berbew | e6ab7935affa9ef194967c7aeaf4ffbaf8363692932c2d943f6b3095837cb85e

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/12/2024, 04:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6ab7935affa9ef194967c7aeaf4ffbaf8363692932c2d943f6b3095837cb85e.exe
Size

67KB
MD5

a640bf84bf580ca26f58586ccccf3351
SHA1

aaa9e9d032cab85806fcf1f97bb6ee54e6bd2048
SHA256

e6ab7935affa9ef194967c7aeaf4ffbaf8363692932c2d943f6b3095837cb85e
SHA512

33f4469950fd1c929455f8584b8c0180c41cf80a20bea25738419398ffc225ec42ebfd3da4863873bd81a057ed658f76f35ba29f08ff89820be8d2933ecce084
SSDEEP

1536:cwAxMEPT1/eCoTHJc+Gy0XgtY/sJifTduD4oTxwB:cwPEPT1/HOp5fg/sJibdMTxwB

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahebaiac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahebaiac.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfioia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cepipm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdeqfhjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkcbnanl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Achjibcl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adlcfjgh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdcifi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqijljfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkcbnanl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pojecajj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkaehb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjklenpa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aohdmdoh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anbkipok.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcogbdkg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Achjibcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bccmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cebeem32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qndkpmkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajpepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adlcfjgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Coacbfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcachc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bccmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjklenpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aohdmdoh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjonncab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaimopli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkjdndjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjpaop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Coacbfii.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkjdndjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdjjag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcogbdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Allefimb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaimopli.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajpepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhjlli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e6ab7935affa9ef194967c7aeaf4ffbaf8363692932c2d943f6b3095837cb85e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anbkipok.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhjlli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdcifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcbhd32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 49 IoCs

pid	Process
2172	Pdeqfhjd.exe
2636	Pojecajj.exe
3068	Pdgmlhha.exe
2840	Pkaehb32.exe
2928	Pdjjag32.exe
2724	Pkcbnanl.exe
2628	Qcogbdkg.exe
620	Qndkpmkm.exe
680	Qcachc32.exe
872	Qjklenpa.exe
1496	Aohdmdoh.exe
1716	Allefimb.exe
1280	Aaimopli.exe
2392	Ajpepm32.exe
2248	Achjibcl.exe
1600	Ahebaiac.exe
900	Anbkipok.exe
1516	Adlcfjgh.exe
572	Abpcooea.exe
1740	Bhjlli32.exe
3064	Bccmmf32.exe
1572	Bkjdndjo.exe
2044	Bdcifi32.exe
2236	Bjpaop32.exe
2828	Bqijljfd.exe
2564	Bgcbhd32.exe
2580	Bqlfaj32.exe
2552	Bfioia32.exe
1964	Coacbfii.exe
2016	Cfkloq32.exe
1820	Cmedlk32.exe
1640	Cnfqccna.exe
536	Cepipm32.exe
1400	Cgoelh32.exe
1920	Cpfmmf32.exe
2196	Cbdiia32.exe
2644	Cebeem32.exe
1328	Cinafkkd.exe
1256	Cjonncab.exe
1680	Cnkjnb32.exe
1968	Caifjn32.exe
632	Cchbgi32.exe
2300	Clojhf32.exe
1448	Cmpgpond.exe
2504	Cegoqlof.exe
2916	Cgfkmgnj.exe
2808	Djdgic32.exe
2688	Dnpciaef.exe
2752	Dpapaj32.exe

Loads dropped DLL 64 IoCs

pid	Process
2452	e6ab7935affa9ef194967c7aeaf4ffbaf8363692932c2d943f6b3095837cb85e.exe
2452	e6ab7935affa9ef194967c7aeaf4ffbaf8363692932c2d943f6b3095837cb85e.exe
2172	Pdeqfhjd.exe
2172	Pdeqfhjd.exe
2636	Pojecajj.exe
2636	Pojecajj.exe
3068	Pdgmlhha.exe
3068	Pdgmlhha.exe
2840	Pkaehb32.exe
2840	Pkaehb32.exe
2928	Pdjjag32.exe
2928	Pdjjag32.exe
2724	Pkcbnanl.exe
2724	Pkcbnanl.exe
2628	Qcogbdkg.exe
2628	Qcogbdkg.exe
620	Qndkpmkm.exe
620	Qndkpmkm.exe
680	Qcachc32.exe
680	Qcachc32.exe
872	Qjklenpa.exe
872	Qjklenpa.exe
1496	Aohdmdoh.exe
1496	Aohdmdoh.exe
1716	Allefimb.exe
1716	Allefimb.exe
1280	Aaimopli.exe
1280	Aaimopli.exe
2392	Ajpepm32.exe
2392	Ajpepm32.exe
2248	Achjibcl.exe
2248	Achjibcl.exe
1600	Ahebaiac.exe
1600	Ahebaiac.exe
900	Anbkipok.exe
900	Anbkipok.exe
1516	Adlcfjgh.exe
1516	Adlcfjgh.exe
572	Abpcooea.exe
572	Abpcooea.exe
1740	Bhjlli32.exe
1740	Bhjlli32.exe
3064	Bccmmf32.exe
3064	Bccmmf32.exe
1572	Bkjdndjo.exe
1572	Bkjdndjo.exe
2044	Bdcifi32.exe
2044	Bdcifi32.exe
2236	Bjpaop32.exe
2236	Bjpaop32.exe
2828	Bqijljfd.exe
2828	Bqijljfd.exe
2564	Bgcbhd32.exe
2564	Bgcbhd32.exe
2580	Bqlfaj32.exe
2580	Bqlfaj32.exe
2552	Bfioia32.exe
2552	Bfioia32.exe
1964	Coacbfii.exe
1964	Coacbfii.exe
2016	Cfkloq32.exe
2016	Cfkloq32.exe
1820	Cmedlk32.exe
1820	Cmedlk32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Pkcbnanl.exe	Pdjjag32.exe
File created	C:\Windows\SysWOW64\Cceell32.dll	Qcachc32.exe
File created	C:\Windows\SysWOW64\Oaoplfhc.dll	Bkjdndjo.exe
File created	C:\Windows\SysWOW64\Lloeec32.dll	Bqlfaj32.exe
File created	C:\Windows\SysWOW64\Ogdjhp32.dll	Bfioia32.exe
File created	C:\Windows\SysWOW64\Gmoloenf.dll	e6ab7935affa9ef194967c7aeaf4ffbaf8363692932c2d943f6b3095837cb85e.exe
File created	C:\Windows\SysWOW64\Mdhpmg32.dll	Pojecajj.exe
File created	C:\Windows\SysWOW64\Fhgpia32.dll	Cpfmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Cebeem32.exe	Cbdiia32.exe
File created	C:\Windows\SysWOW64\Cmpgpond.exe	Clojhf32.exe
File created	C:\Windows\SysWOW64\Ahebaiac.exe	Achjibcl.exe
File opened for modification	C:\Windows\SysWOW64\Bkjdndjo.exe	Bccmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Bgcbhd32.exe	Bqijljfd.exe
File created	C:\Windows\SysWOW64\Cinafkkd.exe	Cebeem32.exe
File created	C:\Windows\SysWOW64\Pkaehb32.exe	Pdgmlhha.exe
File created	C:\Windows\SysWOW64\Anbkipok.exe	Ahebaiac.exe
File created	C:\Windows\SysWOW64\Hpqnnmcd.dll	Abpcooea.exe
File opened for modification	C:\Windows\SysWOW64\Coacbfii.exe	Bfioia32.exe
File created	C:\Windows\SysWOW64\Dnpciaef.exe	Djdgic32.exe
File opened for modification	C:\Windows\SysWOW64\Qcogbdkg.exe	Pkcbnanl.exe
File created	C:\Windows\SysWOW64\Bhjlli32.exe	Abpcooea.exe
File opened for modification	C:\Windows\SysWOW64\Cfkloq32.exe	Coacbfii.exe
File created	C:\Windows\SysWOW64\Clojhf32.exe	Cchbgi32.exe
File opened for modification	C:\Windows\SysWOW64\Clojhf32.exe	Cchbgi32.exe
File created	C:\Windows\SysWOW64\Djdgic32.exe	Cgfkmgnj.exe
File opened for modification	C:\Windows\SysWOW64\Pojecajj.exe	Pdeqfhjd.exe
File created	C:\Windows\SysWOW64\Mfhmmndi.dll	Ajpepm32.exe
File created	C:\Windows\SysWOW64\Abpcooea.exe	Adlcfjgh.exe
File created	C:\Windows\SysWOW64\Cnfqccna.exe	Cmedlk32.exe
File created	C:\Windows\SysWOW64\Kqcjjk32.dll	Pkaehb32.exe
File created	C:\Windows\SysWOW64\Imafcg32.dll	Qjklenpa.exe
File created	C:\Windows\SysWOW64\Allefimb.exe	Aohdmdoh.exe
File created	C:\Windows\SysWOW64\Gdgqdaoh.dll	Cnfqccna.exe
File created	C:\Windows\SysWOW64\Jidmcq32.dll	Cepipm32.exe
File created	C:\Windows\SysWOW64\Efeckm32.dll	Cchbgi32.exe
File opened for modification	C:\Windows\SysWOW64\Cmpgpond.exe	Clojhf32.exe
File created	C:\Windows\SysWOW64\Bifbbocj.dll	Bhjlli32.exe
File created	C:\Windows\SysWOW64\Bkjdndjo.exe	Bccmmf32.exe
File created	C:\Windows\SysWOW64\Pdeqfhjd.exe	e6ab7935affa9ef194967c7aeaf4ffbaf8363692932c2d943f6b3095837cb85e.exe
File created	C:\Windows\SysWOW64\Lkknbejg.dll	Bccmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Bdcifi32.exe	Bkjdndjo.exe
File created	C:\Windows\SysWOW64\Bqlfaj32.exe	Bgcbhd32.exe
File opened for modification	C:\Windows\SysWOW64\Bfioia32.exe	Bqlfaj32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dnpciaef.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dnpciaef.exe
File opened for modification	C:\Windows\SysWOW64\Allefimb.exe	Aohdmdoh.exe
File opened for modification	C:\Windows\SysWOW64\Achjibcl.exe	Ajpepm32.exe
File created	C:\Windows\SysWOW64\Bodmepdn.dll	Ahebaiac.exe
File opened for modification	C:\Windows\SysWOW64\Bqlfaj32.exe	Bgcbhd32.exe
File created	C:\Windows\SysWOW64\Lmajfk32.dll	Cfkloq32.exe
File created	C:\Windows\SysWOW64\Cnkjnb32.exe	Cjonncab.exe
File created	C:\Windows\SysWOW64\Peblpbgn.dll	Pkcbnanl.exe
File created	C:\Windows\SysWOW64\Adlcfjgh.exe	Anbkipok.exe
File created	C:\Windows\SysWOW64\Dfefmpeo.dll	Bqijljfd.exe
File opened for modification	C:\Windows\SysWOW64\Cpfmmf32.exe	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Nloone32.dll	Cmpgpond.exe
File opened for modification	C:\Windows\SysWOW64\Pdeqfhjd.exe	e6ab7935affa9ef194967c7aeaf4ffbaf8363692932c2d943f6b3095837cb85e.exe
File created	C:\Windows\SysWOW64\Ajpepm32.exe	Aaimopli.exe
File created	C:\Windows\SysWOW64\Hdaehcom.dll	Aaimopli.exe
File opened for modification	C:\Windows\SysWOW64\Anbkipok.exe	Ahebaiac.exe
File created	C:\Windows\SysWOW64\Bdcifi32.exe	Bkjdndjo.exe
File created	C:\Windows\SysWOW64\Fnpeed32.dll	Cmedlk32.exe
File created	C:\Windows\SysWOW64\Cepipm32.exe	Cnfqccna.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32†Dcllbhdn.¿xe	Dpapaj32.exe
File opened for modification	C:\Windows\system32†Dcllbhdn.¿xe	Dpapaj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2612	2752	WerFault.exe	79

System Location Discovery: System Language Discovery 1 TTPs 50 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cebeem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkjnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnpciaef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinafkkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caifjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpgpond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkcbnanl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahebaiac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bccmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcbhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepipm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkaehb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aohdmdoh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adlcfjgh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clojhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfioia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmedlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnfqccna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pojecajj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Allefimb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abpcooea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjpaop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqijljfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfkmgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e6ab7935affa9ef194967c7aeaf4ffbaf8363692932c2d943f6b3095837cb85e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdeqfhjd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcachc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaimopli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Achjibcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdjjag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qndkpmkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anbkipok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhjlli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfkloq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdiia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegoqlof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdgmlhha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajpepm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkjdndjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqlfaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cchbgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcogbdkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjklenpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdcifi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coacbfii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjonncab.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qcogbdkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahebaiac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adlcfjgh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjpaop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiqhbk32.dll"	Anbkipok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abpcooea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfqgfg32.dll"	Qcogbdkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhgpia32.dll"	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jidmcq32.dll"	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anbkipok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmgbdm32.dll"	Pdeqfhjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pojecajj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qndkpmkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qndkpmkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdaehcom.dll"	Aaimopli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdoaqh32.dll"	Aohdmdoh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhjlli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnpeed32.dll"	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qcachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmajfk32.dll"	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmiljc32.dll"	Djdgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bqijljfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcaibd32.dll"	Clojhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	e6ab7935affa9ef194967c7aeaf4ffbaf8363692932c2d943f6b3095837cb85e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bodmepdn.dll"	Ahebaiac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdpkangm.dll"	Bdcifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdcifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnbkfl32.dll"	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aaimopli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Achjibcl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdeqfhjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cceell32.dll"	Qcachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkppib32.dll"	Allefimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajpepm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Achjibcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkknbejg.dll"	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgqdaoh.dll"	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepejpil.dll"	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imafcg32.dll"	Qjklenpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahebaiac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adlcfjgh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpmahlfd.dll"	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	e6ab7935affa9ef194967c7aeaf4ffbaf8363692932c2d943f6b3095837cb85e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqcjjk32.dll"	Pkaehb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdjjag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pkcbnanl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 2172	2452	e6ab7935affa9ef194967c7aeaf4ffbaf8363692932c2d943f6b3095837cb85e.exe	31
PID 2452 wrote to memory of 2172	2452	e6ab7935affa9ef194967c7aeaf4ffbaf8363692932c2d943f6b3095837cb85e.exe	31
PID 2452 wrote to memory of 2172	2452	e6ab7935affa9ef194967c7aeaf4ffbaf8363692932c2d943f6b3095837cb85e.exe	31
PID 2452 wrote to memory of 2172	2452	e6ab7935affa9ef194967c7aeaf4ffbaf8363692932c2d943f6b3095837cb85e.exe	31
PID 2172 wrote to memory of 2636	2172	Pdeqfhjd.exe	32
PID 2172 wrote to memory of 2636	2172	Pdeqfhjd.exe	32
PID 2172 wrote to memory of 2636	2172	Pdeqfhjd.exe	32
PID 2172 wrote to memory of 2636	2172	Pdeqfhjd.exe	32
PID 2636 wrote to memory of 3068	2636	Pojecajj.exe	33
PID 2636 wrote to memory of 3068	2636	Pojecajj.exe	33
PID 2636 wrote to memory of 3068	2636	Pojecajj.exe	33
PID 2636 wrote to memory of 3068	2636	Pojecajj.exe	33
PID 3068 wrote to memory of 2840	3068	Pdgmlhha.exe	34
PID 3068 wrote to memory of 2840	3068	Pdgmlhha.exe	34
PID 3068 wrote to memory of 2840	3068	Pdgmlhha.exe	34
PID 3068 wrote to memory of 2840	3068	Pdgmlhha.exe	34
PID 2840 wrote to memory of 2928	2840	Pkaehb32.exe	35
PID 2840 wrote to memory of 2928	2840	Pkaehb32.exe	35
PID 2840 wrote to memory of 2928	2840	Pkaehb32.exe	35
PID 2840 wrote to memory of 2928	2840	Pkaehb32.exe	35
PID 2928 wrote to memory of 2724	2928	Pdjjag32.exe	36
PID 2928 wrote to memory of 2724	2928	Pdjjag32.exe	36
PID 2928 wrote to memory of 2724	2928	Pdjjag32.exe	36
PID 2928 wrote to memory of 2724	2928	Pdjjag32.exe	36
PID 2724 wrote to memory of 2628	2724	Pkcbnanl.exe	37
PID 2724 wrote to memory of 2628	2724	Pkcbnanl.exe	37
PID 2724 wrote to memory of 2628	2724	Pkcbnanl.exe	37
PID 2724 wrote to memory of 2628	2724	Pkcbnanl.exe	37
PID 2628 wrote to memory of 620	2628	Qcogbdkg.exe	38
PID 2628 wrote to memory of 620	2628	Qcogbdkg.exe	38
PID 2628 wrote to memory of 620	2628	Qcogbdkg.exe	38
PID 2628 wrote to memory of 620	2628	Qcogbdkg.exe	38
PID 620 wrote to memory of 680	620	Qndkpmkm.exe	39
PID 620 wrote to memory of 680	620	Qndkpmkm.exe	39
PID 620 wrote to memory of 680	620	Qndkpmkm.exe	39
PID 620 wrote to memory of 680	620	Qndkpmkm.exe	39
PID 680 wrote to memory of 872	680	Qcachc32.exe	40
PID 680 wrote to memory of 872	680	Qcachc32.exe	40
PID 680 wrote to memory of 872	680	Qcachc32.exe	40
PID 680 wrote to memory of 872	680	Qcachc32.exe	40
PID 872 wrote to memory of 1496	872	Qjklenpa.exe	41
PID 872 wrote to memory of 1496	872	Qjklenpa.exe	41
PID 872 wrote to memory of 1496	872	Qjklenpa.exe	41
PID 872 wrote to memory of 1496	872	Qjklenpa.exe	41
PID 1496 wrote to memory of 1716	1496	Aohdmdoh.exe	42
PID 1496 wrote to memory of 1716	1496	Aohdmdoh.exe	42
PID 1496 wrote to memory of 1716	1496	Aohdmdoh.exe	42
PID 1496 wrote to memory of 1716	1496	Aohdmdoh.exe	42
PID 1716 wrote to memory of 1280	1716	Allefimb.exe	43
PID 1716 wrote to memory of 1280	1716	Allefimb.exe	43
PID 1716 wrote to memory of 1280	1716	Allefimb.exe	43
PID 1716 wrote to memory of 1280	1716	Allefimb.exe	43
PID 1280 wrote to memory of 2392	1280	Aaimopli.exe	44
PID 1280 wrote to memory of 2392	1280	Aaimopli.exe	44
PID 1280 wrote to memory of 2392	1280	Aaimopli.exe	44
PID 1280 wrote to memory of 2392	1280	Aaimopli.exe	44
PID 2392 wrote to memory of 2248	2392	Ajpepm32.exe	45
PID 2392 wrote to memory of 2248	2392	Ajpepm32.exe	45
PID 2392 wrote to memory of 2248	2392	Ajpepm32.exe	45
PID 2392 wrote to memory of 2248	2392	Ajpepm32.exe	45
PID 2248 wrote to memory of 1600	2248	Achjibcl.exe	46
PID 2248 wrote to memory of 1600	2248	Achjibcl.exe	46
PID 2248 wrote to memory of 1600	2248	Achjibcl.exe	46
PID 2248 wrote to memory of 1600	2248	Achjibcl.exe	46

C:\Users\Admin\AppData\Local\Temp\e6ab7935affa9ef194967c7aeaf4ffbaf8363692932c2d943f6b3095837cb85e.exe
"C:\Users\Admin\AppData\Local\Temp\e6ab7935affa9ef194967c7aeaf4ffbaf8363692932c2d943f6b3095837cb85e.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Windows\SysWOW64\Pdeqfhjd.exe
  C:\Windows\system32\Pdeqfhjd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\SysWOW64\Pojecajj.exe
    C:\Windows\system32\Pojecajj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Windows\SysWOW64\Pdgmlhha.exe
      C:\Windows\system32\Pdgmlhha.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3068
    - - C:\Windows\SysWOW64\Pkaehb32.exe
        
        C:\Windows\system32\Pkaehb32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2840
      - C:\Windows\SysWOW64\Pdjjag32.exe
        
        C:\Windows\system32\Pdjjag32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\SysWOW64\Pkcbnanl.exe
        
        C:\Windows\system32\Pkcbnanl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\SysWOW64\Qcogbdkg.exe
        
        C:\Windows\system32\Qcogbdkg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\Qndkpmkm.exe
        
        C:\Windows\system32\Qndkpmkm.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:620
        
        C:\Windows\SysWOW64\Qcachc32.exe
        
        C:\Windows\system32\Qcachc32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:680
        
        C:\Windows\SysWOW64\Qjklenpa.exe
        
        C:\Windows\system32\Qjklenpa.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\SysWOW64\Aohdmdoh.exe
        
        C:\Windows\system32\Aohdmdoh.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\SysWOW64\Allefimb.exe
        
        C:\Windows\system32\Allefimb.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\SysWOW64\Aaimopli.exe
        
        C:\Windows\system32\Aaimopli.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1280
        
        C:\Windows\SysWOW64\Ajpepm32.exe
        
        C:\Windows\system32\Ajpepm32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\SysWOW64\Achjibcl.exe
        
        C:\Windows\system32\Achjibcl.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\SysWOW64\Ahebaiac.exe
        
        C:\Windows\system32\Ahebaiac.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Anbkipok.exe
        
        C:\Windows\system32\Anbkipok.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:900
        
        C:\Windows\SysWOW64\Adlcfjgh.exe
        
        C:\Windows\system32\Adlcfjgh.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Abpcooea.exe
        
        C:\Windows\system32\Abpcooea.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:572
        
        C:\Windows\SysWOW64\Bhjlli32.exe
        
        C:\Windows\system32\Bhjlli32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1740
        
        C:\Windows\SysWOW64\Bccmmf32.exe
        
        C:\Windows\system32\Bccmmf32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Bkjdndjo.exe
        
        C:\Windows\system32\Bkjdndjo.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1572
        
        C:\Windows\SysWOW64\Bdcifi32.exe
        
        C:\Windows\system32\Bdcifi32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\Bjpaop32.exe
        
        C:\Windows\system32\Bjpaop32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Bqijljfd.exe
        
        C:\Windows\system32\Bqijljfd.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2828
        
        C:\Windows\SysWOW64\Bgcbhd32.exe
        
        C:\Windows\system32\Bgcbhd32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2564
        
        C:\Windows\SysWOW64\Bqlfaj32.exe
        
        C:\Windows\system32\Bqlfaj32.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        C:\Windows\SysWOW64\Bfioia32.exe
        
        C:\Windows\system32\Bfioia32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2552
        
        C:\Windows\SysWOW64\Coacbfii.exe
        
        C:\Windows\system32\Coacbfii.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1964
        
        C:\Windows\SysWOW64\Cfkloq32.exe
        
        C:\Windows\system32\Cfkloq32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\Cmedlk32.exe
        
        C:\Windows\system32\Cmedlk32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1820
        
        C:\Windows\SysWOW64\Cnfqccna.exe
        
        C:\Windows\system32\Cnfqccna.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Cepipm32.exe
        
        C:\Windows\system32\Cepipm32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:536
        
        C:\Windows\SysWOW64\Cgoelh32.exe
        
        C:\Windows\system32\Cgoelh32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1400
        
        C:\Windows\SysWOW64\Cpfmmf32.exe
        
        C:\Windows\system32\Cpfmmf32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Cbdiia32.exe
        
        C:\Windows\system32\Cbdiia32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2196
        
        C:\Windows\SysWOW64\Cebeem32.exe
        
        C:\Windows\system32\Cebeem32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2644
        
        C:\Windows\SysWOW64\Cinafkkd.exe
        
        C:\Windows\system32\Cinafkkd.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1328
        
        C:\Windows\SysWOW64\Cjonncab.exe
        
        C:\Windows\system32\Cjonncab.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1256
        
        C:\Windows\SysWOW64\Cnkjnb32.exe
        
        C:\Windows\system32\Cnkjnb32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1968
        
        C:\Windows\SysWOW64\Cchbgi32.exe
        
        C:\Windows\system32\Cchbgi32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:632
        
        C:\Windows\SysWOW64\Clojhf32.exe
        
        C:\Windows\system32\Clojhf32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2300
        
        C:\Windows\SysWOW64\Cmpgpond.exe
        
        C:\Windows\system32\Cmpgpond.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1448
        
        C:\Windows\SysWOW64\Cegoqlof.exe
        
        C:\Windows\system32\Cegoqlof.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2504
        
        C:\Windows\SysWOW64\Cgfkmgnj.exe
        
        C:\Windows\system32\Cgfkmgnj.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2916
        
        C:\Windows\SysWOW64\Djdgic32.exe
        
        C:\Windows\system32\Djdgic32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2808
        
        C:\Windows\SysWOW64\Dnpciaef.exe
        
        C:\Windows\system32\Dnpciaef.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        50⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2752
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 144
        51⤵
        Program crash
        
        PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abpcooea.exe

Filesize
67KB

MD5
cccb2885e79be5e272269998aba6aa33

SHA1
cdbcf86846c67263eb98bc3742532127e333bc4d

SHA256
3ca17a71bd6670a509cf2a76c1938d275efaca192ac9fa216b5ab8ee26ec1fd6

SHA512
524065b10ba2d6127291b73807733e231feb5b6f409fc7ee9a59df0428ad4e21bcc6f1c1e644509009f9a9e1822d9f2237f4d35428e527138a709aaab61ed7a4

Download Submit
C:\Windows\SysWOW64\Adlcfjgh.exe

Filesize
67KB

MD5
346c8bec254ce2ec3792a0b6d79a4900

SHA1
0fd0b722ebfd1fe7e601c2f419c93f4f4acd07c3

SHA256
c15644cd0c43f4670811e4b3d0f19560e41725be074fe5922500fe0c0d1c106c

SHA512
bd0d9d37ed45c004638f2a6e6d237ddae76ed2f9c9bffeea4a7bfe718b4da55a11afeb281b2fbc64bfbc90eade0782a536ed0c1e207964ff773858535a024754

Download Submit
C:\Windows\SysWOW64\Anbkipok.exe

Filesize
67KB

MD5
9220f3fdfeb16a154d199a7780358a58

SHA1
ed73212c5630c7c5cf07e5c103db6846b6cef47e

SHA256
bdc73f06bdb194e2ed28d38bde542d3081fd7d1770dd5aea2ef4a9883ebad2c7

SHA512
3687c1985ae427c143bd82e4bc1bab97f7b2ba47d97e93d01d4faa9b5ea8486f08d2674c165348c807fda3e2f2eade51368db194e333d5859c45038aa327f3e1

Download Submit
C:\Windows\SysWOW64\Bccmmf32.exe

Filesize
67KB

MD5
5c806ee8b73d96cab29d7c6cde30dcb9

SHA1
fc0f0481297b7ee7750c9a42eea16a513764adcf

SHA256
67074025605498dacfbdc50aa1d862cf34d4807bc033a6f7e60f59a2d35fc71f

SHA512
c3a3102b5bcd388386d121ded69df8821d37f2c597f8c385a216ccb9d4709421ffd5c8ffd636edda6061057ada43ef7ed8cb755dc4c8024365d80c5757c1d382

Download Submit
C:\Windows\SysWOW64\Bdcifi32.exe

Filesize
67KB

MD5
47ee4513dd6c6426db1a81894b014a73

SHA1
32a77bde77540fa2ecc81c9f746605425788f013

SHA256
19ae62d2afa2a087495d5d07035494735030ca2d2619dd12ff1e33ec8c1ec49c

SHA512
9306e339e3b30a87176a3d347bfc10952df23b10f7b60a136aa9b8ea80a7857e8622075de2dc49f39b4ed893cc43aa37506eff1cf83b718125749aad67322b5e

Download Submit
C:\Windows\SysWOW64\Bfioia32.exe

Filesize
67KB

MD5
ccfd6d082591ef29ecff8998c04cf355

SHA1
d4a18a1565014cd986fa9d53dfd04da2d0034e33

SHA256
be6d0f93cf9c5c878215358dede164a9cf591f80831658cec72bbb03d60fcef7

SHA512
d2118b5d1274dcca55fbdf8e70b34ef498791f5e197bb8024f03f76be46eb9645f5c7b42c1908fdbc25cb61ef5af3e85f7ff48c61b49fec393f8252347a05a9f

Download Submit
C:\Windows\SysWOW64\Bgcbhd32.exe

Filesize
67KB

MD5
84e2c662407917ba46362410470c8630

SHA1
cbd0e52ee3090881a241db2030d99babb8c12ad5

SHA256
2a25c95ded9b75ecd6a4ed61b23bd6751606ea3a52c05ffd681e882888577a9c

SHA512
6e7622a39107e643739d65f76bb5c9500b69939dda7a5bf319321207687479b3440e287c96db570f254d8360d70c63494e6d975ed5a30a05e4df15374d6b707b

Download Submit
C:\Windows\SysWOW64\Bhjlli32.exe

Filesize
67KB

MD5
132ea3b68766efea36afa3d1f740fdb6

SHA1
44a42dc9f7a17942de99df189e06ba5ee22ef731

SHA256
3e856987ea0e60324b37e5fe5d556fd7d691f50ff151e3190cbf55fc672d624b

SHA512
03cf719a850dcf876ed7396ea453ac1be862740a3919c5ce79f553885f2bff6b90896a8bbb6a5f38cbc0f54e36e2da95c64aee46a88f4b415b1cb9c4e5dd0a9e

Download Submit
C:\Windows\SysWOW64\Bjpaop32.exe

Filesize
67KB

MD5
47abba0cc38007d842d2add2e998a2ff

SHA1
1d19186711474b7ab0ea7b24783a72d821e60d78

SHA256
bbc730655e54ae8fba97b468d3ac92022e05e5d246af72d33769326b21290f70

SHA512
cd4978b424c913561bfb580bf6338c6adaa1e359894bb7e509134c20bd5bad97c728dcf5e5ff56957f48cc92591238f38f19c5aa338f3563247a703e7bd93eff

Download Submit
C:\Windows\SysWOW64\Bkjdndjo.exe

Filesize
67KB

MD5
01562d5c02a306a0f942c41fcc6f420e

SHA1
788266d5da57de5859986b076ffad5c136b29983

SHA256
d97d068100f1d3588f78e341014ef2d3fa8dec4bf708cb02aa58bddde27df703

SHA512
80dc5b49ebb6af64fb36864ac813aa5bdd0280cd8205e0360fd39a42e011a3c63bb797bfe4b3ba46d5a108ac64602465b9a26095ec464af841ff2996b91a8df9

Download Submit
C:\Windows\SysWOW64\Bqijljfd.exe

Filesize
67KB

MD5
993b52e50ad12754b9d4115db888b432

SHA1
2a2dc634375d5bb0a1ae9da62cad3b8eaf8162c4

SHA256
01c3b8e5979ad0c6c03a22e0b172993d2535fd8d7ab31586ca5a10a2c1e85a2b

SHA512
81171a4d2ad57caa5cfd8915fbab97dfb6f2ef721a66610c6e124c1a8c354f30e896e8d8073b388956605c06d21bc027fcecf49527094fd671c5fce44023427a

Download Submit
C:\Windows\SysWOW64\Bqlfaj32.exe

Filesize
67KB

MD5
cbd0ad1e7aa48933b76d4bae929f967f

SHA1
fa0d009485d7dc545730d3cc5bd85d4b1fab7619

SHA256
b6576a3a3e7d7a6288876fafa802c51f08995d060348bdf6e6336e39c1b28032

SHA512
23eeaac939709d13cb7bcf7cb4d893100ccea4ce4e9f25c0d38bbbf4d51ce4de385ff08f166a69da8c57e582fe568b31267d473f540fa5feeccacbd9601a52da

Download Submit
C:\Windows\SysWOW64\Caifjn32.exe

Filesize
67KB

MD5
0175494ae0f3dcf5a3cc0dd521194329

SHA1
fb071f84ef5b7db81e4cfdd9f2853ec305e69d69

SHA256
3ea6ab10820ab9bf81b695764666e3f79935ac0bbab243ace556de4d34eea6e8

SHA512
8a64caef4e2650f51b80eba0e94af79082160c4a121aa4ab2a93018b81e9a6ef92dd0830d0fa9854a091a4310d26d59dc32cf12a7f728e173264f2cfce1b3b1a

Download Submit
C:\Windows\SysWOW64\Cbdiia32.exe

Filesize
67KB

MD5
120cd8b133a07850d2fb8fa5ee00ee2e

SHA1
98f7f2af74bebe8621a2897ae83857a7d3b5acf5

SHA256
52732cb493bbf1f6d656c23000c70ed5791247feae66fea5da0492d92d011315

SHA512
c7d1b3d33a2609713a02d7cce8a3243ff9bcebb244f34b5847323ba7bb3244bba5aedd00e61f54439f522bddbac14232381980cec19c17e9ce94f14b08da3fed

Download Submit
C:\Windows\SysWOW64\Cchbgi32.exe

Filesize
67KB

MD5
bed7a9c8d6f64df547784322118b4da7

SHA1
2e1adbf94bb09571b3e069462ce50cca1ea46b6e

SHA256
79e2c4441c302233034cb60bddc83602a1bc8ec9e136c420258c30088b82f00d

SHA512
e78107d0e4337340276daffda38ceb27f402bd83b6ad03513476cddd09239f2e19f911eda19ebb4cd3f7c4be097e064ac3710b1d741890708ef651217b8c2d60

Download Submit
C:\Windows\SysWOW64\Cebeem32.exe

Filesize
67KB

MD5
ab816a21084db87cfed3e85ab2127d7b

SHA1
4de8c8aff08a0f3950e498a5e847c34a18a22a77

SHA256
579315dfb0c52a574aecd05924a7f3ab5fe9622069ccc8f03f3a6c325c98c6d3

SHA512
6a86d73337763fc3a0339774074456570243bd97cea7aff9f623803df3c1d4a5b71bada3e1d38164ebadc3eae8696de73c64c680e64704dd03288d05ed9a3837

Download Submit
C:\Windows\SysWOW64\Cegoqlof.exe

Filesize
67KB

MD5
eae70c1f119616fe9a17805238ff9bfb

SHA1
7ffc268c087ebfc9dfeb40a557939952834b46e3

SHA256
a7a01585f227e9fbf14b389e66fedb98a3c2fce344b2c611c2ab067478b2d84e

SHA512
20e22a254081153c6b2c7fe64271796b17e93ef19e338047035ee492a88b3395165f81603f635ee5a7c1263f7aed9ab3c7f5bbadf789001f11cfb44537f44ac8

Download Submit
C:\Windows\SysWOW64\Cepipm32.exe

Filesize
67KB

MD5
7afcdec6e5f2e1f815256739f44fe929

SHA1
c89f7d4bfd3da6b4f3e9494aa375d970351fc618

SHA256
2b6c838cee3b4d7dd072bacfc9258dc16db27b3968e03db9e73400517b6250ed

SHA512
404d499742375bb8484a50bbcbc22074018f494bb810750e537b190c0e56122ba966130e0b3c8be975ced9403fac5efeeb59d505fd3c5e904b812b6ac43cf734

Download Submit
C:\Windows\SysWOW64\Cfkloq32.exe

Filesize
67KB

MD5
bf75610ed1b4d6f29366350166502384

SHA1
00a8a48f5e3bcc13acd4da0654f6b896280ca1eb

SHA256
f62205d9f24cf7b9c67e67f752e817715a01c4d98bdbbe158ac232ee5deb9989

SHA512
f8e47461174454d7b650e40f638e96edb463b8e695fd069d0c60aa3fd6590f05e7ff69dba9aa67de3bebdb400c96fa1d2db4d27faa65c8b4407e14718ed0b019

Download Submit
C:\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
67KB

MD5
7996b7bc0e71c5f17753b29c7ae65a43

SHA1
d6a5e5abe7ec21e685ab91bca2d9fdd3390853d5

SHA256
a825e391e8d0ddb7f3792902992f261c9232e5d20c63ca92d8dca908975f2ea5

SHA512
44818b99c195e22013a8d58787ea39aa03a21e88d60569f2f55eaa5f957fbd8de53654ff5f3449afe3f279cece851eaca2419da5f047b8cd57b070512b355aac

Download Submit
C:\Windows\SysWOW64\Cgoelh32.exe

Filesize
67KB

MD5
c16c42b8385d003ac435d27cee3f0b7c

SHA1
d71ac2a81373db94e002695912fe5a1297e0874f

SHA256
75ca05a8134f30d6d403bdf1e2e78a2c0a6488838577a4f470e9947ff9325d16

SHA512
a803e6fdaa7efe1a1cc74838df58d3fe3b9834a8cc8b0cd282a99b66c6e284d2e67da030ea0d4df1bf40629a5f848ef8f2634d741d5056195db178892be6f65b

Download Submit
C:\Windows\SysWOW64\Cinafkkd.exe

Filesize
67KB

MD5
7ceff0e59176b51070faec1954e2ce52

SHA1
ce613ad85e29a9ee5255b935fa02ef33b5eae56e

SHA256
3ecbb087aae1333aaa3bab42197e9300ec8c20c7cde55e900bc64862eafe5146

SHA512
e87ca112ee2bd460359096c95ffdaa95fbe8528b7edb6ce91b86fbe85e216fd710a9de8ef955172554ce839716a8c4cf4b4f4bdfeba0a9a488094939953def86

Download Submit
C:\Windows\SysWOW64\Cjonncab.exe

Filesize
67KB

MD5
7ee1ef40694c2ab9b2b708366c8b08e8

SHA1
e123f5315050461ee67fa91fa5a641826d5e3e7e

SHA256
e8b915e6eea366cd10b64b2d2f2ef22cab7278680624c051cee6a869635a8c07

SHA512
320331c16a1bdc900e3046300bbacdb6042935738ff8b6e1db7a2f10fde3c02c74cd40477fb27b3882115c40c18c00225466e8b3650b142a756f062c572c508c

Download Submit
C:\Windows\SysWOW64\Clojhf32.exe

Filesize
67KB

MD5
ebf338620e4afab98bbdcf0e520bf131

SHA1
15576da88f9c49a3eaee08fb163442c99bd49021

SHA256
c18c0c3a954c0e8d5c7dc1b56918ae4b7c28be343f09850ee02ff12f245ae7f9

SHA512
aeb0e74dc0d7a9ebc5acd0a5238589aade9ebc6ce64c0ef7227d6fc9b04b33e1055a045643a79f7141aebe48c63bde91bb3a2ff15c99f0ade2d080345a767e99

Download Submit
C:\Windows\SysWOW64\Cmedlk32.exe

Filesize
67KB

MD5
d9ab5e0e5d721bfb303da0c2045de5ec

SHA1
ce82ccaad70980729ab7853ba87fc514281c0fcb

SHA256
7b94dc9ca90c28651bb2fa2ebefff3080f5e30c67ac8e9045855d62e7e11b15f

SHA512
646b619698f491ecab0622b5f6e7d8d6b4f1615106bdf087c153f67d2f8559b555dfa77747852bae36db0cae2e6bda34d182ba05fa38a35d8381af30b5ea39c4

Download Submit
C:\Windows\SysWOW64\Cmpgpond.exe

Filesize
67KB

MD5
f3bb993f3f81a3173a509fe76f975f00

SHA1
11482f5b7969b6214a091dde97d6687d1ab7bb24

SHA256
aa75c1d5bf991504036f464e60e5d7d64370445c71eec347a5ce3ab95d3617ca

SHA512
0abc38b303f40a5c519f94e33d6e8543f0123eae274d4e203a8217b155102c8ce5a353e2b4cfee86a3da62ddfd5fe1860067e13ce4de83d592521a51d2cbb206

Download Submit
C:\Windows\SysWOW64\Cnfqccna.exe

Filesize
67KB

MD5
a641b1f992565d213d7c41e3085863ba

SHA1
cba135e015e56ed95139b92be124caeb5a852330

SHA256
c49bd5fa88fcd941eb13d8be9ab2282c944cf2aae4fa3df011ffc282f131e913

SHA512
2bbdacb0399ea7a32d878c940d508316f75d00585d641fd9be8feda401b053577280db520f800f9af8332570bb7df726974abe3249bfaaa3c82771a6a85946dc

Download Submit
C:\Windows\SysWOW64\Cnkjnb32.exe

Filesize
67KB

MD5
e45834c9a217dbed96aa92c634ac1dd9

SHA1
d7d685545332ec48499e7d31fe62834f1eb3737d

SHA256
040b193e1cbc04ce1b04bbff99ff82d94b8458bc3c477688e3f504be7fb8e1f0

SHA512
0ad892368c32c2a90da020c55814d0bcff144695dcac9bb4d2319d3801785e3d2127ac93e398e1282f6a5b538844dc2f9a6b7ab36c5c4a48a7d6c7ac1985d257

Download Submit
C:\Windows\SysWOW64\Coacbfii.exe

Filesize
67KB

MD5
07946ea0c4db198dd46335eefbfbfcc3

SHA1
061a781129c31c49739accdc6f38f8ee61af1947

SHA256
bd924d670ce00b771257ed6ea1e1c6f54eb79f2482526abcb9c10950ff21e318

SHA512
20507600521341686f421e833977a5b79b9fe8ea0085e50daf7801c4c973ab97e5cf20336f9da31d2a7134d0715deaae05711e8f187be1492435fb2e8f073743

Download Submit
C:\Windows\SysWOW64\Cpfmmf32.exe

Filesize
67KB

MD5
d5010aca0a629e2400bd5fd6c620101e

SHA1
ba41c3ce2be106934c6c890f02ade6416ac60626

SHA256
b0b4b630aea1306537f381ad5128398e7ff3441871917d0f8dbbcecf9a5e6569

SHA512
5d8ab3a8654a4b0ac6ebd68ab912c5d07c866f981c3a5da4b95982e58fb067472f77660cf22cccf675bebab5edad7b2baf1c36a74e7e7823faa1be7435c275b8

Download Submit
C:\Windows\SysWOW64\Djdgic32.exe

Filesize
67KB

MD5
119698dea28f1c40b7ccb5b5a27b3659

SHA1
765fc82fe90cc20ae282074602433d22e4adfc66

SHA256
8b835b64d6957bb2c0b033dc9e1a4dfa9eb6952bfad5d688361008d7a8931f4f

SHA512
89bbf47392cc0f27b1bd2dc0c4a687f1d0e50f98fa0acfb2a92977c6001fdbb0c61e3f00ba2aa6e63594810944bd5c800c1e9e67918b7edeb107fd60ba8c3f77

Download Submit
C:\Windows\SysWOW64\Dnpciaef.exe

Filesize
67KB

MD5
c362306fe70ed22a9043c60b8b85611e

SHA1
964dc378f89666e6767c76913ed9d0c99ecccee5

SHA256
0e35c7ec81a163daf74fb056c790d62366185510a87e1519889739841b3b2baa

SHA512
9e23b375de6e7dc478e78ec59e628f6cbca4035b84f631c80288bb9d8eea7f1224e5ace07cda7dd50ab132c0bcc6d62758c7b28d245047bd6f86cced2033eb1b

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
67KB

MD5
e86b4cb3aea9fe2a29e7e2ed77e814a7

SHA1
b3a08efb70eb66473fcb34bebfc3705249515f9d

SHA256
58e55d2a6e323b396b366be01c9a9ace8ef1917d0cb2448baa928fa83139a23e

SHA512
fe9dc47f9bcdc64c7bccc2890a9a4989ae24dfc1f3032037291236efef3ce0658d9fd8f13a6872defdd44f0e2e4fcddbeaf2507e19e182b352ef13ed4cf9f14e

Download Submit
C:\Windows\SysWOW64\Pdeqfhjd.exe

Filesize
67KB

MD5
2fc84b577b7564621c92a2711691026c

SHA1
6179b51228ad42b0cba4e3ffd6ccd3eaeecb1617

SHA256
aa64d7dd4c221e2e1af38edf23cb37ae6f4c8ef351bb1a73af7aabbe3d57b0ab

SHA512
9ffaafab0d9131decec699399cf1561108cb8247f6e550ad77e0bdf2fdeb311a49e4e77b28e3f8deedeb937dd551e7ee9b5916c4d093e8c3a8879f0868d4195f

Download Submit
C:\Windows\SysWOW64\Pkaehb32.exe

Filesize
67KB

MD5
4a79a6e5922c25e360a965eabfad0fd4

SHA1
8f581d776baf6671c917770f31da4446899a6e82

SHA256
0d8f32f201a94af098c7b512e494166c95009c7a4ef5fc56278c606d0c49f78d

SHA512
c503fa4c9646e1781b3a3c9afa524090d38b2900e0b2bb7f35dc3c6aabffdfd2fd06825cecd4ec9acf6dd46d43e2c3f01b9ba32f38c8300d7651996e65192550

Download Submit
C:\Windows\SysWOW64\Pkcbnanl.exe

Filesize
67KB

MD5
5450d75eb89161a3a50a50bfc579516a

SHA1
4d33793e38723f7ec69d11368a03b9fb9a422f85

SHA256
121a32d354ecd9ff4e328e8b79d9822f6ede643baec37c3f63d0af3a5421274f

SHA512
45684ba6529eb9f7f84c3e9f662c77a2d9b84b060286a0fd9f6a80a02cca66f1ac9d071c128074f98b426a6c5dbb89365428f2935bd5f0313cc8c6bbf7551f58

Download Submit
C:\Windows\SysWOW64\Pojecajj.exe

Filesize
67KB

MD5
252602e8b4f8fe46ced96843f6ff7212

SHA1
931b721fd7cce6562cd0ccc05e3fb5c8487d251e

SHA256
0afd0e8954323d0ba61020dd696c1feb9d92a7e05a3ab401f923a76ac23218d7

SHA512
411d9576160952e5d696ee52b1f7a3e6f0524366734a4134b511de0b30c893319d8d6166f96d8c8dd03bc05a337ecaf4e6fca8bff31223082fe186a5c90f2690

Download Submit
\Windows\SysWOW64\Aaimopli.exe

Filesize
67KB

MD5
80948385fe37e551e34830c6aaddb425

SHA1
2e45e189949957331606fb78b87dd30285301cf3

SHA256
f368afd37c237271081878c34f5d1e1741798a2b7d59195f06ef9e8d39f8cbdb

SHA512
d3a1e7b8bf6f0ff2303b516e2fcb3927cf871721e2796a87933e983c3739752530ece9a5334145c51e5d5bcae4fc001648ceb063276d9cd3ce5740e3b3acafab

Download Submit
\Windows\SysWOW64\Achjibcl.exe

Filesize
67KB

MD5
4e40194f44832888678bb93461bcf780

SHA1
749fe788e07137a8bfe09b56e81eeb5281a9fe82

SHA256
202f7c54ec43ce69a175377eb94a478daa3bad8a2e4008ae9153157ff715796a

SHA512
7e821d8c8fe01bca504471838ec9facc3e95fefe3f2ab67866c623b755c7de8cec4d7aacf1f519597e96a90e33ce38b9e130903b7ae043fd4872e0d0f4e79268

Download Submit
\Windows\SysWOW64\Ahebaiac.exe

Filesize
67KB

MD5
74285a0f4596837e405e05f64dd2a63a

SHA1
382afc48c6a646bfeff91edc1ad9fdc1065372a9

SHA256
d86ea88c2ae563ef0daf63e392597c6b032ffedaf96eaf55472d5b5ecf76fbac

SHA512
bc2c9daa499924ce33bcd3b5889d960853ad98b894795a411c592e458b4dd8b91ee7a43ad588c2f77e2d0b03b8e0a28f0208f787d4dc90c2eb274f1afcd4147a

Download Submit
\Windows\SysWOW64\Ajpepm32.exe

Filesize
67KB

MD5
fee5b5f06cdc4d8ca6064e80c27f121f

SHA1
f67e44f8fbc3fbe7f065b3fd13278c5212f76b0c

SHA256
2e26a248d42c07883d22b57efdebf0a8ca9a0094359434753e0c95927b7dd178

SHA512
ab0b6e15f2b6fded0131f67514fec515949c5ecafcab0131e252a34235ceda3c8678e8c233398e56988f4cc62a8e039a040002ac8b85142b0e39bee8d51442e6

Download Submit
\Windows\SysWOW64\Allefimb.exe

Filesize
67KB

MD5
eddb413405cbd4d533e666ae18770709

SHA1
825df5bae5c5ac30247272e2a20fbaa7edb54d7a

SHA256
0472b393a04066ca8bd7f1137918de6f55d071d6e579685725af741e0f158b1c

SHA512
ddddd3ac00991bf3ad3195625e1660863bdc5d89501114aafe3467c3ca49d061b40fa0d7f1920761e4b1e2e3090d3abd6a76528d1169c4b6a3f20b9ef455a4d3

Download Submit
\Windows\SysWOW64\Aohdmdoh.exe

Filesize
67KB

MD5
2d428c7239103e16c7cada2cf7856a1f

SHA1
8b2584f0a08560bb9b0e8c2b1de941e31c8887a7

SHA256
295b5f4d3dfb973d2b5e6fb502006a415881788c882762c08752d678d587a084

SHA512
1fe8032830ebda87e16db0fde31d71aee9f9b8485c066f767ad074bcb811c7f9eb52fe06cf272098addcd48f2c51a95ca3e2df6e93784c9dd47f170681f41565

Download Submit
\Windows\SysWOW64\Pdgmlhha.exe

Filesize
67KB

MD5
06a527c5f9e0fc2cf75659b31655fc67

SHA1
51bc2c05cb9e973a733418ca0f3e66b83bea1c11

SHA256
d46b8f50a06dbf66bd41c26ca4ce7159239200c14570b86568af4d9a32b6d496

SHA512
76f21703454b05ec363d16982e90ff7172bbdbeca480af9a64a0f077d0e056a3f4c5927ea1ce7816e7b9bd5098f70bd438f3bfb144e7373ce90286f46e7ca01e

Download Submit
\Windows\SysWOW64\Pdjjag32.exe

Filesize
67KB

MD5
161375e0d2f3ca5c83556151f76174ac

SHA1
10640c37b1fe3a210266532fb9c673187ce92b83

SHA256
d2803ddf91d8339365b0c5a31b1133330eba5f28655bacfac443ca58aa058c4b

SHA512
41c0ddb41384a27ea100f997f909f024bdad7e13be71955cf2794c6a7f116aa2ee81b7ef3420b114b0c689c084121d00d149ee0d61477ef9921d68f35e09ec9e

Download Submit
\Windows\SysWOW64\Qcachc32.exe

Filesize
67KB

MD5
f78b8e3d66d37d490e233d320b06df83

SHA1
bd5170f2f16d6b9bb1068db451ea16c796947f92

SHA256
aa262b6df2359e082648cd49275d69abac12e4e024187a5fe9932415748fefa4

SHA512
806d5d718c26a867595ebf315df3c9b57dee79f7f51b97da7dd2c0514a9d5d20076c50800466f22631b82ad1f9d8faf0c0c1cddba877dce85b01abd4061f2c87

Download Submit
\Windows\SysWOW64\Qcogbdkg.exe

Filesize
67KB

MD5
9d92ae11a3bc44c8a1634005996b3bee

SHA1
30b86a1e35077de6aef2a9d7db98a576c28e5812

SHA256
4a8d69756534a57707cc8287386d81e5d3613b95315ef12cf753cff133c85f29

SHA512
5afdc9a00f3542b09400e9fd1d5bb5aa5736ab72466a542387e9507476905ba88d7e0e202d97824e1a5b8b3259cb5d63da358a49dc1a8daa98ffbfdd44cc17d7

Download Submit
\Windows\SysWOW64\Qjklenpa.exe

Filesize
67KB

MD5
6e7936c48fe6783bff1be73a5cc1f465

SHA1
f9ded16882ec826edaf34b088d8a238fd81bb2b1

SHA256
e248af42d390fae1f9a13fc2624a41097201a4c781255f058eecd1e9a5ac467b

SHA512
3bcf3f10d00082ef7e16c9513db9b7228c5a76c2007c374284ff2ebfaeb25276e40fd1df4044626fb176f2740975317c4806e6b28dad32b7c7b08315f0c344e1

Download Submit
\Windows\SysWOW64\Qndkpmkm.exe

Filesize
67KB

MD5
2cf7e8029d7b10effb79156fb374242a

SHA1
34b443365104f494dd87c50f39085d61e4b7a0a2

SHA256
f6bb9155c81ce7ac3565a94ca474ca6c676aad5073ddce821d120840f4a6c685

SHA512
6608e45594684d05c7c24f977938924c00efc7afac7f0559e02ee19aa122f16f69fb08d8d10270163673ac4d67deea51a13a4b5e532ea6d0c7e87f770d0f0728

Download Submit
memory/572-315-0x0000000000440000-0x000000000047B000-memory.dmp

Filesize
236KB

Download
memory/572-276-0x0000000000440000-0x000000000047B000-memory.dmp

Filesize
236KB

Download
memory/572-273-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/620-171-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/620-112-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/620-121-0x0000000001F30000-0x0000000001F6B000-memory.dmp

Filesize
236KB

Download
memory/680-187-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/680-180-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/872-142-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/872-200-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/872-157-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/872-204-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/872-156-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/900-291-0x0000000000440000-0x000000000047B000-memory.dmp

Filesize
236KB

Download
memory/900-252-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1280-201-0x0000000000260000-0x000000000029B000-memory.dmp

Filesize
236KB

Download
memory/1280-246-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1280-251-0x0000000000260000-0x000000000029B000-memory.dmp

Filesize
236KB

Download
memory/1280-257-0x0000000000260000-0x000000000029B000-memory.dmp

Filesize
236KB

Download
memory/1280-190-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1496-212-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1496-159-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1516-272-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/1516-303-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1516-259-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1572-343-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1572-310-0x0000000000310000-0x000000000034B000-memory.dmp

Filesize
236KB

Download
memory/1572-304-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1572-314-0x0000000000310000-0x000000000034B000-memory.dmp

Filesize
236KB

Download
memory/1600-235-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1600-242-0x0000000000280000-0x00000000002BB000-memory.dmp

Filesize
236KB

Download
memory/1600-281-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1640-413-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1640-420-0x0000000000440000-0x000000000047B000-memory.dmp

Filesize
236KB

Download
memory/1716-182-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/1716-173-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1716-233-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1740-287-0x00000000002F0000-0x000000000032B000-memory.dmp

Filesize
236KB

Download
memory/1740-324-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1964-418-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2016-393-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2016-400-0x00000000002D0000-0x000000000030B000-memory.dmp

Filesize
236KB

Download
memory/2044-360-0x0000000001F70000-0x0000000001FAB000-memory.dmp

Filesize
236KB

Download
memory/2044-354-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2044-359-0x0000000001F70000-0x0000000001FAB000-memory.dmp

Filesize
236KB

Download
memory/2172-18-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2172-53-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2236-325-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2236-332-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2236-369-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2236-371-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2248-234-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2248-225-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2248-275-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2248-274-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2392-258-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2392-214-0x00000000002E0000-0x000000000031B000-memory.dmp

Filesize
236KB

Download
memory/2392-205-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2452-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2452-52-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2452-12-0x00000000005D0000-0x000000000060B000-memory.dmp

Filesize
236KB

Download
memory/2552-372-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2552-409-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2552-379-0x00000000002D0000-0x000000000030B000-memory.dmp

Filesize
236KB

Download
memory/2564-392-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2564-355-0x0000000000440000-0x000000000047B000-memory.dmp

Filesize
236KB

Download
memory/2564-348-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2580-370-0x00000000005D0000-0x000000000060B000-memory.dmp

Filesize
236KB

Download
memory/2580-398-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2628-151-0x0000000000440000-0x000000000047B000-memory.dmp

Filesize
236KB

Download
memory/2628-110-0x0000000000440000-0x000000000047B000-memory.dmp

Filesize
236KB

Download
memory/2628-149-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2636-33-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2636-26-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2636-79-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2636-82-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2724-140-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2724-92-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2724-83-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2828-344-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2828-383-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2828-377-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2840-105-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2840-62-0x0000000000320000-0x000000000035B000-memory.dmp

Filesize
236KB

Download
memory/2840-54-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2928-128-0x00000000002F0000-0x000000000032B000-memory.dmp

Filesize
236KB

Download
memory/2928-119-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2928-80-0x00000000002F0000-0x000000000032B000-memory.dmp

Filesize
236KB

Download
memory/2928-126-0x00000000002F0000-0x000000000032B000-memory.dmp

Filesize
236KB

Download
memory/3064-292-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3064-337-0x0000000000260000-0x000000000029B000-memory.dmp

Filesize
236KB

Download
memory/3064-336-0x0000000000260000-0x000000000029B000-memory.dmp

Filesize
236KB

Download
memory/3064-331-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3064-302-0x0000000000260000-0x000000000029B000-memory.dmp

Filesize
236KB

Download
memory/3064-301-0x0000000000260000-0x000000000029B000-memory.dmp

Filesize
236KB

Download
memory/3068-90-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads