berbew | 20ff32369021e95c4c7be4ed67d66c818022119524a667a9ba443ae61a95c730

Analysis

max time kernel
73s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 16:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20ff32369021e95c4c7be4ed67d66c818022119524a667a9ba443ae61a95c730.exe
Size

464KB
MD5

57c2e64eab52c30874f1aacc13b0c020
SHA1

c405107804a5cf96d09fee4063410608ead345f1
SHA256

20ff32369021e95c4c7be4ed67d66c818022119524a667a9ba443ae61a95c730
SHA512

07c741306dacf4fe23c35b79e4b89f17d1ade421ea7efce75191b90d219e3386297049fb65968b898e102abc380afd6d95d8fc1fa128b44fb92f31dd5686e549
SSDEEP

12288:puGf/pftPh2kkkkK4kXkkkkkkkkl888888888888888888nI:puGfxlPh2kkkkK4kXkkkkkkkky

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 34 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Akfkbd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cepipm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	20ff32369021e95c4c7be4ed67d66c818022119524a667a9ba443ae61a95c730.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Achjibcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Alqnah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adlcfjgh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahbekjcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anbkipok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Abpcooea.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	20ff32369021e95c4c7be4ed67d66c818022119524a667a9ba443ae61a95c730.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apedah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akfkbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aaimopli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cepipm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qeppdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apedah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afffenbp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abpcooea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qeppdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaimopli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afffenbp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adlcfjgh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgllgedi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgllgedi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ahbekjcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Achjibcl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alqnah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anbkipok.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 17 IoCs

pid	Process
584	Qeppdo32.exe
2800	Apedah32.exe
2752	Aaimopli.exe
2896	Ahbekjcf.exe
2576	Achjibcl.exe
2140	Afffenbp.exe
2876	Alqnah32.exe
3000	Anbkipok.exe
1420	Adlcfjgh.exe
1764	Akfkbd32.exe
668	Abpcooea.exe
592	Bgllgedi.exe
2392	Cepipm32.exe
2328	Cgaaah32.exe
2240	Cmpgpond.exe
2508	Dnpciaef.exe
1636	Dpapaj32.exe

Loads dropped DLL 37 IoCs

pid	Process
628	20ff32369021e95c4c7be4ed67d66c818022119524a667a9ba443ae61a95c730.exe
628	20ff32369021e95c4c7be4ed67d66c818022119524a667a9ba443ae61a95c730.exe
584	Qeppdo32.exe
584	Qeppdo32.exe
2800	Apedah32.exe
2800	Apedah32.exe
2752	Aaimopli.exe
2752	Aaimopli.exe
2896	Ahbekjcf.exe
2896	Ahbekjcf.exe
2576	Achjibcl.exe
2576	Achjibcl.exe
2140	Afffenbp.exe
2140	Afffenbp.exe
2876	Alqnah32.exe
2876	Alqnah32.exe
3000	Anbkipok.exe
3000	Anbkipok.exe
1420	Adlcfjgh.exe
1420	Adlcfjgh.exe
1764	Akfkbd32.exe
1764	Akfkbd32.exe
668	Abpcooea.exe
668	Abpcooea.exe
592	Bgllgedi.exe
592	Bgllgedi.exe
2392	Cepipm32.exe
2392	Cepipm32.exe
2328	Cgaaah32.exe
2328	Cgaaah32.exe
2240	Cmpgpond.exe
2240	Cmpgpond.exe
2508	Dnpciaef.exe
2508	Dnpciaef.exe
1464	WerFault.exe
1464	WerFault.exe
1464	WerFault.exe

Drops file in System32 directory 53 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gggpgo32.dll	Adlcfjgh.exe
File created	C:\Windows\SysWOW64\Cepipm32.exe	Bgllgedi.exe
File opened for modification	C:\Windows\SysWOW64\Cepipm32.exe	Bgllgedi.exe
File created	C:\Windows\SysWOW64\Achjibcl.exe	Ahbekjcf.exe
File created	C:\Windows\SysWOW64\Pmiljc32.dll	Cmpgpond.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dnpciaef.exe
File opened for modification	C:\Windows\SysWOW64\Ahbekjcf.exe	Aaimopli.exe
File created	C:\Windows\SysWOW64\Gdgqdaoh.dll	Bgllgedi.exe
File opened for modification	C:\Windows\SysWOW64\Cgaaah32.exe	Cepipm32.exe
File created	C:\Windows\SysWOW64\Alqnah32.exe	Afffenbp.exe
File opened for modification	C:\Windows\SysWOW64\Bgllgedi.exe	Abpcooea.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Aaimopli.exe	Apedah32.exe
File opened for modification	C:\Windows\SysWOW64\Alqnah32.exe	Afffenbp.exe
File opened for modification	C:\Windows\SysWOW64\Dnpciaef.exe	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Gfnafi32.dll	Akfkbd32.exe
File created	C:\Windows\SysWOW64\Anbkipok.exe	Alqnah32.exe
File opened for modification	C:\Windows\SysWOW64\Anbkipok.exe	Alqnah32.exe
File created	C:\Windows\SysWOW64\Qeppdo32.exe	20ff32369021e95c4c7be4ed67d66c818022119524a667a9ba443ae61a95c730.exe
File created	C:\Windows\SysWOW64\Qoblpdnf.dll	Afffenbp.exe
File opened for modification	C:\Windows\SysWOW64\Aaimopli.exe	Apedah32.exe
File created	C:\Windows\SysWOW64\Maanne32.dll	Aaimopli.exe
File opened for modification	C:\Windows\SysWOW64\Qeppdo32.exe	20ff32369021e95c4c7be4ed67d66c818022119524a667a9ba443ae61a95c730.exe
File created	C:\Windows\SysWOW64\Ljamki32.dll	20ff32369021e95c4c7be4ed67d66c818022119524a667a9ba443ae61a95c730.exe
File created	C:\Windows\SysWOW64\Apedah32.exe	Qeppdo32.exe
File created	C:\Windows\SysWOW64\Bgllgedi.exe	Abpcooea.exe
File opened for modification	C:\Windows\SysWOW64\Adlcfjgh.exe	Anbkipok.exe
File opened for modification	C:\Windows\SysWOW64\Akfkbd32.exe	Adlcfjgh.exe
File created	C:\Windows\SysWOW64\Pcaibd32.dll	Cgaaah32.exe
File created	C:\Windows\SysWOW64\Afffenbp.exe	Achjibcl.exe
File created	C:\Windows\SysWOW64\Adlcfjgh.exe	Anbkipok.exe
File created	C:\Windows\SysWOW64\Kaqnpc32.dll	Cepipm32.exe
File created	C:\Windows\SysWOW64\Mfhmmndi.dll	Ahbekjcf.exe
File opened for modification	C:\Windows\SysWOW64\Afffenbp.exe	Achjibcl.exe
File created	C:\Windows\SysWOW64\Pkdhln32.dll	Achjibcl.exe
File created	C:\Windows\SysWOW64\Jjmeignj.dll	Abpcooea.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dnpciaef.exe
File opened for modification	C:\Windows\SysWOW64\Apedah32.exe	Qeppdo32.exe
File opened for modification	C:\Windows\SysWOW64\Cmpgpond.exe	Cgaaah32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Dkppib32.dll	Apedah32.exe
File created	C:\Windows\SysWOW64\Bodmepdn.dll	Alqnah32.exe
File created	C:\Windows\SysWOW64\Fiqhbk32.dll	Anbkipok.exe
File created	C:\Windows\SysWOW64\Akfkbd32.exe	Adlcfjgh.exe
File opened for modification	C:\Windows\SysWOW64\Abpcooea.exe	Akfkbd32.exe
File created	C:\Windows\SysWOW64\Cgaaah32.exe	Cepipm32.exe
File created	C:\Windows\SysWOW64\Dnpciaef.exe	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Cpqmndme.dll	Qeppdo32.exe
File created	C:\Windows\SysWOW64\Abpcooea.exe	Akfkbd32.exe
File created	C:\Windows\SysWOW64\Cmpgpond.exe	Cgaaah32.exe
File opened for modification	C:\Windows\SysWOW64\Achjibcl.exe	Ahbekjcf.exe
File created	C:\Windows\SysWOW64\Ahbekjcf.exe	Aaimopli.exe

Program crash 1 IoCs

pid	pid_target	Process
1464	1636	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apedah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Achjibcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgllgedi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adlcfjgh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepipm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qeppdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alqnah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anbkipok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnpciaef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20ff32369021e95c4c7be4ed67d66c818022119524a667a9ba443ae61a95c730.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpgpond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akfkbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abpcooea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaimopli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahbekjcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afffenbp.exe

Modifies registry class 54 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	20ff32369021e95c4c7be4ed67d66c818022119524a667a9ba443ae61a95c730.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoblpdnf.dll"	Afffenbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Achjibcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	20ff32369021e95c4c7be4ed67d66c818022119524a667a9ba443ae61a95c730.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maanne32.dll"	Aaimopli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkdhln32.dll"	Achjibcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Akfkbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgqdaoh.dll"	Bgllgedi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljamki32.dll"	20ff32369021e95c4c7be4ed67d66c818022119524a667a9ba443ae61a95c730.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Apedah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ahbekjcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anbkipok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Abpcooea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpqmndme.dll"	Qeppdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Alqnah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bodmepdn.dll"	Alqnah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qeppdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkppib32.dll"	Apedah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ahbekjcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnafi32.dll"	Akfkbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmiljc32.dll"	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aaimopli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	20ff32369021e95c4c7be4ed67d66c818022119524a667a9ba443ae61a95c730.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjmeignj.dll"	Abpcooea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qeppdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Akfkbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgllgedi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaqnpc32.dll"	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcaibd32.dll"	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	20ff32369021e95c4c7be4ed67d66c818022119524a667a9ba443ae61a95c730.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Apedah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afffenbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgllgedi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfhmmndi.dll"	Ahbekjcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiqhbk32.dll"	Anbkipok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Adlcfjgh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Abpcooea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Alqnah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cepipm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	20ff32369021e95c4c7be4ed67d66c818022119524a667a9ba443ae61a95c730.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aaimopli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Achjibcl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anbkipok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gggpgo32.dll"	Adlcfjgh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afffenbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Adlcfjgh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmpgpond.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 628 wrote to memory of 584	628	20ff32369021e95c4c7be4ed67d66c818022119524a667a9ba443ae61a95c730.exe	31
PID 628 wrote to memory of 584	628	20ff32369021e95c4c7be4ed67d66c818022119524a667a9ba443ae61a95c730.exe	31
PID 628 wrote to memory of 584	628	20ff32369021e95c4c7be4ed67d66c818022119524a667a9ba443ae61a95c730.exe	31
PID 628 wrote to memory of 584	628	20ff32369021e95c4c7be4ed67d66c818022119524a667a9ba443ae61a95c730.exe	31
PID 584 wrote to memory of 2800	584	Qeppdo32.exe	32
PID 584 wrote to memory of 2800	584	Qeppdo32.exe	32
PID 584 wrote to memory of 2800	584	Qeppdo32.exe	32
PID 584 wrote to memory of 2800	584	Qeppdo32.exe	32
PID 2800 wrote to memory of 2752	2800	Apedah32.exe	33
PID 2800 wrote to memory of 2752	2800	Apedah32.exe	33
PID 2800 wrote to memory of 2752	2800	Apedah32.exe	33
PID 2800 wrote to memory of 2752	2800	Apedah32.exe	33
PID 2752 wrote to memory of 2896	2752	Aaimopli.exe	34
PID 2752 wrote to memory of 2896	2752	Aaimopli.exe	34
PID 2752 wrote to memory of 2896	2752	Aaimopli.exe	34
PID 2752 wrote to memory of 2896	2752	Aaimopli.exe	34
PID 2896 wrote to memory of 2576	2896	Ahbekjcf.exe	35
PID 2896 wrote to memory of 2576	2896	Ahbekjcf.exe	35
PID 2896 wrote to memory of 2576	2896	Ahbekjcf.exe	35
PID 2896 wrote to memory of 2576	2896	Ahbekjcf.exe	35
PID 2576 wrote to memory of 2140	2576	Achjibcl.exe	36
PID 2576 wrote to memory of 2140	2576	Achjibcl.exe	36
PID 2576 wrote to memory of 2140	2576	Achjibcl.exe	36
PID 2576 wrote to memory of 2140	2576	Achjibcl.exe	36
PID 2140 wrote to memory of 2876	2140	Afffenbp.exe	37
PID 2140 wrote to memory of 2876	2140	Afffenbp.exe	37
PID 2140 wrote to memory of 2876	2140	Afffenbp.exe	37
PID 2140 wrote to memory of 2876	2140	Afffenbp.exe	37
PID 2876 wrote to memory of 3000	2876	Alqnah32.exe	38
PID 2876 wrote to memory of 3000	2876	Alqnah32.exe	38
PID 2876 wrote to memory of 3000	2876	Alqnah32.exe	38
PID 2876 wrote to memory of 3000	2876	Alqnah32.exe	38
PID 3000 wrote to memory of 1420	3000	Anbkipok.exe	39
PID 3000 wrote to memory of 1420	3000	Anbkipok.exe	39
PID 3000 wrote to memory of 1420	3000	Anbkipok.exe	39
PID 3000 wrote to memory of 1420	3000	Anbkipok.exe	39
PID 1420 wrote to memory of 1764	1420	Adlcfjgh.exe	40
PID 1420 wrote to memory of 1764	1420	Adlcfjgh.exe	40
PID 1420 wrote to memory of 1764	1420	Adlcfjgh.exe	40
PID 1420 wrote to memory of 1764	1420	Adlcfjgh.exe	40
PID 1764 wrote to memory of 668	1764	Akfkbd32.exe	41
PID 1764 wrote to memory of 668	1764	Akfkbd32.exe	41
PID 1764 wrote to memory of 668	1764	Akfkbd32.exe	41
PID 1764 wrote to memory of 668	1764	Akfkbd32.exe	41
PID 668 wrote to memory of 592	668	Abpcooea.exe	42
PID 668 wrote to memory of 592	668	Abpcooea.exe	42
PID 668 wrote to memory of 592	668	Abpcooea.exe	42
PID 668 wrote to memory of 592	668	Abpcooea.exe	42
PID 592 wrote to memory of 2392	592	Bgllgedi.exe	43
PID 592 wrote to memory of 2392	592	Bgllgedi.exe	43
PID 592 wrote to memory of 2392	592	Bgllgedi.exe	43
PID 592 wrote to memory of 2392	592	Bgllgedi.exe	43
PID 2392 wrote to memory of 2328	2392	Cepipm32.exe	44
PID 2392 wrote to memory of 2328	2392	Cepipm32.exe	44
PID 2392 wrote to memory of 2328	2392	Cepipm32.exe	44
PID 2392 wrote to memory of 2328	2392	Cepipm32.exe	44
PID 2328 wrote to memory of 2240	2328	Cgaaah32.exe	45
PID 2328 wrote to memory of 2240	2328	Cgaaah32.exe	45
PID 2328 wrote to memory of 2240	2328	Cgaaah32.exe	45
PID 2328 wrote to memory of 2240	2328	Cgaaah32.exe	45
PID 2240 wrote to memory of 2508	2240	Cmpgpond.exe	46
PID 2240 wrote to memory of 2508	2240	Cmpgpond.exe	46
PID 2240 wrote to memory of 2508	2240	Cmpgpond.exe	46
PID 2240 wrote to memory of 2508	2240	Cmpgpond.exe	46

C:\Users\Admin\AppData\Local\Temp\20ff32369021e95c4c7be4ed67d66c818022119524a667a9ba443ae61a95c730.exe
"C:\Users\Admin\AppData\Local\Temp\20ff32369021e95c4c7be4ed67d66c818022119524a667a9ba443ae61a95c730.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:628
- C:\Windows\SysWOW64\Qeppdo32.exe
  C:\Windows\system32\Qeppdo32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:584
- - C:\Windows\SysWOW64\Apedah32.exe
    C:\Windows\system32\Apedah32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\SysWOW64\Aaimopli.exe
      C:\Windows\system32\Aaimopli.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2752
    - - C:\Windows\SysWOW64\Ahbekjcf.exe
        
        C:\Windows\system32\Ahbekjcf.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2896
      - C:\Windows\SysWOW64\Achjibcl.exe
        
        C:\Windows\system32\Achjibcl.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\SysWOW64\Afffenbp.exe
        
        C:\Windows\system32\Afffenbp.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\SysWOW64\Alqnah32.exe
        
        C:\Windows\system32\Alqnah32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\SysWOW64\Anbkipok.exe
        
        C:\Windows\system32\Anbkipok.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\SysWOW64\Adlcfjgh.exe
        
        C:\Windows\system32\Adlcfjgh.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1420
        
        C:\Windows\SysWOW64\Akfkbd32.exe
        
        C:\Windows\system32\Akfkbd32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\SysWOW64\Abpcooea.exe
        
        C:\Windows\system32\Abpcooea.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:668
        
        C:\Windows\SysWOW64\Bgllgedi.exe
        
        C:\Windows\system32\Bgllgedi.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:592
        
        C:\Windows\SysWOW64\Cepipm32.exe
        
        C:\Windows\system32\Cepipm32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Cmpgpond.exe
        
        C:\Windows\system32\Cmpgpond.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\SysWOW64\Dnpciaef.exe
        
        C:\Windows\system32\Dnpciaef.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1636
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 144
        19⤵
        Loads dropped DLL
        Program crash
        
        PID:1464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaimopli.exe

Filesize
464KB

MD5
091ff2610200288f497f98fa2a0578eb

SHA1
3d42e7e80f596c7dfa1b2b93c2ae6c7bea9e755c

SHA256
65197d7b5ac34a659c8fdffd9d836acccd75d3708cab54cc7336fec1b0594681

SHA512
6e9c3c3af08e61cb701e80bbcb4ae36706cfc91436eceed2b8089072022a393ed519268c0447c4fe19a320aed029a4c500ac6d308990ffefd5b87a7bf228d20f

Download Submit
C:\Windows\SysWOW64\Abpcooea.exe

Filesize
464KB

MD5
2568d37c768566249f5835acb9d0ac08

SHA1
d18e4ad8cfbd9842eaf74c5ecee9a02d61ef4bcd

SHA256
e9422b4c239ebb820c551e6877fa46924c3d32c4d17a91ee7f83b2a0abb75c05

SHA512
ef2b386f64ab9b5ac09d4365b8c1818e5eac3127179a91886b01e9ab86d76e2823cf8125a87da45866c9c34b383017816df761a25aecd0b054d0885ade469342

Download Submit
C:\Windows\SysWOW64\Achjibcl.exe

Filesize
464KB

MD5
3a833b3080e398be0b65db0098bea26d

SHA1
c8d99ed1cbfef2af8db4de7028a8b8d9f629b68a

SHA256
f82a40b5ec6312fa6ae8ddb8913edaa0b40147e0a2c3dbf57a1537352659e41d

SHA512
6e7f289efbb8fa2c7352b44cb34e8b00f6d3018a7b3e24b8bf2ea7b53d2989b78dc82d5ff4161167b82323e87853a83cd31b9c344706a2f0bb0faba0202da784

Download Submit
C:\Windows\SysWOW64\Adlcfjgh.exe

Filesize
464KB

MD5
23070916d9dde2c505f84729632a6155

SHA1
b628fd333a1081722b173a81a59ef2f76d7f8b31

SHA256
f277a780d24e508aa6e9e2589b79f86d5ca0785350a48b8d45b5c9cc62adb080

SHA512
047e7c378d6f5cefa1f257f24c318d36e569562e53c001dbc80097f176f3de5667711e701139f08ccecab6bfd3e260a42aecd4a95bda7cc9a9f6aa0285d1207f

Download Submit
C:\Windows\SysWOW64\Afffenbp.exe

Filesize
464KB

MD5
84d9b25f0b7c8d509736f1db51a346dd

SHA1
027d57173e2cf0cf5b97a3327c514a914a968652

SHA256
ac47d6e3164bc7dcf2dbb5a3be90a6084333dc50be77bff402dfc519802294c3

SHA512
bd71441d04e8464ef56533567300ef705d4f436e262168886dac9bb7dbad6b4f0099066b1e0456e697d1c84f1ef7657aa6e2d9bae3a4e5efe1740b65d3cd2b4a

Download Submit
C:\Windows\SysWOW64\Ahbekjcf.exe

Filesize
464KB

MD5
7c140f716bb65e7f10bd9d841cf62453

SHA1
10ea8114e927c2ced93dd7ce137fbc5362d00106

SHA256
5a826ae758d2d2b45cfb84b58ce11d3d7a11c10c0e514c46a33a79915dd4014d

SHA512
c4b4aea95fb18af700c8816da5a32dee325f6db0248bdc7720cb1515e1448ea94cdb52d840def7bfb47306752d8e6ccfcadebfad8c3a6cadaf0b21c7a3e9c940

Download Submit
C:\Windows\SysWOW64\Akfkbd32.exe

Filesize
464KB

MD5
916c5cbf67919202c239d8a0f5fa9466

SHA1
40d64b3779cb6a24def8a322e806fcc0602d9108

SHA256
bcfe2cb33dfbd5b140939c714ea42a5c565e15af3fb19b0beafbe89e8f346830

SHA512
d85ab9472f051e5101d8ee083c57d920bf3ce191db89f28848466bfbe5ba072558e5227bdec6a894ba72e5306345eac48447601c82a4982127dd17e5a5a30f05

Download Submit
C:\Windows\SysWOW64\Alqnah32.exe

Filesize
464KB

MD5
883e5ee8fbc2d3a07d91ede75b747226

SHA1
4bf61ccc99683bedbf2967b601a0179d98da38a5

SHA256
336f96c74d80beade7dfca0ac4cf0743f8ff96f0cbae3a1d78cff81d418ed592

SHA512
bd045817ca49ccc8e0ecfa535fd5de0f4befae5453d6992d728ac83928504b1e6742ad2d874545b6fd4c6391c31f6783036ff3318399b6cc6fd5649b6e898542

Download Submit
C:\Windows\SysWOW64\Anbkipok.exe

Filesize
464KB

MD5
940f021eb3cf38fb0cb455d87367d745

SHA1
0395bdbffba2340af2aed9fb85b55fb97d26736c

SHA256
35fe8646c4e0d88deb6432886cf92c4c8a0fb66825f488bfbfdc65c61a07ef4e

SHA512
070520bb1f22b35af967b424153d78504769c5fe7ae43a67513ae81f2d49c28aecf099be25e18779d69c17f52d647725f3bd280d06307fd7d3c19dfc5de591d2

Download Submit
C:\Windows\SysWOW64\Cgaaah32.exe

Filesize
464KB

MD5
756492b55527895b10dc6c2184564a82

SHA1
e28b3c0c770d63092c2b2f22cf5d8231021ec3b2

SHA256
1a8a374fa926861b189e628e2161dd59a6006789ba947b62819df4afb0616d5b

SHA512
588bc02e3021a55c9504771d8eff107f27ee2a12d9fa0adbacce568cf9d4fbec84382a1d571c394f5cf663e1c993a5504a74f6cf57d6a85484a01c7f67d5bcab

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
464KB

MD5
486b1846fa0e30dca4f61381e77545e2

SHA1
3f19a2bac358b32b2b3ce926033bfb002b1b93b7

SHA256
2bec0a0a57e46f8fc88c5696b911f58d8aa2860deb8b22c03a630e76b0ca0b38

SHA512
744f11d178d0c6040ba1684ca2e685f617051bf90e51cf52faa3d05112c3d7bac103cafc909d50b96889e3ce8f46801237a69b47c399b6ca25a949dfbd90d918

Download Submit
C:\Windows\SysWOW64\Mfhmmndi.dll

Filesize
7KB

MD5
8a1a00e5e548f321dba472331e464bb7

SHA1
bace3a376fc9ef5621af3f35685d7117279a3469

SHA256
6e7d1cef26c13da08015568292093fbcf1c797c55711e463dd6de30b1934e3c9

SHA512
d1fdde7f489879a0f19d6fb92bca2f040527ec5d3144a209e846a791e7388538cf52a808ce717b93d6e5439221c1f5c97df1ed1b8896fad40cbb0e55236729b2

Download Submit
\Windows\SysWOW64\Apedah32.exe

Filesize
464KB

MD5
d8214a7c1cb8403dced5aac322cbbe4b

SHA1
8715736e1a2e1e51e28b18e1f4fd246b1d9c3cf2

SHA256
12ddba9ddbe6f16b2ea93dcce21e7e3c9be2eb502c3205949d4182aa633537f7

SHA512
d0d33e9610b0f0733082dd11a1431dfa8812e8dbde958eae93e121eb0255055b366d2b0b4e3406fef373c7ac476624e9904a0c64a2dec112a481cadd2504c2ec

Download Submit
\Windows\SysWOW64\Bgllgedi.exe

Filesize
464KB

MD5
1fd0ec0c1158abaa3a804d47c4dab468

SHA1
9e75e830e202360e64d865b7d8c0c5c2ca05c6fa

SHA256
972802e58b4ce2ed4445fc887a10b02b941d9674ad3155904896719cf2b0f1ee

SHA512
61bd2f2e892433b1f2539e69d3ca7e56cb2bf779ca419b5d895799b375921558f354e99f96351edee29f8c92e0c90e5190120dcacaf81877625cde10fbf744ec

Download Submit
\Windows\SysWOW64\Cepipm32.exe

Filesize
464KB

MD5
4a53b915854dab11bfb42b7adc1af7d1

SHA1
4c3557eccbadedb176320723b6c4e33841e8c2c3

SHA256
efb528e2e00470acf2b5aef352a508ebcb99392191d0052a20d5e64c19f7aa56

SHA512
37da40ee5a1e43dcd84257bb260a9bd764477ade2f6e556b228ae62f87801eb8234a28935496b6e6995770467731506ef36afa28bbbf724dffdd5b13df429377

Download Submit
\Windows\SysWOW64\Cmpgpond.exe

Filesize
464KB

MD5
f4ec5140706f7daed40d0217f7ff8946

SHA1
90a83bc3e8d04b21e6614632cacb97c82d172bfe

SHA256
76d8dbc9a69d8a6397326093dd4f042ff461a43d1ce573eaa016145a8eef693c

SHA512
acda599b9bcc18e04da84ca67a78c8c279b675b3db0048f157684e1e3ef0915fae69330c030c87e4c18bf72e6eb3451124d36e61c4e0dffc49079068055942b4

Download Submit
\Windows\SysWOW64\Dnpciaef.exe

Filesize
464KB

MD5
437969fbaeb60a393bb10c164c0becff

SHA1
44f3eff4a2c6a7e9b1a7ef1b4c3ace176b86a65c

SHA256
50da66829a21f12e81b86d47b3559588e337510b81daac94e35734e414f4f689

SHA512
2032c15d3a2d2942d9db0d5f9ba59c72cd09c8658cebcc5aa026371146ae966f3d36661e7b7187d77cad613385c2ebd5aca40ba12bf08c1cd970fd35d879df42

Download Submit
\Windows\SysWOW64\Qeppdo32.exe

Filesize
464KB

MD5
5300597871409cc249cfa0c1a85d4392

SHA1
9b355974f144c6f2ba2c6078857d9e6d9a95c05d

SHA256
0bc48f3a1570c6301223709db7bc6ac58c155fa070a0fae029da3a1a5cfea5bc

SHA512
f2d86760d09126aeb807abbce588bebecb696b6c6ac9cbb5961805b9e1db71da2fe248c4ad686456fe9978d9e9a8cedfc79dc66c6a20f583339c91b82a502cea

Download Submit
memory/584-24-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/584-15-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/584-253-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/592-180-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/592-168-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/592-247-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/628-12-0x0000000000470000-0x00000000004A6000-memory.dmp

Filesize
216KB

Download
memory/628-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/628-13-0x0000000000470000-0x00000000004A6000-memory.dmp

Filesize
216KB

Download
memory/628-252-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/668-155-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/668-246-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/668-162-0x0000000000260000-0x0000000000296000-memory.dmp

Filesize
216KB

Download
memory/1420-140-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/1420-244-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1420-127-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1636-249-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1636-236-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1764-141-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1764-154-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1764-250-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2140-88-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2140-98-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2140-245-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2240-240-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2240-220-0x00000000002E0000-0x0000000000316000-memory.dmp

Filesize
216KB

Download
memory/2240-211-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2328-242-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2328-197-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2328-209-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2392-196-0x0000000000350000-0x0000000000386000-memory.dmp

Filesize
216KB

Download
memory/2392-195-0x0000000000350000-0x0000000000386000-memory.dmp

Filesize
216KB

Download
memory/2392-241-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2392-182-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2508-239-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2508-235-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2508-230-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2576-248-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2576-84-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/2576-71-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2752-46-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2752-251-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2752-60-0x00000000002F0000-0x0000000000326000-memory.dmp

Filesize
216KB

Download
memory/2800-28-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2800-45-0x0000000000280000-0x00000000002B6000-memory.dmp

Filesize
216KB

Download
memory/2800-254-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2876-243-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2876-99-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2876-115-0x00000000002F0000-0x0000000000326000-memory.dmp

Filesize
216KB

Download
memory/2896-61-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2896-70-0x0000000000260000-0x0000000000296000-memory.dmp

Filesize
216KB

Download
memory/3000-117-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3000-126-0x0000000000290000-0x00000000002C6000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads