berbew | ffa40455ce4f3399c04bd60994fdd0852ef7a8504d8f5a1644925fb7291320d1

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-01-2025 10:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ffa40455ce4f3399c04bd60994fdd0852ef7a8504d8f5a1644925fb7291320d1.exe
Size

337KB
MD5

26dc676d5627f429799472e98139df8b
SHA1

1916b0ed8ee03e7aadf15958728c2727e80bfbbe
SHA256

ffa40455ce4f3399c04bd60994fdd0852ef7a8504d8f5a1644925fb7291320d1
SHA512

e6be26019d360d386b1266f2078169480425de0df5dd16566cdd16608d742e78a983a5a5a6c919410c768fc7e8ee5e3614e24caafb8b3cfba67d565e51e851d8
SSDEEP

3072:9sT3DXVo8M1e+sQPgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:GTzlYIeP1+fIyG5jZkCwi8r

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdgmlhha.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aomnhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adifpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjonncab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ffa40455ce4f3399c04bd60994fdd0852ef7a8504d8f5a1644925fb7291320d1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aomnhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbblda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpbglhjq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkegah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pplaki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqeqqk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnknoogp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajmijmnn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqeqqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckjamgmk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	ffa40455ce4f3399c04bd60994fdd0852ef7a8504d8f5a1644925fb7291320d1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdlggg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgmpibam.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pojecajj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdlggg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgmpibam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bigkel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkjdndjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceebklai.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pplaki32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajmijmnn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andgop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cebeem32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adifpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Andgop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pojecajj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qpbglhjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbblda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cebeem32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaimopli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adlcfjgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkjdndjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bigkel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkegah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdgmlhha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaimopli.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adlcfjgh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmbcen32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 32 IoCs

pid	Process
2340	Pojecajj.exe
2840	Pplaki32.exe
2668	Pdgmlhha.exe
2760	Qdlggg32.exe
2844	Qpbglhjq.exe
2652	Qgmpibam.exe
592	Ajmijmnn.exe
1424	Aaimopli.exe
588	Aomnhd32.exe
2012	Adifpk32.exe
2000	Adlcfjgh.exe
3056	Andgop32.exe
2220	Bqeqqk32.exe
580	Bkjdndjo.exe
2880	Bfdenafn.exe
1296	Bnknoogp.exe
1972	Bbmcibjp.exe
2208	Bigkel32.exe
1276	Bkegah32.exe
1696	Cfkloq32.exe
1660	Ciihklpj.exe
2860	Cbblda32.exe
1788	Ckjamgmk.exe
3016	Cpfmmf32.exe
1616	Cebeem32.exe
2228	Cjonncab.exe
2304	Ceebklai.exe
2752	Cgcnghpl.exe
2548	Calcpm32.exe
2568	Ccjoli32.exe
2204	Dmbcen32.exe
3048	Dpapaj32.exe

Loads dropped DLL 64 IoCs

pid	Process
2312	ffa40455ce4f3399c04bd60994fdd0852ef7a8504d8f5a1644925fb7291320d1.exe
2312	ffa40455ce4f3399c04bd60994fdd0852ef7a8504d8f5a1644925fb7291320d1.exe
2340	Pojecajj.exe
2340	Pojecajj.exe
2840	Pplaki32.exe
2840	Pplaki32.exe
2668	Pdgmlhha.exe
2668	Pdgmlhha.exe
2760	Qdlggg32.exe
2760	Qdlggg32.exe
2844	Qpbglhjq.exe
2844	Qpbglhjq.exe
2652	Qgmpibam.exe
2652	Qgmpibam.exe
592	Ajmijmnn.exe
592	Ajmijmnn.exe
1424	Aaimopli.exe
1424	Aaimopli.exe
588	Aomnhd32.exe
588	Aomnhd32.exe
2012	Adifpk32.exe
2012	Adifpk32.exe
2000	Adlcfjgh.exe
2000	Adlcfjgh.exe
3056	Andgop32.exe
3056	Andgop32.exe
2220	Bqeqqk32.exe
2220	Bqeqqk32.exe
580	Bkjdndjo.exe
580	Bkjdndjo.exe
2880	Bfdenafn.exe
2880	Bfdenafn.exe
1296	Bnknoogp.exe
1296	Bnknoogp.exe
1972	Bbmcibjp.exe
1972	Bbmcibjp.exe
2208	Bigkel32.exe
2208	Bigkel32.exe
1276	Bkegah32.exe
1276	Bkegah32.exe
1696	Cfkloq32.exe
1696	Cfkloq32.exe
1660	Ciihklpj.exe
1660	Ciihklpj.exe
2860	Cbblda32.exe
2860	Cbblda32.exe
1788	Ckjamgmk.exe
1788	Ckjamgmk.exe
3016	Cpfmmf32.exe
3016	Cpfmmf32.exe
1616	Cebeem32.exe
1616	Cebeem32.exe
2228	Cjonncab.exe
2228	Cjonncab.exe
2304	Ceebklai.exe
2304	Ceebklai.exe
2752	Cgcnghpl.exe
2752	Cgcnghpl.exe
2548	Calcpm32.exe
2548	Calcpm32.exe
2568	Ccjoli32.exe
2568	Ccjoli32.exe
2204	Dmbcen32.exe
2204	Dmbcen32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Andgop32.exe	Adlcfjgh.exe
File created	C:\Windows\SysWOW64\Bigkel32.exe	Bbmcibjp.exe
File created	C:\Windows\SysWOW64\Calcpm32.exe	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Ckjamgmk.exe	Cbblda32.exe
File opened for modification	C:\Windows\SysWOW64\Ckjamgmk.exe	Cbblda32.exe
File created	C:\Windows\SysWOW64\Ofaejacl.dll	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Fkdhkd32.dll	Pojecajj.exe
File opened for modification	C:\Windows\SysWOW64\Qdlggg32.exe	Pdgmlhha.exe
File created	C:\Windows\SysWOW64\Jhbcjo32.dll	Pdgmlhha.exe
File opened for modification	C:\Windows\SysWOW64\Adifpk32.exe	Aomnhd32.exe
File created	C:\Windows\SysWOW64\Egfokakc.dll	Aomnhd32.exe
File opened for modification	C:\Windows\SysWOW64\Aomnhd32.exe	Aaimopli.exe
File opened for modification	C:\Windows\SysWOW64\Bigkel32.exe	Bbmcibjp.exe
File created	C:\Windows\SysWOW64\Cebeem32.exe	Cpfmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Cgcnghpl.exe	Ceebklai.exe
File created	C:\Windows\SysWOW64\Dmbcen32.exe	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Ckmcef32.dll	Qdlggg32.exe
File created	C:\Windows\SysWOW64\Jpefpo32.dll	Qpbglhjq.exe
File created	C:\Windows\SysWOW64\Fiqhbk32.dll	Adifpk32.exe
File created	C:\Windows\SysWOW64\Cbblda32.exe	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Cpfmmf32.exe	Ckjamgmk.exe
File opened for modification	C:\Windows\SysWOW64\Ciihklpj.exe	Cfkloq32.exe
File opened for modification	C:\Windows\SysWOW64\Pojecajj.exe	ffa40455ce4f3399c04bd60994fdd0852ef7a8504d8f5a1644925fb7291320d1.exe
File created	C:\Windows\SysWOW64\Aaimopli.exe	Ajmijmnn.exe
File created	C:\Windows\SysWOW64\Pmmgmc32.dll	Aaimopli.exe
File opened for modification	C:\Windows\SysWOW64\Adlcfjgh.exe	Adifpk32.exe
File opened for modification	C:\Windows\SysWOW64\Bfdenafn.exe	Bkjdndjo.exe
File opened for modification	C:\Windows\SysWOW64\Pdgmlhha.exe	Pplaki32.exe
File opened for modification	C:\Windows\SysWOW64\Bqeqqk32.exe	Andgop32.exe
File created	C:\Windows\SysWOW64\Ccjoli32.exe	Calcpm32.exe
File opened for modification	C:\Windows\SysWOW64\Ccjoli32.exe	Calcpm32.exe
File opened for modification	C:\Windows\SysWOW64\Pplaki32.exe	Pojecajj.exe
File created	C:\Windows\SysWOW64\Hqjpab32.dll	Qgmpibam.exe
File created	C:\Windows\SysWOW64\Dkppib32.dll	Ajmijmnn.exe
File created	C:\Windows\SysWOW64\Fnbkfl32.dll	Cpfmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Cjonncab.exe	Cebeem32.exe
File created	C:\Windows\SysWOW64\Ceebklai.exe	Cjonncab.exe
File created	C:\Windows\SysWOW64\Kgloog32.dll	Cjonncab.exe
File opened for modification	C:\Windows\SysWOW64\Calcpm32.exe	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Ajmijmnn.exe	Qgmpibam.exe
File created	C:\Windows\SysWOW64\Jmclfnqb.dll	Adlcfjgh.exe
File created	C:\Windows\SysWOW64\Lkknbejg.dll	Bqeqqk32.exe
File created	C:\Windows\SysWOW64\Mfakaoam.dll	Bnknoogp.exe
File created	C:\Windows\SysWOW64\Ednoihel.dll	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File opened for modification	C:\Windows\SysWOW64\Bkegah32.exe	Bigkel32.exe
File created	C:\Windows\SysWOW64\Gjhmge32.dll	Cfkloq32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Kmgbdm32.dll	ffa40455ce4f3399c04bd60994fdd0852ef7a8504d8f5a1644925fb7291320d1.exe
File created	C:\Windows\SysWOW64\Qpbglhjq.exe	Qdlggg32.exe
File opened for modification	C:\Windows\SysWOW64\Qpbglhjq.exe	Qdlggg32.exe
File opened for modification	C:\Windows\SysWOW64\Ajmijmnn.exe	Qgmpibam.exe
File created	C:\Windows\SysWOW64\Ckndebll.dll	Bfdenafn.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Oeopijom.dll	Cebeem32.exe
File opened for modification	C:\Windows\SysWOW64\Ceebklai.exe	Cjonncab.exe
File created	C:\Windows\SysWOW64\Pplaki32.exe	Pojecajj.exe
File created	C:\Windows\SysWOW64\Bqeqqk32.exe	Andgop32.exe
File opened for modification	C:\Windows\SysWOW64\Bkjdndjo.exe	Bqeqqk32.exe
File created	C:\Windows\SysWOW64\Bbmcibjp.exe	Bnknoogp.exe
File created	C:\Windows\SysWOW64\Fbnbckhg.dll	Cbblda32.exe
File created	C:\Windows\SysWOW64\Dnbamjbm.dll	Bkjdndjo.exe
File opened for modification	C:\Windows\SysWOW64\Bbmcibjp.exe	Bnknoogp.exe
File created	C:\Windows\SysWOW64\Cgcnghpl.exe	Ceebklai.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2056	3048	WerFault.exe	62

System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkegah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfkloq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cebeem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdgmlhha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajmijmnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbmcibjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaimopli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciihklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjonncab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adlcfjgh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkjdndjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbblda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bigkel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ffa40455ce4f3399c04bd60994fdd0852ef7a8504d8f5a1644925fb7291320d1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andgop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdenafn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pplaki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpbglhjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adifpk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgmpibam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceebklai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnknoogp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjamgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pojecajj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdlggg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqeqqk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aomnhd32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeopijom.dll"	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgmpibam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aomnhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkjdndjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckndebll.dll"	Bfdenafn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkknbejg.dll"	Bqeqqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceebklai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adifpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmclfnqb.dll"	Adlcfjgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adlcfjgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opobfpee.dll"	Andgop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fikbiheg.dll"	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	ffa40455ce4f3399c04bd60994fdd0852ef7a8504d8f5a1644925fb7291320d1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmmgmc32.dll"	Aaimopli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nefamd32.dll"	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgloog32.dll"	Cjonncab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdhkd32.dll"	Pojecajj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqjpab32.dll"	Qgmpibam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egfokakc.dll"	Aomnhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiqhbk32.dll"	Adifpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckjamgmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pplaki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qpbglhjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgmpibam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkjdndjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdlggg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkppib32.dll"	Ajmijmnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkegah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cebeem32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceebklai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pojecajj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Andgop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bqeqqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfdenafn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	ffa40455ce4f3399c04bd60994fdd0852ef7a8504d8f5a1644925fb7291320d1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qpbglhjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjhmge32.dll"	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaejacl.dll"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adifpk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bqeqqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfakaoam.dll"	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnknoogp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	ffa40455ce4f3399c04bd60994fdd0852ef7a8504d8f5a1644925fb7291320d1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbcjo32.dll"	Pdgmlhha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmcef32.dll"	Qdlggg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aaimopli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ednoihel.dll"	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdhpmg32.dll"	Pplaki32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 2340	2312	ffa40455ce4f3399c04bd60994fdd0852ef7a8504d8f5a1644925fb7291320d1.exe	31
PID 2312 wrote to memory of 2340	2312	ffa40455ce4f3399c04bd60994fdd0852ef7a8504d8f5a1644925fb7291320d1.exe	31
PID 2312 wrote to memory of 2340	2312	ffa40455ce4f3399c04bd60994fdd0852ef7a8504d8f5a1644925fb7291320d1.exe	31
PID 2312 wrote to memory of 2340	2312	ffa40455ce4f3399c04bd60994fdd0852ef7a8504d8f5a1644925fb7291320d1.exe	31
PID 2340 wrote to memory of 2840	2340	Pojecajj.exe	32
PID 2340 wrote to memory of 2840	2340	Pojecajj.exe	32
PID 2340 wrote to memory of 2840	2340	Pojecajj.exe	32
PID 2340 wrote to memory of 2840	2340	Pojecajj.exe	32
PID 2840 wrote to memory of 2668	2840	Pplaki32.exe	33
PID 2840 wrote to memory of 2668	2840	Pplaki32.exe	33
PID 2840 wrote to memory of 2668	2840	Pplaki32.exe	33
PID 2840 wrote to memory of 2668	2840	Pplaki32.exe	33
PID 2668 wrote to memory of 2760	2668	Pdgmlhha.exe	34
PID 2668 wrote to memory of 2760	2668	Pdgmlhha.exe	34
PID 2668 wrote to memory of 2760	2668	Pdgmlhha.exe	34
PID 2668 wrote to memory of 2760	2668	Pdgmlhha.exe	34
PID 2760 wrote to memory of 2844	2760	Qdlggg32.exe	35
PID 2760 wrote to memory of 2844	2760	Qdlggg32.exe	35
PID 2760 wrote to memory of 2844	2760	Qdlggg32.exe	35
PID 2760 wrote to memory of 2844	2760	Qdlggg32.exe	35
PID 2844 wrote to memory of 2652	2844	Qpbglhjq.exe	36
PID 2844 wrote to memory of 2652	2844	Qpbglhjq.exe	36
PID 2844 wrote to memory of 2652	2844	Qpbglhjq.exe	36
PID 2844 wrote to memory of 2652	2844	Qpbglhjq.exe	36
PID 2652 wrote to memory of 592	2652	Qgmpibam.exe	37
PID 2652 wrote to memory of 592	2652	Qgmpibam.exe	37
PID 2652 wrote to memory of 592	2652	Qgmpibam.exe	37
PID 2652 wrote to memory of 592	2652	Qgmpibam.exe	37
PID 592 wrote to memory of 1424	592	Ajmijmnn.exe	38
PID 592 wrote to memory of 1424	592	Ajmijmnn.exe	38
PID 592 wrote to memory of 1424	592	Ajmijmnn.exe	38
PID 592 wrote to memory of 1424	592	Ajmijmnn.exe	38
PID 1424 wrote to memory of 588	1424	Aaimopli.exe	39
PID 1424 wrote to memory of 588	1424	Aaimopli.exe	39
PID 1424 wrote to memory of 588	1424	Aaimopli.exe	39
PID 1424 wrote to memory of 588	1424	Aaimopli.exe	39
PID 588 wrote to memory of 2012	588	Aomnhd32.exe	40
PID 588 wrote to memory of 2012	588	Aomnhd32.exe	40
PID 588 wrote to memory of 2012	588	Aomnhd32.exe	40
PID 588 wrote to memory of 2012	588	Aomnhd32.exe	40
PID 2012 wrote to memory of 2000	2012	Adifpk32.exe	41
PID 2012 wrote to memory of 2000	2012	Adifpk32.exe	41
PID 2012 wrote to memory of 2000	2012	Adifpk32.exe	41
PID 2012 wrote to memory of 2000	2012	Adifpk32.exe	41
PID 2000 wrote to memory of 3056	2000	Adlcfjgh.exe	42
PID 2000 wrote to memory of 3056	2000	Adlcfjgh.exe	42
PID 2000 wrote to memory of 3056	2000	Adlcfjgh.exe	42
PID 2000 wrote to memory of 3056	2000	Adlcfjgh.exe	42
PID 3056 wrote to memory of 2220	3056	Andgop32.exe	43
PID 3056 wrote to memory of 2220	3056	Andgop32.exe	43
PID 3056 wrote to memory of 2220	3056	Andgop32.exe	43
PID 3056 wrote to memory of 2220	3056	Andgop32.exe	43
PID 2220 wrote to memory of 580	2220	Bqeqqk32.exe	44
PID 2220 wrote to memory of 580	2220	Bqeqqk32.exe	44
PID 2220 wrote to memory of 580	2220	Bqeqqk32.exe	44
PID 2220 wrote to memory of 580	2220	Bqeqqk32.exe	44
PID 580 wrote to memory of 2880	580	Bkjdndjo.exe	45
PID 580 wrote to memory of 2880	580	Bkjdndjo.exe	45
PID 580 wrote to memory of 2880	580	Bkjdndjo.exe	45
PID 580 wrote to memory of 2880	580	Bkjdndjo.exe	45
PID 2880 wrote to memory of 1296	2880	Bfdenafn.exe	46
PID 2880 wrote to memory of 1296	2880	Bfdenafn.exe	46
PID 2880 wrote to memory of 1296	2880	Bfdenafn.exe	46
PID 2880 wrote to memory of 1296	2880	Bfdenafn.exe	46

C:\Users\Admin\AppData\Local\Temp\ffa40455ce4f3399c04bd60994fdd0852ef7a8504d8f5a1644925fb7291320d1.exe
"C:\Users\Admin\AppData\Local\Temp\ffa40455ce4f3399c04bd60994fdd0852ef7a8504d8f5a1644925fb7291320d1.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Windows\SysWOW64\Pojecajj.exe
  C:\Windows\system32\Pojecajj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\SysWOW64\Pplaki32.exe
    C:\Windows\system32\Pplaki32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Windows\SysWOW64\Pdgmlhha.exe
      C:\Windows\system32\Pdgmlhha.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2668
    - - C:\Windows\SysWOW64\Qdlggg32.exe
        
        C:\Windows\system32\Qdlggg32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2760
      - C:\Windows\SysWOW64\Qpbglhjq.exe
        
        C:\Windows\system32\Qpbglhjq.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\SysWOW64\Qgmpibam.exe
        
        C:\Windows\system32\Qgmpibam.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SysWOW64\Ajmijmnn.exe
        
        C:\Windows\system32\Ajmijmnn.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:592
        
        C:\Windows\SysWOW64\Aaimopli.exe
        
        C:\Windows\system32\Aaimopli.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Windows\SysWOW64\Aomnhd32.exe
        
        C:\Windows\system32\Aomnhd32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:588
        
        C:\Windows\SysWOW64\Adifpk32.exe
        
        C:\Windows\system32\Adifpk32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\Adlcfjgh.exe
        
        C:\Windows\system32\Adlcfjgh.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\SysWOW64\Andgop32.exe
        
        C:\Windows\system32\Andgop32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\SysWOW64\Bqeqqk32.exe
        
        C:\Windows\system32\Bqeqqk32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\SysWOW64\Bkjdndjo.exe
        
        C:\Windows\system32\Bkjdndjo.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:580
        
        C:\Windows\SysWOW64\Bfdenafn.exe
        
        C:\Windows\system32\Bfdenafn.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\Bnknoogp.exe
        
        C:\Windows\system32\Bnknoogp.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1296
        
        C:\Windows\SysWOW64\Bbmcibjp.exe
        
        C:\Windows\system32\Bbmcibjp.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1972
        
        C:\Windows\SysWOW64\Bigkel32.exe
        
        C:\Windows\system32\Bigkel32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        C:\Windows\SysWOW64\Bkegah32.exe
        
        C:\Windows\system32\Bkegah32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1276
        
        C:\Windows\SysWOW64\Cfkloq32.exe
        
        C:\Windows\system32\Cfkloq32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\Ciihklpj.exe
        
        C:\Windows\system32\Ciihklpj.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\Cbblda32.exe
        
        C:\Windows\system32\Cbblda32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2860
        
        C:\Windows\SysWOW64\Ckjamgmk.exe
        
        C:\Windows\system32\Ckjamgmk.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1788
        
        C:\Windows\SysWOW64\Cpfmmf32.exe
        
        C:\Windows\system32\Cpfmmf32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Cebeem32.exe
        
        C:\Windows\system32\Cebeem32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Cjonncab.exe
        
        C:\Windows\system32\Cjonncab.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2228
        
        C:\Windows\SysWOW64\Ceebklai.exe
        
        C:\Windows\system32\Ceebklai.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2304
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2752
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2548
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2568
        
        C:\Windows\SysWOW64\Dmbcen32.exe
        
        C:\Windows\system32\Dmbcen32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2204
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 144
        34⤵
        Program crash
        
        PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adifpk32.exe

Filesize
337KB

MD5
eb645ea2e90df8b40235a35b9cd211ba

SHA1
a3fd1108ef27e0d8eadcd98e6a6e02892e546de4

SHA256
771ee4cf6aac7a2a6e34881ad61b08196a8082b103f8f4c6306e768bde20394f

SHA512
3ea1ccb94e36282d2b22c8d1f6d52258c9830ba7ec3c964f82623e78c7e8ca320e368aad6295b1493a164659316f1098f1729048917c880ce7b307b0de27b937

Download Submit
C:\Windows\SysWOW64\Bbmcibjp.exe

Filesize
337KB

MD5
2a8e4e0b27175b8bce70446b89a6deb2

SHA1
295acb6f42fc0dea156e5d3f86b1a681939003cb

SHA256
a90c287c7bc2ace33b1e5ec68c33dc5f0b50d9fa187fd5a1d6304d6c821fe6ce

SHA512
2f5845227fae123a1fb6be20fd2d7128458c712cf3e61c2de15e9d1e02896a9b1934417fd4150bce374bf7eff56226c76c2f21c9e0bafb3f6d0d0531ada822be

Download Submit
C:\Windows\SysWOW64\Bigkel32.exe

Filesize
337KB

MD5
e90f05b9e25486ad1e040526a5f1a1a7

SHA1
c092fa98a68ba3e104313b289511cef63998a62a

SHA256
0a7ab812510dd8228f0b1cdbdec01a72ff268541362e4b164e3c1d48cf85b2cf

SHA512
fffcbae4a8a76697d18aade1e41a33a049e8e9acae8908dc790fc8c45e1e275a5edf79142a9bd8deae3f6c38d165b8bae798cc4f4b11e678d1a2e97251310c73

Download Submit
C:\Windows\SysWOW64\Bkegah32.exe

Filesize
337KB

MD5
321fed6e17d123eff16ed298b4c434c7

SHA1
bb931541c9b20c5b09cec004dc37a556818e79f3

SHA256
b21736b50be8c476dcaabe5a944db2290249994aec9b84bf61988b8f200bca4e

SHA512
d711479fceb32bc966e636036c95321ab87bb07e124f28ff2bb15da04ab22ee98df4ba85fe50b782ea954b99fcabc68836a3a2c1ef2131e4b6ba4c00c6d477fa

Download Submit
C:\Windows\SysWOW64\Bnknoogp.exe

Filesize
337KB

MD5
42fa20241f1172c5ba0533c3355bdf90

SHA1
8e37c36057c4a9d4fb013f4b4c61f6ab4b87962c

SHA256
2c4bef5fb511e50a234589645fd0d4d38d6933d339e0083869db5af0a57b0625

SHA512
df312bb2e2ff7ba307c9b1e074e45697132d77fd11613f9cfc412db33692d4aed68fa371dbc3e3f8fd7e687592274fdcfd088fff2fe4ab7c35ef91f6865ada32

Download Submit
C:\Windows\SysWOW64\Calcpm32.exe

Filesize
337KB

MD5
ec567afbe74336efefcc0bfa7d548032

SHA1
c341a3764fe243bb7752eb7c483b57ef3c42fb78

SHA256
7856041adaf6884f4ff03eb7ae6a6e021dccf195d77a3b88d0101db978d79eb1

SHA512
d45f6396c0b21ef83d4bf886271e5aea7d00773dcef16151e7d1fd77fe4aea02587b5b94dec548746ea21e4667b4af0a2499e6d75983a73a54208509517347d0

Download Submit
C:\Windows\SysWOW64\Cbblda32.exe

Filesize
337KB

MD5
58dcad8a9c1bb6c758192f43fc5a32cb

SHA1
2f7650578fd232290f326ea6e98db7cf95e60abf

SHA256
3a6cd6f601dd3375056abe089a95b8adc6a8b14a0b8919e3ba09775080bc1429

SHA512
61e9a840caf0f05986411dd3634f949e68be713b0125b2bcb0c4eaf5021a8acc6f0b648e95a3573c679455d5274b5d9a600be525a55e04d60dccf28cfd500921

Download Submit
C:\Windows\SysWOW64\Ccjoli32.exe

Filesize
337KB

MD5
a4fab38162c26209781d1cb9177f8a81

SHA1
494dd73c829d7fff2dcf389d38ddd956595cf64e

SHA256
997f374770560d5792ff686807633ff8c79a8d75303d641f0b2501b3630ffc1e

SHA512
6cc1a8bb5524d6c30ac2477e25372c6fb283144ed14e65ead1e4047bf62e7de3958502be23ac3e12cc0ece4ea9f79a89fab76b413e55c0855c37b8e05350e22f

Download Submit
C:\Windows\SysWOW64\Cebeem32.exe

Filesize
337KB

MD5
33c38fa118c92ae9c2016bc1a0a105a2

SHA1
342729aa51be471b3643e5b74f6425f66c06b0bc

SHA256
9b19030b4417eb4bfbf2cd4ff46db4018abcb4e14a3e28d8cb6ff1d35e23801a

SHA512
cfde46b9e4512568fd399bc3a23e52eb4e7b28820db7eb70c1913e3232fbb027530ed0413d1b02056978d083de5359a2900b82e1e37457af553115d3aa3e2950

Download Submit
C:\Windows\SysWOW64\Ceebklai.exe

Filesize
337KB

MD5
49bf7f8da98ba7a224a6a189bd1bfec9

SHA1
6a109919fe4e69dbeaa615484fc80a102d9d54c6

SHA256
88a6e4f7957dce055d71d0c994de0eda8864056b334332cff4105fbf5d631ad8

SHA512
f42e0527e5156bb015f9e334ceabc79d6de59fc506988d80387607e2471fecf46fdc152d3913a5609d3f26426cb28bf0d629124bb453d2d913977e06b1cc6b54

Download Submit
C:\Windows\SysWOW64\Cfkloq32.exe

Filesize
337KB

MD5
427841a5cf96f6e584006e7e033b7252

SHA1
3b96cf6b407137cddf59495ff2491f2cd5ba6472

SHA256
bf1368c00f3d5069f045bee4afd9ffe917f63ff8652900728693043d023bfe7d

SHA512
45b0dc292e6bc1aa9df95474b8c3f08a72cc05eea529c885b73a58d97f52b167fc9993d5f60e4d000106762df9634de7a064daf615d02884ff6ca439ffd9aff1

Download Submit
C:\Windows\SysWOW64\Cgcnghpl.exe

Filesize
337KB

MD5
4249fada616c6d0b1c4d413e911d1611

SHA1
e2774975abda86382b1db9acbf4dbd8afa521a3f

SHA256
0ff03648a02245cb9108b57c8f642e2987b4abef5f908bdb745d90f6c4f10544

SHA512
640278c6b4e0e6ab924b795c6d11cf38108d035f198ab0cd8163c333cc7c4b7f2dd6c37787baeee62d1d10761842050b4bd93957d372847437599925c42fdfd4

Download Submit
C:\Windows\SysWOW64\Ciihklpj.exe

Filesize
337KB

MD5
c34f3839a880a5e9841be7e52a1bbf2f

SHA1
72598aae9c71aeb4d935be13ba1b4921d31e279b

SHA256
fab146dbe521b27108753e21e109d3358cca58ced23a74b6299ea7488b7e3d3c

SHA512
dbe36181909622f027a98e4bbfafce78935abfea819e1c94ab7d7418fa90eda9a67dbb71b41154ad5fd3cb5fc23b0e143abe94dda0766736857614957a8201f9

Download Submit
C:\Windows\SysWOW64\Cjonncab.exe

Filesize
337KB

MD5
d2505c2b020347c9b3d6859199bb37fa

SHA1
b1255bde809c772684f1cddf0c7c683b056f61a4

SHA256
c1f005a5567aebbcb2cec7d594d1da9424adc5626058ebf381f47e2a29814272

SHA512
78df44dffc232752ad3e4f4c47dd5a12eb41e1fcda21215c81c5f9b0c5d0615f9fed0e808dd9ed8d1c6d6cfc15f1f1232536b7a1b78141bca901d527fd05514f

Download Submit
C:\Windows\SysWOW64\Ckjamgmk.exe

Filesize
337KB

MD5
153f87fade31034c0ef03f072444e69d

SHA1
cf3bffb848a59aee97a90b24231ca5b3064007b2

SHA256
84ee734fabba28cae9d0a4fc11cbda97f03cc92cabdf8e1d945969907b15bf6b

SHA512
e281eea724cbdf6a99f61baa1a8deb5d9767aeaf982006c35a67ce157c5b60d2330864a90ae041319710feaa65cb4d3e152b4fa3a6f3a98e9e228331df97ce7e

Download Submit
C:\Windows\SysWOW64\Cpfmmf32.exe

Filesize
337KB

MD5
730863bf37fe291c8bd8ed89485419f1

SHA1
0ee4f914e1deea16a280785693aee1a1e3276ebb

SHA256
1814e552475dcb673837e5f2482f432d8d93d2cbb26140d71af5589abc832c26

SHA512
eca71a1e8ba7cd79fe7ebe71d939eaf1a2b0a81e02ebc8f18263cb668f9a5b3101fa3e9fc65d4cf2932f368e44b4aba80b5151747844a34c748280b89036223c

Download Submit
C:\Windows\SysWOW64\Dmbcen32.exe

Filesize
337KB

MD5
0bb63560ff7bc6589a0891d2f0a1206d

SHA1
cb9227fd7fa77aa4871610bdbfbd2b69f98a557d

SHA256
2cd0229d07aeb477b71ac6b34fbfcc900522438472566e2cd1fc262a0a888c47

SHA512
1f904ed795f2050c765593f5400842bc31349f7bab0b1d4af8e6a05c73ba8d28baf36196f4b4fafd5ad942370643487aee09ae3ee39cbf4acd31707538edff86

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
337KB

MD5
2163177d825dbac5539fa24ec17cc395

SHA1
0e883345037080ad8cca0a9e512f0148d48d8a3b

SHA256
ecb1a5baaec329e5761f509d6c1f40ad286ba419c00fdf8087539522d7c87c45

SHA512
7165e32401ee169b7b21babbee2cfb0dc0165d9816c651a0b3d12be7c88d213b13e94cd0652a3f2a6c6b371be588d7762cfe7a6655fc2a4259d90797720f0139

Download Submit
C:\Windows\SysWOW64\Pplaki32.exe

Filesize
337KB

MD5
f63d94f5fa4fb629be2d93fc4243b867

SHA1
88cacba3658096580d5f1061acbc2799f45af074

SHA256
5287d6b77c27160309c27f54785d4ec733dd86c30d1d0e806d8437c2379839e7

SHA512
cb9b1b7e0fb4f8d1b818ee629b93f3035bc2cb80563176c8deeef77e53f45d5c74b9f4eadb85478a39e2b1a6467371ea5039457af54351d711ccf687bdaaf165

Download Submit
C:\Windows\SysWOW64\Qdlggg32.exe

Filesize
337KB

MD5
62eb1d7f43bf397299f3e7d8a77c1a6d

SHA1
1496d1bb4411a9974c10fa6eebda3c94c8895020

SHA256
463ec073cf3bf4bb47f72221c11253f3af440efbcc4479222fddd72d173460b0

SHA512
e3967ea2864e8e8ea0aae0d4d88363cfcfb08dd9010cafa39cad3ad9b92b6aab17bf5a77ff11a6706fd7918fd10a2e2569f5e12d91cea52c39f2660d67e1d0ff

Download Submit
C:\Windows\SysWOW64\Qgmpibam.exe

Filesize
337KB

MD5
5549423c130b327f106f050cda418f90

SHA1
4cc56b592d8d9be68e1e0010aa62cef8812a5694

SHA256
06ea7ca9d1b802dd4ecd244a27f7ab1cf977a58a3b8514c0ccd29156b4a212e7

SHA512
52c7977482d30ba86ba7ce8543e6c700c6709d09f2e0060174188aaa6682e024593b013545a627a8c0641d793f98e3729a6a658ee82674db8714c76224ad9af3

Download Submit
\Windows\SysWOW64\Aaimopli.exe

Filesize
337KB

MD5
3c3f1fda7e5c1a1ee5e0543831cc4ab7

SHA1
381041b13b46d39ad5002d3cba6e767852b779d7

SHA256
fc824d94f354d02a123c258ef2fa9cb855a36d42b7a3971b74c9e3fe7fd0593e

SHA512
2a6b22fc6fe55b958c51e7d53dde4eba4ec021cab36e373fd199ac0251849dc85ff94ee050f7a96014e4ed607fef26cd3a02aae9a1caa8281574c14f4961f88a

Download Submit
\Windows\SysWOW64\Adlcfjgh.exe

Filesize
337KB

MD5
137348d961159a9a1c49dcd2adaee2d8

SHA1
9e4c70a80e74c7a77aaa426f7df8bd487b807411

SHA256
41d1b7ac06f73e6441141af29ace86ae65f8393d255a962695e9b2a74fdc168b

SHA512
a61a5818a028441ad6fa14c0194e0a56d4ef35ba2a224b8af01ff2f60681d9d70eb6a500fb9f87e34d62cdbb4272ea3e7a654b1c39e2240846cbfe6e4718edf7

Download Submit
\Windows\SysWOW64\Ajmijmnn.exe

Filesize
337KB

MD5
cd85e761e878e7976f69e849b88eb93a

SHA1
f3688c4f3494a9dfc925301f704ef46445090818

SHA256
85de06e3bb2b001c1a8d7bb3beae98e38557034254f8fbf077054ce691876fba

SHA512
184c4a0bb6b41fbc94fa963748a205404a6a826d4a99bc6e78c99e58100dbc94caed72afbedc5383be51450444b6739011ab044ed12517628a97e83ecb9bbcc5

Download Submit
\Windows\SysWOW64\Andgop32.exe

Filesize
337KB

MD5
dcf9ddd29eeea4832f71b57a5417736e

SHA1
95abce27e9b0896f3558de0ad052fca130c43a39

SHA256
f8ebdbb3944e0bad8139c93ff8bf00fdc5eaf24d3e8c7d8589bb3b52fd456e5f

SHA512
d9b91f5befae3593ae253a6bcb236a9431d538cc96c8bc7531c56a6e262c7ccf6cc4fbbfab75c67cb2d754ecdf3ce0cd87dad28e10488f2970743272446aba94

Download Submit
\Windows\SysWOW64\Aomnhd32.exe

Filesize
337KB

MD5
26fee2ce89850c925f8b15cb1a61e22e

SHA1
c6a89fbacdf080b86d5830b3b08c0bf45c087ef0

SHA256
809cee60cf5d12119ce112a26db0d17d99d73350c52acef8f509c9632412683e

SHA512
4ba5ca19c47020eb641c2f99c3a248b5cf40bbe8811207d3a3b4cd3d714dbea79c19de299c4580b06f2ad655e47d71e5b0623e6e728ee77154202bdb8bd1617d

Download Submit
\Windows\SysWOW64\Bfdenafn.exe

Filesize
337KB

MD5
62e693dbe569eae715b70bce23e5658c

SHA1
b2afb678ee40a216d989d6a38f8741b046d804ab

SHA256
4d00073d6c4e4c808a215079c8e6c8e1cde61e1269ec88ef0d43b56762adf9d0

SHA512
25890ea68ec3c5084b6f3c71ca2b845e46e8a46fc7e908d776b7e37f70a5dc6d91ef9e819b5977b17b667719e09fc2afe8e1f1dc6cbcc7d7e99c273881f31459

Download Submit
\Windows\SysWOW64\Bkjdndjo.exe

Filesize
337KB

MD5
2f2c23b0dbc9840b1192043ae46081a2

SHA1
d843b02c4db1c531aad6e374cb7b9d3697abc654

SHA256
f4f7e28eba7b9d73ece5e84e3e8432e0651c61713304dfeec2c61cb5afb97562

SHA512
76df7df7fce20e38cd290a4ccab15680abeb91c30ae88e2cc2b1aa05aa72bb011a6d5f4863ecfbf3b996a2081cc31f1d664f7877a9e21e2d7f236af5e2d2439b

Download Submit
\Windows\SysWOW64\Bqeqqk32.exe

Filesize
337KB

MD5
228b694f27ea7acbf1efc35138ba0150

SHA1
fc9b3048ec2b9d1e453e0257103f72a407962446

SHA256
57db986577f4160343fcdb9b13e8294a4c3c62e574cc33e7c9479d1efcc567b3

SHA512
69371d42d9ade5993638bc29bec1d00700c608bd504bc1e9216530494862ffb4345b89a42c8e4132ec9e9836a21a2aae8a56731319a176301e947f17f6842887

Download Submit
\Windows\SysWOW64\Pdgmlhha.exe

Filesize
337KB

MD5
aed0cac7114534a52d738f047d9862f8

SHA1
4dc63cc54ed3669738c562ba192d85c32950fc95

SHA256
1d006e337ff7e6e9edb600cbcf65ff1866725f670660a50fc7b481dee960faa3

SHA512
a31df2b1bb6057d9fb2c13d1873fca03a56b07836ee6b3d826736459116a26d8e96b3afe8bec2aea497afe05fde993307503fa5c2302d3adbdd81348888a9d63

Download Submit
\Windows\SysWOW64\Pojecajj.exe

Filesize
337KB

MD5
1bf5c4cdde9b04f73012b6f9ce54fa5c

SHA1
eeda9f4ce7347accd60c30cd7bc8104fbdaf7ed3

SHA256
52720529f22afb81ab47927dcd6a95c23d100ac46feab61316232270f629ff22

SHA512
e43dc7465437451ba6aa8f8efa4c577883c46034bf319122ac621ad4252a20d3fe5c64869395f7932f050c2e2b1a57a3a2f8bc93f149451dcbd9aea0be2f841a

Download Submit
\Windows\SysWOW64\Qpbglhjq.exe

Filesize
337KB

MD5
79470c8a42653910fe55d5f360fc3800

SHA1
f48e067741df516f26a41d7ce6fe50fa54d1f527

SHA256
295b385a3e4c64de063d1cf4cb05cf23ebb75db292c5213b7be86f5bf853db1e

SHA512
e8469b5e7bc3c7943362717200c663f1cb37334275fd8f6ef7723fb7d75dfe07c36114e073a6cb6d7a6dbfd5069839f35e38472d961282555d0f641a50158d42

Download Submit
memory/580-191-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/580-203-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/580-423-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/588-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/592-107-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/592-435-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1276-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1276-259-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1276-250-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1296-219-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1296-426-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1296-226-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1424-116-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1424-109-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1424-434-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1616-406-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1616-318-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1660-280-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/1660-417-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1660-279-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/1660-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1696-266-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1696-416-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1696-260-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1788-300-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1788-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1788-291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1788-301-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1972-415-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1972-230-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1972-239-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2000-162-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2000-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2000-161-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2000-427-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2012-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2012-143-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2012-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2204-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2204-386-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2208-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2208-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2208-246-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2220-182-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2220-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2228-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2228-330-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2228-331-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2304-342-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2304-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2312-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2312-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2312-12-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2312-18-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2340-19-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2548-361-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2548-362-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2568-374-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2568-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2568-376-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2568-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2652-442-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2652-89-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2652-82-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2668-48-0x0000000000310000-0x0000000000343000-memory.dmp

Filesize
204KB

Download
memory/2668-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2668-375-0x0000000000310000-0x0000000000343000-memory.dmp

Filesize
204KB

Download
memory/2752-402-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2752-343-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2760-390-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2760-54-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2760-61-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2760-387-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2840-34-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2840-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2840-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2840-363-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2844-392-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2844-80-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2844-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2844-391-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2860-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2860-290-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2860-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2880-444-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2880-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2880-217-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/3016-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3016-312-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/3016-308-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/3016-302-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-448-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3056-172-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/3056-164-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3056-445-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads