37a3dc90614bd4d6996790aff1d6e3e6bccdc744d3dbf4d8808a74537a0fd9cb

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-09-2024 23:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37a3dc90614bd4d6996790aff1d6e3e6bccdc744d3dbf4d8808a74537a0fd9cbN.exe
Size

89KB
MD5

cb94562d37aaccfc899cf1f79d9f2430
SHA1

71cbeeb95f5fe1965d4edbe849cbf1ebe8063a0c
SHA256

37a3dc90614bd4d6996790aff1d6e3e6bccdc744d3dbf4d8808a74537a0fd9cb
SHA512

fe54779ee720cf4cd642121e2cbb34b2b2c94e249cbe25dec2a2b8a89f27df32ef0cc28cd5dad0c234e05338ae180acc6c8c916745a0d8e0df5dec70bd7daba5
SSDEEP

1536:3/K9Lrz3g+U66BIl2u/n2c/Rf+l7xyU/Y9mOgUWw/9V/ivp4cVlExkg8Fk:vK9LH3gsOIl/ftfW7xyU/OmOPWw/O4cc

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhjlli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bceibfgj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aficjnpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aqbdkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhjlli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Danpemej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	37a3dc90614bd4d6996790aff1d6e3e6bccdc744d3dbf4d8808a74537a0fd9cbN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Achjibcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmlael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aficjnpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfioia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjkhdacm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjdkjpkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afffenbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bqijljfd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqeqqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjpaop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjcme32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afffenbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Alnalh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akfkbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Achjibcl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmlael32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bceibfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bqeqqk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqijljfd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffbdadk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjkhdacm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfioia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjpaop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	37a3dc90614bd4d6996790aff1d6e3e6bccdc744d3dbf4d8808a74537a0fd9cbN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ccmpce32.exe

Executes dropped EXE 34 IoCs

pid	Process
1084	Alnalh32.exe
2896	Achjibcl.exe
2660	Afffenbp.exe
2656	Aficjnpm.exe
2648	Akfkbd32.exe
2696	Aqbdkk32.exe
2596	Bhjlli32.exe
2436	Bjkhdacm.exe
1520	Bqeqqk32.exe
1932	Bccmmf32.exe
1720	Bmlael32.exe
1968	Bceibfgj.exe
1704	Bjpaop32.exe
2004	Bqijljfd.exe
2416	Bffbdadk.exe
2216	Bieopm32.exe
1560	Bcjcme32.exe
2248	Bfioia32.exe
1684	Bjdkjpkb.exe
1792	Ccmpce32.exe
1476	Cfkloq32.exe
676	Cmedlk32.exe
2056	Cnfqccna.exe
2212	Cfmhdpnc.exe
2456	Cgoelh32.exe
2124	Cnimiblo.exe
2680	Cebeem32.exe
2200	Cnkjnb32.exe
1800	Cchbgi32.exe
2560	Cnmfdb32.exe
2192	Cmpgpond.exe
2260	Cfhkhd32.exe
1276	Danpemej.exe
568	Dpapaj32.exe

Loads dropped DLL 64 IoCs

pid	Process
1980	37a3dc90614bd4d6996790aff1d6e3e6bccdc744d3dbf4d8808a74537a0fd9cbN.exe
1980	37a3dc90614bd4d6996790aff1d6e3e6bccdc744d3dbf4d8808a74537a0fd9cbN.exe
1084	Alnalh32.exe
1084	Alnalh32.exe
2896	Achjibcl.exe
2896	Achjibcl.exe
2660	Afffenbp.exe
2660	Afffenbp.exe
2656	Aficjnpm.exe
2656	Aficjnpm.exe
2648	Akfkbd32.exe
2648	Akfkbd32.exe
2696	Aqbdkk32.exe
2696	Aqbdkk32.exe
2596	Bhjlli32.exe
2596	Bhjlli32.exe
2436	Bjkhdacm.exe
2436	Bjkhdacm.exe
1520	Bqeqqk32.exe
1520	Bqeqqk32.exe
1932	Bccmmf32.exe
1932	Bccmmf32.exe
1720	Bmlael32.exe
1720	Bmlael32.exe
1968	Bceibfgj.exe
1968	Bceibfgj.exe
1704	Bjpaop32.exe
1704	Bjpaop32.exe
2004	Bqijljfd.exe
2004	Bqijljfd.exe
2416	Bffbdadk.exe
2416	Bffbdadk.exe
2216	Bieopm32.exe
2216	Bieopm32.exe
1560	Bcjcme32.exe
1560	Bcjcme32.exe
2248	Bfioia32.exe
2248	Bfioia32.exe
1684	Bjdkjpkb.exe
1684	Bjdkjpkb.exe
1792	Ccmpce32.exe
1792	Ccmpce32.exe
1476	Cfkloq32.exe
1476	Cfkloq32.exe
676	Cmedlk32.exe
676	Cmedlk32.exe
2056	Cnfqccna.exe
2056	Cnfqccna.exe
2212	Cfmhdpnc.exe
2212	Cfmhdpnc.exe
2456	Cgoelh32.exe
2456	Cgoelh32.exe
2124	Cnimiblo.exe
2124	Cnimiblo.exe
2680	Cebeem32.exe
2680	Cebeem32.exe
2200	Cnkjnb32.exe
2200	Cnkjnb32.exe
1800	Cchbgi32.exe
1800	Cchbgi32.exe
2560	Cnmfdb32.exe
2560	Cnmfdb32.exe
2192	Cmpgpond.exe
2192	Cmpgpond.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bjkhdacm.exe	Bhjlli32.exe
File opened for modification	C:\Windows\SysWOW64\Bceibfgj.exe	Bmlael32.exe
File opened for modification	C:\Windows\SysWOW64\Bffbdadk.exe	Bqijljfd.exe
File opened for modification	C:\Windows\SysWOW64\Alnalh32.exe	37a3dc90614bd4d6996790aff1d6e3e6bccdc744d3dbf4d8808a74537a0fd9cbN.exe
File opened for modification	C:\Windows\SysWOW64\Bccmmf32.exe	Bqeqqk32.exe
File created	C:\Windows\SysWOW64\Bmlael32.exe	Bccmmf32.exe
File created	C:\Windows\SysWOW64\Cfhkhd32.exe	Cmpgpond.exe
File opened for modification	C:\Windows\SysWOW64\Danpemej.exe	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Niebgj32.dll	Cchbgi32.exe
File created	C:\Windows\SysWOW64\Fkdqjn32.dll	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Danpemej.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Danpemej.exe
File created	C:\Windows\SysWOW64\Oghnkh32.dll	Ccmpce32.exe
File opened for modification	C:\Windows\SysWOW64\Cmedlk32.exe	Cfkloq32.exe
File created	C:\Windows\SysWOW64\Acnenl32.dll	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\Danpemej.exe	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Bqeqqk32.exe	Bjkhdacm.exe
File opened for modification	C:\Windows\SysWOW64\Bcjcme32.exe	Bieopm32.exe
File opened for modification	C:\Windows\SysWOW64\Cfhkhd32.exe	Cmpgpond.exe
File opened for modification	C:\Windows\SysWOW64\Akfkbd32.exe	Aficjnpm.exe
File opened for modification	C:\Windows\SysWOW64\Bmlael32.exe	Bccmmf32.exe
File created	C:\Windows\SysWOW64\Bffbdadk.exe	Bqijljfd.exe
File created	C:\Windows\SysWOW64\Lgpgbj32.dll	37a3dc90614bd4d6996790aff1d6e3e6bccdc744d3dbf4d8808a74537a0fd9cbN.exe
File created	C:\Windows\SysWOW64\Afffenbp.exe	Achjibcl.exe
File opened for modification	C:\Windows\SysWOW64\Aficjnpm.exe	Afffenbp.exe
File opened for modification	C:\Windows\SysWOW64\Bjkhdacm.exe	Bhjlli32.exe
File created	C:\Windows\SysWOW64\Bceibfgj.exe	Bmlael32.exe
File created	C:\Windows\SysWOW64\Bqijljfd.exe	Bjpaop32.exe
File opened for modification	C:\Windows\SysWOW64\Bqijljfd.exe	Bjpaop32.exe
File opened for modification	C:\Windows\SysWOW64\Bfioia32.exe	Bcjcme32.exe
File opened for modification	C:\Windows\SysWOW64\Ccmpce32.exe	Bjdkjpkb.exe
File created	C:\Windows\SysWOW64\Hpqnnmcd.dll	Aqbdkk32.exe
File created	C:\Windows\SysWOW64\Cfmhdpnc.exe	Cnfqccna.exe
File opened for modification	C:\Windows\SysWOW64\Cnimiblo.exe	Cgoelh32.exe
File opened for modification	C:\Windows\SysWOW64\Cebeem32.exe	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Cchbgi32.exe	Cnkjnb32.exe
File opened for modification	C:\Windows\SysWOW64\Bjpaop32.exe	Bceibfgj.exe
File created	C:\Windows\SysWOW64\Dgnenf32.dll	Bjpaop32.exe
File opened for modification	C:\Windows\SysWOW64\Cfkloq32.exe	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Jidmcq32.dll	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Gggpgo32.dll	Aficjnpm.exe
File created	C:\Windows\SysWOW64\Cgoelh32.exe	Cfmhdpnc.exe
File opened for modification	C:\Windows\SysWOW64\Cgoelh32.exe	Cfmhdpnc.exe
File opened for modification	C:\Windows\SysWOW64\Cmpgpond.exe	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Cbehjc32.dll	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Pkdhln32.dll	Achjibcl.exe
File created	C:\Windows\SysWOW64\Alppmhnm.dll	Afffenbp.exe
File opened for modification	C:\Windows\SysWOW64\Bhjlli32.exe	Aqbdkk32.exe
File created	C:\Windows\SysWOW64\Opobfpee.dll	Bjkhdacm.exe
File created	C:\Windows\SysWOW64\Cmpgpond.exe	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Aqbdkk32.exe	Akfkbd32.exe
File created	C:\Windows\SysWOW64\Bngpjpqe.dll	Bccmmf32.exe
File created	C:\Windows\SysWOW64\Lloeec32.dll	Bcjcme32.exe
File created	C:\Windows\SysWOW64\Cnkjnb32.exe	Cebeem32.exe
File opened for modification	C:\Windows\SysWOW64\Bieopm32.exe	Bffbdadk.exe
File opened for modification	C:\Windows\SysWOW64\Cnkjnb32.exe	Cebeem32.exe
File created	C:\Windows\SysWOW64\Fchook32.dll	Bjdkjpkb.exe
File created	C:\Windows\SysWOW64\Bifbbocj.dll	Bqeqqk32.exe
File created	C:\Windows\SysWOW64\Cnimiblo.exe	Cgoelh32.exe
File opened for modification	C:\Windows\SysWOW64\Cfmhdpnc.exe	Cnfqccna.exe
File created	C:\Windows\SysWOW64\Liempneg.dll	Cebeem32.exe
File opened for modification	C:\Windows\SysWOW64\Aqbdkk32.exe	Akfkbd32.exe
File created	C:\Windows\SysWOW64\Bhjlli32.exe	Aqbdkk32.exe
File opened for modification	C:\Windows\SysWOW64\Bqeqqk32.exe	Bjkhdacm.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
912	568	WerFault.exe	64

System Location Discovery: System Language Discovery 1 TTPs 35 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alnalh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aficjnpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bccmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffbdadk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cebeem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afffenbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhjlli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjpaop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdkjpkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnimiblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhkhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqbdkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqijljfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cchbgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqeqqk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmedlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bceibfgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnfqccna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpgpond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Achjibcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akfkbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjkhdacm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfioia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmpce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmhdpnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkjnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	37a3dc90614bd4d6996790aff1d6e3e6bccdc744d3dbf4d8808a74537a0fd9cbN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmlael32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bieopm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfkloq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjcme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danpemej.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bcjcme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ccmpce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aficjnpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejemnf.dll"	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oghnkh32.dll"	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aficjnpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bccmmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bqijljfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niebgj32.dll"	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbehjc32.dll"	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afffenbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjkhdacm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdpkangm.dll"	Bceibfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pobghn32.dll"	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcaibd32.dll"	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	37a3dc90614bd4d6996790aff1d6e3e6bccdc744d3dbf4d8808a74537a0fd9cbN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpebhied.dll"	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbmnig32.dll"	Bfioia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Achjibcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opobfpee.dll"	Bjkhdacm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bhjlli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	37a3dc90614bd4d6996790aff1d6e3e6bccdc744d3dbf4d8808a74537a0fd9cbN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alppmhnm.dll"	Afffenbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aqbdkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiablm32.dll"	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnbkfl32.dll"	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	37a3dc90614bd4d6996790aff1d6e3e6bccdc744d3dbf4d8808a74537a0fd9cbN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfcgie32.dll"	Bhjlli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akkggpci.dll"	Bmlael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cebeem32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	37a3dc90614bd4d6996790aff1d6e3e6bccdc744d3dbf4d8808a74537a0fd9cbN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	37a3dc90614bd4d6996790aff1d6e3e6bccdc744d3dbf4d8808a74537a0fd9cbN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgpgbj32.dll"	37a3dc90614bd4d6996790aff1d6e3e6bccdc744d3dbf4d8808a74537a0fd9cbN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bqeqqk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjpaop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bceibfgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aqbdkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bceibfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fchook32.dll"	Bjdkjpkb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 1084	1980	37a3dc90614bd4d6996790aff1d6e3e6bccdc744d3dbf4d8808a74537a0fd9cbN.exe	31
PID 1980 wrote to memory of 1084	1980	37a3dc90614bd4d6996790aff1d6e3e6bccdc744d3dbf4d8808a74537a0fd9cbN.exe	31
PID 1980 wrote to memory of 1084	1980	37a3dc90614bd4d6996790aff1d6e3e6bccdc744d3dbf4d8808a74537a0fd9cbN.exe	31
PID 1980 wrote to memory of 1084	1980	37a3dc90614bd4d6996790aff1d6e3e6bccdc744d3dbf4d8808a74537a0fd9cbN.exe	31
PID 1084 wrote to memory of 2896	1084	Alnalh32.exe	32
PID 1084 wrote to memory of 2896	1084	Alnalh32.exe	32
PID 1084 wrote to memory of 2896	1084	Alnalh32.exe	32
PID 1084 wrote to memory of 2896	1084	Alnalh32.exe	32
PID 2896 wrote to memory of 2660	2896	Achjibcl.exe	33
PID 2896 wrote to memory of 2660	2896	Achjibcl.exe	33
PID 2896 wrote to memory of 2660	2896	Achjibcl.exe	33
PID 2896 wrote to memory of 2660	2896	Achjibcl.exe	33
PID 2660 wrote to memory of 2656	2660	Afffenbp.exe	34
PID 2660 wrote to memory of 2656	2660	Afffenbp.exe	34
PID 2660 wrote to memory of 2656	2660	Afffenbp.exe	34
PID 2660 wrote to memory of 2656	2660	Afffenbp.exe	34
PID 2656 wrote to memory of 2648	2656	Aficjnpm.exe	35
PID 2656 wrote to memory of 2648	2656	Aficjnpm.exe	35
PID 2656 wrote to memory of 2648	2656	Aficjnpm.exe	35
PID 2656 wrote to memory of 2648	2656	Aficjnpm.exe	35
PID 2648 wrote to memory of 2696	2648	Akfkbd32.exe	36
PID 2648 wrote to memory of 2696	2648	Akfkbd32.exe	36
PID 2648 wrote to memory of 2696	2648	Akfkbd32.exe	36
PID 2648 wrote to memory of 2696	2648	Akfkbd32.exe	36
PID 2696 wrote to memory of 2596	2696	Aqbdkk32.exe	37
PID 2696 wrote to memory of 2596	2696	Aqbdkk32.exe	37
PID 2696 wrote to memory of 2596	2696	Aqbdkk32.exe	37
PID 2696 wrote to memory of 2596	2696	Aqbdkk32.exe	37
PID 2596 wrote to memory of 2436	2596	Bhjlli32.exe	38
PID 2596 wrote to memory of 2436	2596	Bhjlli32.exe	38
PID 2596 wrote to memory of 2436	2596	Bhjlli32.exe	38
PID 2596 wrote to memory of 2436	2596	Bhjlli32.exe	38
PID 2436 wrote to memory of 1520	2436	Bjkhdacm.exe	39
PID 2436 wrote to memory of 1520	2436	Bjkhdacm.exe	39
PID 2436 wrote to memory of 1520	2436	Bjkhdacm.exe	39
PID 2436 wrote to memory of 1520	2436	Bjkhdacm.exe	39
PID 1520 wrote to memory of 1932	1520	Bqeqqk32.exe	40
PID 1520 wrote to memory of 1932	1520	Bqeqqk32.exe	40
PID 1520 wrote to memory of 1932	1520	Bqeqqk32.exe	40
PID 1520 wrote to memory of 1932	1520	Bqeqqk32.exe	40
PID 1932 wrote to memory of 1720	1932	Bccmmf32.exe	41
PID 1932 wrote to memory of 1720	1932	Bccmmf32.exe	41
PID 1932 wrote to memory of 1720	1932	Bccmmf32.exe	41
PID 1932 wrote to memory of 1720	1932	Bccmmf32.exe	41
PID 1720 wrote to memory of 1968	1720	Bmlael32.exe	42
PID 1720 wrote to memory of 1968	1720	Bmlael32.exe	42
PID 1720 wrote to memory of 1968	1720	Bmlael32.exe	42
PID 1720 wrote to memory of 1968	1720	Bmlael32.exe	42
PID 1968 wrote to memory of 1704	1968	Bceibfgj.exe	43
PID 1968 wrote to memory of 1704	1968	Bceibfgj.exe	43
PID 1968 wrote to memory of 1704	1968	Bceibfgj.exe	43
PID 1968 wrote to memory of 1704	1968	Bceibfgj.exe	43
PID 1704 wrote to memory of 2004	1704	Bjpaop32.exe	44
PID 1704 wrote to memory of 2004	1704	Bjpaop32.exe	44
PID 1704 wrote to memory of 2004	1704	Bjpaop32.exe	44
PID 1704 wrote to memory of 2004	1704	Bjpaop32.exe	44
PID 2004 wrote to memory of 2416	2004	Bqijljfd.exe	45
PID 2004 wrote to memory of 2416	2004	Bqijljfd.exe	45
PID 2004 wrote to memory of 2416	2004	Bqijljfd.exe	45
PID 2004 wrote to memory of 2416	2004	Bqijljfd.exe	45
PID 2416 wrote to memory of 2216	2416	Bffbdadk.exe	46
PID 2416 wrote to memory of 2216	2416	Bffbdadk.exe	46
PID 2416 wrote to memory of 2216	2416	Bffbdadk.exe	46
PID 2416 wrote to memory of 2216	2416	Bffbdadk.exe	46

C:\Users\Admin\AppData\Local\Temp\37a3dc90614bd4d6996790aff1d6e3e6bccdc744d3dbf4d8808a74537a0fd9cbN.exe
"C:\Users\Admin\AppData\Local\Temp\37a3dc90614bd4d6996790aff1d6e3e6bccdc744d3dbf4d8808a74537a0fd9cbN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\SysWOW64\Alnalh32.exe
  C:\Windows\system32\Alnalh32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1084
- - C:\Windows\SysWOW64\Achjibcl.exe
    C:\Windows\system32\Achjibcl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\SysWOW64\Afffenbp.exe
      C:\Windows\system32\Afffenbp.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2660
    - - C:\Windows\SysWOW64\Aficjnpm.exe
        
        C:\Windows\system32\Aficjnpm.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2656
      - C:\Windows\SysWOW64\Akfkbd32.exe
        
        C:\Windows\system32\Akfkbd32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Windows\SysWOW64\Aqbdkk32.exe
        
        C:\Windows\system32\Aqbdkk32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\SysWOW64\Bhjlli32.exe
        
        C:\Windows\system32\Bhjlli32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\SysWOW64\Bjkhdacm.exe
        
        C:\Windows\system32\Bjkhdacm.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\SysWOW64\Bqeqqk32.exe
        
        C:\Windows\system32\Bqeqqk32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\SysWOW64\Bccmmf32.exe
        
        C:\Windows\system32\Bccmmf32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\SysWOW64\Bmlael32.exe
        
        C:\Windows\system32\Bmlael32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\SysWOW64\Bceibfgj.exe
        
        C:\Windows\system32\Bceibfgj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\SysWOW64\Bjpaop32.exe
        
        C:\Windows\system32\Bjpaop32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\SysWOW64\Bqijljfd.exe
        
        C:\Windows\system32\Bqijljfd.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\Bffbdadk.exe
        
        C:\Windows\system32\Bffbdadk.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\SysWOW64\Bieopm32.exe
        
        C:\Windows\system32\Bieopm32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Bcjcme32.exe
        
        C:\Windows\system32\Bcjcme32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1560
        
        C:\Windows\SysWOW64\Bfioia32.exe
        
        C:\Windows\system32\Bfioia32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Bjdkjpkb.exe
        
        C:\Windows\system32\Bjdkjpkb.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Ccmpce32.exe
        
        C:\Windows\system32\Ccmpce32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1792
        
        C:\Windows\SysWOW64\Cfkloq32.exe
        
        C:\Windows\system32\Cfkloq32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1476
        
        C:\Windows\SysWOW64\Cmedlk32.exe
        
        C:\Windows\system32\Cmedlk32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:676
        
        C:\Windows\SysWOW64\Cnfqccna.exe
        
        C:\Windows\system32\Cnfqccna.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2056
        
        C:\Windows\SysWOW64\Cfmhdpnc.exe
        
        C:\Windows\system32\Cfmhdpnc.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2212
        
        C:\Windows\SysWOW64\Cgoelh32.exe
        
        C:\Windows\system32\Cgoelh32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2456
        
        C:\Windows\SysWOW64\Cnimiblo.exe
        
        C:\Windows\system32\Cnimiblo.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Cebeem32.exe
        
        C:\Windows\system32\Cebeem32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2680
        
        C:\Windows\SysWOW64\Cnkjnb32.exe
        
        C:\Windows\system32\Cnkjnb32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2200
        
        C:\Windows\SysWOW64\Cchbgi32.exe
        
        C:\Windows\system32\Cchbgi32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1800
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2560
        
        C:\Windows\SysWOW64\Cmpgpond.exe
        
        C:\Windows\system32\Cmpgpond.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2192
        
        C:\Windows\SysWOW64\Cfhkhd32.exe
        
        C:\Windows\system32\Cfhkhd32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2260
        
        C:\Windows\SysWOW64\Danpemej.exe
        
        C:\Windows\system32\Danpemej.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1276
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:568
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 568 -s 144
        36⤵
        Program crash
        
        PID:912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Achjibcl.exe

Filesize
89KB

MD5
a23eb95458b86028979fcb27b15785c2

SHA1
b667544a9c39532c0b8fa7a87ea85560839953ed

SHA256
342fbfdf2b7538ed47271448aa56a429c024b672d816536aba270e8d84ac7fa2

SHA512
ac8e573ae265c78cd1a669eb1b02faef15099659b27465f6a5cc9f76937e43af004f4aaa11752ff29de48e299f5f3a094a90747b937420ec605f45fb87ee790d

Download Submit
C:\Windows\SysWOW64\Bccmmf32.exe

Filesize
89KB

MD5
bf94360bc157f443b1316c29809dddb2

SHA1
66062ec66a74b6fb1a27f58d305949580ce80b76

SHA256
1650082851b73f17b1828667aab05419a5cf105b0aab2ebf65668b4149d7e43a

SHA512
55f166a21c921d9bcdf5e71aeb422c8e15311dbd87b82365c3649336cfee97be879cf82f8b2b2011df82c0a3dd7d7edd6e61f3f65910fa55ce0b89a99c617368

Download Submit
C:\Windows\SysWOW64\Bceibfgj.exe

Filesize
89KB

MD5
0cfefbe5e15b093d4c7fa3706aa705c6

SHA1
9737e1f1bce49634eca34563b0d5012e9d9ba0d0

SHA256
6fd2ed1ca64b452aac8403a8c8206c8a7c827a26c177048adb4f72f162e922a1

SHA512
15800693b263430998fd6196dbc635d012ded092c80303903c2fabb4422822d1445b85f8b782d541c89d8440c89a73affc2c9b5e3689acd727c4f4de17df3199

Download Submit
C:\Windows\SysWOW64\Bcjcme32.exe

Filesize
89KB

MD5
3aee4d8cabe3463ae25e1372915e8149

SHA1
187982b5e3fba78a6bec9d581786aa9c23357203

SHA256
b0f18230b084fedad25253a0fa135ca07dfbaca6425b8fa9d2b89ed8a0710951

SHA512
ec18e4814b561297e47d9c7d6101bbd822840ea00decdc1a923b3652bec74ff2ef91f38bd3c91c170e995f3d2c9ff930799849da5b8aaeed63809176f863f426

Download Submit
C:\Windows\SysWOW64\Bfioia32.exe

Filesize
89KB

MD5
ae23211cce882c5694816671d63d3141

SHA1
827252f8696f7da15bb394af2fb03a99028b4412

SHA256
c2c09ae138657608987326ddb3bea450dc97b6135ffd99671712628148ebfeff

SHA512
4d04a480c44f85726dab55a5a494fe2e7e18062e8be79c2bb674785f6aaf248a7584c6ba7afb67e1b3887ff5b3d056f0682732cea2d893a156c2a4b660fd5ab0

Download Submit
C:\Windows\SysWOW64\Bjdkjpkb.exe

Filesize
89KB

MD5
33269f9e3a3e78e3db90e3aa87cf9d17

SHA1
9c70306f5e3d0b48b63cd082d557df250f7c9c91

SHA256
99357bc114dece619c02eb4610bff468bae2a999e6564d753c258425cd01fd32

SHA512
3c878a1319fe3230489f7ff020f7a16cf6e7943d77ab3d844eec0c43b19f2220db3dd998535cf37d5530294c3d013ffae7f0e9c5b84702df370045dbee55a812

Download Submit
C:\Windows\SysWOW64\Cchbgi32.exe

Filesize
89KB

MD5
017bc2f99592074e1ab669e64033478b

SHA1
68bef397d5daf22cede42e1c6c1d049cf77c67eb

SHA256
ad76ec8643b89ffba252ef142dfba245f09013ec2877478107251ffe8d3fd8e0

SHA512
76494296f48f8be19abf9198223e9154479b4194fac207849a7dcf3c60d969359030b60b4e4ad6f05027f09b465247b0451af4e46675339475629c6862773cf2

Download Submit
C:\Windows\SysWOW64\Ccmpce32.exe

Filesize
89KB

MD5
1fd8cd1b43329650a8c7248f96dc95da

SHA1
28d177b7b0764e0b4d4cbd6be860764482724fb0

SHA256
42929afd28c23a4b935352d3532a1bd682d3a2680e578cf56fb31eb9eb117b49

SHA512
276292380b70f217db15f73d0d4cb0fcb17d9151c32270307a1343055d9432ede64bf92c0c52ba794eb0d4762d9b341ddefc13c30913d519c2cadd0ed98243ea

Download Submit
C:\Windows\SysWOW64\Cebeem32.exe

Filesize
89KB

MD5
0f2ef8ec5c851eed1f3935eee2aa38a9

SHA1
69dfd17fe5c706e09278cc21ccd472fcfe2fadf5

SHA256
f0f22b81c9e8e48e735d11055eb48dfffbfcd9414f5f91103fb3f7282f7a7708

SHA512
e6525532f3c62b7263849c8baf893df8f9b12f6d0d29cce85d689ebbc1d052ab15fa3581f3d4569ec4f775dde0893eb357da3c9f1267f98681a6f9a9ff8186fe

Download Submit
C:\Windows\SysWOW64\Cfhkhd32.exe

Filesize
89KB

MD5
eda33c25170454461b869c85b2da9fd0

SHA1
a0569c6bb67ab9f45280450d97232f7e6587052c

SHA256
05d3d6fb76d21f66dd490ef7caaab361bccc3ee80df73a3b6d90acc78652046b

SHA512
b6b1ca41eef51feb8169b7013235153fad0193927de195f0b0d86400f70ff8346ebfa4f0eeaa20875307cde87c9739f1578d334a0812f958a5f0edd7eef3b450

Download Submit
C:\Windows\SysWOW64\Cfkloq32.exe

Filesize
89KB

MD5
9017f881af948f9c066e70374de854bc

SHA1
e15e570e8bb1b4c6258aa1ec74a929551b8b8c57

SHA256
acc88845d3cfd165a5b16b59a3fad3ac296fd6a3dcfe81d9a62ee8c2ee051173

SHA512
6f09f7a107f3528c5a40cf131e161f54806ea88974083a248c3a2e04285ff7ba3c73c36f7bb4d44d73f45ed5e1e82264401a18eea7573e6a493e38318436d7a1

Download Submit
C:\Windows\SysWOW64\Cfmhdpnc.exe

Filesize
89KB

MD5
bab440939fda259b2da388ce0d93ee78

SHA1
68643959fada0e3e8f3ac8175d9d63c4bf6de169

SHA256
3664d7f37c35d3f25eb0f034a3ccba6de428d398b7c2051abada10d364e4ba7a

SHA512
c74664d080d6deefccee8ca9333844db3c9beafee03eacf873fb14f0edb5ece2ef0da7adccd34f3a9b47d98fd03cff95813225845902474783c588933a0cb0db

Download Submit
C:\Windows\SysWOW64\Cgoelh32.exe

Filesize
89KB

MD5
d22ebe38e4a520c53b1e363e624aaa2c

SHA1
5ed05cd9fef9cb08ce6413503956b09bf1ac9f71

SHA256
7af5afcf8cf20ff30d2f51f0c669f766ec0c23547195a6a468b134dc3908dae3

SHA512
17c6f32fbcb680bb804b04b3b88dda13b708dce2769384e7dd306c885b5605f728ed9486336c015dbb94708c36c2d0d9d298d957b3ed1d7a2666cd8d6afea2de

Download Submit
C:\Windows\SysWOW64\Cmedlk32.exe

Filesize
89KB

MD5
ccd8df16a24d6ebf206d46a50f3518a7

SHA1
5c05f680b003d162e5a49e7a3048d590062c37ec

SHA256
7f68e298f25bd863b158fda90430b4281ae0025289a268cdfcb3903e5082b7dc

SHA512
508c92babd56bb51e0a3fb5f3f330a56b0a12c410f590d8a3776223401dfb034b44410587d6b850eaaf013214de297c659430bd0d0f05be8661b68ab1f99b5a8

Download Submit
C:\Windows\SysWOW64\Cmpgpond.exe

Filesize
89KB

MD5
a54113c11244cfce45f72e8292a21b23

SHA1
b8a1446c26f14dde36ff838771f3696de7d7c00c

SHA256
01726609cafc9c16b87e25a86efab5d3e1f6f6352031bf8d32c7748c23382e7f

SHA512
9df6b3004ece249bad93ffcfdf21947383fb7061f163ff51cfd319a2db01f5ffd8a17cca3b913292c25d2d419eabb58bd45f8538095cfddbd975850e6ec5f3d0

Download Submit
C:\Windows\SysWOW64\Cnfqccna.exe

Filesize
89KB

MD5
15be9f7eb989f347e808a27b217cd38d

SHA1
3f71259ae328b931311c7743e481a129b2beecee

SHA256
3c4eae8f953c159148123486061df76a1545370c5e2fabbc15b0eaae5a80b92e

SHA512
43c2cc24df7be4e3ddff3fd0f9e34d7867d929a7786a6380b2a33f3867bf44f6fadab0f8a89df080b97b8467d9b135da1976dd8483544c53282175b4fbe98f3a

Download Submit
C:\Windows\SysWOW64\Cnimiblo.exe

Filesize
89KB

MD5
3bf6784be3c7794d58b055d9d54f0d82

SHA1
f757107a8a0e0c95443e3dd054a446c5b9a261c8

SHA256
0bc1be9bae38f883be200e3b06040d40eca22632d8145a895e8e2960116fac98

SHA512
eb8af91aaff80ea1c80bb583d873cf72409c070fb585e582cc8a6751901c99d12aac21cf1ed83cc57185eae4b66afb9311e69f059e96a6a3ae3f241eff796d1a

Download Submit
C:\Windows\SysWOW64\Cnkjnb32.exe

Filesize
89KB

MD5
25d8a2b8cdf989d8f3ec535d3546e913

SHA1
f2ed60e9252d7c7ba9d5bf15074e663b3fa5e399

SHA256
1cb8e651af0cd79f8778960427050f3eddfc4a125e8f9f77eb1878b3fafd6fd5

SHA512
4f864f35e3cee1bc8adc08e19ea33d2391cc02c54f1d9f0d619f2d520ae086a212005fc4b27a4adeb6cefb8349cd8733e5e4f210bc77e7d23673b0cad25fc6b7

Download Submit
C:\Windows\SysWOW64\Cnmfdb32.exe

Filesize
89KB

MD5
390699f8f791365917d5174e8482199d

SHA1
81abf68f60e7d67e4920b01b7210a243c05b78b4

SHA256
774e261005f4d63d5661b84a7281faa58d99e93696896faac14f879554dd1067

SHA512
0b02c92c141da67ad1ec1f802565d4f1c83f2886816a43a7cbf1208b309430a1e67f87ed724c3299c48d3b481d2456ba12c5a2541ad6e9b35a91482907f94c55

Download Submit
C:\Windows\SysWOW64\Danpemej.exe

Filesize
89KB

MD5
95661cfba1046015ca0a06ba9687dd62

SHA1
d8827bd9abf340ad31f0117b9a729ed8efd29249

SHA256
d277f46a320ca4bc88b93f01d23f2314f6b1cac83b9058dde5616df78a4b4eb8

SHA512
13ddbe6d623fa8493c2a09186c5ae44c9f53695f401491560079bf1ba2c7e0ae3d740856e17e21d885e5097c4dfd5d0891d88662f0bcc4adc4718c636754b5d6

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
89KB

MD5
e4f82fa65d95281bf7c4e1da25f5f453

SHA1
49b5ed1a6314aaada0586a346a3bfdeab861651b

SHA256
796822815f60a603809b0c340e14584de85a15e10727423ec0a71937840f64a5

SHA512
c6ad8576c0098114d90f1ee2fc43d8f85d7991ba3e1e97d6d86f1953af546c9f46d4b78342f2cefab3bd4b05e5db3fb54b607b41011a600d731792dc632d9ee5

Download Submit
C:\Windows\SysWOW64\Gggpgo32.dll

Filesize
7KB

MD5
32d7d401b55db2e1772712a811ba1aab

SHA1
f0c83d60baf7981d2016a37fedb63a725b7f3ac8

SHA256
42dd64545767e85739c060eceaf260cd88f679a2b5e7bcf3377e94798fa389ee

SHA512
a9c55a303bde92b1f2b5d1654ae7fa8aaa2ea1feb284c319a9e0bf712f9ad5e797ae97c40f4494433010b295d492615cda26f9c8f77941a2141de57e521ddd09

Download Submit
\Windows\SysWOW64\Afffenbp.exe

Filesize
89KB

MD5
6dea8595ca46a41f5f2c3e953dda5169

SHA1
d9cae8c1db27f496aa1e0ed3c330e1101fbedc1b

SHA256
bc4e85cd3e56bf48aa9578657b6ad873da77428bd8b3ffc7dd8869cab194c595

SHA512
af8d5290cf0e62ebae33242235993070ebc6273838eba0e43f93f139a6384f81bf691561661aa66df861f557092528173a9be9526b3557ace43b2d1c0a38f92d

Download Submit
\Windows\SysWOW64\Aficjnpm.exe

Filesize
89KB

MD5
d2a20ba4cd223fa586e7d4d0d9fd0dfb

SHA1
433db90dc4ebdd17e8141d92fe30bb4f2273b233

SHA256
6c2c415adc1d3a79b681bc3524fda299583bf71b2f6ea9579f0d67dc6d790253

SHA512
18dfe1da16fb14277a65120b98d39580605eb3f230661263fefcb54e6c96df46b5b04194d2e9b3c696740beb711075e1ae7595fd83ec36519b8f5cd8e53a4477

Download Submit
\Windows\SysWOW64\Akfkbd32.exe

Filesize
89KB

MD5
7ceea36e96a9fe907736271b82cbd149

SHA1
dff79aeeb43ab3acf62fee3478da2d59d03205c5

SHA256
a3808357d49cab6bd4084c6f3c72a576eed24e9b745d07b61c4a62fae76c80dd

SHA512
1e3e6f5b43af7f1a50d7a1c9b66d2aafed817ca8a63a3951180b80df08ec9c9955fc06eb7a71fc7cbdfedbca5829d5fb3821eff5e70d7eba8e789ad2b15c5406

Download Submit
\Windows\SysWOW64\Alnalh32.exe

Filesize
89KB

MD5
96c6f8e998b4eb22a4eef772690925ba

SHA1
49e41e7a0904b3583795ae1561a1a05394990aa2

SHA256
f9156f8da1e41cfbdc71244a42c18e4ab578f2fb8b9cbd878701668aab47bcb2

SHA512
e5724e38bb7747f515ff222aded7348aef19c25be93db785431e131355256ddbd7ec55a1629963a20abbe5bfbacdc4154d9368fcbc31592891d3ee09a74b5ddd

Download Submit
\Windows\SysWOW64\Aqbdkk32.exe

Filesize
89KB

MD5
8fec7a3cbfab28e2150260322583e0c2

SHA1
688391d8a4cbc758be5eb6e67e7d9b8b12559994

SHA256
58fcf815122a3296f546a9b597938db58ac241b104ac61d8929c3e9ecd85d9ce

SHA512
69cd18375672f5c835402c04d8a157066834550edcf9e04db2dd0f66e4439b4b439a8e1db13f2bb17b718e6ba6ad0c445a9ee2b9a0b92a64f5c76bb54dcf8f1d

Download Submit
\Windows\SysWOW64\Bffbdadk.exe

Filesize
89KB

MD5
fd34e4fe715443cfefd09dc6b01e1a57

SHA1
bfe9cc4efec2896de138f9e6f39d7e077aa29c0c

SHA256
f898eeb651696ead9c8d705aeab81f8fec617d617077abbb8c6db66ccb409486

SHA512
7c1b0f00d2e3147870ce3e06780d64453edd8bde3fcc1c31285067501fc05e0e85dc8297dc7a06b79b4b5b7855cb4a52426a252955d5f8f46a03558cedb24162

Download Submit
\Windows\SysWOW64\Bhjlli32.exe

Filesize
89KB

MD5
c41a21b306313be004df2529eeccd0bf

SHA1
bf443093efd079a6e00b9920a0f9e214d6770f2e

SHA256
3997ae89ed143b6f10dba1d8c1acec87c05e6197339c85b115c2f2b1a622f34c

SHA512
84f516b56d45b30871076bc8bde4475d8997a3600f2bc0efaca9d42227fc83b7145e9cdc09d2550c8b62d19273fd4cf89acd7fca645f046f64f0fcd27fef61a4

Download Submit
\Windows\SysWOW64\Bieopm32.exe

Filesize
89KB

MD5
683ee7c60f02c166c1781ff22ddbf908

SHA1
395a6a77ceee80688656edc69d9d93c0be7c6fa5

SHA256
208f0e3d96fa68d12bba13609ed925518db26568a2027aef409c4b4c8168c178

SHA512
e7ed3139f8a3fcf78f6dbf5f587e9e6a4db42502be7aeac891dace50beee0647300a1d9f6cef9ac27aaa3572cccb90efe05f9ca8f1e2d2c595f882f0293f369b

Download Submit
\Windows\SysWOW64\Bjkhdacm.exe

Filesize
89KB

MD5
8410a4a4e8a821b6e55a461e4c159cef

SHA1
7dc2146684c461b6b6db05f5eb8e881e88547b11

SHA256
fe7ec9487ddf1ebcca965f90914fb651ec2e4dab7ac772d47050ace1b829b6a0

SHA512
a9172aa6114891d1c380df9b2cb8319846ec837e3e3ac209bffe42db67596450c4209ef48dd0b3830a767ff38a037cf752c70995d7ea8b0dd7d40e5b449eb87b

Download Submit
\Windows\SysWOW64\Bjpaop32.exe

Filesize
89KB

MD5
167cc7cec3b5f1e1e44bc2e5a0563490

SHA1
9b867e7f59dd11ee1cdf6f7d07a7b08c4b308123

SHA256
e5e0c5f5c3fa218368301171dd912bd3a21bb853b2d18f36cbb5b190ad531479

SHA512
8627e55e317e133ae05fed101be9e69310d0ed7b01f0aa9d18715d3408a3d3c1bf8d50e5a23d7ae5ee73f1b844caebf8f5b9aebe5cd0e187d0c4e1ce2c6841ee

Download Submit
\Windows\SysWOW64\Bmlael32.exe

Filesize
89KB

MD5
856ecbf2e56dfbdba367da0c2a3dc135

SHA1
90d681dbeda4262e25f323957d8ed32dfd4acfe5

SHA256
cd10503ca6fe96acafa079f620af21127b36d5bcfaaeae3395e35ab1b552d0fd

SHA512
706cf01bb9a11b799bee5fc78722612fe5db1c2caa059daaa9c0db2c4521aa8944856403b6f01cafd92634a8221a09f1a7bbb7572fa80d9f5ae63cdd9cda9f0a

Download Submit
\Windows\SysWOW64\Bqeqqk32.exe

Filesize
89KB

MD5
158b267b3beb8b7eec75528ff861bc62

SHA1
62ceedc93da7575cd9ea1424dbc3616421d5a4f7

SHA256
5f7779ab6e8f9e2db1450958fcbdb2ccb4febf4c9e931b3b180ed55462a2e6bf

SHA512
8885eb384de9e1590a61bbdf77ac1ac628f780e4b92eca902b1550925e9f45108b7888304663882ea666db8035bec786bdd5e89ace45ce5e8467932c968c5803

Download Submit
\Windows\SysWOW64\Bqijljfd.exe

Filesize
89KB

MD5
f528be1e0ca683788796bdbf07207fa3

SHA1
4257b0c513d36c15ecb4828fa9f8f5bb37d8e217

SHA256
6d1b0702c5eb927495799bdebb59e59efdb10798dbd4b09c30c6de45b6db8862

SHA512
d7a0d0a495fb75eb2ca2ac8c0ee8a68e71c15c730112e8cd71309935d2e81a7fdc46a941a8da055ce870b6d5089305fadc477f7ce740a199a5e6cfa818a05834

Download Submit
memory/568-404-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/568-429-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/676-274-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/676-284-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/676-280-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/676-423-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1084-18-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1276-401-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1276-402-0x0000000000310000-0x0000000000350000-memory.dmp

Filesize
256KB

Download
memory/1476-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1476-273-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/1476-272-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/1476-422-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1520-131-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1560-222-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1560-418-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1684-250-0x00000000002A0000-0x00000000002E0000-memory.dmp

Filesize
256KB

Download
memory/1684-420-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1684-251-0x00000000002A0000-0x00000000002E0000-memory.dmp

Filesize
256KB

Download
memory/1704-414-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1720-412-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1792-262-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/1792-252-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1792-421-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1792-258-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/1800-360-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1800-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1800-362-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1932-411-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1932-133-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1932-141-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/1968-413-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1968-159-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1968-167-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/1980-361-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1980-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1980-17-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2004-193-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/2004-415-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2004-185-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2056-289-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2056-294-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/2056-295-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/2124-318-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2124-327-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/2124-328-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/2124-425-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2192-377-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2192-378-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2200-346-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/2200-350-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/2200-340-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2200-426-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2212-306-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/2212-296-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2212-424-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2212-302-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/2216-417-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2216-218-0x0000000000330000-0x0000000000370000-memory.dmp

Filesize
256KB

Download
memory/2248-231-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2248-241-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/2248-419-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2248-237-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/2260-383-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2260-428-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2416-416-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2416-206-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2436-106-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2436-113-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/2436-410-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2456-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2456-316-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2456-317-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2560-363-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2560-427-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2596-409-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2648-407-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2648-67-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2656-403-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2656-60-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/2656-53-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2660-389-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2680-338-0x0000000000300000-0x0000000000340000-memory.dmp

Filesize
256KB

Download
memory/2680-334-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2680-339-0x0000000000300000-0x0000000000340000-memory.dmp

Filesize
256KB

Download
memory/2696-87-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2696-408-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2696-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2896-382-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2896-26-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2896-33-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2896-39-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads