0b4c2feb84223b4e12f31d52a7fe060027ee76b896c203dfd67a0da087bdc813

Analysis

max time kernel
31s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
28/08/2024, 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b4c2feb84223b4e12f31d52a7fe060027ee76b896c203dfd67a0da087bdc813.exe
Size

93KB
MD5

01909f2ad44deffc04270df4bab691df
SHA1

773f102404aac8fb5f0f1e4c90b1429e7c246cb6
SHA256

0b4c2feb84223b4e12f31d52a7fe060027ee76b896c203dfd67a0da087bdc813
SHA512

41ce61e9205ea68513fef3b370619eaf4eae400e961a09c529a89c3bde96922e0e5f25e9be428a93671d8e3b9544eb457b46e20fcf391ec2a4d47e21e101218f
SSDEEP

1536:wOxQ/7EpzcaPaTmx5ma9qevfsRQRRkRLJzeLD9N0iQGRNQR8RyV+32rR:wOxYecZmxH9geRSJdEN0s4WE+3K

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Akmlacdn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaondi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	0b4c2feb84223b4e12f31d52a7fe060027ee76b896c203dfd67a0da087bdc813.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qfljmmjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aodnfbpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aofklbnj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akmlacdn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoihaa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aokdga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aokdga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aaondi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amebjgai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amebjgai.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aodnfbpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aofklbnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aoihaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajdego32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0b4c2feb84223b4e12f31d52a7fe060027ee76b896c203dfd67a0da087bdc813.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfljmmjl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abeghmmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Abeghmmn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajdego32.exe

Executes dropped EXE 11 IoCs

pid	Process
2372	Qfljmmjl.exe
3032	Amebjgai.exe
2888	Aodnfbpm.exe
2712	Aofklbnj.exe
2448	Abeghmmn.exe
2812	Akmlacdn.exe
2828	Aoihaa32.exe
1324	Aokdga32.exe
2240	Ajdego32.exe
2540	Aaondi32.exe
2952	Bmenijcd.exe

Loads dropped DLL 26 IoCs

pid	Process
3068	0b4c2feb84223b4e12f31d52a7fe060027ee76b896c203dfd67a0da087bdc813.exe
3068	0b4c2feb84223b4e12f31d52a7fe060027ee76b896c203dfd67a0da087bdc813.exe
2372	Qfljmmjl.exe
2372	Qfljmmjl.exe
3032	Amebjgai.exe
3032	Amebjgai.exe
2888	Aodnfbpm.exe
2888	Aodnfbpm.exe
2712	Aofklbnj.exe
2712	Aofklbnj.exe
2448	Abeghmmn.exe
2448	Abeghmmn.exe
2812	Akmlacdn.exe
2812	Akmlacdn.exe
2828	Aoihaa32.exe
2828	Aoihaa32.exe
1324	Aokdga32.exe
1324	Aokdga32.exe
2240	Ajdego32.exe
2240	Ajdego32.exe
2540	Aaondi32.exe
2540	Aaondi32.exe
1696	WerFault.exe
1696	WerFault.exe
1696	WerFault.exe
1696	WerFault.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Qfljmmjl.exe	0b4c2feb84223b4e12f31d52a7fe060027ee76b896c203dfd67a0da087bdc813.exe
File created	C:\Windows\SysWOW64\Kcjklqhh.dll	0b4c2feb84223b4e12f31d52a7fe060027ee76b896c203dfd67a0da087bdc813.exe
File opened for modification	C:\Windows\SysWOW64\Ajdego32.exe	Aokdga32.exe
File created	C:\Windows\SysWOW64\Diflambo.dll	Aaondi32.exe
File created	C:\Windows\SysWOW64\Pgmobakj.dll	Aokdga32.exe
File created	C:\Windows\SysWOW64\Aaondi32.exe	Ajdego32.exe
File created	C:\Windows\SysWOW64\Glkimi32.dll	Aoihaa32.exe
File created	C:\Windows\SysWOW64\Jpobja32.dll	Qfljmmjl.exe
File created	C:\Windows\SysWOW64\Aodnfbpm.exe	Amebjgai.exe
File created	C:\Windows\SysWOW64\Mlfibh32.dll	Amebjgai.exe
File created	C:\Windows\SysWOW64\Akmlacdn.exe	Abeghmmn.exe
File created	C:\Windows\SysWOW64\Fcdcfmgg.dll	Abeghmmn.exe
File created	C:\Windows\SysWOW64\Aoihaa32.exe	Akmlacdn.exe
File opened for modification	C:\Windows\SysWOW64\Aoihaa32.exe	Akmlacdn.exe
File opened for modification	C:\Windows\SysWOW64\Bmenijcd.exe	Aaondi32.exe
File opened for modification	C:\Windows\SysWOW64\Qfljmmjl.exe	0b4c2feb84223b4e12f31d52a7fe060027ee76b896c203dfd67a0da087bdc813.exe
File opened for modification	C:\Windows\SysWOW64\Aodnfbpm.exe	Amebjgai.exe
File opened for modification	C:\Windows\SysWOW64\Aokdga32.exe	Aoihaa32.exe
File created	C:\Windows\SysWOW64\Ajdego32.exe	Aokdga32.exe
File created	C:\Windows\SysWOW64\Jahonm32.dll	Aodnfbpm.exe
File created	C:\Windows\SysWOW64\Bmenijcd.exe	Aaondi32.exe
File created	C:\Windows\SysWOW64\Aofklbnj.exe	Aodnfbpm.exe
File created	C:\Windows\SysWOW64\Abeghmmn.exe	Aofklbnj.exe
File opened for modification	C:\Windows\SysWOW64\Abeghmmn.exe	Aofklbnj.exe
File opened for modification	C:\Windows\SysWOW64\Akmlacdn.exe	Abeghmmn.exe
File created	C:\Windows\SysWOW64\Aokdga32.exe	Aoihaa32.exe
File created	C:\Windows\SysWOW64\Oedqakci.dll	Ajdego32.exe
File created	C:\Windows\SysWOW64\Ejbmjalg.dll	Akmlacdn.exe
File opened for modification	C:\Windows\SysWOW64\Aaondi32.exe	Ajdego32.exe
File created	C:\Windows\SysWOW64\Amebjgai.exe	Qfljmmjl.exe
File opened for modification	C:\Windows\SysWOW64\Amebjgai.exe	Qfljmmjl.exe
File opened for modification	C:\Windows\SysWOW64\Aofklbnj.exe	Aodnfbpm.exe
File created	C:\Windows\SysWOW64\Bdinjj32.dll	Aofklbnj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1696	2952	WerFault.exe	40

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aodnfbpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abeghmmn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoihaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaondi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmenijcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfljmmjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amebjgai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aofklbnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akmlacdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aokdga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajdego32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b4c2feb84223b4e12f31d52a7fe060027ee76b896c203dfd67a0da087bdc813.exe

Modifies registry class 36 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glkimi32.dll"	Aoihaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qfljmmjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejbmjalg.dll"	Akmlacdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aofklbnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgmobakj.dll"	Aokdga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcjklqhh.dll"	0b4c2feb84223b4e12f31d52a7fe060027ee76b896c203dfd67a0da087bdc813.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jahonm32.dll"	Aodnfbpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aodnfbpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Akmlacdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aokdga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aaondi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	0b4c2feb84223b4e12f31d52a7fe060027ee76b896c203dfd67a0da087bdc813.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Amebjgai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aoihaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedqakci.dll"	Ajdego32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	0b4c2feb84223b4e12f31d52a7fe060027ee76b896c203dfd67a0da087bdc813.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aodnfbpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diflambo.dll"	Aaondi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aaondi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdinjj32.dll"	Aofklbnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aokdga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdcfmgg.dll"	Abeghmmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Abeghmmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Akmlacdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpobja32.dll"	Qfljmmjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlfibh32.dll"	Amebjgai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	0b4c2feb84223b4e12f31d52a7fe060027ee76b896c203dfd67a0da087bdc813.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qfljmmjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aoihaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ajdego32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	0b4c2feb84223b4e12f31d52a7fe060027ee76b896c203dfd67a0da087bdc813.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	0b4c2feb84223b4e12f31d52a7fe060027ee76b896c203dfd67a0da087bdc813.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Abeghmmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ajdego32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Amebjgai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aofklbnj.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2372	3068	0b4c2feb84223b4e12f31d52a7fe060027ee76b896c203dfd67a0da087bdc813.exe	30
PID 3068 wrote to memory of 2372	3068	0b4c2feb84223b4e12f31d52a7fe060027ee76b896c203dfd67a0da087bdc813.exe	30
PID 3068 wrote to memory of 2372	3068	0b4c2feb84223b4e12f31d52a7fe060027ee76b896c203dfd67a0da087bdc813.exe	30
PID 3068 wrote to memory of 2372	3068	0b4c2feb84223b4e12f31d52a7fe060027ee76b896c203dfd67a0da087bdc813.exe	30
PID 2372 wrote to memory of 3032	2372	Qfljmmjl.exe	31
PID 2372 wrote to memory of 3032	2372	Qfljmmjl.exe	31
PID 2372 wrote to memory of 3032	2372	Qfljmmjl.exe	31
PID 2372 wrote to memory of 3032	2372	Qfljmmjl.exe	31
PID 3032 wrote to memory of 2888	3032	Amebjgai.exe	32
PID 3032 wrote to memory of 2888	3032	Amebjgai.exe	32
PID 3032 wrote to memory of 2888	3032	Amebjgai.exe	32
PID 3032 wrote to memory of 2888	3032	Amebjgai.exe	32
PID 2888 wrote to memory of 2712	2888	Aodnfbpm.exe	33
PID 2888 wrote to memory of 2712	2888	Aodnfbpm.exe	33
PID 2888 wrote to memory of 2712	2888	Aodnfbpm.exe	33
PID 2888 wrote to memory of 2712	2888	Aodnfbpm.exe	33
PID 2712 wrote to memory of 2448	2712	Aofklbnj.exe	34
PID 2712 wrote to memory of 2448	2712	Aofklbnj.exe	34
PID 2712 wrote to memory of 2448	2712	Aofklbnj.exe	34
PID 2712 wrote to memory of 2448	2712	Aofklbnj.exe	34
PID 2448 wrote to memory of 2812	2448	Abeghmmn.exe	35
PID 2448 wrote to memory of 2812	2448	Abeghmmn.exe	35
PID 2448 wrote to memory of 2812	2448	Abeghmmn.exe	35
PID 2448 wrote to memory of 2812	2448	Abeghmmn.exe	35
PID 2812 wrote to memory of 2828	2812	Akmlacdn.exe	36
PID 2812 wrote to memory of 2828	2812	Akmlacdn.exe	36
PID 2812 wrote to memory of 2828	2812	Akmlacdn.exe	36
PID 2812 wrote to memory of 2828	2812	Akmlacdn.exe	36
PID 2828 wrote to memory of 1324	2828	Aoihaa32.exe	37
PID 2828 wrote to memory of 1324	2828	Aoihaa32.exe	37
PID 2828 wrote to memory of 1324	2828	Aoihaa32.exe	37
PID 2828 wrote to memory of 1324	2828	Aoihaa32.exe	37
PID 1324 wrote to memory of 2240	1324	Aokdga32.exe	38
PID 1324 wrote to memory of 2240	1324	Aokdga32.exe	38
PID 1324 wrote to memory of 2240	1324	Aokdga32.exe	38
PID 1324 wrote to memory of 2240	1324	Aokdga32.exe	38
PID 2240 wrote to memory of 2540	2240	Ajdego32.exe	39
PID 2240 wrote to memory of 2540	2240	Ajdego32.exe	39
PID 2240 wrote to memory of 2540	2240	Ajdego32.exe	39
PID 2240 wrote to memory of 2540	2240	Ajdego32.exe	39
PID 2540 wrote to memory of 2952	2540	Aaondi32.exe	40
PID 2540 wrote to memory of 2952	2540	Aaondi32.exe	40
PID 2540 wrote to memory of 2952	2540	Aaondi32.exe	40
PID 2540 wrote to memory of 2952	2540	Aaondi32.exe	40
PID 2952 wrote to memory of 1696	2952	Bmenijcd.exe	41
PID 2952 wrote to memory of 1696	2952	Bmenijcd.exe	41
PID 2952 wrote to memory of 1696	2952	Bmenijcd.exe	41
PID 2952 wrote to memory of 1696	2952	Bmenijcd.exe	41

C:\Users\Admin\AppData\Local\Temp\0b4c2feb84223b4e12f31d52a7fe060027ee76b896c203dfd67a0da087bdc813.exe
"C:\Users\Admin\AppData\Local\Temp\0b4c2feb84223b4e12f31d52a7fe060027ee76b896c203dfd67a0da087bdc813.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\SysWOW64\Qfljmmjl.exe
  C:\Windows\system32\Qfljmmjl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\SysWOW64\Amebjgai.exe
    C:\Windows\system32\Amebjgai.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3032
  - - C:\Windows\SysWOW64\Aodnfbpm.exe
      C:\Windows\system32\Aodnfbpm.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2888
    - - C:\Windows\SysWOW64\Aofklbnj.exe
        
        C:\Windows\system32\Aofklbnj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2712
      - C:\Windows\SysWOW64\Abeghmmn.exe
        
        C:\Windows\system32\Abeghmmn.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\SysWOW64\Akmlacdn.exe
        
        C:\Windows\system32\Akmlacdn.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\SysWOW64\Aoihaa32.exe
        
        C:\Windows\system32\Aoihaa32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\SysWOW64\Aokdga32.exe
        
        C:\Windows\system32\Aokdga32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\SysWOW64\Ajdego32.exe
        
        C:\Windows\system32\Ajdego32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\SysWOW64\Aaondi32.exe
        
        C:\Windows\system32\Aaondi32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\Bmenijcd.exe
        
        C:\Windows\system32\Bmenijcd.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 140
        13⤵
        Loads dropped DLL
        Program crash
        
        PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaondi32.exe

Filesize
93KB

MD5
631b4df169664d7e28b351dadd77525e

SHA1
9a085771b54c2787e181a1ea0e934482ad8fdd86

SHA256
c9b0d6319dfecc6374558484f03627074585741e959764b1b9bd1aac6ad8b118

SHA512
4aec0e34af8f155ce64010ecd831828a9180dd7a5b51e2991de506b99b6b0b97b6839631c482d3acbad7de3fa1ce28020a9c2b8816d53da6f0ff7b88eb73b674

Download Submit
C:\Windows\SysWOW64\Abeghmmn.exe

Filesize
93KB

MD5
45cc5ef970a0325093273d4d95758966

SHA1
cb055301a3942356125a16eadf3cc3b8a9fcb2d2

SHA256
c2b820d05c03823577dd2444bd99417a94f9690cf649f35727b0fb20f69b0988

SHA512
d03df2cb6052d677620ff4125f19b4e9de55091e00ad8610cdc3067bbcb6b5ce28c41fef9e51d56ba65d417165a60cd86c02bf0feffb741c35b3f262b43948c7

Download Submit
C:\Windows\SysWOW64\Aokdga32.exe

Filesize
93KB

MD5
fec5cfc02f3c95e0bdce6446e67430d3

SHA1
8f24e93127aa095c6a2a593050c59c8807e7124c

SHA256
baa322d786cc58948934df9bb971ba437e43f56aad6a9116ec98e17ff65f9657

SHA512
2f8c14a90a02cc7d7576e1964a796477a0e2ab2dd0895b497319f41439d45d096aad62a8fbbf9483c661fb3c5fb8d6ed6390ae8ceabb25d8eaf342b786ecdb8f

Download Submit
C:\Windows\SysWOW64\Bdinjj32.dll

Filesize
7KB

MD5
7ef30b7320ef21debacabc731ede6c66

SHA1
89585d7f602ed4ad2a8a28260202fd9d7a8d55ca

SHA256
e4e69e9baeecc104dbc474b94bf9a7cc03515df17bd580ed2d6c6d8a8ca211e4

SHA512
b38b7f0a09cbfca89c3d1672a3c6bb53ee1b8798e5b49ab76e95dd86b2e8d3a131879f7d92ac2a7bc1e4f350e4d0bb4fddf28e0a28303e99054808425bee7f8d

Download Submit
C:\Windows\SysWOW64\Qfljmmjl.exe

Filesize
93KB

MD5
f51323813a43e07c6c58da1a745e8f68

SHA1
ab0d9e2c4e02517e75f5528609b58948cf13d4e3

SHA256
feb22129255f95917b8f5f728ce2f98f269b2e38aa5cb40d67c16443ba033d81

SHA512
54ec5ca65ee857b3efac6b39faf9d4ec6b9b8bda2a748944b1d317ea1f1ea675f8668432171b78e18c878a034e1389be9b428fde777928a527d072b137d7fb5f

Download Submit
\Windows\SysWOW64\Ajdego32.exe

Filesize
93KB

MD5
298f0567cdd531a907f6a21bfba33cdf

SHA1
746e3ded3f24731a8792e7c7ed4479470802b525

SHA256
6b5b8c27a3d349436fc7d7a8c1a7f1cd0a078e75129bdaf9c8344ddf30d27c14

SHA512
23fab69cbd56d09482b436555dcd9a5b154df6689a7f466ffef271cd0e5f67d6e4c5d0d1afcbe5b190be32b5f5ecbfa81307edcd890527d6c4d4eb675a9d902b

Download Submit
\Windows\SysWOW64\Akmlacdn.exe

Filesize
93KB

MD5
f831efd7bf6f4e375da6fadca6207191

SHA1
0e2cf4d97f0b00ba6e4339dc596a4f0513571df4

SHA256
4e77831b7c30698961943c5eb302e15be0a4106e6a035c213ab61ecbc3704857

SHA512
1987b080f1ffdb70f081b441fff42b43635e1b551ce9e303e24438f33c7408146f40ea83afa1c04c3d8094c983fb629f96505abdc92b8efd00370c8e34d2011d

Download Submit
\Windows\SysWOW64\Amebjgai.exe

Filesize
93KB

MD5
d347d8e30237120379a7bdaf3b2aab53

SHA1
33dfdfb2a43d9b2f80283dc1ac3c86ef16e874f2

SHA256
e04ce16d0ec35354590b80781b1021d766934f522cc2380b996ec435f80cb609

SHA512
ef8a080b6d0741628c8cacb3372c4ebe425bbfa6f4c342a77dd7386fd076742ae4d02f2799834f59369283454aae2e161ca480af9022d61f48deb4ca3ad34141

Download Submit
\Windows\SysWOW64\Aodnfbpm.exe

Filesize
93KB

MD5
f88113d3a1fc4351030fcaa2fb094f37

SHA1
1cba4428b4bbf6edc1ed3017eb6b525880fe7851

SHA256
d8c9b8c64e28a1e720a70a682b8fc5a85f62d08d20d9f28b9ecac994ae37f5a2

SHA512
e773f4420e46b1be579dd1eeaa3e18bb70d18cf3d5bf98edb9e984c44a51b136c6b007a54e0363aaa503b486db02bd65a9df2173a50a7840a44d9ca1722e689a

Download Submit
\Windows\SysWOW64\Aofklbnj.exe

Filesize
93KB

MD5
3a6314ad469a79b1b9b00bceef369121

SHA1
f66b0ef4739f1cb0f6bd65be81cc07ab07b542f6

SHA256
13c721e299b6dc3598ca2912f85641598b0674f6673d8a89aed62ddacf050bd6

SHA512
672023af8400a2ed432bb33ec6b24b651d2df3ecddaf7c08a3307b405a029f8e911a7c95d72ce8c6204193cbae874a5ec4c9c6f212c14c96a359c0ebfdeb1579

Download Submit
\Windows\SysWOW64\Aoihaa32.exe

Filesize
93KB

MD5
35405c99b2b8c49dbffe7703e5e1c572

SHA1
140e749a7e10f5cc3b8c8d76a76a84a710039c02

SHA256
7a621b80f39d57e5ecc7a46323e8a3b8357a54977c2a78cf004ed66cb4ae2f9b

SHA512
667fcc8c2d3eeec625e6281b0f26f080c978d230121302741059a9f5c9bb125615a7289cc7b4e0e1233645066682cfc2baec3f0347abc6d851a4a66a52c16287

Download Submit
\Windows\SysWOW64\Bmenijcd.exe

Filesize
93KB

MD5
25341066c1354b65abb1711821f2f2a2

SHA1
f3a73f045a4ab41c4ce6076e92210638d43a879b

SHA256
2d5ca74791e166a4e1f731b43fcc332eca9d910f5793438187c4bcfd03e5ec1e

SHA512
7dc88395a5ade13efb2d5f7507a1d89027ce5f0c2c157a535ad3d429097638c3043dfc3ecbd7fd020d75d47a6ab4a641140b6b092de99163b28b544ed61701cf

Download Submit
memory/1324-114-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1324-165-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1324-123-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/2240-167-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2240-166-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2240-143-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2372-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2448-82-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2448-68-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2448-128-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2448-137-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2540-153-0x0000000000320000-0x0000000000360000-memory.dmp

Filesize
256KB

Download
memory/2540-145-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2540-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2540-158-0x0000000000320000-0x0000000000360000-memory.dmp

Filesize
256KB

Download
memory/2540-169-0x0000000000320000-0x0000000000360000-memory.dmp

Filesize
256KB

Download
memory/2712-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2712-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2812-83-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2812-92-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/2812-142-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2828-110-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2828-111-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/2828-160-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/2888-54-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2888-113-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2888-41-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2952-170-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3032-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3032-40-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/3032-33-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/3032-26-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3068-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3068-85-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/3068-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3068-17-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads