Analysis
max time kernel: 26s
max time network: 16s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 10-11-2024 01:47
Static task: static1
Behavioral task: behavioral1
  Sample: 180ff413dc6e9fe0b486e4bd2d90ffea6d3aeff3424d1ded01c8ab229dccdbe5N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 180ff413dc6e9fe0b486e4bd2d90ffea6d3aeff3424d1ded01c8ab229dccdbe5N.exe
  Resource: win10v2004-20241007-en
General
Target: 180ff413dc6e9fe0b486e4bd2d90ffea6d3aeff3424d1ded01c8ab229dccdbe5N.exe
Size: 435KB
MD5: bb12b3bf4f973506a6c121afb92b4a40
SHA1: 69de7554cdd1f53b06dc00d4b8c8446d8ebf1375
SHA256: 180ff413dc6e9fe0b486e4bd2d90ffea6d3aeff3424d1ded01c8ab229dccdbe5
SHA512: ebe1058e873e8f71b7c1d05715b00793544c877029a4dc9e9f9834b3c09a7ff63afdf186d48453c2b0fa67423d1a96e27d0d9655908331128678b56241f8bcbf
SSDEEP: 6144:WMaM1dbXywbWGRdA6sQc/Yp7TVX3J/1awbWGRdA6sQc/Y+mjwjOx5H:hXVbWGRdA6sQhPbWGRdA6sQvjpxN
Malware Config
Extracted family: berbew
URLs:
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description ioc process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhajdblk.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oagmmgdm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pckoam32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qgoapp32.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afgkfl32.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oghopm32.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjbjhgde.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Annbhi32.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Balkchpi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjbjhgde.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pihgic32.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aeenochi.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Annbhi32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bilmcf32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" 180ff413dc6e9fe0b486e4bd2d90ffea6d3aeff3424d1ded01c8ab229dccdbe5N.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oghopm32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qgmdjp32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apoooa32.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajgpbj32.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acpdko32.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhajdblk.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bphbeplm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pngphgbf.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Picnndmb.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aeenochi.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaolidlk.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhhpeafc.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cilibi32.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okoafmkm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abeemhkh.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajecmj32.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abphal32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bphbeplm.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfkpqn32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdoajb32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohaeia32.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pckoam32.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnielm32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnielm32.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abeemhkh.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apoooa32.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdoajb32.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baohhgnf.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cilibi32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcfefmnk.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acpdko32.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhdgjb32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdkgocpm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhdgjb32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Balkchpi.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odlojanh.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odlojanh.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcdipnqn.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bilmcf32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhhpeafc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oagmmgdm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afgkfl32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abphal32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baohhgnf.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okoafmkm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcdipnqn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Picnndmb.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajecmj32.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdkgocpm.exe

Berbew family
Executes dropped EXE (40 IoCs)
pid process
2936 Oagmmgdm.exe
2596 Ohaeia32.exe
2584 Okoafmkm.exe
3024 Oghopm32.exe
1152 Odlojanh.exe
2748 Oappcfmb.exe
1260 Pngphgbf.exe
2276 Pcdipnqn.exe
2324 Pcfefmnk.exe
2856 Picnndmb.exe
2160 Pjbjhgde.exe
1220 Pckoam32.exe
3064 Pihgic32.exe
2316 Qgmdjp32.exe
1028 Qgoapp32.exe
1528 Abeemhkh.exe
1960 Aeenochi.exe
1556 Afgkfl32.exe
1692 Annbhi32.exe
2352 Apoooa32.exe
760 Ajecmj32.exe
3056 Aaolidlk.exe
2436 Abphal32.exe
1512 Ajgpbj32.exe
2580 Acpdko32.exe
1576 Afnagk32.exe
2608 Bilmcf32.exe
2604 Bnielm32.exe
2524 Bhajdblk.exe
1140 Bphbeplm.exe
1852 Beejng32.exe
1992 Bhdgjb32.exe
2064 Balkchpi.exe
2020 Bdkgocpm.exe
2308 Baohhgnf.exe
2696 Bhhpeafc.exe
1420 Bfkpqn32.exe
316 Cdoajb32.exe
560 Cilibi32.exe
904 Cacacg32.exe
Loads dropped DLL (64 IoCs; each process is listed once per load)
pid process
2724 180ff413dc6e9fe0b486e4bd2d90ffea6d3aeff3424d1ded01c8ab229dccdbe5N.exe
2724 180ff413dc6e9fe0b486e4bd2d90ffea6d3aeff3424d1ded01c8ab229dccdbe5N.exe
2936 Oagmmgdm.exe
2936 Oagmmgdm.exe
2596 Ohaeia32.exe
2596 Ohaeia32.exe
2584 Okoafmkm.exe
2584 Okoafmkm.exe
3024 Oghopm32.exe
3024 Oghopm32.exe
1152 Odlojanh.exe
1152 Odlojanh.exe
2748 Oappcfmb.exe
2748 Oappcfmb.exe
1260 Pngphgbf.exe
1260 Pngphgbf.exe
2276 Pcdipnqn.exe
2276 Pcdipnqn.exe
2324 Pcfefmnk.exe
2324 Pcfefmnk.exe
2856 Picnndmb.exe
2856 Picnndmb.exe
2160 Pjbjhgde.exe
2160 Pjbjhgde.exe
1220 Pckoam32.exe
1220 Pckoam32.exe
3064 Pihgic32.exe
3064 Pihgic32.exe
2316 Qgmdjp32.exe
2316 Qgmdjp32.exe
1028 Qgoapp32.exe
1028 Qgoapp32.exe
1528 Abeemhkh.exe
1528 Abeemhkh.exe
1960 Aeenochi.exe
1960 Aeenochi.exe
1556 Afgkfl32.exe
1556 Afgkfl32.exe
1692 Annbhi32.exe
1692 Annbhi32.exe
2352 Apoooa32.exe
2352 Apoooa32.exe
760 Ajecmj32.exe
760 Ajecmj32.exe
3056 Aaolidlk.exe
3056 Aaolidlk.exe
2436 Abphal32.exe
2436 Abphal32.exe
1512 Ajgpbj32.exe
1512 Ajgpbj32.exe
2580 Acpdko32.exe
2580 Acpdko32.exe
1576 Afnagk32.exe
1576 Afnagk32.exe
2608 Bilmcf32.exe
2608 Bilmcf32.exe
2604 Bnielm32.exe
2604 Bnielm32.exe
2524 Bhajdblk.exe
2524 Bhajdblk.exe
1140 Bphbeplm.exe
1140 Bphbeplm.exe
1852 Beejng32.exe
1852 Beejng32.exe
Drops file in System32 directory (64 IoCs)
description ioc process
File opened for modification C:\Windows\SysWOW64\Oappcfmb.exe Odlojanh.exe
File opened for modification C:\Windows\SysWOW64\Annbhi32.exe Afgkfl32.exe
File opened for modification C:\Windows\SysWOW64\Abphal32.exe Aaolidlk.exe
File created C:\Windows\SysWOW64\Aceobl32.dll Pcdipnqn.exe
File created C:\Windows\SysWOW64\Hepiihgc.dll Pckoam32.exe
File created C:\Windows\SysWOW64\Bfqgjgep.dll Ajecmj32.exe
File opened for modification C:\Windows\SysWOW64\Acpdko32.exe Ajgpbj32.exe
File opened for modification C:\Windows\SysWOW64\Afnagk32.exe Acpdko32.exe
File created C:\Windows\SysWOW64\Ohaeia32.exe Oagmmgdm.exe
File created C:\Windows\SysWOW64\Okoafmkm.exe Ohaeia32.exe
File created C:\Windows\SysWOW64\Pcdipnqn.exe Pngphgbf.exe
File created C:\Windows\SysWOW64\Baohhgnf.exe Bdkgocpm.exe
File created C:\Windows\SysWOW64\Eebghjja.dll Odlojanh.exe
File created C:\Windows\SysWOW64\Picnndmb.exe Pcfefmnk.exe
File opened for modification C:\Windows\SysWOW64\Picnndmb.exe Pcfefmnk.exe
File created C:\Windows\SysWOW64\Jbodgd32.dll Beejng32.exe
File created C:\Windows\SysWOW64\Bfkpqn32.exe Bhhpeafc.exe
File created C:\Windows\SysWOW64\Cacacg32.exe Cilibi32.exe
File created C:\Windows\SysWOW64\Oghopm32.exe Okoafmkm.exe
File opened for modification C:\Windows\SysWOW64\Pjbjhgde.exe Picnndmb.exe
File created C:\Windows\SysWOW64\Qgoapp32.exe Qgmdjp32.exe
File created C:\Windows\SysWOW64\Afnagk32.exe Acpdko32.exe
File created C:\Windows\SysWOW64\Bhajdblk.exe Bnielm32.exe
File opened for modification C:\Windows\SysWOW64\Bhajdblk.exe Bnielm32.exe
File created C:\Windows\SysWOW64\Cophek32.dll Aeenochi.exe
File opened for modification C:\Windows\SysWOW64\Ajecmj32.exe Apoooa32.exe
File created C:\Windows\SysWOW64\Bnielm32.exe Bilmcf32.exe
File opened for modification C:\Windows\SysWOW64\Bphbeplm.exe Bhajdblk.exe
File opened for modification C:\Windows\SysWOW64\Baohhgnf.exe Bdkgocpm.exe
File created C:\Windows\SysWOW64\Pjbjhgde.exe Picnndmb.exe
File created C:\Windows\SysWOW64\Doojhgfa.dll Pihgic32.exe
File created C:\Windows\SysWOW64\Aeenochi.exe Abeemhkh.exe
File opened for modification C:\Windows\SysWOW64\Beejng32.exe Bphbeplm.exe
File opened for modification C:\Windows\SysWOW64\Qgoapp32.exe Qgmdjp32.exe
File created C:\Windows\SysWOW64\Abeemhkh.exe Qgoapp32.exe
File opened for modification C:\Windows\SysWOW64\Afgkfl32.exe Aeenochi.exe
File created C:\Windows\SysWOW64\Bhdgjb32.exe Beejng32.exe
File created C:\Windows\SysWOW64\Pkfaka32.dll Bhhpeafc.exe
File created C:\Windows\SysWOW64\Odlojanh.exe Oghopm32.exe
File created C:\Windows\SysWOW64\Oappcfmb.exe Odlojanh.exe
File created C:\Windows\SysWOW64\Lfobiqka.dll Aaolidlk.exe
File created C:\Windows\SysWOW64\Cdoajb32.exe Bfkpqn32.exe
File opened for modification C:\Windows\SysWOW64\Pihgic32.exe Pckoam32.exe
File created C:\Windows\SysWOW64\Naaffn32.dll Abeemhkh.exe
File opened for modification C:\Windows\SysWOW64\Bfkpqn32.exe Bhhpeafc.exe
File opened for modification C:\Windows\SysWOW64\Aeenochi.exe Abeemhkh.exe
File created C:\Windows\SysWOW64\Annbhi32.exe Afgkfl32.exe
File created C:\Windows\SysWOW64\Icdleb32.dll Oagmmgdm.exe
File created C:\Windows\SysWOW64\Ifbgfk32.dll Oappcfmb.exe
File opened for modification C:\Windows\SysWOW64\Pcdipnqn.exe Pngphgbf.exe
File opened for modification C:\Windows\SysWOW64\Cacacg32.exe Cilibi32.exe
File created C:\Windows\SysWOW64\Aaolidlk.exe Ajecmj32.exe
File created C:\Windows\SysWOW64\Bilmcf32.exe Afnagk32.exe
File created C:\Windows\SysWOW64\Beejng32.exe Bphbeplm.exe
File created C:\Windows\SysWOW64\Pngphgbf.exe Oappcfmb.exe
File created C:\Windows\SysWOW64\Bfbdiclb.dll Pngphgbf.exe
File opened for modification C:\Windows\SysWOW64\Apoooa32.exe Annbhi32.exe
File opened for modification C:\Windows\SysWOW64\Bhdgjb32.exe Beejng32.exe
File opened for modification C:\Windows\SysWOW64\Bnielm32.exe Bilmcf32.exe
File created C:\Windows\SysWOW64\Ldhfglad.dll Bhajdblk.exe
File created C:\Windows\SysWOW64\Nfolbbmp.dll Bdkgocpm.exe
File opened for modification C:\Windows\SysWOW64\Oghopm32.exe Okoafmkm.exe
File created C:\Windows\SysWOW64\Pihgic32.exe Pckoam32.exe
File opened for modification C:\Windows\SysWOW64\Abeemhkh.exe Qgoapp32.exe
Program crash (1 IoC)
pid pid_target process target process
2500 904 WerFault.exe Cacacg32.exe
System Location Discovery: System Language Discovery (1 TTP, 41 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhajdblk.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okoafmkm.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abeemhkh.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeenochi.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajgpbj32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohaeia32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcfefmnk.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pihgic32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhhpeafc.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdoajb32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 180ff413dc6e9fe0b486e4bd2d90ffea6d3aeff3424d1ded01c8ab229dccdbe5N.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjbjhgde.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abphal32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bilmcf32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Annbhi32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apoooa32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beejng32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acpdko32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Balkchpi.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cilibi32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oghopm32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odlojanh.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pckoam32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajecmj32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnielm32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bphbeplm.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oappcfmb.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcdipnqn.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgoapp32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaolidlk.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfkpqn32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cacacg32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oagmmgdm.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Picnndmb.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhdgjb32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baohhgnf.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdkgocpm.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pngphgbf.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgmdjp32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afgkfl32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afnagk32.exe
Modifies registry class (64 IoCs)
description ioc process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdkgocpm.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oappcfmb.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Acpdko32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjojco32.dll" Qgmdjp32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhajdblk.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldhfglad.dll" Bhajdblk.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdkgocpm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Baohhgnf.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 180ff413dc6e9fe0b486e4bd2d90ffea6d3aeff3424d1ded01c8ab229dccdbe5N.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffjmmbcg.dll" Pjbjhgde.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Baohhgnf.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qgmdjp32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnielm32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfglke32.dll" 180ff413dc6e9fe0b486e4bd2d90ffea6d3aeff3424d1ded01c8ab229dccdbe5N.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfbnoibb.dll" Ohaeia32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cophek32.dll" Aeenochi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfbdiclb.dll" Pngphgbf.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qgoapp32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apoooa32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoqbnm32.dll" Bphbeplm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnahcn32.dll" Okoafmkm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okoafmkm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfolbbmp.dll" Bdkgocpm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hepiihgc.dll" Pckoam32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cifmcd32.dll" Bnielm32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnabbkhk.dll" Bfkpqn32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jodjlm32.dll" Baohhgnf.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfaka32.dll" Bhhpeafc.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node 180ff413dc6e9fe0b486e4bd2d90ffea6d3aeff3424d1ded01c8ab229dccdbe5N.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhhpeafc.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oghopm32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afnagk32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icmqhn32.dll" Qgoapp32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naaffn32.dll" Abeemhkh.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbdipkfe.dll" Afgkfl32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Annbhi32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajecmj32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bphbeplm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcfefmnk.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doojhgfa.dll" Pihgic32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Balkchpi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll" Cilibi32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Beejng32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhdgjb32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Balkchpi.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdoajb32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpmbc32.dll" Cdoajb32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oagmmgdm.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okoafmkm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifbgfk32.dll" Oappcfmb.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aaolidlk.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhhpeafc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfqgjgep.dll" Ajecmj32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abphal32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgahjhop.dll" Afnagk32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bilmcf32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdoajb32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pihgic32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aaolidlk.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajgpbj32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Picnndmb.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajecmj32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Picnndmb.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdplpd32.dll" Picnndmb.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes

C:\Users\Admin\AppData\Local\Temp\180ff413dc6e9fe0b486e4bd2d90ffea6d3aeff3424d1ded01c8ab229dccdbe5N.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\180ff413dc6e9fe0b486e4bd2d90ffea6d3aeff3424d1ded01c8ab229dccdbe5N.exe"
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2724

C:\Windows\SysWOW64\Oagmmgdm.exe (depth 2)
Command line: C:\Windows\system32\Oagmmgdm.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2936

C:\Windows\SysWOW64\Ohaeia32.exe (depth 3)
Command line: C:\Windows\system32\Ohaeia32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2596

C:\Windows\SysWOW64\Okoafmkm.exe (depth 4)
Command line: C:\Windows\system32\Okoafmkm.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2584

C:\Windows\SysWOW64\Oghopm32.exe (depth 5)
Command line: C:\Windows\system32\Oghopm32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3024

C:\Windows\SysWOW64\Odlojanh.exe (depth 6)
Command line: C:\Windows\system32\Odlojanh.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1152

C:\Windows\SysWOW64\Oappcfmb.exe (depth 7)
Command line: C:\Windows\system32\Oappcfmb.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2748

C:\Windows\SysWOW64\Pngphgbf.exe (depth 8)
Command line: C:\Windows\system32\Pngphgbf.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1260

C:\Windows\SysWOW64\Pcdipnqn.exe (depth 9)
Command line: C:\Windows\system32\Pcdipnqn.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2276

C:\Windows\SysWOW64\Pcfefmnk.exe (depth 10)
Command line: C:\Windows\system32\Pcfefmnk.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2324

C:\Windows\SysWOW64\Picnndmb.exe (depth 11)
Command line: C:\Windows\system32\Picnndmb.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2856

C:\Windows\SysWOW64\Pjbjhgde.exe (depth 12)
Command line: C:\Windows\system32\Pjbjhgde.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2160

C:\Windows\SysWOW64\Pckoam32.exe (depth 13)
Command line: C:\Windows\system32\Pckoam32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1220

C:\Windows\SysWOW64\Pihgic32.exe (depth 14)
Command line: C:\Windows\system32\Pihgic32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3064

C:\Windows\SysWOW64\Qgmdjp32.exe (depth 15)
Command line: C:\Windows\system32\Qgmdjp32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2316

C:\Windows\SysWOW64\Qgoapp32.exe (depth 16)
Command line: C:\Windows\system32\Qgoapp32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1028

C:\Windows\SysWOW64\Abeemhkh.exe (depth 17)
Command line: C:\Windows\system32\Abeemhkh.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1528

C:\Windows\SysWOW64\Aeenochi.exe (depth 18)
Command line: C:\Windows\system32\Aeenochi.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1960

C:\Windows\SysWOW64\Afgkfl32.exe (depth 19)
Command line: C:\Windows\system32\Afgkfl32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1556

C:\Windows\SysWOW64\Annbhi32.exe (depth 20)
Command line: C:\Windows\system32\Annbhi32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1692

C:\Windows\SysWOW64\Apoooa32.exe (depth 21)
Command line: C:\Windows\system32\Apoooa32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2352

C:\Windows\SysWOW64\Ajecmj32.exe (depth 22)
Command line: C:\Windows\system32\Ajecmj32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 760

C:\Windows\SysWOW64\Aaolidlk.exe (depth 23)
Command line: C:\Windows\system32\Aaolidlk.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 3056

C:\Windows\SysWOW64\Abphal32.exe (depth 24)
Command line: C:\Windows\system32\Abphal32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2436

C:\Windows\SysWOW64\Ajgpbj32.exe (depth 25)
Command line: C:\Windows\system32\Ajgpbj32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1512

C:\Windows\SysWOW64\Acpdko32.exe (depth 26)
Command line: C:\Windows\system32\Acpdko32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2580

C:\Windows\SysWOW64\Afnagk32.exe (depth 27)
Command line: C:\Windows\system32\Afnagk32.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1576

C:\Windows\SysWOW64\Bilmcf32.exe (depth 28)
Command line: C:\Windows\system32\Bilmcf32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2608

C:\Windows\SysWOW64\Bnielm32.exe (depth 29)
Command line: C:\Windows\system32\Bnielm32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2604

C:\Windows\SysWOW64\Bhajdblk.exe (depth 30)
Command line: C:\Windows\system32\Bhajdblk.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2524

C:\Windows\SysWOW64\Bphbeplm.exe (depth 31)
Command line: C:\Windows\system32\Bphbeplm.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1140

C:\Windows\SysWOW64\Beejng32.exe (depth 32)
Command line: C:\Windows\system32\Beejng32.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1852

C:\Windows\SysWOW64\Bhdgjb32.exe (depth 33)
Command line: C:\Windows\system32\Bhdgjb32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1992

C:\Windows\SysWOW64\Balkchpi.exe (depth 34)
Command line: C:\Windows\system32\Balkchpi.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2064

C:\Windows\SysWOW64\Bdkgocpm.exe (depth 35)
Command line: C:\Windows\system32\Bdkgocpm.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2020

C:\Windows\SysWOW64\Baohhgnf.exe (depth 36)
Command line: C:\Windows\system32\Baohhgnf.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2308

C:\Windows\SysWOW64\Bhhpeafc.exe (depth 37)
Command line: C:\Windows\system32\Bhhpeafc.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 2696

C:\Windows\SysWOW64\Bfkpqn32.exe (depth 38)
Command line: C:\Windows\system32\Bfkpqn32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 1420

C:\Windows\SysWOW64\Cdoajb32.exe (depth 39)
Command line: C:\Windows\system32\Cdoajb32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 316

C:\Windows\SysWOW64\Cilibi32.exe (depth 40)
Command line: C:\Windows\system32\Cilibi32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 560

C:\Windows\SysWOW64\Cacacg32.exe (depth 41)
Command line: C:\Windows\system32\Cacacg32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 904

C:\Windows\SysWOW64\WerFault.exe (depth 42)
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 904 -s 140
- Program crash
PID: 2500
Downloads