berbew | 1ce2faf7b39e6e537ab66720df148581b852d24c42cb6beb40587adebe504095

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-12-2024 20:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ce2faf7b39e6e537ab66720df148581b852d24c42cb6beb40587adebe504095.exe
Size

60KB
MD5

59612b1887dc69aa8a4149a5b60a7b5c
SHA1

d119e6ce26025abbef539bd9fd1dfbac99349709
SHA256

1ce2faf7b39e6e537ab66720df148581b852d24c42cb6beb40587adebe504095
SHA512

5fcc71c357c8a04b389fb9116238f79c439416468ce172841aadc8e6cf1f67b5bb51dbe5e3174c7b92fb360e81a6d0ec62568f10869be2c1dc2071d9b1474e00
SSDEEP

1536:D0D5gERLFt8pJMw6BAnKW2FGw86OlG6SR6XPQ+qB86l1rs:43vt8p1WWX96OlG6S6oTB86l1rs

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkegah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcogbdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qiioon32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoagccfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjpaop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danpemej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qiioon32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qeppdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnfddp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmnnkl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aojabdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aojabdlf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adifpk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqbdkk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdjjag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdjjag32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcogbdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdncmgbj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnfddp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgoime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahebaiac.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adlcfjgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcbhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgaebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accqnc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahbekjcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adlcfjgh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdcifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdncmgbj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgaebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danpemej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahpifj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmeiq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjcme32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjakccop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckjamgmk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjakccop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accqnc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahpifj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjpaop32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 50 IoCs

pid	Process
3008	Pdjjag32.exe
2172	Pkcbnanl.exe
1292	Qcogbdkg.exe
2808	Qiioon32.exe
2376	Qdncmgbj.exe
2556	Qeppdo32.exe
2552	Apedah32.exe
2992	Accqnc32.exe
1660	Ahpifj32.exe
1680	Aojabdlf.exe
1760	Ahbekjcf.exe
1428	Aomnhd32.exe
2728	Adifpk32.exe
1884	Ahebaiac.exe
2032	Adlcfjgh.exe
672	Aoagccfn.exe
1336	Aqbdkk32.exe
2304	Bnfddp32.exe
904	Bqeqqk32.exe
536	Bgoime32.exe
888	Bjmeiq32.exe
1628	Bdcifi32.exe
1588	Bgaebe32.exe
2500	Bjpaop32.exe
3064	Bmnnkl32.exe
2664	Bgcbhd32.exe
2688	Bqlfaj32.exe
2900	Bcjcme32.exe
2672	Bjdkjpkb.exe
2548	Bkegah32.exe
660	Cfkloq32.exe
2364	Cmedlk32.exe
1644	Cnfqccna.exe
1932	Cfmhdpnc.exe
1944	Ckjamgmk.exe
628	Cnimiblo.exe
2732	Cbdiia32.exe
2428	Ckmnbg32.exe
2960	Cnkjnb32.exe
448	Caifjn32.exe
1356	Cchbgi32.exe
1840	Clojhf32.exe
1652	Cjakccop.exe
2284	Cmpgpond.exe
872	Calcpm32.exe
1496	Ccjoli32.exe
2964	Cfhkhd32.exe
1712	Djdgic32.exe
2200	Danpemej.exe
2208	Dpapaj32.exe

Loads dropped DLL 64 IoCs

pid	Process
2084	1ce2faf7b39e6e537ab66720df148581b852d24c42cb6beb40587adebe504095.exe
2084	1ce2faf7b39e6e537ab66720df148581b852d24c42cb6beb40587adebe504095.exe
3008	Pdjjag32.exe
3008	Pdjjag32.exe
2172	Pkcbnanl.exe
2172	Pkcbnanl.exe
1292	Qcogbdkg.exe
1292	Qcogbdkg.exe
2808	Qiioon32.exe
2808	Qiioon32.exe
2376	Qdncmgbj.exe
2376	Qdncmgbj.exe
2556	Qeppdo32.exe
2556	Qeppdo32.exe
2552	Apedah32.exe
2552	Apedah32.exe
2992	Accqnc32.exe
2992	Accqnc32.exe
1660	Ahpifj32.exe
1660	Ahpifj32.exe
1680	Aojabdlf.exe
1680	Aojabdlf.exe
1760	Ahbekjcf.exe
1760	Ahbekjcf.exe
1428	Aomnhd32.exe
1428	Aomnhd32.exe
2728	Adifpk32.exe
2728	Adifpk32.exe
1884	Ahebaiac.exe
1884	Ahebaiac.exe
2032	Adlcfjgh.exe
2032	Adlcfjgh.exe
672	Aoagccfn.exe
672	Aoagccfn.exe
1336	Aqbdkk32.exe
1336	Aqbdkk32.exe
2304	Bnfddp32.exe
2304	Bnfddp32.exe
904	Bqeqqk32.exe
904	Bqeqqk32.exe
536	Bgoime32.exe
536	Bgoime32.exe
888	Bjmeiq32.exe
888	Bjmeiq32.exe
1628	Bdcifi32.exe
1628	Bdcifi32.exe
1588	Bgaebe32.exe
1588	Bgaebe32.exe
2500	Bjpaop32.exe
2500	Bjpaop32.exe
3064	Bmnnkl32.exe
3064	Bmnnkl32.exe
2664	Bgcbhd32.exe
2664	Bgcbhd32.exe
2688	Bqlfaj32.exe
2688	Bqlfaj32.exe
2900	Bcjcme32.exe
2900	Bcjcme32.exe
2672	Bjdkjpkb.exe
2672	Bjdkjpkb.exe
2548	Bkegah32.exe
2548	Bkegah32.exe
660	Cfkloq32.exe
660	Cfkloq32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pkcbnanl.exe	Pdjjag32.exe
File created	C:\Windows\SysWOW64\Hiablm32.dll	Bqlfaj32.exe
File created	C:\Windows\SysWOW64\Cnkjnb32.exe	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Qdncmgbj.exe	Qiioon32.exe
File created	C:\Windows\SysWOW64\Cnimiblo.exe	Ckjamgmk.exe
File opened for modification	C:\Windows\SysWOW64\Danpemej.exe	Djdgic32.exe
File opened for modification	C:\Windows\SysWOW64\Ckjamgmk.exe	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Qiioon32.exe	Qcogbdkg.exe
File opened for modification	C:\Windows\SysWOW64\Ahpifj32.exe	Accqnc32.exe
File created	C:\Windows\SysWOW64\Pmmgmc32.dll	Ahbekjcf.exe
File opened for modification	C:\Windows\SysWOW64\Bqlfaj32.exe	Bgcbhd32.exe
File created	C:\Windows\SysWOW64\Cnfqccna.exe	Cmedlk32.exe
File created	C:\Windows\SysWOW64\Hcopgk32.dll	Apedah32.exe
File opened for modification	C:\Windows\SysWOW64\Clojhf32.exe	Cchbgi32.exe
File created	C:\Windows\SysWOW64\Djdgic32.exe	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Cbdiia32.exe	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Cmpgpond.exe	Cjakccop.exe
File opened for modification	C:\Windows\SysWOW64\Ahbekjcf.exe	Aojabdlf.exe
File opened for modification	C:\Windows\SysWOW64\Bjmeiq32.exe	Bgoime32.exe
File created	C:\Windows\SysWOW64\Bqlfaj32.exe	Bgcbhd32.exe
File created	C:\Windows\SysWOW64\Fnpeed32.dll	Cmedlk32.exe
File created	C:\Windows\SysWOW64\Pobghn32.dll	Ckjamgmk.exe
File created	C:\Windows\SysWOW64\Kqcjjk32.dll	1ce2faf7b39e6e537ab66720df148581b852d24c42cb6beb40587adebe504095.exe
File created	C:\Windows\SysWOW64\Cfmhdpnc.exe	Cnfqccna.exe
File created	C:\Windows\SysWOW64\Aojabdlf.exe	Ahpifj32.exe
File created	C:\Windows\SysWOW64\Jendoajo.dll	Adifpk32.exe
File created	C:\Windows\SysWOW64\Calcpm32.exe	Cmpgpond.exe
File opened for modification	C:\Windows\SysWOW64\Qdncmgbj.exe	Qiioon32.exe
File created	C:\Windows\SysWOW64\Adlcfjgh.exe	Ahebaiac.exe
File created	C:\Windows\SysWOW64\Cfkloq32.exe	Bkegah32.exe
File created	C:\Windows\SysWOW64\Fbnbckhg.dll	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Cchbgi32.exe	Caifjn32.exe
File created	C:\Windows\SysWOW64\Bgcbhd32.exe	Bmnnkl32.exe
File created	C:\Windows\SysWOW64\Ccofjipn.dll	Cfhkhd32.exe
File opened for modification	C:\Windows\SysWOW64\Pkcbnanl.exe	Pdjjag32.exe
File created	C:\Windows\SysWOW64\Peblpbgn.dll	Pkcbnanl.exe
File created	C:\Windows\SysWOW64\Qeppdo32.exe	Qdncmgbj.exe
File opened for modification	C:\Windows\SysWOW64\Aomnhd32.exe	Ahbekjcf.exe
File opened for modification	C:\Windows\SysWOW64\Adifpk32.exe	Aomnhd32.exe
File created	C:\Windows\SysWOW64\Ljamki32.dll	Qdncmgbj.exe
File created	C:\Windows\SysWOW64\Ckjamgmk.exe	Cfmhdpnc.exe
File opened for modification	C:\Windows\SysWOW64\Cmpgpond.exe	Cjakccop.exe
File opened for modification	C:\Windows\SysWOW64\Calcpm32.exe	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Egfokakc.dll	Aomnhd32.exe
File created	C:\Windows\SysWOW64\Cdpkangm.dll	Bgaebe32.exe
File created	C:\Windows\SysWOW64\Ofaejacl.dll	Cmpgpond.exe
File opened for modification	C:\Windows\SysWOW64\Pdjjag32.exe	1ce2faf7b39e6e537ab66720df148581b852d24c42cb6beb40587adebe504095.exe
File created	C:\Windows\SysWOW64\Bgoime32.exe	Bqeqqk32.exe
File opened for modification	C:\Windows\SysWOW64\Cfkloq32.exe	Bkegah32.exe
File opened for modification	C:\Windows\SysWOW64\Cfhkhd32.exe	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Obahbj32.dll	Bqeqqk32.exe
File opened for modification	C:\Windows\SysWOW64\Bmnnkl32.exe	Bjpaop32.exe
File created	C:\Windows\SysWOW64\Godonkii.dll	Bjpaop32.exe
File created	C:\Windows\SysWOW64\Nmlfpfpl.dll	Accqnc32.exe
File created	C:\Windows\SysWOW64\Maanne32.dll	Aojabdlf.exe
File created	C:\Windows\SysWOW64\Kmapmi32.dll	Aqbdkk32.exe
File opened for modification	C:\Windows\SysWOW64\Bqeqqk32.exe	Bnfddp32.exe
File opened for modification	C:\Windows\SysWOW64\Bgoime32.exe	Bqeqqk32.exe
File created	C:\Windows\SysWOW64\Dfefmpeo.dll	Bmnnkl32.exe
File created	C:\Windows\SysWOW64\Cjakccop.exe	Clojhf32.exe
File opened for modification	C:\Windows\SysWOW64\Qcogbdkg.exe	Pkcbnanl.exe
File created	C:\Windows\SysWOW64\Cmfaflol.dll	Qcogbdkg.exe
File created	C:\Windows\SysWOW64\Qgejemnf.dll	Cnfqccna.exe
File opened for modification	C:\Windows\SysWOW64\Cnimiblo.exe	Ckjamgmk.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2692	2208	WerFault.exe	80

System Location Discovery: System Language Discovery 1 TTPs 51 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahebaiac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmnnkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqlfaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clojhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdjjag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apedah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahbekjcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqeqqk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnimiblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1ce2faf7b39e6e537ab66720df148581b852d24c42cb6beb40587adebe504095.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkcbnanl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgoime32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accqnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnfqccna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjamgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmeiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfkloq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caifjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjakccop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danpemej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjpaop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjcme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qiioon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aojabdlf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adlcfjgh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoagccfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqbdkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnfddp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkegah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmedlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmhdpnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkjnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdiia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhkhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdncmgbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahpifj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aomnhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdcifi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcbhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdkjpkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcogbdkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qeppdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adifpk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgaebe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cchbgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpgpond.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pkcbnanl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdncmgbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmlfpfpl.dll"	Accqnc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aoagccfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdpkangm.dll"	Bgaebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qcogbdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmapmi32.dll"	Aqbdkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnfddp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjdkjpkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdqjn32.dll"	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qiioon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmmgmc32.dll"	Ahbekjcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adifpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahebaiac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opobfpee.dll"	Bnfddp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qeppdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmhnlgkg.dll"	Aoagccfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgoime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjpaop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljamki32.dll"	Qdncmgbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahpifj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aojabdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acnenl32.dll"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qcogbdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahbekjcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkegah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	1ce2faf7b39e6e537ab66720df148581b852d24c42cb6beb40587adebe504095.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdjjag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbmnig32.dll"	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdncmgbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qeppdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhogdg32.dll"	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bqeqqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnpeed32.dll"	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcaibd32.dll"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	1ce2faf7b39e6e537ab66720df148581b852d24c42cb6beb40587adebe504095.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahpifj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adifpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obahbj32.dll"	Bqeqqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbehjc32.dll"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bqlfaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqcjjk32.dll"	1ce2faf7b39e6e537ab66720df148581b852d24c42cb6beb40587adebe504095.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcopgk32.dll"	Apedah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Accqnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adlcfjgh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdcifi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpqmndme.dll"	Qeppdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maanne32.dll"	Aojabdlf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqbdkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgmdailj.dll"	Bgoime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckjamgmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	1ce2faf7b39e6e537ab66720df148581b852d24c42cb6beb40587adebe504095.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 3008	2084	1ce2faf7b39e6e537ab66720df148581b852d24c42cb6beb40587adebe504095.exe	31
PID 2084 wrote to memory of 3008	2084	1ce2faf7b39e6e537ab66720df148581b852d24c42cb6beb40587adebe504095.exe	31
PID 2084 wrote to memory of 3008	2084	1ce2faf7b39e6e537ab66720df148581b852d24c42cb6beb40587adebe504095.exe	31
PID 2084 wrote to memory of 3008	2084	1ce2faf7b39e6e537ab66720df148581b852d24c42cb6beb40587adebe504095.exe	31
PID 3008 wrote to memory of 2172	3008	Pdjjag32.exe	32
PID 3008 wrote to memory of 2172	3008	Pdjjag32.exe	32
PID 3008 wrote to memory of 2172	3008	Pdjjag32.exe	32
PID 3008 wrote to memory of 2172	3008	Pdjjag32.exe	32
PID 2172 wrote to memory of 1292	2172	Pkcbnanl.exe	33
PID 2172 wrote to memory of 1292	2172	Pkcbnanl.exe	33
PID 2172 wrote to memory of 1292	2172	Pkcbnanl.exe	33
PID 2172 wrote to memory of 1292	2172	Pkcbnanl.exe	33
PID 1292 wrote to memory of 2808	1292	Qcogbdkg.exe	34
PID 1292 wrote to memory of 2808	1292	Qcogbdkg.exe	34
PID 1292 wrote to memory of 2808	1292	Qcogbdkg.exe	34
PID 1292 wrote to memory of 2808	1292	Qcogbdkg.exe	34
PID 2808 wrote to memory of 2376	2808	Qiioon32.exe	35
PID 2808 wrote to memory of 2376	2808	Qiioon32.exe	35
PID 2808 wrote to memory of 2376	2808	Qiioon32.exe	35
PID 2808 wrote to memory of 2376	2808	Qiioon32.exe	35
PID 2376 wrote to memory of 2556	2376	Qdncmgbj.exe	36
PID 2376 wrote to memory of 2556	2376	Qdncmgbj.exe	36
PID 2376 wrote to memory of 2556	2376	Qdncmgbj.exe	36
PID 2376 wrote to memory of 2556	2376	Qdncmgbj.exe	36
PID 2556 wrote to memory of 2552	2556	Qeppdo32.exe	37
PID 2556 wrote to memory of 2552	2556	Qeppdo32.exe	37
PID 2556 wrote to memory of 2552	2556	Qeppdo32.exe	37
PID 2556 wrote to memory of 2552	2556	Qeppdo32.exe	37
PID 2552 wrote to memory of 2992	2552	Apedah32.exe	38
PID 2552 wrote to memory of 2992	2552	Apedah32.exe	38
PID 2552 wrote to memory of 2992	2552	Apedah32.exe	38
PID 2552 wrote to memory of 2992	2552	Apedah32.exe	38
PID 2992 wrote to memory of 1660	2992	Accqnc32.exe	39
PID 2992 wrote to memory of 1660	2992	Accqnc32.exe	39
PID 2992 wrote to memory of 1660	2992	Accqnc32.exe	39
PID 2992 wrote to memory of 1660	2992	Accqnc32.exe	39
PID 1660 wrote to memory of 1680	1660	Ahpifj32.exe	40
PID 1660 wrote to memory of 1680	1660	Ahpifj32.exe	40
PID 1660 wrote to memory of 1680	1660	Ahpifj32.exe	40
PID 1660 wrote to memory of 1680	1660	Ahpifj32.exe	40
PID 1680 wrote to memory of 1760	1680	Aojabdlf.exe	41
PID 1680 wrote to memory of 1760	1680	Aojabdlf.exe	41
PID 1680 wrote to memory of 1760	1680	Aojabdlf.exe	41
PID 1680 wrote to memory of 1760	1680	Aojabdlf.exe	41
PID 1760 wrote to memory of 1428	1760	Ahbekjcf.exe	42
PID 1760 wrote to memory of 1428	1760	Ahbekjcf.exe	42
PID 1760 wrote to memory of 1428	1760	Ahbekjcf.exe	42
PID 1760 wrote to memory of 1428	1760	Ahbekjcf.exe	42
PID 1428 wrote to memory of 2728	1428	Aomnhd32.exe	43
PID 1428 wrote to memory of 2728	1428	Aomnhd32.exe	43
PID 1428 wrote to memory of 2728	1428	Aomnhd32.exe	43
PID 1428 wrote to memory of 2728	1428	Aomnhd32.exe	43
PID 2728 wrote to memory of 1884	2728	Adifpk32.exe	44
PID 2728 wrote to memory of 1884	2728	Adifpk32.exe	44
PID 2728 wrote to memory of 1884	2728	Adifpk32.exe	44
PID 2728 wrote to memory of 1884	2728	Adifpk32.exe	44
PID 1884 wrote to memory of 2032	1884	Ahebaiac.exe	45
PID 1884 wrote to memory of 2032	1884	Ahebaiac.exe	45
PID 1884 wrote to memory of 2032	1884	Ahebaiac.exe	45
PID 1884 wrote to memory of 2032	1884	Ahebaiac.exe	45
PID 2032 wrote to memory of 672	2032	Adlcfjgh.exe	46
PID 2032 wrote to memory of 672	2032	Adlcfjgh.exe	46
PID 2032 wrote to memory of 672	2032	Adlcfjgh.exe	46
PID 2032 wrote to memory of 672	2032	Adlcfjgh.exe	46

C:\Users\Admin\AppData\Local\Temp\1ce2faf7b39e6e537ab66720df148581b852d24c42cb6beb40587adebe504095.exe
"C:\Users\Admin\AppData\Local\Temp\1ce2faf7b39e6e537ab66720df148581b852d24c42cb6beb40587adebe504095.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\SysWOW64\Pdjjag32.exe
  C:\Windows\system32\Pdjjag32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Windows\SysWOW64\Pkcbnanl.exe
    C:\Windows\system32\Pkcbnanl.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2172
  - - C:\Windows\SysWOW64\Qcogbdkg.exe
      C:\Windows\system32\Qcogbdkg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1292
    - - C:\Windows\SysWOW64\Qiioon32.exe
        
        C:\Windows\system32\Qiioon32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2808
      - C:\Windows\SysWOW64\Qdncmgbj.exe
        
        C:\Windows\system32\Qdncmgbj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\Qeppdo32.exe
        
        C:\Windows\system32\Qeppdo32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\Apedah32.exe
        
        C:\Windows\system32\Apedah32.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Windows\SysWOW64\Accqnc32.exe
        
        C:\Windows\system32\Accqnc32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\SysWOW64\Ahpifj32.exe
        
        C:\Windows\system32\Ahpifj32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\SysWOW64\Aojabdlf.exe
        
        C:\Windows\system32\Aojabdlf.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SysWOW64\Ahbekjcf.exe
        
        C:\Windows\system32\Ahbekjcf.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Windows\SysWOW64\Aomnhd32.exe
        
        C:\Windows\system32\Aomnhd32.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\SysWOW64\Adifpk32.exe
        
        C:\Windows\system32\Adifpk32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\Ahebaiac.exe
        
        C:\Windows\system32\Ahebaiac.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\SysWOW64\Adlcfjgh.exe
        
        C:\Windows\system32\Adlcfjgh.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\Aoagccfn.exe
        
        C:\Windows\system32\Aoagccfn.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:672
        
        C:\Windows\SysWOW64\Aqbdkk32.exe
        
        C:\Windows\system32\Aqbdkk32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1336
        
        C:\Windows\SysWOW64\Bnfddp32.exe
        
        C:\Windows\system32\Bnfddp32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2304
        
        C:\Windows\SysWOW64\Bqeqqk32.exe
        
        C:\Windows\system32\Bqeqqk32.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:904
        
        C:\Windows\SysWOW64\Bgoime32.exe
        
        C:\Windows\system32\Bgoime32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:536
        
        C:\Windows\SysWOW64\Bjmeiq32.exe
        
        C:\Windows\system32\Bjmeiq32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:888
        
        C:\Windows\SysWOW64\Bdcifi32.exe
        
        C:\Windows\system32\Bdcifi32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Bgaebe32.exe
        
        C:\Windows\system32\Bgaebe32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\Bjpaop32.exe
        
        C:\Windows\system32\Bjpaop32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2500
        
        C:\Windows\SysWOW64\Bmnnkl32.exe
        
        C:\Windows\system32\Bmnnkl32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Windows\SysWOW64\Bgcbhd32.exe
        
        C:\Windows\system32\Bgcbhd32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2664
        
        C:\Windows\SysWOW64\Bqlfaj32.exe
        
        C:\Windows\system32\Bqlfaj32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Bcjcme32.exe
        
        C:\Windows\system32\Bcjcme32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Bjdkjpkb.exe
        
        C:\Windows\system32\Bjdkjpkb.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\Bkegah32.exe
        
        C:\Windows\system32\Bkegah32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\Cfkloq32.exe
        
        C:\Windows\system32\Cfkloq32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:660
        
        C:\Windows\SysWOW64\Cmedlk32.exe
        
        C:\Windows\system32\Cmedlk32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Cnfqccna.exe
        
        C:\Windows\system32\Cnfqccna.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\Cfmhdpnc.exe
        
        C:\Windows\system32\Cfmhdpnc.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Windows\SysWOW64\Ckjamgmk.exe
        
        C:\Windows\system32\Ckjamgmk.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1944
        
        C:\Windows\SysWOW64\Cnimiblo.exe
        
        C:\Windows\system32\Cnimiblo.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:628
        
        C:\Windows\SysWOW64\Cbdiia32.exe
        
        C:\Windows\system32\Cbdiia32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Ckmnbg32.exe
        
        C:\Windows\system32\Ckmnbg32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2428
        
        C:\Windows\SysWOW64\Cnkjnb32.exe
        
        C:\Windows\system32\Cnkjnb32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:448
        
        C:\Windows\SysWOW64\Cchbgi32.exe
        
        C:\Windows\system32\Cchbgi32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1356
        
        C:\Windows\SysWOW64\Clojhf32.exe
        
        C:\Windows\system32\Clojhf32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1840
        
        C:\Windows\SysWOW64\Cjakccop.exe
        
        C:\Windows\system32\Cjakccop.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Cmpgpond.exe
        
        C:\Windows\system32\Cmpgpond.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:872
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1496
        
        C:\Windows\SysWOW64\Cfhkhd32.exe
        
        C:\Windows\system32\Cfhkhd32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Djdgic32.exe
        
        C:\Windows\system32\Djdgic32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1712
        
        C:\Windows\SysWOW64\Danpemej.exe
        
        C:\Windows\system32\Danpemej.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2200
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 144
        52⤵
        Program crash
        
        PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ahebaiac.exe

Filesize
60KB

MD5
fee3a1b27f0054e86cd3755205e95b4d

SHA1
0d1df913ca3ebbaad7e698926a3a0981a51039e3

SHA256
ca4121b6bde886e0b4be3bb02f8ee19fa0bb1e9bb272869900e3667b57ce2712

SHA512
ac614e3215ee5cd2cc60824e77e37fc30cf1b16ef43a4426021325920e511096598adc4e4484e885c7a60b923e0e3496b94beb2281220b725855b3c8ba77623f

Download Submit
C:\Windows\SysWOW64\Aoagccfn.exe

Filesize
60KB

MD5
f92ddbfbb51f5e9b2d4dbdaccdb0029d

SHA1
45a389f8ef237501a022e013e8610532176a8c23

SHA256
23cc5f00b28a8ac427c131b259f66d658a5ffb1e5773d3e86ad87b1022ff95fd

SHA512
a5df4b578405ee267e460da027444104ff4be45688151eecd5b78e5f2bd1649723ec17927f7e6e1597760d06d2ea32ae28c3f8824b1db74ac43025dda7222ea1

Download Submit
C:\Windows\SysWOW64\Aqbdkk32.exe

Filesize
60KB

MD5
eccc124dfd3279efbe61458cf5150eea

SHA1
b64f95474dbcba4bf7aeafa39ab0b14a25ccf9f3

SHA256
c4a28c970502cc38a17c21cb7f58c3d79ef75fdbb0d84b5dbc063baf5e9b0570

SHA512
2baef2d4053eec8a3b720d4449fca9a2bc69815ca292ea2683e5f7d3a5c0a3714e6762796bbf421f54cfe9c0101959dc88f3045bf5522ae4d938245d0be652b9

Download Submit
C:\Windows\SysWOW64\Bcjcme32.exe

Filesize
60KB

MD5
7365435cd2039ca0911361583b1819da

SHA1
9f43d5b0f13c3787f9ecbdc9e06f8036e77e3432

SHA256
2e69b41150c602abf90b4ab2ea3f04231c63fdbc7cbbab4859431a41d137148d

SHA512
c05007e0e41d8f17dcf9beda1e119dadc7067b2f8772cab93cdd0372394266fdf9c96beb16ec450c1bdaa671a2f6a895e11c7c5f74d31dfd11f1c747d6df6339

Download Submit
C:\Windows\SysWOW64\Bdcifi32.exe

Filesize
60KB

MD5
c2fcc7698cc5d19a1c06bed6c9bea16e

SHA1
043804df096882c906fa67be3b768949b32aedcd

SHA256
d0976d578a6196468787e4abdd33fb52ab5a224c4795ebdc38ba9e4e00c670e6

SHA512
3ed6fed178ce235d3435c93716e24e1d3197fb0656da846c87f286c1804155dcccafed619e16a265b4a0c426dca011e4c93664884ef9e81b284c394625d77900

Download Submit
C:\Windows\SysWOW64\Bgaebe32.exe

Filesize
60KB

MD5
0c48e7f9f6f32cc4b26aaebd67817343

SHA1
4c0a981c6c660b8569b9dd596e377c8560935d9b

SHA256
d03e6c41894ffb78ba957c53e96fa4ca31ba66852a0f246363dcf824eb6563d9

SHA512
3943a19a57a2c463a2d1b518215aa7210a717fa70ccf60f24c931745f946a198ee7fd6195a9594704afbdf22876d597d0a643246e0106848944f524e72f3c691

Download Submit
C:\Windows\SysWOW64\Bgcbhd32.exe

Filesize
60KB

MD5
0e7354bb49f038e1bf39c7cf9e7375c0

SHA1
d4bef78ad8ff8c901b1c18c6043017a19b480675

SHA256
e4d6871cb0eb995bf1aae79cec9c6341bb567dc651b199749f863019f012a12e

SHA512
ab46d312431695ab6f37676b4666c44793ad98f97bf2a7eb9c038577533d38d9d3e12563493044cec328e8d9e57a9cd721bd2747ce73157b5672f665e8a5e2f6

Download Submit
C:\Windows\SysWOW64\Bgoime32.exe

Filesize
60KB

MD5
179ac9f791602b525468285a5ddb1397

SHA1
0038daf0b7546dcd271c20aba6f2bf931a19f468

SHA256
81d7545027bcb24d2ad4da7c2861a75b74dbad793d7e95748ee5519eb0a56ec0

SHA512
017d2056212600fe1dd0dc6fcae5cd9886bc2420229d66bc06192c92210326447264de31f6ae8ef1245644e1bce2eff052fcfe9aae7901af676829842b139f14

Download Submit
C:\Windows\SysWOW64\Bjdkjpkb.exe

Filesize
60KB

MD5
250a939ff4c786168489c7b27975a1da

SHA1
281b4a742ee34a4c70f1c528ac52dd4fc73b8a84

SHA256
15e25465e43d750c2d89857645e86998b08e6c113293340b3bd6c0570f84278b

SHA512
dab9f31a12ee886d428ff4924b2c32843f9dfbe6262250a54bb3617dbfe35c983e1d1de196377ddb9512537ec9bbdfd4f9fc106a999aa02f2e02d48131bae64d

Download Submit
C:\Windows\SysWOW64\Bjmeiq32.exe

Filesize
60KB

MD5
97de67c0a0d2394e755e303265b9341a

SHA1
95f0eba703f48300bf1d33c3f923ac7c71eb044d

SHA256
2445eedf9a7c44aa2ec3f2eed8af755a4a0e8a7ca950edc0bfdaefb1bc24a02d

SHA512
bfe39f2d45519e5d850cc50d3fd4b11594bb7bd009039cc9bb3b602ff54503fbcb9645eb0940f06358545d08f150c103b9f66ba1278dea24569e5edb07c79286

Download Submit
C:\Windows\SysWOW64\Bjpaop32.exe

Filesize
60KB

MD5
f5bc07cf0e2cdeee2adf799775f981e8

SHA1
5a4910c5678f03956c6e75fdb4440c5754fdf211

SHA256
b5acde4336885b87aa005929173c8a5fade982591ad97939828d78606127ccf9

SHA512
21d75601824777b819a811c127230d151fde950a85e28fb818bce04c9f7e11c4e9d01119e980543ad0819bbb9dc847a3c9da1895746edd7cfffae011ce19929e

Download Submit
C:\Windows\SysWOW64\Bkegah32.exe

Filesize
60KB

MD5
b1c1ca9749f47b37adbcfd3f79e9b23e

SHA1
63fc644f953a2d1a3ac1626aa8914cc97134b480

SHA256
da0f87e311bde23bb0129b0d19fac399213a332b45a120e421d5afbb3b5957f4

SHA512
5223eedc5b13c9069c73b3e2cc924dbfff3a3ee2929a8d506b6384af228bc358b5a87dac858dcb51e967ac6658b1410afe3d8608569c54a938aa70f14f4df951

Download Submit
C:\Windows\SysWOW64\Bmnnkl32.exe

Filesize
60KB

MD5
962b0e1cfa70310ba4ff6379ec698d4e

SHA1
5e77aff97773e7b29c3cb43ae0bf8c4a8a69de41

SHA256
429ed7b7321abe92a862ec96eac7885b158ffa7c40800913487b9c4fbba30b0c

SHA512
e756b1769f69fd6be38bbb02646aefef8bc2079197c8ed56c15322e21ec96517d743b3a885e7c5cdb4dd075351a8affe27dde59727a7c45cfd7ca9babcc652a3

Download Submit
C:\Windows\SysWOW64\Bnfddp32.exe

Filesize
60KB

MD5
ee0c597620f0befb2209b256f211640b

SHA1
afbcace58a0d6d198286f5afdadefe9a0e41c444

SHA256
924633a3c227cc74dec734ae973f0f81788bf39c09f91cc420c91a18ecb5a6e4

SHA512
18971decd9955ab81fe04ba657d3f461bc3aea9a58a9f84ce726a5433cfd6249fe61c304d1ad64240fa2fab9f194601d5ded219d572b160035fd4dc911dbbb0d

Download Submit
C:\Windows\SysWOW64\Bqeqqk32.exe

Filesize
60KB

MD5
1daa3c10769c232e88096a72cccd0930

SHA1
4d2341fe91ae90e02fb0fd7d916ffa8440aec3da

SHA256
2478c0e666ea8b55653aa2a66ff04e2d53f988ae9b37d0c67cb3fab7a1efb0b3

SHA512
05dc72a8b54b96329e60f6b0a293a6b3e93506a09e0603fa1d8ca7b600100d7ab871c333c0afb94582562e44283b7b09e52c8812abf259dc5879bfbd7dd04b9e

Download Submit
C:\Windows\SysWOW64\Bqlfaj32.exe

Filesize
60KB

MD5
b639a18b1c07f9a1352070e67cae38fd

SHA1
94075966e06068f48c9ede0a5df809250750bf6a

SHA256
2cf8a23b1467ac1914c3bb28725983597c99d49769287bcde3a99a32910ffa8a

SHA512
fff34ea59fd2f0161c15d77a66d2f4def72e564f78e8fdd0afd4335a1652d1b29a0e136802ad178b2b35be4f7627482692a48a4317e8c0ef6cb40eff92a8dcf3

Download Submit
C:\Windows\SysWOW64\Caifjn32.exe

Filesize
60KB

MD5
818cfad642a015e8673538485d2cae6f

SHA1
2fb17076d3a2132298aa2383a7bc1a4330cc1ae4

SHA256
a60d3b051bfe7dbefee43c35541be19e4fe3e95cc39872a548ef657494207ada

SHA512
c5b2de4265cc5debe3973916ca2309f888d0e1f8669f4d62401c4a1f8986592ce04df96fe54116bb593dae756badabfb929aa6ae1b115a9e2c9165a90e6328a7

Download Submit
C:\Windows\SysWOW64\Calcpm32.exe

Filesize
60KB

MD5
0ab73b58b1ceeeb65ee7fd84de30ea74

SHA1
fa457ccf4344c19f81ae13ca0eae38b2c91fdf2b

SHA256
78b4925b989059c6e923e3c30a44074748d22143a715e722beb20f5834138422

SHA512
e2f5034145404ff74532a1f57c4422065be0b3d24a812f8ac5f77702301f39f18aadae7b3395ed33f8a735ebf253fcab50546d11a7ba71bf2182e3fd9c23a43d

Download Submit
C:\Windows\SysWOW64\Cbdiia32.exe

Filesize
60KB

MD5
357ed35ae39f8a371f9d2774a1adba29

SHA1
8b4b00cad49101f65defcf9b0e607c3135057a44

SHA256
496b44933e9181f47fbd672ac0864e1e9958099ef521c935f47c8a8b131f30b0

SHA512
22d04c05ff38e5a2c323de3726eddfe3972b4d688e0dac7957e3c5f8ef482f4a3b71c4d7377536a8326e2d65a7afef3c1f98c9a81ab9cb13fef77f7da16daddd

Download Submit
C:\Windows\SysWOW64\Cchbgi32.exe

Filesize
60KB

MD5
8831b2681c956d4c235ea43d1128309a

SHA1
89155295ce6b38071898047d234bd084ec5d6889

SHA256
7fe4d0e5e2aef75553bc363250be527ebf4792ed78988c22561da3ec25f0c94f

SHA512
9da9705ba037ca4eb20219b1f772546866036cfe92e81fb9881a0d08a140ba99223db4beb7ce615cec2a8aade47f1a1f0067d11cd37e1e2e3bce289d979b57a9

Download Submit
C:\Windows\SysWOW64\Ccjoli32.exe

Filesize
60KB

MD5
b6bb5d15fe32aad3033bc8f403ec0994

SHA1
6af8491d3e10ea5cebb9a1bff1127c740dbcc47f

SHA256
cb89e2d4baea1e31e32bcc7fcdbc05f4c5156d8ee3a648f4bcaa9d840d7d0a56

SHA512
4242406201a30b4cfc0297b64f528a91d2c9681231d4a148e0df61c7e3ae0e9bb5038606e3cf5b62b830a848398666e7525b08563e9721ddb90f1474c5d14f50

Download Submit
C:\Windows\SysWOW64\Cfhkhd32.exe

Filesize
60KB

MD5
ef458f6aa5265b06180599421fa8374e

SHA1
cf87bd9cc7010d4642f89aa2de1b7b4d4698945c

SHA256
89e4ca8b06c667baa4edf9acd73f402b861407e86fe027b093403dab354776f0

SHA512
437c2ae6ca66fca6f26d5c3de5a84ebd8dfc29f8ff45104d7489977e223dfe1e9af57228ac807f63c79fcf434abfbb622af9e7044480e9bfaa9a355ce0d8e770

Download Submit
C:\Windows\SysWOW64\Cfkloq32.exe

Filesize
60KB

MD5
198377f901ddd4f33448fa3dee6912a8

SHA1
07500a531d661c331dc1ca6ecb0e98f1485ad941

SHA256
e47370d0f003fd3b7ed8dc0fd4590e76beaf569f0c3f053ac4fd6c78a8a152c3

SHA512
2d410ec5ac983f4e706b2287ffa1cb1b05f6b53fcb20834202ad3dced185998181f91b12a8b044297642c189744eedbecb1421b29383b2bcb4e54bd2946494c7

Download Submit
C:\Windows\SysWOW64\Cfmhdpnc.exe

Filesize
60KB

MD5
146a39dac2d2b778f5bfa0bc3fbc7315

SHA1
e6fa650b91c94ac2b05ad769cdbf78b63332c859

SHA256
358f525af7238a516664ba77ab45cc70befac0a07a1a44caef44d5068b13fe74

SHA512
687b24b3f6aefba6502d7e0fe0c7981514e90eba4dc3336289aa12533ccd8e380f1b38c3e7a4f4b76122805447ac94e6def2f7dc83d8998ef23f29f10db895da

Download Submit
C:\Windows\SysWOW64\Cjakccop.exe

Filesize
60KB

MD5
a183d6800ee06ce93de6a12772c2b9a7

SHA1
0a29e2e0f8513ec08c61ac93818e7c1762012086

SHA256
78d1cf9199cecf2762feb23afb76fe2542e1236eb85b48a0c177d65bb86680dc

SHA512
5b6963e0eef921a4b9d2b47bd9a92105cd908ab65433fd26892c6035da4e484b39a0497d642b9191e4836970ea59c9228e94fdc00bb23dbac4a587ddee23ae84

Download Submit
C:\Windows\SysWOW64\Ckjamgmk.exe

Filesize
60KB

MD5
1703bb35af3879862c6afcc35561a327

SHA1
1a59d1d1c0bca8355beb6d4bc84eedc9794a178a

SHA256
78edd263bad5d5d65a047230d05484205849cc0a81a931ead0c24613689b6e60

SHA512
ef8391e44149235765be2ebb084ca0719a8b7795b5f563724ffe5c32af96bf5548c4c01ae8af8805c809ac79df7545b05cdb87256c604874ea43eb9f470dcc26

Download Submit
C:\Windows\SysWOW64\Ckmnbg32.exe

Filesize
60KB

MD5
de3b2e569ed6e432b46c2cbbda2c31b3

SHA1
8b26777ca2c7547288dd5db4523dddc00a59a5b5

SHA256
31b6d0c7896316574af089e79d21a45aa3767cac142fce06e1a304d3cc7225a6

SHA512
63732faa48e655519e88586f2aea3fb31fcb9e40501742323ef977328dad3ef2427778fe74787c2cac16c5a9679eae7a354e97b8d29b69ac577bc168e5a4d873

Download Submit
C:\Windows\SysWOW64\Clojhf32.exe

Filesize
60KB

MD5
77c0ac0432c8d13cea635580be1fec6d

SHA1
5a2ef31048e052711cfc2234ed4fca5c49806715

SHA256
9d8b50ca65a6fa7cb104320fefd698ec9ddd5c567071c8f8740e6d94b567b747

SHA512
140d687f88cb8dd18d7e09534a68c82409f368eeaacfca66e5d6d682bae9f643528e27c805722a265f10fb47ed04e7a0fa94f2e74e15a1f94fa150c44045cf7b

Download Submit
C:\Windows\SysWOW64\Cmedlk32.exe

Filesize
60KB

MD5
205d98d7223cdcc4d2bcae12f11b2792

SHA1
2f56bf526fd55c38d3fce762997021e7b6e576cc

SHA256
2f08dee4857a47cadb47ff8d53f0124d0aa0b644bffadc994eed924b3d423164

SHA512
30d185142fd48dd91fe6c93ccad0c54f31d2b04e1db97dab9d58351db131113019a9886e38cc51569185fdc91318b48b50a75302557fd63c00eb30e5b2f7cdcb

Download Submit
C:\Windows\SysWOW64\Cmpgpond.exe

Filesize
60KB

MD5
1fff8df972541e8f1c0f101cb795b986

SHA1
ca78b7f312f546c710ae08e7f7af4fe96c88a400

SHA256
80ed0c74f6cfc78c8635c58da862a6c97fb0448bc08ca9d25b5b883ab2489332

SHA512
42fb38c5f863c32143079dd711b47890f322c2e6552f7c590cf88aa60c12a2b13cc030bd922474d7c6d13704b324e04e04966cb1419a5bd5182a4324a17366e0

Download Submit
C:\Windows\SysWOW64\Cnfqccna.exe

Filesize
60KB

MD5
cabc3baa85db4d92f03ff05a47953b24

SHA1
be1835ebc5d045b333a3d1dc31c5b74028c258ce

SHA256
ed6b6a8f6e45f5013cc0f478de413eca9db952dbf71da36d5795a123f767b668

SHA512
69f5790b5be81120c6e73214ea0380cb773afa108a32491da96e0f270079d53214cd4853c798aebf322f4f2c4fb8984a8571feef575098dd9e1b1ed1179e5c1f

Download Submit
C:\Windows\SysWOW64\Cnimiblo.exe

Filesize
60KB

MD5
a42540c66b5b7487b0fdcc62f8007f55

SHA1
7c6c3f63a9bd97d31899b5edce20f3a407154613

SHA256
4cd66341e88a347c561afeb82573c126dc02e65253cf641c574905ff621175eb

SHA512
d61845f87b0b7023bdc701ae66e4001fc885accb0aa25c8d17246828c51ebd5689b5aa530f2eb816f2016a0759c2bf28a40f1f990e09bfc9132e49c26c69e619

Download Submit
C:\Windows\SysWOW64\Cnkjnb32.exe

Filesize
60KB

MD5
6bd5aaad43f0cae5f8c829c837f1a62b

SHA1
6784c2596e967b8f5c009d81312c42995887cb27

SHA256
9112af178cf7b094bd5ac6f1b90be48400b6d12decc6a80e902d1e09aa2c4df4

SHA512
9f16435c98c693737cc07f9619de4b5cdeaebe23b15791d7838d994acefb4201bbb8771db14134748bbd7b0c64f8119bd8a951bd5cd84677e90152e806b1bf7a

Download Submit
C:\Windows\SysWOW64\Danpemej.exe

Filesize
60KB

MD5
c9df411a8802f24e6daef4588b4ffe99

SHA1
b60400b5c2667269576ed2ce44a42727fe9f9637

SHA256
0ebbf5c916794e7340f260269fa65db19d9e98fdc05baeb8b9bb583e38ae301c

SHA512
3c40858116609f053a91e8732fad281696d449133a83c33597a17eef92493ff386e42d72a2555d98f8f5f4dacfb21f0e7aa3a1622fc1e3daf9daa1e418e5c096

Download Submit
C:\Windows\SysWOW64\Djdgic32.exe

Filesize
60KB

MD5
8ef98111c035d4de03c74fd325f5c044

SHA1
2c6d3944aaabccfa98aedff9f017b68f647e37a1

SHA256
0d5f014c483279f6eb0c119928c47d47ffa5a072cfe30b51a6c961f81a6d9025

SHA512
4bff914ca8d42568cbaa7e9e2127402f9547456dbc47081db2323b10a3d0c7e4770ae5c0c68275ca281f447db886b57e4546e2caaa6b1d8486e98e91e0c0754a

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
60KB

MD5
bf511c2dac96022124acd89144c13674

SHA1
90d5cad810c5ffc4a0e08aab1b070890cd15f013

SHA256
e0b2ee032c0143882292e20825a6234800092fe00dc64602225aa2af5165325a

SHA512
c8d442a929ebf81df3a14bbfa611a645a205351d0540969b7740d69ec09b0dc85cb7395c856888882c56eb7552ad07dc665b51f7333f2565e7f8550391817d82

Download Submit
C:\Windows\SysWOW64\Pdjjag32.exe

Filesize
60KB

MD5
76e04a051005c3616444e0d39bb8a7ec

SHA1
6fa60f2e9e11cad8261a632815116123197adcc8

SHA256
a5de718bb593465f776f6a36e15fe3846c7d9ecde9ebbb972ca0c73ce0e2c954

SHA512
47dbd428d06fd6a5564c44028de446a2a5dcc1c15c7c63ae24ea65aea6167af38481fef92b14f784c0c972e30923dc0c207229c8c98123fd3ffc54029d5ed68b

Download Submit
C:\Windows\SysWOW64\Qeppdo32.exe

Filesize
60KB

MD5
7635083ba3eccfb483918b206258c5cd

SHA1
1d5352dd2f08e2a12c1f6ed3ae7bb1b8d23bcb01

SHA256
9cf2b640918c347ce6fdf8a9028c8e214dd7f639a90744993a583e4e0b9c6ac7

SHA512
3946b8a839e8d5f49db54ca56ee293d6d8d99d7f8f528a4b1a22938f95dc7954592686e452b13cda5a346aae3b19bd94249ee4a0cb25a2932961bd340b7981ca

Download Submit
C:\Windows\SysWOW64\Qiioon32.exe

Filesize
60KB

MD5
591746336580050d814c81737e5ef3fe

SHA1
f8df0f18e4bd6e0369de7d5d36779dd8d2606cde

SHA256
b1d5daaf85cf9275d6f6dba48d83db8c07a2c8d2c23da9e9268f7486ae7ceb1c

SHA512
fa5e783223d997149f24c37031db61f44c4cb455d27419f64b85373f8625befc126da69b8dfd86b0604f59316a188f1c1749df8c4efc419e82686cef6f94241a

Download Submit
\Windows\SysWOW64\Accqnc32.exe

Filesize
60KB

MD5
cb81eb4055a38c6558998a3ea495e650

SHA1
b5e88d1cc2d4e63bdffcff023144fb1bac788e86

SHA256
1b4d8397ca3d1613a2b5349fe129b159d2ecb9eb7c5bf8d5b30394b1b068e12a

SHA512
554eaeb7c97aa60c4d752c733261def50e3751f5a781314338bb65d521654d951447743894f8c6c41208527ca64491ae0309f31b25ebcfa26918f8bb64a2065b

Download Submit
\Windows\SysWOW64\Adifpk32.exe

Filesize
60KB

MD5
fd916f7493236d5ee305486688affae6

SHA1
9682698785965911c78fca4f1aa7e595e90a9591

SHA256
aa411da404aaabcba2b866545a707e9a8f8dfc4daefcdd97a740cd7c93758e2d

SHA512
10e4c48378067370c9279adabd78618a5e83321c98f10fb069f8af85e509842394873633062b102f473eba0856dc8dec7ae41e5e71b4d29fd1b9cc01864542dd

Download Submit
\Windows\SysWOW64\Adlcfjgh.exe

Filesize
60KB

MD5
b814669218cc40485f3dc59a510898e9

SHA1
27c980a3eb830967ed26afe18119ac2466f1b86f

SHA256
f9d51b9e93bc60678e8ba012d2d76c15a4721f4262c7793fc7f96ff9c266d6b8

SHA512
d7bd1dd06696a52b8e6f7484d44c63c19279b11522f805a92cd678d0e0da337780af0e672b4bab0963bcce77bd9bc6d40a925aa58d6cefaf7f466ba6a26985ae

Download Submit
\Windows\SysWOW64\Ahbekjcf.exe

Filesize
60KB

MD5
2254bd5ff0b93a2f865a77a91d6edd88

SHA1
8dcfea0352610dda86db0ff06a88029dea104a9d

SHA256
955d08ad336c076ed7e579ec1048fbbcdd0a6f23f5c01c57f934f717f6047f03

SHA512
2eca68b670b07034e7ff02bf33e383acf4df65e030b01669073a473f63c797641e9d25838ce447333fd43f4075565b04b2265660eb640ae52164566cb0b29224

Download Submit
\Windows\SysWOW64\Ahpifj32.exe

Filesize
60KB

MD5
3bc74922f2c33f36806156929391468f

SHA1
d970070ee9b2672844302630caa1f38a397b3c15

SHA256
900a2094e7c37d2e2add33813bac0b729f4fde227ca732f2a835fe2de96f3c68

SHA512
56bd9e3701fe5f8db4efb0e231c165b808b50d50a40853228645c89f060da011157f572de9f56fee586e18b5ba289f21c7730b8b462a25d405f5e4d18a5fd85e

Download Submit
\Windows\SysWOW64\Aojabdlf.exe

Filesize
60KB

MD5
08724f207c2567d9f07cd1125c037ac8

SHA1
95e1de5f5e650faa40a3ad1fbf2c04d50f827095

SHA256
4de553c128753b0e4d0a552e549e1e7a9f8b9a2819147f8c07479de23bd9f535

SHA512
9e5785e9c9212f2e41b8a83daddf3c53626883606bcf9cd5c3720a0f476d3c85853022a4b797b520844b46e0d12d0982ae66a72a9c4782e11721a63812b86a47

Download Submit
\Windows\SysWOW64\Aomnhd32.exe

Filesize
60KB

MD5
666b774cd580d01b0e86c9efa6df7004

SHA1
e08a7b0853e30dde398c0451f007a3a5db8f6203

SHA256
086f959b47d93d87eaaf220c06b211ea09189068ff3d826e7061428f342b4495

SHA512
b084ad4d1c98f115efc0d298909dcec8bb1213914b627c0d28cb796b45594f7d43c4206e3a557e550b2ab4412d28c7ac4a2e6eb4c097a017e4c91824ccf9bd87

Download Submit
\Windows\SysWOW64\Apedah32.exe

Filesize
60KB

MD5
1e9a1a74c47d9d9bef80e17b0a5ba1ff

SHA1
dea449b6e962279c10104d33a9ac32c542fd5a0f

SHA256
32f05f60ee1c76f4a44a617308fd221ca1a6c9cf1f4b387579356c2d59d7a0ad

SHA512
9dbb9315655b21c359ac6ae092046fcd021d83c3f7a33996eb018372152091a7579785e01e32cbbabc6eb63974bed8def24d22b3a8844e5a2dbe4fce4594e738

Download Submit
\Windows\SysWOW64\Pkcbnanl.exe

Filesize
60KB

MD5
8758a0ecc87235a6524f1f20c1d42316

SHA1
77154dcb260efdb4709ba2628580ec59afed6ac3

SHA256
ae8b2bdb2506f5b7602ddb14141dff351c2ceac937702ca63527ad8cd5ad77b5

SHA512
fd20989195768e890698d6c65186b5802f92157075557d4c982a90fea06cd811926198db9ebee5a69c8845f98177052e1d4f4a090f5e441a0e4ebe29f2a9aeca

Download Submit
\Windows\SysWOW64\Qcogbdkg.exe

Filesize
60KB

MD5
a65f72e9bd96d4ceb90f3fc84a978afc

SHA1
5d2336c026b9873bf19cefb21e14d33b0a91e46d

SHA256
dd1e280fdaa0781f1235cc936aa99f615e59d407cec16fb72b7bdf69bb1ee02f

SHA512
6d13c7d14f29333b35cc463e9edeb2c63fa71f170fdbb15783534441e3ba7781bfef6961316d5ac4b78be23eb749e91bb84a56cc5fd88e742789408cefc9ed4e

Download Submit
\Windows\SysWOW64\Qdncmgbj.exe

Filesize
60KB

MD5
49209f4f76e364fe2a749cd24709548c

SHA1
c5ad3958bc35c47938fa70836bd6f455796aa29b

SHA256
6d4457a36e6e3566b58f5c2167c698e13c8323e6d9132fc8ee49fa61b52d5112

SHA512
fe02606d9d0692de19a1908e042e2918d41204926499c8437e0d6a349129ae03a5889a9a11b9648f7f0499f28dc94465539a436a1b044932c9c10bbef218c25d

Download Submit
memory/536-313-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/536-281-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/536-275-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/536-314-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/628-451-0x00000000002F0000-0x0000000000326000-memory.dmp

Filesize
216KB

Download
memory/628-444-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/660-390-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/660-433-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/660-427-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/672-274-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/672-241-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/672-234-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/888-326-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/904-304-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1292-42-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1336-250-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1428-230-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1428-173-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1428-233-0x0000000001F30000-0x0000000001F66000-memory.dmp

Filesize
216KB

Download
memory/1428-231-0x0000000001F30000-0x0000000001F66000-memory.dmp

Filesize
216KB

Download
memory/1428-185-0x0000000001F30000-0x0000000001F66000-memory.dmp

Filesize
216KB

Download
memory/1628-300-0x0000000000300000-0x0000000000336000-memory.dmp

Filesize
216KB

Download
memory/1628-333-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1628-294-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1644-455-0x0000000000290000-0x00000000002C6000-memory.dmp

Filesize
216KB

Download
memory/1644-411-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1660-186-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1660-187-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1660-139-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1660-138-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1660-126-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1680-196-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1680-151-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1680-143-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1760-209-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1760-158-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1760-213-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/1884-214-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1884-210-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1884-202-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1932-422-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1932-429-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1944-445-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1944-443-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2032-260-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2084-13-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2084-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2084-54-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2084-12-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2172-40-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/2172-81-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2172-28-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2304-262-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/2304-255-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2304-293-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/2364-407-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2364-439-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2364-401-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2376-82-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2500-357-0x00000000002E0000-0x0000000000316000-memory.dmp

Filesize
216KB

Download
memory/2500-320-0x00000000002E0000-0x0000000000316000-memory.dmp

Filesize
216KB

Download
memory/2500-315-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2500-325-0x00000000002E0000-0x0000000000316000-memory.dmp

Filesize
216KB

Download
memory/2548-420-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2548-386-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2548-421-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2548-380-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2552-157-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2552-98-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2556-142-0x00000000005D0000-0x0000000000606000-memory.dmp

Filesize
216KB

Download
memory/2556-84-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2556-141-0x00000000005D0000-0x0000000000606000-memory.dmp

Filesize
216KB

Download
memory/2556-92-0x00000000005D0000-0x0000000000606000-memory.dmp

Filesize
216KB

Download
memory/2664-344-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2664-338-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2664-379-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2672-375-0x00000000002F0000-0x0000000000326000-memory.dmp

Filesize
216KB

Download
memory/2672-369-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2688-348-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2728-240-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/2808-110-0x0000000000260000-0x0000000000296000-memory.dmp

Filesize
216KB

Download
memory/2808-56-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2808-63-0x0000000000260000-0x0000000000296000-memory.dmp

Filesize
216KB

Download
memory/2900-358-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2900-364-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/2900-368-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/2900-400-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/2900-399-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/2992-120-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2992-112-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2992-171-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2992-170-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3008-26-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/3008-19-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3064-327-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3064-334-0x0000000000280000-0x00000000002B6000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads