berbew | 851583c0a8981c1ba9efe8482c46f33abd84a638de5cd951debacb6644bc1e66

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22-01-2025 16:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

851583c0a8981c1ba9efe8482c46f33abd84a638de5cd951debacb6644bc1e66.exe
Size

93KB
MD5

b07dfd00b26277acbcba4fd0ff058c15
SHA1

3040a74ec441a616c94da39f3654212e99e5b5e0
SHA256

851583c0a8981c1ba9efe8482c46f33abd84a638de5cd951debacb6644bc1e66
SHA512

31b5f5c62b0759e808b8ef9397c41fc396e21b061338d97a11456a029ac7a2d9d71d93fd4d56beec0fc582a3a8618d38575b1119f16fa8a34fe3eefc5c10ce5b
SSDEEP

1536:PKDEYPDawo1VIeBrA625JcssssPWs21DaYfMZRWuLsV+1Z:PzYk1VLh2gYfc0DV+1Z

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmeimhdj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajecmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bonoflae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blaopqpo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfikmh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnielm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Achojp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajgpbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qbbhgi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bajomhbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmclhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbgnak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apdhjq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajgpbj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abeemhkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bejdiffp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfgngh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aajbne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acmhepko.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmhideol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmhideol.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blaopqpo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbbhgi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aganeoip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajecmj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apdhjq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnielm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abeemhkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbplbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qkhpkoen.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Piekcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbdallnd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blobjaba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaloddnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfgngh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgoapp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acmhepko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bejdiffp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	851583c0a8981c1ba9efe8482c46f33abd84a638de5cd951debacb6644bc1e66.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbdallnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbgnak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmclhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	851583c0a8981c1ba9efe8482c46f33abd84a638de5cd951debacb6644bc1e66.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qbplbi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkhpkoen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aganeoip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aajbne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaloddnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bobhal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cilibi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piekcd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Achojp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbikgk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bobhal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgoapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bajomhbl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bonoflae.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbikgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfikmh32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 32 IoCs

pid	Process
2636	Pfgngh32.exe
3004	Piekcd32.exe
2640	Pfikmh32.exe
2672	Qbplbi32.exe
536	Qkhpkoen.exe
964	Qbbhgi32.exe
1288	Qgoapp32.exe
2928	Abeemhkh.exe
1704	Aganeoip.exe
2972	Aajbne32.exe
3040	Achojp32.exe
624	Aaloddnn.exe
2808	Ajecmj32.exe
1976	Acmhepko.exe
2524	Ajgpbj32.exe
1764	Apdhjq32.exe
2068	Bmhideol.exe
1392	Bnielm32.exe
920	Bbdallnd.exe
2564	Bbgnak32.exe
1676	Bajomhbl.exe
288	Blobjaba.exe
748	Bonoflae.exe
3048	Bbikgk32.exe
2916	Blaopqpo.exe
2792	Bmclhi32.exe
1596	Bejdiffp.exe
2704	Bobhal32.exe
2796	Bmeimhdj.exe
1476	Cfnmfn32.exe
1300	Cilibi32.exe
2220	Cacacg32.exe

Loads dropped DLL 64 IoCs

pid	Process
2876	851583c0a8981c1ba9efe8482c46f33abd84a638de5cd951debacb6644bc1e66.exe
2876	851583c0a8981c1ba9efe8482c46f33abd84a638de5cd951debacb6644bc1e66.exe
2636	Pfgngh32.exe
2636	Pfgngh32.exe
3004	Piekcd32.exe
3004	Piekcd32.exe
2640	Pfikmh32.exe
2640	Pfikmh32.exe
2672	Qbplbi32.exe
2672	Qbplbi32.exe
536	Qkhpkoen.exe
536	Qkhpkoen.exe
964	Qbbhgi32.exe
964	Qbbhgi32.exe
1288	Qgoapp32.exe
1288	Qgoapp32.exe
2928	Abeemhkh.exe
2928	Abeemhkh.exe
1704	Aganeoip.exe
1704	Aganeoip.exe
2972	Aajbne32.exe
2972	Aajbne32.exe
3040	Achojp32.exe
3040	Achojp32.exe
624	Aaloddnn.exe
624	Aaloddnn.exe
2808	Ajecmj32.exe
2808	Ajecmj32.exe
1976	Acmhepko.exe
1976	Acmhepko.exe
2524	Ajgpbj32.exe
2524	Ajgpbj32.exe
1764	Apdhjq32.exe
1764	Apdhjq32.exe
2068	Bmhideol.exe
2068	Bmhideol.exe
1392	Bnielm32.exe
1392	Bnielm32.exe
920	Bbdallnd.exe
920	Bbdallnd.exe
2564	Bbgnak32.exe
2564	Bbgnak32.exe
1676	Bajomhbl.exe
1676	Bajomhbl.exe
288	Blobjaba.exe
288	Blobjaba.exe
748	Bonoflae.exe
748	Bonoflae.exe
3048	Bbikgk32.exe
3048	Bbikgk32.exe
2916	Blaopqpo.exe
2916	Blaopqpo.exe
2792	Bmclhi32.exe
2792	Bmclhi32.exe
1596	Bejdiffp.exe
1596	Bejdiffp.exe
2704	Bobhal32.exe
2704	Bobhal32.exe
2796	Bmeimhdj.exe
2796	Bmeimhdj.exe
1476	Cfnmfn32.exe
1476	Cfnmfn32.exe
1300	Cilibi32.exe
1300	Cilibi32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Qgoapp32.exe	Qbbhgi32.exe
File created	C:\Windows\SysWOW64\Icmqhn32.dll	Qgoapp32.exe
File created	C:\Windows\SysWOW64\Aganeoip.exe	Abeemhkh.exe
File created	C:\Windows\SysWOW64\Ajecmj32.exe	Aaloddnn.exe
File created	C:\Windows\SysWOW64\Bbikgk32.exe	Bonoflae.exe
File opened for modification	C:\Windows\SysWOW64\Cacacg32.exe	Cilibi32.exe
File created	C:\Windows\SysWOW64\Qbbhgi32.exe	Qkhpkoen.exe
File created	C:\Windows\SysWOW64\Qgoapp32.exe	Qbbhgi32.exe
File created	C:\Windows\SysWOW64\Cfgheegc.dll	Bbikgk32.exe
File created	C:\Windows\SysWOW64\Cfnmfn32.exe	Bmeimhdj.exe
File created	C:\Windows\SysWOW64\Qhiphb32.dll	Qbplbi32.exe
File created	C:\Windows\SysWOW64\Abeemhkh.exe	Qgoapp32.exe
File created	C:\Windows\SysWOW64\Bbgnak32.exe	Bbdallnd.exe
File created	C:\Windows\SysWOW64\Bajomhbl.exe	Bbgnak32.exe
File created	C:\Windows\SysWOW64\Eignpade.dll	Blobjaba.exe
File created	C:\Windows\SysWOW64\Bejdiffp.exe	Bmclhi32.exe
File created	C:\Windows\SysWOW64\Oimbjlde.dll	Bobhal32.exe
File created	C:\Windows\SysWOW64\Mabanhgg.dll	Bmeimhdj.exe
File opened for modification	C:\Windows\SysWOW64\Achojp32.exe	Aajbne32.exe
File created	C:\Windows\SysWOW64\Bmhideol.exe	Apdhjq32.exe
File created	C:\Windows\SysWOW64\Imklkg32.dll	Bejdiffp.exe
File created	C:\Windows\SysWOW64\Cilibi32.exe	Cfnmfn32.exe
File created	C:\Windows\SysWOW64\Aeqmqeba.dll	Pfikmh32.exe
File created	C:\Windows\SysWOW64\Bmclhi32.exe	Blaopqpo.exe
File created	C:\Windows\SysWOW64\Gioicn32.dll	Ajecmj32.exe
File opened for modification	C:\Windows\SysWOW64\Ajgpbj32.exe	Acmhepko.exe
File created	C:\Windows\SysWOW64\Fhbhji32.dll	Bbgnak32.exe
File created	C:\Windows\SysWOW64\Abacpl32.dll	Bonoflae.exe
File created	C:\Windows\SysWOW64\Qkhpkoen.exe	Qbplbi32.exe
File created	C:\Windows\SysWOW64\Hjojco32.dll	Qbbhgi32.exe
File opened for modification	C:\Windows\SysWOW64\Blaopqpo.exe	Bbikgk32.exe
File created	C:\Windows\SysWOW64\Qbplbi32.exe	Pfikmh32.exe
File opened for modification	C:\Windows\SysWOW64\Qbbhgi32.exe	Qkhpkoen.exe
File opened for modification	C:\Windows\SysWOW64\Bnielm32.exe	Bmhideol.exe
File opened for modification	C:\Windows\SysWOW64\Blobjaba.exe	Bajomhbl.exe
File opened for modification	C:\Windows\SysWOW64\Bmeimhdj.exe	Bobhal32.exe
File opened for modification	C:\Windows\SysWOW64\Ajecmj32.exe	Aaloddnn.exe
File created	C:\Windows\SysWOW64\Bnielm32.exe	Bmhideol.exe
File created	C:\Windows\SysWOW64\Acmhepko.exe	Ajecmj32.exe
File created	C:\Windows\SysWOW64\Apdhjq32.exe	Ajgpbj32.exe
File opened for modification	C:\Windows\SysWOW64\Apdhjq32.exe	Ajgpbj32.exe
File opened for modification	C:\Windows\SysWOW64\Bbgnak32.exe	Bbdallnd.exe
File opened for modification	C:\Windows\SysWOW64\Bobhal32.exe	Bejdiffp.exe
File created	C:\Windows\SysWOW64\Aajbne32.exe	Aganeoip.exe
File created	C:\Windows\SysWOW64\Okbekdoi.dll	Aajbne32.exe
File created	C:\Windows\SysWOW64\Mhpeoj32.dll	Achojp32.exe
File created	C:\Windows\SysWOW64\Ajgpbj32.exe	Acmhepko.exe
File created	C:\Windows\SysWOW64\Bbdallnd.exe	Bnielm32.exe
File opened for modification	C:\Windows\SysWOW64\Bbdallnd.exe	Bnielm32.exe
File opened for modification	C:\Windows\SysWOW64\Bonoflae.exe	Blobjaba.exe
File created	C:\Windows\SysWOW64\Opacnnhp.dll	Blaopqpo.exe
File created	C:\Windows\SysWOW64\Ilfila32.dll	Piekcd32.exe
File created	C:\Windows\SysWOW64\Gcnmkd32.dll	Qkhpkoen.exe
File created	C:\Windows\SysWOW64\Pfikmh32.exe	Piekcd32.exe
File created	C:\Windows\SysWOW64\Ghmnek32.dll	Aganeoip.exe
File created	C:\Windows\SysWOW64\Achojp32.exe	Aajbne32.exe
File opened for modification	C:\Windows\SysWOW64\Aaloddnn.exe	Achojp32.exe
File created	C:\Windows\SysWOW64\Momeefin.dll	Bnielm32.exe
File created	C:\Windows\SysWOW64\Nmmfff32.dll	Bmclhi32.exe
File created	C:\Windows\SysWOW64\Pfgngh32.exe	851583c0a8981c1ba9efe8482c46f33abd84a638de5cd951debacb6644bc1e66.exe
File opened for modification	C:\Windows\SysWOW64\Piekcd32.exe	Pfgngh32.exe
File opened for modification	C:\Windows\SysWOW64\Aganeoip.exe	Abeemhkh.exe
File created	C:\Windows\SysWOW64\Fekagf32.dll	Aaloddnn.exe
File created	C:\Windows\SysWOW64\Bmnbjfam.dll	Acmhepko.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2336	2220	WerFault.exe	61

System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbdallnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmeimhdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkhpkoen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abeemhkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Achojp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apdhjq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	851583c0a8981c1ba9efe8482c46f33abd84a638de5cd951debacb6644bc1e66.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aajbne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajgpbj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmclhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bonoflae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blaopqpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bobhal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfgngh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piekcd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qbbhgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmhideol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaloddnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnielm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfnmfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgoapp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbgnak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacacg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bejdiffp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cilibi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qbplbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajecmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bajomhbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blobjaba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfikmh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aganeoip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acmhepko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbikgk32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfgngh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbikgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajgpbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apdhjq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpmbc32.dll"	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	851583c0a8981c1ba9efe8482c46f33abd84a638de5cd951debacb6644bc1e66.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	851583c0a8981c1ba9efe8482c46f33abd84a638de5cd951debacb6644bc1e66.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgoapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mabanhgg.dll"	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qkhpkoen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Achojp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Achojp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbdallnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimbjlde.dll"	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll"	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajecmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmpanl32.dll"	Apdhjq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbdallnd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmhideol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ennlme32.dll"	Bmhideol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhbhji32.dll"	Bbgnak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bajomhbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lapefgai.dll"	Pfgngh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qbplbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcicn32.dll"	Abeemhkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gioicn32.dll"	Ajecmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acmhepko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajgpbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmmfff32.dll"	Bmclhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bobhal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qbbhgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmnek32.dll"	Aganeoip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajecmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeqmqeba.dll"	Pfikmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhpeoj32.dll"	Achojp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bajomhbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbikgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bobhal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	851583c0a8981c1ba9efe8482c46f33abd84a638de5cd951debacb6644bc1e66.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	851583c0a8981c1ba9efe8482c46f33abd84a638de5cd951debacb6644bc1e66.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilfila32.dll"	Piekcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihmnkh32.dll"	Bajomhbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfgheegc.dll"	Bbikgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opacnnhp.dll"	Blaopqpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imklkg32.dll"	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfikmh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnielm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnielm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cilibi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfgngh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhiphb32.dll"	Qbplbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjojco32.dll"	Qbbhgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abacpl32.dll"	Bonoflae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bonoflae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abeemhkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aajbne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acmhepko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blaopqpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	851583c0a8981c1ba9efe8482c46f33abd84a638de5cd951debacb6644bc1e66.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2636	2876	851583c0a8981c1ba9efe8482c46f33abd84a638de5cd951debacb6644bc1e66.exe	30
PID 2876 wrote to memory of 2636	2876	851583c0a8981c1ba9efe8482c46f33abd84a638de5cd951debacb6644bc1e66.exe	30
PID 2876 wrote to memory of 2636	2876	851583c0a8981c1ba9efe8482c46f33abd84a638de5cd951debacb6644bc1e66.exe	30
PID 2876 wrote to memory of 2636	2876	851583c0a8981c1ba9efe8482c46f33abd84a638de5cd951debacb6644bc1e66.exe	30
PID 2636 wrote to memory of 3004	2636	Pfgngh32.exe	31
PID 2636 wrote to memory of 3004	2636	Pfgngh32.exe	31
PID 2636 wrote to memory of 3004	2636	Pfgngh32.exe	31
PID 2636 wrote to memory of 3004	2636	Pfgngh32.exe	31
PID 3004 wrote to memory of 2640	3004	Piekcd32.exe	32
PID 3004 wrote to memory of 2640	3004	Piekcd32.exe	32
PID 3004 wrote to memory of 2640	3004	Piekcd32.exe	32
PID 3004 wrote to memory of 2640	3004	Piekcd32.exe	32
PID 2640 wrote to memory of 2672	2640	Pfikmh32.exe	33
PID 2640 wrote to memory of 2672	2640	Pfikmh32.exe	33
PID 2640 wrote to memory of 2672	2640	Pfikmh32.exe	33
PID 2640 wrote to memory of 2672	2640	Pfikmh32.exe	33
PID 2672 wrote to memory of 536	2672	Qbplbi32.exe	34
PID 2672 wrote to memory of 536	2672	Qbplbi32.exe	34
PID 2672 wrote to memory of 536	2672	Qbplbi32.exe	34
PID 2672 wrote to memory of 536	2672	Qbplbi32.exe	34
PID 536 wrote to memory of 964	536	Qkhpkoen.exe	35
PID 536 wrote to memory of 964	536	Qkhpkoen.exe	35
PID 536 wrote to memory of 964	536	Qkhpkoen.exe	35
PID 536 wrote to memory of 964	536	Qkhpkoen.exe	35
PID 964 wrote to memory of 1288	964	Qbbhgi32.exe	36
PID 964 wrote to memory of 1288	964	Qbbhgi32.exe	36
PID 964 wrote to memory of 1288	964	Qbbhgi32.exe	36
PID 964 wrote to memory of 1288	964	Qbbhgi32.exe	36
PID 1288 wrote to memory of 2928	1288	Qgoapp32.exe	37
PID 1288 wrote to memory of 2928	1288	Qgoapp32.exe	37
PID 1288 wrote to memory of 2928	1288	Qgoapp32.exe	37
PID 1288 wrote to memory of 2928	1288	Qgoapp32.exe	37
PID 2928 wrote to memory of 1704	2928	Abeemhkh.exe	38
PID 2928 wrote to memory of 1704	2928	Abeemhkh.exe	38
PID 2928 wrote to memory of 1704	2928	Abeemhkh.exe	38
PID 2928 wrote to memory of 1704	2928	Abeemhkh.exe	38
PID 1704 wrote to memory of 2972	1704	Aganeoip.exe	39
PID 1704 wrote to memory of 2972	1704	Aganeoip.exe	39
PID 1704 wrote to memory of 2972	1704	Aganeoip.exe	39
PID 1704 wrote to memory of 2972	1704	Aganeoip.exe	39
PID 2972 wrote to memory of 3040	2972	Aajbne32.exe	40
PID 2972 wrote to memory of 3040	2972	Aajbne32.exe	40
PID 2972 wrote to memory of 3040	2972	Aajbne32.exe	40
PID 2972 wrote to memory of 3040	2972	Aajbne32.exe	40
PID 3040 wrote to memory of 624	3040	Achojp32.exe	41
PID 3040 wrote to memory of 624	3040	Achojp32.exe	41
PID 3040 wrote to memory of 624	3040	Achojp32.exe	41
PID 3040 wrote to memory of 624	3040	Achojp32.exe	41
PID 624 wrote to memory of 2808	624	Aaloddnn.exe	42
PID 624 wrote to memory of 2808	624	Aaloddnn.exe	42
PID 624 wrote to memory of 2808	624	Aaloddnn.exe	42
PID 624 wrote to memory of 2808	624	Aaloddnn.exe	42
PID 2808 wrote to memory of 1976	2808	Ajecmj32.exe	43
PID 2808 wrote to memory of 1976	2808	Ajecmj32.exe	43
PID 2808 wrote to memory of 1976	2808	Ajecmj32.exe	43
PID 2808 wrote to memory of 1976	2808	Ajecmj32.exe	43
PID 1976 wrote to memory of 2524	1976	Acmhepko.exe	44
PID 1976 wrote to memory of 2524	1976	Acmhepko.exe	44
PID 1976 wrote to memory of 2524	1976	Acmhepko.exe	44
PID 1976 wrote to memory of 2524	1976	Acmhepko.exe	44
PID 2524 wrote to memory of 1764	2524	Ajgpbj32.exe	45
PID 2524 wrote to memory of 1764	2524	Ajgpbj32.exe	45
PID 2524 wrote to memory of 1764	2524	Ajgpbj32.exe	45
PID 2524 wrote to memory of 1764	2524	Ajgpbj32.exe	45

C:\Users\Admin\AppData\Local\Temp\851583c0a8981c1ba9efe8482c46f33abd84a638de5cd951debacb6644bc1e66.exe
"C:\Users\Admin\AppData\Local\Temp\851583c0a8981c1ba9efe8482c46f33abd84a638de5cd951debacb6644bc1e66.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Windows\SysWOW64\Pfgngh32.exe
  C:\Windows\system32\Pfgngh32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Windows\SysWOW64\Piekcd32.exe
    C:\Windows\system32\Piekcd32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\Windows\SysWOW64\Pfikmh32.exe
      C:\Windows\system32\Pfikmh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2640
    - - C:\Windows\SysWOW64\Qbplbi32.exe
        
        C:\Windows\system32\Qbplbi32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2672
      - C:\Windows\SysWOW64\Qkhpkoen.exe
        
        C:\Windows\system32\Qkhpkoen.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\SysWOW64\Qbbhgi32.exe
        
        C:\Windows\system32\Qbbhgi32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:964
        
        C:\Windows\SysWOW64\Qgoapp32.exe
        
        C:\Windows\system32\Qgoapp32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Windows\SysWOW64\Abeemhkh.exe
        
        C:\Windows\system32\Abeemhkh.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\SysWOW64\Aganeoip.exe
        
        C:\Windows\system32\Aganeoip.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\SysWOW64\Aajbne32.exe
        
        C:\Windows\system32\Aajbne32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\SysWOW64\Achojp32.exe
        
        C:\Windows\system32\Achojp32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\SysWOW64\Aaloddnn.exe
        
        C:\Windows\system32\Aaloddnn.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        C:\Windows\SysWOW64\Ajecmj32.exe
        
        C:\Windows\system32\Ajecmj32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\SysWOW64\Acmhepko.exe
        
        C:\Windows\system32\Acmhepko.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\SysWOW64\Ajgpbj32.exe
        
        C:\Windows\system32\Ajgpbj32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\SysWOW64\Apdhjq32.exe
        
        C:\Windows\system32\Apdhjq32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1764
        
        C:\Windows\SysWOW64\Bmhideol.exe
        
        C:\Windows\system32\Bmhideol.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2068
        
        C:\Windows\SysWOW64\Bnielm32.exe
        
        C:\Windows\system32\Bnielm32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1392
        
        C:\Windows\SysWOW64\Bbdallnd.exe
        
        C:\Windows\system32\Bbdallnd.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:920
        
        C:\Windows\SysWOW64\Bbgnak32.exe
        
        C:\Windows\system32\Bbgnak32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2564
        
        C:\Windows\SysWOW64\Bajomhbl.exe
        
        C:\Windows\system32\Bajomhbl.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1676
        
        C:\Windows\SysWOW64\Blobjaba.exe
        
        C:\Windows\system32\Blobjaba.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:288
        
        C:\Windows\SysWOW64\Bonoflae.exe
        
        C:\Windows\system32\Bonoflae.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:748
        
        C:\Windows\SysWOW64\Bbikgk32.exe
        
        C:\Windows\system32\Bbikgk32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\Blaopqpo.exe
        
        C:\Windows\system32\Blaopqpo.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2916
        
        C:\Windows\SysWOW64\Bmclhi32.exe
        
        C:\Windows\system32\Bmclhi32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2792
        
        C:\Windows\SysWOW64\Bejdiffp.exe
        
        C:\Windows\system32\Bejdiffp.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Bobhal32.exe
        
        C:\Windows\system32\Bobhal32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2704
        
        C:\Windows\SysWOW64\Bmeimhdj.exe
        
        C:\Windows\system32\Bmeimhdj.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2796
        
        C:\Windows\SysWOW64\Cfnmfn32.exe
        
        C:\Windows\system32\Cfnmfn32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1476
        
        C:\Windows\SysWOW64\Cilibi32.exe
        
        C:\Windows\system32\Cilibi32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1300
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 140
        34⤵
        Program crash
        
        PID:2336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaloddnn.exe

Filesize
93KB

MD5
ffdc1c25edcb1052a63f8d95e1b1acc7

SHA1
207716917f912e6c9138d174d9fcca4a5229b660

SHA256
c97fb9f774615aabc2f41290117f48efb89d643f963138297abe909d45854f4b

SHA512
bf66e1f975c43cf7466a1e78c75b9062b05c43e0e232c475bafae907cbd2e83aa07e73652afddcdd5cddd4111262316a4ef016a1109ae48bbdc56beea11a5a9c

Download Submit
C:\Windows\SysWOW64\Achojp32.exe

Filesize
93KB

MD5
086fab7de43fb3748d918f3422aab0ca

SHA1
3f73f9d38d6b3ae487cdb39a280a2ea64087c5f9

SHA256
48aa1b76cb502d1de1a69935389a7ed8b2661a0165b6c4d92216830b82a93111

SHA512
183b48c27caa704a6d5314d5369f60c1f87c6eca85b638f5cd95d54ed3c81b80f129527ff368668152b25614e158a36d242c42060a756457be26af055c2bdb91

Download Submit
C:\Windows\SysWOW64\Bajomhbl.exe

Filesize
93KB

MD5
0d21b6da9e29c07de9d4194d350ae9a2

SHA1
d77a31354b1ef94bfb98995ca401d4111920a776

SHA256
f7e487c3e75752e13c4786f9d8860dca1dcd95ae9614abc47364e663035c857a

SHA512
0273aabb94621851d02686b84c47ef5c918aaaee129fb5377c5cfdc29296821ac3bdccdbb71855e1488cab39ba8e1c2e0874c4832c23b4b87cf6b1421f64d783

Download Submit
C:\Windows\SysWOW64\Bbdallnd.exe

Filesize
93KB

MD5
9de2dffdc8dacbce1bc615ffa6645da1

SHA1
c30ac0a54ee9cd42d2f3799cff8148793b372fe9

SHA256
412f464bdafc5237c20393a416d4b89734b53a5c3bf32a92cc3ade7e19bc27f2

SHA512
64a8bf41cd69afa1cb7e4428ffcccde18ed97dc9c6470b76c682e00e1ef6ca4df99b24661bc9e950dc7b988aa2ab7e1285df51bb547731291982173e5a49ba2b

Download Submit
C:\Windows\SysWOW64\Bbgnak32.exe

Filesize
93KB

MD5
2c337123a6a961c367127a612d7507bb

SHA1
96f0b66e063bfd3089c05a49c6de3c66278c0e94

SHA256
41ba42e7c564fe8e48b62a5e6440862d8a055abc3ec266af0a4c72c64d401e2c

SHA512
898e61daa6326b32f18b4c44b8ec23714159981af7a303262c0565d0a9b86ba6e4fc3ca2cdc1346f3c7ad4b1d768586a613819133b224fa0cbea906d48253674

Download Submit
C:\Windows\SysWOW64\Bbikgk32.exe

Filesize
93KB

MD5
f39b627d0645b3fb94b7a24b3c313ba0

SHA1
5fb6133f1dba593d477255f06498e1f68ef8a32e

SHA256
fbe63962500497cb5ffa0950f2b7c6cda3a42d4ce6fc09db918fbbf037d8ae7d

SHA512
7c3fae72859ec1560496396cf354df33b4f0a2a6742857c21996f69bb8b6508bec6534e1fd844b9ab384310aa03f798ac2c7c9b0fa7f0e7c1d4213359600b778

Download Submit
C:\Windows\SysWOW64\Bejdiffp.exe

Filesize
93KB

MD5
14703f949d6ac2ef584eaedf3d84b2d1

SHA1
fcf46bdc9310483fadd237c144b9511c1ecb73b7

SHA256
61d0b9d43d81c7c9f8109c01b290dbb1ca3046fd7860b21d8dac89a4cfc3b156

SHA512
de6646b2e23814e7c6be503700c025d1ba5d9a5a1544a8d40833bb61039b10bb796c86b79bbefce072853ce6300d59d34226088cb19bcaefc6b2a306002c8b4d

Download Submit
C:\Windows\SysWOW64\Blaopqpo.exe

Filesize
93KB

MD5
81805450ae557c5020c340292ef51ee8

SHA1
e5e3fd5df305251da2467c35cb3ef046df08638c

SHA256
9ef900d681aeeeec95f6793a488f25f9abbea5b317e20af488aa2ddab28f4e9b

SHA512
c7fc5170a8ea4f72e6fe1ed5e90d61d918d2a9b190ec1f05a5bdd7e4b36b4f8b7ef7dc2f9b382584812772b3762c780fbdfb0c1e00c3e1431f4580f6ca711b3d

Download Submit
C:\Windows\SysWOW64\Blobjaba.exe

Filesize
93KB

MD5
02961208f5da373b7423c92e8483d08a

SHA1
f0550b3016ad32df1efc304fce4ef916ef442cdb

SHA256
92730109a122e2ed4a2c7afa7d3601316d632d431f4bec4d66604dd3867361ce

SHA512
034153314636b44973ffe87df1be1b3e16c1aa89c604b3b029060defa8c23b27465af27ff597e270a405b8042c86fda7730cec5909517957123f96358ee4cb55

Download Submit
C:\Windows\SysWOW64\Bmclhi32.exe

Filesize
93KB

MD5
eea588d7de1e0e3c31057dbda7696209

SHA1
d49faca79d75e10503a646a84e2cede71553ea35

SHA256
da3dbf4c240c1650ef1e084bf726cd71d4da53542ba03811f16a3d75168bed0e

SHA512
eab9bf7620f931ff668b328a9da7c11718b6c2a341183ed30491ac7cbb0c77f7f2fa109d9f57652209e79332a66f0917fabd1ab9d284328bdba8cd279b873616

Download Submit
C:\Windows\SysWOW64\Bmeimhdj.exe

Filesize
93KB

MD5
87776daa167bbae3921ee8e5181173f7

SHA1
a109a950953c3342b0a7540388695317c0e2de1b

SHA256
b317f30d14674a3950882bd72f3dd1ffcdb1a279f0d307f09fc10740badd6505

SHA512
c1d4b91b889bc34901ccaa38f954ba770f4085ea3db2ef85c2334ef43bdfc153643d9958b8a7570eb8c2ce95af17caade3f44fc9efb031eef6f87e588c0fa79c

Download Submit
C:\Windows\SysWOW64\Bmhideol.exe

Filesize
93KB

MD5
22a3b996724b1bf61846ff27910784d6

SHA1
85b75dd81d2dee8050853d0928bbdca430d380b4

SHA256
cb4a6aad39c052b730aeb1314ef396f997f9a983133a40e2a75f2bcabda02545

SHA512
ce4b4270bd6ef9a6e50818408163ccd0cffa9598e6703ff5248dde352b67581448d10d2f1f99244a06974344d30bb160b8c8449b68b97a4c550606616aa57be0

Download Submit
C:\Windows\SysWOW64\Bnielm32.exe

Filesize
93KB

MD5
d1ca9ced9d221bd610f2ad27b83f3255

SHA1
181fdac0697d95f43ae80404bfd2146f574ae356

SHA256
f655848eb4ba173ee5cc8f312e9c68c1dbfd0d9357ab1451bc0a5ea4bc01a801

SHA512
3315b4624e040a4d4ea3c9ac4a0bcd9fb43c78b3961570a4bd5779712c458a04b1553a52eaf1a259d0b52af5aeb07b171720c46aa1a240c3e3aab5011b594252

Download Submit
C:\Windows\SysWOW64\Bobhal32.exe

Filesize
93KB

MD5
d281080845eafabaf155a14d37924422

SHA1
e6be628f2b2bb01e7326d25dea144d6b537dd311

SHA256
7e9972911d99ccc0007ecf071512f34415bca1d7864f2104ed7f3c59e2fb4739

SHA512
d9d73ab0c54d89b997118661f647f4599b580f5087b5b6d103cb6434d63e1cd4944246b39da219e81a69dc736436a7ccc865faeff36aecc4294d2cdb1d18772a

Download Submit
C:\Windows\SysWOW64\Bonoflae.exe

Filesize
93KB

MD5
b5df06a2319def671715b8474018d859

SHA1
76499a79b40b0420ee310cd4225425a6d53dffcb

SHA256
de0f9ec0a2df7e243f5942013f778d41a2cac0a4433edb4a3e04a12b4e385bcb

SHA512
aa28afdb05f19310b2c7f49a895cc37c475c984fecd6e736125c55fc8d7410d56b4918d80276013be265454a5c3b0e428fa7f11457060c9a2fcceae9459e800e

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
93KB

MD5
be42219e49e169334fb9da279d2c1c77

SHA1
7da9dc4aebc67070a8ad2aedff307b226c2c9627

SHA256
3c1bb28bde64c47bb6a5899f3a5aadac8b273f7a07d8e3e2eb958433cd5ef27a

SHA512
1ee4d339ee259dac5d3ac34d31ed51e810ec57752f085e2c342c937637521f34fab2dd18de76107ba31c18a50d8a77b8324ca989d98649c5c9fb15efd94b8887

Download Submit
C:\Windows\SysWOW64\Cfnmfn32.exe

Filesize
93KB

MD5
efeb6a9843ef55c074b6611679ee9f50

SHA1
f81866efab29b537094fddc9ca65fb6da1d52579

SHA256
c59e0be19948d84daf246d1ea8365e2d260322664981add7835819895eaff571

SHA512
3271cbee2f99a3421b869605455a2e04584747710d5d6d60445fd92244ea8c059cfa6a7f5688d95254a77f994552bf974cfbb0cadcf459eedf2f99c3d9ea795e

Download Submit
C:\Windows\SysWOW64\Cilibi32.exe

Filesize
93KB

MD5
ea6876b7bd27c43cb75d0471fd692683

SHA1
9634934206d153d4689dba0ed9f4d9fa77a95bfc

SHA256
e42094b028e229916a1e4ffd651562a744cc02024a27b6af71032bd9b60e68fc

SHA512
4d22513c4f0a45a05faf2d91c0d52a6a5b67257d4a3a3ab868a85aca3c03f327ef303903d6f6c4f4520f677a05def54d80082f8b48268934aed0c6348a2a78cd

Download Submit
C:\Windows\SysWOW64\Qbplbi32.exe

Filesize
93KB

MD5
b273ab27682659757bd6496a8bee59cd

SHA1
a83ad3fc3462c85ac8c3e23fcd9abef35f82106f

SHA256
a25e4c53ea1fb1644cef5be641edc06a3fa70b612528be32d2d31aeff0bac380

SHA512
ec225dda37eadd190f0fbb0bfad4fbd2d7cdc0f264817903be47fb0818c53e2162c15b0e2e3a4c53ae9f0c7e9c828abaefbf411aa151139f031d654fc5fd8c71

Download Submit
C:\Windows\SysWOW64\Qgoapp32.exe

Filesize
93KB

MD5
d6750779169ad40af30e5eddf02e6882

SHA1
a1735357ab6e9a7470fbe9ed8aa73626b86514a9

SHA256
46790668f9355c1b66c3cfbc82c9eea0e7bcc8523e12ce94d0ed5926e4ffcd69

SHA512
4013cb4286788600f332bba0761eb6ff977390beb0e31a8becbdff7633bb98dcefc241c885ee0ac44e88c5cfdbbec65d4f02539caf4b2a766cc3c97f55d20b6d

Download Submit
\Windows\SysWOW64\Aajbne32.exe

Filesize
93KB

MD5
89ad4c3b63534deb5bd3b8922647b732

SHA1
0f952b364b0b3c17cf72f4b4c2666a8753438525

SHA256
c8a2c13c8e1d0c2cac57a0d4823c0f52b813c3130101d173777df23f9f45da03

SHA512
a515c847bd11b4e5214cbf004958a51864135a2a7af16f9548ac671888ee8a778f86bbad100f63fb9ec792c57458578120b31d4f3dfed3df7e407c4c49f50fcc

Download Submit
\Windows\SysWOW64\Abeemhkh.exe

Filesize
93KB

MD5
713ba3a4b80bd9ec53df6d56de023839

SHA1
ba72f382ddb78e8d95bb3c5fb884cb7ba7fe9fc2

SHA256
5128fc1cc3c1711b1c8e499236d1f13c4f4238c0d01f0a484fd0416138829271

SHA512
674c08fa2447ee5aefab50378964d529307a856c2d9f4eda88d0d45ee176584f80fc5c178e4d1be6216aa5050e5f524195b8513b4753f34ea2d29ae397dc4aaf

Download Submit
\Windows\SysWOW64\Acmhepko.exe

Filesize
93KB

MD5
67dc6fe768bcddacfe474a6d11cb575d

SHA1
a86ae05594ffe35a8fcd80ce149e04db20b18b52

SHA256
eedfef1a4455227905682e8bd8e5aa4e5de6c9b2a6c905f4253593c02657d233

SHA512
05d763bdcda6d5cbe2a01ec1f6da5b9128cd93bb83eed4e5375f3c68752db7b47c1e158a8edd602a09c15a5e8d5885bbf90493cc23f632c9a14101b692808b26

Download Submit
\Windows\SysWOW64\Aganeoip.exe

Filesize
93KB

MD5
d04fd7c8a4e46f847e1f840a94009948

SHA1
35d38d12130786e8506815ad6ca920c824302c96

SHA256
f9a48f89ed71843071b546ebd992c9cef48483c5a8cef98a2897c809809413b4

SHA512
76f2fb99de82f98a6a6b6289b628c0dcc202119c876eb9e7eeb759e8755dd0042f8d7cd324e6e32f7cee3354ddcaa42572bbb19c9c0179e498a3e7d81d1b32a9

Download Submit
\Windows\SysWOW64\Ajecmj32.exe

Filesize
93KB

MD5
07202a0d4678e43363f85922a4b37217

SHA1
b4d24452da0a84e0eca491995ab2fa46690dc076

SHA256
289dbcfc4320f4de72188b96b6c25dc2168dfe65570cd4f15b702a7e44a66cc2

SHA512
b6feefc0fdd34b34c4af5b2a6798fc315e8e69f794a1640150f5a7d29ba5bafb34c2d596d082d9ff6530327088033697df92941ce2431d4d64dfa8b6e060ff3e

Download Submit
\Windows\SysWOW64\Ajgpbj32.exe

Filesize
93KB

MD5
3a26d2e5cf9281c195d354582be85207

SHA1
d46ce88dac56e63580445259d03cdafdf16ba930

SHA256
55da0aae73f8e097b4ffc0e56d4a323b26e02ff31092a5b9b5b587c0a233cea9

SHA512
b986188b758fbd1e8f96ede843122d4ac9ed3aa33e06413840bec66681d4292b89d72fc999da4a98633bee56e7e1dd1eafb6aef449eb09ce54c994a85392cc8f

Download Submit
\Windows\SysWOW64\Apdhjq32.exe

Filesize
93KB

MD5
483765b7a697ffd1bb0ecf16f1c33054

SHA1
9c1e8916c89883feb221fb1c8588b31907248f9f

SHA256
846e96f1874652365a9b5afd59ef5a2f71395b43a201d84732e68d0c860f5867

SHA512
5c57b42b65fac377d40e095299d1af812ab4d0844a0fdb9d19f7c4504399310a96cb2ce81bf3015597fd433bcaf9725e92dfc82093f84a35e05f48241c832461

Download Submit
\Windows\SysWOW64\Pfgngh32.exe

Filesize
93KB

MD5
b168307aa1cd3aa62cbe8b38bc40cfe9

SHA1
421a4f0372aa4bb1d49bb13b4db2188b46cc3f14

SHA256
95c4ceac494d2b5cda675e0a28f6c1da809d941e7131cec9e3d19d9d1a6a698a

SHA512
8d5e3d0a33743445a8b4e46276e300d4ee0ebb044e099331206cee3af24ee3e5485e4b9b4e84bd78da3a4bbfb019797915c4f982b609335d8dd60817192a747c

Download Submit
\Windows\SysWOW64\Pfikmh32.exe

Filesize
93KB

MD5
ff428d79a71b0ea4df9256a492a31b7b

SHA1
eb838fd7ee099af5493fbd4d3ceb928279513135

SHA256
f9b6286ab53e0c5e9098d458f47992847cd42ba111335d64ea50dc14a0efeb76

SHA512
29d662c7088080104210eb9ae370767e759727589f970cccf1cf287f8e528dd83f779ac2991d1094fc665d018b14c7bab554de67f6469e49d085591aa5efe675

Download Submit
\Windows\SysWOW64\Piekcd32.exe

Filesize
93KB

MD5
ebac246bee86bc8b11886fa03e7cc7a6

SHA1
279e9e4dd025703c87940df5ce29e8e22334211d

SHA256
9a50d423865eb3b2c38090cece2ba51508809b18ac4bf1b39a51c8007e1e76dc

SHA512
7db38e677a80bb0102b647f860b9a35405358582e6dc51832de30d652805dbd124f6852ff323107f70a90fbd7f6f59aea9f2e5b67d01efdc08c0df4ef7d1b5ed

Download Submit
\Windows\SysWOW64\Qbbhgi32.exe

Filesize
93KB

MD5
e5d31c674597f948f3781c9e9838ce40

SHA1
cfdf9ce0da4493f1146ce6243e157bd3bf50cb9e

SHA256
4017170cd55d6ffb4fea676cf74f4b2e539279dfc797337683aef55e93a611fc

SHA512
bb0ec8f5a8dbedc355334a6137e21e7735b34302303895ab296216163d58430eb2ee31af54cb28aaab800c0637c3e34d98058aca2a753997b22144c1471cda19

Download Submit
\Windows\SysWOW64\Qkhpkoen.exe

Filesize
93KB

MD5
add8acf5cbe695bae6ad632928561ed4

SHA1
b1a80f1428f4dfe3d78d6253cedbb2df87202cd7

SHA256
84b0998be24777f74add1a0d11077cac51ea1d0b5348b47fb897de0d7771d182

SHA512
22e535e88ee1f820c7eb92917fd1fee478411d2ae5ae691bac0383cd936bfaac4ef2516d355f0079039ea5e9ac761d331cd4d4365168bba0932aeff3c97ebc18

Download Submit
memory/288-281-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/288-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/536-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/536-67-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/536-81-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/536-75-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/624-416-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/624-163-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/748-291-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/748-287-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/748-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/920-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/964-429-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/964-82-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1288-426-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1288-95-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1288-103-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1300-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1392-404-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1392-240-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1392-235-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1476-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1476-369-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1476-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1596-331-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1596-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1596-333-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1596-391-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1676-397-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1676-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1704-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1704-428-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1764-222-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1764-408-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1976-197-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/1976-420-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2068-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2068-234-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2220-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2220-439-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2524-210-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2524-409-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2564-399-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2564-262-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2564-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2636-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2636-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2640-49-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2640-380-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2640-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2672-381-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2704-343-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2704-342-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2704-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2704-332-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2792-392-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2792-321-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2792-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2796-344-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2796-353-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2796-354-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2796-387-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2808-415-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2808-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2808-184-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2876-4-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2876-13-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2876-12-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2876-365-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2876-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2916-310-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2916-421-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2916-311-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2928-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2972-147-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2972-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2972-433-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3004-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3004-40-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/3004-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3004-379-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/3040-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3040-148-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3040-162-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/3040-156-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/3048-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-301-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/3048-297-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads