c5809d7bd574b3bb87b1e35aa753d3b25f7557d31a9cd867a539d091d29d0eba

Analysis

max time kernel
105s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23-08-2024 04:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3aead85728eb8d3e98611dc7a0607e0N.exe
Size

1.5MB
MD5

a3aead85728eb8d3e98611dc7a0607e0
SHA1

399bebc056299dee6ca0c8cbe63ff2e8016b5767
SHA256

c5809d7bd574b3bb87b1e35aa753d3b25f7557d31a9cd867a539d091d29d0eba
SHA512

4f7ef9544212c1591c3e2f6fb9bf0973e780ab9c3ad9b0ce4950d7f0613cf6b1660e0cb5a58cbe238bb20f55336feda05634c8b0ea2de7b63e64eec88f8ecbf1
SSDEEP

12288:bRPbWGRdA6sQxuEuZH8WF50+OJ3BHCXwpnsKvNA+XTvZHWuEo3oWB+:9zecI50+YNpsKv2EvZHp3oWB+

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckjknfnh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qacameaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qacameaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgnffj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bacjdbch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdfpkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckbemgcp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chiblk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cogddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkndie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baegibae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnaaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgqlcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgnffj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boihcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chdialdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cammjakm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckebcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cacckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	a3aead85728eb8d3e98611dc7a0607e0N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjfmkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpdnjple.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgbpaipl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chfegk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cncnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckjknfnh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cogddd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnmaea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amlogfel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aopemh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckbemgcp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cammjakm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckgohf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caageq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cacckp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkndie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afpjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aopemh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgbpaipl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bajqda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpbjkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chkobkod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdbpgl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a3aead85728eb8d3e98611dc7a0607e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpdnjple.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnfkdb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdbpgl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhbebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bahdob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bajqda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chfegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhbebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afpjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bklomh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chdialdl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnfkdb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaoaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaoaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkphhgfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpbjkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgqlcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckebcg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caageq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnmaea32.exe

Executes dropped EXE 42 IoCs

pid	Process
1888	Qjfmkk32.exe
2772	Qacameaj.exe
2752	Afpjel32.exe
4540	Amlogfel.exe
1652	Aaldccip.exe
3228	Aopemh32.exe
4288	Aaoaic32.exe
1060	Bpdnjple.exe
1120	Bgnffj32.exe
1588	Bacjdbch.exe
4052	Bklomh32.exe
5044	Baegibae.exe
1048	Bgbpaipl.exe
228	Boihcf32.exe
3700	Bahdob32.exe
804	Bdfpkm32.exe
4484	Bkphhgfc.exe
3936	Bajqda32.exe
1056	Chdialdl.exe
2492	Ckbemgcp.exe
4140	Cnaaib32.exe
5084	Cammjakm.exe
2200	Chfegk32.exe
2984	Ckebcg32.exe
3600	Cncnob32.exe
3276	Cpbjkn32.exe
2232	Chiblk32.exe
2360	Ckgohf32.exe
2524	Cnfkdb32.exe
2780	Caageq32.exe
1972	Chkobkod.exe
3156	Ckjknfnh.exe
3824	Cacckp32.exe
4148	Cdbpgl32.exe
1744	Cgqlcg32.exe
4680	Cogddd32.exe
3992	Dafppp32.exe
1404	Dkndie32.exe
2488	Dnmaea32.exe
768	Ddgibkpc.exe
2464	Dhbebj32.exe
2528	Dkqaoe32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Baegibae.exe	Bklomh32.exe
File opened for modification	C:\Windows\SysWOW64\Bahdob32.exe	Boihcf32.exe
File created	C:\Windows\SysWOW64\Bkphhgfc.exe	Bdfpkm32.exe
File created	C:\Windows\SysWOW64\Ckbemgcp.exe	Chdialdl.exe
File created	C:\Windows\SysWOW64\Cpbjkn32.exe	Cncnob32.exe
File created	C:\Windows\SysWOW64\Fgijpe32.dll	Baegibae.exe
File created	C:\Windows\SysWOW64\Cogddd32.exe	Cgqlcg32.exe
File created	C:\Windows\SysWOW64\Dgihjf32.dll	Ddgibkpc.exe
File created	C:\Windows\SysWOW64\Ckebcg32.exe	Chfegk32.exe
File opened for modification	C:\Windows\SysWOW64\Ckjknfnh.exe	Chkobkod.exe
File created	C:\Windows\SysWOW64\Bkamodje.dll	Bklomh32.exe
File opened for modification	C:\Windows\SysWOW64\Bkphhgfc.exe	Bdfpkm32.exe
File opened for modification	C:\Windows\SysWOW64\Cammjakm.exe	Cnaaib32.exe
File created	C:\Windows\SysWOW64\Caageq32.exe	Cnfkdb32.exe
File opened for modification	C:\Windows\SysWOW64\Cacckp32.exe	Ckjknfnh.exe
File opened for modification	C:\Windows\SysWOW64\Dhbebj32.exe	Ddgibkpc.exe
File created	C:\Windows\SysWOW64\Amlogfel.exe	Afpjel32.exe
File created	C:\Windows\SysWOW64\Baegibae.exe	Bklomh32.exe
File created	C:\Windows\SysWOW64\Eekgliip.dll	Cacckp32.exe
File created	C:\Windows\SysWOW64\Afpjel32.exe	Qacameaj.exe
File created	C:\Windows\SysWOW64\Cnaaib32.exe	Ckbemgcp.exe
File opened for modification	C:\Windows\SysWOW64\Chiblk32.exe	Cpbjkn32.exe
File created	C:\Windows\SysWOW64\Ckjknfnh.exe	Chkobkod.exe
File created	C:\Windows\SysWOW64\Mnpofk32.dll	Dafppp32.exe
File created	C:\Windows\SysWOW64\Dhbebj32.exe	Ddgibkpc.exe
File created	C:\Windows\SysWOW64\Nmocfo32.dll	a3aead85728eb8d3e98611dc7a0607e0N.exe
File created	C:\Windows\SysWOW64\Gdlfcb32.dll	Aaldccip.exe
File created	C:\Windows\SysWOW64\Aaoaic32.exe	Aopemh32.exe
File created	C:\Windows\SysWOW64\Gpojkp32.dll	Bdfpkm32.exe
File opened for modification	C:\Windows\SysWOW64\Chkobkod.exe	Caageq32.exe
File opened for modification	C:\Windows\SysWOW64\Dkndie32.exe	Dafppp32.exe
File created	C:\Windows\SysWOW64\Glfdiedd.dll	Dhbebj32.exe
File opened for modification	C:\Windows\SysWOW64\Ckebcg32.exe	Chfegk32.exe
File opened for modification	C:\Windows\SysWOW64\Cogddd32.exe	Cgqlcg32.exe
File created	C:\Windows\SysWOW64\Phlepppi.dll	Aopemh32.exe
File created	C:\Windows\SysWOW64\Bpdnjple.exe	Aaoaic32.exe
File created	C:\Windows\SysWOW64\Chfegk32.exe	Cammjakm.exe
File created	C:\Windows\SysWOW64\Hnflfgji.dll	Cammjakm.exe
File opened for modification	C:\Windows\SysWOW64\Cncnob32.exe	Ckebcg32.exe
File created	C:\Windows\SysWOW64\Ckgohf32.exe	Chiblk32.exe
File created	C:\Windows\SysWOW64\Aqjpajgi.dll	Chiblk32.exe
File created	C:\Windows\SysWOW64\Aaldccip.exe	Amlogfel.exe
File created	C:\Windows\SysWOW64\Bdfpkm32.exe	Bahdob32.exe
File created	C:\Windows\SysWOW64\Bhqndghj.dll	Bajqda32.exe
File created	C:\Windows\SysWOW64\Pkoaeldi.dll	Bgbpaipl.exe
File created	C:\Windows\SysWOW64\Nchkcb32.dll	Dnmaea32.exe
File opened for modification	C:\Windows\SysWOW64\Amlogfel.exe	Afpjel32.exe
File created	C:\Windows\SysWOW64\Bklomh32.exe	Bacjdbch.exe
File created	C:\Windows\SysWOW64\Cammjakm.exe	Cnaaib32.exe
File created	C:\Windows\SysWOW64\Dnmaea32.exe	Dkndie32.exe
File opened for modification	C:\Windows\SysWOW64\Ddgibkpc.exe	Dnmaea32.exe
File opened for modification	C:\Windows\SysWOW64\Afpjel32.exe	Qacameaj.exe
File created	C:\Windows\SysWOW64\Qgaeof32.dll	Afpjel32.exe
File created	C:\Windows\SysWOW64\Aopemh32.exe	Aaldccip.exe
File created	C:\Windows\SysWOW64\Mcdibc32.dll	Cnfkdb32.exe
File opened for modification	C:\Windows\SysWOW64\Qjfmkk32.exe	a3aead85728eb8d3e98611dc7a0607e0N.exe
File opened for modification	C:\Windows\SysWOW64\Aaldccip.exe	Amlogfel.exe
File opened for modification	C:\Windows\SysWOW64\Ckbemgcp.exe	Chdialdl.exe
File created	C:\Windows\SysWOW64\Nflnbh32.dll	Ckbemgcp.exe
File created	C:\Windows\SysWOW64\Bgbpaipl.exe	Baegibae.exe
File created	C:\Windows\SysWOW64\Bahdob32.exe	Boihcf32.exe
File created	C:\Windows\SysWOW64\Cncnob32.exe	Ckebcg32.exe
File created	C:\Windows\SysWOW64\Bghgmioe.dll	Cogddd32.exe
File created	C:\Windows\SysWOW64\Boihcf32.exe	Bgbpaipl.exe

Program crash 1 IoCs

pid	pid_target	Process
5116	2528	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 43 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chfegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckgohf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgqlcg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgnffj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bahdob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckbemgcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chiblk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caageq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkndie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaldccip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cncnob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chkobkod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dafppp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjfmkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afpjel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aopemh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnmaea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkqaoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cogddd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qacameaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaoaic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boihcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkphhgfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bajqda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjknfnh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bklomh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgbpaipl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdbpgl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddgibkpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a3aead85728eb8d3e98611dc7a0607e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpdnjple.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chdialdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnaaib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cammjakm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnfkdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhbebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amlogfel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bacjdbch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baegibae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdfpkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckebcg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpbjkn32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bacjdbch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baegibae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhijep32.dll"	Cdbpgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dafppp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aopemh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boihcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cklgfgfg.dll"	Bkphhgfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chdialdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cogddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhbebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgnffj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgijpe32.dll"	Baegibae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmihfl32.dll"	Cnaaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkicbhla.dll"	Ckgohf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgqlcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hockka32.dll"	Qjfmkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbhhlfgd.dll"	Bahdob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chfegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpdnjple.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cammjakm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caageq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgihjf32.dll"	Ddgibkpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfdiedd.dll"	Dhbebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aaldccip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkphhgfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkphhgfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afpjel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bajqda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chkobkod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhbebj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qjfmkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjfmkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bacjdbch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bklomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckgohf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpbjkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qacameaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nflnbh32.dll"	Ckbemgcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caageq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aaoaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkoaeldi.dll"	Bgbpaipl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bahdob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpdnjple.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcdibc32.dll"	Cnfkdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnfkdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgqlcg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dafppp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aopemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bajqda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cncnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chkobkod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nchkcb32.dll"	Dnmaea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egilaj32.dll"	Qacameaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Domdocba.dll"	Boihcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdfpkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlkidpke.dll"	Ckebcg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cacckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bahdob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckbemgcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilpfgkh.dll"	Dkndie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkamodje.dll"	Bklomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibmlia32.dll"	Chdialdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpkhqmjb.dll"	Cncnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnmaea32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 1888	2468	a3aead85728eb8d3e98611dc7a0607e0N.exe	84
PID 2468 wrote to memory of 1888	2468	a3aead85728eb8d3e98611dc7a0607e0N.exe	84
PID 2468 wrote to memory of 1888	2468	a3aead85728eb8d3e98611dc7a0607e0N.exe	84
PID 1888 wrote to memory of 2772	1888	Qjfmkk32.exe	85
PID 1888 wrote to memory of 2772	1888	Qjfmkk32.exe	85
PID 1888 wrote to memory of 2772	1888	Qjfmkk32.exe	85
PID 2772 wrote to memory of 2752	2772	Qacameaj.exe	86
PID 2772 wrote to memory of 2752	2772	Qacameaj.exe	86
PID 2772 wrote to memory of 2752	2772	Qacameaj.exe	86
PID 2752 wrote to memory of 4540	2752	Afpjel32.exe	89
PID 2752 wrote to memory of 4540	2752	Afpjel32.exe	89
PID 2752 wrote to memory of 4540	2752	Afpjel32.exe	89
PID 4540 wrote to memory of 1652	4540	Amlogfel.exe	90
PID 4540 wrote to memory of 1652	4540	Amlogfel.exe	90
PID 4540 wrote to memory of 1652	4540	Amlogfel.exe	90
PID 1652 wrote to memory of 3228	1652	Aaldccip.exe	92
PID 1652 wrote to memory of 3228	1652	Aaldccip.exe	92
PID 1652 wrote to memory of 3228	1652	Aaldccip.exe	92
PID 3228 wrote to memory of 4288	3228	Aopemh32.exe	93
PID 3228 wrote to memory of 4288	3228	Aopemh32.exe	93
PID 3228 wrote to memory of 4288	3228	Aopemh32.exe	93
PID 4288 wrote to memory of 1060	4288	Aaoaic32.exe	94
PID 4288 wrote to memory of 1060	4288	Aaoaic32.exe	94
PID 4288 wrote to memory of 1060	4288	Aaoaic32.exe	94
PID 1060 wrote to memory of 1120	1060	Bpdnjple.exe	95
PID 1060 wrote to memory of 1120	1060	Bpdnjple.exe	95
PID 1060 wrote to memory of 1120	1060	Bpdnjple.exe	95
PID 1120 wrote to memory of 1588	1120	Bgnffj32.exe	96
PID 1120 wrote to memory of 1588	1120	Bgnffj32.exe	96
PID 1120 wrote to memory of 1588	1120	Bgnffj32.exe	96
PID 1588 wrote to memory of 4052	1588	Bacjdbch.exe	97
PID 1588 wrote to memory of 4052	1588	Bacjdbch.exe	97
PID 1588 wrote to memory of 4052	1588	Bacjdbch.exe	97
PID 4052 wrote to memory of 5044	4052	Bklomh32.exe	98
PID 4052 wrote to memory of 5044	4052	Bklomh32.exe	98
PID 4052 wrote to memory of 5044	4052	Bklomh32.exe	98
PID 5044 wrote to memory of 1048	5044	Baegibae.exe	99
PID 5044 wrote to memory of 1048	5044	Baegibae.exe	99
PID 5044 wrote to memory of 1048	5044	Baegibae.exe	99
PID 1048 wrote to memory of 228	1048	Bgbpaipl.exe	100
PID 1048 wrote to memory of 228	1048	Bgbpaipl.exe	100
PID 1048 wrote to memory of 228	1048	Bgbpaipl.exe	100
PID 228 wrote to memory of 3700	228	Boihcf32.exe	101
PID 228 wrote to memory of 3700	228	Boihcf32.exe	101
PID 228 wrote to memory of 3700	228	Boihcf32.exe	101
PID 3700 wrote to memory of 804	3700	Bahdob32.exe	102
PID 3700 wrote to memory of 804	3700	Bahdob32.exe	102
PID 3700 wrote to memory of 804	3700	Bahdob32.exe	102
PID 804 wrote to memory of 4484	804	Bdfpkm32.exe	103
PID 804 wrote to memory of 4484	804	Bdfpkm32.exe	103
PID 804 wrote to memory of 4484	804	Bdfpkm32.exe	103
PID 4484 wrote to memory of 3936	4484	Bkphhgfc.exe	104
PID 4484 wrote to memory of 3936	4484	Bkphhgfc.exe	104
PID 4484 wrote to memory of 3936	4484	Bkphhgfc.exe	104
PID 3936 wrote to memory of 1056	3936	Bajqda32.exe	105
PID 3936 wrote to memory of 1056	3936	Bajqda32.exe	105
PID 3936 wrote to memory of 1056	3936	Bajqda32.exe	105
PID 1056 wrote to memory of 2492	1056	Chdialdl.exe	106
PID 1056 wrote to memory of 2492	1056	Chdialdl.exe	106
PID 1056 wrote to memory of 2492	1056	Chdialdl.exe	106
PID 2492 wrote to memory of 4140	2492	Ckbemgcp.exe	107
PID 2492 wrote to memory of 4140	2492	Ckbemgcp.exe	107
PID 2492 wrote to memory of 4140	2492	Ckbemgcp.exe	107
PID 4140 wrote to memory of 5084	4140	Cnaaib32.exe	108

C:\Users\Admin\AppData\Local\Temp\a3aead85728eb8d3e98611dc7a0607e0N.exe
"C:\Users\Admin\AppData\Local\Temp\a3aead85728eb8d3e98611dc7a0607e0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Windows\SysWOW64\Qjfmkk32.exe
  C:\Windows\system32\Qjfmkk32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Windows\SysWOW64\Qacameaj.exe
    C:\Windows\system32\Qacameaj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Windows\SysWOW64\Afpjel32.exe
      C:\Windows\system32\Afpjel32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2752
    - - C:\Windows\SysWOW64\Amlogfel.exe
        
        C:\Windows\system32\Amlogfel.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4540
      - C:\Windows\SysWOW64\Aaldccip.exe
        
        C:\Windows\system32\Aaldccip.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\SysWOW64\Aopemh32.exe
        
        C:\Windows\system32\Aopemh32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3228
        
        C:\Windows\SysWOW64\Aaoaic32.exe
        
        C:\Windows\system32\Aaoaic32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4288
        
        C:\Windows\SysWOW64\Bpdnjple.exe
        
        C:\Windows\system32\Bpdnjple.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1120
        
        C:\Windows\SysWOW64\Bacjdbch.exe
        
        C:\Windows\system32\Bacjdbch.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\SysWOW64\Bklomh32.exe
        
        C:\Windows\system32\Bklomh32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4052
        
        C:\Windows\SysWOW64\Baegibae.exe
        
        C:\Windows\system32\Baegibae.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\SysWOW64\Bgbpaipl.exe
        
        C:\Windows\system32\Bgbpaipl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\SysWOW64\Boihcf32.exe
        
        C:\Windows\system32\Boihcf32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3700
        
        C:\Windows\SysWOW64\Bdfpkm32.exe
        
        C:\Windows\system32\Bdfpkm32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:804
        
        C:\Windows\SysWOW64\Bkphhgfc.exe
        
        C:\Windows\system32\Bkphhgfc.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\SysWOW64\Bajqda32.exe
        
        C:\Windows\system32\Bajqda32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3936
        
        C:\Windows\SysWOW64\Chdialdl.exe
        
        C:\Windows\system32\Chdialdl.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\SysWOW64\Ckbemgcp.exe
        
        C:\Windows\system32\Ckbemgcp.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\SysWOW64\Cnaaib32.exe
        
        C:\Windows\system32\Cnaaib32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4140
        
        C:\Windows\SysWOW64\Cammjakm.exe
        
        C:\Windows\system32\Cammjakm.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Chfegk32.exe
        
        C:\Windows\system32\Chfegk32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2200
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Cncnob32.exe
        
        C:\Windows\system32\Cncnob32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3600
        
        C:\Windows\SysWOW64\Cpbjkn32.exe
        
        C:\Windows\system32\Cpbjkn32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3276
        
        C:\Windows\SysWOW64\Chiblk32.exe
        
        C:\Windows\system32\Chiblk32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2232
        
        C:\Windows\SysWOW64\Ckgohf32.exe
        
        C:\Windows\system32\Ckgohf32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2360
        
        C:\Windows\SysWOW64\Cnfkdb32.exe
        
        C:\Windows\system32\Cnfkdb32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2780
        
        C:\Windows\SysWOW64\Chkobkod.exe
        
        C:\Windows\system32\Chkobkod.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1972
        
        C:\Windows\SysWOW64\Ckjknfnh.exe
        
        C:\Windows\system32\Ckjknfnh.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3156
        
        C:\Windows\SysWOW64\Cacckp32.exe
        
        C:\Windows\system32\Cacckp32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3824
        
        C:\Windows\SysWOW64\Cdbpgl32.exe
        
        C:\Windows\system32\Cdbpgl32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4148
        
        C:\Windows\SysWOW64\Cgqlcg32.exe
        
        C:\Windows\system32\Cgqlcg32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1744
        
        C:\Windows\SysWOW64\Cogddd32.exe
        
        C:\Windows\system32\Cogddd32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4680
        
        C:\Windows\SysWOW64\Dafppp32.exe
        
        C:\Windows\system32\Dafppp32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3992
        
        C:\Windows\SysWOW64\Dkndie32.exe
        
        C:\Windows\system32\Dkndie32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1404
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2488
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:768
        
        C:\Windows\SysWOW64\Dhbebj32.exe
        
        C:\Windows\system32\Dhbebj32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2464
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 400
        44⤵
        Program crash
        
        PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2528 -ip 2528
1⤵
PID:5028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaldccip.exe

Filesize
1.5MB

MD5
afdb66f8441e8a1e56c1966a14e59c46

SHA1
94fa1c932e7c661a3100cb49c22e2eb271edf477

SHA256
655068cd4291125d852804d0472034c7bcb17f226a46c320a7c68cdc6bcbd807

SHA512
aaa8c7b4841d2bf3e318e981334d498a3268d345e4b7cb1462417b77788d64d1b2641dab382c8ae2a09c6ae7deeafc6607f4ebfe0e8dc586a73d25129d0e4150

Download Submit
C:\Windows\SysWOW64\Aaoaic32.exe

Filesize
1.5MB

MD5
ec8b6ff60d0a5bb3e514b16f989d17a1

SHA1
863ae9146112b5d2227eb029f59cdb8e37ad6a4e

SHA256
83dcfa4685e4d6ad185b30c5662413b59dd82b4ab866833d24d2946b9ab166d8

SHA512
32aa7333246c2e667289099af8f1c0ca0892a82dcb4559e52434a30fdc38ae284cc75b0c638a9d886b3e38378b393a2fadea47ce9cad6bd4e2a632a2e5bf224a

Download Submit
C:\Windows\SysWOW64\Afpjel32.exe

Filesize
1.5MB

MD5
462310175d972c67c19488d6a9bdd866

SHA1
b0b2dbfd9f0aabef8e1761147b2e10b7ce1a56c3

SHA256
805e89c085ddbc5ac0baf3e43140fe4e52f6425917513215acdaa4ad63200115

SHA512
969210b6de2eb90fc64571289d9f02dcae2f466e89b82fd0a614f961f3f101dfa9f892c4d892960ef6839f3aa75a6c1996c9fc052a2e10f1130ae2d46a753042

Download Submit
C:\Windows\SysWOW64\Amlogfel.exe

Filesize
1.5MB

MD5
4d9f6d1954a76ddbeb7c31f00c8a36f6

SHA1
10f329dae0acac15c5542ea83945e4b35e3662d5

SHA256
76d3e652cead5c5f14bcd8709e2d66f6d3644ea77db3c9b00b5cbad059a87d21

SHA512
4e993678e25b7b46bc946f48318e8385caf0149becb9cc897415c1c0da7a802671c0a81b51c41d9deabe7d78a4dc725312c8c0575910921dce46fb66a0004fe8

Download Submit
C:\Windows\SysWOW64\Aopemh32.exe

Filesize
1.5MB

MD5
501089d165f3a2c317acf5cbdf2c0049

SHA1
61646a77c40b9689822767110499a7ad9b3feb6f

SHA256
218de3a6a2db5ed16f8bab6ad795290da24087128cd08abbc6d67a45ddf4df8e

SHA512
08739016ce831511615bda81b8ce71f62085713bfaefb3f766f3429e2d94f137ca9970406186d25f1e3722ef73d6a17d5c94fc02f7c27192cfe262dfd5f00dcc

Download Submit
C:\Windows\SysWOW64\Bacjdbch.exe

Filesize
1.5MB

MD5
69ef94116881742d7f8252dbf4190d50

SHA1
99d94a5ce0711768eaff0c9bbab298edbb352037

SHA256
497a0bd30b1ecb4d0530a67be42ed420949b92a7afb3fd3b6ffce566b40f19ea

SHA512
0a4bfe038630903c72ef05644df8600557188189b16953bda87cf278879df3e5c4f2256d3529b66a17f84db13c1a6d34c4e12a8292483de27cc31bd891c78b50

Download Submit
C:\Windows\SysWOW64\Baegibae.exe

Filesize
1.5MB

MD5
008169fab1e28b2d8d263e619f6b62a9

SHA1
e1235af01fdaef13bf20f517c4f3fa7635848121

SHA256
c60993b3c05b03cd08416b5f8155270a35fa9535088b4b24bef586865325d249

SHA512
1edb833ae3a462dca96bca3e337617d0449571f595e43931a961b6225056ac074191cfd6f9108be817004e06bb9687773e5cc3c9eb9cc08c358f5a3524bd7a7d

Download Submit
C:\Windows\SysWOW64\Bahdob32.exe

Filesize
1.5MB

MD5
0b3f4ae5fd73dffb8d9b3ad6ec4cdcc4

SHA1
b781a6d0b35db21557be3811e88ab9831425a4cf

SHA256
b5c5eac9f13c536c245f113cbb3d69739d39b2454c77ae76b6568e145d51b7e5

SHA512
6f668942af7ca1fb89056f1763f12601f69822bc3f46415bec575a0df886bd65e33a784f47b81375a2be20b4cda9ca47a5e538a2b735f245cd1ef3c665ab80ad

Download Submit
C:\Windows\SysWOW64\Bajqda32.exe

Filesize
1.5MB

MD5
8b3c63958889e0dbbba382d9626c141c

SHA1
9341d31923c493b7932455747c537f194bb3c7a2

SHA256
9150f26f4fa3d6cf82621e00836ec9f155a99e39eaa776e24d51697843b2442a

SHA512
3558465869e3ec49e04240c208f3601f539a0a21accf7f723b3f4005648d2c3d2db77f4d4ba8fa74f15488bf2ff49d1f99d9a00c68e8c125f7e17f83d40a3a89

Download Submit
C:\Windows\SysWOW64\Bdfpkm32.exe

Filesize
1.5MB

MD5
3df8ae3357a811e0e5fb38d42003a072

SHA1
b28a8b1f2da6430e2eaa0efef51789c830bd0cb9

SHA256
f66a0c6331b5f7d965fcfb16c36730909b6971a9463c995ab3f53ba2e517e29f

SHA512
5eb48bf1a17f68a78781914881bb7816a92389ec93f0433d26b3dc9592b0228a6b60c1ae9655f99169d155938ffafa71ad409220bfdd375902c9fdf3e033d53a

Download Submit
C:\Windows\SysWOW64\Bgbpaipl.exe

Filesize
1.5MB

MD5
e8de96e85b52a1b011fddbe70515e86a

SHA1
26c5d4e5646cdbbf84a04c3340a40b654ca3bc7c

SHA256
22439b57c8b3c397d6589cc62e1185490eaf822a0bcfa534c91dd71d4d6b4253

SHA512
80602f8b230852a450c346c82333044c0c4d5e74802c56116b2a27093e0e093fd24b4488c6eef576e38062658692d7e00098093aa160e3d29a82d0366a8addbf

Download Submit
C:\Windows\SysWOW64\Bgnffj32.exe

Filesize
1.5MB

MD5
6cc87b56c2b52dc6d28bfe8059479185

SHA1
3e3c4779006a43d5d3ad23990dbee05424fe6983

SHA256
342d478719355a380e06b87a5980298d3b480df51f6f0b05e3cdd4e85432db5c

SHA512
08a94fb618c57cb10ab8c15484b6ba0319382795ebfa85c5faeee7c84168dd172b451d23029e980582f3ea8cd0552217a3eefef2e8e4d66a9e19d319ae4998a4

Download Submit
C:\Windows\SysWOW64\Bklomh32.exe

Filesize
1.5MB

MD5
6a93bdb0f89a4b65330eb3cc91c82d9a

SHA1
bfbfd2b7a3ff83e31b426b743edceb169f5d185c

SHA256
0022f039b038789d677872026f838496d044ac69ce0668fbdb06c303239a0bf4

SHA512
45650aa396ab67cd225db0d6559b1068d3ab10e1acbcd0c5c488f3e7d1e5a82c674ae300bbcde51d5b61bc865460dfe7d02503a129292ad949f2c0cae4d0a63b

Download Submit
C:\Windows\SysWOW64\Bkphhgfc.exe

Filesize
1.5MB

MD5
903126621ed81c91a0d3ba485252debe

SHA1
fbde3c3aaa072ecf1d113bdeccc15594e1b7336a

SHA256
2a71abc97406aaacda05386b3f060124940a5cb1617fd4c9e8f9c666c14caecc

SHA512
3fdbd5529b1e5a1213fc1f9bb617aa28228d9de3883992878f9b1468823effe842ec67a3b4318b1f68d12482a9890f1d88a31dda4d8a2ca26bd1890655a3e730

Download Submit
C:\Windows\SysWOW64\Boihcf32.exe

Filesize
1.5MB

MD5
47d5388dfb1edd25c9d1ee6367a843bb

SHA1
189dc034d6a92efab1ea63562649d4b0fb5de656

SHA256
e111b40aad54309f832785c786d1e7f0ac65e50679790add0ace05805fb65629

SHA512
e76983519fc75cea2fab0ec17e134d16fcd860f4eaeea0a768603f980bf6f282336a463cf6368d02112d1b4ccbd196121986c36028f1d33ebee5e587074bdbdb

Download Submit
C:\Windows\SysWOW64\Bpdnjple.exe

Filesize
1.5MB

MD5
c127837841c6ccbf40fc923e452197fd

SHA1
55c40942b562dfe42e6dfb89758152810e7d30a0

SHA256
b0a1a0a02bea580bc912b27d064fc8d891d10b095b255e87d63426a37859ff64

SHA512
c4892c2ca908a0ad91583af73e9f6c0b69e95da91e729d5a83c49fe56890b6aed3749c41e41d0487ca8f0d256ec445dd86b27edbdbe2b81575dd94209d8ca592

Download Submit
C:\Windows\SysWOW64\Caageq32.exe

Filesize
1.5MB

MD5
6fcbb414748ef30b6402d6c4e0a06067

SHA1
fffeb4f8b19bd73a256bc8fcf960d36597fd9141

SHA256
3f9b658d73c8fef480c449cf8d0725ab69cb7927ccc419e1e8ac34a8fc3ebe7b

SHA512
25856348a15efdd40d874281c0d5ec0d28c3e53b66b0147b4ff82e1449e0984b3f0281667c1905c928369172d051f07501a3f09d2c8a6bc8af037107a4ebe6d1

Download Submit
C:\Windows\SysWOW64\Cammjakm.exe

Filesize
1.5MB

MD5
3daceafac88326c27178c4f8a46efcf2

SHA1
fe767f361174a86df742173c6795364746c36c82

SHA256
3de0f26410615a9ac4dc9c5887e46d737421d83bc1e08e3ee2a79db29dd56ba2

SHA512
e32aa27f7c73d5e497aca07acab559fa4f15cb28b8a729483948c8a4a1102cc79699933f050c25f732d47b27dfe1b5d8cbb5dc3e08cceba26e494ad50e94ba9f

Download Submit
C:\Windows\SysWOW64\Chdialdl.exe

Filesize
1.5MB

MD5
01abc84909d1f92518ccd5751811e72a

SHA1
6791e8b791a3d94e1ac4db6c37fa0035cc5a40a7

SHA256
f0dade32dac8628ad6af0320432882d43a8ab4370187b3f603f84a6b9c9103b5

SHA512
a13a41c741876c0a968a10668a3fd0137bca24c3a85f082ef63e40d83492f5f3afedc676920924aed4838e0a075af3a185160fe63b62112f81892048d40672db

Download Submit
C:\Windows\SysWOW64\Chfegk32.exe

Filesize
1.5MB

MD5
bda776fe1ed44d6f57caae1354c1f77d

SHA1
b4aedb1a5121477dcfc977f4f19d5b65435596a5

SHA256
25f5541d1db07bffd0e85ed2feb13d0fe4e3555ba417cc7393a570a5908c3a4a

SHA512
610ed67744f502082a3916a531112a858be9e97d07230adb84260ff90ebd2f76b96fe2897c41d96304af0556a9f2beda81230a14b63f1c90e579dbf230588d75

Download Submit
C:\Windows\SysWOW64\Chiblk32.exe

Filesize
1.5MB

MD5
533f6ca95fcc7cea4fa13b481b4a6e92

SHA1
580afd16073e12db3929b709ebd50d9648247489

SHA256
a93690c52333217e105de2be4c33a86d7e5c4490a7f45318b71dcb167e7a01b0

SHA512
f4ced7853e1bae33aaa3ed44fa9b28c31b9e9e261228ddafda1d9d392aa07789b138eefe263dd4dc41075f8f7c97c4d5516bddf8a5f4cdc6006b733aae1ce7d2

Download Submit
C:\Windows\SysWOW64\Chkobkod.exe

Filesize
1.5MB

MD5
4fa1f4a60014513b38760f509755ac69

SHA1
5ec426299f09d7a0efd1c82360101fecedda2686

SHA256
85a8ae093e4cb833f8beb1ea123d1f3465e5f1f9eb2d1a8509f8dcedc3debdb4

SHA512
95aba37a6642384d3b9bd9b200ce0e38f2453b961bfd346892b6921a2252e97788d7dadb80108c41327d9e0ad8050c5c841ff1fc8c816f438ddae69caea0e13a

Download Submit
C:\Windows\SysWOW64\Ckbemgcp.exe

Filesize
1.5MB

MD5
7c37dc2f8124999db43a1a0f1076c4bc

SHA1
0e8ee3bd6f2229a994f926296bf1882dcff1c9a1

SHA256
ea7af0e095d2ad9a5145fa670786876bd4fe81a9b88d8bae14e2c0ea066432c1

SHA512
217eaecc11d41814912e910d616af07c196aab3a7651003afa37bce4474b571de22bdbfe8207e5cda32e4ba4d1ff8f9a478573630e1b07aa18e61523f3dfe500

Download Submit
C:\Windows\SysWOW64\Ckebcg32.exe

Filesize
1.5MB

MD5
b7d5216f4a9740c0439951df978fd904

SHA1
e49e40bda9b97bdfcc5179dc07db9f2ca104098f

SHA256
9b0ecc3f1fabc2b2c6c411d64269a0ea737893c79176e5b1aeaebddaf2574033

SHA512
6a3e7742f344cba92bf2bf13119af3176d1e56913fe7aed137a90922b3eea1febf40b21a35618959e5e870d7b69ee4094e8ee888a0baaca55f96e27999952b77

Download Submit
C:\Windows\SysWOW64\Ckgohf32.exe

Filesize
1.5MB

MD5
42e8156afa14fbb297e5c08774c783dc

SHA1
368e0750a4138b2d3a2bc244de43094108067eac

SHA256
93ec5c21312cffcb1e02950bf8c69384f3b220e1fed0418c0a5da1cf7325d109

SHA512
3bc855c2202e3601b46957b123d07d51df57f67f0447bfebe144d85231e975f722c750803255c1003028dc6f38d699e0b56642a1bf04c12018fe0cb5762165f7

Download Submit
C:\Windows\SysWOW64\Ckjknfnh.exe

Filesize
1.5MB

MD5
b33fa32bb3cf3df56258c17bb297cfa2

SHA1
31ebd2988b567eb00c7ea5724cc642c7337b0957

SHA256
8c1c87288ce29efacf68130a54786b56dfef7c7a24ac0a374c18e08301fa74e5

SHA512
e6ad53a10d1f32d5b8aa9c31a38c756273a5dde8575734a34c6401d6e2de4261caee885db02a406710e9608ec294a65c866670319145878c94e440efead313b1

Download Submit
C:\Windows\SysWOW64\Cnaaib32.exe

Filesize
1.5MB

MD5
9d5c43ee623b7043738471dc84ce991e

SHA1
880533c5f7a949521326b5d181f5aab14dcaaac8

SHA256
a4d61dd77555be52ac83f186af16f2b40c92a079d6def1d9f55de71d7e695f1a

SHA512
bbed0f478d639c40a47fae315696eb4e52248e4463503d45f19f9e6dc5b2c3afc57656fe2df97995a8a4381ccf438156ab9871e7cc45611cc1034184ffe1ae3c

Download Submit
C:\Windows\SysWOW64\Cncnob32.exe

Filesize
1.5MB

MD5
00f1a5b461fdfce66bca8cfbcec36558

SHA1
daf33ff63f513c6a9c3ebe5d5cbe1e5352ae32f0

SHA256
f5c5a6a4c5ff9394a626403fa5a4ac112dde61144dc01968bfd311f721dd418c

SHA512
4f9ac6ce7ad742411c890ce37d1320f050e0d7a22914f2df638b47d9fb3edc4bcf0c9212e9731c136e96a18814c6c866f2fe5cd1d6d3397226ab7aff2e4af1b9

Download Submit
C:\Windows\SysWOW64\Cnfkdb32.exe

Filesize
1.5MB

MD5
73471b1df6e62431efc5044e86383612

SHA1
33235e3e86a7e020a8dd3f876cf3899a7300c083

SHA256
1b377522506949efd3afef920ba5577740d3d82db45ffcfced473b5af629b935

SHA512
6f4ddb21c578239bdf69d1a667a30f1e3d8dad7fc436ecd4bd9678625a54ebff5a8d5a4abb98752ea8a2b5289b2540cecf3b5bf4528eeaeb32710ff3794d23bb

Download Submit
C:\Windows\SysWOW64\Cpbjkn32.exe

Filesize
1.5MB

MD5
05e73f2e254ad6fd68ccf985ba1bcdd0

SHA1
cf5bd37d84c936cf3ea588be3f6b2ff285ae81f5

SHA256
7a2bc5a2f42f749ddf28b3541ba9c59113410688d62a8fec26482533d1af7c60

SHA512
4250ca3185a10a4fcd8ff25ccffbe7db8f6c7a7dcba780045403c25e507eac48b3229aa3f6dd9a5cf7625e35875da892e1bca0bc31fd22378317b33e3b63e0de

Download Submit
C:\Windows\SysWOW64\Qacameaj.exe

Filesize
1.5MB

MD5
d8234daba4637b95a6e8238585fa2790

SHA1
9fd227a73dfafe5595b1f5d9942ae1d46c1c8c3d

SHA256
3a3abdfa203ac78a9249d3ca6aa133eccd1408fda4027bf2757f3d79e457a9da

SHA512
5d0b2e9c02f98df291e14006024ba126fa79d78c07de03d5d1befae5867cf4397b797a4afcdf3752710ea5c9a651efad1b4cc171a7480ec01fdf1e87794ab12a

Download Submit
C:\Windows\SysWOW64\Qjfmkk32.exe

Filesize
1.5MB

MD5
5a9b6091918f0a1d243b48894efbbda1

SHA1
a5e8f0dccb006a588d6abd2447a8f9119f9b50be

SHA256
fe9ab02d56f18e20850d86fc996b856b8534b8122550666a013e38de1b8192a1

SHA512
9faf94498cc0e129e6b9b681361d037f658c81615011a022648c8d5429c389fdc953a3f5d36125a6d5a1f00ead5637f2a25e7c74afd4f639d6d77f89ff0a322f

Download Submit
memory/228-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/768-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/804-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1048-109-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1056-157-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1060-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1060-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1120-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1120-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1404-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1588-85-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1652-361-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1652-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1744-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1888-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1888-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1972-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2200-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2232-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2360-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2464-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2468-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2468-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2468-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2488-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2492-165-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2524-237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2528-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2752-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2752-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-367-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2780-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2984-197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3156-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3228-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3228-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3276-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3600-206-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3700-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3824-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3936-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3992-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4052-93-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4140-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4148-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4288-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4288-60-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4540-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4540-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4680-285-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5044-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5044-349-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5084-181-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads