berbew | 74af36117bf9cb07ebbb264183f991d6831746bf442b6edbc80f8b6b5824855d

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2024 04:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74af36117bf9cb07ebbb264183f991d6831746bf442b6edbc80f8b6b5824855dN.exe
Size

337KB
MD5

7e3dff64c1b8bffda0acde06f1f17c20
SHA1

7723e876937fc6d18227ba3f359487638fefa267
SHA256

74af36117bf9cb07ebbb264183f991d6831746bf442b6edbc80f8b6b5824855d
SHA512

9dd3d93f4e47f006f722d6dd441070de57642ec14dc928697baf3332e946bf573134344bb71b5fb68db779aba4153d037c6f6006a87de2e6e16ea712756b1194
SSDEEP

3072:ZYceJ74IgiAngTdWgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:ZYTJcIqgTdW1+fIyG5jZkCwi8r

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baannc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bddcenpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppahmb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdoacabq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoioli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agimkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdagpnbk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmjkic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnfkdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdpcal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmblagmf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qodeajbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahofoogd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chdialdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahofoogd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apmhiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhblllfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baannc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgnffj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmhocd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhblllfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnaaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	74af36117bf9cb07ebbb264183f991d6831746bf442b6edbc80f8b6b5824855dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amjbbfgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apaadpng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dojqjdbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppahmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdaniq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmhocd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdoacabq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chnlgjlb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cklhcfle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddgibkpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aoioli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnoddcef.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chiblk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chfegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Coqncejg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chiblk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdpcal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjfmkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agimkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bddcenpi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnoddcef.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cklhcfle.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	74af36117bf9cb07ebbb264183f991d6831746bf442b6edbc80f8b6b5824855dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnhgjaml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bahdob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Coqncejg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnhgjaml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dojqjdbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amqhbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkgeainn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmjkic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apaadpng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chfegk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddgibkpc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chdialdl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnaaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddllkbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qodeajbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amjbbfgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adfgdpmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkgeainn.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 38 IoCs

pid	Process
2096	Pmblagmf.exe
516	Ppahmb32.exe
4016	Qjfmkk32.exe
4712	Qdoacabq.exe
632	Qodeajbg.exe
2772	Qdaniq32.exe
3016	Amjbbfgo.exe
4148	Ahofoogd.exe
1216	Aoioli32.exe
4500	Adfgdpmi.exe
3976	Apmhiq32.exe
3236	Amqhbe32.exe
4056	Agimkk32.exe
3284	Apaadpng.exe
3472	Bkgeainn.exe
4684	Baannc32.exe
2204	Bgnffj32.exe
2464	Bmhocd32.exe
2484	Bdagpnbk.exe
4476	Bmjkic32.exe
3680	Bddcenpi.exe
1396	Bahdob32.exe
3496	Bhblllfo.exe
3656	Bnoddcef.exe
3104	Chdialdl.exe
384	Cnaaib32.exe
1056	Chfegk32.exe
2492	Coqncejg.exe
4140	Chiblk32.exe
2708	Cnfkdb32.exe
2436	Cdpcal32.exe
4392	Cnhgjaml.exe
1468	Chnlgjlb.exe
1732	Cklhcfle.exe
1160	Dddllkbf.exe
2420	Dojqjdbl.exe
1584	Ddgibkpc.exe
3576	Dkqaoe32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Aoioli32.exe	Ahofoogd.exe
File created	C:\Windows\SysWOW64\Nchkcb32.dll	Dojqjdbl.exe
File created	C:\Windows\SysWOW64\Okddnh32.dll	Qjfmkk32.exe
File opened for modification	C:\Windows\SysWOW64\Ahofoogd.exe	Amjbbfgo.exe
File opened for modification	C:\Windows\SysWOW64\Adfgdpmi.exe	Aoioli32.exe
File created	C:\Windows\SysWOW64\Nflnbh32.dll	Chdialdl.exe
File opened for modification	C:\Windows\SysWOW64\Bhblllfo.exe	Bahdob32.exe
File created	C:\Windows\SysWOW64\Ekiapmnp.dll	Cnhgjaml.exe
File created	C:\Windows\SysWOW64\Mmlmhc32.dll	Coqncejg.exe
File created	C:\Windows\SysWOW64\Dgeaknci.dll	Adfgdpmi.exe
File created	C:\Windows\SysWOW64\Lpmkebjc.dll	Apaadpng.exe
File opened for modification	C:\Windows\SysWOW64\Bddcenpi.exe	Bmjkic32.exe
File created	C:\Windows\SysWOW64\Bahdob32.exe	Bddcenpi.exe
File opened for modification	C:\Windows\SysWOW64\Bahdob32.exe	Bddcenpi.exe
File created	C:\Windows\SysWOW64\Chdialdl.exe	Bnoddcef.exe
File created	C:\Windows\SysWOW64\Amqhbe32.exe	Apmhiq32.exe
File opened for modification	C:\Windows\SysWOW64\Cnaaib32.exe	Chdialdl.exe
File opened for modification	C:\Windows\SysWOW64\Chnlgjlb.exe	Cnhgjaml.exe
File created	C:\Windows\SysWOW64\Dddllkbf.exe	Cklhcfle.exe
File opened for modification	C:\Windows\SysWOW64\Dddllkbf.exe	Cklhcfle.exe
File created	C:\Windows\SysWOW64\Dllfqd32.dll	Dddllkbf.exe
File opened for modification	C:\Windows\SysWOW64\Qdoacabq.exe	Qjfmkk32.exe
File opened for modification	C:\Windows\SysWOW64\Apmhiq32.exe	Adfgdpmi.exe
File created	C:\Windows\SysWOW64\Agimkk32.exe	Amqhbe32.exe
File created	C:\Windows\SysWOW64\Dbmdml32.dll	Qdoacabq.exe
File opened for modification	C:\Windows\SysWOW64\Bkgeainn.exe	Apaadpng.exe
File created	C:\Windows\SysWOW64\Biafno32.dll	Chnlgjlb.exe
File created	C:\Windows\SysWOW64\Eepmqdbn.dll	Qdaniq32.exe
File created	C:\Windows\SysWOW64\Geqnma32.dll	Aoioli32.exe
File created	C:\Windows\SysWOW64\Bdagpnbk.exe	Bmhocd32.exe
File created	C:\Windows\SysWOW64\Cnaaib32.exe	Chdialdl.exe
File opened for modification	C:\Windows\SysWOW64\Cnhgjaml.exe	Cdpcal32.exe
File created	C:\Windows\SysWOW64\Kjamidgd.dll	Ahofoogd.exe
File created	C:\Windows\SysWOW64\Ebggoi32.dll	Bdagpnbk.exe
File created	C:\Windows\SysWOW64\Bddcenpi.exe	Bmjkic32.exe
File created	C:\Windows\SysWOW64\Hnflfgji.dll	Cnaaib32.exe
File opened for modification	C:\Windows\SysWOW64\Cnfkdb32.exe	Chiblk32.exe
File created	C:\Windows\SysWOW64\Cklhcfle.exe	Chnlgjlb.exe
File opened for modification	C:\Windows\SysWOW64\Baannc32.exe	Bkgeainn.exe
File created	C:\Windows\SysWOW64\Dkbnla32.dll	Bahdob32.exe
File opened for modification	C:\Windows\SysWOW64\Ddgibkpc.exe	Dojqjdbl.exe
File created	C:\Windows\SysWOW64\Bhblllfo.exe	Bahdob32.exe
File created	C:\Windows\SysWOW64\Qodeajbg.exe	Qdoacabq.exe
File created	C:\Windows\SysWOW64\Qdaniq32.exe	Qodeajbg.exe
File created	C:\Windows\SysWOW64\Adfgdpmi.exe	Aoioli32.exe
File created	C:\Windows\SysWOW64\Ieoigp32.dll	Apmhiq32.exe
File created	C:\Windows\SysWOW64\Hlfpph32.dll	Baannc32.exe
File opened for modification	C:\Windows\SysWOW64\Bdagpnbk.exe	Bmhocd32.exe
File created	C:\Windows\SysWOW64\Enfqikef.dll	Pmblagmf.exe
File opened for modification	C:\Windows\SysWOW64\Qodeajbg.exe	Qdoacabq.exe
File opened for modification	C:\Windows\SysWOW64\Qdaniq32.exe	Qodeajbg.exe
File opened for modification	C:\Windows\SysWOW64\Apaadpng.exe	Agimkk32.exe
File created	C:\Windows\SysWOW64\Cdpcal32.exe	Cnfkdb32.exe
File opened for modification	C:\Windows\SysWOW64\Amqhbe32.exe	Apmhiq32.exe
File opened for modification	C:\Windows\SysWOW64\Cdpcal32.exe	Cnfkdb32.exe
File created	C:\Windows\SysWOW64\Pipeabep.dll	Cnfkdb32.exe
File created	C:\Windows\SysWOW64\Dojqjdbl.exe	Dddllkbf.exe
File created	C:\Windows\SysWOW64\Mgmodn32.dll	Bkgeainn.exe
File created	C:\Windows\SysWOW64\Lahoec32.dll	Bhblllfo.exe
File created	C:\Windows\SysWOW64\Chfegk32.exe	Cnaaib32.exe
File opened for modification	C:\Windows\SysWOW64\Chfegk32.exe	Cnaaib32.exe
File created	C:\Windows\SysWOW64\Hbobifpp.dll	Chfegk32.exe
File created	C:\Windows\SysWOW64\Pmblagmf.exe	74af36117bf9cb07ebbb264183f991d6831746bf442b6edbc80f8b6b5824855dN.exe
File created	C:\Windows\SysWOW64\Apmhiq32.exe	Adfgdpmi.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3208	3576	WerFault.exe	119

System Location Discovery: System Language Discovery 1 TTPs 39 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkgeainn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdagpnbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chiblk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amqhbe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgnffj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddgibkpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjfmkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apaadpng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmhocd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhblllfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdpcal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkqaoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnaaib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnfkdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppahmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdoacabq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baannc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chdialdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chfegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnhgjaml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	74af36117bf9cb07ebbb264183f991d6831746bf442b6edbc80f8b6b5824855dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmblagmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahofoogd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apmhiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agimkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnoddcef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chnlgjlb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddllkbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qodeajbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amjbbfgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoioli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adfgdpmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bddcenpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cklhcfle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dojqjdbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdaniq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmjkic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bahdob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coqncejg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enfqikef.dll"	Pmblagmf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apmhiq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdagpnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebggoi32.dll"	Bdagpnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chfegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iafphi32.dll"	74af36117bf9cb07ebbb264183f991d6831746bf442b6edbc80f8b6b5824855dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdoacabq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nflnbh32.dll"	Chdialdl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apaadpng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkgeainn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmhocd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chdialdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmblagmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amqhbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agimkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbobifpp.dll"	Chfegk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahofoogd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adfgdpmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnaaib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdaniq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmlmhc32.dll"	Coqncejg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ppahmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgmodn32.dll"	Bkgeainn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gikgni32.dll"	Bgnffj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	74af36117bf9cb07ebbb264183f991d6831746bf442b6edbc80f8b6b5824855dN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chiblk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnfkdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddgibkpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddgibkpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amjbbfgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhqndghj.dll"	Bnoddcef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dojqjdbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgnffj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdpcal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agimkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chdialdl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddllkbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddllkbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfdiedd.dll"	Ddgibkpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qodeajbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepmqdbn.dll"	Qdaniq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amqhbe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cklhcfle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmocfo32.dll"	Ppahmb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adfgdpmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lahoec32.dll"	Bhblllfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cklhcfle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjfmkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbandhne.dll"	Qodeajbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipeabep.dll"	Cnfkdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apmhiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpmkebjc.dll"	Apaadpng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlfpph32.dll"	Baannc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adnbpqkj.dll"	Bmhocd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdagpnbk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmblagmf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ppahmb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdoacabq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chnlgjlb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bahdob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnfkdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgnffj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndikch32.dll"	Bmjkic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhblllfo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2096	2868	74af36117bf9cb07ebbb264183f991d6831746bf442b6edbc80f8b6b5824855dN.exe	82
PID 2868 wrote to memory of 2096	2868	74af36117bf9cb07ebbb264183f991d6831746bf442b6edbc80f8b6b5824855dN.exe	82
PID 2868 wrote to memory of 2096	2868	74af36117bf9cb07ebbb264183f991d6831746bf442b6edbc80f8b6b5824855dN.exe	82
PID 2096 wrote to memory of 516	2096	Pmblagmf.exe	83
PID 2096 wrote to memory of 516	2096	Pmblagmf.exe	83
PID 2096 wrote to memory of 516	2096	Pmblagmf.exe	83
PID 516 wrote to memory of 4016	516	Ppahmb32.exe	84
PID 516 wrote to memory of 4016	516	Ppahmb32.exe	84
PID 516 wrote to memory of 4016	516	Ppahmb32.exe	84
PID 4016 wrote to memory of 4712	4016	Qjfmkk32.exe	85
PID 4016 wrote to memory of 4712	4016	Qjfmkk32.exe	85
PID 4016 wrote to memory of 4712	4016	Qjfmkk32.exe	85
PID 4712 wrote to memory of 632	4712	Qdoacabq.exe	86
PID 4712 wrote to memory of 632	4712	Qdoacabq.exe	86
PID 4712 wrote to memory of 632	4712	Qdoacabq.exe	86
PID 632 wrote to memory of 2772	632	Qodeajbg.exe	87
PID 632 wrote to memory of 2772	632	Qodeajbg.exe	87
PID 632 wrote to memory of 2772	632	Qodeajbg.exe	87
PID 2772 wrote to memory of 3016	2772	Qdaniq32.exe	88
PID 2772 wrote to memory of 3016	2772	Qdaniq32.exe	88
PID 2772 wrote to memory of 3016	2772	Qdaniq32.exe	88
PID 3016 wrote to memory of 4148	3016	Amjbbfgo.exe	89
PID 3016 wrote to memory of 4148	3016	Amjbbfgo.exe	89
PID 3016 wrote to memory of 4148	3016	Amjbbfgo.exe	89
PID 4148 wrote to memory of 1216	4148	Ahofoogd.exe	90
PID 4148 wrote to memory of 1216	4148	Ahofoogd.exe	90
PID 4148 wrote to memory of 1216	4148	Ahofoogd.exe	90
PID 1216 wrote to memory of 4500	1216	Aoioli32.exe	91
PID 1216 wrote to memory of 4500	1216	Aoioli32.exe	91
PID 1216 wrote to memory of 4500	1216	Aoioli32.exe	91
PID 4500 wrote to memory of 3976	4500	Adfgdpmi.exe	92
PID 4500 wrote to memory of 3976	4500	Adfgdpmi.exe	92
PID 4500 wrote to memory of 3976	4500	Adfgdpmi.exe	92
PID 3976 wrote to memory of 3236	3976	Apmhiq32.exe	93
PID 3976 wrote to memory of 3236	3976	Apmhiq32.exe	93
PID 3976 wrote to memory of 3236	3976	Apmhiq32.exe	93
PID 3236 wrote to memory of 4056	3236	Amqhbe32.exe	94
PID 3236 wrote to memory of 4056	3236	Amqhbe32.exe	94
PID 3236 wrote to memory of 4056	3236	Amqhbe32.exe	94
PID 4056 wrote to memory of 3284	4056	Agimkk32.exe	95
PID 4056 wrote to memory of 3284	4056	Agimkk32.exe	95
PID 4056 wrote to memory of 3284	4056	Agimkk32.exe	95
PID 3284 wrote to memory of 3472	3284	Apaadpng.exe	96
PID 3284 wrote to memory of 3472	3284	Apaadpng.exe	96
PID 3284 wrote to memory of 3472	3284	Apaadpng.exe	96
PID 3472 wrote to memory of 4684	3472	Bkgeainn.exe	97
PID 3472 wrote to memory of 4684	3472	Bkgeainn.exe	97
PID 3472 wrote to memory of 4684	3472	Bkgeainn.exe	97
PID 4684 wrote to memory of 2204	4684	Baannc32.exe	98
PID 4684 wrote to memory of 2204	4684	Baannc32.exe	98
PID 4684 wrote to memory of 2204	4684	Baannc32.exe	98
PID 2204 wrote to memory of 2464	2204	Bgnffj32.exe	99
PID 2204 wrote to memory of 2464	2204	Bgnffj32.exe	99
PID 2204 wrote to memory of 2464	2204	Bgnffj32.exe	99
PID 2464 wrote to memory of 2484	2464	Bmhocd32.exe	100
PID 2464 wrote to memory of 2484	2464	Bmhocd32.exe	100
PID 2464 wrote to memory of 2484	2464	Bmhocd32.exe	100
PID 2484 wrote to memory of 4476	2484	Bdagpnbk.exe	101
PID 2484 wrote to memory of 4476	2484	Bdagpnbk.exe	101
PID 2484 wrote to memory of 4476	2484	Bdagpnbk.exe	101
PID 4476 wrote to memory of 3680	4476	Bmjkic32.exe	102
PID 4476 wrote to memory of 3680	4476	Bmjkic32.exe	102
PID 4476 wrote to memory of 3680	4476	Bmjkic32.exe	102
PID 3680 wrote to memory of 1396	3680	Bddcenpi.exe	103

C:\Users\Admin\AppData\Local\Temp\74af36117bf9cb07ebbb264183f991d6831746bf442b6edbc80f8b6b5824855dN.exe
"C:\Users\Admin\AppData\Local\Temp\74af36117bf9cb07ebbb264183f991d6831746bf442b6edbc80f8b6b5824855dN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\SysWOW64\Pmblagmf.exe
  C:\Windows\system32\Pmblagmf.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Windows\SysWOW64\Ppahmb32.exe
    C:\Windows\system32\Ppahmb32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:516
  - - C:\Windows\SysWOW64\Qjfmkk32.exe
      C:\Windows\system32\Qjfmkk32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4016
    - - C:\Windows\SysWOW64\Qdoacabq.exe
        
        C:\Windows\system32\Qdoacabq.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4712
      - C:\Windows\SysWOW64\Qodeajbg.exe
        
        C:\Windows\system32\Qodeajbg.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\SysWOW64\Qdaniq32.exe
        
        C:\Windows\system32\Qdaniq32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\SysWOW64\Amjbbfgo.exe
        
        C:\Windows\system32\Amjbbfgo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\Ahofoogd.exe
        
        C:\Windows\system32\Ahofoogd.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4148
        
        C:\Windows\SysWOW64\Aoioli32.exe
        
        C:\Windows\system32\Aoioli32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1216
        
        C:\Windows\SysWOW64\Adfgdpmi.exe
        
        C:\Windows\system32\Adfgdpmi.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\SysWOW64\Apmhiq32.exe
        
        C:\Windows\system32\Apmhiq32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3976
        
        C:\Windows\SysWOW64\Amqhbe32.exe
        
        C:\Windows\system32\Amqhbe32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3236
        
        C:\Windows\SysWOW64\Agimkk32.exe
        
        C:\Windows\system32\Agimkk32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4056
        
        C:\Windows\SysWOW64\Apaadpng.exe
        
        C:\Windows\system32\Apaadpng.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3284
        
        C:\Windows\SysWOW64\Bkgeainn.exe
        
        C:\Windows\system32\Bkgeainn.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3472
        
        C:\Windows\SysWOW64\Baannc32.exe
        
        C:\Windows\system32\Baannc32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\SysWOW64\Bmhocd32.exe
        
        C:\Windows\system32\Bmhocd32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\SysWOW64\Bdagpnbk.exe
        
        C:\Windows\system32\Bdagpnbk.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\SysWOW64\Bmjkic32.exe
        
        C:\Windows\system32\Bmjkic32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4476
        
        C:\Windows\SysWOW64\Bddcenpi.exe
        
        C:\Windows\system32\Bddcenpi.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3680
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1396
        
        C:\Windows\SysWOW64\Bhblllfo.exe
        
        C:\Windows\system32\Bhblllfo.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3496
        
        C:\Windows\SysWOW64\Bnoddcef.exe
        
        C:\Windows\system32\Bnoddcef.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3656
        
        C:\Windows\SysWOW64\Chdialdl.exe
        
        C:\Windows\system32\Chdialdl.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Cnaaib32.exe
        
        C:\Windows\system32\Cnaaib32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:384
        
        C:\Windows\SysWOW64\Chfegk32.exe
        
        C:\Windows\system32\Chfegk32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1056
        
        C:\Windows\SysWOW64\Coqncejg.exe
        
        C:\Windows\system32\Coqncejg.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Chiblk32.exe
        
        C:\Windows\system32\Chiblk32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4140
        
        C:\Windows\SysWOW64\Cnfkdb32.exe
        
        C:\Windows\system32\Cnfkdb32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\Cdpcal32.exe
        
        C:\Windows\system32\Cdpcal32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2436
        
        C:\Windows\SysWOW64\Cnhgjaml.exe
        
        C:\Windows\system32\Cnhgjaml.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4392
        
        C:\Windows\SysWOW64\Chnlgjlb.exe
        
        C:\Windows\system32\Chnlgjlb.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Cklhcfle.exe
        
        C:\Windows\system32\Cklhcfle.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Dddllkbf.exe
        
        C:\Windows\system32\Dddllkbf.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1160
        
        C:\Windows\SysWOW64\Dojqjdbl.exe
        
        C:\Windows\system32\Dojqjdbl.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1584
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 412
        40⤵
        Program crash
        
        PID:3208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3576 -ip 3576
1⤵
PID:4320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adfgdpmi.exe

Filesize
337KB

MD5
6cf0525d85334b71ad4d418ee51355c8

SHA1
428d9a9d0d19aeb5ce2ce0a1c378251632ffada9

SHA256
2a7bc930bb83fd880dda940f7d80301389cf1cbd9421d090cc29a1f76c671006

SHA512
96eb5ec1ea2cc3fe4763697e6b87b58c4fc685d35096fdba2d3788480ff7cc8e5c951be8bbf5ee7ec2f150443bd4359bffc2a4da19f29c76994c44b031eaff28

Download Submit
C:\Windows\SysWOW64\Agimkk32.exe

Filesize
337KB

MD5
b519ade1172455c3fac875ff2b974dc5

SHA1
e96c5b375a56590cfd38cd58faee188001155f94

SHA256
11c6d0dbea71cb3c667500153da002d627072dae8ddcc25c8dc321708b981273

SHA512
243e8c71ec47fcb3d3cd8db2ccfb93b404e1d21ef00df299b8552c3ac6de06351462c8a7a44140b8e879abee28968073ff450082e1b4b1daba596e6c1bacf565

Download Submit
C:\Windows\SysWOW64\Ahofoogd.exe

Filesize
337KB

MD5
d1dadd8a3b81e30f55770b40b4ec802f

SHA1
522a22436d01923b06369ddcd724608645b9e26e

SHA256
69b4b6a41da33692723a812790bbeb61d908cf10277c689ffd77ac4c40318cfd

SHA512
263510675e9d7b85f391ce9a266d3946ef649bc550ab7dbd56c46a6d4bc55e9d274990d5066c98b4df2edc2fa0d57409142253104b69215edd4699735c1ce4d1

Download Submit
C:\Windows\SysWOW64\Amjbbfgo.exe

Filesize
337KB

MD5
08c8e9df470699fc904b267d6d0d50ff

SHA1
d5ceced314ff3b7b4d8d43a07d3278bb8b6c479c

SHA256
441302a96798caafd3bd67485534d7e02490105786b6a96cd1cbe518bf3ab850

SHA512
c4cdff2471caed9ef4120a8aebbfd63215bd1b3535437ecfee4f574980bd937aec7fd419fb8c741b470ac1e9fb970a8642594534694e624e286868a23fa24b7e

Download Submit
C:\Windows\SysWOW64\Amqhbe32.exe

Filesize
337KB

MD5
5c221fc75168b320860b3ef161caf5ff

SHA1
71f691965b6e257c9140313b6bb1c83548859096

SHA256
229bec9bc69ba40e823a48d492c392adf193dc0d423520497421842be5f906b3

SHA512
97aff8520a441c6c306ecdbd52190a1108a0ce3c2966bf70b589eb62623335569fb42d3886c0712cce2dce03fb2e95730432298b64e6d25c0108f957614acd5a

Download Submit
C:\Windows\SysWOW64\Aoioli32.exe

Filesize
337KB

MD5
84435a244181c627de5b1232c399a2bc

SHA1
280afc3f0f17c02a5d990ef8a430576ebbe3e2e2

SHA256
44205b5c02af0465ef3e5be68d6dc3918303823749e65f2bb656e8adb397ee12

SHA512
81048e864b35ad26a78ffbab36fea1eaf6ca37c56988fed29ce0c0a43d2298223cf48b317616386b3c65ef6bb4a428859300b49af85f6d62b00cf61d2725a4ba

Download Submit
C:\Windows\SysWOW64\Apaadpng.exe

Filesize
337KB

MD5
8991314121672d8722ba9eee7098030b

SHA1
f3ee0fad0d4326b487789cb147c161efa771491d

SHA256
82751727a0af28ec868be1955c20d1666428d414490e2d005f3914a080695e87

SHA512
4a341f936bcc127bcd5f214b8b652ce2840e0f1fbd7a396234be99b5464621a06137e89de74b7d017c50c67d79016befb9cc122ffbdaa4ce3563bcc1e700253d

Download Submit
C:\Windows\SysWOW64\Apmhiq32.exe

Filesize
337KB

MD5
204e14132f2b705a78ab914d3f29de4a

SHA1
302d2b9295504d1a4ac80c39cbb2870f0b34b649

SHA256
c0763ecd35e9a0485fa0c0698838d25d61f86ff6eea774b642b573dd850173d7

SHA512
e451ce969c0aa39128e3021e41d5f80b764035ce90bb30d832f0a2dc4c08f083dfcaa6e90de38f7666f3ac29db250b3e1740c3b63b05df2dc382494e61f6d11a

Download Submit
C:\Windows\SysWOW64\Baannc32.exe

Filesize
337KB

MD5
f4766529fb99c6a23a55bf759f7fc716

SHA1
72d3e40d2529d28f9b6534f5f9b85ff84b657401

SHA256
7c7ea33f77e40defc404fda9db05f8837e498014edffa26804af7c089745b451

SHA512
55a98112a5fd2587a579062429ed8f5c275fc2c26ee8febc243ba996d3dcf3e6752b012cc33b3d5d3005f1f31c29f92fa21815ab5535b90c6b16002922e07bdf

Download Submit
C:\Windows\SysWOW64\Bahdob32.exe

Filesize
337KB

MD5
e2f7d9a929fa925e6f5d4ed6a0a18a24

SHA1
b71ca39fbaa2a3532d5e3a7e30cc39c855121758

SHA256
53dc85798d0f089d02759bafa52cb58500b734842feb2f92645a284660deb645

SHA512
d1831f36601af2e80b9453b1584ad56165cdebceb201b6128d4460c76e8467b0335a7cf392b6538f42fce1195584d45d5b03a59174094e73407c6c3b40f93b5c

Download Submit
C:\Windows\SysWOW64\Bdagpnbk.exe

Filesize
337KB

MD5
93b47a7fa637222629626d0b4bcfaac2

SHA1
7aecba7fa9898a4a9f65c00bcdba1ae3fc48907d

SHA256
7972459992b93dd446cddc330bc694dbbdac73a1572610130839c97c7d0f1cd6

SHA512
3bfac163ff42309abb09e20fffde8b9019446b2f8759249d44d1cc98f54fcac3a98ee73384a3e3ae99d9274bb07d7c38044f19b311b95370e90269b86c810c8d

Download Submit
C:\Windows\SysWOW64\Bddcenpi.exe

Filesize
337KB

MD5
5201c4da657eef89b6f3e27e4c0e979c

SHA1
5d048888b87902f10f40687a8f780033e33b130a

SHA256
cbaefa4b78b436d94c4e534702d79997f5545f19ed0c01156fedf84701aa5af1

SHA512
57632c4af10f14ebb98e1fe8da87a8d2a0edb5e0c7653758d0073146c9b375063d56d7fc27ca9e36478dc310eb2bd6ebad29dfe6147b878b90b03a3d8eef4b5e

Download Submit
C:\Windows\SysWOW64\Bgnffj32.exe

Filesize
337KB

MD5
4cf8cdc3103f51e3c08fbf80970bec6f

SHA1
59993bdf179ba638f962c185c7c75b443c1e6db6

SHA256
afc11a7be164559993865b0bb3631a82f4d3d3152f99ecb84845db0985b06999

SHA512
bd43b535965bba704e0a740af97543c0f5a6368ed8807c343b03b7caca4b9258465acd45564e425fe6dd0143980d38298fbb7a13fad15b2747871a4ce4cd558a

Download Submit
C:\Windows\SysWOW64\Bhblllfo.exe

Filesize
337KB

MD5
b4d9136f5c0525cc5ffe893117568841

SHA1
91ecfec7404d81f51921ab9d0d9671b1c4e265fa

SHA256
8abb2cb4c7eea3f283fcf1440b932b81e528b2201caad1039241939d5486efb4

SHA512
a0d27c8d6d4059e4a419b3a9e51563e96ab719478c8e3988166d5aadec3b1caae31d154dd0ccf609d3affe52c9c43c720ef4193615ce927be472c08abe4322c3

Download Submit
C:\Windows\SysWOW64\Bkgeainn.exe

Filesize
337KB

MD5
bbce4e0a5b2375050ca476cd2d82eb27

SHA1
5dc85f2aa517f55c9e63273322b25082d34a8cb1

SHA256
a7dbcdc21e705b704d1b99a1efefbe1d4b9028b1ce76875801a7902c36662ab2

SHA512
7776a8163f9d6a991d5801c08b7cc6eb9afe82be09b2206acc1bf0015785c4ed6a44f58ea6e97570af82f88cc73e42d062412c08b249970162f59342c72bdcbd

Download Submit
C:\Windows\SysWOW64\Bmhocd32.exe

Filesize
337KB

MD5
d48d285f8ec467663ed7aa9599fc7c31

SHA1
a2fd88b5ebee719328d97fb2e794121e235197b6

SHA256
a12e54d924c6bc4d053dafb1edf0f1998cff6065faa8a94c8d3115b9c334419e

SHA512
b3ef230313fce533164d4d8e000ef17c9f67e1b84f73b2537553f0aa7a29e3e65e1b896684df61ae39c6b54fe10a5bccfb66ae18f4a96a75476fee961679b296

Download Submit
C:\Windows\SysWOW64\Bmjkic32.exe

Filesize
337KB

MD5
89c090d61d59d100154404c76223dcd7

SHA1
f29f2bb20396f329688f5e72a69e96504676a301

SHA256
796e803d655d048bd8a2149b67cdfadb4c347886d3e7a76a8c2bba8ddc4dba1b

SHA512
23d39d16d17f4e30817f0457145241a602748a3ce6ca71acc42d54565f18af0e896c0ae877d7119d316a186f5491b1a7e30b317af913e94db6db6c2e6d2ddc70

Download Submit
C:\Windows\SysWOW64\Bnoddcef.exe

Filesize
337KB

MD5
c15405b125d020813d5d8102de37a6d2

SHA1
38ce2099ea6dbc95586b2ebe789debd0586a8eab

SHA256
37a5b3e17496d58075799c39c92d370d407c55e1ce151cb5067d2e8d88df9af5

SHA512
bdee09a38c1854c028d179ec0934703d5fe30ae640ae79dacf59d001620d6b09778d94337517a418ba32f8a96d92477c2aafc5d96ee9845e6f0a873cb066478a

Download Submit
C:\Windows\SysWOW64\Cdpcal32.exe

Filesize
337KB

MD5
5ec3533e3bd9a0f7d649cad462de08b7

SHA1
048d2ae98a1d4cc092f199e356198e1c1d655c8f

SHA256
5be3754edfebc59612b9429ec686241a1e2ecd3dd0a577a33fa44879f04536e6

SHA512
c95c1e73fa3296d48b1932b3813d86e3a27b90cdc4f495f68e38b898ba0d7325f6552889fdd77e86c6ed8a5ee151c7571b6ec2057879dda0bd5cc0366579e832

Download Submit
C:\Windows\SysWOW64\Chdialdl.exe

Filesize
337KB

MD5
6f14fe69bfa5049d09c64da986fb4135

SHA1
e4833571eed585f1175ae35ac34da2c7f6085a11

SHA256
7e593cc66a85c178c9f45b155ea7786bb81fdc3d5518d1aa3228816469846f29

SHA512
1da7f2edd1f25a71ec5bb3c063ea225accf5ce6205c1abf3506987a6c32625686c3dbc138572e4c99925662efae8e8e0630c1b7912c8ee1bed962265a94610f0

Download Submit
C:\Windows\SysWOW64\Chfegk32.exe

Filesize
337KB

MD5
81d3a15a28c9e40e3c822a3f71da10f0

SHA1
cea29dddd87e25e708d85ceb0bd3598ea7ec164e

SHA256
971bbc54c8c74ab2902be76f9033424ebc0aae4af2d1ce27f3e908717a51d1bb

SHA512
9f06b71260dd362530b83a3016955d53867c1943cae73c76241972f474dc24aceda595e630e42bbde13df3642eebaabbc9d810c1b6b96975e924916ca205f5e4

Download Submit
C:\Windows\SysWOW64\Chiblk32.exe

Filesize
337KB

MD5
0d1e9c198ccfe487eb884183904a74a8

SHA1
290f2cd0808c3c7efe47eb43b1ba274930a838d5

SHA256
c380cb22909d14484387df26da2ee77f60419feff3bfeb89e7739f7954c4246e

SHA512
b8e6b4e7d5dece80402091277b623fdb2da00728dec4bb56ebb719100b12ecbbfbc15545664af4672a44abeab20a2fc42b5bdd3e6784d140d6db9959590c0040

Download Submit
C:\Windows\SysWOW64\Cnaaib32.exe

Filesize
337KB

MD5
24409f33b8a13722ffb5c68805b63b26

SHA1
3c8cd82e12264226f7e66d8b7d337da4c1d869d4

SHA256
e390483af43ea344ed7e69ba1c5c2242633ff1677c5d5df37cfaf2fe319660cb

SHA512
dc8988178e61a64bf52c492c2c1d1983d577ff1e627378c6af02d36808aa274602bf494e3550b403a6bae2e6d28c293ee3afa844cdffddcaffac982673796507

Download Submit
C:\Windows\SysWOW64\Cnfkdb32.exe

Filesize
337KB

MD5
e0b1a25b74211228a13ccf8be19a588d

SHA1
d21ab42b385fc08f0a374a144163e2676a031da8

SHA256
551880746c9538311180cf2ce108f8c67fd92c9d097b3e8878a77fa15223d388

SHA512
0784087a8ec88178bb3d2524c2b6886d54c93931bcc428c95c5dcf2c48bdda7c5fa2e25500d59c1e8cef414690a6099a287b6750b21d89da22bcf1b500d43a77

Download Submit
C:\Windows\SysWOW64\Cnhgjaml.exe

Filesize
337KB

MD5
8d1908cb72e936b09a43707413769127

SHA1
ddebdbc5169813a5129ff0044c77f5f45caae027

SHA256
d7f17a8df79a51624a33516b76da66a917b06ce26df0dbc04749031000aa962d

SHA512
3a02c4299c6044f15ba8b5dca168fe2e6dbee0344adecfcb74f5302936db3881d9e8f27075fd54398fe1f820ba4d2e3e345724c143938e3fc1bdbe823b611c74

Download Submit
C:\Windows\SysWOW64\Coqncejg.exe

Filesize
337KB

MD5
cc2050bbd3c6d3b7c0b47aa7ba92403a

SHA1
3cc0e348a349b2ac140404a83409c3b271a579f8

SHA256
26b12f3d19bdf2ea534cbd91ce09c61d3211fa0c8a5a59ff79331a06a11f80f6

SHA512
b3cc18e173934a2434a4bef1fb27a728e12b40906283beed9d09c1327c07ea8eeeace6de54d778c2d62d7eb38d3fd0bda6b2df5f1911978819c2efc9619d9c8b

Download Submit
C:\Windows\SysWOW64\Dojqjdbl.exe

Filesize
337KB

MD5
d6e86d03dc6e5b3c2bd626faa918e616

SHA1
7c3a12715df980e910dc5b0e62e86cc8bcf5d043

SHA256
cd4d61eea822adbf1fdb8d9880a83817447100b158dd07b4ca79b92252351e1f

SHA512
0cde1cd301a365523f08d26f489a45d38da566dc73b0af4a6d5294f6e9b06c8a3d18e085d4524d101a23f5e8317856f224c5e88cc2f81c9301ce8a9321a485d8

Download Submit
C:\Windows\SysWOW64\Pmblagmf.exe

Filesize
337KB

MD5
66967ced2fdf32ee78ef4837eb03f64f

SHA1
02367cb2eabda330d2672edad7d06bf8270bef54

SHA256
1f29c939a24e4e630743d1f872e95f12be681f65f5968c01e9ae2671a10e4b04

SHA512
b37ed62a219ffddf8914b7d6f8cafe2c7379ad37d36e863c85b690456a597633af956b88d9c6c50345b00796f95032168ae7cef11f36467ecb06e5cded80db1a

Download Submit
C:\Windows\SysWOW64\Ppahmb32.exe

Filesize
337KB

MD5
4f8648a3fa5fe168871db3cab94ff208

SHA1
a2010cefc2f8e7c64320801c679f30620be15c59

SHA256
117b9f090e7beecf93e53a4079c3934221448312fb124820949c17dfcd1c888f

SHA512
1e355c6b0e8580ed3ff3fb41c325511bd524e68ef146746056f14a139a5ef3af901e9b431fb98258480f8176bbb073a8d83783a843e890c2e96e920ca62416ef

Download Submit
C:\Windows\SysWOW64\Qdaniq32.exe

Filesize
337KB

MD5
7f510d777c8f32eebf545b5bee9c3eaa

SHA1
68a79f4d947780e2e28558637f900007fbd132ba

SHA256
8b483a97ee6c12e5ab597c5877094f04f6c425c6a9be4c40f5d2a0e523c09f19

SHA512
d6ffe8536c5c10a64b5e42c97d8dc4caeaf7aae19617956547e895a1279eb6700530602347a846865ddcfcbaa468541bc0a99ee366d59de8cb9da8227c0ec7d2

Download Submit
C:\Windows\SysWOW64\Qdoacabq.exe

Filesize
337KB

MD5
7baa3996bd24c713c6de987267d6bfb0

SHA1
4bf94ec4df86b9c0edb77f371c75509cd31de879

SHA256
d0e359f4c396e6a6a05dbd53f2c71ee3091139fb135a7f3dba8c0864699ebd01

SHA512
d052248832bbfb9bbbd783bef97959cbeeb38dd2f049017c0e851e998f49313e7363308e753986c04460fb43014688eafc033b6c7b0be1d2a3222e69b0007b28

Download Submit
C:\Windows\SysWOW64\Qjfmkk32.exe

Filesize
337KB

MD5
8f3f2307a81f2099245ea03628dda3ea

SHA1
03e99f2fefd2317407d1733461621579635b5394

SHA256
7b7a74f0d555c171dd23b07c3f71dadd5cc4877ca4d289448ca5b1194ecf8fda

SHA512
05167295820e800078f78dc8048d4182a555a050167d4d2479ef95ec56614b91fc2787b3a360614fdcca0d78975ad62b768562fc964f5b84db054d4475e98988

Download Submit
C:\Windows\SysWOW64\Qodeajbg.exe

Filesize
337KB

MD5
ab9eae7046599d7356055f04db552fbc

SHA1
808020afc2d89ebaa3b81900d9a2a7aad4bc5ab9

SHA256
afc9a8d58b8b2af690ff34b799295d97a7917ac74a58c474b6a7d72a7ab9bfba

SHA512
c791af8731095918cb701d5c482bc5ce50289b0292b2094b45d53dfc8f01d9138ee1480e7648f1859a06af6ba656ff662129fb4507239cad2a7ed7d75a632bfc

Download Submit
memory/384-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/384-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/516-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/516-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/632-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/632-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1056-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1056-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1160-302-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1160-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1216-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1216-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1396-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1396-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1468-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1468-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1584-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1584-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1732-301-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1732-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2096-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2096-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2204-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2204-332-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2420-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2420-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2436-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2436-307-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2464-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2464-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2484-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2484-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2492-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2492-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2708-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2708-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2868-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2868-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2868-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3016-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3016-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3104-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3104-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3236-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3236-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3284-338-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3284-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3472-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3472-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3496-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3496-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3576-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3576-296-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3656-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3656-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3680-325-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3680-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3976-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3976-344-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4016-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4016-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4056-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4056-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4140-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4140-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4148-350-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4148-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4392-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4392-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4476-166-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4500-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4500-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4684-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4684-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4712-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4712-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads