63dc16d3ff8b39d14fe64aba31f9bf93a422a1dc1e86e321e1faca99ded14f2e

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/09/2024, 20:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4aa64f5fee6c6ba380d13415073d5a90N.exe
Size

94KB
MD5

4aa64f5fee6c6ba380d13415073d5a90
SHA1

e170d334fa83cc7d65bfe95505daa2dde0be8738
SHA256

63dc16d3ff8b39d14fe64aba31f9bf93a422a1dc1e86e321e1faca99ded14f2e
SHA512

0d5f2fa8efd9804a410b345057447ef516dae38983b0f9e08ffdb461144db0fc88b73b99f8bae73b315e4df1f56f70d6eaed2b2d4c400d3c393578ff6f8d459a
SSDEEP

1536:VnqYmjUpfgeWYGeHtl6qg4VTgkI8A0YEocgU4thlZ2nVhBNqW/LPHq39KUIC0uGE:MYBamtv/eW/jH6KU90uGimj1ieybvrx

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgaebe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Coacbfii.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajpepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqgmfkhg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bccmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmeiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqlfaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cebeem32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoojnc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adlcfjgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjobffl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgaebe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjobffl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bigkel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Achjibcl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andgop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqgmfkhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffbdadk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqijljfd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calcpm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Achjibcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahebaiac.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkhhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cebeem32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adlcfjgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Andgop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adnpkjde.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aoojnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bccmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	4aa64f5fee6c6ba380d13415073d5a90N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmeiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caifjn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajpepm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adnpkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	4aa64f5fee6c6ba380d13415073d5a90N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqijljfd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Coacbfii.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkhhhd32.exe

Executes dropped EXE 35 IoCs

pid	Process
2344	Ajpepm32.exe
2132	Achjibcl.exe
2676	Ahebaiac.exe
2680	Aoojnc32.exe
2904	Adlcfjgh.exe
2700	Agjobffl.exe
2584	Andgop32.exe
2992	Adnpkjde.exe
2052	Bkhhhd32.exe
1956	Bbbpenco.exe
1676	Bccmmf32.exe
1744	Bjmeiq32.exe
336	Bqgmfkhg.exe
2036	Bgaebe32.exe
2364	Bnknoogp.exe
2936	Bqijljfd.exe
2808	Bffbdadk.exe
992	Bjbndpmd.exe
1652	Bqlfaj32.exe
1576	Bcjcme32.exe
2096	Bigkel32.exe
2848	Coacbfii.exe
1740	Cenljmgq.exe
2088	Ciihklpj.exe
1596	Cnfqccna.exe
2896	Cfmhdpnc.exe
2732	Cileqlmg.exe
2744	Cgoelh32.exe
2832	Cnimiblo.exe
2796	Cebeem32.exe
2536	Caifjn32.exe
1164	Cgcnghpl.exe
1928	Calcpm32.exe
1944	Cegoqlof.exe
1912	Dpapaj32.exe

Loads dropped DLL 64 IoCs

pid	Process
2336	4aa64f5fee6c6ba380d13415073d5a90N.exe
2336	4aa64f5fee6c6ba380d13415073d5a90N.exe
2344	Ajpepm32.exe
2344	Ajpepm32.exe
2132	Achjibcl.exe
2132	Achjibcl.exe
2676	Ahebaiac.exe
2676	Ahebaiac.exe
2680	Aoojnc32.exe
2680	Aoojnc32.exe
2904	Adlcfjgh.exe
2904	Adlcfjgh.exe
2700	Agjobffl.exe
2700	Agjobffl.exe
2584	Andgop32.exe
2584	Andgop32.exe
2992	Adnpkjde.exe
2992	Adnpkjde.exe
2052	Bkhhhd32.exe
2052	Bkhhhd32.exe
1956	Bbbpenco.exe
1956	Bbbpenco.exe
1676	Bccmmf32.exe
1676	Bccmmf32.exe
1744	Bjmeiq32.exe
1744	Bjmeiq32.exe
336	Bqgmfkhg.exe
336	Bqgmfkhg.exe
2036	Bgaebe32.exe
2036	Bgaebe32.exe
2364	Bnknoogp.exe
2364	Bnknoogp.exe
2936	Bqijljfd.exe
2936	Bqijljfd.exe
2808	Bffbdadk.exe
2808	Bffbdadk.exe
992	Bjbndpmd.exe
992	Bjbndpmd.exe
1652	Bqlfaj32.exe
1652	Bqlfaj32.exe
1576	Bcjcme32.exe
1576	Bcjcme32.exe
2096	Bigkel32.exe
2096	Bigkel32.exe
2848	Coacbfii.exe
2848	Coacbfii.exe
1740	Cenljmgq.exe
1740	Cenljmgq.exe
2088	Ciihklpj.exe
2088	Ciihklpj.exe
1596	Cnfqccna.exe
1596	Cnfqccna.exe
2896	Cfmhdpnc.exe
2896	Cfmhdpnc.exe
2732	Cileqlmg.exe
2732	Cileqlmg.exe
2744	Cgoelh32.exe
2744	Cgoelh32.exe
2832	Cnimiblo.exe
2832	Cnimiblo.exe
2796	Cebeem32.exe
2796	Cebeem32.exe
2536	Caifjn32.exe
2536	Caifjn32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pobghn32.dll	Cgoelh32.exe
File opened for modification	C:\Windows\SysWOW64\Cebeem32.exe	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Cegoqlof.exe	Calcpm32.exe
File created	C:\Windows\SysWOW64\Nloone32.dll	Calcpm32.exe
File opened for modification	C:\Windows\SysWOW64\Achjibcl.exe	Ajpepm32.exe
File created	C:\Windows\SysWOW64\Dgnenf32.dll	Bnknoogp.exe
File created	C:\Windows\SysWOW64\Ogdjhp32.dll	Bigkel32.exe
File opened for modification	C:\Windows\SysWOW64\Calcpm32.exe	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Bqgmfkhg.exe	Bjmeiq32.exe
File created	C:\Windows\SysWOW64\Bnknoogp.exe	Bgaebe32.exe
File opened for modification	C:\Windows\SysWOW64\Cgoelh32.exe	Cileqlmg.exe
File opened for modification	C:\Windows\SysWOW64\Bqijljfd.exe	Bnknoogp.exe
File opened for modification	C:\Windows\SysWOW64\Cnfqccna.exe	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Cgcnghpl.exe	Caifjn32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Cegoqlof.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\Ajpepm32.exe	4aa64f5fee6c6ba380d13415073d5a90N.exe
File created	C:\Windows\SysWOW64\Ibbklamb.dll	Ahebaiac.exe
File created	C:\Windows\SysWOW64\Jcojqm32.dll	Bkhhhd32.exe
File created	C:\Windows\SysWOW64\Oabhggjd.dll	Bqgmfkhg.exe
File created	C:\Windows\SysWOW64\Bqlfaj32.exe	Bjbndpmd.exe
File opened for modification	C:\Windows\SysWOW64\Bjmeiq32.exe	Bccmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Bigkel32.exe	Bcjcme32.exe
File created	C:\Windows\SysWOW64\Achjibcl.exe	Ajpepm32.exe
File created	C:\Windows\SysWOW64\Adnpkjde.exe	Andgop32.exe
File created	C:\Windows\SysWOW64\Bgaebe32.exe	Bqgmfkhg.exe
File opened for modification	C:\Windows\SysWOW64\Cileqlmg.exe	Cfmhdpnc.exe
File opened for modification	C:\Windows\SysWOW64\Cgcnghpl.exe	Caifjn32.exe
File created	C:\Windows\SysWOW64\Ajpepm32.exe	4aa64f5fee6c6ba380d13415073d5a90N.exe
File created	C:\Windows\SysWOW64\Gjhmge32.dll	Cenljmgq.exe
File created	C:\Windows\SysWOW64\Caifjn32.exe	Cebeem32.exe
File created	C:\Windows\SysWOW64\Bkhhhd32.exe	Adnpkjde.exe
File created	C:\Windows\SysWOW64\Ihkhkcdl.dll	Bjmeiq32.exe
File created	C:\Windows\SysWOW64\Bigkel32.exe	Bcjcme32.exe
File created	C:\Windows\SysWOW64\Gfikmo32.dll	Bffbdadk.exe
File opened for modification	C:\Windows\SysWOW64\Ciihklpj.exe	Cenljmgq.exe
File created	C:\Windows\SysWOW64\Fiqhbk32.dll	Aoojnc32.exe
File created	C:\Windows\SysWOW64\Bbbpenco.exe	Bkhhhd32.exe
File created	C:\Windows\SysWOW64\Onaiomjo.dll	Cebeem32.exe
File created	C:\Windows\SysWOW64\Ofaejacl.dll	Cgcnghpl.exe
File opened for modification	C:\Windows\SysWOW64\Adnpkjde.exe	Andgop32.exe
File created	C:\Windows\SysWOW64\Bccmmf32.exe	Bbbpenco.exe
File opened for modification	C:\Windows\SysWOW64\Caifjn32.exe	Cebeem32.exe
File created	C:\Windows\SysWOW64\Qgejemnf.dll	Cnfqccna.exe
File created	C:\Windows\SysWOW64\Calcpm32.exe	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Bgmdailj.dll	Bccmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Bnknoogp.exe	Bgaebe32.exe
File opened for modification	C:\Windows\SysWOW64\Bffbdadk.exe	Bqijljfd.exe
File opened for modification	C:\Windows\SysWOW64\Aoojnc32.exe	Ahebaiac.exe
File created	C:\Windows\SysWOW64\Bjmeiq32.exe	Bccmmf32.exe
File created	C:\Windows\SysWOW64\Cfmhdpnc.exe	Cnfqccna.exe
File opened for modification	C:\Windows\SysWOW64\Bqlfaj32.exe	Bjbndpmd.exe
File opened for modification	C:\Windows\SysWOW64\Bcjcme32.exe	Bqlfaj32.exe
File opened for modification	C:\Windows\SysWOW64\Coacbfii.exe	Bigkel32.exe
File created	C:\Windows\SysWOW64\Cnimiblo.exe	Cgoelh32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Agjobffl.exe	Adlcfjgh.exe
File opened for modification	C:\Windows\SysWOW64\Bqgmfkhg.exe	Bjmeiq32.exe
File created	C:\Windows\SysWOW64\Bcjcme32.exe	Bqlfaj32.exe
File created	C:\Windows\SysWOW64\Jmclfnqb.dll	Agjobffl.exe
File opened for modification	C:\Windows\SysWOW64\Bgaebe32.exe	Bqgmfkhg.exe
File created	C:\Windows\SysWOW64\Cnfqccna.exe	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Alecllfh.dll	Bqijljfd.exe
File created	C:\Windows\SysWOW64\Cenljmgq.exe	Coacbfii.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1424	1912	WerFault.exe	65

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Achjibcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoojnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bigkel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caifjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjobffl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adnpkjde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqijljfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffbdadk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbndpmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqlfaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmhdpnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahebaiac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adlcfjgh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenljmgq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkhhhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciihklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnimiblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cebeem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajpepm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbbpenco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmeiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnknoogp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegoqlof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqgmfkhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjcme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4aa64f5fee6c6ba380d13415073d5a90N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bccmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coacbfii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnfqccna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cileqlmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andgop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgaebe32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihkhkcdl.dll"	Bjmeiq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgaebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cebeem32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	4aa64f5fee6c6ba380d13415073d5a90N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Coacbfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alecllfh.dll"	Bqijljfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmclfnqb.dll"	Agjobffl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bccmmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adlcfjgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjbndpmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onaiomjo.dll"	Cebeem32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbbpenco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oabhggjd.dll"	Bqgmfkhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bqgmfkhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnenf32.dll"	Bnknoogp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bigkel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bigkel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejemnf.dll"	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Achjibcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckndebll.dll"	Bgaebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bqgmfkhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aglfmjon.dll"	Andgop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oinhifdq.dll"	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaejacl.dll"	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Komjgdhc.dll"	Adlcfjgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajpepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Andgop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcojqm32.dll"	Bkhhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgaebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnbkfl32.dll"	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahebaiac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbbpenco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjmeiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnpeed32.dll"	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bifbbocj.dll"	Bbbpenco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nloone32.dll"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiqhbk32.dll"	Aoojnc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	4aa64f5fee6c6ba380d13415073d5a90N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agjobffl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	4aa64f5fee6c6ba380d13415073d5a90N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahebaiac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiablm32.dll"	Bqlfaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfhmmndi.dll"	Ajpepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaddfb32.dll"	Coacbfii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajpepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjmeiq32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2344	2336	4aa64f5fee6c6ba380d13415073d5a90N.exe	31
PID 2336 wrote to memory of 2344	2336	4aa64f5fee6c6ba380d13415073d5a90N.exe	31
PID 2336 wrote to memory of 2344	2336	4aa64f5fee6c6ba380d13415073d5a90N.exe	31
PID 2336 wrote to memory of 2344	2336	4aa64f5fee6c6ba380d13415073d5a90N.exe	31
PID 2344 wrote to memory of 2132	2344	Ajpepm32.exe	32
PID 2344 wrote to memory of 2132	2344	Ajpepm32.exe	32
PID 2344 wrote to memory of 2132	2344	Ajpepm32.exe	32
PID 2344 wrote to memory of 2132	2344	Ajpepm32.exe	32
PID 2132 wrote to memory of 2676	2132	Achjibcl.exe	33
PID 2132 wrote to memory of 2676	2132	Achjibcl.exe	33
PID 2132 wrote to memory of 2676	2132	Achjibcl.exe	33
PID 2132 wrote to memory of 2676	2132	Achjibcl.exe	33
PID 2676 wrote to memory of 2680	2676	Ahebaiac.exe	34
PID 2676 wrote to memory of 2680	2676	Ahebaiac.exe	34
PID 2676 wrote to memory of 2680	2676	Ahebaiac.exe	34
PID 2676 wrote to memory of 2680	2676	Ahebaiac.exe	34
PID 2680 wrote to memory of 2904	2680	Aoojnc32.exe	35
PID 2680 wrote to memory of 2904	2680	Aoojnc32.exe	35
PID 2680 wrote to memory of 2904	2680	Aoojnc32.exe	35
PID 2680 wrote to memory of 2904	2680	Aoojnc32.exe	35
PID 2904 wrote to memory of 2700	2904	Adlcfjgh.exe	36
PID 2904 wrote to memory of 2700	2904	Adlcfjgh.exe	36
PID 2904 wrote to memory of 2700	2904	Adlcfjgh.exe	36
PID 2904 wrote to memory of 2700	2904	Adlcfjgh.exe	36
PID 2700 wrote to memory of 2584	2700	Agjobffl.exe	37
PID 2700 wrote to memory of 2584	2700	Agjobffl.exe	37
PID 2700 wrote to memory of 2584	2700	Agjobffl.exe	37
PID 2700 wrote to memory of 2584	2700	Agjobffl.exe	37
PID 2584 wrote to memory of 2992	2584	Andgop32.exe	38
PID 2584 wrote to memory of 2992	2584	Andgop32.exe	38
PID 2584 wrote to memory of 2992	2584	Andgop32.exe	38
PID 2584 wrote to memory of 2992	2584	Andgop32.exe	38
PID 2992 wrote to memory of 2052	2992	Adnpkjde.exe	39
PID 2992 wrote to memory of 2052	2992	Adnpkjde.exe	39
PID 2992 wrote to memory of 2052	2992	Adnpkjde.exe	39
PID 2992 wrote to memory of 2052	2992	Adnpkjde.exe	39
PID 2052 wrote to memory of 1956	2052	Bkhhhd32.exe	40
PID 2052 wrote to memory of 1956	2052	Bkhhhd32.exe	40
PID 2052 wrote to memory of 1956	2052	Bkhhhd32.exe	40
PID 2052 wrote to memory of 1956	2052	Bkhhhd32.exe	40
PID 1956 wrote to memory of 1676	1956	Bbbpenco.exe	41
PID 1956 wrote to memory of 1676	1956	Bbbpenco.exe	41
PID 1956 wrote to memory of 1676	1956	Bbbpenco.exe	41
PID 1956 wrote to memory of 1676	1956	Bbbpenco.exe	41
PID 1676 wrote to memory of 1744	1676	Bccmmf32.exe	42
PID 1676 wrote to memory of 1744	1676	Bccmmf32.exe	42
PID 1676 wrote to memory of 1744	1676	Bccmmf32.exe	42
PID 1676 wrote to memory of 1744	1676	Bccmmf32.exe	42
PID 1744 wrote to memory of 336	1744	Bjmeiq32.exe	43
PID 1744 wrote to memory of 336	1744	Bjmeiq32.exe	43
PID 1744 wrote to memory of 336	1744	Bjmeiq32.exe	43
PID 1744 wrote to memory of 336	1744	Bjmeiq32.exe	43
PID 336 wrote to memory of 2036	336	Bqgmfkhg.exe	44
PID 336 wrote to memory of 2036	336	Bqgmfkhg.exe	44
PID 336 wrote to memory of 2036	336	Bqgmfkhg.exe	44
PID 336 wrote to memory of 2036	336	Bqgmfkhg.exe	44
PID 2036 wrote to memory of 2364	2036	Bgaebe32.exe	45
PID 2036 wrote to memory of 2364	2036	Bgaebe32.exe	45
PID 2036 wrote to memory of 2364	2036	Bgaebe32.exe	45
PID 2036 wrote to memory of 2364	2036	Bgaebe32.exe	45
PID 2364 wrote to memory of 2936	2364	Bnknoogp.exe	46
PID 2364 wrote to memory of 2936	2364	Bnknoogp.exe	46
PID 2364 wrote to memory of 2936	2364	Bnknoogp.exe	46
PID 2364 wrote to memory of 2936	2364	Bnknoogp.exe	46

C:\Users\Admin\AppData\Local\Temp\4aa64f5fee6c6ba380d13415073d5a90N.exe
"C:\Users\Admin\AppData\Local\Temp\4aa64f5fee6c6ba380d13415073d5a90N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\SysWOW64\Ajpepm32.exe
  C:\Windows\system32\Ajpepm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\SysWOW64\Achjibcl.exe
    C:\Windows\system32\Achjibcl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2132
  - - C:\Windows\SysWOW64\Ahebaiac.exe
      C:\Windows\system32\Ahebaiac.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2676
    - - C:\Windows\SysWOW64\Aoojnc32.exe
        
        C:\Windows\system32\Aoojnc32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2680
      - C:\Windows\SysWOW64\Adlcfjgh.exe
        
        C:\Windows\system32\Adlcfjgh.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\SysWOW64\Agjobffl.exe
        
        C:\Windows\system32\Agjobffl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\SysWOW64\Andgop32.exe
        
        C:\Windows\system32\Andgop32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SysWOW64\Adnpkjde.exe
        
        C:\Windows\system32\Adnpkjde.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\SysWOW64\Bkhhhd32.exe
        
        C:\Windows\system32\Bkhhhd32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Bbbpenco.exe
        
        C:\Windows\system32\Bbbpenco.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\SysWOW64\Bccmmf32.exe
        
        C:\Windows\system32\Bccmmf32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\Bjmeiq32.exe
        
        C:\Windows\system32\Bjmeiq32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\SysWOW64\Bqgmfkhg.exe
        
        C:\Windows\system32\Bqgmfkhg.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:336
        
        C:\Windows\SysWOW64\Bgaebe32.exe
        
        C:\Windows\system32\Bgaebe32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\Bnknoogp.exe
        
        C:\Windows\system32\Bnknoogp.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\SysWOW64\Bqijljfd.exe
        
        C:\Windows\system32\Bqijljfd.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\Bffbdadk.exe
        
        C:\Windows\system32\Bffbdadk.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Windows\SysWOW64\Bjbndpmd.exe
        
        C:\Windows\system32\Bjbndpmd.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:992
        
        C:\Windows\SysWOW64\Bqlfaj32.exe
        
        C:\Windows\system32\Bqlfaj32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Bcjcme32.exe
        
        C:\Windows\system32\Bcjcme32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1576
        
        C:\Windows\SysWOW64\Bigkel32.exe
        
        C:\Windows\system32\Bigkel32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2096
        
        C:\Windows\SysWOW64\Coacbfii.exe
        
        C:\Windows\system32\Coacbfii.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2848
        
        C:\Windows\SysWOW64\Cenljmgq.exe
        
        C:\Windows\system32\Cenljmgq.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1740
        
        C:\Windows\SysWOW64\Ciihklpj.exe
        
        C:\Windows\system32\Ciihklpj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2088
        
        C:\Windows\SysWOW64\Cnfqccna.exe
        
        C:\Windows\system32\Cnfqccna.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Cfmhdpnc.exe
        
        C:\Windows\system32\Cfmhdpnc.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Windows\SysWOW64\Cileqlmg.exe
        
        C:\Windows\system32\Cileqlmg.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Cgoelh32.exe
        
        C:\Windows\system32\Cgoelh32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2744
        
        C:\Windows\SysWOW64\Cnimiblo.exe
        
        C:\Windows\system32\Cnimiblo.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2832
        
        C:\Windows\SysWOW64\Cebeem32.exe
        
        C:\Windows\system32\Cebeem32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2796
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2536
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1164
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1928
        
        C:\Windows\SysWOW64\Cegoqlof.exe
        
        C:\Windows\system32\Cegoqlof.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1944
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1912
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 144
        37⤵
        Program crash
        
        PID:1424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adnpkjde.exe

Filesize
94KB

MD5
5e7146c4b65917848ffafae9c2e5c1d4

SHA1
50c0180b0c56370a24284ec4a0fc59751cb16e6d

SHA256
e33b54630ba42f7d8be6c76203cfdacf8cfe9eb10602cf45b4e4453a6ef20df2

SHA512
dd57666ff7846f4c9e48bdae55c9b8a844e9763556fd3ef03332c581ca2543856ecf23680afe313e745cea3f53f6d6b5abf43977953a0ea180e0806acfe23bc8

Download Submit
C:\Windows\SysWOW64\Aoojnc32.exe

Filesize
94KB

MD5
51552ceb2c7b20453dc2740a4f6607ac

SHA1
8df2911485b9aefee6780e42a66673b31c4bd7c6

SHA256
a54f9fb55fd43a52c4d83c39edc67e742df93c0ec57ad1f1e4048df06cd32b67

SHA512
dbd45a761f94af26de4eac8ffad6774b71b9d184438572f9a000c855171f2f2d7aeb46ae31222fa65707d4d76dac75769a5938d4d2eb1269983235f324aaf883

Download Submit
C:\Windows\SysWOW64\Bcjcme32.exe

Filesize
94KB

MD5
632cc60fd3acab27212c75255c26edc8

SHA1
b8fe8c5c07da681837d4041516da61570b49223d

SHA256
7833823f9418add3521b7ddfb932d15bf2f131e4ccd9f0e6b50eb66796454080

SHA512
4b31b20a258815ebbb8144000ed2e01ab5d736e42429c33a4099ec4631f0eb2ef38614f55e7f33dddea46b2a11b70acf900aba4db66a412f702927ea7928a54f

Download Submit
C:\Windows\SysWOW64\Bffbdadk.exe

Filesize
94KB

MD5
be1e1adeeb107104249dd1b5446884e5

SHA1
90ffd6f32eefa37a3bc3ae380b590ddc036d9e12

SHA256
3d0eb5a62bd858120a0facf571a2df82eaf966c879b6da69bb0542fcad8b4353

SHA512
b9d26aa33c70669ab82ba0f49f6e89c530baab0ca4a60ec18c5de1b5b67aca6402581a264c6e1a7caf83e2376e0b67acb023fe0f7617857f8a482833ea95a0ed

Download Submit
C:\Windows\SysWOW64\Bgaebe32.exe

Filesize
94KB

MD5
f450b12b56f093c36f76769f8c4f8ff6

SHA1
bd9269c670cbb05173cf1bf98ce82bbce1e1470d

SHA256
12be766c676e7284ad8ff9e860b9874eb150a8b6dd2c7e0d63e6e8a41f29704a

SHA512
c0e428f1761bee38190729c149ffb1402988d9f8873e64405794931d1cc4aef471f265fc42ea43d79ad9e7ca7ab37622ea25dc350ae67422ff3305a95bb748dc

Download Submit
C:\Windows\SysWOW64\Bigkel32.exe

Filesize
94KB

MD5
53e361db0b7c6b38d6c08fcc72640f4e

SHA1
36eceda49dd481ebec409bc1788fafaffa7f109e

SHA256
e22755018d6ae7b395582fe95b0c169bcfdb495bd20aa3f5989294f492976b6e

SHA512
4001206bd70d8ebd135c549fdda94b946620c9129f81864b32e2cad9feccf96210d420187cf77b34b858ce5fdb57173842a1fe40229bdb6e1d3ae9cb21688ee2

Download Submit
C:\Windows\SysWOW64\Bjbndpmd.exe

Filesize
94KB

MD5
ea04b50b469c00468795639b4c154640

SHA1
9e4f04ee0dbb59b1c4a9ee4e58074009e1ca9b6d

SHA256
b045a06df0f68b405af84f4af365a45cfac97b828b8ad7e2f0390791ae767e4c

SHA512
00675cbdb6f0501762fd09a985653a06e6ff0ebebdc0b5bae635a0113e0d4eab12b307fb495cff0d96077634b640e09bed8d9dccbfdf4fb316d6f6c861e5b28f

Download Submit
C:\Windows\SysWOW64\Bqlfaj32.exe

Filesize
94KB

MD5
dae84bae5966b33fa62676633ebbf02b

SHA1
5be6b67ce0013e1cda294a191f9541d7b45abbc0

SHA256
b16a8dfde0e034c49781f09bdd3ca1c307f2e24c4156b721c8e8a0eaf7fa25e8

SHA512
5a569623111053ada720ac18559031feb42f664a0f06221448801ac5ccccb744f4542fb2bf4e04607ce3ae8da6ad00474bd3337438560738130862bc725cac92

Download Submit
C:\Windows\SysWOW64\Caifjn32.exe

Filesize
94KB

MD5
bca53729583940df920a0c7c1ced3c34

SHA1
9f044020e09f790b973169437b82018d3e9634de

SHA256
b725713219571711ce0f7ed22a892669a2b1cab495423dc31c20106ad78edf4e

SHA512
d36fe3daabd43a75ec0aa05441faeed26225bdc4b031ac7f8c44d059586e10bbefba0ecae5d26698a9d9b4062b15f9ee20b0ff82c2720b49ab665aa3a4efd7bf

Download Submit
C:\Windows\SysWOW64\Calcpm32.exe

Filesize
94KB

MD5
88d2e82e353a07c8f286153875463746

SHA1
f5aa15aa51519d4ed388a1b491ac6dc1a700b8a9

SHA256
90ad038ee587443c13f8a326e12daaea4c3ca5d9403df8c01765370ac8cb1ebe

SHA512
2691aa0373afc03d7ebc449b9b00d5ba0b77f67c5a8143087dadf8dd92f9f9cf78386cd0b5bf848fa69e7d397d0deb55c659369631ab652cf3b75017a9188ee6

Download Submit
C:\Windows\SysWOW64\Cebeem32.exe

Filesize
94KB

MD5
ab7529d0abfc800ae2e4dcdbd43499e9

SHA1
5fb33945802c2657edaa8384b38f151401f534e8

SHA256
7d2464e61efd36d776b370a25b357cd3049c8b3886203def4fb3ffec866dc55b

SHA512
fde06d97807249b72fb3f84359cfeea835ed7140ff50c5b4036d9ae7c9c131e21da1496be544666bc2f85740bea2b74458cf60281dff3861a31e5eb53454b0f2

Download Submit
C:\Windows\SysWOW64\Cegoqlof.exe

Filesize
94KB

MD5
6aca25fdcddfb6d86e013b8a9ee031ab

SHA1
166cc6d5b40b844874491bcd1d807d15dc0a6820

SHA256
464fe39a91a095f0cae1ef15fc0908ad7369aa10093fa730baee5b4994bc1fd0

SHA512
92b02e8bbe685cba9016540ce943d6c8f4a4c1a78dedd9cc470b14aa8e683464e0801fb3c30a7090ca8dbfd91807849455e1526034be19a693792d2cde7554a1

Download Submit
C:\Windows\SysWOW64\Cenljmgq.exe

Filesize
94KB

MD5
d3530685016274c3f9e3acbb4d627921

SHA1
f71badac172158e49b7cc828ae1da3d6dea052a8

SHA256
ffd5fe6d213d7df9bb5d3b6d4a83d0cb52b091614473c59bcdc87fa51f05f58b

SHA512
282c82254780b4ad770907291af3c509eab47938f570402305356c924f0e85873604b361a69d53ddcc5da3d63276b0f7f895a99ab275ec633672b23629401955

Download Submit
C:\Windows\SysWOW64\Cfmhdpnc.exe

Filesize
94KB

MD5
c476f176e7345a268d56ea462b81b3bb

SHA1
827b72414a63ca74d9715818a2d6e9c43b2ba10d

SHA256
7c12b4dc019d3fd2b4fcc02701e44b2f798db5bef1eedb43f789477f024fe7c1

SHA512
94fdf7b529207b20c82c6ca961ae879c9cc844174ceb2bf0eaf21cf03e3c568a615870bfb4b010a87e91a6da96ebbea4c4a563551621b5d1b5a9c057cdb0d0fa

Download Submit
C:\Windows\SysWOW64\Cgcnghpl.exe

Filesize
94KB

MD5
3fcfd35604065317411f654d15ec9fdf

SHA1
ee0def8a215d6c7d68fd7ee0cb55a95ff490d95f

SHA256
eb6324c2c6e341cca6039a3de97284f26a9a4d596c4389b169e322af25d13d88

SHA512
2609d6fd8c8cfa11928019a98d2fc8f692f2ab556e108ffec04750f2cc943cbc63fdc5c439fe917fdb37efea7e4ee80cb5adebacb3a87dc97dcef30cb65e9397

Download Submit
C:\Windows\SysWOW64\Cgoelh32.exe

Filesize
94KB

MD5
1323b96f8c03155194b2fa3f01cac2fc

SHA1
a2e8aa91040ac2f6906b34272493a5c770a2b1a6

SHA256
20f6d52f7af69e672319331a939ba2d5d8505857cbe1928eaaad7ca706e4b2ae

SHA512
6cf40fe205ceb75ccb5405287ba7ba608d0bf8d39e6820aedf2c70a3cc1d047510cdb024db6d83bda6277f3ce06d8cf3b0f7b9294f61fe8d461fa744bff53eed

Download Submit
C:\Windows\SysWOW64\Ciihklpj.exe

Filesize
94KB

MD5
7aa9091ffac42803112d0dc250fb950b

SHA1
220d666a00ff9d8e9cc76bc3eb5f463d75ca023b

SHA256
e6f389f66b82ba7779ff925e1b937ddbfed2490c1eb90bc2beb6527306b1f2e0

SHA512
aef7f66deecd8adb996a2de70450e1e907d98ac9d93b9c4e415f8c641ff9fe8901cb062bfb4cb646223066f9a7e0d083e4fbf47cbc1679d3c86fa0f199a3339a

Download Submit
C:\Windows\SysWOW64\Cileqlmg.exe

Filesize
94KB

MD5
12b0868aef54767d428d8d51d5140994

SHA1
1065986f3fdeb10e82ab4e9a5799690fc6b1d5ef

SHA256
29f7d750dcce9e0dfe5c4e8a0a1295eb9127203827071e1de43176083057e18c

SHA512
c6f3696dad12f576a8b86926a3beb525283a84c64fd837b8e78829ca8550e43a964c1b677420ef73122d3e1c45fd6d4dfa1beb2f4d9e2a624a16f9189263de45

Download Submit
C:\Windows\SysWOW64\Cnfqccna.exe

Filesize
94KB

MD5
24ed921df46ba532ab66d484127adfa6

SHA1
7dfece6bcdacc4bbb5cbf6add647f6cbba32f004

SHA256
080f88685b200ac76fa7ffed020621d77c9b01fc0e92059c873ac978aae726bb

SHA512
35178888f276bcfdad55af13661558ec6c927d6fe62b69cda6051b518278f30614253cd5e3fbea6121307ecdb546ad88e82627ab486412db6728a18d56577db6

Download Submit
C:\Windows\SysWOW64\Cnimiblo.exe

Filesize
94KB

MD5
33f496b8026f7a695390561811712ed8

SHA1
d465405ba68f335d7a363908fdc80809fddd2c57

SHA256
6dd0cf8af3f20cc7ab211ef0bf124fac58f305a03ba58d469418f8dd73c7c7a8

SHA512
cd51d20324118b2cf9f32a84a073d8095d702822eb4902de6ffccf3ced7b77e4c392cb68f25e72226dfb8b9cb6449d3af8afef8e60d08cc4f5122d56846eb0b8

Download Submit
C:\Windows\SysWOW64\Coacbfii.exe

Filesize
94KB

MD5
4a71edaac5bdad3d5207daf8425a56fa

SHA1
d5ec03863426c2b11be4eba13b48f0e76924eab1

SHA256
fa363c7e02020901e66cdf4e13b191cf8db84de03cfb2c5808f4f24e8092d341

SHA512
20f503dd868fef962d735a5f412d9d7dd5079e1649ac29efce29e8016afaca7035fa5bfcefca11c3c26a84fdf082f422623300266154ecbd4834a0ed3577f253

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
94KB

MD5
5d1dc177ecd8843cfb7e15e12da32dc3

SHA1
5d4b3b3e683ac300bfa79706f27a6c612c6f2192

SHA256
893dc7d1ea2b24b4a6a13a404f76831da02991d461851ba324c99a5ccb64328f

SHA512
18863bbd723c5c937ff2750e0c924be590bcde00a47d4396b546ed1ec1bb7a2720b02f876ae344215f37586744215686e844b3232c0cc03335aa7521c10880fb

Download Submit
\Windows\SysWOW64\Achjibcl.exe

Filesize
94KB

MD5
df986693821f5d1b7f3d38c47d0a919b

SHA1
00cc99df81c1f8528b3d1b6556e71fc508e33cca

SHA256
c1ce6a9e4538d6acbfba3f7087e11eccb745a633cd6db8f319558888dbf52697

SHA512
2ba15772ce7fc252d6865e3d15abc76d13d96a90aa59288dca003dfbec39cd3801bb316d74a410dbffab008bf88ab1d5e991075d128fda8f7a1eb775839cb2c2

Download Submit
\Windows\SysWOW64\Adlcfjgh.exe

Filesize
94KB

MD5
497a1d08727b9bfde149adf0fcef49fd

SHA1
7e125634bb6134d2aa72a826852da134b13a7871

SHA256
a1c04c4c550d2924090d2f1597083718f33224231eefd903ef17714b14379f8f

SHA512
a1ce2b247dda79974a229f77ee8acf84c761fb9d0d184c3655ebb07a4bf9741a5a167001bd3e94088d0d6cd399dc193b971ddbf53338856554d4e12285011e09

Download Submit
\Windows\SysWOW64\Agjobffl.exe

Filesize
94KB

MD5
aeb45b5dfeba37bf2bcc27d3b1515e83

SHA1
751ca082d21a3bc206ecad712115a7c0d8eb068a

SHA256
2c9dd904f39699b85985d91fbe463d103a1b84fdf611afc3e3b9bf6b87a9d93e

SHA512
5196dd5b417b90807f9a531ee920433fb9dc00626f88f73ad390a4929da86aa187712165ff8f548bc62f02ccb789c2497cdbbd7f8184a654a152d3271af220a9

Download Submit
\Windows\SysWOW64\Ahebaiac.exe

Filesize
94KB

MD5
5e803013cfc976fcd5f629b322ee5e9c

SHA1
9683b6f0dc6a51c52158e883cd57f89d82c0bd9e

SHA256
9e73e881dffb20c08d7c4238386bb3674bf2784955f9c39a1fedd2d7f291571e

SHA512
b0fac8aa081d9edbf21f896360e39113ed58b566acaaee956ce7047a88bf4a7ba5d28ee15938752e1ad25e770ad42a9f6cdc737bf6c907cfb4922b56ba670634

Download Submit
\Windows\SysWOW64\Ajpepm32.exe

Filesize
94KB

MD5
7302097a6e7f1a9887b75bc20e9f189e

SHA1
ea8af9f92d69d7ffb1950b503b3e220288e004e3

SHA256
311d4593454bcb4634b42634c8235d8b72df1ae56686aff044b8aec9142d67f4

SHA512
08384bcbaa8021b9d07e1f84892f8331037d70f6f8b36a92e5ba5c8a2a16b710914b9f2067f72ccba8043e63ed657663cfdedb2245d6fd818667a41e395ff5dc

Download Submit
\Windows\SysWOW64\Andgop32.exe

Filesize
94KB

MD5
f54c548236da71c951860622b910124f

SHA1
8e6c3027655444a873af67f8d18ba71890a56170

SHA256
417b17277cf2602d4fca7b55401aefd987d3015d3200bbc724b88cf2e063edfa

SHA512
c7fe4236995b83386a5dfc235b3ce82381116d0956b4ecd18381d0612027d7fe79602986a889e479824051cb2f71759a4459d017494fe23f674d9dbf7a385141

Download Submit
\Windows\SysWOW64\Bbbpenco.exe

Filesize
94KB

MD5
d59251dee21d18ad45e8662980572448

SHA1
720ce2b51e636d903e5aa18b52460eb0779672d6

SHA256
28db9e915fe3810ddef6a4e59998d8aed129a96da0657b4e1384b20e08505aa7

SHA512
33498bffd96ba2766d05b91cfdc957099b7bef7ca24accabc3cad1278d1a4a494b897c5dccdf60bac2937bd18ae308066f5b59b3906fa0734c8e13f9eaa0fd44

Download Submit
\Windows\SysWOW64\Bccmmf32.exe

Filesize
94KB

MD5
caa78cd401d2e70b678b4dfa424d0b04

SHA1
48ec9134359ad5b3c25fad2a64fc46d6e88cbd48

SHA256
e5fae26cf91502f179284a3f41ed1789033c67ecf75a86a67ba71ce3646196bd

SHA512
cc47ff917b020dfe0c12d0b113b0d8e306e6752fd5eee5b32f6f48528ef50f3d4cdea35462a3e5481bb679ac8ebd46f20d79f5d3e31032c2b48f9f19eac61714

Download Submit
\Windows\SysWOW64\Bjmeiq32.exe

Filesize
94KB

MD5
9723c33f6c3f7d8fcfcc4c5e36ee89d3

SHA1
51804068b1994db09a862bad99822b0ac2777de8

SHA256
934a73035a0534d9a8f207499d440ba8d5ca9d1b58f7db91ffb1cfc0d8050561

SHA512
353d0837188c9a5f2dae21fbded86ae4dcc8991e4d2481374663688b8cecb08f2734006418a8d3ca456b2d7e6059926fdebb95435040c30a07e9f1d82042834a

Download Submit
\Windows\SysWOW64\Bkhhhd32.exe

Filesize
94KB

MD5
5ee14d0c9a9763cc35274b6ef7439de4

SHA1
752ae4a8a9c86f9ee2b20fff3355eb26618548f4

SHA256
5a09fad183c790dfafb30f25c9f333434fdd86aa3edc9635f11b10e52f9fb887

SHA512
ecfd53eca3b80a60840f3c111689585d7bf73fee9bb0b9d5e0aa2e2cf3d184d2ad722d90b20e8eb1e16ea4f9ce2c5fcb2fe801e655b87c8cb79b0a14944a9f37

Download Submit
\Windows\SysWOW64\Bnknoogp.exe

Filesize
94KB

MD5
f77dcb23b830b1271a857095de5fba8a

SHA1
93d5ed34ee48af8d7c36393756d2743ad73ed80a

SHA256
26deab7281e7db423717dc1d16f740c8086717145d445119e2b74f208b9edc7c

SHA512
491a0789054dcc2938b0ba3ea07aac929915a381007d60ce85ff27e6ba577ed380eae8c9def690ed3d0372581d91da89db99571a3cc646de0ecb621b43a50256

Download Submit
\Windows\SysWOW64\Bqgmfkhg.exe

Filesize
94KB

MD5
2bb66c33deef4ce1bc56b86e20bb9da2

SHA1
69552bcdb151e81615bd2bbd3a2650f55f0eeb95

SHA256
12394752567915ae7d2ceb351022c75d1881c73d1d00398e2a3b6981d94b9bcb

SHA512
c7d0f88e747256c65e3a7c353d6bb0fb8312f8ab787c03dda45f8f04d9cf88a64280b2d11365967fce97c01af7b493f12144b7ffea86e7aaf8792d1924af9d24

Download Submit
\Windows\SysWOW64\Bqijljfd.exe

Filesize
94KB

MD5
e17707495c9ac141a978665776aa9e01

SHA1
4cf695fcb59a708159d15351a438f35978fbf23b

SHA256
ce26d12c8d20e586813e314b80a46d70c8918694d9a74a8a8ad98cfe6e942fdb

SHA512
64bf4a53f44c66a405112723ea8beda1c0880a7baa2fda312135c8471c14c14ce2ff32a89effb9dc89dd351259f7fb6782b73bb241f15d313e1150dfe38d0c3a

Download Submit
memory/336-419-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/992-239-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/992-425-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/992-235-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/1164-437-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1164-387-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1164-377-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1576-250-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1576-427-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1576-256-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1576-260-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1596-309-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1596-313-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1596-432-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1652-249-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/1652-248-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/1652-426-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1676-417-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1740-293-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/1740-287-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1740-289-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/1740-430-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1744-165-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/1744-158-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1744-418-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1912-413-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1928-397-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1928-398-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1944-400-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1944-438-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1944-406-0x00000000002F0000-0x0000000000330000-memory.dmp

Filesize
256KB

Download
memory/1956-416-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1956-139-0x0000000001F30000-0x0000000001F70000-memory.dmp

Filesize
256KB

Download
memory/2036-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2036-193-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2036-421-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2036-420-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2052-127-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2052-415-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2052-125-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2088-431-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2088-299-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/2088-303-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/2096-270-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2096-261-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2096-271-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2096-428-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2132-349-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2132-356-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2132-34-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2132-26-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2336-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2336-7-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2336-332-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2344-24-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2344-343-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2364-205-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/2364-422-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2536-374-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2536-375-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2584-410-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2676-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2676-361-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2680-53-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2680-382-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2680-60-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2680-376-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2700-87-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/2700-399-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2700-79-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2732-434-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2744-435-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2744-333-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2744-339-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2796-436-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2808-424-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2808-226-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/2832-355-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2832-348-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2832-354-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2848-278-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2848-282-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2848-272-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2848-429-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2896-323-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/2896-319-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/2896-433-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2904-388-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2936-423-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2936-220-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2992-414-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2992-105-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2992-112-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads