berbew | b4e76d460d58c7dd50d00dd43e45b40cd457a80648614f6d0f38b3db71c57028

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/10/2024, 22:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b4e76d460d58c7dd50d00dd43e45b40cd457a80648614f6d0f38b3db71c57028N.exe
Size

69KB
MD5

5d7e7fc5272585c800601c21a368bb40
SHA1

a9ff4bf957dff4ade7e1aaa56b5039a63c4b717d
SHA256

b4e76d460d58c7dd50d00dd43e45b40cd457a80648614f6d0f38b3db71c57028
SHA512

e350df0a9bdbfd340063570cc62efed07674bcb51c7b9acfaf4a5cf82cc8c23d82325ea792eca05670bb86543929cae215017f0d9c4cabe6edc1189b87910935
SSDEEP

1536:JQCtgLc1kIQ3Wt7y/ZXORKTNPgUN3QivEg:JQCtIcilw7y/ZNPgU5QM

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abmgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjobffl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cebeem32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceebklai.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhjlli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkjdndjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqijljfd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjobffl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cepipm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoojnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cepipm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahpifj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apgagg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boljgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adlcfjgh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Coacbfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Coacbfii.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnghel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahpifj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbbpenco.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjpaop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjbndpmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b4e76d460d58c7dd50d00dd43e45b40cd457a80648614f6d0f38b3db71c57028N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alihaioe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjkhdacm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bceibfgj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adnpkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnghel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aoojnc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbbpenco.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boljgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apedah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Achjibcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adifpk32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 52 IoCs

pid	Process
2944	Qnghel32.exe
2080	Alihaioe.exe
2244	Apedah32.exe
2892	Ahpifj32.exe
2552	Apgagg32.exe
2684	Aaimopli.exe
2620	Achjibcl.exe
1052	Adifpk32.exe
564	Aoojnc32.exe
1156	Abmgjo32.exe
2052	Adlcfjgh.exe
1272	Agjobffl.exe
2800	Adnpkjde.exe
1996	Bhjlli32.exe
1116	Bjkhdacm.exe
948	Bbbpenco.exe
2248	Bkjdndjo.exe
940	Bjmeiq32.exe
1076	Bceibfgj.exe
2140	Bjpaop32.exe
552	Bqijljfd.exe
316	Boljgg32.exe
2492	Bjbndpmd.exe
2320	Bmpkqklh.exe
2956	Bbmcibjp.exe
2788	Bjdkjpkb.exe
2676	Coacbfii.exe
2568	Ccmpce32.exe
2592	Cenljmgq.exe
2972	Cmedlk32.exe
1032	Cnfqccna.exe
264	Cepipm32.exe
1732	Cgoelh32.exe
568	Cpfmmf32.exe
2520	Cnimiblo.exe
2028	Cebeem32.exe
2004	Cebeem32.exe
2400	Cinafkkd.exe
2432	Ckmnbg32.exe
2516	Cbffoabe.exe
1540	Ceebklai.exe
1736	Cchbgi32.exe
1560	Clojhf32.exe
908	Cnmfdb32.exe
2256	Cmpgpond.exe
2232	Calcpm32.exe
1828	Ccjoli32.exe
1992	Cfhkhd32.exe
348	Djdgic32.exe
2084	Dnpciaef.exe
2700	Danpemej.exe
2708	Dpapaj32.exe

Loads dropped DLL 64 IoCs

pid	Process
2832	b4e76d460d58c7dd50d00dd43e45b40cd457a80648614f6d0f38b3db71c57028N.exe
2832	b4e76d460d58c7dd50d00dd43e45b40cd457a80648614f6d0f38b3db71c57028N.exe
2944	Qnghel32.exe
2944	Qnghel32.exe
2080	Alihaioe.exe
2080	Alihaioe.exe
2244	Apedah32.exe
2244	Apedah32.exe
2892	Ahpifj32.exe
2892	Ahpifj32.exe
2552	Apgagg32.exe
2552	Apgagg32.exe
2684	Aaimopli.exe
2684	Aaimopli.exe
2620	Achjibcl.exe
2620	Achjibcl.exe
1052	Adifpk32.exe
1052	Adifpk32.exe
564	Aoojnc32.exe
564	Aoojnc32.exe
1156	Abmgjo32.exe
1156	Abmgjo32.exe
2052	Adlcfjgh.exe
2052	Adlcfjgh.exe
1272	Agjobffl.exe
1272	Agjobffl.exe
2800	Adnpkjde.exe
2800	Adnpkjde.exe
1996	Bhjlli32.exe
1996	Bhjlli32.exe
1116	Bjkhdacm.exe
1116	Bjkhdacm.exe
948	Bbbpenco.exe
948	Bbbpenco.exe
2248	Bkjdndjo.exe
2248	Bkjdndjo.exe
940	Bjmeiq32.exe
940	Bjmeiq32.exe
1076	Bceibfgj.exe
1076	Bceibfgj.exe
2140	Bjpaop32.exe
2140	Bjpaop32.exe
552	Bqijljfd.exe
552	Bqijljfd.exe
316	Boljgg32.exe
316	Boljgg32.exe
2492	Bjbndpmd.exe
2492	Bjbndpmd.exe
2320	Bmpkqklh.exe
2320	Bmpkqklh.exe
2956	Bbmcibjp.exe
2956	Bbmcibjp.exe
2788	Bjdkjpkb.exe
2788	Bjdkjpkb.exe
2676	Coacbfii.exe
2676	Coacbfii.exe
2568	Ccmpce32.exe
2568	Ccmpce32.exe
2592	Cenljmgq.exe
2592	Cenljmgq.exe
2972	Cmedlk32.exe
2972	Cmedlk32.exe
1032	Cnfqccna.exe
1032	Cnfqccna.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Aaimopli.exe	Apgagg32.exe
File created	C:\Windows\SysWOW64\Jcojqm32.dll	Bjkhdacm.exe
File created	C:\Windows\SysWOW64\Lbmnig32.dll	Bbmcibjp.exe
File created	C:\Windows\SysWOW64\Gdgqdaoh.dll	Cnfqccna.exe
File opened for modification	C:\Windows\SysWOW64\Cinafkkd.exe	Cebeem32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Danpemej.exe
File created	C:\Windows\SysWOW64\Ibbklamb.dll	Adifpk32.exe
File created	C:\Windows\SysWOW64\Bjdkjpkb.exe	Bbmcibjp.exe
File created	C:\Windows\SysWOW64\Cepipm32.exe	Cnfqccna.exe
File created	C:\Windows\SysWOW64\Pobghn32.dll	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Cfhkhd32.exe	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Danpemej.exe	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Pcaibd32.dll	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Ccjoli32.exe	Calcpm32.exe
File opened for modification	C:\Windows\SysWOW64\Apgagg32.exe	Ahpifj32.exe
File opened for modification	C:\Windows\SysWOW64\Bjkhdacm.exe	Bhjlli32.exe
File opened for modification	C:\Windows\SysWOW64\Cchbgi32.exe	Ceebklai.exe
File created	C:\Windows\SysWOW64\Fkdqjn32.dll	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Fnpeed32.dll	Cmedlk32.exe
File created	C:\Windows\SysWOW64\Pmiljc32.dll	Djdgic32.exe
File created	C:\Windows\SysWOW64\Egfokakc.dll	Achjibcl.exe
File created	C:\Windows\SysWOW64\Aebfidim.dll	Aoojnc32.exe
File created	C:\Windows\SysWOW64\Bbbpenco.exe	Bjkhdacm.exe
File opened for modification	C:\Windows\SysWOW64\Bqijljfd.exe	Bjpaop32.exe
File created	C:\Windows\SysWOW64\Bjbndpmd.exe	Boljgg32.exe
File opened for modification	C:\Windows\SysWOW64\Cenljmgq.exe	Ccmpce32.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Danpemej.exe
File created	C:\Windows\SysWOW64\Achjibcl.exe	Aaimopli.exe
File opened for modification	C:\Windows\SysWOW64\Bhjlli32.exe	Adnpkjde.exe
File created	C:\Windows\SysWOW64\Bqijljfd.exe	Bjpaop32.exe
File created	C:\Windows\SysWOW64\Bmpkqklh.exe	Bjbndpmd.exe
File created	C:\Windows\SysWOW64\Ceebklai.exe	Cbffoabe.exe
File opened for modification	C:\Windows\SysWOW64\Fnbkfl32.dll	Cebeem32.exe
File opened for modification	C:\Windows\SysWOW64\Clojhf32.exe	Cchbgi32.exe
File opened for modification	C:\Windows\SysWOW64\Alihaioe.exe	Qnghel32.exe
File created	C:\Windows\SysWOW64\Nmlfpfpl.dll	Apedah32.exe
File opened for modification	C:\Windows\SysWOW64\Adlcfjgh.exe	Abmgjo32.exe
File created	C:\Windows\SysWOW64\Komjgdhc.dll	Adlcfjgh.exe
File opened for modification	C:\Windows\SysWOW64\Bjbndpmd.exe	Boljgg32.exe
File created	C:\Windows\SysWOW64\Cebeem32.exe	Cebeem32.exe
File opened for modification	C:\Windows\SysWOW64\Cfhkhd32.exe	Ccjoli32.exe
File opened for modification	C:\Windows\SysWOW64\Achjibcl.exe	Aaimopli.exe
File created	C:\Windows\SysWOW64\Abmgjo32.exe	Aoojnc32.exe
File created	C:\Windows\SysWOW64\Aglfmjon.dll	Agjobffl.exe
File opened for modification	C:\Windows\SysWOW64\Boljgg32.exe	Bqijljfd.exe
File created	C:\Windows\SysWOW64\Pijjilik.dll	Bjbndpmd.exe
File created	C:\Windows\SysWOW64\Cgoelh32.exe	Cepipm32.exe
File created	C:\Windows\SysWOW64\Cmpgpond.exe	Cnmfdb32.exe
File opened for modification	C:\Windows\SysWOW64\Ahpifj32.exe	Apedah32.exe
File opened for modification	C:\Windows\SysWOW64\Coacbfii.exe	Bjdkjpkb.exe
File created	C:\Windows\SysWOW64\Lmajfk32.dll	Cenljmgq.exe
File opened for modification	C:\Windows\SysWOW64\Cgoelh32.exe	Cepipm32.exe
File created	C:\Windows\SysWOW64\Cebeem32.exe	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Fnbkfl32.dll	Cnimiblo.exe
File opened for modification	C:\Windows\SysWOW64\Calcpm32.exe	Cmpgpond.exe
File opened for modification	C:\Windows\SysWOW64\Qnghel32.exe	b4e76d460d58c7dd50d00dd43e45b40cd457a80648614f6d0f38b3db71c57028N.exe
File opened for modification	C:\Windows\SysWOW64\Bkjdndjo.exe	Bbbpenco.exe
File opened for modification	C:\Windows\SysWOW64\Bjpaop32.exe	Bceibfgj.exe
File created	C:\Windows\SysWOW64\Mfakaoam.dll	Bmpkqklh.exe
File created	C:\Windows\SysWOW64\Nefamd32.dll	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Ckmnbg32.exe	Cinafkkd.exe
File created	C:\Windows\SysWOW64\Dkppib32.dll	Apgagg32.exe
File created	C:\Windows\SysWOW64\Adifpk32.exe	Achjibcl.exe
File opened for modification	C:\Windows\SysWOW64\Cnfqccna.exe	Cmedlk32.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32†Dcllbhdn.¿xe	Dpapaj32.exe
File opened for modification	C:\Windows\system32†Dcllbhdn.¿xe	Dpapaj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2720	2708	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 53 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adlcfjgh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpkqklh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdkjpkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b4e76d460d58c7dd50d00dd43e45b40cd457a80648614f6d0f38b3db71c57028N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apgagg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danpemej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adnpkjde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coacbfii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clojhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmedlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpgpond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhjlli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adifpk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abmgjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepipm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhkhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenljmgq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaimopli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinafkkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cchbgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceebklai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjpaop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmpce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqijljfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnimiblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbffoabe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkjdndjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjobffl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbbpenco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boljgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnghel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahpifj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Achjibcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnpciaef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnfqccna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apedah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoojnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alihaioe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmeiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbndpmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bceibfgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cebeem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cebeem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjkhdacm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbmcibjp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmpkqklh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aoojnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aglfmjon.dll"	Agjobffl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agjobffl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkjdndjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnpeed32.dll"	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhjlli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgqdaoh.dll"	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfhmmndi.dll"	Aaimopli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aaimopli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abmgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Komjgdhc.dll"	Adlcfjgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adnpkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pobghn32.dll"	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Achjibcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjmeiq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnghel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apgagg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Achjibcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boljgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmpkqklh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cebeem32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhogdg32.dll"	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agjobffl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjkhdacm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bceibfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bceibfgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niebgj32.dll"	Clojhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahpifj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Coacbfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dicdjqhf.dll"	Qnghel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbmnig32.dll"	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	b4e76d460d58c7dd50d00dd43e45b40cd457a80648614f6d0f38b3db71c57028N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Incjbkig.dll"	Ahpifj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbbpenco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcaibd32.dll"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjbndpmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adnpkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdpkangm.dll"	Bceibfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bqijljfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahpifj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aoojnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfakaoam.dll"	Bmpkqklh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calcpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	b4e76d460d58c7dd50d00dd43e45b40cd457a80648614f6d0f38b3db71c57028N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpqmndme.dll"	Alihaioe.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2832 wrote to memory of 2944	2832	b4e76d460d58c7dd50d00dd43e45b40cd457a80648614f6d0f38b3db71c57028N.exe	31
PID 2832 wrote to memory of 2944	2832	b4e76d460d58c7dd50d00dd43e45b40cd457a80648614f6d0f38b3db71c57028N.exe	31
PID 2832 wrote to memory of 2944	2832	b4e76d460d58c7dd50d00dd43e45b40cd457a80648614f6d0f38b3db71c57028N.exe	31
PID 2832 wrote to memory of 2944	2832	b4e76d460d58c7dd50d00dd43e45b40cd457a80648614f6d0f38b3db71c57028N.exe	31
PID 2944 wrote to memory of 2080	2944	Qnghel32.exe	32
PID 2944 wrote to memory of 2080	2944	Qnghel32.exe	32
PID 2944 wrote to memory of 2080	2944	Qnghel32.exe	32
PID 2944 wrote to memory of 2080	2944	Qnghel32.exe	32
PID 2080 wrote to memory of 2244	2080	Alihaioe.exe	33
PID 2080 wrote to memory of 2244	2080	Alihaioe.exe	33
PID 2080 wrote to memory of 2244	2080	Alihaioe.exe	33
PID 2080 wrote to memory of 2244	2080	Alihaioe.exe	33
PID 2244 wrote to memory of 2892	2244	Apedah32.exe	34
PID 2244 wrote to memory of 2892	2244	Apedah32.exe	34
PID 2244 wrote to memory of 2892	2244	Apedah32.exe	34
PID 2244 wrote to memory of 2892	2244	Apedah32.exe	34
PID 2892 wrote to memory of 2552	2892	Ahpifj32.exe	35
PID 2892 wrote to memory of 2552	2892	Ahpifj32.exe	35
PID 2892 wrote to memory of 2552	2892	Ahpifj32.exe	35
PID 2892 wrote to memory of 2552	2892	Ahpifj32.exe	35
PID 2552 wrote to memory of 2684	2552	Apgagg32.exe	36
PID 2552 wrote to memory of 2684	2552	Apgagg32.exe	36
PID 2552 wrote to memory of 2684	2552	Apgagg32.exe	36
PID 2552 wrote to memory of 2684	2552	Apgagg32.exe	36
PID 2684 wrote to memory of 2620	2684	Aaimopli.exe	37
PID 2684 wrote to memory of 2620	2684	Aaimopli.exe	37
PID 2684 wrote to memory of 2620	2684	Aaimopli.exe	37
PID 2684 wrote to memory of 2620	2684	Aaimopli.exe	37
PID 2620 wrote to memory of 1052	2620	Achjibcl.exe	38
PID 2620 wrote to memory of 1052	2620	Achjibcl.exe	38
PID 2620 wrote to memory of 1052	2620	Achjibcl.exe	38
PID 2620 wrote to memory of 1052	2620	Achjibcl.exe	38
PID 1052 wrote to memory of 564	1052	Adifpk32.exe	39
PID 1052 wrote to memory of 564	1052	Adifpk32.exe	39
PID 1052 wrote to memory of 564	1052	Adifpk32.exe	39
PID 1052 wrote to memory of 564	1052	Adifpk32.exe	39
PID 564 wrote to memory of 1156	564	Aoojnc32.exe	40
PID 564 wrote to memory of 1156	564	Aoojnc32.exe	40
PID 564 wrote to memory of 1156	564	Aoojnc32.exe	40
PID 564 wrote to memory of 1156	564	Aoojnc32.exe	40
PID 1156 wrote to memory of 2052	1156	Abmgjo32.exe	41
PID 1156 wrote to memory of 2052	1156	Abmgjo32.exe	41
PID 1156 wrote to memory of 2052	1156	Abmgjo32.exe	41
PID 1156 wrote to memory of 2052	1156	Abmgjo32.exe	41
PID 2052 wrote to memory of 1272	2052	Adlcfjgh.exe	42
PID 2052 wrote to memory of 1272	2052	Adlcfjgh.exe	42
PID 2052 wrote to memory of 1272	2052	Adlcfjgh.exe	42
PID 2052 wrote to memory of 1272	2052	Adlcfjgh.exe	42
PID 1272 wrote to memory of 2800	1272	Agjobffl.exe	43
PID 1272 wrote to memory of 2800	1272	Agjobffl.exe	43
PID 1272 wrote to memory of 2800	1272	Agjobffl.exe	43
PID 1272 wrote to memory of 2800	1272	Agjobffl.exe	43
PID 2800 wrote to memory of 1996	2800	Adnpkjde.exe	44
PID 2800 wrote to memory of 1996	2800	Adnpkjde.exe	44
PID 2800 wrote to memory of 1996	2800	Adnpkjde.exe	44
PID 2800 wrote to memory of 1996	2800	Adnpkjde.exe	44
PID 1996 wrote to memory of 1116	1996	Bhjlli32.exe	45
PID 1996 wrote to memory of 1116	1996	Bhjlli32.exe	45
PID 1996 wrote to memory of 1116	1996	Bhjlli32.exe	45
PID 1996 wrote to memory of 1116	1996	Bhjlli32.exe	45
PID 1116 wrote to memory of 948	1116	Bjkhdacm.exe	46
PID 1116 wrote to memory of 948	1116	Bjkhdacm.exe	46
PID 1116 wrote to memory of 948	1116	Bjkhdacm.exe	46
PID 1116 wrote to memory of 948	1116	Bjkhdacm.exe	46

C:\Users\Admin\AppData\Local\Temp\b4e76d460d58c7dd50d00dd43e45b40cd457a80648614f6d0f38b3db71c57028N.exe
"C:\Users\Admin\AppData\Local\Temp\b4e76d460d58c7dd50d00dd43e45b40cd457a80648614f6d0f38b3db71c57028N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Windows\SysWOW64\Qnghel32.exe
  C:\Windows\system32\Qnghel32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\SysWOW64\Alihaioe.exe
    C:\Windows\system32\Alihaioe.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2080
  - - C:\Windows\SysWOW64\Apedah32.exe
      C:\Windows\system32\Apedah32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2244
    - - C:\Windows\SysWOW64\Ahpifj32.exe
        
        C:\Windows\system32\Ahpifj32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2892
      - C:\Windows\SysWOW64\Apgagg32.exe
        
        C:\Windows\system32\Apgagg32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Windows\SysWOW64\Aaimopli.exe
        
        C:\Windows\system32\Aaimopli.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\SysWOW64\Achjibcl.exe
        
        C:\Windows\system32\Achjibcl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\SysWOW64\Adifpk32.exe
        
        C:\Windows\system32\Adifpk32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\SysWOW64\Aoojnc32.exe
        
        C:\Windows\system32\Aoojnc32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:564
        
        C:\Windows\SysWOW64\Abmgjo32.exe
        
        C:\Windows\system32\Abmgjo32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1156
        
        C:\Windows\SysWOW64\Adlcfjgh.exe
        
        C:\Windows\system32\Adlcfjgh.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Agjobffl.exe
        
        C:\Windows\system32\Agjobffl.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1272
        
        C:\Windows\SysWOW64\Adnpkjde.exe
        
        C:\Windows\system32\Adnpkjde.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\SysWOW64\Bhjlli32.exe
        
        C:\Windows\system32\Bhjlli32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\SysWOW64\Bjkhdacm.exe
        
        C:\Windows\system32\Bjkhdacm.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1116
        
        C:\Windows\SysWOW64\Bbbpenco.exe
        
        C:\Windows\system32\Bbbpenco.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:948
        
        C:\Windows\SysWOW64\Bkjdndjo.exe
        
        C:\Windows\system32\Bkjdndjo.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Bjmeiq32.exe
        
        C:\Windows\system32\Bjmeiq32.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:940
        
        C:\Windows\SysWOW64\Bceibfgj.exe
        
        C:\Windows\system32\Bceibfgj.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1076
        
        C:\Windows\SysWOW64\Bjpaop32.exe
        
        C:\Windows\system32\Bjpaop32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2140
        
        C:\Windows\SysWOW64\Bqijljfd.exe
        
        C:\Windows\system32\Bqijljfd.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:552
        
        C:\Windows\SysWOW64\Boljgg32.exe
        
        C:\Windows\system32\Boljgg32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:316
        
        C:\Windows\SysWOW64\Bjbndpmd.exe
        
        C:\Windows\system32\Bjbndpmd.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Bmpkqklh.exe
        
        C:\Windows\system32\Bmpkqklh.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Bbmcibjp.exe
        
        C:\Windows\system32\Bbmcibjp.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\Bjdkjpkb.exe
        
        C:\Windows\system32\Bjdkjpkb.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Coacbfii.exe
        
        C:\Windows\system32\Coacbfii.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2676
        
        C:\Windows\SysWOW64\Ccmpce32.exe
        
        C:\Windows\system32\Ccmpce32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2568
        
        C:\Windows\SysWOW64\Cenljmgq.exe
        
        C:\Windows\system32\Cenljmgq.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Windows\SysWOW64\Cmedlk32.exe
        
        C:\Windows\system32\Cmedlk32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\Cnfqccna.exe
        
        C:\Windows\system32\Cnfqccna.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1032
        
        C:\Windows\SysWOW64\Cepipm32.exe
        
        C:\Windows\system32\Cepipm32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:264
        
        C:\Windows\SysWOW64\Cgoelh32.exe
        
        C:\Windows\system32\Cgoelh32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Cpfmmf32.exe
        
        C:\Windows\system32\Cpfmmf32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:568
        
        C:\Windows\SysWOW64\Cnimiblo.exe
        
        C:\Windows\system32\Cnimiblo.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\Cebeem32.exe
        
        C:\Windows\system32\Cebeem32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\Cebeem32.exe
        
        C:\Windows\system32\Cebeem32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\Cinafkkd.exe
        
        C:\Windows\system32\Cinafkkd.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2400
        
        C:\Windows\SysWOW64\Ckmnbg32.exe
        
        C:\Windows\system32\Ckmnbg32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2432
        
        C:\Windows\SysWOW64\Cbffoabe.exe
        
        C:\Windows\system32\Cbffoabe.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2516
        
        C:\Windows\SysWOW64\Ceebklai.exe
        
        C:\Windows\system32\Ceebklai.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Windows\SysWOW64\Cchbgi32.exe
        
        C:\Windows\system32\Cchbgi32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1736
        
        C:\Windows\SysWOW64\Clojhf32.exe
        
        C:\Windows\system32\Clojhf32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1560
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:908
        
        C:\Windows\SysWOW64\Cmpgpond.exe
        
        C:\Windows\system32\Cmpgpond.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1828
        
        C:\Windows\SysWOW64\Cfhkhd32.exe
        
        C:\Windows\system32\Cfhkhd32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1992
        
        C:\Windows\SysWOW64\Djdgic32.exe
        
        C:\Windows\system32\Djdgic32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:348
        
        C:\Windows\SysWOW64\Dnpciaef.exe
        
        C:\Windows\system32\Dnpciaef.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2084
        
        C:\Windows\SysWOW64\Danpemej.exe
        
        C:\Windows\system32\Danpemej.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2700
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        53⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 144
        54⤵
        Program crash
        
        PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaimopli.exe

Filesize
69KB

MD5
0c7357d6e19013dcaa1390560d633047

SHA1
9359f711599f519b3face9446c99fe29d441b49b

SHA256
32c529cbd83fb313f3c7332ba78e0afebcb297bb503a49e0552c12b8ee1a4f00

SHA512
d330c067d92da524af8c493c7792dba981e0f45e561feea32eba3cb92164e1d4d4a8509bc0193a681dfafde4510e621623049aedadc136a5e24e5fc15f01aca1

Download Submit
C:\Windows\SysWOW64\Agjobffl.exe

Filesize
69KB

MD5
4a4203b445c35ac7d8b529cfff896842

SHA1
47a2a56594936068ac7ff06d4b12f87812858c3d

SHA256
b4aefdbe079197f142036ea470a48676afb73e944dfa248c0c6188fe1a5cdf37

SHA512
1ecfe17a4d7388107abe6cfb080341f162b03b0b8810a682a3146275cbc6b5a3f833da66f36a6d21f9589aaabcd1869293eb9f995d245f4f8f61ea96c1bf41d7

Download Submit
C:\Windows\SysWOW64\Alihaioe.exe

Filesize
69KB

MD5
df11dc4079e6c4dfb47a7b28342cde73

SHA1
129a69efd50f9dc9e7563bf3c58f5d8db8ece5ef

SHA256
d47e2ce48d85d7638464019f280e9538400357a2d574826fd53b4e2b182dbdc4

SHA512
c391e4bbb803170b0d84e653ffef481efde52fc355b9992bcd22f139a0fa7a8140eee60ed98a3f281a1ed690c3118fd7da0e9d4d68dd6f21c2ece29074aea9ee

Download Submit
C:\Windows\SysWOW64\Bbmcibjp.exe

Filesize
69KB

MD5
c0676f6fb89b90f50d54e6d95fa3a459

SHA1
5b75d541976fb4d369521f74662307760a97e20a

SHA256
fe5e4291c3582b171ce50868ab4165d00f7e71b8f16c1b9050ad6771fe5bd017

SHA512
34af0c3b69a164a6e04239ab5cbe4c6e9026635e3c799b306ff6f8d784b5c68ed1ac9ebc01619b68d236f5a615fa5fcc5ee30a77eaedc2e241d15b71dac63395

Download Submit
C:\Windows\SysWOW64\Bceibfgj.exe

Filesize
69KB

MD5
67b974382e9268c497ec870f0c88a689

SHA1
f4ab67eaf00effcdde8abd67890fb63ee9b70220

SHA256
f5adb72c4e57d2b4c147c0f6b6cdcb28bb6a9e221dae581c3fa08e486da62b22

SHA512
235610de0535f727fb1f636b38afd480eb9d14c3cb1f737f5b122f0d66fab82e1466bb664960bd0f5569b22f1ff87597bfc123adb168c043674224c1c2dcaddb

Download Submit
C:\Windows\SysWOW64\Bjbndpmd.exe

Filesize
69KB

MD5
7efe1c3ec017d59a8727efb0f85e2860

SHA1
983358165ebf29ee9bce77cee8ae184c0fc660de

SHA256
3fc1b11b51ab9b13e5e41dc3c34da6cae97060356cd3495fcc2de009239944f3

SHA512
d3c513abbfc3423ef50282ec1328a583915a85f7fe457d47fafedffc890b821b85986f980385240f1aecd0af6e0096180f6f47bd564ee43d6f72c4484a7211e3

Download Submit
C:\Windows\SysWOW64\Bjdkjpkb.exe

Filesize
69KB

MD5
e89448733006604ce07bab42318b5ec7

SHA1
4d356540fdea8a8c588dab8c61284761ac151e31

SHA256
54576a5dff0184d0269d1dbdb5cf0d008ac5754e1396ee89b16c9b085e346de1

SHA512
ca707ccd73d4a443b7a7b63023a47fd5a3e0ef01be3b01a1b8768e6d7692b59c69db4dca5ee0c881a0e80246b06cc4667f7aa3af5f24044d6979a323a8f38ad3

Download Submit
C:\Windows\SysWOW64\Bjmeiq32.exe

Filesize
69KB

MD5
02a8992cd0f75ccacbb6b494308d61de

SHA1
9320f6e46cf1413d42a83350a977d8bcf6b8153a

SHA256
c522c37647980042c99d39a41912a538f8ed3e915ec4aa0834d3808acae48583

SHA512
d71bf4e282889d6172d5ddc3b837ab6d08cb83e3af05ff183068fc02073edcb86279f3a5969db14f936ba472dd77930f62247ac06d556dfc089fe30ce99c6343

Download Submit
C:\Windows\SysWOW64\Bjpaop32.exe

Filesize
69KB

MD5
5ee243987580f4ad9274c494a8a615e7

SHA1
083b2e4f92fc9a304499737d767f22e450315f5d

SHA256
11e043a54ddd597c82f671496aa17bb851d54652b6c52b51096780789da6ce5e

SHA512
b58f75a2cf79f0ffcae3599237e122051952320d6c57eebf6a1162b8cd9e5ba46bbdbc037b48d4ae279775b39f2f30d52317e21627447dba19f773dc9dbb4956

Download Submit
C:\Windows\SysWOW64\Bkjdndjo.exe

Filesize
69KB

MD5
104431038893a2520607fea8c621308a

SHA1
6577e5139b9714a6272e3c9cd15c1badd0b9ae68

SHA256
b36df9a27f8a293c9ba2b848e90059978ddc4ca7cb5b58e98fd5f71d454f5747

SHA512
10c5d8d5ac15d2c9f3ea6e246f16f05853cf6d529283531392ce04df2c71cda9f4eb62ab23cfae9d6c8961100255b717f79c3753dfe246e101bab6ae44cfa99f

Download Submit
C:\Windows\SysWOW64\Bmpkqklh.exe

Filesize
69KB

MD5
c573000ff0110ba39b29246c40a12d85

SHA1
5ba88dcb48191eb3d5be22f4117f096d72594b78

SHA256
7997344b925cf79db4f872eab9e39a2392c66d3182c0f6b54a4468907eb82653

SHA512
2c393bfd3cb9b9b6f564c8464dc3d67ee81662eaa70c01df17c80ab0350701017a85540f747fd6b30578389594fcaf9c5d5da7ea7df7c970a652bb25ad140fe5

Download Submit
C:\Windows\SysWOW64\Boljgg32.exe

Filesize
69KB

MD5
ed572c60c6e9b3abdb746aefbe65494d

SHA1
f093b80fad5ad9b9bc1abd8537695d0f07889bff

SHA256
5bfb2f5f0a846750e7c79ad6fc17e665f93461f515c46b591091ea8568413276

SHA512
46b414479a4db8d0fada248b3d2db3b67918f8fdb1ce62ab7dc1d4834b6e347272758d20c36dcb9bb75879a96e4ec98cf500de695f75e9a807d604e1c283e9f3

Download Submit
C:\Windows\SysWOW64\Bqijljfd.exe

Filesize
69KB

MD5
1c9b0abd944b673782187950ea0b747a

SHA1
2ec0d64160a976724a5d5befd5dbea5869771781

SHA256
f476c3304aa1f6cc7a845d8edc9ed9187867f568f5c3815d990ecce06037d894

SHA512
5e602270f6c8f04b04b8d78319bc15124246e29da5cec5156cf8dc71c6a380e4738bc951bbb5303c8162d76bb1c1f75b487216b4d6e768dbc7ae6b9ddb46d8b6

Download Submit
C:\Windows\SysWOW64\Calcpm32.exe

Filesize
69KB

MD5
d395c8512f8b18e1abe8899b44d21343

SHA1
4f90e6df76c3f813aba071171adee3c2e224f12f

SHA256
1be3b6e387147df62023654fba1eb7d5271d20b7d75324902fced658dc3c8879

SHA512
ab9c82e9a441ec5d6335e24b11a186028f533487fa1e74cf7da22aa6f7d29a8f4b83c6f40dfcbe66791166677a59bd4f9756a27ce5a0a897f2a4dd4e2c869533

Download Submit
C:\Windows\SysWOW64\Cbffoabe.exe

Filesize
69KB

MD5
8dde53a746fbe127e8c5585b3b48bd25

SHA1
b43e229d84545a9a2a7406d01226392b0c0a38ac

SHA256
b84917adb7c900cdbac091cf08ec378835c0fb0061e2e52ae6444f323239e84a

SHA512
02243fdf94d33d381093de923817ed165b4b21381f1d2a72705af3816b542ccadee5a41032405357b95240b3742d9ca2ff90a794a138e90d960940b85381ba2f

Download Submit
C:\Windows\SysWOW64\Cchbgi32.exe

Filesize
69KB

MD5
d31ef7c92028f0788101050e3eb1b5b8

SHA1
6f255108c0fd299d233a63d8ac6f76c259ca1765

SHA256
13fe03117f4f0a216c5e53a1603454082322f87ab38552c3488577cb0d17ac10

SHA512
394d51c879d98e7ba8b44d13aaae384a5cafe5f567da6162cb9c09542673b1f612a6a10bcf03bdc2e0051b38cd6182ead4ef708b3a5a580474c0db33a46eaed9

Download Submit
C:\Windows\SysWOW64\Ccjoli32.exe

Filesize
69KB

MD5
2e42b5960ff736b8f7706a0c9cdf5389

SHA1
e4672a898f1f31578431d2ab0524ff62f6240ac9

SHA256
fcf067e96b583bd9657c7d17869d5cbd7492c27057959d2d57c29798f77d2193

SHA512
e10bc626256ad81255b4b7757acc290c1f8dc5a11bc41d604211abbbab23eaefa255ee511f5a508a9fa39bfa3b1eb7d33099e57a2e976fee8662794546e7918d

Download Submit
C:\Windows\SysWOW64\Ccmpce32.exe

Filesize
69KB

MD5
2098979038a481e19520b5f48f34efa1

SHA1
e94a7c1bfd23f0d6312323bb5802ed0feb97e08b

SHA256
a88313e17027950c08621bdf85989a3d9550d9986be932b3fcd06a56ff762e4c

SHA512
01cc8fbfd99acd02423fe74ab1abd8761f8b259d2a0f183896d89e33f7c3d85447527e19fa79b33fe5a1221d81309640dceba246594e695eb3213447bae8d81c

Download Submit
C:\Windows\SysWOW64\Cebeem32.exe

Filesize
69KB

MD5
6d35c87e3a85a0b448bf08ba7104591d

SHA1
4ffd92f5874191f895194f64984332e0ce2c89df

SHA256
9106e453569c1fbd502596ee41c35866a35fba9ab70c80ec450380849fedfd1d

SHA512
9ff727aef2089f50e4b43467a362258e1119572b70840167edc27a8d50fe90805fd91dff4046262f25c4f55dc533370c9c0fec1bd57a96a9ecd93c3952b33385

Download Submit
C:\Windows\SysWOW64\Ceebklai.exe

Filesize
69KB

MD5
556a442203572863adbac89a66c78d71

SHA1
d229a575d32892d2490c0809f96c6b5b8c01fe1c

SHA256
d25e28b4a16a89bbf0a4abcb6c740040ccabfc8c918354f4f2418a4fc7eda269

SHA512
780970686a28a7156026ce06f457fe10e4e7864f84bfa36ecc376f9a9f4743e8aea622b4fc1da4bc57f7b7a2b6eb0b585b86a898273336ac04b4bf8d84a32c6a

Download Submit
C:\Windows\SysWOW64\Cenljmgq.exe

Filesize
69KB

MD5
8c8f4f70853808cf2f588f1f544f4163

SHA1
e0410118107ac40f30c7e1146e4d476ad9d47d01

SHA256
bca9ab752da3d8b927596dd1c1e2e741564cc327fdfb9cc010fb699bfcf03153

SHA512
e5cacb6d796c29fedbd4da153d4ac218b63b91e657ec9c316322f823e05a30972ee5ad05e0ea2c2ead45c38fc7fb5bd86eda52ca39bc19c715a23a4beaeb7b67

Download Submit
C:\Windows\SysWOW64\Cepipm32.exe

Filesize
69KB

MD5
e7b936c3a563c76834438e0811269014

SHA1
b1979f86d96efc0885fc054b99f249ddb50b1355

SHA256
9543456060e9aee76245347438fced5c8d5955330d95facca58cd36fcfea3987

SHA512
027f210cfd4256f911275fc395080f933811ef1297ff7e8e78396d12f66d372c27f6727840a6b7a0f688030c8e4c7df54d237da616299d4c9f231bd23bc0f199

Download Submit
C:\Windows\SysWOW64\Cfhkhd32.exe

Filesize
69KB

MD5
c3bc1f925e73e5125a8433f63bd3fb67

SHA1
92985dc9e2abfa63bfbde39b97b3e7bf94aca358

SHA256
9220055195a4a7328ad648091548315963de92c902130c7dc6e3b306dc6ce401

SHA512
69de8d582d2483ec996e15208c74db5dbd63af5fb76bd6e074bbe79865338a5c9d082298d8e21901ba879e99a15f4c310de2d1be949b69e13b14da1f5c47998f

Download Submit
C:\Windows\SysWOW64\Cgoelh32.exe

Filesize
69KB

MD5
c8a39123efb01004c3d8d1a26592a568

SHA1
bfc8499f55949b544aaa32b0965da95329e66a7e

SHA256
596d2ce0e3dd9c8ac28ea3ad64203a51e2332f404fea163c389463aac2b5f44b

SHA512
c3ec78fea0392dfaef7616a14149860a6079a21840d58b1ce4d9bb50a92fa51ac22ae4b3d6575721b288536fd32c2b52184540441fc95e59de79fe7f2a9ecc5d

Download Submit
C:\Windows\SysWOW64\Cinafkkd.exe

Filesize
69KB

MD5
885a160f9cb39f73bd27b6595261e98e

SHA1
870fc59aa5939eb23e7c41e89eb05d1d792e44fe

SHA256
3c907671ffcbf3186894e671dfdfdecc9ddc6fdad950c267ee68fa11d362f695

SHA512
babf6a33e9096d970e66025a14c37a1ff88536dfe649edb7aba418775f6662054e9e07b21234bcb9e2f5e2180ec76ae7fb89bffc3de6e99e6b9ea72deb8b340f

Download Submit
C:\Windows\SysWOW64\Ckmnbg32.exe

Filesize
69KB

MD5
cdd4636a40e79f43f45c939dc3c0c9ee

SHA1
67c515c0cf5d765a27cc66b2764b1fe6a7adc4f9

SHA256
dda36cba341d7213b40ec4e00bee7556b4dac52fe1959ff7f8d59b58a7c42d12

SHA512
875456ade42f9f774ae04b91ed3fb29ad34c9d5c79ae7aeb2462a697efdfc38ab9d78f9f750ef817e9953e6194c2af64eeea4a89ea6dd0f3898dc213f01d7bfc

Download Submit
C:\Windows\SysWOW64\Clojhf32.exe

Filesize
69KB

MD5
32058161960e423fefec215592386b6f

SHA1
3e2126d9478e2d003e3a75656ddbba6b46f89573

SHA256
7b0d71460b44d1d1283721a251fb967419b961ab3ccc8f164136275bdcc77c29

SHA512
76033f67fa6ad1307eb83e2463fafffa63f1b075c89d9b0fdab4389ca91b4854dbc9c387af90e5f1285dedc2906914ae4d43ee48ba97bf0534eb71b5f7283a92

Download Submit
C:\Windows\SysWOW64\Cmedlk32.exe

Filesize
69KB

MD5
55155e86092079deacec08f4aa45d8d0

SHA1
d2943861f997b98898e74590793dbb302a9a2a2f

SHA256
392409eb3070f9cf37052879a371deed576eb730b0b1d86309d0c9e96be0ee46

SHA512
8b58f94eb5304e98f593082b425843a9efa2153a1277d7bfc49fe33ad666c8d1259fdaf0ff3fb8d617123a33f4fac6853d2ff07777ea512bc63cd48507ba20e8

Download Submit
C:\Windows\SysWOW64\Cmpgpond.exe

Filesize
69KB

MD5
57c86cf95108ebcb2a485109ba8fdc45

SHA1
a8ec131e8ff067ad5e48af9a5183152813ea7839

SHA256
029bdca11af6a484239be40db6ec3286440ec2477e19bb1afc3fc9411c7e34d3

SHA512
8b4354f1396326e0c9a86265ea2fa8419032d2ba1d29412eeaee81dd41a67e0880e562b32fdc94396b265bebabc474cc1e5956d300feee1ab4624e372898d3e3

Download Submit
C:\Windows\SysWOW64\Cnfqccna.exe

Filesize
69KB

MD5
797427d6e75d118d12addd606cc76fec

SHA1
8d1ab8fef8e966608908cad01f41128575b4185a

SHA256
e3ddbd8151659df2a3f06f6988fc980fee088c0de7321e02547bc215ed99394c

SHA512
aae0cc7bc3fce690b502c739d1d22251a661315b7981a0a303b273d67634bee3a5ed603a3f292a373c9a2d777d2d484a7d4fada2c4df3b9a93be9a431255c9be

Download Submit
C:\Windows\SysWOW64\Cnimiblo.exe

Filesize
69KB

MD5
888e36dfa7a387019543e06d5cc029e5

SHA1
7a1b6463dc8c6f2373e1c51f06c5b4897827fc9b

SHA256
cef4aae44bf268691bbf73cb7191c32f9e9b500aed93d3636fab95ec8824d8a0

SHA512
401374ea9f0c2954ec1989b6f388d0a7279293bd43326ef4e85e7bfd546d9e78dacbfe2bcfb9040dc55d33cfcfa11dab2e35c97a1de2a58153f62c267b0277bf

Download Submit
C:\Windows\SysWOW64\Cnmfdb32.exe

Filesize
69KB

MD5
542517f180d3e3209db6daabcf4854ad

SHA1
fc39b58aceb1e88cba43b125488c298dc1516e60

SHA256
87af9115cc49991b93b1115da8ce6760c87a1bb1633b96a9fef0f73e6c0491a5

SHA512
e976fd55aaad3071de2024bf57b27450cea581a4e43feb1396a2ce0a16fcacb20ecac88c83fc1e4d47dec9e5b627f6f488d094a4b36589a603bc79a753d8f54e

Download Submit
C:\Windows\SysWOW64\Coacbfii.exe

Filesize
69KB

MD5
66ee37fdd7641c0f14b63cba4ee86445

SHA1
3c5b7ad3abb38abc86a0dd75bf1989fae31b67cf

SHA256
9339bdb271c85ce83883b4d2ea46465ea84cace6dbd4922f94c23cc07b1375e7

SHA512
63de645adab7c7cf82744fd3c767e3c90b7b5d5bc9ea0304a6a136406558f7d86684c177694e9e9a9940362710e9dbb628fe4ae061655ff67eebd3e150e32701

Download Submit
C:\Windows\SysWOW64\Cpfmmf32.exe

Filesize
69KB

MD5
3536a09d20cff994b92e75c39d87e2b3

SHA1
47bc67ee3d3e5c8d283a33818223d8172b96fd18

SHA256
eb8a5b4ddd0dbb40ad3c962d3054a27ea2424f139d6f0b50abf4149a464f5362

SHA512
91dfb90f6d87cab4267a06630b8a16f8bd205ec53f5f8e1a0d7310a2c87b157e99dc7eabbe4c67285f42b45851d3e28607ba827cf843b9fabddf16d253fecf5f

Download Submit
C:\Windows\SysWOW64\Danpemej.exe

Filesize
69KB

MD5
9707362dd3d5b65c05724f4c52a04575

SHA1
f9cf132bfb1894516aafffe5c36909425e9c93f4

SHA256
d7a09e343bff8a733ae368ea4ea5c77c2e62d19d8a828b4c3d8a916e8365cb20

SHA512
f3f45f445a0a72c1944112fb38c992ee0e95a47697a7ce5d5f71c0f1495fd44cd2f77cdc5fc6f3f38f6cce5e234ae872dbaa3b8842c6fc74974dce59913a17ab

Download Submit
C:\Windows\SysWOW64\Djdgic32.exe

Filesize
69KB

MD5
22059743a8b24029ba6dd3f3cd5d3366

SHA1
a8cf7b19880b2bb4941331a515dabf6a7776ec64

SHA256
208945633f66daa5bec0442e347f77812af4686aefa8eca836262a0ed64ce307

SHA512
88e5fabc441acc2026f4e1a2afe2b39b21dc6a673775fae489c241e7154561a8e032fedf1a025ee22aacc1f410eb87c6022e3d9d03dd447512c227fdd5274064

Download Submit
C:\Windows\SysWOW64\Dnpciaef.exe

Filesize
69KB

MD5
83413bc645f3e10254fd110fd6b82f0a

SHA1
5bac86d157eb4ec30046b8073c018f6ac83d67ba

SHA256
90c03a729144c3eede5c6c07d77653fda011d2bfa196ce6a7936762b1e4e6ac4

SHA512
765791b80dc31f18a92ea6cab678e97f53a968550a520bcb0b12597341800700d56d2a8cdba4a53eb92986d332287e804ac7f3eefacaa86a582c3886a85f8f7f

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
69KB

MD5
572177ff1558196d10524ce0e5a90d4b

SHA1
8a6806c3d91ad50ff8cbb36acf60ceda623cbc4e

SHA256
41e12111ab7e7cf2a5bec4e28f391b95b17e365f30e778b27a04f0ebc383b86f

SHA512
f7a0db7c37d938b12471e4af3a1cfae2050407661a5d3d397c820e0ae274bcade8a354fffa602e0803e923a098e357d6b8d58f560a95a36fa9982800db1a849d

Download Submit
C:\Windows\SysWOW64\Qnghel32.exe

Filesize
69KB

MD5
03fa87a25e6980fa2ef16a4cae94dd73

SHA1
062fc8b77e16728aff6fc26208ad61b3ba07c61c

SHA256
07207f1a14f22d98bc76236437a821300a9d416eb9f0a02b41fc330542051dc1

SHA512
bcab0552e81b45ff15d80625ac33c1b6a22f2ebb172ae2b0091c2b8ca42016665e6070bfef83e1cd4d8e1f41c1992f2e2091b1c6fcfc1c081c2e9ad84361c06c

Download Submit
\Windows\SysWOW64\Abmgjo32.exe

Filesize
69KB

MD5
2689dffffd2a144df8ff0143c58ba940

SHA1
b690f2015759e68c724ff3a0687403de923df844

SHA256
19eb0270874d85deb44a97ee686a244919e125b5070b7b65eaec7d9f38b52252

SHA512
672ac906f007e6ed92003f451a3c477d26716ab39a4cee915de8f3e88a35b6dbd1529773af97c0e66d2590f9a0124b34bb1e16dc385777ace1b05e83582012d6

Download Submit
\Windows\SysWOW64\Achjibcl.exe

Filesize
69KB

MD5
301c260de2c70c00a117485c8d96a9d0

SHA1
0382b15dca385b8f38886b16e2fc872fe5bf401d

SHA256
ea1f78b50038ad97e3b946d5e9af01998f4f25e3e866301062375b7284a6a303

SHA512
808893806f9841d924288b82477f1c0e72284f191f45c6d7ba342e509a6b0995e5cc8eefd8cb05a55d2b4106a967cb6ed342d7ee088febd587e6991dc3c4dc01

Download Submit
\Windows\SysWOW64\Adifpk32.exe

Filesize
69KB

MD5
1f9c4b1e489952c387913dae24acf0bc

SHA1
51638907fd183a0fe1ed835aecdbf0af9539dd57

SHA256
eb9377cdd544c34a09b609eb6f6599ca256e23b4287df1a54fb718c227dabfe7

SHA512
1e738de5e6fd2b56e418e9131de71fb764651b78b9970b665abe1ae8550131f2bd6f55f8ed892e9d0e3ff117aae07d8724bfb2a79e0b11c9034af8063fca0ebb

Download Submit
\Windows\SysWOW64\Adlcfjgh.exe

Filesize
69KB

MD5
8e50c08e6320baf6d29006b75ee32f80

SHA1
a735a096a7bedff60a5fd738fd78f6a911f2de97

SHA256
f152b5e3a1ab63d147b059c35d6a6ae87a2c338bfc2f02aabf9b7208daff5cfe

SHA512
9eebf489f1f6e6d04d946979c393e3ff1439a6d919ccba4827ca8725b6cbc25ecb7110acc065e458a8734bb870b725fd6c5eae0fcb95cb483f2d8665743d0442

Download Submit
\Windows\SysWOW64\Adnpkjde.exe

Filesize
69KB

MD5
18e5d7a55a93a55e6a436363273a38a5

SHA1
7674bc5bfdc173e3af7089479b16a9ddeb19c216

SHA256
09d29792e4792a5df013a59ce83a0fc57caf72016f197c275df58ae5fe87b2fc

SHA512
382f86dc80f4f159c0964ddabad6c588e9b9d31b794038127afb5b0735dfa8b4ccf53853d96936bc416620f3a1762cfef3bc8da6996ad69f4e4778cc46c07ce9

Download Submit
\Windows\SysWOW64\Ahpifj32.exe

Filesize
69KB

MD5
76955ff6d02ece8b8b86777de4dfe01c

SHA1
9ef274e6bd8f5521fe47688079d73ca3ae7ed95e

SHA256
866f0e678e05baf93f0a56eddefc9335205a75f16d61330b65672e830d6b5841

SHA512
681b6099141b16783fb9629af734563b90575a961cafd7111be199aa24a490779f5c1bea4ce5d69cddb147292d2df1815b25db0aab39279a0d4467156a4cbb60

Download Submit
\Windows\SysWOW64\Aoojnc32.exe

Filesize
69KB

MD5
29428022e91c0da6c847d245ccdc5946

SHA1
3f720c501432a1aec3dca84f49aec328456e0ed5

SHA256
9ec5ce703c33688b01781fa739e4313698aeeda0b8cbeb7b2dd2a2bd7338927f

SHA512
a997bf3eb4fefe251d91d1a257db2dc13296c19df9ae87d9b6b593dcd6f77df61c7026bc7f4002396961fa1e6d9bdc66fdebb7d6ea2ae7713c1c10515d03279c

Download Submit
\Windows\SysWOW64\Apedah32.exe

Filesize
69KB

MD5
b83dfb60805fd60b95fd4db8416ff0b7

SHA1
f02747ad48970013d5223192f201e8510a01e5fb

SHA256
1ea1881a27805bf1cfda9f9665290bdb39c4951e57175c72117c3c6084bcc65c

SHA512
937bbebfd4d26f5221516b3e08363f5901ff7845e2a07befa39835a2da6a7255163699fb1805f7767f9dc53cd04b42d46d5cf9317b8248cfe7eea3b8fdf5c798

Download Submit
\Windows\SysWOW64\Apgagg32.exe

Filesize
69KB

MD5
3822ee69b084acdc7d0fbcf6ac5bdefe

SHA1
75a918f5042f7a5b0ed8842ccea6a3b41d010bfe

SHA256
3df118a352ce0ab0906457a9f30de87e6c5fc3309df3ed9ede9a9706824774f5

SHA512
45f2870a015d6384e738d964db6724f93c52f4d20d9b0faa2e47c27135562d07bfece2d0ed004bba74945de3c046bca672997c7a6ec5d214461273c8920ebf9b

Download Submit
\Windows\SysWOW64\Bbbpenco.exe

Filesize
69KB

MD5
2b82d40ff7db9b725cd2bf001a2a48de

SHA1
d99810425c222c45aa8354548e0fd18c17d1b000

SHA256
dd3927c549c017291664821706bf27c9df7023a56e4ed47f532a789e700e6fae

SHA512
6b11c2b2afdac2e43d60a97f444d041b40459f83355f021cc8d67c4f10018858f98481dc1061d7e5017f0b946c74982c72ea60295b9f384ea50f6c4a743770bd

Download Submit
\Windows\SysWOW64\Bhjlli32.exe

Filesize
69KB

MD5
d0ba6f06f98b3f9855af4aea93890edc

SHA1
e86006a51207f2f13799cdbf995191cb84432151

SHA256
9b6d4684f50dcb3a0a00756767e25230625ddcbe7c4a3726dad6a19c41fd0b31

SHA512
e51917dcec380bca39f454396782233fc912edea082cc038603c4b8f1355d26f2112aff603b2151a9c8d8407de78a9f669878a4d15c6df6732b252bd58c19865

Download Submit
\Windows\SysWOW64\Bjkhdacm.exe

Filesize
69KB

MD5
090a08da65cfcda02941b73a4c8ae281

SHA1
242cead4ea190b5ba8db1bf0652a1149e6df7c79

SHA256
4d6d71831fd1e968e4f8b7dd468254fb6c1edc84e1228b755f5750e62378826d

SHA512
8e933f0ffc6233034419e0d8b0c216dbc94b15811c0f721339fc2f3d38de604dcaf1bc32efa876aed1a2d1a22feadf3cea419ca27286733f67fba695b5b33b3c

Download Submit
memory/316-346-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/316-309-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/316-317-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/552-303-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/552-336-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/564-191-0x00000000002D0000-0x000000000030C000-memory.dmp

Filesize
240KB

Download
memory/564-186-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/940-314-0x0000000000280000-0x00000000002BC000-memory.dmp

Filesize
240KB

Download
memory/940-308-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/940-274-0x0000000000280000-0x00000000002BC000-memory.dmp

Filesize
240KB

Download
memory/940-264-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/948-248-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/948-237-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/948-249-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/948-284-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/948-286-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/948-285-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/1032-406-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1052-126-0x0000000000330000-0x000000000036C000-memory.dmp

Filesize
240KB

Download
memory/1052-177-0x0000000000330000-0x000000000036C000-memory.dmp

Filesize
240KB

Download
memory/1052-174-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1076-275-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1076-316-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1116-273-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1156-155-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/1156-146-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1156-161-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/1156-205-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1272-178-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1272-231-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1996-263-0x00000000002E0000-0x000000000031C000-memory.dmp

Filesize
240KB

Download
memory/1996-208-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1996-219-0x00000000002E0000-0x000000000031C000-memory.dmp

Filesize
240KB

Download
memory/1996-260-0x00000000002E0000-0x000000000031C000-memory.dmp

Filesize
240KB

Download
memory/1996-259-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2052-222-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2052-216-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2052-175-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2080-84-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2080-35-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2080-28-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2140-293-0x0000000000440000-0x000000000047C000-memory.dmp

Filesize
240KB

Download
memory/2140-287-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2140-325-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2244-100-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2244-101-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2244-53-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2248-262-0x00000000002E0000-0x000000000031C000-memory.dmp

Filesize
240KB

Download
memory/2248-261-0x00000000002E0000-0x000000000031C000-memory.dmp

Filesize
240KB

Download
memory/2248-250-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2248-297-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2248-298-0x00000000002E0000-0x000000000031C000-memory.dmp

Filesize
240KB

Download
memory/2320-338-0x0000000000280000-0x00000000002BC000-memory.dmp

Filesize
240KB

Download
memory/2320-331-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2320-369-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2492-327-0x00000000002E0000-0x000000000031C000-memory.dmp

Filesize
240KB

Download
memory/2492-356-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2492-362-0x00000000002E0000-0x000000000031C000-memory.dmp

Filesize
240KB

Download
memory/2552-85-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2552-83-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2552-132-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2568-380-0x0000000001F30000-0x0000000001F6C000-memory.dmp

Filesize
240KB

Download
memory/2568-373-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2568-412-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2568-384-0x0000000001F30000-0x0000000001F6C000-memory.dmp

Filesize
240KB

Download
memory/2592-394-0x0000000001F30000-0x0000000001F6C000-memory.dmp

Filesize
240KB

Download
memory/2620-116-0x00000000005D0000-0x000000000060C000-memory.dmp

Filesize
240KB

Download
memory/2620-153-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2620-162-0x00000000005D0000-0x000000000060C000-memory.dmp

Filesize
240KB

Download
memory/2620-110-0x00000000005D0000-0x000000000060C000-memory.dmp

Filesize
240KB

Download
memory/2676-400-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2676-367-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2684-95-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2684-144-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2684-87-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2788-393-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2788-358-0x00000000002D0000-0x000000000030C000-memory.dmp

Filesize
240KB

Download
memory/2800-193-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2800-206-0x0000000000260000-0x000000000029C000-memory.dmp

Filesize
240KB

Download
memory/2800-247-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2832-17-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2832-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2832-18-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2832-69-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2832-62-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2892-115-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2892-124-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2892-70-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2892-64-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2892-55-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2944-25-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2944-26-0x0000000001F70000-0x0000000001FAC000-memory.dmp

Filesize
240KB

Download
memory/2956-378-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2956-347-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2972-395-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2972-402-0x0000000001F50000-0x0000000001F8C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads