b7bd8749e995f589ef15496f726acb012ccb46e99a0e3d9a05

Download Submit
C:\Windows\SysWOW64\Cfnmfn32.exe

Filesize
194KB

MD5
ce4b41859f360a3a65b505f728375be1

SHA1
8363bd8a1a839445e90547d7765f9e1be366b03d

SHA256
67bce83991205581527a117715944377747d27524f57ceb0532b8e12fd84749f

SHA512
7e2dcf324ba65dd86f932e826725cfdb2eeb2b4985b4082e4a7d6b68b5d47107b3fb2494caaed0671afd047dc1c4b1e911eb5e29434c637769b0178e92024b92

Download Submit
C:\Windows\SysWOW64\Cilibi32.exe

Filesize
194KB

MD5
91ae84522e80a6cb55a39c79720d836d

SHA1
46900000ad2694698f8379bfa9879e245f0c2ca9

SHA256
19e31e1725e8272b6aac3e56b80a7c1555d612ac2fb4e2ad9e6afef292068de9

SHA512
16b46124e401f9e1e224ca2e30660b8e9cac4da0e792f0cb0942df6791bea8a8e8b9fdfad0792e81d31fff7bd5375b0f401de3b2a5089f537b3216a9cd434421

Download Submit
\Windows\SysWOW64\Acpdko32.exe

Filesize
194KB

MD5
d50be5552a9954fc6154a2be71e91d72

SHA1
b4cbb52a4e5d6df7809637fd622f6ecaf75fb3d4

SHA256
ecef9a77360fa65ff16439586c2784576b689a9a7ade372a1e4c6074d0956d75

SHA512
31e785b1e798c1bbdb1722631d10571549851032e9985e6357087c92e4f0c1523c948f8b0c2404be2b4e039c7b00d5557f23a10a579e0c9829e4d36c3b44081f

Download Submit
\Windows\SysWOW64\Bilmcf32.exe

Filesize
194KB

MD5
8d8fe1769d39e70813cbcb406764e43d

SHA1
5202b3a3460bd5049ac628e19ab40808013f6e0d

SHA256
d3f5c2427a2b14dd48c3db8450a9d86b523bca4a140fc242332f28bc1fd891f8

SHA512
2eec964fc33409c0f0446c1a4700ce67ff814cf4d3552d4b93a34beabb04d7d93e46ce29094de748be5222509bb6fea978817707b8c3211d2cb458945f25d1be

Download Submit
memory/528-480-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/528-76-0x0000000000460000-0x00000000004BB000-memory.dmp

Filesize
364KB

Download
memory/636-287-0x0000000000250000-0x00000000002AB000-memory.dmp

Filesize
364KB

Download
memory/636-283-0x0000000000250000-0x00000000002AB000-memory.dmp

Filesize
364KB

Download
memory/636-276-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/888-327-0x0000000000260000-0x00000000002BB000-memory.dmp

Filesize
364KB

Download
memory/888-325-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1120-364-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1120-373-0x00000000002E0000-0x000000000033B000-memory.dmp

Filesize
364KB

Download
memory/1296-374-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1316-392-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1424-129-0x00000000006C0000-0x000000000071B000-memory.dmp

Filesize
364KB

Download
memory/1424-130-0x00000000006C0000-0x000000000071B000-memory.dmp

Filesize
364KB

Download
memory/1424-506-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1424-425-0x00000000006C0000-0x000000000071B000-memory.dmp

Filesize
364KB

Download
memory/1516-500-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1516-91-0x00000000002E0000-0x000000000033B000-memory.dmp

Filesize
364KB

Download
memory/1528-255-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1528-264-0x0000000000260000-0x00000000002BB000-memory.dmp

Filesize
364KB

Download
memory/1528-265-0x0000000000260000-0x00000000002BB000-memory.dmp

Filesize
364KB

Download
memory/1808-228-0x0000000000250000-0x00000000002AB000-memory.dmp

Filesize
364KB

Download
memory/1808-221-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1808-232-0x0000000000250000-0x00000000002AB000-memory.dmp

Filesize
364KB

Download
memory/1824-460-0x0000000000290000-0x00000000002EB000-memory.dmp

Filesize
364KB

Download
memory/1824-459-0x0000000000290000-0x00000000002EB000-memory.dmp

Filesize
364KB

Download
memory/1824-441-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1824-146-0x0000000000290000-0x00000000002EB000-memory.dmp

Filesize
364KB

Download
memory/1824-140-0x0000000000290000-0x00000000002EB000-memory.dmp

Filesize
364KB

Download
memory/1824-132-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1824-508-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1860-352-0x0000000000250000-0x00000000002AB000-memory.dmp

Filesize
364KB

Download
memory/1860-348-0x0000000000250000-0x00000000002AB000-memory.dmp

Filesize
364KB

Download
memory/1860-342-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1948-189-0x0000000001FB0000-0x000000000200B000-memory.dmp

Filesize
364KB

Download
memory/1948-468-0x0000000001FB0000-0x000000000200B000-memory.dmp

Filesize
364KB

Download
memory/1948-467-0x0000000001FB0000-0x000000000200B000-memory.dmp

Filesize
364KB

Download
memory/1948-466-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1948-176-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1948-184-0x0000000001FB0000-0x000000000200B000-memory.dmp

Filesize
364KB

Download
memory/2008-60-0x0000000000460000-0x00000000004BB000-memory.dmp

Filesize
364KB

Download
memory/2008-478-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2056-464-0x0000000001FB0000-0x000000000200B000-memory.dmp

Filesize
364KB

Download
memory/2056-463-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2056-465-0x0000000001FB0000-0x000000000200B000-memory.dmp

Filesize
364KB

Download
memory/2056-175-0x0000000001FB0000-0x000000000200B000-memory.dmp

Filesize
364KB

Download
memory/2056-162-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2096-504-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2096-112-0x0000000000250000-0x00000000002AB000-memory.dmp

Filesize
364KB

Download
memory/2116-309-0x0000000001FC0000-0x000000000201B000-memory.dmp

Filesize
364KB

Download
memory/2116-305-0x0000000001FC0000-0x000000000201B000-memory.dmp

Filesize
364KB

Download
memory/2116-303-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2136-277-0x0000000000320000-0x000000000037B000-memory.dmp

Filesize
364KB

Download
memory/2136-270-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2136-275-0x0000000000320000-0x000000000037B000-memory.dmp

Filesize
364KB

Download
memory/2192-244-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2192-250-0x0000000000250000-0x00000000002AB000-memory.dmp

Filesize
364KB

Download
memory/2192-254-0x0000000000250000-0x00000000002AB000-memory.dmp

Filesize
364KB

Download
memory/2284-99-0x00000000002D0000-0x000000000032B000-memory.dmp

Filesize
364KB

Download
memory/2284-502-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2296-391-0x0000000000250000-0x00000000002AB000-memory.dmp

Filesize
364KB

Download
memory/2300-341-0x0000000000460000-0x00000000004BB000-memory.dmp

Filesize
364KB

Download
memory/2300-335-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2300-337-0x0000000000460000-0x00000000004BB000-memory.dmp

Filesize
364KB

Download
memory/2320-239-0x0000000000250000-0x00000000002AB000-memory.dmp

Filesize
364KB

Download
memory/2320-233-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2320-243-0x0000000000250000-0x00000000002AB000-memory.dmp

Filesize
364KB

Download
memory/2388-205-0x00000000002D0000-0x000000000032B000-memory.dmp

Filesize
364KB

Download
memory/2388-191-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2388-204-0x00000000002D0000-0x000000000032B000-memory.dmp

Filesize
364KB

Download
memory/2460-220-0x0000000000250000-0x00000000002AB000-memory.dmp

Filesize
364KB

Download
memory/2460-214-0x0000000000250000-0x00000000002AB000-memory.dmp

Filesize
364KB

Download
memory/2460-206-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2528-320-0x0000000000250000-0x00000000002AB000-memory.dmp

Filesize
364KB

Download
memory/2528-319-0x0000000000250000-0x00000000002AB000-memory.dmp

Filesize
364KB

Download
memory/2528-310-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2676-147-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2676-159-0x0000000000250000-0x00000000002AB000-memory.dmp

Filesize
364KB

Download
memory/2676-160-0x0000000000250000-0x00000000002AB000-memory.dmp

Filesize
364KB

Download
memory/2676-461-0x0000000000250000-0x00000000002AB000-memory.dmp

Filesize
364KB

Download
memory/2676-462-0x0000000000250000-0x00000000002AB000-memory.dmp

Filesize
364KB

Download
memory/2716-25-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2716-472-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2760-46-0x00000000002E0000-0x000000000033B000-memory.dmp

Filesize
364KB

Download
memory/2760-476-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2780-474-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2780-38-0x00000000002E0000-0x000000000033B000-memory.dmp

Filesize
364KB

Download
memory/2780-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2824-470-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2824-363-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2824-0-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2824-11-0x0000000000250000-0x00000000002AB000-memory.dmp

Filesize
364KB

Download
memory/2892-353-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2892-362-0x00000000002F0000-0x000000000034B000-memory.dmp

Filesize
364KB

Download
memory/2940-298-0x0000000000250000-0x00000000002AB000-memory.dmp

Filesize
364KB

Download
memory/2940-292-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2940-294-0x0000000000250000-0x00000000002AB000-memory.dmp

Filesize
364KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads