berbew | 77ced14f1635c8c7324457bbfdb47c8b6f5658b7b35304ec3447f347a4503555

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
08-12-2024 00:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77ced14f1635c8c7324457bbfdb47c8b6f5658b7b35304ec3447f347a4503555.exe
Size

78KB
MD5

58a738f37f58db9e50e7058271e83738
SHA1

71ce80628a78eee5321981ad3abb0588650dcbe2
SHA256

77ced14f1635c8c7324457bbfdb47c8b6f5658b7b35304ec3447f347a4503555
SHA512

31e732532cae3e4492799728284bc6616ded0096016d1c0019b96b5f2184630766f755e0f2889b4a147eca631f1f52adf14833cb8e3616eae165122614c02cb5
SSDEEP

1536:rTcUrrw4zsj8ekt7aSr5co+jzif46yf5oAnqDM+4yyd:DsiaSr5c1jziACuq4cyd

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 60 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	77ced14f1635c8c7324457bbfdb47c8b6f5658b7b35304ec3447f347a4503555.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhajdblk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acfaeq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmclhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmclhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfikmh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqeicede.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acpdko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfikmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agfgqo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Achojp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abphal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmagdbci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjnmlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmhideol.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bejdiffp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chkmkacq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qijdocfj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amcpie32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abphal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acpdko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgpjlnhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgpjlnhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqeicede.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acfaeq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhajdblk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cinfhigl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Achojp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnielm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bejdiffp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajpjakhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balkchpi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amelne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bajomhbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Biafnecn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chkmkacq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmagdbci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Annbhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pihgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agfgqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blobjaba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckiigmcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	77ced14f1635c8c7324457bbfdb47c8b6f5658b7b35304ec3447f347a4503555.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnielm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qijdocfj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pckoam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pckoam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pihgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Annbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bajomhbl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biafnecn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balkchpi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjnmlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajpjakhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmhideol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cinfhigl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amcpie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amelne32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 30 IoCs

pid	Process
2780	Pmagdbci.exe
2816	Pckoam32.exe
2684	Pfikmh32.exe
892	Pihgic32.exe
588	Qijdocfj.exe
2940	Qqeicede.exe
1012	Qjnmlk32.exe
1768	Acfaeq32.exe
2104	Ajpjakhc.exe
2904	Achojp32.exe
1856	Annbhi32.exe
1112	Agfgqo32.exe
1816	Amcpie32.exe
2072	Abphal32.exe
2556	Amelne32.exe
1084	Acpdko32.exe
2896	Bmhideol.exe
1444	Bnielm32.exe
1736	Bhajdblk.exe
920	Bajomhbl.exe
1228	Biafnecn.exe
2472	Blobjaba.exe
1028	Balkchpi.exe
2732	Bmclhi32.exe
3064	Bejdiffp.exe
1572	Chkmkacq.exe
1608	Ckiigmcd.exe
2744	Cgpjlnhh.exe
2644	Cinfhigl.exe
2424	Ceegmj32.exe

Loads dropped DLL 64 IoCs

pid	Process
2836	77ced14f1635c8c7324457bbfdb47c8b6f5658b7b35304ec3447f347a4503555.exe
2836	77ced14f1635c8c7324457bbfdb47c8b6f5658b7b35304ec3447f347a4503555.exe
2780	Pmagdbci.exe
2780	Pmagdbci.exe
2816	Pckoam32.exe
2816	Pckoam32.exe
2684	Pfikmh32.exe
2684	Pfikmh32.exe
892	Pihgic32.exe
892	Pihgic32.exe
588	Qijdocfj.exe
588	Qijdocfj.exe
2940	Qqeicede.exe
2940	Qqeicede.exe
1012	Qjnmlk32.exe
1012	Qjnmlk32.exe
1768	Acfaeq32.exe
1768	Acfaeq32.exe
2104	Ajpjakhc.exe
2104	Ajpjakhc.exe
2904	Achojp32.exe
2904	Achojp32.exe
1856	Annbhi32.exe
1856	Annbhi32.exe
1112	Agfgqo32.exe
1112	Agfgqo32.exe
1816	Amcpie32.exe
1816	Amcpie32.exe
2072	Abphal32.exe
2072	Abphal32.exe
2556	Amelne32.exe
2556	Amelne32.exe
1084	Acpdko32.exe
1084	Acpdko32.exe
2896	Bmhideol.exe
2896	Bmhideol.exe
1444	Bnielm32.exe
1444	Bnielm32.exe
1736	Bhajdblk.exe
1736	Bhajdblk.exe
920	Bajomhbl.exe
920	Bajomhbl.exe
1228	Biafnecn.exe
1228	Biafnecn.exe
2472	Blobjaba.exe
2472	Blobjaba.exe
1028	Balkchpi.exe
1028	Balkchpi.exe
2732	Bmclhi32.exe
2732	Bmclhi32.exe
3064	Bejdiffp.exe
3064	Bejdiffp.exe
1572	Chkmkacq.exe
1572	Chkmkacq.exe
1608	Ckiigmcd.exe
1608	Ckiigmcd.exe
2744	Cgpjlnhh.exe
2744	Cgpjlnhh.exe
2644	Cinfhigl.exe
2644	Cinfhigl.exe
572	WerFault.exe
572	WerFault.exe
572	WerFault.exe
572	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ncmdic32.dll	Pihgic32.exe
File created	C:\Windows\SysWOW64\Hkhfgj32.dll	Acfaeq32.exe
File created	C:\Windows\SysWOW64\Annbhi32.exe	Achojp32.exe
File opened for modification	C:\Windows\SysWOW64\Pfikmh32.exe	Pckoam32.exe
File created	C:\Windows\SysWOW64\Jbdipkfe.dll	Achojp32.exe
File created	C:\Windows\SysWOW64\Cgpjlnhh.exe	Ckiigmcd.exe
File created	C:\Windows\SysWOW64\Dojofhjd.dll	Ckiigmcd.exe
File created	C:\Windows\SysWOW64\Mblnbcjf.dll	Cgpjlnhh.exe
File created	C:\Windows\SysWOW64\Aoogfhfp.dll	Cinfhigl.exe
File opened for modification	C:\Windows\SysWOW64\Pmagdbci.exe	77ced14f1635c8c7324457bbfdb47c8b6f5658b7b35304ec3447f347a4503555.exe
File created	C:\Windows\SysWOW64\Ffjmmbcg.dll	Pmagdbci.exe
File created	C:\Windows\SysWOW64\Pfikmh32.exe	Pckoam32.exe
File opened for modification	C:\Windows\SysWOW64\Abphal32.exe	Amcpie32.exe
File created	C:\Windows\SysWOW64\Ecjdib32.dll	Amelne32.exe
File created	C:\Windows\SysWOW64\Biafnecn.exe	Bajomhbl.exe
File created	C:\Windows\SysWOW64\Hepiihgc.dll	Pfikmh32.exe
File created	C:\Windows\SysWOW64\Achojp32.exe	Ajpjakhc.exe
File created	C:\Windows\SysWOW64\Okbekdoi.dll	Ajpjakhc.exe
File opened for modification	C:\Windows\SysWOW64\Bajomhbl.exe	Bhajdblk.exe
File opened for modification	C:\Windows\SysWOW64\Ckiigmcd.exe	Chkmkacq.exe
File opened for modification	C:\Windows\SysWOW64\Pckoam32.exe	Pmagdbci.exe
File opened for modification	C:\Windows\SysWOW64\Qijdocfj.exe	Pihgic32.exe
File opened for modification	C:\Windows\SysWOW64\Amcpie32.exe	Agfgqo32.exe
File created	C:\Windows\SysWOW64\Bmhideol.exe	Acpdko32.exe
File created	C:\Windows\SysWOW64\Opacnnhp.dll	Balkchpi.exe
File opened for modification	C:\Windows\SysWOW64\Pihgic32.exe	Pfikmh32.exe
File created	C:\Windows\SysWOW64\Ajpjakhc.exe	Acfaeq32.exe
File created	C:\Windows\SysWOW64\Bhajdblk.exe	Bnielm32.exe
File created	C:\Windows\SysWOW64\Cifmcd32.dll	Bnielm32.exe
File created	C:\Windows\SysWOW64\Bmclhi32.exe	Balkchpi.exe
File created	C:\Windows\SysWOW64\Ceegmj32.exe	Cinfhigl.exe
File opened for modification	C:\Windows\SysWOW64\Bhajdblk.exe	Bnielm32.exe
File opened for modification	C:\Windows\SysWOW64\Balkchpi.exe	Blobjaba.exe
File created	C:\Windows\SysWOW64\Ilfila32.dll	Pckoam32.exe
File created	C:\Windows\SysWOW64\Pihgic32.exe	Pfikmh32.exe
File created	C:\Windows\SysWOW64\Qijdocfj.exe	Pihgic32.exe
File created	C:\Windows\SysWOW64\Qqeicede.exe	Qijdocfj.exe
File created	C:\Windows\SysWOW64\Imjcfnhk.dll	Qijdocfj.exe
File opened for modification	C:\Windows\SysWOW64\Agfgqo32.exe	Annbhi32.exe
File created	C:\Windows\SysWOW64\Bejdiffp.exe	Bmclhi32.exe
File created	C:\Windows\SysWOW64\Qjnmlk32.exe	Qqeicede.exe
File created	C:\Windows\SysWOW64\Ljhcccai.dll	Qjnmlk32.exe
File created	C:\Windows\SysWOW64\Ebjnie32.dll	Abphal32.exe
File created	C:\Windows\SysWOW64\Acpdko32.exe	Amelne32.exe
File opened for modification	C:\Windows\SysWOW64\Bmhideol.exe	Acpdko32.exe
File created	C:\Windows\SysWOW64\Hocjoqin.dll	Blobjaba.exe
File opened for modification	C:\Windows\SysWOW64\Cgpjlnhh.exe	Ckiigmcd.exe
File created	C:\Windows\SysWOW64\Amelne32.exe	Abphal32.exe
File created	C:\Windows\SysWOW64\Bnielm32.exe	Bmhideol.exe
File created	C:\Windows\SysWOW64\Bajomhbl.exe	Bhajdblk.exe
File created	C:\Windows\SysWOW64\Ihmnkh32.dll	Biafnecn.exe
File opened for modification	C:\Windows\SysWOW64\Bmclhi32.exe	Balkchpi.exe
File created	C:\Windows\SysWOW64\Nmmfff32.dll	Bmclhi32.exe
File created	C:\Windows\SysWOW64\Acfaeq32.exe	Qjnmlk32.exe
File created	C:\Windows\SysWOW64\Amcpie32.exe	Agfgqo32.exe
File created	C:\Windows\SysWOW64\Lfobiqka.dll	Amcpie32.exe
File created	C:\Windows\SysWOW64\Blobjaba.exe	Biafnecn.exe
File created	C:\Windows\SysWOW64\Bjpdmqog.dll	Chkmkacq.exe
File created	C:\Windows\SysWOW64\Lhnnjk32.dll	77ced14f1635c8c7324457bbfdb47c8b6f5658b7b35304ec3447f347a4503555.exe
File opened for modification	C:\Windows\SysWOW64\Ajpjakhc.exe	Acfaeq32.exe
File opened for modification	C:\Windows\SysWOW64\Achojp32.exe	Ajpjakhc.exe
File created	C:\Windows\SysWOW64\Kgfkcnlb.dll	Bejdiffp.exe
File opened for modification	C:\Windows\SysWOW64\Cinfhigl.exe	Cgpjlnhh.exe
File opened for modification	C:\Windows\SysWOW64\Qqeicede.exe	Qijdocfj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
572	2424	WerFault.exe	59

System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjnmlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bajomhbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pckoam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qijdocfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amcpie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chkmkacq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acfaeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	77ced14f1635c8c7324457bbfdb47c8b6f5658b7b35304ec3447f347a4503555.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqeicede.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmhideol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgpjlnhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Annbhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abphal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agfgqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blobjaba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bejdiffp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceegmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfikmh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajpjakhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amelne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhajdblk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balkchpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmagdbci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Achojp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnielm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biafnecn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmclhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pihgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acpdko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckiigmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinfhigl.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Balkchpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmmfff32.dll"	Bmclhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	77ced14f1635c8c7324457bbfdb47c8b6f5658b7b35304ec3447f347a4503555.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	77ced14f1635c8c7324457bbfdb47c8b6f5658b7b35304ec3447f347a4503555.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajpjakhc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acpdko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Biafnecn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abphal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckiigmcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cinfhigl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	77ced14f1635c8c7324457bbfdb47c8b6f5658b7b35304ec3447f347a4503555.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfikmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pihgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qijdocfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Annbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncmdic32.dll"	Pihgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kganqf32.dll"	Qqeicede.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ennlme32.dll"	Bmhideol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmclhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chkmkacq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pckoam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blobjaba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmclhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cinfhigl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbdipkfe.dll"	Achojp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnielm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhajdblk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opacnnhp.dll"	Balkchpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilfila32.dll"	Pckoam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qqeicede.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljhcccai.dll"	Qjnmlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agfgqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Balkchpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	77ced14f1635c8c7324457bbfdb47c8b6f5658b7b35304ec3447f347a4503555.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qqeicede.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajpjakhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cifmcd32.dll"	Bnielm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihmnkh32.dll"	Biafnecn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dojofhjd.dll"	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckiigmcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	77ced14f1635c8c7324457bbfdb47c8b6f5658b7b35304ec3447f347a4503555.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pckoam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agfgqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmpanl32.dll"	Acpdko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnielm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoogfhfp.dll"	Cinfhigl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amcpie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abphal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjpdmqog.dll"	Chkmkacq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmagdbci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amelne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmhideol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acpdko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmhideol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhbhji32.dll"	Bhajdblk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bajomhbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hocjoqin.dll"	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecjdib32.dll"	Amelne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfikmh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qijdocfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acfaeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okbekdoi.dll"	Ajpjakhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amcpie32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2836 wrote to memory of 2780	2836	77ced14f1635c8c7324457bbfdb47c8b6f5658b7b35304ec3447f347a4503555.exe	30
PID 2836 wrote to memory of 2780	2836	77ced14f1635c8c7324457bbfdb47c8b6f5658b7b35304ec3447f347a4503555.exe	30
PID 2836 wrote to memory of 2780	2836	77ced14f1635c8c7324457bbfdb47c8b6f5658b7b35304ec3447f347a4503555.exe	30
PID 2836 wrote to memory of 2780	2836	77ced14f1635c8c7324457bbfdb47c8b6f5658b7b35304ec3447f347a4503555.exe	30
PID 2780 wrote to memory of 2816	2780	Pmagdbci.exe	31
PID 2780 wrote to memory of 2816	2780	Pmagdbci.exe	31
PID 2780 wrote to memory of 2816	2780	Pmagdbci.exe	31
PID 2780 wrote to memory of 2816	2780	Pmagdbci.exe	31
PID 2816 wrote to memory of 2684	2816	Pckoam32.exe	32
PID 2816 wrote to memory of 2684	2816	Pckoam32.exe	32
PID 2816 wrote to memory of 2684	2816	Pckoam32.exe	32
PID 2816 wrote to memory of 2684	2816	Pckoam32.exe	32
PID 2684 wrote to memory of 892	2684	Pfikmh32.exe	33
PID 2684 wrote to memory of 892	2684	Pfikmh32.exe	33
PID 2684 wrote to memory of 892	2684	Pfikmh32.exe	33
PID 2684 wrote to memory of 892	2684	Pfikmh32.exe	33
PID 892 wrote to memory of 588	892	Pihgic32.exe	34
PID 892 wrote to memory of 588	892	Pihgic32.exe	34
PID 892 wrote to memory of 588	892	Pihgic32.exe	34
PID 892 wrote to memory of 588	892	Pihgic32.exe	34
PID 588 wrote to memory of 2940	588	Qijdocfj.exe	35
PID 588 wrote to memory of 2940	588	Qijdocfj.exe	35
PID 588 wrote to memory of 2940	588	Qijdocfj.exe	35
PID 588 wrote to memory of 2940	588	Qijdocfj.exe	35
PID 2940 wrote to memory of 1012	2940	Qqeicede.exe	36
PID 2940 wrote to memory of 1012	2940	Qqeicede.exe	36
PID 2940 wrote to memory of 1012	2940	Qqeicede.exe	36
PID 2940 wrote to memory of 1012	2940	Qqeicede.exe	36
PID 1012 wrote to memory of 1768	1012	Qjnmlk32.exe	37
PID 1012 wrote to memory of 1768	1012	Qjnmlk32.exe	37
PID 1012 wrote to memory of 1768	1012	Qjnmlk32.exe	37
PID 1012 wrote to memory of 1768	1012	Qjnmlk32.exe	37
PID 1768 wrote to memory of 2104	1768	Acfaeq32.exe	38
PID 1768 wrote to memory of 2104	1768	Acfaeq32.exe	38
PID 1768 wrote to memory of 2104	1768	Acfaeq32.exe	38
PID 1768 wrote to memory of 2104	1768	Acfaeq32.exe	38
PID 2104 wrote to memory of 2904	2104	Ajpjakhc.exe	39
PID 2104 wrote to memory of 2904	2104	Ajpjakhc.exe	39
PID 2104 wrote to memory of 2904	2104	Ajpjakhc.exe	39
PID 2104 wrote to memory of 2904	2104	Ajpjakhc.exe	39
PID 2904 wrote to memory of 1856	2904	Achojp32.exe	40
PID 2904 wrote to memory of 1856	2904	Achojp32.exe	40
PID 2904 wrote to memory of 1856	2904	Achojp32.exe	40
PID 2904 wrote to memory of 1856	2904	Achojp32.exe	40
PID 1856 wrote to memory of 1112	1856	Annbhi32.exe	41
PID 1856 wrote to memory of 1112	1856	Annbhi32.exe	41
PID 1856 wrote to memory of 1112	1856	Annbhi32.exe	41
PID 1856 wrote to memory of 1112	1856	Annbhi32.exe	41
PID 1112 wrote to memory of 1816	1112	Agfgqo32.exe	42
PID 1112 wrote to memory of 1816	1112	Agfgqo32.exe	42
PID 1112 wrote to memory of 1816	1112	Agfgqo32.exe	42
PID 1112 wrote to memory of 1816	1112	Agfgqo32.exe	42
PID 1816 wrote to memory of 2072	1816	Amcpie32.exe	43
PID 1816 wrote to memory of 2072	1816	Amcpie32.exe	43
PID 1816 wrote to memory of 2072	1816	Amcpie32.exe	43
PID 1816 wrote to memory of 2072	1816	Amcpie32.exe	43
PID 2072 wrote to memory of 2556	2072	Abphal32.exe	44
PID 2072 wrote to memory of 2556	2072	Abphal32.exe	44
PID 2072 wrote to memory of 2556	2072	Abphal32.exe	44
PID 2072 wrote to memory of 2556	2072	Abphal32.exe	44
PID 2556 wrote to memory of 1084	2556	Amelne32.exe	45
PID 2556 wrote to memory of 1084	2556	Amelne32.exe	45
PID 2556 wrote to memory of 1084	2556	Amelne32.exe	45
PID 2556 wrote to memory of 1084	2556	Amelne32.exe	45

C:\Users\Admin\AppData\Local\Temp\77ced14f1635c8c7324457bbfdb47c8b6f5658b7b35304ec3447f347a4503555.exe
"C:\Users\Admin\AppData\Local\Temp\77ced14f1635c8c7324457bbfdb47c8b6f5658b7b35304ec3447f347a4503555.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Windows\SysWOW64\Pmagdbci.exe
  C:\Windows\system32\Pmagdbci.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\SysWOW64\Pckoam32.exe
    C:\Windows\system32\Pckoam32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Windows\SysWOW64\Pfikmh32.exe
      C:\Windows\system32\Pfikmh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Windows\SysWOW64\Pihgic32.exe
        
        C:\Windows\system32\Pihgic32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:892
      - C:\Windows\SysWOW64\Qijdocfj.exe
        
        C:\Windows\system32\Qijdocfj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:588
        
        C:\Windows\SysWOW64\Qqeicede.exe
        
        C:\Windows\system32\Qqeicede.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\Qjnmlk32.exe
        
        C:\Windows\system32\Qjnmlk32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Windows\SysWOW64\Acfaeq32.exe
        
        C:\Windows\system32\Acfaeq32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\SysWOW64\Ajpjakhc.exe
        
        C:\Windows\system32\Ajpjakhc.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SysWOW64\Achojp32.exe
        
        C:\Windows\system32\Achojp32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\SysWOW64\Annbhi32.exe
        
        C:\Windows\system32\Annbhi32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\SysWOW64\Agfgqo32.exe
        
        C:\Windows\system32\Agfgqo32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1112
        
        C:\Windows\SysWOW64\Amcpie32.exe
        
        C:\Windows\system32\Amcpie32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\SysWOW64\Abphal32.exe
        
        C:\Windows\system32\Abphal32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Windows\SysWOW64\Amelne32.exe
        
        C:\Windows\system32\Amelne32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\Acpdko32.exe
        
        C:\Windows\system32\Acpdko32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1084
        
        C:\Windows\SysWOW64\Bmhideol.exe
        
        C:\Windows\system32\Bmhideol.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2896
        
        C:\Windows\SysWOW64\Bnielm32.exe
        
        C:\Windows\system32\Bnielm32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1444
        
        C:\Windows\SysWOW64\Bhajdblk.exe
        
        C:\Windows\system32\Bhajdblk.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1736
        
        C:\Windows\SysWOW64\Bajomhbl.exe
        
        C:\Windows\system32\Bajomhbl.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:920
        
        C:\Windows\SysWOW64\Biafnecn.exe
        
        C:\Windows\system32\Biafnecn.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1228
        
        C:\Windows\SysWOW64\Blobjaba.exe
        
        C:\Windows\system32\Blobjaba.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2472
        
        C:\Windows\SysWOW64\Balkchpi.exe
        
        C:\Windows\system32\Balkchpi.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1028
        
        C:\Windows\SysWOW64\Bmclhi32.exe
        
        C:\Windows\system32\Bmclhi32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Bejdiffp.exe
        
        C:\Windows\system32\Bejdiffp.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Windows\SysWOW64\Chkmkacq.exe
        
        C:\Windows\system32\Chkmkacq.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1572
        
        C:\Windows\SysWOW64\Ckiigmcd.exe
        
        C:\Windows\system32\Ckiigmcd.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\Cgpjlnhh.exe
        
        C:\Windows\system32\Cgpjlnhh.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2744
        
        C:\Windows\SysWOW64\Cinfhigl.exe
        
        C:\Windows\system32\Cinfhigl.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2644
        
        C:\Windows\SysWOW64\Ceegmj32.exe
        
        C:\Windows\system32\Ceegmj32.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 140
        32⤵
        Loads dropped DLL
        Program crash
        
        PID:572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bajomhbl.exe

Filesize
78KB

MD5
112e0b583281c68050a4110649241790

SHA1
0839f40c3855c543a113f3721e49ab46f15c35d6

SHA256
4e2d4657d929ad7cd4a6b0f6bd2cd09fb4cc84fde61ef84d04aa8a6a88956a3f

SHA512
7acb321cfd96a1e877e1a20be147c2a6af85da484f3a14336bc289b577c33c3c216c86fca3550fd5d2dfdfafc026ef2192e397b865b09d8a6a539ec2a6b109a7

Download Submit
C:\Windows\SysWOW64\Balkchpi.exe

Filesize
78KB

MD5
48775c9c4466924d102ccbe05e415289

SHA1
fb586391357d050c1e35e9918838e12dc237a0f6

SHA256
90495a86329647ec6c0e03216b1159b974b08d4311036cd0c757685b3f3f2bee

SHA512
d8115e6aaebc2f06aab6fcfd9045c2d06adcd70bedd0643977808b0ec4d387ad4cefd52ceba5d059662052209f32ee55770ed7b4020e1ea8710e878bc1cc3d92

Download Submit
C:\Windows\SysWOW64\Bejdiffp.exe

Filesize
78KB

MD5
45c5ea114627183edc1140ba98496241

SHA1
eead6cf6a4863e944ebae9cd8bbf59cfa6b3d855

SHA256
9b376f10d2c89bbf11170ef04b716f4e37fbbcc0d675c15929ff86fd3a7856b5

SHA512
d6291286cc3f0841f9aeae52b79d21ce5a63baccab221904549888be35812e04828940de73573d242f6a0fef78b0a8497814d689fc8b35a2d319359ddec62b27

Download Submit
C:\Windows\SysWOW64\Bhajdblk.exe

Filesize
78KB

MD5
06b3e82ae23709e8457f4e6df1dd3735

SHA1
a1abecfd997016899ec3d9a3a8b1905a0e856a0e

SHA256
e968aecfc858772d644a04367a38b42d85b857567ed19b56ae12b7285235b432

SHA512
14a4b820bc872a922d14d0acec4e74cf07d7bee18cd0fb491f3ce368e6a50a996ce2a02acb080c2109ae272a92feeb63386ee350434414cc91ddff0a4740c90c

Download Submit
C:\Windows\SysWOW64\Biafnecn.exe

Filesize
78KB

MD5
cd256fa9e6f47a8a595c1be99e0515de

SHA1
466469b9259e6cafce286fa055bb9eb1d7db31c6

SHA256
fdac8d82d31c82c18810a9f04575b07367b37ba8aa4162287e73ffcc5a652786

SHA512
852952b427e4513437d36fbd6d1d00f5aa3fe5ea5d5d461b81e5464ac77cc744b061005a2afe1a019e87792b165f4f53f34ec8cc17e2347e40fad3e5ef87a175

Download Submit
C:\Windows\SysWOW64\Blobjaba.exe

Filesize
78KB

MD5
2abf86c5e451bf7cfcd152f155c84a99

SHA1
b9e0e81d94727871aa5fbfd50b10fe8581e2760b

SHA256
e0fd96c93d1193b7f833ebe404bf99ace1f296b69eb3b0f8d56815cd89335963

SHA512
4bf5f1f724cf2b5c46ef2646ab950912c0cbab01d0bf1b7440326c5a56fd29c30f7e2aaa86b17550ca456ef4b9d3041b7f33e4426e34661c6ba1f219131e578a

Download Submit
C:\Windows\SysWOW64\Bmclhi32.exe

Filesize
78KB

MD5
7bbc36c2cc21f1b16dc3bf9fa19172a2

SHA1
f08801511cea4440fe9e6b47c4e502473b38416d

SHA256
f7e6b57b0492f8ae6d4563f0f594e8d6e07c5c6edb02837dcbd1fb47f603ade2

SHA512
a4f0e34a11d31fd46a61f429dcd84fcbabd1ace6228218cafed59d6ffbf62b26ed8f396b4802916bd6ebc4efff2ba4f9e6b9284e256c72902252578782c4d24c

Download Submit
C:\Windows\SysWOW64\Bmhideol.exe

Filesize
78KB

MD5
358f5fd69dc9b98a1954b61eb58736b6

SHA1
7a0bda99a87b2fd754197595b83dfecc339bc4e2

SHA256
92342169781feb11d5ee2419f31d5cc4c21aaeaa0f08a8f591ec2eb5e3e1a72f

SHA512
e841c6e97572afecb465afb0e516f40ae8bc437ff4fb94504fc6110fbbafc15427cffdc53f2bf7d7228819ee9b2c972765f68880909bac88a723d0be3c30fad7

Download Submit
C:\Windows\SysWOW64\Bnielm32.exe

Filesize
78KB

MD5
f758209c38b5e9262da6092de2449a28

SHA1
360d496aaac0b909d5b8458cd45a8f615988da57

SHA256
b0f9f099d7828bc307d931a8369a039bb639c8040f3011553234c697f9907e9c

SHA512
bf6851644c76ba6acc92c7dc095d62181660fa0893b26c773ae303290ccb4c335cec9da71e39011c00d7234e78fe42d20ea3f6fdbef21f8bdeeb60a108c5d1ed

Download Submit
C:\Windows\SysWOW64\Ceegmj32.exe

Filesize
78KB

MD5
d3135e8e93ad24d28acd12c8a3308aed

SHA1
049d82e83a013814558e4da82f861f7230582df6

SHA256
7df87323f486604fa8ad12c2e1bbce91eca3dfb9fa0703afa51f839125bbbfe0

SHA512
a971903022321a68fc35b4de5e77bb2ee7825d6f843bcd1278a73cd0de9e911359a6af098599aecad6242ff77f9f93dee7988398c526265ff79347b86b94d2bc

Download Submit
C:\Windows\SysWOW64\Cgpjlnhh.exe

Filesize
78KB

MD5
cbd71acfe282242a72f835a756c91013

SHA1
23401737139f79765097abf6c7c6a2bc3187ffd6

SHA256
a83f20175844a7e76205cd84bd2dda7b767f05b8c0a3feed9813f13b77a2e7d2

SHA512
c853e43edf843e39563106497c35bf82545ee9f7343de2e9070c5859e5001075fc880133858c4a81a3f6a21053df25a8de9a3ae7ce68d8a92287c5001ff8466b

Download Submit
C:\Windows\SysWOW64\Chkmkacq.exe

Filesize
78KB

MD5
09ad9fed5d312b2e63f6febe8544bb3d

SHA1
4ec3a8ca78a060b6699e7f0a4b779f4d5e4d4ff5

SHA256
492be4ea0fc4b6c0499a9982db14166d3c691df57e55f1f47f04f1cae34878bc

SHA512
34dfcd7ac5b7d87b8fde779c4e9f1a1f210e5f50aa43506c4775e3ff1d346b00ba1c400b11f578cf3cfb4d88d489619b3432928e3d02897e39822638002719d9

Download Submit
C:\Windows\SysWOW64\Cinfhigl.exe

Filesize
78KB

MD5
36503f49aabd794f81a3a55e93ce2550

SHA1
3f67e3fb7aed8af2cbec346667a49a5ad91c8962

SHA256
3aaf5facf8d48f13e3d452ae8b00fe57fc99b69f7f322a25ad0c646b35d9d7c9

SHA512
bee7af9929f19b187c6390bb53f0811e5364e7277421ccb502b5507c90cdeb3a6fece9823d09f367bcf81279f8c4a9e99f59d896057f306f23f861066ce086c4

Download Submit
C:\Windows\SysWOW64\Ckiigmcd.exe

Filesize
78KB

MD5
be60ce2f61ad43d530f6a99fe3d11ec9

SHA1
b7de533a6e38f3182a122069dcf0977c278749db

SHA256
01b65ca8a6ae47e41aa714865dfd5fab75214aa303f012fc90ba6b63ba9dabbd

SHA512
8b089fee63825e5b2db6f35e6bef69f1e6c6c8d4a575e382edaf0e14c9db5df34ecd494f4d65440844cf810be35392ccae8a8f90e0107273d1a0a8b441042f09

Download Submit
C:\Windows\SysWOW64\Pihgic32.exe

Filesize
78KB

MD5
7211fd3a7ca9d84a25395b2235bc7012

SHA1
5861ee890699f4896f15a27a40df4f274bc3760a

SHA256
61c41d4d27612daa0393696db287b8c32d5f7c35ff08413e7b983c8f19b0798d

SHA512
aa9ff187b59058b215d42fb8633a0b0ad559dc82d0e5d91f7e3b08f9d837a0a2d573a198a36af5a7b6d5976d1affdbf693bc48d6eccc0dd579686e9be068578e

Download Submit
C:\Windows\SysWOW64\Qijdocfj.exe

Filesize
78KB

MD5
e64093e26f0bdf19523d24ba335619c0

SHA1
2cb52b7f98c5b3822bfc390e12839b1a66dab928

SHA256
0b94f7d66cd106b66b3c38ba76eedc45deee515c39a3625ca2aa59507c6fd263

SHA512
d3b6959041fc9dd1442721b1f46a45cec26e192c093e176e4bd4f2b7fd8b179c9536d903a67809b3a490c473615dd6c52d53de5b0f97c2f92b9ad6ea97ab10bb

Download Submit
\Windows\SysWOW64\Abphal32.exe

Filesize
78KB

MD5
0479c350722a3606afb90734a5c3be8c

SHA1
6083e33df8a5686186482d0dbc08f091b59e7842

SHA256
1e9ee866323784909796ecc50f418d07f2c638118a30164510314e886a8428fd

SHA512
94457a237be7a7cc32d1cbbc664033d834318f87bea95679902b49c2b1981a41f15e5978dd790daf24e709d742ccf35f9499c70f7a3ac0028154f4a787d0a885

Download Submit
\Windows\SysWOW64\Acfaeq32.exe

Filesize
78KB

MD5
3fd22c829c0b2811df5bb0764deb3083

SHA1
ce87f35c636b3f05c30b23e2a2b90de71bd799e4

SHA256
e3be8c905874649756a19e012e8e912846cfbce9d7867f4232c7d9de933b8028

SHA512
ea4fcdcb34d50408d051290791896fe6e77335f871c01b1a2a1da010ec3432b946f8d051a78f2bcc89fdda1408a0bee20a48a2694b1ccda7ddf1840d277d1910

Download Submit
\Windows\SysWOW64\Achojp32.exe

Filesize
78KB

MD5
1375e4f7768822e60c8ddf437a13a73a

SHA1
72139a62afee439bf169f8eda76a86045e1f5494

SHA256
958206f54b32e0920eb33ae5c12a23a924d0adadff3081aac00b2465d1bb1a25

SHA512
b3ff5a65c7adc2a44bf76d34bc239fe86d42b35475cdac228b64a4bc47345db56e604bfba6ad693cbb979b444a037769a2b4aa71f01cd032a2b43e7b03c6dc18

Download Submit
\Windows\SysWOW64\Acpdko32.exe

Filesize
78KB

MD5
56b9f871cf2b6962e798cd5bb90ffa4f

SHA1
671098d1233f06e7849fbef181e9d34793d393c9

SHA256
c0a9b48f867c44b96dfb6bfdf26efb37a76dbb2787c25671949fbc04d306e1b2

SHA512
bbd4adba992ca4189ae82a71bad274986adc04fdf4c7677367d467abd91ec9e6a75ac0562aceb34a90ab7218d9bba29ff4fd0356f0112ce44a6ec7b665b57c51

Download Submit
\Windows\SysWOW64\Agfgqo32.exe

Filesize
78KB

MD5
35ba05a958f4030060b1a65a2bb9e5a6

SHA1
f48b5f57696bf9093ed52db7eab7e2daf04a1629

SHA256
290f7522c603ab806c82376de5374b1dfa2cddf53073b4decfb2b4ee3c170ee4

SHA512
8feba7b1d78d54a78bd32d2f3e219bfe8b60d3eb994cc60197f375cdd07d0ff1c56c9070787da69f1bd37b4278fd8df5f4cd6e9ac299dfd3680559627f11b906

Download Submit
\Windows\SysWOW64\Ajpjakhc.exe

Filesize
78KB

MD5
974a0fb7b19563a589ee6ba0c15070f9

SHA1
b438fadc8660e3766cdf54d040c8c1dde512e1e4

SHA256
aa8efa2dab2baf9ba23b48eb7ab0071008d0616e6b37e1046d1d23523f66f116

SHA512
15c9f97fcf69b97571794061d26dec7d8c4cc5146f932b3ced3af8c542c8ce7bbc8adb8955d42e7564a68ecb58ed8a7ee7b1db482e9d0f8b81ed025a3ee441ee

Download Submit
\Windows\SysWOW64\Amcpie32.exe

Filesize
78KB

MD5
b67aec4c68703c861ef41487a578b14f

SHA1
36b0ce29cfb091c30596366e4aaea6f90df2d221

SHA256
d01e79fbba0750e0a832244e518b919e65b7ac3c9c323fdd483e3aabdd162ae8

SHA512
242ed3ce350764781d1a7221bf5e6225d405b3dad6ee7d93bb900fd728fcfc08838a01911564ab52e64ac73b3f983551f87d547f3a96e1c987e11e856b547769

Download Submit
\Windows\SysWOW64\Amelne32.exe

Filesize
78KB

MD5
877c2e32a6052836f419058cf095ebb3

SHA1
ae0c56d51d9e220162c18386614b00ed9c8c8cf8

SHA256
8dd27a795d092b59e354a5388dacfa65151d54929b229097bea5ca3ef08fe2fe

SHA512
0eb9ec7279def0b3801fd0573b1769294e5ece6ce52ae5643425de2779b460c2ac4052397f04aeff1417166106a3ab2a01344641813ad33276326018df623157

Download Submit
\Windows\SysWOW64\Annbhi32.exe

Filesize
78KB

MD5
e0a4e61fcccfc329e00635144308710b

SHA1
58a1e27949685467af0c086da3c9bf5878998ff9

SHA256
60a3778fda8cef81d21706672d23bdcc6945c3d5cd8afd7bec6dbfdd714f48eb

SHA512
3e535ef1ba124b3ea47ec9b4adc798a1d266b5be70d723fc7dfe646d63ef2c807bf05ccaaca2cb60db196eb30efac7cd8d152435e2c67f24cbc430035d0aaf8f

Download Submit
\Windows\SysWOW64\Pckoam32.exe

Filesize
78KB

MD5
fe86366f1e8cc36a6e3750124b44aa18

SHA1
156bb5926dd4292b2399a91df44d372e7b6f260f

SHA256
7d133ae52595a4a17665e1760f3dc33ddbacf54756a91d8f7129f5e661891526

SHA512
c94fdb6d61abb7f28eb2fada3682f55b06ef0f1c15f130190211127ad9571321148eff3c9018cd47b4dc085d809c728731692546a8a790af6de496e648f8dfd0

Download Submit
\Windows\SysWOW64\Pfikmh32.exe

Filesize
78KB

MD5
f67557e373328b175e8ece1dec20382c

SHA1
d6b03b91720c031cd67049226c5ef72428989d11

SHA256
9f9246d6f0eb301c825f581afc1e6049e2af2b5db1d0d038c3c315de2cb0c435

SHA512
2666350ca34af385820515032d5cb41796709bbf656be021b40d591cc1f727a236ecd84bb9fa3d8ea354982967c0e1c945b0fc22e7963e5ba590b18e4d8a80d2

Download Submit
\Windows\SysWOW64\Pmagdbci.exe

Filesize
78KB

MD5
ddfef96f264940f8976224b9896e60db

SHA1
e687d5dbee82aeb651c1349216dd52a64ead727b

SHA256
52acbd7c750c9ad00dab2d713a6fdef2c4fef7200efbdf39c8095ef981b75be1

SHA512
c5cf7db36cd797b8d7151db166d4e42356bf5e22b75adfac9d35ea079a5f14fab28dfb3e9f8656423b213f528194c894623c44893aab78b3989e87bd0213645a

Download Submit
\Windows\SysWOW64\Qjnmlk32.exe

Filesize
78KB

MD5
25466014a98e5eeb29dac2c900286153

SHA1
ead089aab48499f23e90d4549e9e809fa923b2a3

SHA256
34ddfb99a3b94248154804ffd12744c22a0a549278a90a8b6307a9301ccfce37

SHA512
252e558070ecae1f53c063da9965647216ca938d38df2cb2d57848b130c619444847ff66937bcb12fa675ef248f6824f470bbb0c846ff64410939fc26751b647

Download Submit
\Windows\SysWOW64\Qqeicede.exe

Filesize
78KB

MD5
9181997c68a163112cdbfd86905d44f3

SHA1
4dd5cfcb65f5d34c9c58fef1011db27856789dee

SHA256
7cfdff93b1f83e5e2c0a8f3deabbc111f74a8f3e00d41b2ec98dae433e424520

SHA512
2de0e82938c67ced42f6ac4626487a1788c341977fbf8e19d79ba594de0d9c8dba6b58dda25b157eee021311cdbf1d0f41cf009c9669976c403986a78ba17c08

Download Submit
memory/588-81-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/588-68-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/588-387-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/892-388-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/892-53-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/892-67-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/892-66-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/920-371-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/920-268-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/920-267-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1012-96-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1012-385-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1028-286-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1028-379-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1028-295-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1028-296-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1084-221-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1084-373-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1112-380-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1228-269-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1228-275-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1228-274-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1444-244-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1444-238-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1444-240-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1572-325-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/1572-319-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1572-329-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/1572-367-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1608-330-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1608-340-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1608-339-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1608-366-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1736-253-0x0000000000300000-0x0000000000341000-memory.dmp

Filesize
260KB

Download
memory/1736-376-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1736-254-0x0000000000300000-0x0000000000341000-memory.dmp

Filesize
260KB

Download
memory/1768-383-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1768-109-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1816-174-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1816-382-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1856-148-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1856-389-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1856-156-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/2072-200-0x00000000002F0000-0x0000000000331000-memory.dmp

Filesize
260KB

Download
memory/2072-187-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2072-375-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2104-122-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2104-131-0x0000000000270000-0x00000000002B1000-memory.dmp

Filesize
260KB

Download
memory/2104-384-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2424-364-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2424-378-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2472-284-0x0000000000320000-0x0000000000361000-memory.dmp

Filesize
260KB

Download
memory/2472-285-0x0000000000320000-0x0000000000361000-memory.dmp

Filesize
260KB

Download
memory/2472-377-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2556-374-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2556-213-0x0000000000310000-0x0000000000351000-memory.dmp

Filesize
260KB

Download
memory/2556-201-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2644-360-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/2644-368-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2684-45-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2732-297-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2732-307-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2732-306-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2732-370-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2744-347-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2744-365-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2744-341-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2744-351-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2780-14-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2780-363-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2816-32-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2836-13-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/2836-12-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/2836-362-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/2836-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2836-361-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2896-229-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2896-372-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2904-381-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2940-94-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2940-82-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2940-386-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3064-308-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3064-317-0x0000000000300000-0x0000000000341000-memory.dmp

Filesize
260KB

Download
memory/3064-369-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3064-318-0x0000000000300000-0x0000000000341000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads