berbew | 044634d4973f70d9064b2fcb196e4c19cdf17c0dbe3d77aefcc9922eff8d59d6

Analysis

max time kernel
16s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
20/11/2024, 05:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

044634d4973f70d9064b2fcb196e4c19cdf17c0dbe3d77aefcc9922eff8d59d6.exe
Size

111KB
MD5

4828f60064a9d92af71ec4b63517eff1
SHA1

3a61507c657d3e5433bb59b7d3c224f486d81c0b
SHA256

044634d4973f70d9064b2fcb196e4c19cdf17c0dbe3d77aefcc9922eff8d59d6
SHA512

e228d522c9fb3ccbefdeda09c24fa60bab2687fb676f80835b23249729886ff0ea4fec20ed9c417726f572f8452d12d721095b3ac979d12f49d02c825d3175b0
SSDEEP

3072:WYG3zIWdtKjCWbNjH0neDw0v0wnJcefSXQHPTTAkvB5DdR:XGD/0JbNjH0eFtnJfKXqPTX7D7

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 36 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Papank32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Phjjkefd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pqjhjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qckalamk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amhopfof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acbglq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoihaa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abgdnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Agfikc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pkkblp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Acpjga32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agfikc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aoihaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Abgdnm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	044634d4973f70d9064b2fcb196e4c19cdf17c0dbe3d77aefcc9922eff8d59d6.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phjjkefd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Phmfpddb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgacaaij.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqjhjf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qckalamk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Papank32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phmfpddb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qnpeijla.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aijfihip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Acbglq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkkblp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnpeijla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aijfihip.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acpjga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Phhmeehg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pgacaaij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	044634d4973f70d9064b2fcb196e4c19cdf17c0dbe3d77aefcc9922eff8d59d6.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phhmeehg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amhopfof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aialjgbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aialjgbh.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 18 IoCs

pid	Process
300	Phhmeehg.exe
2192	Papank32.exe
2964	Phjjkefd.exe
3048	Phmfpddb.exe
2676	Pkkblp32.exe
2656	Pgacaaij.exe
2696	Pqjhjf32.exe
1108	Qckalamk.exe
2428	Qnpeijla.exe
1588	Aijfihip.exe
2872	Acpjga32.exe
448	Amhopfof.exe
3000	Acbglq32.exe
588	Aoihaa32.exe
2496	Abgdnm32.exe
2216	Aialjgbh.exe
2276	Agfikc32.exe
1644	Bmenijcd.exe

Loads dropped DLL 40 IoCs

pid	Process
2296	044634d4973f70d9064b2fcb196e4c19cdf17c0dbe3d77aefcc9922eff8d59d6.exe
2296	044634d4973f70d9064b2fcb196e4c19cdf17c0dbe3d77aefcc9922eff8d59d6.exe
300	Phhmeehg.exe
300	Phhmeehg.exe
2192	Papank32.exe
2192	Papank32.exe
2964	Phjjkefd.exe
2964	Phjjkefd.exe
3048	Phmfpddb.exe
3048	Phmfpddb.exe
2676	Pkkblp32.exe
2676	Pkkblp32.exe
2656	Pgacaaij.exe
2656	Pgacaaij.exe
2696	Pqjhjf32.exe
2696	Pqjhjf32.exe
1108	Qckalamk.exe
1108	Qckalamk.exe
2428	Qnpeijla.exe
2428	Qnpeijla.exe
1588	Aijfihip.exe
1588	Aijfihip.exe
2872	Acpjga32.exe
2872	Acpjga32.exe
448	Amhopfof.exe
448	Amhopfof.exe
3000	Acbglq32.exe
3000	Acbglq32.exe
588	Aoihaa32.exe
588	Aoihaa32.exe
2496	Abgdnm32.exe
2496	Abgdnm32.exe
2216	Aialjgbh.exe
2216	Aialjgbh.exe
2276	Agfikc32.exe
2276	Agfikc32.exe
1556	WerFault.exe
1556	WerFault.exe
1556	WerFault.exe
1556	WerFault.exe

Drops file in System32 directory 54 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ajdnie32.dll	044634d4973f70d9064b2fcb196e4c19cdf17c0dbe3d77aefcc9922eff8d59d6.exe
File opened for modification	C:\Windows\SysWOW64\Pqjhjf32.exe	Pgacaaij.exe
File created	C:\Windows\SysWOW64\Diflambo.dll	Agfikc32.exe
File created	C:\Windows\SysWOW64\Bmenijcd.exe	Agfikc32.exe
File created	C:\Windows\SysWOW64\Cfjjhnge.dll	Qnpeijla.exe
File created	C:\Windows\SysWOW64\Amhopfof.exe	Acpjga32.exe
File opened for modification	C:\Windows\SysWOW64\Amhopfof.exe	Acpjga32.exe
File created	C:\Windows\SysWOW64\Denlga32.dll	Aoihaa32.exe
File created	C:\Windows\SysWOW64\Einkkn32.dll	Phjjkefd.exe
File created	C:\Windows\SysWOW64\Hnjfjm32.dll	Phmfpddb.exe
File created	C:\Windows\SysWOW64\Qckalamk.exe	Pqjhjf32.exe
File created	C:\Windows\SysWOW64\Aijfihip.exe	Qnpeijla.exe
File created	C:\Windows\SysWOW64\Phhmeehg.exe	044634d4973f70d9064b2fcb196e4c19cdf17c0dbe3d77aefcc9922eff8d59d6.exe
File opened for modification	C:\Windows\SysWOW64\Aijfihip.exe	Qnpeijla.exe
File opened for modification	C:\Windows\SysWOW64\Aialjgbh.exe	Abgdnm32.exe
File opened for modification	C:\Windows\SysWOW64\Phhmeehg.exe	044634d4973f70d9064b2fcb196e4c19cdf17c0dbe3d77aefcc9922eff8d59d6.exe
File created	C:\Windows\SysWOW64\Cimjoaod.dll	Phhmeehg.exe
File created	C:\Windows\SysWOW64\Acpjga32.exe	Aijfihip.exe
File created	C:\Windows\SysWOW64\Acbglq32.exe	Amhopfof.exe
File created	C:\Windows\SysWOW64\Dcemgk32.dll	Abgdnm32.exe
File opened for modification	C:\Windows\SysWOW64\Bmenijcd.exe	Agfikc32.exe
File opened for modification	C:\Windows\SysWOW64\Phjjkefd.exe	Papank32.exe
File created	C:\Windows\SysWOW64\Dlbloflp.dll	Papank32.exe
File created	C:\Windows\SysWOW64\Pkmnfogl.dll	Pgacaaij.exe
File opened for modification	C:\Windows\SysWOW64\Abgdnm32.exe	Aoihaa32.exe
File created	C:\Windows\SysWOW64\Pjmgop32.dll	Amhopfof.exe
File opened for modification	C:\Windows\SysWOW64\Acpjga32.exe	Aijfihip.exe
File created	C:\Windows\SysWOW64\Pkkblp32.exe	Phmfpddb.exe
File opened for modification	C:\Windows\SysWOW64\Pkkblp32.exe	Phmfpddb.exe
File created	C:\Windows\SysWOW64\Phmfpddb.exe	Phjjkefd.exe
File created	C:\Windows\SysWOW64\Ejbmjalg.dll	Acbglq32.exe
File created	C:\Windows\SysWOW64\Aialjgbh.exe	Abgdnm32.exe
File opened for modification	C:\Windows\SysWOW64\Acbglq32.exe	Amhopfof.exe
File opened for modification	C:\Windows\SysWOW64\Pgacaaij.exe	Pkkblp32.exe
File opened for modification	C:\Windows\SysWOW64\Qnpeijla.exe	Qckalamk.exe
File created	C:\Windows\SysWOW64\Biepbeqa.dll	Qckalamk.exe
File opened for modification	C:\Windows\SysWOW64\Papank32.exe	Phhmeehg.exe
File opened for modification	C:\Windows\SysWOW64\Aoihaa32.exe	Acbglq32.exe
File opened for modification	C:\Windows\SysWOW64\Agfikc32.exe	Aialjgbh.exe
File created	C:\Windows\SysWOW64\Mikelp32.dll	Acpjga32.exe
File created	C:\Windows\SysWOW64\Abgdnm32.exe	Aoihaa32.exe
File created	C:\Windows\SysWOW64\Agfikc32.exe	Aialjgbh.exe
File created	C:\Windows\SysWOW64\Ddgoncih.dll	Pqjhjf32.exe
File created	C:\Windows\SysWOW64\Lbdcfl32.dll	Aijfihip.exe
File created	C:\Windows\SysWOW64\Papank32.exe	Phhmeehg.exe
File created	C:\Windows\SysWOW64\Phjjkefd.exe	Papank32.exe
File created	C:\Windows\SysWOW64\Pgacaaij.exe	Pkkblp32.exe
File created	C:\Windows\SysWOW64\Pqjhjf32.exe	Pgacaaij.exe
File opened for modification	C:\Windows\SysWOW64\Phmfpddb.exe	Phjjkefd.exe
File opened for modification	C:\Windows\SysWOW64\Qckalamk.exe	Pqjhjf32.exe
File created	C:\Windows\SysWOW64\Okcnkb32.dll	Aialjgbh.exe
File created	C:\Windows\SysWOW64\Aoihaa32.exe	Acbglq32.exe
File created	C:\Windows\SysWOW64\Klhejn32.dll	Pkkblp32.exe
File created	C:\Windows\SysWOW64\Qnpeijla.exe	Qckalamk.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1556	1644	WerFault.exe	47

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgacaaij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnpeijla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acbglq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phmfpddb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qckalamk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acpjga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoihaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abgdnm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmenijcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Papank32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkkblp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqjhjf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aijfihip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	044634d4973f70d9064b2fcb196e4c19cdf17c0dbe3d77aefcc9922eff8d59d6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phhmeehg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phjjkefd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amhopfof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aialjgbh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agfikc32.exe

Modifies registry class 57 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pgacaaij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddgoncih.dll"	Pqjhjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qnpeijla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aijfihip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Acpjga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Phjjkefd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnjfjm32.dll"	Phmfpddb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pkkblp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Acpjga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Abgdnm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Phjjkefd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aialjgbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mikelp32.dll"	Acpjga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Denlga32.dll"	Aoihaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjmgop32.dll"	Amhopfof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aialjgbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Agfikc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pkkblp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klhejn32.dll"	Pkkblp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qnpeijla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfjjhnge.dll"	Qnpeijla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cimjoaod.dll"	Phhmeehg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Amhopfof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Amhopfof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pgacaaij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aijfihip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Acbglq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	044634d4973f70d9064b2fcb196e4c19cdf17c0dbe3d77aefcc9922eff8d59d6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Phhmeehg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Phhmeehg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aoihaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Abgdnm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	044634d4973f70d9064b2fcb196e4c19cdf17c0dbe3d77aefcc9922eff8d59d6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Phmfpddb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qckalamk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcemgk32.dll"	Abgdnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pqjhjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diflambo.dll"	Agfikc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Agfikc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Einkkn32.dll"	Phjjkefd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbdcfl32.dll"	Aijfihip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Acbglq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	044634d4973f70d9064b2fcb196e4c19cdf17c0dbe3d77aefcc9922eff8d59d6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	044634d4973f70d9064b2fcb196e4c19cdf17c0dbe3d77aefcc9922eff8d59d6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okcnkb32.dll"	Aialjgbh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qckalamk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biepbeqa.dll"	Qckalamk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejbmjalg.dll"	Acbglq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmnfogl.dll"	Pgacaaij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pqjhjf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	044634d4973f70d9064b2fcb196e4c19cdf17c0dbe3d77aefcc9922eff8d59d6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Papank32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlbloflp.dll"	Papank32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aoihaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajdnie32.dll"	044634d4973f70d9064b2fcb196e4c19cdf17c0dbe3d77aefcc9922eff8d59d6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Papank32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Phmfpddb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 300	2296	044634d4973f70d9064b2fcb196e4c19cdf17c0dbe3d77aefcc9922eff8d59d6.exe	30
PID 2296 wrote to memory of 300	2296	044634d4973f70d9064b2fcb196e4c19cdf17c0dbe3d77aefcc9922eff8d59d6.exe	30
PID 2296 wrote to memory of 300	2296	044634d4973f70d9064b2fcb196e4c19cdf17c0dbe3d77aefcc9922eff8d59d6.exe	30
PID 2296 wrote to memory of 300	2296	044634d4973f70d9064b2fcb196e4c19cdf17c0dbe3d77aefcc9922eff8d59d6.exe	30
PID 300 wrote to memory of 2192	300	Phhmeehg.exe	31
PID 300 wrote to memory of 2192	300	Phhmeehg.exe	31
PID 300 wrote to memory of 2192	300	Phhmeehg.exe	31
PID 300 wrote to memory of 2192	300	Phhmeehg.exe	31
PID 2192 wrote to memory of 2964	2192	Papank32.exe	32
PID 2192 wrote to memory of 2964	2192	Papank32.exe	32
PID 2192 wrote to memory of 2964	2192	Papank32.exe	32
PID 2192 wrote to memory of 2964	2192	Papank32.exe	32
PID 2964 wrote to memory of 3048	2964	Phjjkefd.exe	33
PID 2964 wrote to memory of 3048	2964	Phjjkefd.exe	33
PID 2964 wrote to memory of 3048	2964	Phjjkefd.exe	33
PID 2964 wrote to memory of 3048	2964	Phjjkefd.exe	33
PID 3048 wrote to memory of 2676	3048	Phmfpddb.exe	34
PID 3048 wrote to memory of 2676	3048	Phmfpddb.exe	34
PID 3048 wrote to memory of 2676	3048	Phmfpddb.exe	34
PID 3048 wrote to memory of 2676	3048	Phmfpddb.exe	34
PID 2676 wrote to memory of 2656	2676	Pkkblp32.exe	35
PID 2676 wrote to memory of 2656	2676	Pkkblp32.exe	35
PID 2676 wrote to memory of 2656	2676	Pkkblp32.exe	35
PID 2676 wrote to memory of 2656	2676	Pkkblp32.exe	35
PID 2656 wrote to memory of 2696	2656	Pgacaaij.exe	36
PID 2656 wrote to memory of 2696	2656	Pgacaaij.exe	36
PID 2656 wrote to memory of 2696	2656	Pgacaaij.exe	36
PID 2656 wrote to memory of 2696	2656	Pgacaaij.exe	36
PID 2696 wrote to memory of 1108	2696	Pqjhjf32.exe	37
PID 2696 wrote to memory of 1108	2696	Pqjhjf32.exe	37
PID 2696 wrote to memory of 1108	2696	Pqjhjf32.exe	37
PID 2696 wrote to memory of 1108	2696	Pqjhjf32.exe	37
PID 1108 wrote to memory of 2428	1108	Qckalamk.exe	38
PID 1108 wrote to memory of 2428	1108	Qckalamk.exe	38
PID 1108 wrote to memory of 2428	1108	Qckalamk.exe	38
PID 1108 wrote to memory of 2428	1108	Qckalamk.exe	38
PID 2428 wrote to memory of 1588	2428	Qnpeijla.exe	39
PID 2428 wrote to memory of 1588	2428	Qnpeijla.exe	39
PID 2428 wrote to memory of 1588	2428	Qnpeijla.exe	39
PID 2428 wrote to memory of 1588	2428	Qnpeijla.exe	39
PID 1588 wrote to memory of 2872	1588	Aijfihip.exe	40
PID 1588 wrote to memory of 2872	1588	Aijfihip.exe	40
PID 1588 wrote to memory of 2872	1588	Aijfihip.exe	40
PID 1588 wrote to memory of 2872	1588	Aijfihip.exe	40
PID 2872 wrote to memory of 448	2872	Acpjga32.exe	41
PID 2872 wrote to memory of 448	2872	Acpjga32.exe	41
PID 2872 wrote to memory of 448	2872	Acpjga32.exe	41
PID 2872 wrote to memory of 448	2872	Acpjga32.exe	41
PID 448 wrote to memory of 3000	448	Amhopfof.exe	42
PID 448 wrote to memory of 3000	448	Amhopfof.exe	42
PID 448 wrote to memory of 3000	448	Amhopfof.exe	42
PID 448 wrote to memory of 3000	448	Amhopfof.exe	42
PID 3000 wrote to memory of 588	3000	Acbglq32.exe	43
PID 3000 wrote to memory of 588	3000	Acbglq32.exe	43
PID 3000 wrote to memory of 588	3000	Acbglq32.exe	43
PID 3000 wrote to memory of 588	3000	Acbglq32.exe	43
PID 588 wrote to memory of 2496	588	Aoihaa32.exe	44
PID 588 wrote to memory of 2496	588	Aoihaa32.exe	44
PID 588 wrote to memory of 2496	588	Aoihaa32.exe	44
PID 588 wrote to memory of 2496	588	Aoihaa32.exe	44
PID 2496 wrote to memory of 2216	2496	Abgdnm32.exe	45
PID 2496 wrote to memory of 2216	2496	Abgdnm32.exe	45
PID 2496 wrote to memory of 2216	2496	Abgdnm32.exe	45
PID 2496 wrote to memory of 2216	2496	Abgdnm32.exe	45

C:\Users\Admin\AppData\Local\Temp\044634d4973f70d9064b2fcb196e4c19cdf17c0dbe3d77aefcc9922eff8d59d6.exe
"C:\Users\Admin\AppData\Local\Temp\044634d4973f70d9064b2fcb196e4c19cdf17c0dbe3d77aefcc9922eff8d59d6.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\SysWOW64\Phhmeehg.exe
  C:\Windows\system32\Phhmeehg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:300
- - C:\Windows\SysWOW64\Papank32.exe
    C:\Windows\system32\Papank32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2192
  - - C:\Windows\SysWOW64\Phjjkefd.exe
      C:\Windows\system32\Phjjkefd.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2964
    - - C:\Windows\SysWOW64\Phmfpddb.exe
        
        C:\Windows\system32\Phmfpddb.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3048
      - C:\Windows\SysWOW64\Pkkblp32.exe
        
        C:\Windows\system32\Pkkblp32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\SysWOW64\Pgacaaij.exe
        
        C:\Windows\system32\Pgacaaij.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\SysWOW64\Pqjhjf32.exe
        
        C:\Windows\system32\Pqjhjf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\SysWOW64\Qckalamk.exe
        
        C:\Windows\system32\Qckalamk.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1108
        
        C:\Windows\SysWOW64\Qnpeijla.exe
        
        C:\Windows\system32\Qnpeijla.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\SysWOW64\Aijfihip.exe
        
        C:\Windows\system32\Aijfihip.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\SysWOW64\Acpjga32.exe
        
        C:\Windows\system32\Acpjga32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Amhopfof.exe
        
        C:\Windows\system32\Amhopfof.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\SysWOW64\Acbglq32.exe
        
        C:\Windows\system32\Acbglq32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\SysWOW64\Aoihaa32.exe
        
        C:\Windows\system32\Aoihaa32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:588
        
        C:\Windows\SysWOW64\Abgdnm32.exe
        
        C:\Windows\system32\Abgdnm32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\SysWOW64\Aialjgbh.exe
        
        C:\Windows\system32\Aialjgbh.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Agfikc32.exe
        
        C:\Windows\system32\Agfikc32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Bmenijcd.exe
        
        C:\Windows\system32\Bmenijcd.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 140
        20⤵
        Loads dropped DLL
        Program crash
        
        PID:1556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abgdnm32.exe

Filesize
111KB

MD5
c2590f781b1a9d0bc46f2bda30745c44

SHA1
d1e82a0ba64ab4a19b7579a8138e128a678481ff

SHA256
42440eaa5c68ed1fffa7a883ffe8ccf73358978e43b18d8c67e543f2a853c5ea

SHA512
05d0ca331eaaaabaa056453a85ea720bf4540984bfdf655cd498c930a1612613d7b6cef1913d346c352ea537623d2283b52b3688c9228a18caa788cd028b0d1e

Download Submit
C:\Windows\SysWOW64\Agfikc32.exe

Filesize
111KB

MD5
ceec79a7cfec40e219fc2dbb297a8ba0

SHA1
37b052f661ffed26b6d639fe2b29f5706f934c1e

SHA256
7e87d31fb8fa0b591c0298bc1bb5683da41a5f301e9e4499ee9efe10bf5b4df0

SHA512
617c2719bdfa4e1dc854ae5c5d445e9d38307d18c72761ab5076f5bd1fa1da70e8e1b9fc971fe458d1360f2c3934a43aa5c935071d2a4635b75ef5618611793a

Download Submit
C:\Windows\SysWOW64\Bmenijcd.exe

Filesize
111KB

MD5
a4d58b66716ec73ce96f1ee240823145

SHA1
22522ba40120e2a1f63167a33a55b7711dc61cc3

SHA256
5469f6fa91b0f38176e84bc391629a4d072b7554b0e9d4aa55cc6a9ece312824

SHA512
0555ef26e032b88f6f2fbea44a356355262c86da2b03e723f8a62ccc6d863281c6a2bd31011183176f7faff5d8b63d5ae06668c91e13f2e5899195b84ba90570

Download Submit
C:\Windows\SysWOW64\Hnjfjm32.dll

Filesize
7KB

MD5
f16dc3cf780123165b36ff62facc61bf

SHA1
b357a4337f3c4fe648a6a2c688f8fae94972b1a5

SHA256
fe8c72bcad66ca85b524653973c7b4dc69bbb8c0703296ad79dd4380697bcc64

SHA512
4092319c9abcba462e1d0fab7c6b307906822990987288c8030cb1d2565ee49ee4028206b4c4657159a387a9bd88f0b334966a7b9473a25d5e10e62a5720df9f

Download Submit
C:\Windows\SysWOW64\Papank32.exe

Filesize
111KB

MD5
b72395e0b267b220365302029becd9bf

SHA1
d4d0451faccb435f6ca49a1a38733fbf46ec158e

SHA256
9af1ed8cbedaaeb57e191a72a5ab9b412d74e6fb33759590026b313ad1feb992

SHA512
1a658de93136541c7047cfe281f2f315094dc5b6cbaf1ca81ae404db919765648a1479fd3f58db7f5c3f0b9cb93ba1f2c28ed9ac3f9f9419773c5df520e1e9fb

Download Submit
C:\Windows\SysWOW64\Phjjkefd.exe

Filesize
111KB

MD5
91f9d58cf8a3ce0dbe9f2fb0db7b3bf4

SHA1
457502aa9e5b05a466a78ac803d6f9594acf78f4

SHA256
ad7145bd522b61ec526f41496e04da64e68baee3beaa891b616d8c1a9a9ad1d2

SHA512
673ade940bc920dfab43c77c39c526708513c11f66595587b1479612427cf979a79ab87f19581e2b9acfad2fbb7a9be6a0f74347ae2566cc90a66786e5fa3f3d

Download Submit
\Windows\SysWOW64\Acbglq32.exe

Filesize
111KB

MD5
251203c56ff6c11bfbbb9f3f0916365c

SHA1
3421e3408418cfa551f763043562159229a82b99

SHA256
3a034f1d0316f67ba2ffdad8285e3d8b575a0be885e816b55368a83618dca03e

SHA512
093307cec377ad6c5cdd5cadfde0bb7c84caa600230ac7d6083fd43d965d8d9f15b478cbb2736f45aad523140b6ce52fff45418c777c7731cd9cbbe5da0d5567

Download Submit
\Windows\SysWOW64\Acpjga32.exe

Filesize
111KB

MD5
a863dea00ef7a3e965174f9aa7bd3bc9

SHA1
10f4669ba118a4f81887f42466538c6c37561586

SHA256
0053086fd7bbf016f7b8fd5923085d0d4ab5f1ad76ae8a3db262ea80b935a5a7

SHA512
9a4b10bc6d6f20d24295cca6470d60b17d6c89fd55da80b801ffa9be8997b0d9beb9bec996f791feaaea847fbaee85303a0b0de1f3d78417e49a3317f65b76c4

Download Submit
\Windows\SysWOW64\Aialjgbh.exe

Filesize
111KB

MD5
743808bf4f7716356d52a5e61fcc842b

SHA1
0dc7513f7a12cbbe6906002854287bb2de13870a

SHA256
d5af09d31537acbd3e0aec976a5b45c4ba58f3d4f46a9659c25a806207feee3c

SHA512
92cb8f1566213a3ec1ffa88e6a4b50eb2032d641b4eb9751e9f5d07a4ee670aba1384822775edabadbb7f3dbcabfc533a75e9a520c11abe493386e8bca68bbb7

Download Submit
\Windows\SysWOW64\Aijfihip.exe

Filesize
111KB

MD5
f5a5814352e2ffd8c7a95f3b8ab36e56

SHA1
3ede3fca02362f1c865554ed814cb6e24249919a

SHA256
aee488c3c0be1d26053dde19ed265f636f974357896076d565ebe0ec904bd9f0

SHA512
7db348dbff03c49ae4e53801a321b0af14634a8a89a48c7f930457bd9a5cfbb67a71dd8178456ca38557eef45cf0e483b85a76946e8f74d04e8ac5fc78a4b2ca

Download Submit
\Windows\SysWOW64\Amhopfof.exe

Filesize
111KB

MD5
13944b575767f025f84c2fa483af4312

SHA1
5dc0b3b2b360af736153543150161f952e4423d8

SHA256
7638609354efb689f76abca93f48a0fc010e41058730f2d0c3969dde09519f07

SHA512
2acdb99b84706c5c8fc6792d3ba2c44f4606b4801bdc5d3030600c27f2b3de71493ef3944dcab83439423e7fd751af4003903c990a3791e3a4475173d00a2268

Download Submit
\Windows\SysWOW64\Aoihaa32.exe

Filesize
111KB

MD5
8a9498dc3a03ef4c7eb5f52a14a4caf2

SHA1
18c8d929843914708047af33506221b271e77ec7

SHA256
639b38032ff22d01a783015650190fbab0022263e110704293ca810a5d33da40

SHA512
4edff329de0bf71b7a4f8012d71d7e4b842b26fd8c3380abc5d387d6fff768a3f5a11e71bc03221397e055064b6089affcf9abd8510d839d33d3786e7ff6f80b

Download Submit
\Windows\SysWOW64\Pgacaaij.exe

Filesize
111KB

MD5
0bc7c7e351b3e29e7365f0c4124771fd

SHA1
de20e67d998917d53ff72694e2542269b5f27325

SHA256
4fdc56e165439c1ef73fd67130ec063c55818cde76bff98c272647b414c1542c

SHA512
b07ccb099e7ab72445110a86451c51835730062085622f8677e8e8439c93335cabc4e02b700c56b8ccd14f8f12b7344cde17fb90aa5593ed8d12195199f5c7c9

Download Submit
\Windows\SysWOW64\Phhmeehg.exe

Filesize
111KB

MD5
faa4466c480c900068d4b99708efd09f

SHA1
f7bfed014d4559f443ff80d32dc35f2e9ea9b3b0

SHA256
1525e238989ca59a6cfe53fa1c0b5206ce6504a9b4b2d39ddfad77842c548615

SHA512
703ced8f010224c46b6e70ecd3e00cec14224c30e28ebcbfdde498fd5f96cccdb23e65f012afed464fc12972e5bdecd5f9ca65c528da473740792c1a7d08d11a

Download Submit
\Windows\SysWOW64\Phmfpddb.exe

Filesize
111KB

MD5
76eaa36b5d053eaf818d8b21583dac13

SHA1
588dfce7d7b1fdaea817951631a5a6ab4feaeb5d

SHA256
d2149a039a92e36d5bd3e25e3b3bccdb18e6a855e9761aa306c9d85edc60c142

SHA512
bc2fdaff1bfd03ddb1b331cf35d25adcc15a041b1eff6c1af187ed562834ac18e8afd095e260a3e9029ad28c4e3638a53eb609f801fecb5ee0313d33e2f732ca

Download Submit
\Windows\SysWOW64\Pkkblp32.exe

Filesize
111KB

MD5
87e1167126167355b9f886c45a435c52

SHA1
2ea3263ed00677f33c12d4a566ae1f0522aa7010

SHA256
d9d37c43a5512f728c8c317435658498bb63c9dbd98846b0ff295584790dbca2

SHA512
40ecb23ca94592e33cdbeefb74713662c00e33e2ccd53d7f8923b8d609dc9a61ba3fac447edcf15f02139fcfa98a30b868e6f497a62d1a9dbd49c86a225df5ed

Download Submit
\Windows\SysWOW64\Pqjhjf32.exe

Filesize
111KB

MD5
dbf523ace1460876094527bcd42137e8

SHA1
17f4a8db325bf98248ee76e85e42b65758a9183b

SHA256
ffabf04d7f931f836db1d292d6670ab41532ae43d539dcaff0fbe988ccc8d455

SHA512
c926baacec11b2f688fbceccac75eb74b9f40ae75bc65ab07c5cf351e9028a9f7f8980a1bfb62ae483afef05d126bedef3399a6ed62c5e1cb9ba2c0ce0aea6e1

Download Submit
\Windows\SysWOW64\Qckalamk.exe

Filesize
111KB

MD5
0ba1b1891b6ea546012fea90896fe61e

SHA1
11607fe58765df3cad962ba6827f8c5241536c12

SHA256
d4f5076b596c8138e471390fd245a4db9c2cfe5017aec6ff93ea6ac4d6ad064f

SHA512
3fbce6980a98b4533d0818b3cb20d4b32920ce7ad4b7bad41a7497f3b69b593f9a3fa3458084da53da0d20e25ab75f3897179ef6c2bfcb9764de2f290317c4d9

Download Submit
\Windows\SysWOW64\Qnpeijla.exe

Filesize
111KB

MD5
3ab8f05ea1014e409c22c2e7d4589f48

SHA1
5d985ddcdfdf7a34ab76eb2a35162fc513ef2847

SHA256
1f577646cfbf2367bd3a6a67810c9a39c89c9452d797c02ac538d121aff0319a

SHA512
b47d55acbcccc577b6877c47fa7c3ac596214a7e7f667907a4c1abe01119b7e6ec8f97a0d2b404929fa1f27e97efbdaf70f3bee3ae3872fe8c381d697e742a09

Download Submit
memory/300-258-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/300-14-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/300-27-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/448-164-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/448-247-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/588-190-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/588-243-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1108-114-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1108-248-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1588-252-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1588-136-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1644-245-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1644-240-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2192-39-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2216-242-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2216-219-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2216-225-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2276-241-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2276-235-0x0000000000310000-0x0000000000353000-memory.dmp

Filesize
268KB

Download
memory/2276-239-0x0000000000310000-0x0000000000353000-memory.dmp

Filesize
268KB

Download
memory/2276-229-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2296-13-0x00000000002E0000-0x0000000000323000-memory.dmp

Filesize
268KB

Download
memory/2296-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2296-257-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2296-12-0x00000000002E0000-0x0000000000323000-memory.dmp

Filesize
268KB

Download
memory/2428-250-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2428-122-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2428-129-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2496-216-0x00000000002D0000-0x0000000000313000-memory.dmp

Filesize
268KB

Download
memory/2496-244-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2496-215-0x00000000002D0000-0x0000000000313000-memory.dmp

Filesize
268KB

Download
memory/2496-204-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2656-83-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2656-251-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2676-68-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2676-255-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2676-76-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2696-95-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2696-103-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2696-249-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2872-246-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2872-156-0x0000000000260000-0x00000000002A3000-memory.dmp

Filesize
268KB

Download
memory/2872-149-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2964-256-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2964-41-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2964-54-0x00000000002C0000-0x0000000000303000-memory.dmp

Filesize
268KB

Download
memory/3000-188-0x0000000000340000-0x0000000000383000-memory.dmp

Filesize
268KB

Download
memory/3000-176-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3000-254-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3048-55-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3048-253-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads