berbew | 3c9ece3e13ebaeaa008b30ec19ad05a005c681da5e33b074abc3f90ec981162a

Analysis

max time kernel
16s
max time network
18s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
17-10-2024 07:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c9ece3e13ebaeaa008b30ec19ad05a005c681da5e33b074abc3f90ec981162aN.exe
Size

337KB
MD5

11103b571784c0650a89c083ab13ede0
SHA1

96b0b2d939b9f15a3fa6176769c5c909d4091423
SHA256

3c9ece3e13ebaeaa008b30ec19ad05a005c681da5e33b074abc3f90ec981162a
SHA512

8f85bfe41bd6909d117d105e855e48708610b28654274e8429af8d73f3082cd7fd8b777ab180175d2d75acf25fbbd96c4fd36e962026dc728048bc2a4f3cd3ae
SSDEEP

3072:hlTzQSarwQmFpgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:/TzOrwxp1+fIyG5jZkCwi8r

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 56 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oheppe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pabncj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgfmlp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcmjpd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	3c9ece3e13ebaeaa008b30ec19ad05a005c681da5e33b074abc3f90ec981162aN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pofomolo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcmnaaji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afpchl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akbelbpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdajpf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgdpgqgg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abbjbnoq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akmlacdn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aehmoh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anpahn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkdbab32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pabncj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aijfihip.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afpchl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aehmoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anpahn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oheppe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pelnniga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aijfihip.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aioodg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcmjpd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pelnniga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgfmlp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akmlacdn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phocfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opmhqc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdajpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Phocfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Panehkaj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Podbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akbelbpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdhqpe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqanke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Podbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pofomolo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqhkdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aioodg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkdbab32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqhkdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgdpgqgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqanke32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opmhqc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdhqpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcmnaaji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abbjbnoq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ailboh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3c9ece3e13ebaeaa008b30ec19ad05a005c681da5e33b074abc3f90ec981162aN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Panehkaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ailboh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abgdnm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abgdnm32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 28 IoCs

pid	Process
1760	Oheppe32.exe
2192	Opmhqc32.exe
2964	Panehkaj.exe
3048	Pelnniga.exe
3032	Podbgo32.exe
2652	Pabncj32.exe
2400	Pdajpf32.exe
2024	Pofomolo.exe
1356	Pqhkdg32.exe
2868	Phocfd32.exe
2864	Pgdpgqgg.exe
448	Qdhqpe32.exe
1180	Qgfmlp32.exe
588	Qcmnaaji.exe
2156	Aijfihip.exe
1228	Aqanke32.exe
1692	Abbjbnoq.exe
916	Ailboh32.exe
2640	Afpchl32.exe
2360	Aioodg32.exe
2576	Akmlacdn.exe
1996	Abgdnm32.exe
2200	Aehmoh32.exe
484	Akbelbpi.exe
2756	Anpahn32.exe
2168	Bcmjpd32.exe
1748	Bkdbab32.exe
2820	Bmenijcd.exe

Loads dropped DLL 60 IoCs

pid	Process
2296	3c9ece3e13ebaeaa008b30ec19ad05a005c681da5e33b074abc3f90ec981162aN.exe
2296	3c9ece3e13ebaeaa008b30ec19ad05a005c681da5e33b074abc3f90ec981162aN.exe
1760	Oheppe32.exe
1760	Oheppe32.exe
2192	Opmhqc32.exe
2192	Opmhqc32.exe
2964	Panehkaj.exe
2964	Panehkaj.exe
3048	Pelnniga.exe
3048	Pelnniga.exe
3032	Podbgo32.exe
3032	Podbgo32.exe
2652	Pabncj32.exe
2652	Pabncj32.exe
2400	Pdajpf32.exe
2400	Pdajpf32.exe
2024	Pofomolo.exe
2024	Pofomolo.exe
1356	Pqhkdg32.exe
1356	Pqhkdg32.exe
2868	Phocfd32.exe
2868	Phocfd32.exe
2864	Pgdpgqgg.exe
2864	Pgdpgqgg.exe
448	Qdhqpe32.exe
448	Qdhqpe32.exe
1180	Qgfmlp32.exe
1180	Qgfmlp32.exe
588	Qcmnaaji.exe
588	Qcmnaaji.exe
2156	Aijfihip.exe
2156	Aijfihip.exe
1228	Aqanke32.exe
1228	Aqanke32.exe
1692	Abbjbnoq.exe
1692	Abbjbnoq.exe
916	Ailboh32.exe
916	Ailboh32.exe
2640	Afpchl32.exe
2640	Afpchl32.exe
2360	Aioodg32.exe
2360	Aioodg32.exe
2576	Akmlacdn.exe
2576	Akmlacdn.exe
1996	Abgdnm32.exe
1996	Abgdnm32.exe
2200	Aehmoh32.exe
2200	Aehmoh32.exe
484	Akbelbpi.exe
484	Akbelbpi.exe
2756	Anpahn32.exe
2756	Anpahn32.exe
2168	Bcmjpd32.exe
2168	Bcmjpd32.exe
1748	Bkdbab32.exe
1748	Bkdbab32.exe
2904	WerFault.exe
2904	WerFault.exe
2904	WerFault.exe
2904	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Abbjbnoq.exe	Aqanke32.exe
File created	C:\Windows\SysWOW64\Ailboh32.exe	Abbjbnoq.exe
File created	C:\Windows\SysWOW64\Inmfkm32.dll	Ailboh32.exe
File created	C:\Windows\SysWOW64\Bmenijcd.exe	Bkdbab32.exe
File created	C:\Windows\SysWOW64\Pelnniga.exe	Panehkaj.exe
File created	C:\Windows\SysWOW64\Foefccmp.dll	Podbgo32.exe
File opened for modification	C:\Windows\SysWOW64\Aqanke32.exe	Aijfihip.exe
File created	C:\Windows\SysWOW64\Aioodg32.exe	Afpchl32.exe
File created	C:\Windows\SysWOW64\Abgdnm32.exe	Akmlacdn.exe
File opened for modification	C:\Windows\SysWOW64\Pelnniga.exe	Panehkaj.exe
File created	C:\Windows\SysWOW64\Jbcimj32.dll	Pabncj32.exe
File opened for modification	C:\Windows\SysWOW64\Qdhqpe32.exe	Pgdpgqgg.exe
File created	C:\Windows\SysWOW64\Egdljhhj.dll	Pdajpf32.exe
File created	C:\Windows\SysWOW64\Phocfd32.exe	Pqhkdg32.exe
File created	C:\Windows\SysWOW64\Fcdcfmgg.dll	Aioodg32.exe
File opened for modification	C:\Windows\SysWOW64\Bcmjpd32.exe	Anpahn32.exe
File created	C:\Windows\SysWOW64\Cdhbbpkh.dll	Oheppe32.exe
File created	C:\Windows\SysWOW64\Akgdjm32.dll	Pelnniga.exe
File opened for modification	C:\Windows\SysWOW64\Pabncj32.exe	Podbgo32.exe
File created	C:\Windows\SysWOW64\Pofomolo.exe	Pdajpf32.exe
File opened for modification	C:\Windows\SysWOW64\Akbelbpi.exe	Aehmoh32.exe
File created	C:\Windows\SysWOW64\Lphdbl32.dll	Akbelbpi.exe
File created	C:\Windows\SysWOW64\Opmhqc32.exe	Oheppe32.exe
File created	C:\Windows\SysWOW64\Pgdpgqgg.exe	Phocfd32.exe
File created	C:\Windows\SysWOW64\Denlga32.dll	Akmlacdn.exe
File created	C:\Windows\SysWOW64\Anpahn32.exe	Akbelbpi.exe
File created	C:\Windows\SysWOW64\Nqhblj32.dll	Opmhqc32.exe
File created	C:\Windows\SysWOW64\Qgfmlp32.exe	Qdhqpe32.exe
File created	C:\Windows\SysWOW64\Naagof32.dll	Aehmoh32.exe
File created	C:\Windows\SysWOW64\Qdhqpe32.exe	Pgdpgqgg.exe
File opened for modification	C:\Windows\SysWOW64\Akmlacdn.exe	Aioodg32.exe
File created	C:\Windows\SysWOW64\Fapapi32.dll	3c9ece3e13ebaeaa008b30ec19ad05a005c681da5e33b074abc3f90ec981162aN.exe
File created	C:\Windows\SysWOW64\Panehkaj.exe	Opmhqc32.exe
File created	C:\Windows\SysWOW64\Podbgo32.exe	Pelnniga.exe
File created	C:\Windows\SysWOW64\Akmlacdn.exe	Aioodg32.exe
File opened for modification	C:\Windows\SysWOW64\Bmenijcd.exe	Bkdbab32.exe
File created	C:\Windows\SysWOW64\Pdajpf32.exe	Pabncj32.exe
File created	C:\Windows\SysWOW64\Pidoei32.dll	Phocfd32.exe
File created	C:\Windows\SysWOW64\Aqanke32.exe	Aijfihip.exe
File created	C:\Windows\SysWOW64\Hoeqmeoo.dll	Aijfihip.exe
File opened for modification	C:\Windows\SysWOW64\Ailboh32.exe	Abbjbnoq.exe
File created	C:\Windows\SysWOW64\Kibmchmc.dll	Panehkaj.exe
File created	C:\Windows\SysWOW64\Qcmnaaji.exe	Qgfmlp32.exe
File opened for modification	C:\Windows\SysWOW64\Qcmnaaji.exe	Qgfmlp32.exe
File created	C:\Windows\SysWOW64\Hcnhpd32.dll	Qgfmlp32.exe
File opened for modification	C:\Windows\SysWOW64\Afpchl32.exe	Ailboh32.exe
File created	C:\Windows\SysWOW64\Akbelbpi.exe	Aehmoh32.exe
File created	C:\Windows\SysWOW64\Bcmjpd32.exe	Anpahn32.exe
File opened for modification	C:\Windows\SysWOW64\Opmhqc32.exe	Oheppe32.exe
File opened for modification	C:\Windows\SysWOW64\Panehkaj.exe	Opmhqc32.exe
File opened for modification	C:\Windows\SysWOW64\Podbgo32.exe	Pelnniga.exe
File created	C:\Windows\SysWOW64\Aehmoh32.exe	Abgdnm32.exe
File created	C:\Windows\SysWOW64\Omjkkb32.dll	Bcmjpd32.exe
File created	C:\Windows\SysWOW64\Ihdhmkjd.dll	Pgdpgqgg.exe
File opened for modification	C:\Windows\SysWOW64\Qgfmlp32.exe	Qdhqpe32.exe
File created	C:\Windows\SysWOW64\Aijfihip.exe	Qcmnaaji.exe
File created	C:\Windows\SysWOW64\Abbjbnoq.exe	Aqanke32.exe
File opened for modification	C:\Windows\SysWOW64\Aioodg32.exe	Afpchl32.exe
File opened for modification	C:\Windows\SysWOW64\Bkdbab32.exe	Bcmjpd32.exe
File created	C:\Windows\SysWOW64\Diflambo.dll	Bkdbab32.exe
File opened for modification	C:\Windows\SysWOW64\Pqhkdg32.exe	Pofomolo.exe
File created	C:\Windows\SysWOW64\Agefobee.dll	Pqhkdg32.exe
File opened for modification	C:\Windows\SysWOW64\Aijfihip.exe	Qcmnaaji.exe
File created	C:\Windows\SysWOW64\Jgelak32.dll	Abgdnm32.exe

Program crash 1 IoCs

pid	pid_target	Process
2904	2820	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Podbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aijfihip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkdbab32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opmhqc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phocfd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdhqpe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anpahn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmenijcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3c9ece3e13ebaeaa008b30ec19ad05a005c681da5e33b074abc3f90ec981162aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pabncj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgdpgqgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgfmlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqanke32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oheppe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Panehkaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abbjbnoq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdajpf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ailboh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aehmoh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcmnaaji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afpchl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aioodg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pelnniga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pofomolo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akmlacdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abgdnm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akbelbpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcmjpd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqhkdg32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Denlga32.dll"	Akmlacdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abgdnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naagof32.dll"	Aehmoh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	3c9ece3e13ebaeaa008b30ec19ad05a005c681da5e33b074abc3f90ec981162aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egdljhhj.dll"	Pdajpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Phocfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqanke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdcfmgg.dll"	Aioodg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oheppe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akgdjm32.dll"	Pelnniga.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Podbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihdhmkjd.dll"	Pgdpgqgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aioodg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aehmoh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	3c9ece3e13ebaeaa008b30ec19ad05a005c681da5e33b074abc3f90ec981162aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdajpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pofomolo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Phocfd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgfmlp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aijfihip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inmfkm32.dll"	Ailboh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omjkkb32.dll"	Bcmjpd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcmjpd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Podbgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aijfihip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afpchl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Akmlacdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lphdbl32.dll"	Akbelbpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afpchl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	3c9ece3e13ebaeaa008b30ec19ad05a005c681da5e33b074abc3f90ec981162aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opmhqc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kibmchmc.dll"	Panehkaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgdpgqgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppqolemj.dll"	Abbjbnoq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qcmnaaji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkdbab32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oheppe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opmhqc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Foefccmp.dll"	Podbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgdpgqgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdhqpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pabncj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdajpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aodlloep.dll"	Aqanke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abbjbnoq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apfamf32.dll"	Afpchl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aehmoh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anpahn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	3c9ece3e13ebaeaa008b30ec19ad05a005c681da5e33b074abc3f90ec981162aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddmfllng.dll"	Pofomolo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqhkdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pidoei32.dll"	Phocfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ailboh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqhblj32.dll"	Opmhqc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdhqpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgfmlp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoeqmeoo.dll"	Aijfihip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abbjbnoq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Panehkaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pelnniga.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aioodg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqanke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcmjpd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fapapi32.dll"	3c9ece3e13ebaeaa008b30ec19ad05a005c681da5e33b074abc3f90ec981162aN.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 1760	2296	3c9ece3e13ebaeaa008b30ec19ad05a005c681da5e33b074abc3f90ec981162aN.exe	30
PID 2296 wrote to memory of 1760	2296	3c9ece3e13ebaeaa008b30ec19ad05a005c681da5e33b074abc3f90ec981162aN.exe	30
PID 2296 wrote to memory of 1760	2296	3c9ece3e13ebaeaa008b30ec19ad05a005c681da5e33b074abc3f90ec981162aN.exe	30
PID 2296 wrote to memory of 1760	2296	3c9ece3e13ebaeaa008b30ec19ad05a005c681da5e33b074abc3f90ec981162aN.exe	30
PID 1760 wrote to memory of 2192	1760	Oheppe32.exe	31
PID 1760 wrote to memory of 2192	1760	Oheppe32.exe	31
PID 1760 wrote to memory of 2192	1760	Oheppe32.exe	31
PID 1760 wrote to memory of 2192	1760	Oheppe32.exe	31
PID 2192 wrote to memory of 2964	2192	Opmhqc32.exe	32
PID 2192 wrote to memory of 2964	2192	Opmhqc32.exe	32
PID 2192 wrote to memory of 2964	2192	Opmhqc32.exe	32
PID 2192 wrote to memory of 2964	2192	Opmhqc32.exe	32
PID 2964 wrote to memory of 3048	2964	Panehkaj.exe	33
PID 2964 wrote to memory of 3048	2964	Panehkaj.exe	33
PID 2964 wrote to memory of 3048	2964	Panehkaj.exe	33
PID 2964 wrote to memory of 3048	2964	Panehkaj.exe	33
PID 3048 wrote to memory of 3032	3048	Pelnniga.exe	34
PID 3048 wrote to memory of 3032	3048	Pelnniga.exe	34
PID 3048 wrote to memory of 3032	3048	Pelnniga.exe	34
PID 3048 wrote to memory of 3032	3048	Pelnniga.exe	34
PID 3032 wrote to memory of 2652	3032	Podbgo32.exe	35
PID 3032 wrote to memory of 2652	3032	Podbgo32.exe	35
PID 3032 wrote to memory of 2652	3032	Podbgo32.exe	35
PID 3032 wrote to memory of 2652	3032	Podbgo32.exe	35
PID 2652 wrote to memory of 2400	2652	Pabncj32.exe	36
PID 2652 wrote to memory of 2400	2652	Pabncj32.exe	36
PID 2652 wrote to memory of 2400	2652	Pabncj32.exe	36
PID 2652 wrote to memory of 2400	2652	Pabncj32.exe	36
PID 2400 wrote to memory of 2024	2400	Pdajpf32.exe	37
PID 2400 wrote to memory of 2024	2400	Pdajpf32.exe	37
PID 2400 wrote to memory of 2024	2400	Pdajpf32.exe	37
PID 2400 wrote to memory of 2024	2400	Pdajpf32.exe	37
PID 2024 wrote to memory of 1356	2024	Pofomolo.exe	38
PID 2024 wrote to memory of 1356	2024	Pofomolo.exe	38
PID 2024 wrote to memory of 1356	2024	Pofomolo.exe	38
PID 2024 wrote to memory of 1356	2024	Pofomolo.exe	38
PID 1356 wrote to memory of 2868	1356	Pqhkdg32.exe	39
PID 1356 wrote to memory of 2868	1356	Pqhkdg32.exe	39
PID 1356 wrote to memory of 2868	1356	Pqhkdg32.exe	39
PID 1356 wrote to memory of 2868	1356	Pqhkdg32.exe	39
PID 2868 wrote to memory of 2864	2868	Phocfd32.exe	40
PID 2868 wrote to memory of 2864	2868	Phocfd32.exe	40
PID 2868 wrote to memory of 2864	2868	Phocfd32.exe	40
PID 2868 wrote to memory of 2864	2868	Phocfd32.exe	40
PID 2864 wrote to memory of 448	2864	Pgdpgqgg.exe	41
PID 2864 wrote to memory of 448	2864	Pgdpgqgg.exe	41
PID 2864 wrote to memory of 448	2864	Pgdpgqgg.exe	41
PID 2864 wrote to memory of 448	2864	Pgdpgqgg.exe	41
PID 448 wrote to memory of 1180	448	Qdhqpe32.exe	42
PID 448 wrote to memory of 1180	448	Qdhqpe32.exe	42
PID 448 wrote to memory of 1180	448	Qdhqpe32.exe	42
PID 448 wrote to memory of 1180	448	Qdhqpe32.exe	42
PID 1180 wrote to memory of 588	1180	Qgfmlp32.exe	43
PID 1180 wrote to memory of 588	1180	Qgfmlp32.exe	43
PID 1180 wrote to memory of 588	1180	Qgfmlp32.exe	43
PID 1180 wrote to memory of 588	1180	Qgfmlp32.exe	43
PID 588 wrote to memory of 2156	588	Qcmnaaji.exe	44
PID 588 wrote to memory of 2156	588	Qcmnaaji.exe	44
PID 588 wrote to memory of 2156	588	Qcmnaaji.exe	44
PID 588 wrote to memory of 2156	588	Qcmnaaji.exe	44
PID 2156 wrote to memory of 1228	2156	Aijfihip.exe	45
PID 2156 wrote to memory of 1228	2156	Aijfihip.exe	45
PID 2156 wrote to memory of 1228	2156	Aijfihip.exe	45
PID 2156 wrote to memory of 1228	2156	Aijfihip.exe	45

C:\Users\Admin\AppData\Local\Temp\3c9ece3e13ebaeaa008b30ec19ad05a005c681da5e33b074abc3f90ec981162aN.exe
"C:\Users\Admin\AppData\Local\Temp\3c9ece3e13ebaeaa008b30ec19ad05a005c681da5e33b074abc3f90ec981162aN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\SysWOW64\Oheppe32.exe
  C:\Windows\system32\Oheppe32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Windows\SysWOW64\Opmhqc32.exe
    C:\Windows\system32\Opmhqc32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2192
  - - C:\Windows\SysWOW64\Panehkaj.exe
      C:\Windows\system32\Panehkaj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2964
    - - C:\Windows\SysWOW64\Pelnniga.exe
        
        C:\Windows\system32\Pelnniga.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3048
      - C:\Windows\SysWOW64\Podbgo32.exe
        
        C:\Windows\system32\Podbgo32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\SysWOW64\Pabncj32.exe
        
        C:\Windows\system32\Pabncj32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SysWOW64\Pdajpf32.exe
        
        C:\Windows\system32\Pdajpf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\SysWOW64\Pofomolo.exe
        
        C:\Windows\system32\Pofomolo.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\SysWOW64\Pqhkdg32.exe
        
        C:\Windows\system32\Pqhkdg32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\SysWOW64\Phocfd32.exe
        
        C:\Windows\system32\Phocfd32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\SysWOW64\Pgdpgqgg.exe
        
        C:\Windows\system32\Pgdpgqgg.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\SysWOW64\Qdhqpe32.exe
        
        C:\Windows\system32\Qdhqpe32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\SysWOW64\Qgfmlp32.exe
        
        C:\Windows\system32\Qgfmlp32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1180
        
        C:\Windows\SysWOW64\Qcmnaaji.exe
        
        C:\Windows\system32\Qcmnaaji.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:588
        
        C:\Windows\SysWOW64\Aijfihip.exe
        
        C:\Windows\system32\Aijfihip.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\SysWOW64\Aqanke32.exe
        
        C:\Windows\system32\Aqanke32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1228
        
        C:\Windows\SysWOW64\Abbjbnoq.exe
        
        C:\Windows\system32\Abbjbnoq.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1692
        
        C:\Windows\SysWOW64\Ailboh32.exe
        
        C:\Windows\system32\Ailboh32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:916
        
        C:\Windows\SysWOW64\Afpchl32.exe
        
        C:\Windows\system32\Afpchl32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2640
        
        C:\Windows\SysWOW64\Aioodg32.exe
        
        C:\Windows\system32\Aioodg32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2360
        
        C:\Windows\SysWOW64\Akmlacdn.exe
        
        C:\Windows\system32\Akmlacdn.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2576
        
        C:\Windows\SysWOW64\Abgdnm32.exe
        
        C:\Windows\system32\Abgdnm32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1996
        
        C:\Windows\SysWOW64\Aehmoh32.exe
        
        C:\Windows\system32\Aehmoh32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2200
        
        C:\Windows\SysWOW64\Akbelbpi.exe
        
        C:\Windows\system32\Akbelbpi.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:484
        
        C:\Windows\SysWOW64\Anpahn32.exe
        
        C:\Windows\system32\Anpahn32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2756
        
        C:\Windows\SysWOW64\Bcmjpd32.exe
        
        C:\Windows\system32\Bcmjpd32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\Bkdbab32.exe
        
        C:\Windows\system32\Bkdbab32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\Bmenijcd.exe
        
        C:\Windows\system32\Bmenijcd.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 140
        30⤵
        Loads dropped DLL
        Program crash
        
        PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abbjbnoq.exe

Filesize
337KB

MD5
be205f56c2619e84f6b845a3964d8624

SHA1
886c6d36c503d039abb713bddcc2e0af1ee29b04

SHA256
bc0fbfe96fed4106210afb1c4bf4d85041990004a994a684933789ff142f9836

SHA512
20b53b52cf39352ed8c241eed5158e72639ead20353d26505e75f77d2a14c5b7f9abc287b06be9be28c9d56fd41332d27d6e7c67fa17115359261abf0ef56c77

Download Submit
C:\Windows\SysWOW64\Abgdnm32.exe

Filesize
337KB

MD5
e877a598fa32bbd2f7e91f4876cf8442

SHA1
b938ea04a3af204252391a55860404bcb8c0b807

SHA256
be98ab7b2e3d4081db6e90707c36a41b648d9b703d287192701c8f2ac9a1d2ba

SHA512
cca191c8f714b5838ed0be6ee44c05051ede39b845574b5921031e7e0327c76149898073a2648ba6037cbdcbe1420da61c56134bd26f820a87e46844a50889d6

Download Submit
C:\Windows\SysWOW64\Aehmoh32.exe

Filesize
337KB

MD5
6f1f760e25dac1d2783f5c838cd300be

SHA1
3de234d194abbe3361c976ec1b52d44a9720eecd

SHA256
99ebf850067dd95bb969ac70e3bef8a0a7b7f442f0653e629ca9200e2a589903

SHA512
9aad8dac9a96af43a8b5bd930e42dfcf55aed9fc251a7b90eb204eb100c9d5774308ab25a22e1a5260f848ddbe862bcdf1c19d85207121ee32c613811d871b02

Download Submit
C:\Windows\SysWOW64\Afpchl32.exe

Filesize
337KB

MD5
8ad1bac71f5c881b9bdbf9893945db10

SHA1
cbd4b6c37e233249fcdbcc3a87ca423ca3a37f79

SHA256
fe77301a37358d2789adb8f7cef4339ec1bff3a73855ab2ff7a264546c72ad2d

SHA512
dc9d8da74e36db7e603e0274b002889e3ba770a719d4f45a6088b82ca0f1d606e399e33f1434cdf62410650f85c3bb4cbaaa988fe32fc0e381980c0e444125b4

Download Submit
C:\Windows\SysWOW64\Aijfihip.exe

Filesize
337KB

MD5
6d78ec9c692d32597167e10039eccc17

SHA1
7659add8797fc1ef1b48d7faa05e987211b6fe58

SHA256
f318f325659548b150cb97bf8cf47bfe52e4694767386f23e4d48f5ce95e4e6e

SHA512
004148dc596b6a09fe0636a2d69237e05c29ca2661f874a0afe7a831c5b23bb03205033edb445741f714a81880d0b994b2d883d7a121fa1e97d84b25c1f89bdd

Download Submit
C:\Windows\SysWOW64\Ailboh32.exe

Filesize
337KB

MD5
bae79e65217431eeb8e0f9fe772e25d1

SHA1
624ccd712066eb6f86eb872285dea3ecca59bc28

SHA256
4bccc438c57456ab9be8f1333f86d63bd309aa04512521bc5e0516415d5376d5

SHA512
831091787d020edecfee0ffe2a5d3d38feb14af9eb68ae0be87bdc9e58ee79d728ec98c8b3f7feca57f0ef014121b85dbcab1800e7b2fa9d3bb5a4194d62f6c9

Download Submit
C:\Windows\SysWOW64\Aioodg32.exe

Filesize
337KB

MD5
afbd82de39b478b04221c419254bccd3

SHA1
6a49b8cad45fb5182ac7a9dc99cce889c7d4b0e6

SHA256
2f4bfe7286e909c1b076981515db41294030ec4fc488ce22f96a314758ff6492

SHA512
157f39a1b0748799252c1e951135794b3ea8e173f31b5b5ec3434b908da61726ada241b5763cf70c8acdf35d18d14e30974928cd824cec836f0b3b717c6a1267

Download Submit
C:\Windows\SysWOW64\Akbelbpi.exe

Filesize
337KB

MD5
826df7ab2885b156706defd9e5b97aa3

SHA1
53933c78902b8c47515a0ff54f38f697295d657a

SHA256
766c127f60f21113177f0c7dda53dfcdf239b5fd75c6a129fe7bbaaddbfe6d34

SHA512
e6c70dcae0c727a0dcf71015def3342abbf403030c2efcf7a3aabcdc0eb88f8e9ba2fd5872fa580590b5845aa59b38328c6ae7859476d10e67dc22ea0faaeae5

Download Submit
C:\Windows\SysWOW64\Akmlacdn.exe

Filesize
337KB

MD5
844df95e82ffdcd73efce11652ebd9fe

SHA1
3260596c3fd5a5ecd60df07efa53a550f2dc5a2a

SHA256
1865b4a25a52f187bd7aa9344840c014d0faeebf3c1fdadcbb3ed2619cc27b02

SHA512
5fd0214d5f97c7045567b869874615bd967768c5782427e425699830a4493ba76ce167113560101c9a9b09865381c2d9356f37777abd34d1ab4aa072b7226dd3

Download Submit
C:\Windows\SysWOW64\Anpahn32.exe

Filesize
337KB

MD5
57aeaf7a0da18c39909659880f02d883

SHA1
8c4fcebeed34bde5231ac0f6770c2eece88f0c3a

SHA256
4d7b2cdda224ae41d19640a61b82e5499408a7db33c67cea79bd976e1e1695c2

SHA512
dd13d93f3c5812086c57691c77d008593b2532671faba284404bf21399d5e4cc3ecfce9bb1c5665d231c5cb51249bc30e4f2426930ec5dfae0607ffae2c5d333

Download Submit
C:\Windows\SysWOW64\Aqanke32.exe

Filesize
337KB

MD5
d6e2c9cd198a80fc2bcb31ac3ed9e60a

SHA1
25c387afa82fbaabd8e20c8fd2d3da5a489fe0a8

SHA256
b673f0785701eeb865f36bcb54a3930d5115410caa94aa14ee0c18203706326a

SHA512
ceab0bb04a133b7a4e450f082ff8c7756627e29011db3c4e8f9dded7560100468d13e67b2e76f7f2fefa71f3b8c3e99a5c79774388201a093b1879b6daa78012

Download Submit
C:\Windows\SysWOW64\Bcmjpd32.exe

Filesize
337KB

MD5
8716e4b997caafcc99a66c2f700ab9f3

SHA1
20c3b5930152e20a768d83b5c3eb544f3b0a19eb

SHA256
8b071e55b3f35430617b8c535c0e60e697a780480ebc59877383b2a3fbd11913

SHA512
f6ddbf5d820f42749d77243b91b430e391fe85f18a043161a46924f81b1650c6e4c284bd2976227ecd99272ac7d64c9f398240da161da3090df213725277c727

Download Submit
C:\Windows\SysWOW64\Bkdbab32.exe

Filesize
337KB

MD5
0d3c233274995e4169acbfdf452955d6

SHA1
613bd5da810eef2281a378d6aad4b71aa2a61884

SHA256
b48e50e62e23a36c73c77994dcda36963a4769c06ad01ace1d081780c5ad850c

SHA512
d40df468f57aa892a4b4a77bb9eed7ed9d3da08ab36c2fe3c1a4291c562384ce9c5b4dbd246e82cb62878d98a0f02ce44e191a4cac90edcade24d5c0a5bfa816

Download Submit
C:\Windows\SysWOW64\Bmenijcd.exe

Filesize
337KB

MD5
9556ad501d45302ce8c6480a93e5e0aa

SHA1
b9b9fb71e630e89f80c18ff80953a6707dd6daa7

SHA256
fb878152bd6cf68da3fbef09dc0444940499b43d037767a23c62b280bafd96ac

SHA512
529380185224459edaf00910205ae45e4ec41d37b0696da4c2e7168a94e850a84041fef71647a4227c4d9fed5d34fe942e008bbbd304311d27923003f73c57fe

Download Submit
C:\Windows\SysWOW64\Opmhqc32.exe

Filesize
337KB

MD5
8c65c9da3a784739430e72ccd99592e6

SHA1
6f09802db824ce434520a9531f2ecd31388c94ee

SHA256
8e1194c7c19713e5e1cef2b21b11b8de9b41531b4af279ed30e3063d02e638bc

SHA512
04b59c44663fa68ebdce9f3fcba8dd0dc2ad53272180b236c9ff66e8dfa08cb276f75f0418a019759a2d55fc4696cb59e0c773711e4bfc5aaaf03debf2695913

Download Submit
C:\Windows\SysWOW64\Pabncj32.exe

Filesize
337KB

MD5
d6e9b30d6a013c536e5faff5da68982d

SHA1
d2d8432bcf7000ed1cd095aa1c6946f77e6ca754

SHA256
93f37c7fbe76290dbf53beddbbd8c164dc4a616f105b268e29a6a7a4673bc616

SHA512
e72531a9fea4f8e127a43d758e12c055d0b625cbd7fb67a879cb3e8ea6bf920a9a363fd856e769dfb70b4ccdb2d7b435c44715c22319b6c4c6e261dbe296f6b7

Download Submit
C:\Windows\SysWOW64\Pdajpf32.exe

Filesize
337KB

MD5
86293b7da5762fed68e3b0452e8fe065

SHA1
5f32d64cb087132d0ae922b45979fd7b78807f1d

SHA256
56c14673dccaa58fde517dad3383418713bbb34b900abb1e4376d35a641f1438

SHA512
37d86c4dfeeca9f6506a22e8a52b06da631dacb3403d1a60b401e8e5a572e53bf52a505a9712936dbf1eaa7f4bf66093526f8369749b17280950e7a71881d986

Download Submit
C:\Windows\SysWOW64\Pofomolo.exe

Filesize
337KB

MD5
f919a388591c0953318f74acdc8218c9

SHA1
c1c047500ffe9df969c997ec10f0a0462deef4eb

SHA256
966c90a12583f02a366d937526f7f69e3d8eb8289413cc543cdaf708336eb78d

SHA512
edbe34c8f4d160da093c507fb6a33814c5825abbcf9ec4ec87c12852055804ee386a6ac249282b7d0f1386b2a92f12a71d184dbd2d314445d9ff8a068fa6ef84

Download Submit
C:\Windows\SysWOW64\Pqhkdg32.exe

Filesize
337KB

MD5
ca17d494868ce846ba60f4696600d268

SHA1
0737caa146bddb1de5b7c25039c0c521ba3c5db2

SHA256
885daf916e25e6f17af9732dec004c1edf838ec2450c7854b4a0753d0dde35dd

SHA512
d2473d496deac5720ec980c23b011944c769eb6828d21cb68041e3007899c1cd74584a82ee7ff878f2ec33446450d07260b30d1684e81ed1e86cc1cf6a99fc65

Download Submit
C:\Windows\SysWOW64\Qcmnaaji.exe

Filesize
337KB

MD5
eec65a31fd902d057e37b6fc6ddd0912

SHA1
f4ccf5026d80cd80a6ba7e42b9a965e01925b9a6

SHA256
245380e0764d4a0aafbd1ef514c5c0705687f90a653439d81f0a5bfb42610e53

SHA512
8af0f9ea7bb5d932c2d3ba4511c7855bf4a5593a6900caf80854d907091ad1cac62bf276e1cb2f86b74a3074054a3bbb275b9dbdbfaf70d95e6aa2c250d0c480

Download Submit
\Windows\SysWOW64\Oheppe32.exe

Filesize
337KB

MD5
a19acba10fd56c6c6b731db53a2381fd

SHA1
56d105b3951c7ec7041d4f473cdf5160c84119a2

SHA256
c322418130ac4b59968d4ba720c528915f50719624798a5f8083f53ce2f4d5d3

SHA512
948aa1e667b482271d3bcf8b5e1eb8f18a33336367d135456f372d94253656c88688a57cfca266aad3e792ab6b5309326b2d900f67777a7ab46494c6de696f75

Download Submit
\Windows\SysWOW64\Panehkaj.exe

Filesize
337KB

MD5
3b672d84e3261985cd96f020aa5d88d9

SHA1
8c077925000ac41654f05ea26ed22d02ce3fb05a

SHA256
bedb29c2f7020988ea7d54aaad2bd44dcc7c731a38c427df45fb298020300f7c

SHA512
47f79971d419de634a4775b93fe3e89bbc72b7067799b8779770441ba1cf05380e3e64c2e84a7ca26727c6984c4eea3c87be27bb221d78602acca8024a7bbb78

Download Submit
\Windows\SysWOW64\Pelnniga.exe

Filesize
337KB

MD5
87e0bd100a02066b39a1a8af6719b6a1

SHA1
0956707f240b036b3ba0acde0fbf12c0852f3622

SHA256
60ac311eabd8eb542ae66ad5eed45b09ccdffeafdabad27d1a167e9149d9d258

SHA512
e73fb43a634d48d67b8de7c9a19ea4e3237094bd334a00a1f6857ef0a1607264f39c72768693e6e802553483b168eba69cb2fc1b26531e3b72da46bf0a37efef

Download Submit
\Windows\SysWOW64\Pgdpgqgg.exe

Filesize
337KB

MD5
2371114a35cb5f98537b4da74a5eb441

SHA1
3850aa072d53f1c93aa7b19bab1472ea23422adb

SHA256
f11246b5df471c2a9862e0d437d18ef726c91cfbdc161b29e969d6e0052f1a84

SHA512
053ad9920dbbb4c706bb62ce05e85a2971bcc1eacd59cf9902f2bf96716004455b552be77988f7ab9a0246654ce9b554bc65f299fb659ff1ab3399eb0fc22647

Download Submit
\Windows\SysWOW64\Phocfd32.exe

Filesize
337KB

MD5
c291ae5b57729ef736bc930ba14026c0

SHA1
aaea4481c1eca1fb88f0baa9806a23c8a8fcf16d

SHA256
e88b158a1e855cc9a9dc2adfd84fb13b46efe3921e48e7ae176178e2e2deb47b

SHA512
3bd209c53f9c0ae452b07a5d352a8e8650beda82d2c05c0b818ac20d81f4b2434cb4e648d49952d95582de800568203f8abc3d1dc3f95e799854e5aebe686192

Download Submit
\Windows\SysWOW64\Podbgo32.exe

Filesize
337KB

MD5
b69e76426db2d4e5da8045435bfe1c0f

SHA1
1b46517ef86c5ba91afed989a81e5daf62b2d0e1

SHA256
c2d8b394a13c8f6b3f7038387fd7ea6667cffe9097fcfec00d5ecf60a95f6554

SHA512
949ccab922d95ec89169deeff13f20730b71f80c947ca15bb13bbbd98b005ac59ea748ff5fcd9c30c0a83c9f32367742db5539942c666f12b447bf67bfe7d180

Download Submit
\Windows\SysWOW64\Qdhqpe32.exe

Filesize
337KB

MD5
5eea9491b9cc485a61a0e8de5b02a8fd

SHA1
fd75d7d035c065abbf1bb904d1bd20af35da1094

SHA256
e98ff9e29b85c3f06c9381fd5a123b4c86d09eab0f4c88b12c957f0ba18730e1

SHA512
6434cd5e56bbdcc3222647e9d5b01b126b0b947288d3d81b387a7a6440d11cefe9d11251f1e47e0574b8474bcca109d599c26bfe15de3ac5d53a01196b7e3982

Download Submit
\Windows\SysWOW64\Qgfmlp32.exe

Filesize
337KB

MD5
49bc5076c4cb3f641e34262f0018059e

SHA1
38a9d90ce54d1039756286810442a31fae426111

SHA256
840a0d6662cf3f844997bdca34276bf9ea10f40251411006f8a6d88ea47274da

SHA512
ccd5a2089cb9bcd6a7d3a50699c0405fe1bb66efa2bbf17d208073e3ccb61a32d2ebcba24d84d44cb8dc010dc5ae9a0cecd7cd3f74920e29475748252b53704a

Download Submit
memory/448-375-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/448-170-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/484-304-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/484-308-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/484-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/484-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/588-202-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/588-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/916-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/916-246-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1180-184-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1180-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1180-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1228-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1228-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1228-227-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1356-379-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1356-129-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/1692-228-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1692-237-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/1692-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1748-341-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/1748-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1748-337-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/1748-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1760-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1760-392-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1996-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1996-286-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1996-277-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2024-108-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2024-381-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2024-121-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2156-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2156-211-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2156-203-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2168-329-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2168-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2168-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2168-331-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2192-40-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2192-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2200-297-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2200-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2200-361-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2200-296-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2296-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2296-12-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2296-393-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2296-13-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2360-263-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2360-267-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2360-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2400-102-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2400-94-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2400-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2576-272-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2576-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2640-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2640-257-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2640-247-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2640-253-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2652-398-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2652-92-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2756-319-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2756-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2756-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2756-315-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2820-373-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2820-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2864-157-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2864-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2864-397-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2868-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2868-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2868-147-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2964-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-48-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/3032-75-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/3032-387-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-62-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads