berbew | 158403d67acd40217410ceccca6efbc24f662f1f6d27b5d7666680029ba1e245

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
26-10-2024 11:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

158403d67acd40217410ceccca6efbc24f662f1f6d27b5d7666680029ba1e245N.exe
Size

96KB
MD5

28fe36194efe61c5b1347dd5c69449d0
SHA1

a29f74a33f476e7472445bf4876cee9989ecc0b1
SHA256

158403d67acd40217410ceccca6efbc24f662f1f6d27b5d7666680029ba1e245
SHA512

3f90c50a1d47af598b55e8c39adc5bf94f649a6fbbc92d08386e10481402dc0856f1d80e01b35db0eb816889dcc6d668929d41d26bcfbdc469eb2681a57bc942
SSDEEP

1536:sewxGlpvXuq4F5b1Ri4hjdkaiOMy2LzA7RZObZUUWaegPYA:DRpvIbDi4hBkaibzAClUUWae

Score

10^/10

berbew bruteratel backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qkhpkoen.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgoapp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Achojp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaolidlk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbikgk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgbfamff.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkhpkoen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acpdko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbgnak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbgnak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaheie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aijpnfif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amelne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhfcpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pckoam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmhideol.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chkmkacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmccjbaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qngmgjeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkglameg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cklfll32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjbjhgde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qflhbhgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajecmj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chkmkacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clmbddgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfikmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjnmlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aijpnfif.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpfeppop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boplllob.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgechbh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbdnko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgbfamff.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfikmh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abphal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acmhepko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ackkppma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpfeppop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaloddnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbdallnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afgkfl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bejdiffp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdanpb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cddjebgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afiglkle.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Annbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bejdiffp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmeimhdj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qngmgjeb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acmhepko.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qflhbhgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgoapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjbjhgde.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acpdko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beejng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhdgjb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmccjbaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajpjakhc.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
backdoor bruteratel
Bruteratel family
bruteratel

Detect BruteRatel badger 1 IoCs

resource	yara_rule
behavioral1/files/0x0005000000019625-384.dat	family_bruteratel

Executes dropped EXE 57 IoCs

pid	Process
2760	Pbkbgjcc.exe
2916	Pjbjhgde.exe
2628	Pckoam32.exe
2296	Pfikmh32.exe
772	Pmccjbaf.exe
2956	Pndpajgd.exe
1012	Qflhbhgg.exe
2108	Qkhpkoen.exe
796	Qngmgjeb.exe
2688	Qeaedd32.exe
2980	Qgoapp32.exe
2088	Qjnmlk32.exe
1816	Aaheie32.exe
2072	Aecaidjl.exe
308	Ajpjakhc.exe
1084	Aajbne32.exe
2896	Achojp32.exe
1684	Afgkfl32.exe
2724	Annbhi32.exe
1860	Aaloddnn.exe
1808	Ackkppma.exe
1936	Afiglkle.exe
2516	Ajecmj32.exe
1712	Aaolidlk.exe
2580	Acmhepko.exe
1716	Abphal32.exe
2800	Aijpnfif.exe
2676	Amelne32.exe
2672	Acpdko32.exe
572	Bmhideol.exe
2316	Bpfeppop.exe
2124	Bbdallnd.exe
1524	Bhajdblk.exe
2012	Bnkbam32.exe
2536	Bbgnak32.exe
2728	Beejng32.exe
2284	Bhdgjb32.exe
2160	Bbikgk32.exe
1036	Bdkgocpm.exe
1360	Bhfcpb32.exe
1472	Boplllob.exe
1740	Baohhgnf.exe
1132	Bejdiffp.exe
1536	Bkglameg.exe
1752	Bmeimhdj.exe
1968	Cdoajb32.exe
920	Chkmkacq.exe
1680	Ckiigmcd.exe
1596	Cmgechbh.exe
2860	Cpfaocal.exe
2652	Cdanpb32.exe
2748	Cbdnko32.exe
1048	Cklfll32.exe
536	Clmbddgp.exe
1520	Cddjebgb.exe
2976	Cgbfamff.exe
2960	Ceegmj32.exe

Loads dropped DLL 64 IoCs

pid	Process
2848	158403d67acd40217410ceccca6efbc24f662f1f6d27b5d7666680029ba1e245N.exe
2848	158403d67acd40217410ceccca6efbc24f662f1f6d27b5d7666680029ba1e245N.exe
2760	Pbkbgjcc.exe
2760	Pbkbgjcc.exe
2916	Pjbjhgde.exe
2916	Pjbjhgde.exe
2628	Pckoam32.exe
2628	Pckoam32.exe
2296	Pfikmh32.exe
2296	Pfikmh32.exe
772	Pmccjbaf.exe
772	Pmccjbaf.exe
2956	Pndpajgd.exe
2956	Pndpajgd.exe
1012	Qflhbhgg.exe
1012	Qflhbhgg.exe
2108	Qkhpkoen.exe
2108	Qkhpkoen.exe
796	Qngmgjeb.exe
796	Qngmgjeb.exe
2688	Qeaedd32.exe
2688	Qeaedd32.exe
2980	Qgoapp32.exe
2980	Qgoapp32.exe
2088	Qjnmlk32.exe
2088	Qjnmlk32.exe
1816	Aaheie32.exe
1816	Aaheie32.exe
2072	Aecaidjl.exe
2072	Aecaidjl.exe
308	Ajpjakhc.exe
308	Ajpjakhc.exe
1084	Aajbne32.exe
1084	Aajbne32.exe
2896	Achojp32.exe
2896	Achojp32.exe
1684	Afgkfl32.exe
1684	Afgkfl32.exe
2724	Annbhi32.exe
2724	Annbhi32.exe
1860	Aaloddnn.exe
1860	Aaloddnn.exe
1808	Ackkppma.exe
1808	Ackkppma.exe
1936	Afiglkle.exe
1936	Afiglkle.exe
2516	Ajecmj32.exe
2516	Ajecmj32.exe
1712	Aaolidlk.exe
1712	Aaolidlk.exe
2580	Acmhepko.exe
2580	Acmhepko.exe
1716	Abphal32.exe
1716	Abphal32.exe
2800	Aijpnfif.exe
2800	Aijpnfif.exe
2676	Amelne32.exe
2676	Amelne32.exe
2672	Acpdko32.exe
2672	Acpdko32.exe
572	Bmhideol.exe
572	Bmhideol.exe
2316	Bpfeppop.exe
2316	Bpfeppop.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cddjebgb.exe	Clmbddgp.exe
File opened for modification	C:\Windows\SysWOW64\Aajbne32.exe	Ajpjakhc.exe
File created	C:\Windows\SysWOW64\Achojp32.exe	Aajbne32.exe
File opened for modification	C:\Windows\SysWOW64\Baohhgnf.exe	Boplllob.exe
File created	C:\Windows\SysWOW64\Bejdiffp.exe	Baohhgnf.exe
File opened for modification	C:\Windows\SysWOW64\Cdoajb32.exe	Bmeimhdj.exe
File created	C:\Windows\SysWOW64\Aoogfhfp.dll	Cgbfamff.exe
File created	C:\Windows\SysWOW64\Aaloddnn.exe	Annbhi32.exe
File opened for modification	C:\Windows\SysWOW64\Bhdgjb32.exe	Beejng32.exe
File opened for modification	C:\Windows\SysWOW64\Qjnmlk32.exe	Qgoapp32.exe
File created	C:\Windows\SysWOW64\Aajbne32.exe	Ajpjakhc.exe
File created	C:\Windows\SysWOW64\Acpdko32.exe	Amelne32.exe
File created	C:\Windows\SysWOW64\Eoqbnm32.dll	Bbgnak32.exe
File created	C:\Windows\SysWOW64\Nfolbbmp.dll	Boplllob.exe
File created	C:\Windows\SysWOW64\Cbdnko32.exe	Cdanpb32.exe
File created	C:\Windows\SysWOW64\Gdplpd32.dll	Pbkbgjcc.exe
File opened for modification	C:\Windows\SysWOW64\Pmccjbaf.exe	Pfikmh32.exe
File created	C:\Windows\SysWOW64\Cddjebgb.exe	Clmbddgp.exe
File created	C:\Windows\SysWOW64\Chkmkacq.exe	Cdoajb32.exe
File opened for modification	C:\Windows\SysWOW64\Cmgechbh.exe	Ckiigmcd.exe
File opened for modification	C:\Windows\SysWOW64\Cklfll32.exe	Cbdnko32.exe
File opened for modification	C:\Windows\SysWOW64\Aaolidlk.exe	Ajecmj32.exe
File created	C:\Windows\SysWOW64\Aijpnfif.exe	Abphal32.exe
File created	C:\Windows\SysWOW64\Bpfeppop.exe	Bmhideol.exe
File created	C:\Windows\SysWOW64\Bbikgk32.exe	Bhdgjb32.exe
File opened for modification	C:\Windows\SysWOW64\Bhfcpb32.exe	Bdkgocpm.exe
File created	C:\Windows\SysWOW64\Oimbjlde.dll	Bkglameg.exe
File opened for modification	C:\Windows\SysWOW64\Afiglkle.exe	Ackkppma.exe
File created	C:\Windows\SysWOW64\Ajecmj32.exe	Afiglkle.exe
File opened for modification	C:\Windows\SysWOW64\Aecaidjl.exe	Aaheie32.exe
File opened for modification	C:\Windows\SysWOW64\Ajpjakhc.exe	Aecaidjl.exe
File created	C:\Windows\SysWOW64\Afgkfl32.exe	Achojp32.exe
File created	C:\Windows\SysWOW64\Plgifc32.dll	Ackkppma.exe
File created	C:\Windows\SysWOW64\Bbdallnd.exe	Bpfeppop.exe
File opened for modification	C:\Windows\SysWOW64\Bdkgocpm.exe	Bbikgk32.exe
File created	C:\Windows\SysWOW64\Qjnmlk32.exe	Qgoapp32.exe
File opened for modification	C:\Windows\SysWOW64\Aaheie32.exe	Qjnmlk32.exe
File created	C:\Windows\SysWOW64\Eelloqic.dll	Cklfll32.exe
File opened for modification	C:\Windows\SysWOW64\Bbdallnd.exe	Bpfeppop.exe
File opened for modification	C:\Windows\SysWOW64\Cdanpb32.exe	Cpfaocal.exe
File created	C:\Windows\SysWOW64\Cklfll32.exe	Cbdnko32.exe
File created	C:\Windows\SysWOW64\Pbkbgjcc.exe	158403d67acd40217410ceccca6efbc24f662f1f6d27b5d7666680029ba1e245N.exe
File created	C:\Windows\SysWOW64\Amelne32.exe	Aijpnfif.exe
File opened for modification	C:\Windows\SysWOW64\Bnkbam32.exe	Bhajdblk.exe
File opened for modification	C:\Windows\SysWOW64\Bbikgk32.exe	Bhdgjb32.exe
File created	C:\Windows\SysWOW64\Qeaedd32.exe	Qngmgjeb.exe
File opened for modification	C:\Windows\SysWOW64\Amelne32.exe	Aijpnfif.exe
File created	C:\Windows\SysWOW64\Okbekdoi.dll	Aajbne32.exe
File created	C:\Windows\SysWOW64\Bnkbam32.exe	Bhajdblk.exe
File created	C:\Windows\SysWOW64\Ilfila32.dll	Pckoam32.exe
File opened for modification	C:\Windows\SysWOW64\Qgoapp32.exe	Qeaedd32.exe
File opened for modification	C:\Windows\SysWOW64\Acpdko32.exe	Amelne32.exe
File created	C:\Windows\SysWOW64\Ecjdib32.dll	Amelne32.exe
File created	C:\Windows\SysWOW64\Cgbfamff.exe	Cddjebgb.exe
File created	C:\Windows\SysWOW64\Plnfdigq.dll	Pndpajgd.exe
File created	C:\Windows\SysWOW64\Hjojco32.dll	Qeaedd32.exe
File opened for modification	C:\Windows\SysWOW64\Acmhepko.exe	Aaolidlk.exe
File created	C:\Windows\SysWOW64\Qngmgjeb.exe	Qkhpkoen.exe
File created	C:\Windows\SysWOW64\Bfqgjgep.dll	Ajecmj32.exe
File created	C:\Windows\SysWOW64\Qhiphb32.dll	Qflhbhgg.exe
File created	C:\Windows\SysWOW64\Pfnkga32.dll	Qngmgjeb.exe
File created	C:\Windows\SysWOW64\Kganqf32.dll	Qgoapp32.exe
File created	C:\Windows\SysWOW64\Cophek32.dll	Achojp32.exe
File created	C:\Windows\SysWOW64\Annbhi32.exe	Afgkfl32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2616	2960	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 58 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acpdko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgbfamff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	158403d67acd40217410ceccca6efbc24f662f1f6d27b5d7666680029ba1e245N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjbjhgde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aecaidjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aijpnfif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhdgjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boplllob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkglameg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pndpajgd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkhpkoen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afgkfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbdallnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmccjbaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bejdiffp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Achojp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaloddnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abphal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beejng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajpjakhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmhideol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chkmkacq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cklfll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Annbhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ackkppma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajecmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmeimhdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceegmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdanpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbkbgjcc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acmhepko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amelne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbikgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdoajb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpfeppop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbgnak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckiigmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdnko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pckoam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qflhbhgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afiglkle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaolidlk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clmbddgp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfikmh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qeaedd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkbam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baohhgnf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjnmlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cddjebgb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qngmgjeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aajbne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhfcpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgechbh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgoapp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhajdblk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfaocal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaheie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdkgocpm.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfikmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmnek32.dll"	Ajpjakhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbgnak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbdnko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cklfll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acmhepko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aijpnfif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	158403d67acd40217410ceccca6efbc24f662f1f6d27b5d7666680029ba1e245N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pndpajgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjnmlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aaheie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Annbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aaloddnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmpanl32.dll"	Acpdko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Momeefin.dll"	Bpfeppop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimbjlde.dll"	Bkglameg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aincgi32.dll"	Cpfaocal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbonaf32.dll"	Cddjebgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdplpd32.dll"	Pbkbgjcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbikgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfolbbmp.dll"	Boplllob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbikgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlcpdacl.dll"	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qflhbhgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Annbhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aaolidlk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecjdib32.dll"	Amelne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhajdblk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbgnak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdkgocpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beejng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baohhgnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnabbkhk.dll"	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhdmagqq.dll"	Clmbddgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmccjbaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qeaedd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbdipkfe.dll"	Afgkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abacpl32.dll"	Bhdgjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liggabfp.dll"	Bhfcpb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgechbh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbdallnd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhdgjb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	158403d67acd40217410ceccca6efbc24f662f1f6d27b5d7666680029ba1e245N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pndpajgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgoapp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajpjakhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cophek32.dll"	Achojp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afgkfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cklfll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clmbddgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilfila32.dll"	Pckoam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aecaidjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqncgcah.dll"	Bmhideol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmhideol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdqfkmom.dll"	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnnffg32.dll"	Ckiigmcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qngmgjeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkhfgj32.dll"	Aecaidjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acmhepko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbdallnd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bejdiffp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2760	2848	158403d67acd40217410ceccca6efbc24f662f1f6d27b5d7666680029ba1e245N.exe	30
PID 2848 wrote to memory of 2760	2848	158403d67acd40217410ceccca6efbc24f662f1f6d27b5d7666680029ba1e245N.exe	30
PID 2848 wrote to memory of 2760	2848	158403d67acd40217410ceccca6efbc24f662f1f6d27b5d7666680029ba1e245N.exe	30
PID 2848 wrote to memory of 2760	2848	158403d67acd40217410ceccca6efbc24f662f1f6d27b5d7666680029ba1e245N.exe	30
PID 2760 wrote to memory of 2916	2760	Pbkbgjcc.exe	31
PID 2760 wrote to memory of 2916	2760	Pbkbgjcc.exe	31
PID 2760 wrote to memory of 2916	2760	Pbkbgjcc.exe	31
PID 2760 wrote to memory of 2916	2760	Pbkbgjcc.exe	31
PID 2916 wrote to memory of 2628	2916	Pjbjhgde.exe	32
PID 2916 wrote to memory of 2628	2916	Pjbjhgde.exe	32
PID 2916 wrote to memory of 2628	2916	Pjbjhgde.exe	32
PID 2916 wrote to memory of 2628	2916	Pjbjhgde.exe	32
PID 2628 wrote to memory of 2296	2628	Pckoam32.exe	33
PID 2628 wrote to memory of 2296	2628	Pckoam32.exe	33
PID 2628 wrote to memory of 2296	2628	Pckoam32.exe	33
PID 2628 wrote to memory of 2296	2628	Pckoam32.exe	33
PID 2296 wrote to memory of 772	2296	Pfikmh32.exe	34
PID 2296 wrote to memory of 772	2296	Pfikmh32.exe	34
PID 2296 wrote to memory of 772	2296	Pfikmh32.exe	34
PID 2296 wrote to memory of 772	2296	Pfikmh32.exe	34
PID 772 wrote to memory of 2956	772	Pmccjbaf.exe	35
PID 772 wrote to memory of 2956	772	Pmccjbaf.exe	35
PID 772 wrote to memory of 2956	772	Pmccjbaf.exe	35
PID 772 wrote to memory of 2956	772	Pmccjbaf.exe	35
PID 2956 wrote to memory of 1012	2956	Pndpajgd.exe	36
PID 2956 wrote to memory of 1012	2956	Pndpajgd.exe	36
PID 2956 wrote to memory of 1012	2956	Pndpajgd.exe	36
PID 2956 wrote to memory of 1012	2956	Pndpajgd.exe	36
PID 1012 wrote to memory of 2108	1012	Qflhbhgg.exe	37
PID 1012 wrote to memory of 2108	1012	Qflhbhgg.exe	37
PID 1012 wrote to memory of 2108	1012	Qflhbhgg.exe	37
PID 1012 wrote to memory of 2108	1012	Qflhbhgg.exe	37
PID 2108 wrote to memory of 796	2108	Qkhpkoen.exe	38
PID 2108 wrote to memory of 796	2108	Qkhpkoen.exe	38
PID 2108 wrote to memory of 796	2108	Qkhpkoen.exe	38
PID 2108 wrote to memory of 796	2108	Qkhpkoen.exe	38
PID 796 wrote to memory of 2688	796	Qngmgjeb.exe	39
PID 796 wrote to memory of 2688	796	Qngmgjeb.exe	39
PID 796 wrote to memory of 2688	796	Qngmgjeb.exe	39
PID 796 wrote to memory of 2688	796	Qngmgjeb.exe	39
PID 2688 wrote to memory of 2980	2688	Qeaedd32.exe	40
PID 2688 wrote to memory of 2980	2688	Qeaedd32.exe	40
PID 2688 wrote to memory of 2980	2688	Qeaedd32.exe	40
PID 2688 wrote to memory of 2980	2688	Qeaedd32.exe	40
PID 2980 wrote to memory of 2088	2980	Qgoapp32.exe	41
PID 2980 wrote to memory of 2088	2980	Qgoapp32.exe	41
PID 2980 wrote to memory of 2088	2980	Qgoapp32.exe	41
PID 2980 wrote to memory of 2088	2980	Qgoapp32.exe	41
PID 2088 wrote to memory of 1816	2088	Qjnmlk32.exe	42
PID 2088 wrote to memory of 1816	2088	Qjnmlk32.exe	42
PID 2088 wrote to memory of 1816	2088	Qjnmlk32.exe	42
PID 2088 wrote to memory of 1816	2088	Qjnmlk32.exe	42
PID 1816 wrote to memory of 2072	1816	Aaheie32.exe	43
PID 1816 wrote to memory of 2072	1816	Aaheie32.exe	43
PID 1816 wrote to memory of 2072	1816	Aaheie32.exe	43
PID 1816 wrote to memory of 2072	1816	Aaheie32.exe	43
PID 2072 wrote to memory of 308	2072	Aecaidjl.exe	44
PID 2072 wrote to memory of 308	2072	Aecaidjl.exe	44
PID 2072 wrote to memory of 308	2072	Aecaidjl.exe	44
PID 2072 wrote to memory of 308	2072	Aecaidjl.exe	44
PID 308 wrote to memory of 1084	308	Ajpjakhc.exe	45
PID 308 wrote to memory of 1084	308	Ajpjakhc.exe	45
PID 308 wrote to memory of 1084	308	Ajpjakhc.exe	45
PID 308 wrote to memory of 1084	308	Ajpjakhc.exe	45

C:\Users\Admin\AppData\Local\Temp\158403d67acd40217410ceccca6efbc24f662f1f6d27b5d7666680029ba1e245N.exe
"C:\Users\Admin\AppData\Local\Temp\158403d67acd40217410ceccca6efbc24f662f1f6d27b5d7666680029ba1e245N.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\SysWOW64\Pbkbgjcc.exe
  C:\Windows\system32\Pbkbgjcc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\SysWOW64\Pjbjhgde.exe
    C:\Windows\system32\Pjbjhgde.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Windows\SysWOW64\Pckoam32.exe
      C:\Windows\system32\Pckoam32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2628
    - - C:\Windows\SysWOW64\Pfikmh32.exe
        
        C:\Windows\system32\Pfikmh32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2296
      - C:\Windows\SysWOW64\Pmccjbaf.exe
        
        C:\Windows\system32\Pmccjbaf.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Windows\SysWOW64\Pndpajgd.exe
        
        C:\Windows\system32\Pndpajgd.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\Qflhbhgg.exe
        
        C:\Windows\system32\Qflhbhgg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Windows\SysWOW64\Qkhpkoen.exe
        
        C:\Windows\system32\Qkhpkoen.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\Qngmgjeb.exe
        
        C:\Windows\system32\Qngmgjeb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:796
        
        C:\Windows\SysWOW64\Qeaedd32.exe
        
        C:\Windows\system32\Qeaedd32.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\SysWOW64\Qgoapp32.exe
        
        C:\Windows\system32\Qgoapp32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\Qjnmlk32.exe
        
        C:\Windows\system32\Qjnmlk32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\SysWOW64\Aaheie32.exe
        
        C:\Windows\system32\Aaheie32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\SysWOW64\Aecaidjl.exe
        
        C:\Windows\system32\Aecaidjl.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Windows\SysWOW64\Ajpjakhc.exe
        
        C:\Windows\system32\Ajpjakhc.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:308
        
        C:\Windows\SysWOW64\Aajbne32.exe
        
        C:\Windows\system32\Aajbne32.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1084
        
        C:\Windows\SysWOW64\Achojp32.exe
        
        C:\Windows\system32\Achojp32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2896
        
        C:\Windows\SysWOW64\Afgkfl32.exe
        
        C:\Windows\system32\Afgkfl32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Annbhi32.exe
        
        C:\Windows\system32\Annbhi32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2724
        
        C:\Windows\SysWOW64\Aaloddnn.exe
        
        C:\Windows\system32\Aaloddnn.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1860
        
        C:\Windows\SysWOW64\Ackkppma.exe
        
        C:\Windows\system32\Ackkppma.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1808
        
        C:\Windows\SysWOW64\Afiglkle.exe
        
        C:\Windows\system32\Afiglkle.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1936
        
        C:\Windows\SysWOW64\Ajecmj32.exe
        
        C:\Windows\system32\Ajecmj32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Windows\SysWOW64\Aaolidlk.exe
        
        C:\Windows\system32\Aaolidlk.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1712
        
        C:\Windows\SysWOW64\Acmhepko.exe
        
        C:\Windows\system32\Acmhepko.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\Abphal32.exe
        
        C:\Windows\system32\Abphal32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1716
        
        C:\Windows\SysWOW64\Aijpnfif.exe
        
        C:\Windows\system32\Aijpnfif.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Amelne32.exe
        
        C:\Windows\system32\Amelne32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2676
        
        C:\Windows\SysWOW64\Acpdko32.exe
        
        C:\Windows\system32\Acpdko32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\Bmhideol.exe
        
        C:\Windows\system32\Bmhideol.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:572
        
        C:\Windows\SysWOW64\Bpfeppop.exe
        
        C:\Windows\system32\Bpfeppop.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2316
        
        C:\Windows\SysWOW64\Bbdallnd.exe
        
        C:\Windows\system32\Bbdallnd.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Bhajdblk.exe
        
        C:\Windows\system32\Bhajdblk.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Bnkbam32.exe
        
        C:\Windows\system32\Bnkbam32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2012
        
        C:\Windows\SysWOW64\Bbgnak32.exe
        
        C:\Windows\system32\Bbgnak32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2536
        
        C:\Windows\SysWOW64\Beejng32.exe
        
        C:\Windows\system32\Beejng32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2728
        
        C:\Windows\SysWOW64\Bhdgjb32.exe
        
        C:\Windows\system32\Bhdgjb32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Bbikgk32.exe
        
        C:\Windows\system32\Bbikgk32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2160
        
        C:\Windows\SysWOW64\Bdkgocpm.exe
        
        C:\Windows\system32\Bdkgocpm.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\Bhfcpb32.exe
        
        C:\Windows\system32\Bhfcpb32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1360
        
        C:\Windows\SysWOW64\Boplllob.exe
        
        C:\Windows\system32\Boplllob.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1472
        
        C:\Windows\SysWOW64\Baohhgnf.exe
        
        C:\Windows\system32\Baohhgnf.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1740
        
        C:\Windows\SysWOW64\Bejdiffp.exe
        
        C:\Windows\system32\Bejdiffp.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1132
        
        C:\Windows\SysWOW64\Bkglameg.exe
        
        C:\Windows\system32\Bkglameg.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\Bmeimhdj.exe
        
        C:\Windows\system32\Bmeimhdj.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1752
        
        C:\Windows\SysWOW64\Cdoajb32.exe
        
        C:\Windows\system32\Cdoajb32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1968
        
        C:\Windows\SysWOW64\Chkmkacq.exe
        
        C:\Windows\system32\Chkmkacq.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:920
        
        C:\Windows\SysWOW64\Ckiigmcd.exe
        
        C:\Windows\system32\Ckiigmcd.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Cmgechbh.exe
        
        C:\Windows\system32\Cmgechbh.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Cpfaocal.exe
        
        C:\Windows\system32\Cpfaocal.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2860
        
        C:\Windows\SysWOW64\Cdanpb32.exe
        
        C:\Windows\system32\Cdanpb32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2652
        
        C:\Windows\SysWOW64\Cbdnko32.exe
        
        C:\Windows\system32\Cbdnko32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2748
        
        C:\Windows\SysWOW64\Cklfll32.exe
        
        C:\Windows\system32\Cklfll32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1048
        
        C:\Windows\SysWOW64\Clmbddgp.exe
        
        C:\Windows\system32\Clmbddgp.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:536
        
        C:\Windows\SysWOW64\Cddjebgb.exe
        
        C:\Windows\system32\Cddjebgb.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1520
        
        C:\Windows\SysWOW64\Cgbfamff.exe
        
        C:\Windows\system32\Cgbfamff.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2976
        
        C:\Windows\SysWOW64\Ceegmj32.exe
        
        C:\Windows\system32\Ceegmj32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 140
        59⤵
        Program crash
        
        PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaloddnn.exe

Filesize
96KB

MD5
ea3e53cd1550d36ddd280c4111d9bcfa

SHA1
9faa3467db495ac8b59eecf88ee81eda96e65fb9

SHA256
45075c6164f252b4335bbc37c49f235464a75b85825040acd1daf7bb1f8e177b

SHA512
3ff0a2c4a0e82b0ee976e6278020ac1ca064f54d37985b5b86bfecb9625ce02760496d9d26df40a86144db5752191560bdf8affafff1a6842133cfcf35a5f247

Download Submit
C:\Windows\SysWOW64\Aaolidlk.exe

Filesize
96KB

MD5
678b588b1cc8bbde670caa3694b40429

SHA1
fc1ffd36f8b82f0a7610bea95ea82c93df635ae6

SHA256
674af4960c735924bfbefa04008c4a3442c48bbfa6e618facdc21c7770827eb2

SHA512
441b0d450bd2f77a7bb3bb42cfaa6bf14894c2dba1da7cee3b2b9b88ef135d86b1151dd8122f18fd69fdce15ebc1b286690090f7475720b966e648ead9fb68df

Download Submit
C:\Windows\SysWOW64\Abphal32.exe

Filesize
96KB

MD5
9fe92250a5cd6c0f6fb7df994b7d230c

SHA1
c67f88fdbfa3bc11ccc5e6503e121ac9f3b19fc9

SHA256
322b5f8dae1efb2e9c8f5ff85f07fcbd147416120854485e73bae553bd9729ef

SHA512
ab00032db8169659043cde027ecc9dfb6f6a2577d2468e4c64acc1aa3ba7355459a1f6d3911eb2eb2d46dba138015297610bc6637f3319f0b497db7f98373709

Download Submit
C:\Windows\SysWOW64\Achojp32.exe

Filesize
96KB

MD5
e0f04b4d70e1e38db0569eb083fa0dac

SHA1
85dc8b8058440938318dccdc6662c63ab752c073

SHA256
d9de6cfd0ce9f8d935e391e37c1d2a65ac519e8cee25c289217c91a902ed8071

SHA512
20c5b9c46aae70c8e125554e39102d544b700a3736408068ae6c9ec95dec9fc86835bbbbb3f493f3c41a429faf791aa971895d985b3d8922241dec0171c40630

Download Submit
C:\Windows\SysWOW64\Ackkppma.exe

Filesize
96KB

MD5
8156ba08103f61892b1a3ad89bf1f9e2

SHA1
d425cbb1412d0f6411b0e733082fc5c619017689

SHA256
9fa64c3b7d1ceeaf984aa997b1f281b2749242ef893b8a89f60a082e0b0f689f

SHA512
3e3329582f2dc61a6515bff0703a24790d2bac5a7122fe9fe9ae7ee53ff9704f97bcf2f4de7293c624d95372bea00140b178c22884e1ca8f75d7c56c41361da7

Download Submit
C:\Windows\SysWOW64\Acmhepko.exe

Filesize
96KB

MD5
d8bd744197582710d26b2f3d88faae3b

SHA1
2e194997f399b90a807265ab1bf94535ba9f158a

SHA256
9e9851db0b7ed7cd5220ad60536a511228c01b4d046001d6e8c1836ee8ae839d

SHA512
a435d118b76521351122cb520d41e1577d41fbdcdc80d5ec4b63037c5d234f1d25818a73058f552f77f97ac9b606cd65fbac1a576ae24253d47bfb4b0d851c97

Download Submit
C:\Windows\SysWOW64\Acpdko32.exe

Filesize
96KB

MD5
189ef64e730d6edbc3a43b035fd8fc5a

SHA1
e60c80810b001c56333a0ec93b839021a76c7003

SHA256
52ed1daf8d0f1894e41a4fffe7d10ba819a0f4c9eb4fbc050f821200bd490241

SHA512
0f96b875c94d33372f5826a2de5cfcada0d8ca986209d226d58266c51c143d71feb70300e3c47b0a8487510f0c759dea470de7e0ddd50a9aa7a26f1dd3f2a950

Download Submit
C:\Windows\SysWOW64\Afgkfl32.exe

Filesize
96KB

MD5
cd391eb128f38086bf42bf3e8e013cf7

SHA1
d55c3f423af6c1177810f143fa28584cf3689d09

SHA256
8111287d2afb1e405d6d3ab1142322c99d753e23a208b368362e48826ae6e34d

SHA512
abfc58072de1f1b908510f2cb6096269050d12e5659f01099294ee65d4474d01f88d028e44235a189b6684836e2dfff7f3e2e811ca693123ada1c557c0159d34

Download Submit
C:\Windows\SysWOW64\Afiglkle.exe

Filesize
96KB

MD5
02f7aae3ffd203a1fbed009fabae8cc8

SHA1
499a37fa4033d5de645239fff067b3bd491cddb3

SHA256
8fcbc71ec8f9c1404e2e77b2187d74fc0552838c1af8d824645c551ad4e5c796

SHA512
2111cfbce4a476aec5bf3f6ef423aa4f811822eae78f68935b1a75f88d0ea8139712d95474b3f2037cbcd49d5f46466aad7fb61a8600fbea78b4b3b3da9fd105

Download Submit
C:\Windows\SysWOW64\Aijpnfif.exe

Filesize
96KB

MD5
dc495455270037deedd13e864dd0aed9

SHA1
425fa05ee97c401e805ab624b918c5145b62de30

SHA256
03ef20718c88e91bdf28492d6a6c76bd5efa7ba93c7883ff83a8e966c3f2e6bb

SHA512
ca1480f66c149c0ef128743aa0a9464a501a51920fbaa25bf1f1289b916be32309086674821afafe251928385c3a77947dc3e131896e303a834944a76fb22955

Download Submit
C:\Windows\SysWOW64\Ajecmj32.exe

Filesize
96KB

MD5
a222d2d1166568c566ff3f0b0c1e3b19

SHA1
00114ffe441d8061202d2f39306b527b6e345b9f

SHA256
2877d76cc876094a363a19ad9783aa60de4f72d35ff7b40ab53c4d9cc9037e27

SHA512
6918a1ce0153bcf3c7c86b9609ec5eba1ea8be428959a6a67694472245b513ff77b88dd50488f769369f51ae3a3fc148ebcf69d6d0d48e5e47fc0d3fd69245e8

Download Submit
C:\Windows\SysWOW64\Amelne32.exe

Filesize
96KB

MD5
71edd295cca3034dba34ea1ce0ad3a7d

SHA1
768633a937ce79a5d845eb1ccc15ff06944399be

SHA256
7db1cfaf49bf39e6f910122cb8957816406a016343456062a1da8d44a5590abe

SHA512
6e7a87b5bd928074695f7dd3515577dc5d2c707988cec92e69e74f77ff2edd8efada912c7ad66ceaf36092a300eb7a7b06b17369551602d803640e89409b1f48

Download Submit
C:\Windows\SysWOW64\Annbhi32.exe

Filesize
96KB

MD5
98e3bbcd549d7aacc4a069b949bb92e9

SHA1
2f7f10ae815b8f4018d3adbc22ed9579ede477fd

SHA256
1c9cb6547238283b5b139a6294e3690c43e67027371385d623a434e66aa2d4b6

SHA512
7f32ca714a0090b1bc69dc64f420781e71b208c5aa8548291f88853a791786a277fd002470231e7ec38cc2f73e4493a51c299f8d3a2f025efa09d8eb804f828b

Download Submit
C:\Windows\SysWOW64\Baohhgnf.exe

Filesize
96KB

MD5
bf22232e5207271e7997e5e5c11e3a03

SHA1
16178ba06d509c201f14cf30bf5e5a4d29819d35

SHA256
ee317edef9c03d65225853dd204579309e1ebb9206f3d71f3550b89625debc64

SHA512
98136bd83ad7ab6cdb56cf02ea709fb2448db64f060ea5bdfa26b327d3e8f2bb02bf82b3a90148989a143b03b3ada97d54b6f93049daa89331a444d128eb9e15

Download Submit
C:\Windows\SysWOW64\Bbdallnd.exe

Filesize
96KB

MD5
3d148ee5eb22ab1fa025f7db2edd0d16

SHA1
451ab62d5b7c670a7cc84d0fb87485a271f9657d

SHA256
42082aba49dba1de025f15a18b9f07f6c73e7bc6f930fc284e1e1fbf2e1ae631

SHA512
c76b5eb2ee397019def0fdb4131ff9b80b24a8b9485981e3dfb7b2bc334565dcff34fd41c94ab369e0ed16cdba8bd0531dc67ed7edc596832d3daaf7a171d7c1

Download Submit
C:\Windows\SysWOW64\Bbgnak32.exe

Filesize
96KB

MD5
1898d44e4a76e4d88152dcc50e4c1eb0

SHA1
c208d4a01f08ecb33d46049d1b146388a5412cc3

SHA256
599cd5e2db90a70760e54c0866ab9c9e98ef2aa307bcb5d3942e0af5233375e5

SHA512
245234ab60b3a1b08bf4fa635c64918442ee433fc965a063d979aebac0f10470da3832ae76bbe28aa379491a158c2a290ecd81656685cd071c33c13f96ee15f6

Download Submit
C:\Windows\SysWOW64\Bbikgk32.exe

Filesize
96KB

MD5
05556236895047c42dfe8b7b17cd53c6

SHA1
ec388f0eede7542c5828d90d62c88a17cc8125d8

SHA256
d21e05f127e142e4af6a1b590ba9289aa763c8831178dee4d45f049ec699a688

SHA512
3fc455faf4777f653d513157590cc7669a2c92d67242cf2df530fdfe538539e2365e3a834cdc4904a0505b55504df60dc6ae1bb98557a36d4b9b7e7bd49736c4

Download Submit
C:\Windows\SysWOW64\Bdkgocpm.exe

Filesize
96KB

MD5
5fabbffe82d2e3d0e23a5557a704ded6

SHA1
502c4390dd9575af9c2aca7251ba9ce26da17a12

SHA256
846d7ea60037e21dc15e70e9f6fe743412ddc93a0c25b221103cb7a3bfcb9fac

SHA512
02c610e708e1d72df67fe79d24711935a664bacb089be428f72cd3a9970fa622eb9a916a110cc535c68caecd60b9c0d8547370085dc946c74c26231a1fe75254

Download Submit
C:\Windows\SysWOW64\Beejng32.exe

Filesize
96KB

MD5
6e64f397f5b9d6603724dae1bc8fefab

SHA1
01bc617ac2db1a5b32e6f584cb2d369688e9ff89

SHA256
fbd78fc0d23e9e2f044264f1faacf516f0457a093e7f3527699880e31e44ee65

SHA512
e15b2bab7d7f34307a153a6eeac6ef375e6f24664c093e51b3281cdd05764bce6321f6e37f23f8be848ab0dd49ed4af1a6a3b06d08a093acb18bd059ce81e421

Download Submit
C:\Windows\SysWOW64\Bejdiffp.exe

Filesize
96KB

MD5
21fbce2c90c9ba2d47dc741d01f54771

SHA1
e06a6284edbee0b02efca8e3e802083fe4a582bb

SHA256
2e09516255d53e3cc5b6afe5379e4c36b3068f574690620fa7ff94af808393ac

SHA512
7ab0a7996041b4b28c01867ecfb505316396732a3db691a02bf18bb0324e8113b34d7d910a66ec66a6e5eb36634e8848ab25e8cce583ad7eb864a4b9c7735293

Download Submit
C:\Windows\SysWOW64\Bhajdblk.exe

Filesize
96KB

MD5
4e960e33593fb9627bdd3a23331ef1a8

SHA1
f393ee95bd5e02a0fe71d7ab9bd0fd176909df32

SHA256
82a050d043a34e9ce178e0ad1fc40db4b517f14acefdc024b6f8a2233ac08332

SHA512
21112469148053c4bc2d69d70b4af75265b55368b5e1615e12dc2c6c7e190faac35dcbf42a57e663725f88bf2f76dccdd5599f0ac4daa44655cdab5e90407ed7

Download Submit
C:\Windows\SysWOW64\Bhdgjb32.exe

Filesize
96KB

MD5
d56fd7cc2a69f3585c5d81f75940b254

SHA1
b4f29913ba95b82677393b9c8a443d623ee7168b

SHA256
e50b97113c84e39d3decdd3837ac113e24c93c9d64eedcbdac43cdeb9ebf3909

SHA512
afd80c1dcd89b89aec7fce0a56b786605d20ed8805c455face5a1d567d7273643092670d43e80a9c19f4ea2f3cf1a7ec4ca810ea227edc603270af8b575af8d6

Download Submit
C:\Windows\SysWOW64\Bhfcpb32.exe

Filesize
96KB

MD5
32c79a0a992aaa4d0c0720557b1dd6c9

SHA1
cb7ead647cdbb25028464119624a53bc9608c1be

SHA256
127b5c7153306015ba1179efdb873a7319133888b0f1b8a70a3a28e7e9b13370

SHA512
44b5dd61f00b66912d035b770c94fef081d629e5f7e543aaadb6e5eb594d53bbec5a16f4522c4f75b8685186f1898ddaa040e4eb9988215b2f5fa0d458ec4982

Download Submit
C:\Windows\SysWOW64\Bkglameg.exe

Filesize
96KB

MD5
6b2c36c0f6b7cd66bce0497c884c4671

SHA1
e4cbf9014bcf2ee8f39011f81e10d188bd757c8e

SHA256
f7cb26c109e42a5b51584cb8d97e12b0829823640096382273f909c688b36563

SHA512
31b8731783b08e228b2a0dd0e48dc2c407d759295b1396272dba6d0713418f6f3e8a489b01f3e24a53e998c04d338ef6bc02f6d02ec723fd3a65f625ab6b4068

Download Submit
C:\Windows\SysWOW64\Bmeimhdj.exe

Filesize
96KB

MD5
cd8e20e0d7181d53128bd08abb7fe6ea

SHA1
bfb004449bceb5d9a65fe8257e9686289c627717

SHA256
3ade20bac01fa421a86e7f5ebf5db1a7d48b4d1e5d110095aaaa32685dbb2bfe

SHA512
01ae0dc56a6679906719662a314b481e40078dccc3b17214d2b74b6cfc1ce42e3fcfe69c0dcb8688df6bacb8603a4aefcc5a2e145370be345839f23e26660b26

Download Submit
C:\Windows\SysWOW64\Bmhideol.exe

Filesize
96KB

MD5
5c06b6e24b7e49d91d5cd076dd561ff4

SHA1
c7be398bdb8a98b08b2a18be0ec9d30ac8801eaf

SHA256
70bbd5a398d0ae05830e2baa7ea54b127eb3acb470f845b027da262087352453

SHA512
9e2ca8ad3cf6e02098b22191802ff029f95c0a87f289e8c783649f5a970be0460c43b22349b3b8a3850f2c297970f19c89a186acab5f571f9e1c423dbafb58da

Download Submit
C:\Windows\SysWOW64\Bnkbam32.exe

Filesize
96KB

MD5
824cfc8a38cd8dc7023ab394c70f1efc

SHA1
8b529ab540bb4629a5098ca06d3cee9b01038b8d

SHA256
8dc8ae7ba86dedbb0acfcedb240aec33363c934a903c20c0d478c8af7fb75418

SHA512
d400164a92f8b9071177a0e2d59141e79bac59a64c8cb45a49e57d32a92873b150bc57628d54a397ac47914a04ac0995dde758e68107cabedcfae12659744571

Download Submit
C:\Windows\SysWOW64\Boplllob.exe

Filesize
96KB

MD5
9963f17ee9cffab88ed501f455abb308

SHA1
6c5393b4c153c0ce7f72330695a49f6ee29b59d8

SHA256
39077c32d4b81d0f4edcdabbfac02a5308e39c21f2e35444aa410d64e8333f78

SHA512
8af7d598eb837b0ef2db8853999abb3bb95b38c527e270f31e4052352fb94957116acf1cee4545759e360cb6d23cdcd746b4b8bfc11d79f2ac358b9f128a61eb

Download Submit
C:\Windows\SysWOW64\Bpfeppop.exe

Filesize
96KB

MD5
dfc257446b6dd008b9f2133309252564

SHA1
82512e09495170c405f15aa2376935909de24b93

SHA256
a0438ea515cafb111cbc0c5dcbff7b32a7429768d479f2b45df0be4b461e2eb7

SHA512
56896265a28a9ea11f0c674a2a24a19d61d5e5ab8b39716e541803bc7261053705af8cf1a478261a74fb4fe01ca8881d0e6dc72fc68fada9c181f8c9ef9cd776

Download Submit
C:\Windows\SysWOW64\Cbdnko32.exe

Filesize
96KB

MD5
b8b91feae71e6ad744ddf846154ece57

SHA1
f5917d9806451d126fcf5352b435ef8f2fae7c22

SHA256
d1cf5ded226a221de03dd0a274c7c4922ab7bf632355986587db17ee7ab03579

SHA512
052961160029ffc94ef26cf07aa8d46691dba5a06a91dbe0d2b05ef97f673c59af2b9a342473af959575389a31d52d4f5bc900a92c00abe1342b45f1c7ab5ff9

Download Submit
C:\Windows\SysWOW64\Cdanpb32.exe

Filesize
96KB

MD5
24f93c0bfcf3b7d76873241e8684d2dc

SHA1
7e15a84e5d8f3aad1c222295251f8fd0840622f7

SHA256
c1ceae7a671a7eb5f97bfa50584ba3dc3bd3484f68b30f2f90accfd1ceb72d08

SHA512
f1098b0b84ac28979d39f0d77dde9d034824d9e834c977bd8d2aa96d93733abf79b308d66d7fd653b571a829df3217d1ae78b7bfae907461cd321d66dabbbbdb

Download Submit
C:\Windows\SysWOW64\Cddjebgb.exe

Filesize
96KB

MD5
b9496661a9ed061e4796915ffcb86a0d

SHA1
5b45b35cb48834b891d6deadd12cdb64c61671bc

SHA256
7b9760e06bc7ed0ce49d3089d1fdfdea7f153559c4f39ec72f660477b9f61781

SHA512
2d93e024d8dd14d0a96c6f097160c69885de5fcb23ba788c893a0d55bbb0b1532f1dc014c2f0ca0f8443fb7a8b6e817050291a493402d946c05ff29a6b2bd780

Download Submit
C:\Windows\SysWOW64\Cdoajb32.exe

Filesize
96KB

MD5
cf6bfbf78ea681a568edb6d0c83f8207

SHA1
397e23f23e0fa4209d6591f73052ee5fd18e5680

SHA256
9560a761476ebdc5adc94ba013bb39ca657232db9db9d5dc8ac0522c7eb48226

SHA512
29cbd3384f23b910f96c42b72f880767877062c1c88d0f492b1b35672efae30fc07787a82cf98b4d03705802b644c7791cd5f658a0194a7c35f5aaecf384a3c9

Download Submit
C:\Windows\SysWOW64\Ceegmj32.exe

Filesize
96KB

MD5
e9ed8e116b86ef2638fe885899c0d24b

SHA1
eb70802ce09b81e7773c846b49942726d238ea40

SHA256
9f850a5c096ce50ecc089b231f8cd6e321fd5016fc2c0c7bfd28e977ce0abc23

SHA512
985fe074755b9473d3733d7bafd0ea55e052292ca06d1934b8e1ab5b33700f268829205813cebab66b94ed00f125ea950f419d8dce71ceb256be6ccc4066f43e

Download Submit
C:\Windows\SysWOW64\Cgbfamff.exe

Filesize
96KB

MD5
7aff8f1dc225e522da174790c8442148

SHA1
8e596f5bc9ee1169f67af1a28a3cc1b0dac3eaa1

SHA256
1e07236a9877ba07ed317269ebbc41f8bd3ceee66fb822c5399ff11d0c31a928

SHA512
73db0c2fc81d1f3d6bf3143f4adb62769306be2180d4efa0e3f70f402ad756871db5ffb0b292d9032d4bd8b598a5582ae701422f621a2229a67788261a9f369c

Download Submit
C:\Windows\SysWOW64\Chkmkacq.exe

Filesize
96KB

MD5
7b1399ccf24812af7faa766cf20fe987

SHA1
cea1d74e70dbca3e1ba8c62358229484a8078cf0

SHA256
42e188f0e848e7a578d05ba1d8cf61fa72427b53577bf500d34c5ccabb2b08b8

SHA512
531d1fcdffa06f1636f8af0ae40992187466ae0c907c973ca12ce46530a054191c90ee938edc530bca7aad1023c0ac3d2282c392455d489d8ad6fe7b13073b17

Download Submit
C:\Windows\SysWOW64\Ckiigmcd.exe

Filesize
96KB

MD5
bcea3f2dd7342e38fda6cdfa9c7d4904

SHA1
3a214a555a88504c571bd187fb5e3ff739baf840

SHA256
9ddb5c613f6d9324960550fe1e0878b101bc183301853b8932edff02f5e07d6e

SHA512
f42a5f33738253afcf174ce1003e544b6eebc763ded033dfbff84e2f82a6a4315841c2c69369ccd52e95141834a270e42bd1df1f0420a1ec7f8ed4a8375a05b1

Download Submit
C:\Windows\SysWOW64\Cklfll32.exe

Filesize
96KB

MD5
16683fdd37840c87acc99172f094ea11

SHA1
6412f3d9c8fa0ce1ca1a21506c25260b16f808f9

SHA256
5bd320538f4a7b16b106e105369aed2f774571c13e5424977c179be46152be8f

SHA512
0605fb4e82c5147414ffac8850fb4df72cfc0f7abe58118879d768f61aa85fbb90a78697a87cb2273c223562c06be84298706de7eb7f63b3754b6c1ac4c1e766

Download Submit
C:\Windows\SysWOW64\Clmbddgp.exe

Filesize
96KB

MD5
5ec09b59b0b605262e9fab69fa418982

SHA1
2edd92403ee65653a6f3d320d0019afccb66ab08

SHA256
c69e9481525a3431ad1c9eb2c904f136b14f6f48b6c6b1da3f76d5c91d18d6e7

SHA512
aca84dc22ea4327ee03ec333ad6a9a8cc616f4104a0232d3f74353ae7eaa9069c4b12e880b23266c9142848cc0064eb59dfee57265a979ba4280f0b0b6e041ac

Download Submit
C:\Windows\SysWOW64\Cmgechbh.exe

Filesize
96KB

MD5
a514e204fc0a6bba480a43b0b5319869

SHA1
c9f23359b9653fca9257c8a8fd36736551243200

SHA256
4cca4953121b98502304432deca0856573d9c2a1a787e1a3bdd56197671184ad

SHA512
fd6eb061faeed3aa3b660867d4f50309d118b2ba3b8ed9f2e6150c7ff1a0bc1fef8854cb9b0a41f0836638406b1b5fb1d668e257678c35e19720f41170ecafa3

Download Submit
C:\Windows\SysWOW64\Cpfaocal.exe

Filesize
96KB

MD5
c998d2ee18f8bbb7b7fb8ec0e8c71607

SHA1
cc3d1d8c6ba7c7d9e64e83cccead9422fe5e7499

SHA256
687b97005267b2f9f1b37a0e4f0fd8eb00c85758e76c94a161d5497257c7095c

SHA512
9e0a833147416de13a0ec314ac4379786d24b1babd2eee089dcdd4d139608a75cab770c135a5d640a56829a452e91d51a6ea9e09fce7b68d0d094aadb23901d5

Download Submit
C:\Windows\SysWOW64\Pbkbgjcc.exe

Filesize
96KB

MD5
55e9df09d197868e4a9dce73a9baaa28

SHA1
739065d1b24fc94ab9d1d9662f2a5b1767202511

SHA256
433d934fd648cc01afacce2408310f7e0eabcd68679b0ef1f17380a18e6530ab

SHA512
cd40a5cf5be4f467409846dadac6f1e1e82bf143a88c93c11424adfba32fc4a2a49b261d28ddfe1cbb3fe9dc1026fc6c664dcaad2d2fb8cd7c7e3d36025f9321

Download Submit
C:\Windows\SysWOW64\Pjbjhgde.exe

Filesize
96KB

MD5
f9c434fa85ef6a330f7b12a724e65486

SHA1
99c807872e9f9318e4b8ad79f3dfd2a6559f4482

SHA256
eb33dacb4f56e05ceb0d5bb30749b7a109e7e2c9d31c3f7c0ec247d7f5c8da17

SHA512
058331aabcb5ddd7ed3c08245e0d13996935fb6eb7531033895050d1e1766832429ba1bb240af99b2d76ffa93bad3dbc70323f307e549de25198f510a1f2cf6b

Download Submit
C:\Windows\SysWOW64\Qflhbhgg.exe

Filesize
96KB

MD5
815c0a114232f1f58052de8d50a186c9

SHA1
8c5518ee98aae4c672c1eb5def559073fd454f4a

SHA256
4e6842ae8917c31d981190f6a7ec73c4e338e4b44523460ffe06ce8d9f5804b5

SHA512
98adff6aa085c10e7369892d11bc1512a4d72e288db3d698c825712df61e1d0da504be95be441841da49e3e7801a6d39eea5e5599d9d44266a05decca4ac3579

Download Submit
\Windows\SysWOW64\Aaheie32.exe

Filesize
96KB

MD5
29f8eccd634e85453c30943b9ba9b4a3

SHA1
711eef4aee207c84b01d2e88c8b3d22314d16bcb

SHA256
008c77ad912ce405c3453b5c8fba87782f0ae8e838268a54d480681a9df81e21

SHA512
4cc2c5e6d80a71a64aa0c1ea1d6358dc6ad27cd3fb3070a89896ea22a75a4c902343850b21d44341f0ed73d8e14d47205fb19129c8a2be9ec967d182c032f50c

Download Submit
\Windows\SysWOW64\Aajbne32.exe

Filesize
96KB

MD5
485cba326c2d611a19d1ead5755ce57d

SHA1
00c854655e57e5409551c6d53d693158d648166e

SHA256
1a4d2cd2e18bd589ed202fc93a22d175a85c616db04ae28726013776b51e1799

SHA512
21e5b834744cd2eddd7539f9da1b92adce7669c0a4bf0f45a72519115784cbe3495c8b1360b278431b7c0f15f70a3e11bf82b6cdb65f1e78909cbc16b9c37a01

Download Submit
\Windows\SysWOW64\Aecaidjl.exe

Filesize
96KB

MD5
da6bb18c94ed1035ba6fd74e2a6c13ab

SHA1
13ffa7f435e4b4b7f9faaecd5819aa2d5376ce7f

SHA256
96b4fd7a8109842614dd6aeb58128058714639975e617e44510879a85e9399a1

SHA512
6e7bf3dc96d75dc625d1b41979913436c5bef09693e1d0ab991db6e84741db06a01c30eddc074af6ab7a53c6c24550c1788c743964ec33bbfc1e68bed2bbc7ef

Download Submit
\Windows\SysWOW64\Ajpjakhc.exe

Filesize
96KB

MD5
807503208e0f3acee7cad7e9c3da7687

SHA1
95ff6922727c82810dcb3f48d601fd686496a0cd

SHA256
fcae4aefeaae456d1342d6667e947ad74648645a5eec77f4544908df8bee46bb

SHA512
6c3ccd71f2fc26dd6804210aa996edd6dbdc196d40e824636c5ce9753946381bd1ee61c07784152c6f79f901735fd3aef25b8e6a7364bad3d823e27d0918278d

Download Submit
\Windows\SysWOW64\Pckoam32.exe

Filesize
96KB

MD5
1ff0c660fc18fbd0cebc6839983565a3

SHA1
1552235a1576ecc167e911ffe3f35b4e19d32cd8

SHA256
1b0f4c979d51da702004640ca0c4dfa14c89caa2ecd51788564e16af1dd83384

SHA512
c21c2fae2cc09491313fdd1044b6e9c01c379208ccec93d2c9f647ea7dd95deff68297fb1dbcbb80be5ecaee06190c56edbf38e8349a561733900a01defd42ae

Download Submit
\Windows\SysWOW64\Pfikmh32.exe

Filesize
96KB

MD5
87b8d600f9ea1e17cfdc105d9f982448

SHA1
036c2f7dcc78d5da9a6efa4f8043a321f19c2ab6

SHA256
29ed88df98ddf6e7711f5d73318775e3e6bbf2cb262a4dae5a47c66f782dd942

SHA512
86b859a91c43bfec02a31fa1884d99e272ed17c0f19c72300056ad765d3611db4ad030444d42ad114f39c661e54292b7db3bfb1f66efcd875b366730f741526b

Download Submit
\Windows\SysWOW64\Pmccjbaf.exe

Filesize
96KB

MD5
3d3183379c1491815bcb94cb6568fd05

SHA1
8a19ad72d3852fc2ace6cdd0562dc8c5ca30816f

SHA256
db4d245e9ba4d8864ea48a82641c4337ac96adeba6397aea5d57f4c7368437a3

SHA512
5a58f8cfcf47d645268a64720d9f8ea32fb014ef8460fdf0e519b3f1b0aaf0865b2ba0de6b0b37100c220ab873d6775bc5616ba9a97edb2b45acad83d7ea4707

Download Submit
\Windows\SysWOW64\Pndpajgd.exe

Filesize
96KB

MD5
0063e16821c87f0e17464e307a4ab363

SHA1
7dd131754f29be429226afa25a3998293f56a023

SHA256
32097df649972f8800fba84387ab0e614f9a1cd3604176bc78332efcd73853ee

SHA512
9ed4b6c97622e9aadf1db6953cc0d1365091c1b89108e29400486257c2c41b2c565ce00bcf1feeacb7ec9e2d47ec21775c0aec902684b73921a513b255ce6525

Download Submit
\Windows\SysWOW64\Qeaedd32.exe

Filesize
96KB

MD5
2852c8ab6c93c67485d55bb23e14418a

SHA1
dfcbc7247c3eec44668137491831f1ab782c429b

SHA256
0fbb49b4f6dc5fbd00db261bdb07406bd05bc2a04d021206d2baf5eacf91bde6

SHA512
eaeae02167da4eaefcc71509fc05eb8ebb2aaac75395a9cb3b4e0572b802236b8c5e8d308845d67ec3e876a233924c03ca5d6bbbe983dee2dd4715cfaa9c444f

Download Submit
\Windows\SysWOW64\Qgoapp32.exe

Filesize
96KB

MD5
e7c2557c05e6a76ddbca0fdadfd6318e

SHA1
6e7ca0741a1e27b12647e844959b745deed2a68c

SHA256
76946e786c2c505ad8c563453443407891bad7f3904a2e3dbc6f9ddc36f8e315

SHA512
c5fea20607d2ca2db0e5e7aa7da128f5800691e3d6b6eea5fa7c37e977f5fef631ec2880c444cdec812073e90c982ec36100537aabf3f8e765a8569173eb6b7a

Download Submit
\Windows\SysWOW64\Qjnmlk32.exe

Filesize
96KB

MD5
337b2773a1b14876a2d73e0391217046

SHA1
44537a0151e1f6486b218cf2653361848b3e346e

SHA256
f71480eda4d73e4d2a6219fb3b580fba8e98c590ef254a72c5e410dfd5ce7cd1

SHA512
d54968a159432ed93dabb11f73feba1918371f576365235d20cbb76c4862636523367b1dec733c40282ff790e82d6021b060b05a97a385158fe93e2c703b8413

Download Submit
\Windows\SysWOW64\Qkhpkoen.exe

Filesize
96KB

MD5
eaa89dae95c80ea15ef252098f61f4a9

SHA1
e9858967f2ad7c65405bf0ecaab716789e021257

SHA256
e0c8bfa6e3b71591a09505a99c49e4ffab157ed80c9aba1d12a89cacea4fb231

SHA512
73e5eb756cf8f752d76e173a89c290162cbc4676f3fc0e946d7f86821aabab729c7fc1fb13675f3d8ff3da84ed959b794319c41f99cb6b23bd24b9a047bc0202

Download Submit
\Windows\SysWOW64\Qngmgjeb.exe

Filesize
96KB

MD5
f14abebf73ea2f5a6ea2bb0bba4c858f

SHA1
c2fb938d43b45a93e42f538c5bf9b254be4c5e6b

SHA256
5f695a621119cb7c8bbfea2d89a63d88835b7a96974be188a46689351bcae68b

SHA512
e4dd1a0889faa57545056e1e87e98dc027bc6cc158e1190053450af57a6630d4ceabeb099e442a0cb76fca4dc06a7b2700e196f5f3b5aac847448c4adf67bf99

Download Submit
memory/308-199-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/572-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/572-363-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/572-366-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/772-420-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/772-75-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/772-67-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/796-119-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/796-472-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/796-127-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/920-535-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1012-100-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1012-452-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1036-457-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1084-212-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1132-496-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1360-463-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1472-479-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/1472-484-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/1472-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1524-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1524-394-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1524-399-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1536-506-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1684-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1712-303-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1712-298-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1712-289-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1716-319-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1716-321-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1716-320-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1740-490-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1740-495-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1752-516-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1752-525-0x0000000000310000-0x0000000000343000-memory.dmp

Filesize
204KB

Download
memory/1816-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1816-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1816-179-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1860-259-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/1936-278-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1936-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1936-277-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1968-526-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2012-408-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2072-191-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2088-505-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2088-159-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2108-462-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2124-383-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2124-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2160-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2284-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2284-440-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2296-416-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2296-419-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2296-54-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2316-376-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2316-371-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2316-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2516-288-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2516-284-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2536-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2580-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2580-306-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2580-318-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2628-398-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-52-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2628-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2672-353-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2672-343-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2672-349-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2676-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2676-342-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2688-483-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2724-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2724-247-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2728-430-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2728-421-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2728-431-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2760-19-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2800-334-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2800-336-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2800-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2848-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2848-375-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2848-17-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2848-18-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2896-228-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2896-222-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2916-387-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2916-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2956-441-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2956-88-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2980-153-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2980-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2980-494-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads