67ec0088fc702d3e01029ba5c4a0c0d91f9d9872ecb85368b0593d56ae8f0197

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/10/2024, 21:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

67ec0088fc702d3e01029ba5c4a0c0d91f9d9872ecb85368b0593d56ae8f0197N.exe
Size

128KB
MD5

852a0a1117d1ab12be543cece64baa20
SHA1

0944bcb8f71bd5d49bbfb91b23738f503c728803
SHA256

67ec0088fc702d3e01029ba5c4a0c0d91f9d9872ecb85368b0593d56ae8f0197
SHA512

94e349de0e81e1dada3bd613af20ea9153e2e5152c451bb79089c78df57a3b99825d36b3f233e5353f119bcccae98ed6a31c5c252c4bdb8f1688716ed777c895
SSDEEP

3072:HJO5v/Bd44i4EdWRR9b/FWZVrdEznYfzB9BSwW:pqvD44i4gWRR9b/0rdYOzLc

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 62 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bigkel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjakccop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhjlli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnfddp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	67ec0088fc702d3e01029ba5c4a0c0d91f9d9872ecb85368b0593d56ae8f0197N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdenafn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aaimopli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdcifi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cepipm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akabgebj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bffbdadk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bieopm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfioia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bigkel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ahbekjcf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhjlli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caifjn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alqnah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahbekjcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Alqnah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkjdndjo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmlael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bkjdndjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfioia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaimopli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmlael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfdenafn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adlcfjgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnfddp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdcifi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Akabgebj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	67ec0088fc702d3e01029ba5c4a0c0d91f9d9872ecb85368b0593d56ae8f0197N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adlcfjgh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akfkbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Akfkbd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbblda32.exe

Executes dropped EXE 31 IoCs

pid	Process
2516	Aaimopli.exe
1804	Ahbekjcf.exe
2028	Akabgebj.exe
2792	Alqnah32.exe
2856	Adlcfjgh.exe
2588	Akfkbd32.exe
2608	Bhjlli32.exe
2172	Bnfddp32.exe
1276	Bdqlajbb.exe
808	Bkjdndjo.exe
2768	Bmlael32.exe
1252	Bdcifi32.exe
1076	Bfdenafn.exe
2940	Bmnnkl32.exe
1624	Bffbdadk.exe
1676	Bieopm32.exe
2956	Bfioia32.exe
1616	Bigkel32.exe
2108	Cbppnbhm.exe
2720	Cenljmgq.exe
2392	Cnfqccna.exe
1592	Cbblda32.exe
3008	Cepipm32.exe
2492	Cnimiblo.exe
1328	Ckmnbg32.exe
2636	Cnkjnb32.exe
2008	Caifjn32.exe
2692	Cjakccop.exe
2148	Cnmfdb32.exe
2716	Ccjoli32.exe
2560	Dpapaj32.exe

Loads dropped DLL 64 IoCs

pid	Process
2464	67ec0088fc702d3e01029ba5c4a0c0d91f9d9872ecb85368b0593d56ae8f0197N.exe
2464	67ec0088fc702d3e01029ba5c4a0c0d91f9d9872ecb85368b0593d56ae8f0197N.exe
2516	Aaimopli.exe
2516	Aaimopli.exe
1804	Ahbekjcf.exe
1804	Ahbekjcf.exe
2028	Akabgebj.exe
2028	Akabgebj.exe
2792	Alqnah32.exe
2792	Alqnah32.exe
2856	Adlcfjgh.exe
2856	Adlcfjgh.exe
2588	Akfkbd32.exe
2588	Akfkbd32.exe
2608	Bhjlli32.exe
2608	Bhjlli32.exe
2172	Bnfddp32.exe
2172	Bnfddp32.exe
1276	Bdqlajbb.exe
1276	Bdqlajbb.exe
808	Bkjdndjo.exe
808	Bkjdndjo.exe
2768	Bmlael32.exe
2768	Bmlael32.exe
1252	Bdcifi32.exe
1252	Bdcifi32.exe
1076	Bfdenafn.exe
1076	Bfdenafn.exe
2940	Bmnnkl32.exe
2940	Bmnnkl32.exe
1624	Bffbdadk.exe
1624	Bffbdadk.exe
1676	Bieopm32.exe
1676	Bieopm32.exe
2956	Bfioia32.exe
2956	Bfioia32.exe
1616	Bigkel32.exe
1616	Bigkel32.exe
2108	Cbppnbhm.exe
2108	Cbppnbhm.exe
2720	Cenljmgq.exe
2720	Cenljmgq.exe
2392	Cnfqccna.exe
2392	Cnfqccna.exe
1592	Cbblda32.exe
1592	Cbblda32.exe
3008	Cepipm32.exe
3008	Cepipm32.exe
2492	Cnimiblo.exe
2492	Cnimiblo.exe
1328	Ckmnbg32.exe
1328	Ckmnbg32.exe
2636	Cnkjnb32.exe
2636	Cnkjnb32.exe
2008	Caifjn32.exe
2008	Caifjn32.exe
2692	Cjakccop.exe
2692	Cjakccop.exe
2148	Cnmfdb32.exe
2148	Cnmfdb32.exe
2716	Ccjoli32.exe
2716	Ccjoli32.exe
2852	WerFault.exe
2852	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cnkjnb32.exe	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Bkjdndjo.exe	Bdqlajbb.exe
File created	C:\Windows\SysWOW64\Bmlael32.exe	Bkjdndjo.exe
File created	C:\Windows\SysWOW64\Dnbamjbm.dll	Bdcifi32.exe
File created	C:\Windows\SysWOW64\Jpebhied.dll	Bffbdadk.exe
File created	C:\Windows\SysWOW64\Bigkel32.exe	Bfioia32.exe
File created	C:\Windows\SysWOW64\Fnpeed32.dll	Cenljmgq.exe
File opened for modification	C:\Windows\SysWOW64\Bfioia32.exe	Bieopm32.exe
File created	C:\Windows\SysWOW64\Lloeec32.dll	Bieopm32.exe
File created	C:\Windows\SysWOW64\Cnfqccna.exe	Cenljmgq.exe
File created	C:\Windows\SysWOW64\Liempneg.dll	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Ccjoli32.exe
File opened for modification	C:\Windows\SysWOW64\Ccjoli32.exe	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Dkppib32.dll	67ec0088fc702d3e01029ba5c4a0c0d91f9d9872ecb85368b0593d56ae8f0197N.exe
File created	C:\Windows\SysWOW64\Adpqglen.dll	Ahbekjcf.exe
File created	C:\Windows\SysWOW64\Akfkbd32.exe	Adlcfjgh.exe
File created	C:\Windows\SysWOW64\Bmnnkl32.exe	Bfdenafn.exe
File opened for modification	C:\Windows\SysWOW64\Bmnnkl32.exe	Bfdenafn.exe
File opened for modification	C:\Windows\SysWOW64\Ckmnbg32.exe	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Cepipm32.exe	Cbblda32.exe
File created	C:\Windows\SysWOW64\Gpajfg32.dll	Caifjn32.exe
File created	C:\Windows\SysWOW64\Maanne32.dll	Aaimopli.exe
File created	C:\Windows\SysWOW64\Gggpgo32.dll	Adlcfjgh.exe
File created	C:\Windows\SysWOW64\Hpqnnmcd.dll	Akfkbd32.exe
File created	C:\Windows\SysWOW64\Bnfddp32.exe	Bhjlli32.exe
File opened for modification	C:\Windows\SysWOW64\Bdcifi32.exe	Bmlael32.exe
File opened for modification	C:\Windows\SysWOW64\Bigkel32.exe	Bfioia32.exe
File created	C:\Windows\SysWOW64\Bngpjpqe.dll	Bkjdndjo.exe
File opened for modification	C:\Windows\SysWOW64\Cbppnbhm.exe	Bigkel32.exe
File created	C:\Windows\SysWOW64\Cenljmgq.exe	Cbppnbhm.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Akabgebj.exe	Ahbekjcf.exe
File created	C:\Windows\SysWOW64\Fiqhbk32.dll	Alqnah32.exe
File created	C:\Windows\SysWOW64\Ckmnbg32.exe	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Niebgj32.dll	Cjakccop.exe
File opened for modification	C:\Windows\SysWOW64\Akabgebj.exe	Ahbekjcf.exe
File opened for modification	C:\Windows\SysWOW64\Bnfddp32.exe	Bhjlli32.exe
File created	C:\Windows\SysWOW64\Godonkii.dll	Bfdenafn.exe
File created	C:\Windows\SysWOW64\Jhogdg32.dll	Cnimiblo.exe
File opened for modification	C:\Windows\SysWOW64\Cnimiblo.exe	Cepipm32.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Ccjoli32.exe
File opened for modification	C:\Windows\SysWOW64\Bkjdndjo.exe	Bdqlajbb.exe
File created	C:\Windows\SysWOW64\Lkknbejg.dll	Bdqlajbb.exe
File created	C:\Windows\SysWOW64\Oaoplfhc.dll	Bmlael32.exe
File created	C:\Windows\SysWOW64\Bieopm32.exe	Bffbdadk.exe
File created	C:\Windows\SysWOW64\Oinhifdq.dll	Bfioia32.exe
File created	C:\Windows\SysWOW64\Cbblda32.exe	Cnfqccna.exe
File opened for modification	C:\Windows\SysWOW64\Cjakccop.exe	Caifjn32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Ahbekjcf.exe	Aaimopli.exe
File opened for modification	C:\Windows\SysWOW64\Akfkbd32.exe	Adlcfjgh.exe
File created	C:\Windows\SysWOW64\Kmapmi32.dll	Bhjlli32.exe
File created	C:\Windows\SysWOW64\Bdqlajbb.exe	Bnfddp32.exe
File created	C:\Windows\SysWOW64\Bfioia32.exe	Bieopm32.exe
File created	C:\Windows\SysWOW64\Pobghn32.dll	Cepipm32.exe
File created	C:\Windows\SysWOW64\Qoblpdnf.dll	Akabgebj.exe
File opened for modification	C:\Windows\SysWOW64\Adlcfjgh.exe	Alqnah32.exe
File created	C:\Windows\SysWOW64\Bhjlli32.exe	Akfkbd32.exe
File created	C:\Windows\SysWOW64\Hmdeje32.dll	Bigkel32.exe
File created	C:\Windows\SysWOW64\Cnimiblo.exe	Cepipm32.exe
File created	C:\Windows\SysWOW64\Onaiomjo.dll	Cnkjnb32.exe
File opened for modification	C:\Windows\SysWOW64\Aaimopli.exe	67ec0088fc702d3e01029ba5c4a0c0d91f9d9872ecb85368b0593d56ae8f0197N.exe
File created	C:\Windows\SysWOW64\Alqnah32.exe	Akabgebj.exe
File created	C:\Windows\SysWOW64\Bdcifi32.exe	Bmlael32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2852	2560	WerFault.exe	61

System Location Discovery: System Language Discovery 1 TTPs 32 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaimopli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bieopm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnfqccna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepipm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnimiblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akfkbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffbdadk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbppnbhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akabgebj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adlcfjgh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnfddp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkjdndjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmnnkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenljmgq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caifjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdqlajbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	67ec0088fc702d3e01029ba5c4a0c0d91f9d9872ecb85368b0593d56ae8f0197N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahbekjcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alqnah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhjlli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmlael32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bigkel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbblda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjakccop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdcifi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdenafn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfioia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkjnb32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaoplfhc.dll"	Bmlael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oinhifdq.dll"	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pobghn32.dll"	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liempneg.dll"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niebgj32.dll"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ahbekjcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gggpgo32.dll"	Adlcfjgh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bhjlli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bkjdndjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bffbdadk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkppib32.dll"	67ec0088fc702d3e01029ba5c4a0c0d91f9d9872ecb85368b0593d56ae8f0197N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Alqnah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Adlcfjgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cepipm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbamjbm.dll"	Bdcifi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	67ec0088fc702d3e01029ba5c4a0c0d91f9d9872ecb85368b0593d56ae8f0197N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adpqglen.dll"	Ahbekjcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiqhbk32.dll"	Alqnah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bigkel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpqnnmcd.dll"	Akfkbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkknbejg.dll"	Bdqlajbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bkjdndjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cbblda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Caifjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Akabgebj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Akabgebj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgqdaoh.dll"	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmapmi32.dll"	Bhjlli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmdlck32.dll"	Bnfddp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alecllfh.dll"	Bmnnkl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfioia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	67ec0088fc702d3e01029ba5c4a0c0d91f9d9872ecb85368b0593d56ae8f0197N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	67ec0088fc702d3e01029ba5c4a0c0d91f9d9872ecb85368b0593d56ae8f0197N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aaimopli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ednoihel.dll"	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Godonkii.dll"	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpajfg32.dll"	Caifjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnfddp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmlael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Caifjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	67ec0088fc702d3e01029ba5c4a0c0d91f9d9872ecb85368b0593d56ae8f0197N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Alqnah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaddfb32.dll"	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnpeed32.dll"	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cepipm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckmnbg32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 2516	2464	67ec0088fc702d3e01029ba5c4a0c0d91f9d9872ecb85368b0593d56ae8f0197N.exe	31
PID 2464 wrote to memory of 2516	2464	67ec0088fc702d3e01029ba5c4a0c0d91f9d9872ecb85368b0593d56ae8f0197N.exe	31
PID 2464 wrote to memory of 2516	2464	67ec0088fc702d3e01029ba5c4a0c0d91f9d9872ecb85368b0593d56ae8f0197N.exe	31
PID 2464 wrote to memory of 2516	2464	67ec0088fc702d3e01029ba5c4a0c0d91f9d9872ecb85368b0593d56ae8f0197N.exe	31
PID 2516 wrote to memory of 1804	2516	Aaimopli.exe	32
PID 2516 wrote to memory of 1804	2516	Aaimopli.exe	32
PID 2516 wrote to memory of 1804	2516	Aaimopli.exe	32
PID 2516 wrote to memory of 1804	2516	Aaimopli.exe	32
PID 1804 wrote to memory of 2028	1804	Ahbekjcf.exe	33
PID 1804 wrote to memory of 2028	1804	Ahbekjcf.exe	33
PID 1804 wrote to memory of 2028	1804	Ahbekjcf.exe	33
PID 1804 wrote to memory of 2028	1804	Ahbekjcf.exe	33
PID 2028 wrote to memory of 2792	2028	Akabgebj.exe	34
PID 2028 wrote to memory of 2792	2028	Akabgebj.exe	34
PID 2028 wrote to memory of 2792	2028	Akabgebj.exe	34
PID 2028 wrote to memory of 2792	2028	Akabgebj.exe	34
PID 2792 wrote to memory of 2856	2792	Alqnah32.exe	35
PID 2792 wrote to memory of 2856	2792	Alqnah32.exe	35
PID 2792 wrote to memory of 2856	2792	Alqnah32.exe	35
PID 2792 wrote to memory of 2856	2792	Alqnah32.exe	35
PID 2856 wrote to memory of 2588	2856	Adlcfjgh.exe	36
PID 2856 wrote to memory of 2588	2856	Adlcfjgh.exe	36
PID 2856 wrote to memory of 2588	2856	Adlcfjgh.exe	36
PID 2856 wrote to memory of 2588	2856	Adlcfjgh.exe	36
PID 2588 wrote to memory of 2608	2588	Akfkbd32.exe	37
PID 2588 wrote to memory of 2608	2588	Akfkbd32.exe	37
PID 2588 wrote to memory of 2608	2588	Akfkbd32.exe	37
PID 2588 wrote to memory of 2608	2588	Akfkbd32.exe	37
PID 2608 wrote to memory of 2172	2608	Bhjlli32.exe	38
PID 2608 wrote to memory of 2172	2608	Bhjlli32.exe	38
PID 2608 wrote to memory of 2172	2608	Bhjlli32.exe	38
PID 2608 wrote to memory of 2172	2608	Bhjlli32.exe	38
PID 2172 wrote to memory of 1276	2172	Bnfddp32.exe	39
PID 2172 wrote to memory of 1276	2172	Bnfddp32.exe	39
PID 2172 wrote to memory of 1276	2172	Bnfddp32.exe	39
PID 2172 wrote to memory of 1276	2172	Bnfddp32.exe	39
PID 1276 wrote to memory of 808	1276	Bdqlajbb.exe	40
PID 1276 wrote to memory of 808	1276	Bdqlajbb.exe	40
PID 1276 wrote to memory of 808	1276	Bdqlajbb.exe	40
PID 1276 wrote to memory of 808	1276	Bdqlajbb.exe	40
PID 808 wrote to memory of 2768	808	Bkjdndjo.exe	41
PID 808 wrote to memory of 2768	808	Bkjdndjo.exe	41
PID 808 wrote to memory of 2768	808	Bkjdndjo.exe	41
PID 808 wrote to memory of 2768	808	Bkjdndjo.exe	41
PID 2768 wrote to memory of 1252	2768	Bmlael32.exe	42
PID 2768 wrote to memory of 1252	2768	Bmlael32.exe	42
PID 2768 wrote to memory of 1252	2768	Bmlael32.exe	42
PID 2768 wrote to memory of 1252	2768	Bmlael32.exe	42
PID 1252 wrote to memory of 1076	1252	Bdcifi32.exe	43
PID 1252 wrote to memory of 1076	1252	Bdcifi32.exe	43
PID 1252 wrote to memory of 1076	1252	Bdcifi32.exe	43
PID 1252 wrote to memory of 1076	1252	Bdcifi32.exe	43
PID 1076 wrote to memory of 2940	1076	Bfdenafn.exe	44
PID 1076 wrote to memory of 2940	1076	Bfdenafn.exe	44
PID 1076 wrote to memory of 2940	1076	Bfdenafn.exe	44
PID 1076 wrote to memory of 2940	1076	Bfdenafn.exe	44
PID 2940 wrote to memory of 1624	2940	Bmnnkl32.exe	45
PID 2940 wrote to memory of 1624	2940	Bmnnkl32.exe	45
PID 2940 wrote to memory of 1624	2940	Bmnnkl32.exe	45
PID 2940 wrote to memory of 1624	2940	Bmnnkl32.exe	45
PID 1624 wrote to memory of 1676	1624	Bffbdadk.exe	46
PID 1624 wrote to memory of 1676	1624	Bffbdadk.exe	46
PID 1624 wrote to memory of 1676	1624	Bffbdadk.exe	46
PID 1624 wrote to memory of 1676	1624	Bffbdadk.exe	46

C:\Users\Admin\AppData\Local\Temp\67ec0088fc702d3e01029ba5c4a0c0d91f9d9872ecb85368b0593d56ae8f0197N.exe
"C:\Users\Admin\AppData\Local\Temp\67ec0088fc702d3e01029ba5c4a0c0d91f9d9872ecb85368b0593d56ae8f0197N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Windows\SysWOW64\Aaimopli.exe
  C:\Windows\system32\Aaimopli.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\SysWOW64\Ahbekjcf.exe
    C:\Windows\system32\Ahbekjcf.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1804
  - - C:\Windows\SysWOW64\Akabgebj.exe
      C:\Windows\system32\Akabgebj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2028
    - - C:\Windows\SysWOW64\Alqnah32.exe
        
        C:\Windows\system32\Alqnah32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2792
      - C:\Windows\SysWOW64\Adlcfjgh.exe
        
        C:\Windows\system32\Adlcfjgh.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\SysWOW64\Akfkbd32.exe
        
        C:\Windows\system32\Akfkbd32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\Bhjlli32.exe
        
        C:\Windows\system32\Bhjlli32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\SysWOW64\Bnfddp32.exe
        
        C:\Windows\system32\Bnfddp32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\SysWOW64\Bdqlajbb.exe
        
        C:\Windows\system32\Bdqlajbb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1276
        
        C:\Windows\SysWOW64\Bkjdndjo.exe
        
        C:\Windows\system32\Bkjdndjo.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:808
        
        C:\Windows\SysWOW64\Bmlael32.exe
        
        C:\Windows\system32\Bmlael32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Bdcifi32.exe
        
        C:\Windows\system32\Bdcifi32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Windows\SysWOW64\Bfdenafn.exe
        
        C:\Windows\system32\Bfdenafn.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\SysWOW64\Bmnnkl32.exe
        
        C:\Windows\system32\Bmnnkl32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\Bffbdadk.exe
        
        C:\Windows\system32\Bffbdadk.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Bieopm32.exe
        
        C:\Windows\system32\Bieopm32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1676
        
        C:\Windows\SysWOW64\Bfioia32.exe
        
        C:\Windows\system32\Bfioia32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\Bigkel32.exe
        
        C:\Windows\system32\Bigkel32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Cbppnbhm.exe
        
        C:\Windows\system32\Cbppnbhm.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2108
        
        C:\Windows\SysWOW64\Cenljmgq.exe
        
        C:\Windows\system32\Cenljmgq.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Cnfqccna.exe
        
        C:\Windows\system32\Cnfqccna.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2392
        
        C:\Windows\SysWOW64\Cbblda32.exe
        
        C:\Windows\system32\Cbblda32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Cepipm32.exe
        
        C:\Windows\system32\Cepipm32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\Cnimiblo.exe
        
        C:\Windows\system32\Cnimiblo.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2492
        
        C:\Windows\SysWOW64\Ckmnbg32.exe
        
        C:\Windows\system32\Ckmnbg32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1328
        
        C:\Windows\SysWOW64\Cnkjnb32.exe
        
        C:\Windows\system32\Cnkjnb32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2636
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\Cjakccop.exe
        
        C:\Windows\system32\Cjakccop.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2692
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2716
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2560
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 144
        33⤵
        Loads dropped DLL
        Program crash
        
        PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaimopli.exe

Filesize
128KB

MD5
0e271a8337e6bbc2fa1f63cd63a1d71e

SHA1
1770971effc8918e57e544711335c253225e0e0c

SHA256
35cf1d6c2ad15c1c83452d9125c962b3927b95500ebd63df89f06fd948f6ece5

SHA512
d8ec47b63490c33110f3cce806800899d84f4f3866fb80eeb5b10a76384754efed0bed5527685e2c606cafdf8e387ee59b95fd8d81d52e94e7f7550161ddead1

Download Submit
C:\Windows\SysWOW64\Ahbekjcf.exe

Filesize
128KB

MD5
7f36bf4a55f30b271106d2f3ee5b07a8

SHA1
4a33a2af529fcd9f85d519c5f558b4b35a2b3e01

SHA256
7d2699ae9e6257f04fcd762ab3d65df30377959d6542106a2073d0038fc58c54

SHA512
172ccf2b085e7a1cac04f53650b95875c696779375f71928a4cb25c7d08a4915e6bc2d73197ee5979d63c8a3a5aa08252c30de18a03c4bb205cf1ed7a68bb89e

Download Submit
C:\Windows\SysWOW64\Akfkbd32.exe

Filesize
128KB

MD5
6f92eaeafb64c1323964b8fbbe731ac6

SHA1
ed53071fe0b6d4ba828ee4e82fd4276297c89146

SHA256
d85ad7888dd008e877d5ca188b45ef86966923ba38e5fe9a2018732354f36534

SHA512
a9e93c99b6ace1aac2196320386bbf6e5950b053e429444e6e35595f91490d40656768dae41bbc52255691103636ad55b884ae707671e15e30bd893603bb2f19

Download Submit
C:\Windows\SysWOW64\Alqnah32.exe

Filesize
128KB

MD5
0223a79bf6ffe85b33e3caf183c45aa8

SHA1
1ec8860600d9e5894a56c89c95214365097194fc

SHA256
a0eae4d57a31760b4f5131a87a5bffa8ed523ce6aa295e9f78d890a22bdcf2ac

SHA512
f0e90a462ea2da3d23a482a87068e145a48ca074f36d631f841182781fa2c9de9d0f65dc8b92c04ee1edcc484da8b01ee0c8c20b5f0ea42c7ea0699a416662db

Download Submit
C:\Windows\SysWOW64\Bdcifi32.exe

Filesize
128KB

MD5
f72b47e8e328c6171a41882ac3d2ebde

SHA1
c948db043ecae86363bcc742fd3bb4fd2ea49212

SHA256
949a1c8933fe191f41688222b1475276d25bc4aff4c6b28c5b0f92eb7f547a89

SHA512
24cd037ccd829030cd7d904193bc24d711c57717caa4e877193749c5220374ff6f639ae55e4e49fb1f9581881d7ece38ad8a698c6d8c258aa924d8fd37ea7fdd

Download Submit
C:\Windows\SysWOW64\Bfioia32.exe

Filesize
128KB

MD5
6904c999a882d67117c82ef114dffa59

SHA1
6125ef2de7b62f07c27fe873d5bdbc53dbb2f05c

SHA256
62829ae56c7dd0f70e5adb2ffdd3b599fd1feb8ec379d387917811499ce9a645

SHA512
73470e515b0ae5bf5e6989a951e24501e273fb28188f3585d3c95474348618ab857cdf6f3742b8960ef4f7ee1151c24ab8417c9c0a8323652f5e79edb1e2b1c3

Download Submit
C:\Windows\SysWOW64\Bieopm32.exe

Filesize
128KB

MD5
81bc1be463f25a4c2fda471064a31ea1

SHA1
0ff477f668d2878071299e2278dc0028dba1f7f3

SHA256
2ac38c2f4ea4faeec37a407e07bf6b048c0dcbea279083f1a99a9f72b36f1db0

SHA512
8447f69e635197fd84309186be13ac0afe0861a1d62552de111f6b31d8b0376c212f6645da900b3a334afa3588665e5617a808ef3fe3e442f2aa24b5ec504676

Download Submit
C:\Windows\SysWOW64\Bigkel32.exe

Filesize
128KB

MD5
44abc403454418efb89d351166927a77

SHA1
cd0063c6b89ef940836b0f1278b961817559d54e

SHA256
62f058a839cd1d677ebe5f5aa2394016922151a8e85b1ea6d6de80482a7e36dc

SHA512
99bf364401a8db288b893f2237d7e3c144943486fcea671009685af0c02ad6d7aa26cab485ac8a590f2f0c365b481cd80940f200a002c3211e3a8224bb172c59

Download Submit
C:\Windows\SysWOW64\Bkjdndjo.exe

Filesize
128KB

MD5
5b1aaa8d1c3679a4342af9612e7cbf87

SHA1
6457a8023ad57ae2908a97ef9a620898a8a2f6cd

SHA256
af3155c024eabb5674e3d2e00877d2ba28eaddc0dc43a69c307acdca5aefa82b

SHA512
d8e3a0e3ca431e65e1a262e52d67bd81c82ba3ac1a86a2f677ad9994de2858788e1a818526d5d4db8d4de6067d6363c6a891c5e7287b9a13da3f35001fafb24b

Download Submit
C:\Windows\SysWOW64\Bmnnkl32.exe

Filesize
128KB

MD5
c10950d51ceb157a7f396d3f84bf69ce

SHA1
0d08407b6285dd80afa1466c46be2c11299783e1

SHA256
4455a63b69e62f52714858aab14314e48e153189d20b2ee116ee35e212c947e4

SHA512
e83f0fa472cc5fcc2b1e3e036e30f8c1eb6108a3d055e42f4aa4d68a0a6547fd3f6816136001b8faff1209486b0477ca3f86d502d41190bb72848fd2423f546c

Download Submit
C:\Windows\SysWOW64\Caifjn32.exe

Filesize
128KB

MD5
8c71e9a6cfc62c9893d8efc532c66b93

SHA1
a1b47bba8a3bb5593167302d920a927f4d71bfa6

SHA256
255c82f2315820ce20f5b367370c55368ba5a0e13f8cda9d36364367f86c4e2c

SHA512
6ac025b8d1eba88e5cc5d3ef398fad5c412d82aa950b84c5cd8d7919042ccaec31fbcf7fae3474cf749f278667bb74eb5e1b0d36c7e640b413a0a51ee56321b9

Download Submit
C:\Windows\SysWOW64\Cbblda32.exe

Filesize
128KB

MD5
cc27292904f818f0fe1776dbf006eadc

SHA1
c68bc3c41555e45165a72dc0ff5cd16354ffdb91

SHA256
0270edf0b0811179d995f7c9f4bbdcba9ce5c932a903a86eb8a8459bb4dbefb4

SHA512
cae5e72ed677e3612f11eb68c7563d3936f97c445e1c2918314e31d281b915757fb5c2441d516ebdcf79b69e18909a19304152da009274dc8824e48b91476f87

Download Submit
C:\Windows\SysWOW64\Cbppnbhm.exe

Filesize
128KB

MD5
9c9c8f55fb30e4fc199d3c11c1fc646a

SHA1
75dc46c050bcd1b8ba1beba379e56b60a693aeb0

SHA256
d4b017897fbe62dd0a00f10ef19d40fa69941bbaef45f1507105c401c5bfcd00

SHA512
581156ea9c73ecb098a575188fd779b7950093efecdb49c29fab2fec6a95e442e620b9c9021f0766e8bdf7969ec4444dd58cf602750552d1db7c26c7dfce9fff

Download Submit
C:\Windows\SysWOW64\Ccjoli32.exe

Filesize
128KB

MD5
a2c1bc08ca39578c0e2189749215c930

SHA1
dc8a5dc5b0e5b8f965028ee33cc9f1dcfb6ea086

SHA256
d3c3218bf294616fd14485b0c6cc913390d493e6b7d8ee55fdd1ef1dd8c6caa9

SHA512
9b462eaae2c4110b4263dac57b67233729d94ee31fe07317a4139c9bdead96bf9f90a24638b8112af1180cabf162905f1b46a33a45141dfc6d6e99db699da3b0

Download Submit
C:\Windows\SysWOW64\Cenljmgq.exe

Filesize
128KB

MD5
7577ba084b683dec5eafb9df4cc13a14

SHA1
65ec1b42afa3c11f55b1b8a02a8f1a50820b75f1

SHA256
1579e75ba17deea69bde90cd56377b4b9ed9ab93777dbe50b50a822053b2bbd3

SHA512
41469302f0e7f8ec351e70c24f82e664140fddad8dcdd4b9865e3f5f1981e8a5ef1c41a19855b6159012c23e749a7b8040502d8e5a14be36e711eef60004e052

Download Submit
C:\Windows\SysWOW64\Cepipm32.exe

Filesize
128KB

MD5
d8be4d4af4b80b677d8da87da58a0aba

SHA1
d52ec7854274f9662dff48a9a66529fbdb211948

SHA256
de889cf6b01da3ba3310c16f3f2a8f8a25668f4ad9ea14096d7cd151cc80327b

SHA512
0b318fc618d463a061acff511c6168592a9af7b7f220bf27d3c9de00308a834015407c246f3292529644b2d663812a231a0c8e59095e8a17ce5a79e64412ddb9

Download Submit
C:\Windows\SysWOW64\Cjakccop.exe

Filesize
128KB

MD5
a23e719efdc7bd44ffbab7530de5f643

SHA1
4f7f2c052e47546525bcf159bce181890af00208

SHA256
a78a13e5f7125eb5c1f07acf59d049123d0cbf403305084dd768bffa5b12a3c4

SHA512
46d390826c5f2fe9b22ee5e5d9f18cccb7f9ea27b0f5de606545a4129ad803859e0c46666a7e05f63652c458fab9c962008bf593e3c7651664a488a699e576ac

Download Submit
C:\Windows\SysWOW64\Ckmnbg32.exe

Filesize
128KB

MD5
94f3b3df8898d8526fb768d5381594a7

SHA1
d671c0c02b718ddece3d17488495a45966f72552

SHA256
9b40beda5f8d2abc9b2dbe674268f96db7b25cd600d374bb678ad575aec2957b

SHA512
1c47a380bbd1de07514210e7bde24a794889e325891c5bac9a5d79909daea23b3fa9314dd64ebeb24db938ff6a9b41cb11a769799ebbc834b262d9f95ed1980f

Download Submit
C:\Windows\SysWOW64\Cnfqccna.exe

Filesize
128KB

MD5
d75614e36d215b06ca670c2a2bb0e076

SHA1
c6fad015d1d07614046557e492b546c9e55334e4

SHA256
7913f311e1c19ed45ded75761d811bd9633a904229d28d6a0df6869d8eabb12e

SHA512
67f1864ed30db3287f0d5ec4badbd7ada8c71000630b0548fd222458be27d15690e480f0d73ba15747e2705d02cd9d0ae6c6ab71c77a569471b4a1afe33ec303

Download Submit
C:\Windows\SysWOW64\Cnimiblo.exe

Filesize
128KB

MD5
ba510d64b3d97a168fb58abccdd5f4ad

SHA1
c466941fbaf8fee8de3ba39cf31c73aeccc3471e

SHA256
e2b6f89ece6958917f0630a27d7f1e738ff520ec46015e3a76aa25a7ee49036e

SHA512
254f8adbb1e69676d14e7fdc760aa1d048e7789a446b10863947ad9d1a50e7ab8d6cb3a1e4638b15bb27ec85ac910815600987ecd7720b9f9fa1b8b6575ab75e

Download Submit
C:\Windows\SysWOW64\Cnkjnb32.exe

Filesize
128KB

MD5
798301efab6e380beb454ff1f0d08947

SHA1
07b032cb8b2ef4843ccb185a8cb0ead83e2247b5

SHA256
915c85946a23cbf8c8626a469d4538fd999f3e0aecd9f5bd4beb8b20e93ea288

SHA512
a3943668246acf0e67f1c65b2688a8a09d4bb65439eed85a9d0768d09b05697d4092a14de6ef78ccc1f4142918f4de7ea8eef059f58e55e19f617096d33f3543

Download Submit
C:\Windows\SysWOW64\Cnmfdb32.exe

Filesize
128KB

MD5
afecce319cce1dee587c5a0a2a77d61e

SHA1
ec791663b6b18a71056e7f402258f5087621344e

SHA256
fa55a111faec7ad9c66db4fa796485e5d26315cb4d3ce2b3d04b23be5f16ec03

SHA512
dde683f2632c347ddc005b3f05870690c908aa1f85e4e3ecf040efc4bb3289b942ca11293c3ccd35071db7f5991f169257f480ce847c66fe91004e505de25731

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
128KB

MD5
8641bb8222ca26932dbfb0733282ec66

SHA1
2ac04c2a57a6ad627f5b6df033af4234463e1a2c

SHA256
4676793e97ae5c27661e65bad90fc4ffa5681795943af48e81a76db844824635

SHA512
85e59b6e83fe3838f41242b0ae6babe12d9c066b52068f952004edc3e3e7fe8f459515edb9769539e1b1dba423d4e00359f765b39b8d1713cb8b8748d929a3a0

Download Submit
C:\Windows\SysWOW64\Fiqhbk32.dll

Filesize
7KB

MD5
10d68374480ce37609a4032166b1e578

SHA1
f6b1b523687dd18ec1dbe5a7a06cd926b281d3ae

SHA256
bb415c1d616e9609965d41f015efc8ea636bee8c1541780a3330bdb81af70862

SHA512
0e14d6d70114c89368afafad4b7c98b0e4744c97f21e32bd1d666db85338c0f191ee28e6c964f114a6ae8ef0c2d4fc8adff92439ffd124720574ef85906042af

Download Submit
\Windows\SysWOW64\Adlcfjgh.exe

Filesize
128KB

MD5
80c7320adc6f27515412346e5e47477f

SHA1
7c610580ed16d60ecb5fe762aec33473f08083ab

SHA256
ad97ac2fd53846d0ae4ec004cacedb3c18eb50ffb3ea3cfd0c68c2ff07729540

SHA512
b9be0081f8b64419d5d06a18754d2611d868c157d48e4a2e4741d0f3d97d7d32e8e48cc16e35d3bdc5a8bbb6011cd074e0fe37c1465a82b40595fb18af11d2ac

Download Submit
\Windows\SysWOW64\Akabgebj.exe

Filesize
128KB

MD5
35e1570e82afc4da4c1dfa678291ccfd

SHA1
e404cf7cfb72587b2765b121e69b8cf89c118b74

SHA256
07539c427c5744a796fa63a0e328412dbbb6b6b9799c48ae1d8db2798c2a5df6

SHA512
dae933b525ffe59761f3a1933e607d38693e0e26ff90ce1bbddb84b99e672a1b8e407159b2f04c9808e8e1f4a7bcfd3b10a5516c03b3b2e22696503e319c5f79

Download Submit
\Windows\SysWOW64\Bdqlajbb.exe

Filesize
128KB

MD5
353a69bb41bc740989275106634811fd

SHA1
0b346f58e6eebeeb05a67b96475ad694589027f0

SHA256
5fff6fcdcfda938a200acb34e9a94c36a8c03eb633c1059718c183a5ce8557fb

SHA512
f6a24c02c94db491e45e4296e95bd6bb2b2699c7c70b7f68d77222beedd80306989adf43fcc2523dc18a2b4d3d0f6e17d58a078ced4368288b7314dbcd8d129d

Download Submit
\Windows\SysWOW64\Bfdenafn.exe

Filesize
128KB

MD5
176a94dae90f93d3733d4d1f61ceddbf

SHA1
b2dc4530252d5cd04b299527395ee17ac0b95fa0

SHA256
82b3e63e7b1121ac34415ce609048f8bd6bef6b0baafa19a06bebeadeb23b557

SHA512
0107196d1b2b00110c2e1fc0370f31e06ffcf510910c449f2ebc0b381ed98c148615b3f170bac42251c4a5543a048aa4258ac3dc22ca1e82b1e1d044b4f709a4

Download Submit
\Windows\SysWOW64\Bffbdadk.exe

Filesize
128KB

MD5
97fc7acf6362c3ab7ec59c138466afb3

SHA1
0507cdcc12f952faf101b47df90480a79aac3159

SHA256
98f20843ed46f2ec22b32ce4a0a65d975a4c99a9bdd1900335c00cad1b61b497

SHA512
de4a15438be50bd68aac27b532e905166941b4896b3ed4cbd68f40f37c7d2356ecc4d1f3c9a245c1bbbf7c70a9a6c789b564f2c8a31bd944aa6d8d06d67a76cb

Download Submit
\Windows\SysWOW64\Bhjlli32.exe

Filesize
128KB

MD5
2d282d17e929f83573c071050610784f

SHA1
b83269d7a9badc96fe60852488706a054c84e996

SHA256
17d9c92f7767b940e60e5573aa890c7016b2446934ea0c37b1f4ef0175ca9bd4

SHA512
6b3791a00569fb67f333ed2efd452d1323f63b1781f5a4c4131eb30c118a0d8e707d57315b3516e62d03c9fad9e5ed861ab38e63f2bbaca673aae05c6cc5ed7a

Download Submit
\Windows\SysWOW64\Bmlael32.exe

Filesize
128KB

MD5
554f5f7608a5f063e76249d3e99d9a19

SHA1
825113e41313799894247434068c9ceb23edab66

SHA256
056ae5fba5dd1e05475741e3c83b9fc8ab8d5b5b5528cf78f6a77daef769bec0

SHA512
efceb1c29f903181f6d76abddee8cd3e9ea70ebc9047a2a450276f8b467955e69a0393dff919c773af7755dd2ff4526527d92a548c17e22183c6b49711830fc4

Download Submit
\Windows\SysWOW64\Bnfddp32.exe

Filesize
128KB

MD5
7cb22832c3d071a81945ee34786d7481

SHA1
0a87bb0fdd0f0f8ae7c520731fbfe873f036b6eb

SHA256
67948e462be6b5246c19508ccca8e467571dabdfbbc8bf5082934674707f493e

SHA512
3e6657370d6b242fa2695e697895d35ac221aaf3b5ec1ec8c84d86ab172f30c5ab47232c554c2f24dc5b4286e72d0ad18fefd0c4c52852539899986506f17fe7

Download Submit
memory/808-133-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/808-386-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1076-172-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1076-384-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1252-159-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1252-385-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1276-388-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1328-319-0x0000000000310000-0x0000000000354000-memory.dmp

Filesize
272KB

Download
memory/1328-313-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1328-315-0x0000000000310000-0x0000000000354000-memory.dmp

Filesize
272KB

Download
memory/1592-286-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/1592-285-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/1592-379-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1592-276-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1616-387-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1616-233-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1616-242-0x00000000002D0000-0x0000000000314000-memory.dmp

Filesize
272KB

Download
memory/1624-203-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1676-221-0x00000000002D0000-0x0000000000314000-memory.dmp

Filesize
272KB

Download
memory/1676-211-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1676-383-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1804-27-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1804-371-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2008-339-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2008-340-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2008-380-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2028-45-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2028-52-0x0000000000310000-0x0000000000354000-memory.dmp

Filesize
272KB

Download
memory/2028-374-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2108-252-0x00000000002D0000-0x0000000000314000-memory.dmp

Filesize
272KB

Download
memory/2108-253-0x00000000002D0000-0x0000000000314000-memory.dmp

Filesize
272KB

Download
memory/2108-243-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2108-390-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2148-356-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2148-361-0x0000000000300000-0x0000000000344000-memory.dmp

Filesize
272KB

Download
memory/2172-115-0x0000000001FF0000-0x0000000002034000-memory.dmp

Filesize
272KB

Download
memory/2172-394-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2172-107-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2392-270-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2392-275-0x0000000000450000-0x0000000000494000-memory.dmp

Filesize
272KB

Download
memory/2392-274-0x0000000000450000-0x0000000000494000-memory.dmp

Filesize
272KB

Download
memory/2464-17-0x0000000000450000-0x0000000000494000-memory.dmp

Filesize
272KB

Download
memory/2464-351-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2464-18-0x0000000000450000-0x0000000000494000-memory.dmp

Filesize
272KB

Download
memory/2464-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2492-298-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2492-307-0x00000000002E0000-0x0000000000324000-memory.dmp

Filesize
272KB

Download
memory/2492-308-0x00000000002E0000-0x0000000000324000-memory.dmp

Filesize
272KB

Download
memory/2492-381-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2516-19-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2560-375-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2560-395-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2588-392-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2588-88-0x0000000000340000-0x0000000000384000-memory.dmp

Filesize
272KB

Download
memory/2588-81-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2608-391-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2636-330-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2636-326-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2636-378-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2636-320-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2692-341-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2692-377-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2692-347-0x0000000000260000-0x00000000002A4000-memory.dmp

Filesize
272KB

Download
memory/2716-362-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2716-389-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2720-263-0x00000000002D0000-0x0000000000314000-memory.dmp

Filesize
272KB

Download
memory/2720-396-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2720-254-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2720-268-0x00000000002D0000-0x0000000000314000-memory.dmp

Filesize
272KB

Download
memory/2768-157-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2792-54-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2792-61-0x00000000002E0000-0x0000000000324000-memory.dmp

Filesize
272KB

Download
memory/2792-376-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2856-73-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2856-393-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2940-382-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2940-185-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2956-226-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2956-232-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2956-231-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/3008-295-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3008-297-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/3008-296-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads