berbew | ab4d6ea1ace326ce9e7792a30b0541d90b10709261a0d74841d6810dfd8acb81

Analysis

max time kernel
26s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-12-2024 15:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab4d6ea1ace326ce9e7792a30b0541d90b10709261a0d74841d6810dfd8acb81N.exe
Size

163KB
MD5

f2deb3cb47fef2674b9ef84a9efd07b0
SHA1

ad36364fff6133fdf0f7501e876497ec08e455e7
SHA256

ab4d6ea1ace326ce9e7792a30b0541d90b10709261a0d74841d6810dfd8acb81
SHA512

cc0790bac530c5f00ba49344161f98efcd8b91a846c76d4f1a199db2adc6d28d075fa2826d9897cf0da2e2d187ab7b8714766c9488287091724a2d4c85e4156f
SSDEEP

1536:PdOcprYXI0ET1xkcFLmWU4ZtyEslProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:rpyI0cXfLmWHCEsltOrWKDBr+yJb

Score

10^/10

berbew bruteratel backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pngphgbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdaheq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qeohnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojigbhlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qiladcdh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abeemhkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afiglkle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Biafnecn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chkmkacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chkmkacq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ab4d6ea1ace326ce9e7792a30b0541d90b10709261a0d74841d6810dfd8acb81N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkidlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcibkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcibkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnielm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biafnecn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Okdkal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkidlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aecaidjl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajpjakhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkpqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ackkppma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bajomhbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Annbhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qiladcdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baadng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajgpbj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bilmcf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnielm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqjfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqjfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Poocpnbm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkhpkoen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhfcpb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baadng32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oghopm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aganeoip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apoooa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Achojp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qkhpkoen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aganeoip.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqeicede.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bajomhbl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okdkal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfgngh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfgngh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfikmh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkglameg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qkkmqnck.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhajdblk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhfcpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfdabino.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qeohnd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acmhepko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckiigmcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bejdiffp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajgpbj32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
backdoor bruteratel
Bruteratel family
bruteratel

Detect BruteRatel badger 1 IoCs

resource	yara_rule
behavioral1/files/0x000500000001a4a2-451.dat	family_bruteratel

Executes dropped EXE 54 IoCs

pid	Process
2720	Odjbdb32.exe
2236	Oghopm32.exe
2700	Okdkal32.exe
2708	Ojigbhlp.exe
592	Pkidlk32.exe
1480	Pngphgbf.exe
2404	Pdaheq32.exe
1228	Pjnamh32.exe
2932	Pokieo32.exe
468	Pfdabino.exe
2908	Pqjfoa32.exe
2768	Pcibkm32.exe
1064	Pfgngh32.exe
2008	Poocpnbm.exe
3060	Pfikmh32.exe
2324	Pihgic32.exe
2344	Qeohnd32.exe
704	Qkhpkoen.exe
868	Qqeicede.exe
1804	Qiladcdh.exe
1732	Qkkmqnck.exe
1992	Aniimjbo.exe
2672	Abeemhkh.exe
2332	Aecaidjl.exe
2000	Aganeoip.exe
2612	Ajpjakhc.exe
2488	Achojp32.exe
2652	Annbhi32.exe
2892	Apoooa32.exe
696	Ackkppma.exe
2504	Afiglkle.exe
2508	Amcpie32.exe
2360	Acmhepko.exe
2976	Ajgpbj32.exe
2676	Abbeflpf.exe
2280	Bilmcf32.exe
2260	Bnielm32.exe
2792	Bhajdblk.exe
1980	Bnkbam32.exe
1508	Bajomhbl.exe
2232	Biafnecn.exe
832	Bjbcfn32.exe
1364	Bonoflae.exe
1284	Behgcf32.exe
2304	Bhfcpb32.exe
1716	Boplllob.exe
2656	Bejdiffp.exe
2564	Bfkpqn32.exe
2752	Bkglameg.exe
2624	Baadng32.exe
2320	Cpceidcn.exe
560	Chkmkacq.exe
380	Ckiigmcd.exe
2536	Cacacg32.exe

Loads dropped DLL 64 IoCs

pid	Process
2884	ab4d6ea1ace326ce9e7792a30b0541d90b10709261a0d74841d6810dfd8acb81N.exe
2884	ab4d6ea1ace326ce9e7792a30b0541d90b10709261a0d74841d6810dfd8acb81N.exe
2720	Odjbdb32.exe
2720	Odjbdb32.exe
2236	Oghopm32.exe
2236	Oghopm32.exe
2700	Okdkal32.exe
2700	Okdkal32.exe
2708	Ojigbhlp.exe
2708	Ojigbhlp.exe
592	Pkidlk32.exe
592	Pkidlk32.exe
1480	Pngphgbf.exe
1480	Pngphgbf.exe
2404	Pdaheq32.exe
2404	Pdaheq32.exe
1228	Pjnamh32.exe
1228	Pjnamh32.exe
2932	Pokieo32.exe
2932	Pokieo32.exe
468	Pfdabino.exe
468	Pfdabino.exe
2908	Pqjfoa32.exe
2908	Pqjfoa32.exe
2768	Pcibkm32.exe
2768	Pcibkm32.exe
1064	Pfgngh32.exe
1064	Pfgngh32.exe
2008	Poocpnbm.exe
2008	Poocpnbm.exe
3060	Pfikmh32.exe
3060	Pfikmh32.exe
2324	Pihgic32.exe
2324	Pihgic32.exe
2344	Qeohnd32.exe
2344	Qeohnd32.exe
704	Qkhpkoen.exe
704	Qkhpkoen.exe
868	Qqeicede.exe
868	Qqeicede.exe
1804	Qiladcdh.exe
1804	Qiladcdh.exe
1732	Qkkmqnck.exe
1732	Qkkmqnck.exe
1992	Aniimjbo.exe
1992	Aniimjbo.exe
2672	Abeemhkh.exe
2672	Abeemhkh.exe
2332	Aecaidjl.exe
2332	Aecaidjl.exe
2000	Aganeoip.exe
2000	Aganeoip.exe
2612	Ajpjakhc.exe
2612	Ajpjakhc.exe
2488	Achojp32.exe
2488	Achojp32.exe
2652	Annbhi32.exe
2652	Annbhi32.exe
2892	Apoooa32.exe
2892	Apoooa32.exe
696	Ackkppma.exe
696	Ackkppma.exe
2504	Afiglkle.exe
2504	Afiglkle.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fnahcn32.dll	Odjbdb32.exe
File created	C:\Windows\SysWOW64\Aganeoip.exe	Aecaidjl.exe
File created	C:\Windows\SysWOW64\Plgifc32.dll	Ackkppma.exe
File opened for modification	C:\Windows\SysWOW64\Ajgpbj32.exe	Acmhepko.exe
File created	C:\Windows\SysWOW64\Bilmcf32.exe	Abbeflpf.exe
File created	C:\Windows\SysWOW64\Boplllob.exe	Bhfcpb32.exe
File created	C:\Windows\SysWOW64\Ljacemio.dll	Bkglameg.exe
File created	C:\Windows\SysWOW64\Pngphgbf.exe	Pkidlk32.exe
File created	C:\Windows\SysWOW64\Gneolbel.dll	Pfdabino.exe
File created	C:\Windows\SysWOW64\Icmqhn32.dll	Aniimjbo.exe
File created	C:\Windows\SysWOW64\Amcpie32.exe	Afiglkle.exe
File opened for modification	C:\Windows\SysWOW64\Bnielm32.exe	Bilmcf32.exe
File created	C:\Windows\SysWOW64\Biafnecn.exe	Bajomhbl.exe
File created	C:\Windows\SysWOW64\Bjpdmqog.dll	Chkmkacq.exe
File opened for modification	C:\Windows\SysWOW64\Cpceidcn.exe	Baadng32.exe
File created	C:\Windows\SysWOW64\Ckiigmcd.exe	Chkmkacq.exe
File created	C:\Windows\SysWOW64\Paenhpdh.dll	Pqjfoa32.exe
File created	C:\Windows\SysWOW64\Pfikmh32.exe	Poocpnbm.exe
File opened for modification	C:\Windows\SysWOW64\Qeohnd32.exe	Pihgic32.exe
File opened for modification	C:\Windows\SysWOW64\Bilmcf32.exe	Abbeflpf.exe
File opened for modification	C:\Windows\SysWOW64\Biafnecn.exe	Bajomhbl.exe
File created	C:\Windows\SysWOW64\Behgcf32.exe	Bonoflae.exe
File opened for modification	C:\Windows\SysWOW64\Pfgngh32.exe	Pcibkm32.exe
File opened for modification	C:\Windows\SysWOW64\Aecaidjl.exe	Abeemhkh.exe
File opened for modification	C:\Windows\SysWOW64\Annbhi32.exe	Achojp32.exe
File created	C:\Windows\SysWOW64\Ackkppma.exe	Apoooa32.exe
File created	C:\Windows\SysWOW64\Nodmbemj.dll	Bhajdblk.exe
File created	C:\Windows\SysWOW64\Odjbdb32.exe	ab4d6ea1ace326ce9e7792a30b0541d90b10709261a0d74841d6810dfd8acb81N.exe
File created	C:\Windows\SysWOW64\Okdkal32.exe	Oghopm32.exe
File created	C:\Windows\SysWOW64\Imjcfnhk.dll	Qkhpkoen.exe
File created	C:\Windows\SysWOW64\Aniimjbo.exe	Qkkmqnck.exe
File opened for modification	C:\Windows\SysWOW64\Aganeoip.exe	Aecaidjl.exe
File created	C:\Windows\SysWOW64\Abbeflpf.exe	Ajgpbj32.exe
File opened for modification	C:\Windows\SysWOW64\Pdaheq32.exe	Pngphgbf.exe
File created	C:\Windows\SysWOW64\Annbhi32.exe	Achojp32.exe
File created	C:\Windows\SysWOW64\Pmmani32.dll	Apoooa32.exe
File created	C:\Windows\SysWOW64\Chkmkacq.exe	Cpceidcn.exe
File created	C:\Windows\SysWOW64\Fdlpjk32.dll	Ckiigmcd.exe
File created	C:\Windows\SysWOW64\Eignpade.dll	Bjbcfn32.exe
File created	C:\Windows\SysWOW64\Liggabfp.dll	Bhfcpb32.exe
File opened for modification	C:\Windows\SysWOW64\Pfdabino.exe	Pokieo32.exe
File created	C:\Windows\SysWOW64\Hepiihgc.dll	Pfikmh32.exe
File opened for modification	C:\Windows\SysWOW64\Qkhpkoen.exe	Qeohnd32.exe
File created	C:\Windows\SysWOW64\Oilpcd32.dll	Afiglkle.exe
File created	C:\Windows\SysWOW64\Bnkbam32.exe	Bhajdblk.exe
File opened for modification	C:\Windows\SysWOW64\Bnkbam32.exe	Bhajdblk.exe
File created	C:\Windows\SysWOW64\Bfkpqn32.exe	Bejdiffp.exe
File created	C:\Windows\SysWOW64\Cpceidcn.exe	Baadng32.exe
File opened for modification	C:\Windows\SysWOW64\Chkmkacq.exe	Cpceidcn.exe
File created	C:\Windows\SysWOW64\Lgahjhop.dll	Abbeflpf.exe
File opened for modification	C:\Windows\SysWOW64\Bfkpqn32.exe	Bejdiffp.exe
File created	C:\Windows\SysWOW64\Imogmg32.dll	Pfgngh32.exe
File created	C:\Windows\SysWOW64\Qeohnd32.exe	Pihgic32.exe
File opened for modification	C:\Windows\SysWOW64\Afiglkle.exe	Ackkppma.exe
File created	C:\Windows\SysWOW64\Acmhepko.exe	Amcpie32.exe
File created	C:\Windows\SysWOW64\Bonoflae.exe	Bjbcfn32.exe
File opened for modification	C:\Windows\SysWOW64\Odjbdb32.exe	ab4d6ea1ace326ce9e7792a30b0541d90b10709261a0d74841d6810dfd8acb81N.exe
File created	C:\Windows\SysWOW64\Abeemhkh.exe	Aniimjbo.exe
File created	C:\Windows\SysWOW64\Achojp32.exe	Ajpjakhc.exe
File created	C:\Windows\SysWOW64\Bjbcfn32.exe	Biafnecn.exe
File created	C:\Windows\SysWOW64\Oghopm32.exe	Odjbdb32.exe
File created	C:\Windows\SysWOW64\Faflglmh.dll	Ojigbhlp.exe
File opened for modification	C:\Windows\SysWOW64\Poocpnbm.exe	Pfgngh32.exe
File created	C:\Windows\SysWOW64\Fpbche32.dll	Qqeicede.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3000	2536	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 55 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okdkal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amcpie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bilmcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boplllob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ackkppma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkbam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bajomhbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojigbhlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkhpkoen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afiglkle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhajdblk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfgngh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Poocpnbm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pihgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biafnecn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bonoflae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacacg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdaheq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkkmqnck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajpjakhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acmhepko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpceidcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcibkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkglameg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkidlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pokieo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aniimjbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajgpbj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abbeflpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baadng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chkmkacq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjnamh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aecaidjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnielm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bejdiffp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ab4d6ea1ace326ce9e7792a30b0541d90b10709261a0d74841d6810dfd8acb81N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oghopm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhfcpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Achojp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Behgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfikmh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qiladcdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pngphgbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfdabino.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqeicede.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abeemhkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apoooa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbcfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkpqn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqjfoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qeohnd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aganeoip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Annbhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odjbdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckiigmcd.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqjfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfikmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnkbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eioojl32.dll"	Pihgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apoooa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bilmcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnielm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eignpade.dll"	Bjbcfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkglameg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chkmkacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfdabino.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdblnn32.dll"	Annbhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afiglkle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Biafnecn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfgngh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hepiihgc.dll"	Pfikmh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qeohnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odjbdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qqeicede.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plgifc32.dll"	Ackkppma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abeemhkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aecaidjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okbekdoi.dll"	Ajpjakhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfaka32.dll"	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndmjqgdd.dll"	Baadng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajcfjgdj.dll"	ab4d6ea1ace326ce9e7792a30b0541d90b10709261a0d74841d6810dfd8acb81N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Okdkal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pkidlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pokieo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imjcfnhk.dll"	Qkhpkoen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aganeoip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgahjhop.dll"	Abbeflpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjbcfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	ab4d6ea1ace326ce9e7792a30b0541d90b10709261a0d74841d6810dfd8acb81N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	ab4d6ea1ace326ce9e7792a30b0541d90b10709261a0d74841d6810dfd8acb81N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oghopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlcpdacl.dll"	Behgcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baadng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdaheq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afiglkle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acmhepko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajgpbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oghopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gneolbel.dll"	Pfdabino.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnablp32.dll"	Pcibkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aniimjbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bajomhbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bonoflae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pngphgbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pokieo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfdabino.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Achojp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Annbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkpqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjnamh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcibkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qiladcdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plfmnipm.dll"	Pngphgbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qiladcdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajpjakhc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjbcfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljacemio.dll"	Bkglameg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 2720	2884	ab4d6ea1ace326ce9e7792a30b0541d90b10709261a0d74841d6810dfd8acb81N.exe	30
PID 2884 wrote to memory of 2720	2884	ab4d6ea1ace326ce9e7792a30b0541d90b10709261a0d74841d6810dfd8acb81N.exe	30
PID 2884 wrote to memory of 2720	2884	ab4d6ea1ace326ce9e7792a30b0541d90b10709261a0d74841d6810dfd8acb81N.exe	30
PID 2884 wrote to memory of 2720	2884	ab4d6ea1ace326ce9e7792a30b0541d90b10709261a0d74841d6810dfd8acb81N.exe	30
PID 2720 wrote to memory of 2236	2720	Odjbdb32.exe	31
PID 2720 wrote to memory of 2236	2720	Odjbdb32.exe	31
PID 2720 wrote to memory of 2236	2720	Odjbdb32.exe	31
PID 2720 wrote to memory of 2236	2720	Odjbdb32.exe	31
PID 2236 wrote to memory of 2700	2236	Oghopm32.exe	32
PID 2236 wrote to memory of 2700	2236	Oghopm32.exe	32
PID 2236 wrote to memory of 2700	2236	Oghopm32.exe	32
PID 2236 wrote to memory of 2700	2236	Oghopm32.exe	32
PID 2700 wrote to memory of 2708	2700	Okdkal32.exe	33
PID 2700 wrote to memory of 2708	2700	Okdkal32.exe	33
PID 2700 wrote to memory of 2708	2700	Okdkal32.exe	33
PID 2700 wrote to memory of 2708	2700	Okdkal32.exe	33
PID 2708 wrote to memory of 592	2708	Ojigbhlp.exe	34
PID 2708 wrote to memory of 592	2708	Ojigbhlp.exe	34
PID 2708 wrote to memory of 592	2708	Ojigbhlp.exe	34
PID 2708 wrote to memory of 592	2708	Ojigbhlp.exe	34
PID 592 wrote to memory of 1480	592	Pkidlk32.exe	35
PID 592 wrote to memory of 1480	592	Pkidlk32.exe	35
PID 592 wrote to memory of 1480	592	Pkidlk32.exe	35
PID 592 wrote to memory of 1480	592	Pkidlk32.exe	35
PID 1480 wrote to memory of 2404	1480	Pngphgbf.exe	36
PID 1480 wrote to memory of 2404	1480	Pngphgbf.exe	36
PID 1480 wrote to memory of 2404	1480	Pngphgbf.exe	36
PID 1480 wrote to memory of 2404	1480	Pngphgbf.exe	36
PID 2404 wrote to memory of 1228	2404	Pdaheq32.exe	37
PID 2404 wrote to memory of 1228	2404	Pdaheq32.exe	37
PID 2404 wrote to memory of 1228	2404	Pdaheq32.exe	37
PID 2404 wrote to memory of 1228	2404	Pdaheq32.exe	37
PID 1228 wrote to memory of 2932	1228	Pjnamh32.exe	38
PID 1228 wrote to memory of 2932	1228	Pjnamh32.exe	38
PID 1228 wrote to memory of 2932	1228	Pjnamh32.exe	38
PID 1228 wrote to memory of 2932	1228	Pjnamh32.exe	38
PID 2932 wrote to memory of 468	2932	Pokieo32.exe	39
PID 2932 wrote to memory of 468	2932	Pokieo32.exe	39
PID 2932 wrote to memory of 468	2932	Pokieo32.exe	39
PID 2932 wrote to memory of 468	2932	Pokieo32.exe	39
PID 468 wrote to memory of 2908	468	Pfdabino.exe	40
PID 468 wrote to memory of 2908	468	Pfdabino.exe	40
PID 468 wrote to memory of 2908	468	Pfdabino.exe	40
PID 468 wrote to memory of 2908	468	Pfdabino.exe	40
PID 2908 wrote to memory of 2768	2908	Pqjfoa32.exe	41
PID 2908 wrote to memory of 2768	2908	Pqjfoa32.exe	41
PID 2908 wrote to memory of 2768	2908	Pqjfoa32.exe	41
PID 2908 wrote to memory of 2768	2908	Pqjfoa32.exe	41
PID 2768 wrote to memory of 1064	2768	Pcibkm32.exe	42
PID 2768 wrote to memory of 1064	2768	Pcibkm32.exe	42
PID 2768 wrote to memory of 1064	2768	Pcibkm32.exe	42
PID 2768 wrote to memory of 1064	2768	Pcibkm32.exe	42
PID 1064 wrote to memory of 2008	1064	Pfgngh32.exe	43
PID 1064 wrote to memory of 2008	1064	Pfgngh32.exe	43
PID 1064 wrote to memory of 2008	1064	Pfgngh32.exe	43
PID 1064 wrote to memory of 2008	1064	Pfgngh32.exe	43
PID 2008 wrote to memory of 3060	2008	Poocpnbm.exe	44
PID 2008 wrote to memory of 3060	2008	Poocpnbm.exe	44
PID 2008 wrote to memory of 3060	2008	Poocpnbm.exe	44
PID 2008 wrote to memory of 3060	2008	Poocpnbm.exe	44
PID 3060 wrote to memory of 2324	3060	Pfikmh32.exe	45
PID 3060 wrote to memory of 2324	3060	Pfikmh32.exe	45
PID 3060 wrote to memory of 2324	3060	Pfikmh32.exe	45
PID 3060 wrote to memory of 2324	3060	Pfikmh32.exe	45

C:\Users\Admin\AppData\Local\Temp\ab4d6ea1ace326ce9e7792a30b0541d90b10709261a0d74841d6810dfd8acb81N.exe
"C:\Users\Admin\AppData\Local\Temp\ab4d6ea1ace326ce9e7792a30b0541d90b10709261a0d74841d6810dfd8acb81N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Windows\SysWOW64\Odjbdb32.exe
  C:\Windows\system32\Odjbdb32.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\SysWOW64\Oghopm32.exe
    C:\Windows\system32\Oghopm32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2236
  - - C:\Windows\SysWOW64\Okdkal32.exe
      C:\Windows\system32\Okdkal32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2700
    - - C:\Windows\SysWOW64\Ojigbhlp.exe
        
        C:\Windows\system32\Ojigbhlp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2708
      - C:\Windows\SysWOW64\Pkidlk32.exe
        
        C:\Windows\system32\Pkidlk32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:592
        
        C:\Windows\SysWOW64\Pngphgbf.exe
        
        C:\Windows\system32\Pngphgbf.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\SysWOW64\Pdaheq32.exe
        
        C:\Windows\system32\Pdaheq32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\SysWOW64\Pjnamh32.exe
        
        C:\Windows\system32\Pjnamh32.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Windows\SysWOW64\Pokieo32.exe
        
        C:\Windows\system32\Pokieo32.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Pfdabino.exe
        
        C:\Windows\system32\Pfdabino.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:468
        
        C:\Windows\SysWOW64\Pqjfoa32.exe
        
        C:\Windows\system32\Pqjfoa32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\SysWOW64\Pcibkm32.exe
        
        C:\Windows\system32\Pcibkm32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Pfgngh32.exe
        
        C:\Windows\system32\Pfgngh32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\SysWOW64\Poocpnbm.exe
        
        C:\Windows\system32\Poocpnbm.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\Pfikmh32.exe
        
        C:\Windows\system32\Pfikmh32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\SysWOW64\Pihgic32.exe
        
        C:\Windows\system32\Pihgic32.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Qeohnd32.exe
        
        C:\Windows\system32\Qeohnd32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\Qkhpkoen.exe
        
        C:\Windows\system32\Qkhpkoen.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:704
        
        C:\Windows\SysWOW64\Qqeicede.exe
        
        C:\Windows\system32\Qqeicede.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:868
        
        C:\Windows\SysWOW64\Qiladcdh.exe
        
        C:\Windows\system32\Qiladcdh.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\Qkkmqnck.exe
        
        C:\Windows\system32\Qkkmqnck.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1732
        
        C:\Windows\SysWOW64\Aniimjbo.exe
        
        C:\Windows\system32\Aniimjbo.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1992
        
        C:\Windows\SysWOW64\Abeemhkh.exe
        
        C:\Windows\system32\Abeemhkh.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\Aecaidjl.exe
        
        C:\Windows\system32\Aecaidjl.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Aganeoip.exe
        
        C:\Windows\system32\Aganeoip.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\Ajpjakhc.exe
        
        C:\Windows\system32\Ajpjakhc.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2612
        
        C:\Windows\SysWOW64\Achojp32.exe
        
        C:\Windows\system32\Achojp32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2488
        
        C:\Windows\SysWOW64\Annbhi32.exe
        
        C:\Windows\system32\Annbhi32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2652
        
        C:\Windows\SysWOW64\Apoooa32.exe
        
        C:\Windows\system32\Apoooa32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2892
        
        C:\Windows\SysWOW64\Ackkppma.exe
        
        C:\Windows\system32\Ackkppma.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:696
        
        C:\Windows\SysWOW64\Afiglkle.exe
        
        C:\Windows\system32\Afiglkle.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2504
        
        C:\Windows\SysWOW64\Amcpie32.exe
        
        C:\Windows\system32\Amcpie32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2508
        
        C:\Windows\SysWOW64\Acmhepko.exe
        
        C:\Windows\system32\Acmhepko.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2360
        
        C:\Windows\SysWOW64\Ajgpbj32.exe
        
        C:\Windows\system32\Ajgpbj32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2976
        
        C:\Windows\SysWOW64\Abbeflpf.exe
        
        C:\Windows\system32\Abbeflpf.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2676
        
        C:\Windows\SysWOW64\Bilmcf32.exe
        
        C:\Windows\system32\Bilmcf32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2280
        
        C:\Windows\SysWOW64\Bnielm32.exe
        
        C:\Windows\system32\Bnielm32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2260
        
        C:\Windows\SysWOW64\Bhajdblk.exe
        
        C:\Windows\system32\Bhajdblk.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Windows\SysWOW64\Bnkbam32.exe
        
        C:\Windows\system32\Bnkbam32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\Bajomhbl.exe
        
        C:\Windows\system32\Bajomhbl.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\Biafnecn.exe
        
        C:\Windows\system32\Biafnecn.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Bjbcfn32.exe
        
        C:\Windows\system32\Bjbcfn32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:832
        
        C:\Windows\SysWOW64\Bonoflae.exe
        
        C:\Windows\system32\Bonoflae.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1364
        
        C:\Windows\SysWOW64\Behgcf32.exe
        
        C:\Windows\system32\Behgcf32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1284
        
        C:\Windows\SysWOW64\Bhfcpb32.exe
        
        C:\Windows\system32\Bhfcpb32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2304
        
        C:\Windows\SysWOW64\Boplllob.exe
        
        C:\Windows\system32\Boplllob.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1716
        
        C:\Windows\SysWOW64\Bejdiffp.exe
        
        C:\Windows\system32\Bejdiffp.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2656
        
        C:\Windows\SysWOW64\Bfkpqn32.exe
        
        C:\Windows\system32\Bfkpqn32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2564
        
        C:\Windows\SysWOW64\Bkglameg.exe
        
        C:\Windows\system32\Bkglameg.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2752
        
        C:\Windows\SysWOW64\Baadng32.exe
        
        C:\Windows\system32\Baadng32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2624
        
        C:\Windows\SysWOW64\Cpceidcn.exe
        
        C:\Windows\system32\Cpceidcn.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Chkmkacq.exe
        
        C:\Windows\system32\Chkmkacq.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:560
        
        C:\Windows\SysWOW64\Ckiigmcd.exe
        
        C:\Windows\system32\Ckiigmcd.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:380
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 140
        56⤵
        Program crash
        
        PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abbeflpf.exe

Filesize
163KB

MD5
8d351da29061708fdf07055f0e0f6aa3

SHA1
abe984cef2d00e4874ebee0709091993e4940fb0

SHA256
0f23b359f974b52f9296d5e3fda85655bb99d6fe63a95d310f3041dfef931aaa

SHA512
c29b8823b908495aa0da35c06e5827e67c009fffca8d1056831129d020979a0edaafa0b9639402febd4157a1e097cf6736071051ba9767a16146f3b8be8ff8fe

Download Submit
C:\Windows\SysWOW64\Abeemhkh.exe

Filesize
163KB

MD5
666a63096a9c68d077d7b93f9b2660a4

SHA1
015aabc4d8612da81c20cddf31e105b4804779f4

SHA256
f3aa18dee7e5a03eb44d9af10554e9160a8fb6dc30b6608d252200f8a3b14bdc

SHA512
59d12b77f490621dd5d83f8737616d5f4fdaa2db44348d61c65cc588c71ec69a9d357694bf8dee8281e9510e0d1e35e0a9c6e222b652c8a2e030b8b172acfd06

Download Submit
C:\Windows\SysWOW64\Achojp32.exe

Filesize
163KB

MD5
07428c3de9c333642b387c896004659e

SHA1
be46b0af666b7100e7a6c3ea37107fef800c190e

SHA256
2632aaf5c77f886eb096a346f57175871e37922ef5ee8335685eb68130f5a861

SHA512
4b92a659080180cc16e6e4a908f2c96a3f9224188c329882225c71ddd8a9486721095aaf1978578a0ab2270c1dc5806ffb386f9e9ebf313ada9fe5789d09c440

Download Submit
C:\Windows\SysWOW64\Ackkppma.exe

Filesize
163KB

MD5
2337e5803ad4e2efdd6808eb0378e69a

SHA1
592db599b32ec9ce77fa33d67ba7f66fa300b965

SHA256
dcaded7e5acc555366dfd931a6a58016a1e07de403b71a16af6c8ef1e02ef918

SHA512
d3d8b27d2a900075f3e4fdce91d0740c2356cbb69cff5cc1ef0f02d536d6efce300464910f697abad3c286f0e4214a41d91952a766bcd30ba7f5def62a5ba736

Download Submit
C:\Windows\SysWOW64\Acmhepko.exe

Filesize
163KB

MD5
61fdd8229c8af31af0545213434fc751

SHA1
edf9605388360fca9ef0232052b7550822ee265b

SHA256
2cb7047de7ba709adb32b9ed90f20469cca7f2da9ec4b88d68b878adb5545ff3

SHA512
78896aefdb26d9bc873e7a6e1304e0a9f73498847079da4c694bf8e061fd35ef2b58893f3e1db2b42c5ea5957627b08d9188fff7bc78bac4dc78b8694362467c

Download Submit
C:\Windows\SysWOW64\Aecaidjl.exe

Filesize
163KB

MD5
fd8866b00d027f68cc7fd4dd961df6fe

SHA1
d6ed2c4d940c09f187d8250ea33ba434acad404d

SHA256
a565d67f7ecf1279c12034d5a42d41944a8fa4a6220e09540bb807ff45162da3

SHA512
b26bb1fcf4783e09000dc1397a50658ccb1223338d6b75c13da4a4e3a92133a6059cd0a29648a45479a41f9fe485af243e6f636dbe394cb6a7f9f4612a708369

Download Submit
C:\Windows\SysWOW64\Afiglkle.exe

Filesize
163KB

MD5
ef72a0d0efb3ac902d798dc58277090c

SHA1
8fa6dfac40afae12523c5b62d3ea74557c2e9bb5

SHA256
a850320ade74042c7806845ac18416b519e2c23cbe69badd5e7198afa05edae5

SHA512
228741beb82bdf08779bc0712c061c5236e830ae16744a9ee6181f0f41978408e8f96aed347e589c5dcc621a502081534e0b849f9e841083f2c190b4b623bf71

Download Submit
C:\Windows\SysWOW64\Aganeoip.exe

Filesize
163KB

MD5
8b7b20ea8dd73ba3165c3a833b215d25

SHA1
fe53f076043f642f7e755e35080db460dbe99936

SHA256
a7e79bb9194b2c6538ebf03b9bc77099f76767668a45926d1270cfbc45f76ec2

SHA512
259eab6d935d31338cb6ed6a81795ee6ae9d71d181ba2ac1c82f9b8d839fe56536bbc03aeb51c4417e8f0c79beefb8a6edd40ec131db0306b80d3c993383e736

Download Submit
C:\Windows\SysWOW64\Ajgpbj32.exe

Filesize
163KB

MD5
606b4c8b219c955925259fd3e70c8f69

SHA1
18942a3e000c48731b9e179763dbb39dd46e5c18

SHA256
a53ae3e2161797a8a36a570c00dc2d53e4f132e18c3a1725f965e34f2ae8102e

SHA512
b050e3e5e5bbc141013ff06e013f557f26c69e4737720091e9e23cbc17c9fffc6eaad4f1647bb458868b7fb87b1956fe4d303fe297d1fcf258faf9231a622d69

Download Submit
C:\Windows\SysWOW64\Ajpjakhc.exe

Filesize
163KB

MD5
b53e3a83f367484adfe98118d43a7e31

SHA1
b59c16f57d189e14249626c38b09acb955ca7e96

SHA256
70f21f7c422c424bf51fa12f691543c188acd90d57c8a425d9f2e824cc703685

SHA512
66e0e578f70a8fbf7e82ec9ed7f922f9aa99f8070a5e1006f4159766a6d67c931b9740efb0cac86971f12267f89e123e44933daf06822714d991345e0d4946c3

Download Submit
C:\Windows\SysWOW64\Amcpie32.exe

Filesize
163KB

MD5
31e8d24c6b24a7d0b836356c9c9855a8

SHA1
edb94cdc9d2e47b49c0faa684d4f060a94aa56c7

SHA256
034a178d0903b662c52efd13df376fa3b12302191cc03a946fb686bab9be22b9

SHA512
e6f2f5e5f3e1323de0fd6095b4d669bf86c37cbc1eb54c38fc9554c25e699ca02f4fd583ccad5ba5e390be13d446642ba3a6008bb43bccd68e3ae57576775de2

Download Submit
C:\Windows\SysWOW64\Aniimjbo.exe

Filesize
163KB

MD5
44f5ea6501602d79287a358f054cafa7

SHA1
dc0df76bd85e8e15dc512d4423aa43520cf9d528

SHA256
90fec788930400383f35c5064adc561a10b72c49aa2edd8354f05dd342f8caec

SHA512
ac686cfcaa82d7d86c95697481bfcf65c959ac63c4d847bc37e4399faeff7beb63e1075c56debfc59c6db3e45d69f58ae3f3b7fb9d40c0e0e40e017c6c53181c

Download Submit
C:\Windows\SysWOW64\Annbhi32.exe

Filesize
163KB

MD5
6ac40000a7dcd247f93b531425cdee79

SHA1
face2a61c82aed7b3f23ba9f57718c1416b1fa69

SHA256
2ab418fdcde7ab7b6babf4763db30fc62735844867b3d35d57aa6a949e58d311

SHA512
d3055af862633fcef8c6de39ad15dcd9b47726cde3a606f43023f645f514e150e24014b0e797ee834023f6f2e117dde39e92f9dd6352bdffc83cbba236027bcf

Download Submit
C:\Windows\SysWOW64\Apoooa32.exe

Filesize
163KB

MD5
9178c21c281848c48c2c60f926da4ff3

SHA1
7d5d57b90028bc2fbdd193f4b40ed01b849da70d

SHA256
c48f217a5d0775a5127332aad56e15b7cc033f4796a868ef330df4e01b1f3995

SHA512
d3f6c9b81aa48c28c76b95e5e7611d3f160aedad4d131306d791ffe7866c925e52c57df831316630646d7b3c01ba63a15c8bc1bc6947d72d76c0ab85b3208039

Download Submit
C:\Windows\SysWOW64\Baadng32.exe

Filesize
163KB

MD5
56a6b1ce07a7ee513e771f8e81abbaf3

SHA1
ba1f41059fac7d147207d2a8a02610f289824fd9

SHA256
1014d3fd4ae0c7712660b4b3df26c85ac475a095b03c04a0c950da852ac2284f

SHA512
b29297cbc9b1ad97bbe34b6ecb0559f0adf117d9c91257d90cabe1791462440594444b4f16e1d0bbbee40996a98d062060a11e906465886b6cabfbc0bb27b2f8

Download Submit
C:\Windows\SysWOW64\Bajomhbl.exe

Filesize
163KB

MD5
767a627df9dc692a6835825eaa3a4983

SHA1
fa029934cea2481911c23ef9639941710cd93d0b

SHA256
553e77086dcaa25603cec32df955e27f513e72291539675fef5bec65d8b1327f

SHA512
9e2664d037ca9ea8cc4fd34978d033d9b067371b05cb584e0d88ddfa3c1b86e88663538a4ab99613f9c15094dce9ffaba9519d0d2835f32ae4f181f63bf2a2a6

Download Submit
C:\Windows\SysWOW64\Behgcf32.exe

Filesize
163KB

MD5
c846f3d612e3e0d45e8f5d5c02e1830c

SHA1
46bae26313ec0e2535149a8b70c9f47b33f8c286

SHA256
d9acd9c9464714a8a165d067c1c700868ab9c6c146bd7046d939e3e96afae9a9

SHA512
ac774d5be54d5267ec487733fdc8bcc08e94d57bcb90676f3b28d4a6d90335de3cb3d9dc664b68c8864ddee6306afd1f8400cb01d564257c858c7c9b3317b7e4

Download Submit
C:\Windows\SysWOW64\Bejdiffp.exe

Filesize
163KB

MD5
6f26f9bae1c1f3a9719126a9c752c924

SHA1
c08ac61cef54d4a4ace711298066bf6e80849b3a

SHA256
7ea3b2cee4fee4d5b6e1d26e1a570b0ad98f4d478c2f5c7720689e1420d64ce4

SHA512
a247f0e64adb019bdb8a3598cb45c3209e4441237f469cd4bbf3a7ae9b4e2fe7f328b43c8b6be9a6e8a6aca189b23ff2a2c0de6adcbb0fe6d3f77e9c996c6fa8

Download Submit
C:\Windows\SysWOW64\Bfkpqn32.exe

Filesize
163KB

MD5
db21e05cd78b8a761aa03b642933a045

SHA1
3e259755bffa6ad79367d95ea937642632a50462

SHA256
a7c1f7d474b87ee1cf6548c852cc3e51c98812af30db3326e6e0524f36f8cd36

SHA512
14c142dabc12f803ceb96f4f91464d44d33212c21b7a1cfbea34b32bd5be61d2ede9516d2bd5388bc6c4e29c8e494a992c2dec2cd3784c4eee11038cda7ed684

Download Submit
C:\Windows\SysWOW64\Bhajdblk.exe

Filesize
163KB

MD5
52ac12dcb9a6c8ec0437ed54d19c5dd2

SHA1
35e451b53208b386009e9ee97e7555ea2e9701cf

SHA256
a3f122d6093f4ff0ad20b3da4d9b5dedc9d1248748bcafea54b6cda488d9e5ee

SHA512
cc43c77bd7e08f4e21e1ba20405011fe43fa5bec6e1b45f26ff4357d697e41f1844d61b1f3af20ef0b0affaa56a69c0e0cbd05eb27ca08ddf3d8538fc3cc8c0c

Download Submit
C:\Windows\SysWOW64\Bhfcpb32.exe

Filesize
163KB

MD5
85f34b6b8a7bdf06dfa1b8ab79428668

SHA1
523bc09a6faf552ed722ddacd2d59fc2ad5b4801

SHA256
35c90776f6c616d9f3e5417334cd3ecfbb36394914f2fdde2b8c984896579a77

SHA512
826ea2e3e22f2993e2029868ba2ca2a0bdcc2d806b70267bf1c64ad46599f0c1bb4a492080abc6b5f0681fca4ae72952d2ce63ad2faa2997c5bbd9eb73ad0150

Download Submit
C:\Windows\SysWOW64\Biafnecn.exe

Filesize
163KB

MD5
96ac5860df28abc996a84b6e34bf2347

SHA1
23f4dd0e800c2dcc07b12947114492874d5c48c8

SHA256
00eb43b61b3dfcefd5d9868e809d2f35a28fe14abe0000bc5ed27427ec65498c

SHA512
580826ef8f79c2c9cf42e5efc465e3a999aa3171915a0dd492396d3cb0b067f74cfe5219fe663ead18564ba345498be75686ae32e0415c7ac761639dc66b8779

Download Submit
C:\Windows\SysWOW64\Bilmcf32.exe

Filesize
163KB

MD5
db6063cfe10bc8877d75c528e201c8f4

SHA1
075d4416fac0a05b7a5f28d1a1ded3df6f9d5734

SHA256
894835763345eea4e2f43f3a8c2e59639a1f8877c2ccc69182cd5d701b0595fd

SHA512
627012e21daca6fde0ea98cb979f6ca42e910c01163e7e5e7733a8062d85ee87556dda95be118bc99c4dc17f33aa22751dc0dd65c6a6f3e36a1da95bf669ac7e

Download Submit
C:\Windows\SysWOW64\Bjbcfn32.exe

Filesize
163KB

MD5
01e2eafb0c5ce71a43597fb214f76163

SHA1
6a7dc992fabafdc4006434f4b282ea5e9952413d

SHA256
f041e9a8a47f58aed5162a63c7dfd0b4748f638b7aacac736e52a8bb3ec83be4

SHA512
f67b6f0a1db156b4d3ea506e119fa79f3b35ad88d0112962b2e9817e53f94f102b338065a11dea0ab6680c17f0c5dab4c7e659b66a3bd9042e59949bb24bad5f

Download Submit
C:\Windows\SysWOW64\Bkglameg.exe

Filesize
163KB

MD5
eecbb51e23a0c5099e0b167a342b4179

SHA1
7f523c3ed700f2ec6e355ba209a66b9846b560ab

SHA256
d0035f1c4996024eb620e1b60d58be13a28575904d7a4ba96c68bf8f4534aecc

SHA512
a2797897dbb5c2a316317cee1c18a4a2292a971e77138aa7b0081ab003a0e0b4f1498f2e00bd77002861f242241f38eb1530c35170d40b91152ade5b25ef1346

Download Submit
C:\Windows\SysWOW64\Bnielm32.exe

Filesize
163KB

MD5
c916afcc22b7f8e3ec4a4bb52e8a05b8

SHA1
f9297734a51279fa4c8dae38e36332006120b159

SHA256
c7234f52131cd1b35536e32654df2eae77805109ffad3f91905467bc17cb6998

SHA512
6a0924889281903623b2d7df728dcae65aac52b7f9f9e6b74f3914d452573b16a6dc0ffabf8155b117bd6098a368c2bf6a2339d505e68785f25704125edcf92b

Download Submit
C:\Windows\SysWOW64\Bnkbam32.exe

Filesize
163KB

MD5
c2741f31b8e5606b6a749987f1560a81

SHA1
e7598afb6d45a9151dae19f26457aeaf8499b201

SHA256
68aab7e02ae51b84101c1735898498ff333170f3a346bfc4534a99b7da12a95f

SHA512
4cec1e9a3b1cdbcc03dc69298e7b94d89545d2f84fac148e946e174922a5d9a420717a06cea007a35d06dd8bdbcbc9e458ab1a92ada788a74834e1c52d547ecb

Download Submit
C:\Windows\SysWOW64\Bonoflae.exe

Filesize
163KB

MD5
ae794067a1d5cf9cae09578dbbc325ff

SHA1
74e5ab375408c094a1bffd91a3355a822f2067c9

SHA256
e7745720e7ebb3a882e62d13d324bbfba6c5e6b2a1387945b9e2400f7301d307

SHA512
cd1cf373a3060f3d92624caa65a1dc6e373c029f72c8fd6b053ae55f3a9753070f326a46c2538755323513fa015c3bd38e4c8a34788f1460daaab8166127b232

Download Submit
C:\Windows\SysWOW64\Boplllob.exe

Filesize
163KB

MD5
b63150382aa79acc5719e484ee8aa0be

SHA1
24b59af7e47efe9477964c25a8f705bdfc9500f9

SHA256
5136fdc60dbd0bfa4cbbebdf8a554cc08c98b0552b3ce4ce3465f0818b12e28e

SHA512
f2e4e1a47a9ed6397883d1880614a7f36833ad18a7fe5ad249ec8779b989626c1889057f34797526723f059ef0906ceacaf2f96642a543499f475dfe5e1b0b66

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
163KB

MD5
07f31bd55c92bc492747c27f8dffa108

SHA1
79eb651b73c608aa62453a97521e3d2d83ef43a9

SHA256
ada476bbbb0cab66a0912bca7967a414cb587d86e3c6b99e2cf77aa461dc84fe

SHA512
efec4df909f75dde50f58d17b6defc435e4bd2da59b1b90ed77a3cee1f04fc335da22f04742647f3cf2233daf46fbb1c1d2cfb04c51831fd0ca5592722c6cbc7

Download Submit
C:\Windows\SysWOW64\Chkmkacq.exe

Filesize
163KB

MD5
331c233ec5b04a7aa587dcf8f65bdaa4

SHA1
15e6fc7519c87b7c8bbe1050eb095596c48a8ab0

SHA256
c8b93b3219d9539463be66d218ce9701345d54568bc68698d5190f788c9b631a

SHA512
420b382afbde93a39c2a945ceb171a87046c4c6b643c268882ad444c00a42943fc4296955989179aec8f140d2a9bab1e54ac2ec5a2ebbd6ac83f11b508e40acf

Download Submit
C:\Windows\SysWOW64\Ckiigmcd.exe

Filesize
163KB

MD5
b781fa48ef0a70c6f9149b7ff2b877ce

SHA1
02aa97fa7f1af7573d7dbe0c24d48b6c0271e7c0

SHA256
5e3992910c16ba26825694251cdb635ee69d45bc2c44863180e367088d00dd52

SHA512
fc993e6197fbabadc6aa5c65bd93bdd0f4a56771cea2a0543e3564c5e7e448531d66ce46a60db06eefe60b23c8cc191cab19e591e03f4540f6bde4571d6793e4

Download Submit
C:\Windows\SysWOW64\Cpceidcn.exe

Filesize
163KB

MD5
ec3f9072dc99afcb8802159ab8a37bc6

SHA1
af6b203ab88eec179864a649272c403985fe471a

SHA256
4a05601b49829e91ea1dd84f9c42b48e8e53b75eb85633177c5679c6c817033e

SHA512
09f0a08fdb1fa225b6e2068026580c25154cdc1640b12aebc320d586b8772c88bea87e984b7aa2e420ebb192229f7c3ba04318bad96f4b1e9497527757cc5a9c

Download Submit
C:\Windows\SysWOW64\Odjbdb32.exe

Filesize
163KB

MD5
971f2ae86e294aa9ce5f660e1f3bf00c

SHA1
a2d1240f9edcf98da40a7e4e23def04d44dec0d6

SHA256
e8322a188943a394b02f2d86cedfee354f16f015c3a70efe11d66fe577f9c0a8

SHA512
58ac494bcd2e11206a583c68bbfd45302f508329f510b21d4ef4632a663c65765ebd224706c58951b62b48183b6b292c549b401059ec5dcbc95a97fe58b840cb

Download Submit
C:\Windows\SysWOW64\Oghopm32.exe

Filesize
163KB

MD5
ea6c245337b52b551da23c42c0c83599

SHA1
938e039b269e458e873bf5dab9228ee768e7f0df

SHA256
9be6082b2e2c8973261c67ea05e67f220e853bb127d859e0dbcc4af0544ac105

SHA512
3654a96238fdc92b92a371b44208fa6faa3dc8e8008829b850523d0e81ae76f31adbecdf26739b37b112d520563ca1df484c979258c559388d865bbc9698f71b

Download Submit
C:\Windows\SysWOW64\Ojigbhlp.exe

Filesize
163KB

MD5
b9a75cef2b35fd0d4d32a44ed5ab82f5

SHA1
10619a9df1cae65a8a161204114398b560d36eea

SHA256
ca843fa6473ef537db0820ea654718111b802dcfb80c22329510673be2a7307c

SHA512
f1a98f727a1004b6ec1e9117cdbb47303c0054a21c6e8a064b4e7a1e845827f27967279fc617b80bceb9e14a5131fa1576fc588a95b834007b282094bc3ad9ec

Download Submit
C:\Windows\SysWOW64\Pfikmh32.exe

Filesize
163KB

MD5
38a267c8a271b3b3ecf750287c6d4076

SHA1
acfc86864e42b96332a1b77251001326c11d1a72

SHA256
9a4a481b38c76c83f7854abfd6db8499be8bd2bbef671df5be4c2c6b8c2b9472

SHA512
a76deba16fe72dfc32cb2fa4dc89e602551a19a35590c3e73f0b41c5b547693d27ea0a6bc7deafabe3711e5ede730d0e113137943d703007bce5eb0c283f9deb

Download Submit
C:\Windows\SysWOW64\Pihgic32.exe

Filesize
163KB

MD5
c696d8c5cf3b2130cc139ba6763d7ba6

SHA1
af5df0f3306675130151b24fcee5384b76c6a71d

SHA256
6d79d2b760140f3cb5b363004a31c0e4786813a9591b5f6a2a46154163c03a70

SHA512
a86cfe1673af69fb4229a1ad6c74f376e8d76bcc58ec2d02c8e471046e287efefd768e4a5e9f77475d366473897db59ea5e64223a7b07879d1e92770027c86d5

Download Submit
C:\Windows\SysWOW64\Pngphgbf.exe

Filesize
163KB

MD5
816af67ca717c2a943201848ad11c218

SHA1
1d2efb982ca0627b87b8b6efaf68a1b008109819

SHA256
68f49e75f487084b9c454878f96034c93852b1381359e222d02fae424fa4e71e

SHA512
f76541e60c7a2941b48885fc599dcd40f255bdbd99465409bf005829c8cefc7c2868ecbcc4be9007797016c11d1a4602f96514813ef3ed84e16337daabd52da7

Download Submit
C:\Windows\SysWOW64\Qeohnd32.exe

Filesize
163KB

MD5
12f8c3907e789b6c91d505fc3fd57f9a

SHA1
41cb1d08bc05c2e9232221231eb5a3d1e6efe55f

SHA256
d2a239e921d5520163f66f6eeed502066db324fd01c62ac8bb091330191a2408

SHA512
5fc59807788a9c7be7fc4acfbf6f08bdc01b034181a7b863822e2eae7a25e3384e140d5c2ea59553740495208116ab98306f6005f6f966e5c87e4cb6a89b064e

Download Submit
C:\Windows\SysWOW64\Qiladcdh.exe

Filesize
163KB

MD5
96deeeaf214c59b37554052f27602634

SHA1
bc6c731e789a457d24bb1e5b16c13b4c642771a2

SHA256
5a3752a816545121474cf990e1a1d820a163b60d76f0863be32ddc9914216dad

SHA512
c184a557d371e9f5a261fca8f14229a4352e9ea9ab781e27b4a55c44e155a0090ba086c4b16d5196542248b78ce961aec0edbc4579952ebe6b3378777f93cfcb

Download Submit
C:\Windows\SysWOW64\Qkhpkoen.exe

Filesize
163KB

MD5
2286ed4304a1bf9ce63287c5264ccbf9

SHA1
f4c0d9e7cbcb3c0afee23ee785b722ba77970486

SHA256
863e545c5aad8b9482482666ef7308ae29749fc3ce92fd7423fa543721e068df

SHA512
365def76b9378215a2240cf7f804b37eb93a2905fda03fcd9754afc53d9c3ebb87267ae219e3319fa68cdecdc1f7b1e6aa89f9415fba3e3fd19249e0b43b76a2

Download Submit
C:\Windows\SysWOW64\Qkkmqnck.exe

Filesize
163KB

MD5
2ff12e7f5bffe698db33b50a4f7efdb6

SHA1
37e4bbcb9444930c23fc883d951f2dd4332c8c9e

SHA256
dddec1b4ecdde1f8f7a323ab9f6dc73fd266c291f3fb6c4ca64971e2ee0f1d1a

SHA512
a07a0e84e5aa248fd2ad6ba959e1ee35fbcc7f5ca227e892513715ab94c60fe022c153693194c1c0c18fb205589cede0fb02fb831b0b464c6dd947114b9675d0

Download Submit
C:\Windows\SysWOW64\Qqeicede.exe

Filesize
163KB

MD5
46bc5e1ff74ec88fa057483a56e2fa42

SHA1
31e69209e901dc8eaa75d25cffb2582aed19d3b9

SHA256
63c8e857e3656c1a8fe8e3c440961693fc60622efa6f65484d8df79689689f66

SHA512
7b32babc0c1364c77ff7972196382d28c6c93cb43ee21fe9ec3dbaf347fbd1f34832e28c5dbe5ae822fc67f2d931e01a454c8c68d9eb7c4009e6b2369c99b8e5

Download Submit
\Windows\SysWOW64\Okdkal32.exe

Filesize
163KB

MD5
9a18943440defaedc9da5523b7800fbd

SHA1
fff1cf76ca322ac2bdd444d0b8f54fde2f59ce1f

SHA256
623fee2d2fb7f5bf4e554bcfb0ebd2edd613106b0843e5376e1bc5c9680125c2

SHA512
47a4fa2f058161cb6467a6ef98fae3d8757fe9208939db3d293548518460e97c1890dc8453dceacbe965bbbbea705185bb437938b2fafa3c43e9e5f9bbfb08d3

Download Submit
\Windows\SysWOW64\Pcibkm32.exe

Filesize
163KB

MD5
50b1f9d13f016507617cc325f88a6b9f

SHA1
c7bdb6e9f766ddf638d44cb4e55c52214ca8c808

SHA256
657036ecc1316398ee214634b2da6ba3ad44c12c68608a3cc255082b97161450

SHA512
a2a03fa4632185c9c0013a93edb5527a4c61c4ed3b4fb4282d3c5db506130ffe71bee9f82afdc473d54b5e7c531190a848db9d5eea0e3cdf78734825e97a659c

Download Submit
\Windows\SysWOW64\Pdaheq32.exe

Filesize
163KB

MD5
7f9b18cc2f88ea716933c37f5bfdd28e

SHA1
bc0168e6c5769ae31d22a15a5d72709ce8b734c5

SHA256
c56c0f761dd367a9c8884af1cc3875eb45ed8a2799ea68d2ab4c76654fbfe1b7

SHA512
1146852a0eddee6afca2c695f2cc32aadbadc6986e1a7daa51d607eee2be99b7839b04c05901b1a16ef551711a5f5db0ba92f263ff2027c75237fa17afc5bd5f

Download Submit
\Windows\SysWOW64\Pfdabino.exe

Filesize
163KB

MD5
312ee5d25eae0cdf03be10619b3adbe0

SHA1
56b78b11158619f91de0e7daf7309a9e896bb867

SHA256
2d4a67688c9891fbcb9c797fa444a0764869b342ba50d9c16fd0f6af13cc4de0

SHA512
14e633fcaee9c6c5a67cd3da41637a9ddb67bc5d441ff047a6d87348cc51c66e19ec95225a2061dbdfa4004013236c8495f2bc68cc9e68a7baf9c3bc9a7a2783

Download Submit
\Windows\SysWOW64\Pfgngh32.exe

Filesize
163KB

MD5
5ce0f146b81eccf84871e71a71f30171

SHA1
1cde68dce75a42e6d448c680f67f88993dc4dc01

SHA256
c4b946f3f995af32a4b8e4869b0269ff01043b2db2072a2f6eaa12ab472bd29d

SHA512
7d5ba804737653ec16e8460547e5b8c06ab126568d9aaaa1d7eeeb17e8e357cb1f8aced5dd6d23482cfc46ec7ba7117816d5413bdea3ea75974d84b41b314d62

Download Submit
\Windows\SysWOW64\Pjnamh32.exe

Filesize
163KB

MD5
86d2ba1ae7e1fa67ae69daed1480e62d

SHA1
512efbc4e222d47c93025eb55752b28fdc245d3d

SHA256
8d7a0eb931f9a4d0f7b029d352c5a5e6372972fb88c7f6be85509eb89129d055

SHA512
ca868000af007bea3c17245f691cd8af7902622d32132c859881ddb1cfbe639d4a21988d60781cf83c1974ea7110e2c4c1cd5de80ad2dda179607bb84cab126e

Download Submit
\Windows\SysWOW64\Pkidlk32.exe

Filesize
163KB

MD5
9c6704475246c548ed87058a4652d915

SHA1
156a98d8f4e0b51ea3002a3c304143171b91f06c

SHA256
bff741c5c7356841eca58fda91cc7a594808046c7428cfd112aa4ed1eb65e4d7

SHA512
cd31d1e0454adc0adeaf381404f60637755ba0b866e5991d2754bf47b7637a255ae5b86ba251bbebb5f1663398b42f9321652eb6a919e66f1e31da55704f49fb

Download Submit
\Windows\SysWOW64\Pokieo32.exe

Filesize
163KB

MD5
a91893a40dad38e338d47114f16f138f

SHA1
6d448d3897b3899659cebb3981f7b7a5a9aee489

SHA256
5875976a6ef22a4ad162b04e99cd3f39930f68c296497e77f932ec2c045c8764

SHA512
95e52e5d64d52305cda35d1e2289d495a5e61178b11a6ccdab1f4d70689f21e2029b6333826d8d098dc0944543865fce26aae904a93435aed0f98190c1c53d80

Download Submit
\Windows\SysWOW64\Poocpnbm.exe

Filesize
163KB

MD5
b4ae90eebf4e0e6164bb35e53844a6ce

SHA1
8f54f4efed75a9d0fff56ec989e4f2832e340e1a

SHA256
b275eeadd29ab061a2b5383a0defd70be1d5149806ee5719bbf44ead448e9862

SHA512
7e80710f245f1204944e65b3b4215af4a42c3a71ca73ce9d10be35ebb6cd3f26186225a7a223a0af1c6291b3d2abfb4339f6ba36955108fc758d4e5920697d94

Download Submit
\Windows\SysWOW64\Pqjfoa32.exe

Filesize
163KB

MD5
52b29ed1b1aca7d335df3fedaafc57ed

SHA1
0954b269c9d4f8ad8aa5ba924d326b05c612d50f

SHA256
f7c72795a9f53a792d3da0372e70590edfb172d9fb03f897622e3d1c8f197058

SHA512
417fb1fb2e9aec49029ab4bbafaba23844ad943c68b0651cdc9da2271e5a3c2a8cfe5bc905c75c41cb5b35316aa3794f013d3643ff88fae0204987bc11673df9

Download Submit
memory/380-650-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/468-134-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/468-142-0x0000000001F80000-0x0000000001FD3000-memory.dmp

Filesize
332KB

Download
memory/592-76-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/696-371-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/696-376-0x00000000005F0000-0x0000000000643000-memory.dmp

Filesize
332KB

Download
memory/704-250-0x00000000002E0000-0x0000000000333000-memory.dmp

Filesize
332KB

Download
memory/704-246-0x00000000002E0000-0x0000000000333000-memory.dmp

Filesize
332KB

Download
memory/704-240-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/832-490-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/868-260-0x0000000000260000-0x00000000002B3000-memory.dmp

Filesize
332KB

Download
memory/868-261-0x0000000000260000-0x00000000002B3000-memory.dmp

Filesize
332KB

Download
memory/868-255-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1064-185-0x0000000000460000-0x00000000004B3000-memory.dmp

Filesize
332KB

Download
memory/1228-108-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1228-116-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/1284-511-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1480-82-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1480-90-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/1508-474-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1732-281-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/1732-272-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1732-282-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/1804-262-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1804-268-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/1980-463-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1992-283-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1992-313-0x0000000001FD0000-0x0000000002023000-memory.dmp

Filesize
332KB

Download
memory/1992-289-0x0000000001FD0000-0x0000000002023000-memory.dmp

Filesize
332KB

Download
memory/2000-318-0x0000000000330000-0x0000000000383000-memory.dmp

Filesize
332KB

Download
memory/2000-323-0x0000000000330000-0x0000000000383000-memory.dmp

Filesize
332KB

Download
memory/2008-518-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2008-200-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2008-187-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2008-199-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2008-514-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2232-481-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2236-34-0x0000000001F50000-0x0000000001FA3000-memory.dmp

Filesize
332KB

Download
memory/2236-397-0x0000000001F50000-0x0000000001FA3000-memory.dmp

Filesize
332KB

Download
memory/2236-403-0x0000000001F50000-0x0000000001FA3000-memory.dmp

Filesize
332KB

Download
memory/2236-40-0x0000000001F50000-0x0000000001FA3000-memory.dmp

Filesize
332KB

Download
memory/2236-27-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2260-448-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2280-444-0x0000000000280000-0x00000000002D3000-memory.dmp

Filesize
332KB

Download
memory/2280-434-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2280-443-0x0000000000280000-0x00000000002D3000-memory.dmp

Filesize
332KB

Download
memory/2304-524-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2320-646-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2324-217-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2324-227-0x0000000000320000-0x0000000000373000-memory.dmp

Filesize
332KB

Download
memory/2324-228-0x0000000000320000-0x0000000000373000-memory.dmp

Filesize
332KB

Download
memory/2332-316-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2332-315-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2344-238-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2344-239-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2344-229-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2360-409-0x00000000002F0000-0x0000000000343000-memory.dmp

Filesize
332KB

Download
memory/2360-404-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2488-335-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2488-344-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2504-383-0x0000000000320000-0x0000000000373000-memory.dmp

Filesize
332KB

Download
memory/2504-387-0x0000000000320000-0x0000000000373000-memory.dmp

Filesize
332KB

Download
memory/2508-391-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2508-398-0x00000000002A0000-0x00000000002F3000-memory.dmp

Filesize
332KB

Download
memory/2536-653-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2612-334-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2612-324-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2612-330-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2624-649-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2652-355-0x0000000000460000-0x00000000004B3000-memory.dmp

Filesize
332KB

Download
memory/2652-345-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2652-354-0x0000000000460000-0x00000000004B3000-memory.dmp

Filesize
332KB

Download
memory/2672-317-0x0000000000260000-0x00000000002B3000-memory.dmp

Filesize
332KB

Download
memory/2672-314-0x0000000000260000-0x00000000002B3000-memory.dmp

Filesize
332KB

Download
memory/2676-433-0x0000000000260000-0x00000000002B3000-memory.dmp

Filesize
332KB

Download
memory/2676-432-0x0000000000260000-0x00000000002B3000-memory.dmp

Filesize
332KB

Download
memory/2676-427-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2700-47-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2708-62-0x00000000002D0000-0x0000000000323000-memory.dmp

Filesize
332KB

Download
memory/2708-55-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2708-426-0x00000000002D0000-0x0000000000323000-memory.dmp

Filesize
332KB

Download
memory/2708-420-0x00000000002D0000-0x0000000000323000-memory.dmp

Filesize
332KB

Download
memory/2720-21-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2768-491-0x0000000000310000-0x0000000000363000-memory.dmp

Filesize
332KB

Download
memory/2768-161-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2768-172-0x0000000000310000-0x0000000000363000-memory.dmp

Filesize
332KB

Download
memory/2792-454-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2884-18-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2884-17-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2884-377-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2884-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2892-366-0x0000000000460000-0x00000000004B3000-memory.dmp

Filesize
332KB

Download
memory/2892-365-0x0000000000460000-0x00000000004B3000-memory.dmp

Filesize
332KB

Download
memory/2892-356-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2976-421-0x0000000000320000-0x0000000000373000-memory.dmp

Filesize
332KB

Download
memory/2976-410-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2976-419-0x0000000000320000-0x0000000000373000-memory.dmp

Filesize
332KB

Download
memory/3060-202-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3060-216-0x00000000004D0000-0x0000000000523000-memory.dmp

Filesize
332KB

Download
memory/3060-215-0x00000000004D0000-0x0000000000523000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads