berbew | 3f3bc7de7cd18d91b7839e24e0acc941e8f87dd392357564f898bfa6ed67b754

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16/01/2025, 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f3bc7de7cd18d91b7839e24e0acc941e8f87dd392357564f898bfa6ed67b754N.exe
Size

96KB
MD5

1341e299c19fec6fbca9f798ea436250
SHA1

9a4e12076c504d7e1b1dae188a80bd5a552fb052
SHA256

3f3bc7de7cd18d91b7839e24e0acc941e8f87dd392357564f898bfa6ed67b754
SHA512

14a417e5c4cef6725abe682e8afc6a7f8e00c6924affa4af4b38aa2650d0c5fe3d28a9e41a1b403974fbb9f5d610a9b1431637339a8b792b4398c654fe6d7af7
SSDEEP

1536:+6KN54eWrFsN3nawDiEWXDtBxdLYfBreyE5JulyOiF2LT7RZObZUUWaegPYAy:+6e4PG3ntiEWXJF0U/2TClUUWaev

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahpifj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnfddp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cepipm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clojhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajpepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anbkipok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	3f3bc7de7cd18d91b7839e24e0acc941e8f87dd392357564f898bfa6ed67b754N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adifpk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjobffl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdcifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceebklai.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahebaiac.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anbkipok.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkhhhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akabgebj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Achjibcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffbdadk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abpcooea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqeqqk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abpcooea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnfddp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bieopm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceebklai.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahbekjcf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abmgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aoagccfn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqeqqk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahbekjcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adifpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqbdkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akcomepg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkjdndjo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgaebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgaebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahpifj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aojabdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajpepm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbgfkje.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccmpce32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3f3bc7de7cd18d91b7839e24e0acc941e8f87dd392357564f898bfa6ed67b754N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aojabdlf.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 49 IoCs

pid	Process
2952	Ahpifj32.exe
380	Aojabdlf.exe
1700	Ajpepm32.exe
2788	Ahbekjcf.exe
2768	Akabgebj.exe
2728	Achjibcl.exe
2540	Adifpk32.exe
3056	Ahebaiac.exe
1088	Akcomepg.exe
1028	Anbkipok.exe
1264	Abmgjo32.exe
2376	Adlcfjgh.exe
2024	Agjobffl.exe
1816	Aoagccfn.exe
1984	Abpcooea.exe
2144	Aqbdkk32.exe
664	Bgllgedi.exe
1376	Bkhhhd32.exe
2416	Bnfddp32.exe
820	Bqeqqk32.exe
2276	Bdqlajbb.exe
864	Bkjdndjo.exe
2260	Bmlael32.exe
2228	Bdcifi32.exe
2212	Bgaebe32.exe
3024	Bfdenafn.exe
2756	Bchfhfeh.exe
2676	Bffbdadk.exe
2572	Bieopm32.exe
2772	Boogmgkl.exe
2328	Bbmcibjp.exe
1108	Bjdkjpkb.exe
580	Bmbgfkje.exe
2060	Bkegah32.exe
2052	Ccmpce32.exe
1760	Ciihklpj.exe
980	Cocphf32.exe
272	Cnfqccna.exe
1360	Cepipm32.exe
1660	Cgoelh32.exe
2436	Cpfmmf32.exe
1188	Ckmnbg32.exe
2248	Cbffoabe.exe
928	Ceebklai.exe
2236	Clojhf32.exe
2188	Cjakccop.exe
1696	Cegoqlof.exe
3068	Cfhkhd32.exe
3020	Dpapaj32.exe

Loads dropped DLL 64 IoCs

pid	Process
2832	3f3bc7de7cd18d91b7839e24e0acc941e8f87dd392357564f898bfa6ed67b754N.exe
2832	3f3bc7de7cd18d91b7839e24e0acc941e8f87dd392357564f898bfa6ed67b754N.exe
2952	Ahpifj32.exe
2952	Ahpifj32.exe
380	Aojabdlf.exe
380	Aojabdlf.exe
1700	Ajpepm32.exe
1700	Ajpepm32.exe
2788	Ahbekjcf.exe
2788	Ahbekjcf.exe
2768	Akabgebj.exe
2768	Akabgebj.exe
2728	Achjibcl.exe
2728	Achjibcl.exe
2540	Adifpk32.exe
2540	Adifpk32.exe
3056	Ahebaiac.exe
3056	Ahebaiac.exe
1088	Akcomepg.exe
1088	Akcomepg.exe
1028	Anbkipok.exe
1028	Anbkipok.exe
1264	Abmgjo32.exe
1264	Abmgjo32.exe
2376	Adlcfjgh.exe
2376	Adlcfjgh.exe
2024	Agjobffl.exe
2024	Agjobffl.exe
1816	Aoagccfn.exe
1816	Aoagccfn.exe
1984	Abpcooea.exe
1984	Abpcooea.exe
2144	Aqbdkk32.exe
2144	Aqbdkk32.exe
664	Bgllgedi.exe
664	Bgllgedi.exe
1376	Bkhhhd32.exe
1376	Bkhhhd32.exe
2416	Bnfddp32.exe
2416	Bnfddp32.exe
820	Bqeqqk32.exe
820	Bqeqqk32.exe
2276	Bdqlajbb.exe
2276	Bdqlajbb.exe
864	Bkjdndjo.exe
864	Bkjdndjo.exe
2260	Bmlael32.exe
2260	Bmlael32.exe
2228	Bdcifi32.exe
2228	Bdcifi32.exe
2212	Bgaebe32.exe
2212	Bgaebe32.exe
3024	Bfdenafn.exe
3024	Bfdenafn.exe
2756	Bchfhfeh.exe
2756	Bchfhfeh.exe
2676	Bffbdadk.exe
2676	Bffbdadk.exe
2572	Bieopm32.exe
2572	Bieopm32.exe
2772	Boogmgkl.exe
2772	Boogmgkl.exe
2328	Bbmcibjp.exe
2328	Bbmcibjp.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Efeckm32.dll	Ceebklai.exe
File opened for modification	C:\Windows\SysWOW64\Agjobffl.exe	Adlcfjgh.exe
File created	C:\Windows\SysWOW64\Aqbdkk32.exe	Abpcooea.exe
File created	C:\Windows\SysWOW64\Bchfhfeh.exe	Bfdenafn.exe
File opened for modification	C:\Windows\SysWOW64\Bkhhhd32.exe	Bgllgedi.exe
File created	C:\Windows\SysWOW64\Cocphf32.exe	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Ahbekjcf.exe	Ajpepm32.exe
File created	C:\Windows\SysWOW64\Adpqglen.dll	Ahbekjcf.exe
File created	C:\Windows\SysWOW64\Ahebaiac.exe	Adifpk32.exe
File opened for modification	C:\Windows\SysWOW64\Bffbdadk.exe	Bchfhfeh.exe
File opened for modification	C:\Windows\SysWOW64\Ahebaiac.exe	Adifpk32.exe
File created	C:\Windows\SysWOW64\Bkjdndjo.exe	Bdqlajbb.exe
File opened for modification	C:\Windows\SysWOW64\Bgaebe32.exe	Bdcifi32.exe
File created	C:\Windows\SysWOW64\Akcomepg.exe	Ahebaiac.exe
File created	C:\Windows\SysWOW64\Anbkipok.exe	Akcomepg.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\Bdqlajbb.exe	Bqeqqk32.exe
File created	C:\Windows\SysWOW64\Oaoplfhc.dll	Bmlael32.exe
File opened for modification	C:\Windows\SysWOW64\Clojhf32.exe	Ceebklai.exe
File opened for modification	C:\Windows\SysWOW64\Ajpepm32.exe	Aojabdlf.exe
File created	C:\Windows\SysWOW64\Adlcfjgh.exe	Abmgjo32.exe
File created	C:\Windows\SysWOW64\Agjobffl.exe	Adlcfjgh.exe
File opened for modification	C:\Windows\SysWOW64\Bchfhfeh.exe	Bfdenafn.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Cfhkhd32.exe
File opened for modification	C:\Windows\SysWOW64\Akabgebj.exe	Ahbekjcf.exe
File created	C:\Windows\SysWOW64\Abmgjo32.exe	Anbkipok.exe
File created	C:\Windows\SysWOW64\Bqeqqk32.exe	Bnfddp32.exe
File created	C:\Windows\SysWOW64\Gmkame32.dll	Bfdenafn.exe
File created	C:\Windows\SysWOW64\Bmbgfkje.exe	Bjdkjpkb.exe
File opened for modification	C:\Windows\SysWOW64\Cocphf32.exe	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Fnpeed32.dll	Cocphf32.exe
File created	C:\Windows\SysWOW64\Achjibcl.exe	Akabgebj.exe
File opened for modification	C:\Windows\SysWOW64\Achjibcl.exe	Akabgebj.exe
File created	C:\Windows\SysWOW64\Oabhggjd.dll	Bdcifi32.exe
File created	C:\Windows\SysWOW64\Lbmnig32.dll	Bbmcibjp.exe
File created	C:\Windows\SysWOW64\Fkdqjn32.dll	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Dqaegjop.dll	Agjobffl.exe
File created	C:\Windows\SysWOW64\Bffbdadk.exe	Bchfhfeh.exe
File created	C:\Windows\SysWOW64\Ibcihh32.dll	Bieopm32.exe
File opened for modification	C:\Windows\SysWOW64\Ccmpce32.exe	Bkegah32.exe
File opened for modification	C:\Windows\SysWOW64\Ceebklai.exe	Cbffoabe.exe
File created	C:\Windows\SysWOW64\Hdaehcom.dll	Aojabdlf.exe
File created	C:\Windows\SysWOW64\Jjmeignj.dll	Aqbdkk32.exe
File created	C:\Windows\SysWOW64\Kmapmi32.dll	Bkhhhd32.exe
File opened for modification	C:\Windows\SysWOW64\Abmgjo32.exe	Anbkipok.exe
File created	C:\Windows\SysWOW64\Bdqlajbb.exe	Bqeqqk32.exe
File created	C:\Windows\SysWOW64\Bfdenafn.exe	Bgaebe32.exe
File created	C:\Windows\SysWOW64\Ccmpce32.exe	Bkegah32.exe
File created	C:\Windows\SysWOW64\Jhogdg32.dll	Cpfmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Cbffoabe.exe	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Kgloog32.dll	Cbffoabe.exe
File opened for modification	C:\Windows\SysWOW64\Aojabdlf.exe	Ahpifj32.exe
File created	C:\Windows\SysWOW64\Maanne32.dll	Ajpepm32.exe
File opened for modification	C:\Windows\SysWOW64\Bmbgfkje.exe	Bjdkjpkb.exe
File opened for modification	C:\Windows\SysWOW64\Bmlael32.exe	Bkjdndjo.exe
File created	C:\Windows\SysWOW64\Alecllfh.dll	Bchfhfeh.exe
File created	C:\Windows\SysWOW64\Ceebklai.exe	Cbffoabe.exe
File created	C:\Windows\SysWOW64\Nloone32.dll	Cjakccop.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Cfhkhd32.exe
File opened for modification	C:\Windows\SysWOW64\Adlcfjgh.exe	Abmgjo32.exe
File opened for modification	C:\Windows\SysWOW64\Aoagccfn.exe	Agjobffl.exe
File created	C:\Windows\SysWOW64\Lkknbejg.dll	Bdqlajbb.exe
File created	C:\Windows\SysWOW64\Ckmnbg32.exe	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Cegoqlof.exe	Cjakccop.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2816	3020	WerFault.exe	79

System Location Discovery: System Language Discovery 1 TTPs 50 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajpepm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anbkipok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abpcooea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepipm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clojhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adifpk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmlael32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkegah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adlcfjgh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkhhhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqeqqk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdcifi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjakccop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3f3bc7de7cd18d91b7839e24e0acc941e8f87dd392357564f898bfa6ed67b754N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahebaiac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akcomepg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjobffl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgllgedi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bieopm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbmcibjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbgfkje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aojabdlf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdqlajbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abmgjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgaebe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffbdadk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boogmgkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciihklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhkhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahbekjcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akabgebj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Achjibcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdenafn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchfhfeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdkjpkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmpce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahpifj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoagccfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqbdkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnfddp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkjdndjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocphf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnfqccna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbffoabe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceebklai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegoqlof.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqaegjop.dll"	Agjobffl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqbdkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiqhbk32.dll"	Abmgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnfddp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkknbejg.dll"	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alecllfh.dll"	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfakaoam.dll"	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocphim.dll"	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anbkipok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bqeqqk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkjdndjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdcifi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahpifj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaoplfhc.dll"	Bmlael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khoqme32.dll"	Ahpifj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adpqglen.dll"	Ahbekjcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Akabgebj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahebaiac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqbdkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmapmi32.dll"	Bkhhhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbamjbm.dll"	Bgaebe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdhe32.dll"	Bmbgfkje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clojhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgllgedi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpajfg32.dll"	Clojhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdaehcom.dll"	Aojabdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adifpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgllgedi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmlael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jidmcq32.dll"	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cepipm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	3f3bc7de7cd18d91b7839e24e0acc941e8f87dd392357564f898bfa6ed67b754N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	3f3bc7de7cd18d91b7839e24e0acc941e8f87dd392357564f898bfa6ed67b754N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bngpjpqe.dll"	Bkjdndjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkjdndjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjdkjpkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgqdaoh.dll"	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maanne32.dll"	Ajpepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abmgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhogdg32.dll"	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adlcfjgh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	3f3bc7de7cd18d91b7839e24e0acc941e8f87dd392357564f898bfa6ed67b754N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahbekjcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfhmmndi.dll"	Akabgebj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oabhggjd.dll"	Bdcifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aojabdlf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2832 wrote to memory of 2952	2832	3f3bc7de7cd18d91b7839e24e0acc941e8f87dd392357564f898bfa6ed67b754N.exe	31
PID 2832 wrote to memory of 2952	2832	3f3bc7de7cd18d91b7839e24e0acc941e8f87dd392357564f898bfa6ed67b754N.exe	31
PID 2832 wrote to memory of 2952	2832	3f3bc7de7cd18d91b7839e24e0acc941e8f87dd392357564f898bfa6ed67b754N.exe	31
PID 2832 wrote to memory of 2952	2832	3f3bc7de7cd18d91b7839e24e0acc941e8f87dd392357564f898bfa6ed67b754N.exe	31
PID 2952 wrote to memory of 380	2952	Ahpifj32.exe	32
PID 2952 wrote to memory of 380	2952	Ahpifj32.exe	32
PID 2952 wrote to memory of 380	2952	Ahpifj32.exe	32
PID 2952 wrote to memory of 380	2952	Ahpifj32.exe	32
PID 380 wrote to memory of 1700	380	Aojabdlf.exe	33
PID 380 wrote to memory of 1700	380	Aojabdlf.exe	33
PID 380 wrote to memory of 1700	380	Aojabdlf.exe	33
PID 380 wrote to memory of 1700	380	Aojabdlf.exe	33
PID 1700 wrote to memory of 2788	1700	Ajpepm32.exe	34
PID 1700 wrote to memory of 2788	1700	Ajpepm32.exe	34
PID 1700 wrote to memory of 2788	1700	Ajpepm32.exe	34
PID 1700 wrote to memory of 2788	1700	Ajpepm32.exe	34
PID 2788 wrote to memory of 2768	2788	Ahbekjcf.exe	35
PID 2788 wrote to memory of 2768	2788	Ahbekjcf.exe	35
PID 2788 wrote to memory of 2768	2788	Ahbekjcf.exe	35
PID 2788 wrote to memory of 2768	2788	Ahbekjcf.exe	35
PID 2768 wrote to memory of 2728	2768	Akabgebj.exe	36
PID 2768 wrote to memory of 2728	2768	Akabgebj.exe	36
PID 2768 wrote to memory of 2728	2768	Akabgebj.exe	36
PID 2768 wrote to memory of 2728	2768	Akabgebj.exe	36
PID 2728 wrote to memory of 2540	2728	Achjibcl.exe	37
PID 2728 wrote to memory of 2540	2728	Achjibcl.exe	37
PID 2728 wrote to memory of 2540	2728	Achjibcl.exe	37
PID 2728 wrote to memory of 2540	2728	Achjibcl.exe	37
PID 2540 wrote to memory of 3056	2540	Adifpk32.exe	38
PID 2540 wrote to memory of 3056	2540	Adifpk32.exe	38
PID 2540 wrote to memory of 3056	2540	Adifpk32.exe	38
PID 2540 wrote to memory of 3056	2540	Adifpk32.exe	38
PID 3056 wrote to memory of 1088	3056	Ahebaiac.exe	39
PID 3056 wrote to memory of 1088	3056	Ahebaiac.exe	39
PID 3056 wrote to memory of 1088	3056	Ahebaiac.exe	39
PID 3056 wrote to memory of 1088	3056	Ahebaiac.exe	39
PID 1088 wrote to memory of 1028	1088	Akcomepg.exe	40
PID 1088 wrote to memory of 1028	1088	Akcomepg.exe	40
PID 1088 wrote to memory of 1028	1088	Akcomepg.exe	40
PID 1088 wrote to memory of 1028	1088	Akcomepg.exe	40
PID 1028 wrote to memory of 1264	1028	Anbkipok.exe	41
PID 1028 wrote to memory of 1264	1028	Anbkipok.exe	41
PID 1028 wrote to memory of 1264	1028	Anbkipok.exe	41
PID 1028 wrote to memory of 1264	1028	Anbkipok.exe	41
PID 1264 wrote to memory of 2376	1264	Abmgjo32.exe	42
PID 1264 wrote to memory of 2376	1264	Abmgjo32.exe	42
PID 1264 wrote to memory of 2376	1264	Abmgjo32.exe	42
PID 1264 wrote to memory of 2376	1264	Abmgjo32.exe	42
PID 2376 wrote to memory of 2024	2376	Adlcfjgh.exe	43
PID 2376 wrote to memory of 2024	2376	Adlcfjgh.exe	43
PID 2376 wrote to memory of 2024	2376	Adlcfjgh.exe	43
PID 2376 wrote to memory of 2024	2376	Adlcfjgh.exe	43
PID 2024 wrote to memory of 1816	2024	Agjobffl.exe	44
PID 2024 wrote to memory of 1816	2024	Agjobffl.exe	44
PID 2024 wrote to memory of 1816	2024	Agjobffl.exe	44
PID 2024 wrote to memory of 1816	2024	Agjobffl.exe	44
PID 1816 wrote to memory of 1984	1816	Aoagccfn.exe	45
PID 1816 wrote to memory of 1984	1816	Aoagccfn.exe	45
PID 1816 wrote to memory of 1984	1816	Aoagccfn.exe	45
PID 1816 wrote to memory of 1984	1816	Aoagccfn.exe	45
PID 1984 wrote to memory of 2144	1984	Abpcooea.exe	46
PID 1984 wrote to memory of 2144	1984	Abpcooea.exe	46
PID 1984 wrote to memory of 2144	1984	Abpcooea.exe	46
PID 1984 wrote to memory of 2144	1984	Abpcooea.exe	46

C:\Users\Admin\AppData\Local\Temp\3f3bc7de7cd18d91b7839e24e0acc941e8f87dd392357564f898bfa6ed67b754N.exe
"C:\Users\Admin\AppData\Local\Temp\3f3bc7de7cd18d91b7839e24e0acc941e8f87dd392357564f898bfa6ed67b754N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Windows\SysWOW64\Ahpifj32.exe
  C:\Windows\system32\Ahpifj32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Windows\SysWOW64\Aojabdlf.exe
    C:\Windows\system32\Aojabdlf.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:380
  - - C:\Windows\SysWOW64\Ajpepm32.exe
      C:\Windows\system32\Ajpepm32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1700
    - - C:\Windows\SysWOW64\Ahbekjcf.exe
        
        C:\Windows\system32\Ahbekjcf.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2788
      - C:\Windows\SysWOW64\Akabgebj.exe
        
        C:\Windows\system32\Akabgebj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Achjibcl.exe
        
        C:\Windows\system32\Achjibcl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\Adifpk32.exe
        
        C:\Windows\system32\Adifpk32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\Ahebaiac.exe
        
        C:\Windows\system32\Ahebaiac.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\SysWOW64\Akcomepg.exe
        
        C:\Windows\system32\Akcomepg.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\SysWOW64\Anbkipok.exe
        
        C:\Windows\system32\Anbkipok.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\SysWOW64\Abmgjo32.exe
        
        C:\Windows\system32\Abmgjo32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\SysWOW64\Adlcfjgh.exe
        
        C:\Windows\system32\Adlcfjgh.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\Agjobffl.exe
        
        C:\Windows\system32\Agjobffl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\SysWOW64\Aoagccfn.exe
        
        C:\Windows\system32\Aoagccfn.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\SysWOW64\Abpcooea.exe
        
        C:\Windows\system32\Abpcooea.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\Aqbdkk32.exe
        
        C:\Windows\system32\Aqbdkk32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2144
        
        C:\Windows\SysWOW64\Bgllgedi.exe
        
        C:\Windows\system32\Bgllgedi.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:664
        
        C:\Windows\SysWOW64\Bkhhhd32.exe
        
        C:\Windows\system32\Bkhhhd32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1376
        
        C:\Windows\SysWOW64\Bnfddp32.exe
        
        C:\Windows\system32\Bnfddp32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2416
        
        C:\Windows\SysWOW64\Bqeqqk32.exe
        
        C:\Windows\system32\Bqeqqk32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:820
        
        C:\Windows\SysWOW64\Bdqlajbb.exe
        
        C:\Windows\system32\Bdqlajbb.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Bkjdndjo.exe
        
        C:\Windows\system32\Bkjdndjo.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:864
        
        C:\Windows\SysWOW64\Bmlael32.exe
        
        C:\Windows\system32\Bmlael32.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2260
        
        C:\Windows\SysWOW64\Bdcifi32.exe
        
        C:\Windows\system32\Bdcifi32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2228
        
        C:\Windows\SysWOW64\Bgaebe32.exe
        
        C:\Windows\system32\Bgaebe32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2212
        
        C:\Windows\SysWOW64\Bfdenafn.exe
        
        C:\Windows\system32\Bfdenafn.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Windows\SysWOW64\Bchfhfeh.exe
        
        C:\Windows\system32\Bchfhfeh.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2756
        
        C:\Windows\SysWOW64\Bffbdadk.exe
        
        C:\Windows\system32\Bffbdadk.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2676
        
        C:\Windows\SysWOW64\Bieopm32.exe
        
        C:\Windows\system32\Bieopm32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2572
        
        C:\Windows\SysWOW64\Boogmgkl.exe
        
        C:\Windows\system32\Boogmgkl.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\Bbmcibjp.exe
        
        C:\Windows\system32\Bbmcibjp.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2328
        
        C:\Windows\SysWOW64\Bjdkjpkb.exe
        
        C:\Windows\system32\Bjdkjpkb.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1108
        
        C:\Windows\SysWOW64\Bmbgfkje.exe
        
        C:\Windows\system32\Bmbgfkje.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:580
        
        C:\Windows\SysWOW64\Bkegah32.exe
        
        C:\Windows\system32\Bkegah32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2060
        
        C:\Windows\SysWOW64\Ccmpce32.exe
        
        C:\Windows\system32\Ccmpce32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2052
        
        C:\Windows\SysWOW64\Ciihklpj.exe
        
        C:\Windows\system32\Ciihklpj.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1760
        
        C:\Windows\SysWOW64\Cocphf32.exe
        
        C:\Windows\system32\Cocphf32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:980
        
        C:\Windows\SysWOW64\Cnfqccna.exe
        
        C:\Windows\system32\Cnfqccna.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:272
        
        C:\Windows\SysWOW64\Cepipm32.exe
        
        C:\Windows\system32\Cepipm32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1360
        
        C:\Windows\SysWOW64\Cgoelh32.exe
        
        C:\Windows\system32\Cgoelh32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\Cpfmmf32.exe
        
        C:\Windows\system32\Cpfmmf32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2436
        
        C:\Windows\SysWOW64\Ckmnbg32.exe
        
        C:\Windows\system32\Ckmnbg32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1188
        
        C:\Windows\SysWOW64\Cbffoabe.exe
        
        C:\Windows\system32\Cbffoabe.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Ceebklai.exe
        
        C:\Windows\system32\Ceebklai.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:928
        
        C:\Windows\SysWOW64\Clojhf32.exe
        
        C:\Windows\system32\Clojhf32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Cjakccop.exe
        
        C:\Windows\system32\Cjakccop.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Cegoqlof.exe
        
        C:\Windows\system32\Cegoqlof.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1696
        
        C:\Windows\SysWOW64\Cfhkhd32.exe
        
        C:\Windows\system32\Cfhkhd32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3068
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 144
        51⤵
        Program crash
        
        PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abmgjo32.exe

Filesize
96KB

MD5
d4f0e3a6842c99a7cb75dcdcc4ce551e

SHA1
da75b75738b9b35cc869a891733efa9bfa6adc99

SHA256
e650599eec5b6b03735101af52f480ee34eeab46ae8d942f1a661ad2704e3640

SHA512
6234a37939bbb1853f0b24020dda903667f156f7a7eb6ffa191cb6fab009342d1c7b15da4f643234b62c718d1fe771de0e925d903be40ba8c35c2a39a173f1df

Download Submit
C:\Windows\SysWOW64\Abpcooea.exe

Filesize
96KB

MD5
4046f81a198f30a9cd29f0d51ee00ec5

SHA1
bdb13b8a390b5d62d0184481c032b8d2611215a1

SHA256
1b7bc977f59fcfc00c57b40e205e71e2f2246c873468f98c28ba9ea39a4e8438

SHA512
07839700747448b273af3027d9db0e2ca99fd8c7843f74142249dd7fdce97a0ef8f59382ec6d5508295a453436fec30daf3f5b202f24a11cbb0778c717f23bfc

Download Submit
C:\Windows\SysWOW64\Achjibcl.exe

Filesize
96KB

MD5
05dd783f7bea1229b06ae35c8f66f64f

SHA1
3eaa3389aca4b2f0f7b9e06e484faff3094b36bb

SHA256
03d1847e3da13e381ea6b81f35e2e05108ba75a0f0122269a1d848828a533548

SHA512
d83705e4e9acf17506bf36f7a3e43a18f630ef3ee4f3d0c6a22f814c780ac2c57df59524bd97ec93a07054e25ed69363d03612b7990be16b6d383d355d6e9a30

Download Submit
C:\Windows\SysWOW64\Adifpk32.exe

Filesize
96KB

MD5
14bbbd2c7789477609cc0411ae1bb9de

SHA1
a2af90799314ee473994dcbbf93bfa2687108f7a

SHA256
bbb9a413cb410d2e5b987a42e7e985992971ef26726cc7563ffcd36b079950a1

SHA512
f74eeb3b4de93602744712892961e6ddb3c45b2bb17149deec760253f79c8964ca8b1180c1ca6a9ffbf87d2bd348dc756c7c16d0d56691a02dc9a6323cdf1bfe

Download Submit
C:\Windows\SysWOW64\Adlcfjgh.exe

Filesize
96KB

MD5
0d001de8b8a8ab1a9831014f1c1613cc

SHA1
ca468b111a78ee20386d2bf8b6580ebee1acdd60

SHA256
275bf57d1554cdc916bbb70bd440409782b88ecad8c088578235be9eb8218dcc

SHA512
64205ae3b11d097ae2260e3fa488e97dacd35a4de742d1418834ad5a63b1d730b438bb6b5bf1914210287cad50ccd4e63b958fa475595fb97a01b38076908833

Download Submit
C:\Windows\SysWOW64\Ahebaiac.exe

Filesize
96KB

MD5
2eba0f4e6a238f15ad655ce6618dd6e7

SHA1
a447bcd6e27bbbc0476fd1888196e499931fd3d0

SHA256
78127fac9f0732dde8b9dceff285f112181ffaa530198efc03baf97bb77c8a0f

SHA512
902dff418c89c255fe4b50c138eaeb2dfcd5d74a67f81eb9f3b81828355389367b2446cb81f6a4cda1dbc812a27cde55b8fee8619401696884016b6a7f073fa0

Download Submit
C:\Windows\SysWOW64\Ajpepm32.exe

Filesize
96KB

MD5
cedbc53f14d407480503ae767fdf9d97

SHA1
b7863d853987b0dc988093b2d148f732c1edf49a

SHA256
bfb209213b6a4a887340ef35076c57ae0d6ae5cfa9e1e161ba8da423ac4e1dae

SHA512
2ba93ed8d01530b6b530955f1976edf4ae0ba8c57db7ef4414a6febfe8fe11d919c3d69c52fd7f35557e258f9db4f4d77decfe81712315e018c1db3030bd9b75

Download Submit
C:\Windows\SysWOW64\Akcomepg.exe

Filesize
96KB

MD5
8b28ace858e50a847ed38393d7374895

SHA1
8a276f5ad480158eb3d6dfbd0d8e5614ac1bba78

SHA256
718004b803f85bb18bd47e78b6fa91d672faf8453e6a9d5f5c64626f22c519cd

SHA512
df981ca40ce550c4bac4b35253fd35f03ba42a59ac860dccb06d9dc4b51c51ebdb509269af521b52eddb553831636f6b1e72c6ce0c3a5c10393c7719f13433ac

Download Submit
C:\Windows\SysWOW64\Aoagccfn.exe

Filesize
96KB

MD5
d6aa908e2ebdd78ddce8d10c368e04f5

SHA1
6c836e530fc9d8eb5959d1aeeaa4089bb1dfeb29

SHA256
0885bc6ee4e4633a2bc3d88333d54ba6af9f4d6f4d7fc160778921b0f1123458

SHA512
2fe5465e441d7964a8672afd92a9f20488d11406c170b9710b1322f992961918f4ecf4b47e0389142600b43e517958d3b89d3f542c93fd2d6e71e6bd1773e3ae

Download Submit
C:\Windows\SysWOW64\Aojabdlf.exe

Filesize
96KB

MD5
9f4fe71456d9a0326dd7c061628e1193

SHA1
c775d5e3318e854956c8afd2e9803f4f4e4b4112

SHA256
52fcf9f487507e1fdedcad9a8139a51053674dbb792615cc0099cd7953d7455d

SHA512
a6260610fa517388750a69e1ad27d908bd4eafb28dc43084108adad5f31512b5a478ba2390de3d3416f7e81dfdea48fb2bb48de018d72734eb627d7373f6fd5c

Download Submit
C:\Windows\SysWOW64\Aqbdkk32.exe

Filesize
96KB

MD5
59529d219e2bd5af00e40b32d70dbccc

SHA1
607ecd4b1da7272387b148f5f1df63ef6c0163f7

SHA256
3d6bfd705f178c7b8b3180d07ebdd91bff43a8cd915f162dc8e41de5c89d4cfe

SHA512
2eea3dfa75a1bf21eb38af459005e7abd67f85bbcc43f80f7f0e8c6e4d2b27c243e7fa35959781dfb1110d31bd7a6ae6adcba31125e250e0ab1677919fbc0b65

Download Submit
C:\Windows\SysWOW64\Bbmcibjp.exe

Filesize
96KB

MD5
814cee813e80e6dde47b8eaacb8177cd

SHA1
7f3244eb06b548843e0df1d09f97529c34e24d48

SHA256
2c6b0e0542ce04206242ee824f8de56b58968e12d7b6db22928efb6eab0bf8e5

SHA512
778366680d172b74aa8d6e7e401913a0498b7808e03b47e86036882c169fec61ffd7cd559932a9c1c0a05db95d8d56af68e0012cd5d0f9e26ab4fc49f9b600e9

Download Submit
C:\Windows\SysWOW64\Bchfhfeh.exe

Filesize
96KB

MD5
547414f69b7deca519227a008cc9f17d

SHA1
bc2138223c60524633fd8a32b4ee69788d41075a

SHA256
e1ed7040ed020d4bc01779544a61aabc4446c912ae15070bd5fda8755978c976

SHA512
b54ebd14c30ec04813dc6b1bc935a0f39d1f9e435b2c3f5ccd9702d65d21d966c203150bc5e0489fe02a5cbba8cda3fd94d80ba9fecbd7ada6f86f127b4d0b79

Download Submit
C:\Windows\SysWOW64\Bdcifi32.exe

Filesize
96KB

MD5
d265f42dfaba3fb4fcf6dc3bfe933143

SHA1
61b66feee3ef7936ef581fa9aedd0d2e6f61642b

SHA256
8e9aad770c4f3e9766dd55abe27d64c7ba136f640fcc17972d058729ac4f435a

SHA512
5b9356e4bee62796c42a5cd01cf0eacf9b70e12cfb6abb3b81272f93211e2561ceb06ef4df781eee760d3953bdf63c95fff220f441f9c1e36de35ad691420043

Download Submit
C:\Windows\SysWOW64\Bdqlajbb.exe

Filesize
96KB

MD5
3e2ec7ebdd04c205fd1c97a1d3c8dbb0

SHA1
a9e8259f62c4cfcb9dd7f423495aa21cd123616f

SHA256
50579d31d6e9614d221fd2cbfba687ae9fc1daa384e04994aa0ff78b6aef1ae7

SHA512
3622c60c08abe4a617e17e6142ceab25353d663712b2ee78662a941da007f9ca964fc1d3ccb8684f70f533c4aaba32979b5a29d16e0aa42c44dbf0724e7d9ac7

Download Submit
C:\Windows\SysWOW64\Bfdenafn.exe

Filesize
96KB

MD5
cf3af52ad81a474bcf3dea55bbc55ef8

SHA1
6661fb405b87fdbec7ea8b10440ac70e58ec8c0a

SHA256
7b1d15b9375fbf0273a1d0cfca2d4654d2389452e9f7721940a69a308188650d

SHA512
69aa431a5d1a92d7b06111f1d6816563d89a5e8977892aaf6906485b246940c7e26ff4ad3af6864f14ffb08659c05387d0809156f7866476be4bc22b9e213b77

Download Submit
C:\Windows\SysWOW64\Bffbdadk.exe

Filesize
96KB

MD5
a9da2b37c0dac6020a761afa55e7d018

SHA1
bdfa7e04107570276557726433c6fa2ca477220a

SHA256
2bf2cf43763f484bc1610403f6ddfb92610588d01e8e620a5bcafb1a7c8debc2

SHA512
d3a7954d0cc60259f479d5b896e35a2424286a6f8441c88f254f2cca251695afab22dbb4788c97eba8158b453814578bb24b772522519750500cd3fae3827ab3

Download Submit
C:\Windows\SysWOW64\Bgaebe32.exe

Filesize
96KB

MD5
5617e81d57e0ed51255b2de25205d0c3

SHA1
e44565adeca5af9c4d9f95f19c7a68224a9ea7bd

SHA256
060d6f9d26ca55de86bce2819ec8e39c7e17c27d6e89e4b67c4872563c7a8dbe

SHA512
c414257ee83aff7fdf0ad223b8faf7ea8b7e575f8b816565518c0ebdf6c4de40afcdc2a6a7934e6c956d425d489eec95100606b7ba11229633c3dd0bb78f3350

Download Submit
C:\Windows\SysWOW64\Bgllgedi.exe

Filesize
96KB

MD5
cb65c45bb3e321270f8c77c1bf0c6fcb

SHA1
42fb509e7032374ea1b6bd643813367d68c26d94

SHA256
d36ddcc5aa89e42f3a4b8190ab0466d8e878520b343fe0dd2dd82027f47815bf

SHA512
58a36acfa9da3e0022cff2461b47dd96b5826f435b620c6bdd614bf27c2a9c32c3b64dfeb0ae7fb868c1201d716c547155712292647446ee496ddb596ab65b7b

Download Submit
C:\Windows\SysWOW64\Bieopm32.exe

Filesize
96KB

MD5
194cceaa72f08a1c191b29b92f7f507a

SHA1
cff0135f98128f92600942b7cc319ab1cc35368f

SHA256
fb4e7f00f48e35da8ee59342263a3e3378447cbc90266ca5dd8120ed7a7e534c

SHA512
da1bc7bb24d97e1cd53521fb931de195c22f8cbc39b92a49f84c88b6363483da6fec9be40f5976d533270534f2b2fd860d50ec47953c4b4b19b95ccfdb041760

Download Submit
C:\Windows\SysWOW64\Bjdkjpkb.exe

Filesize
96KB

MD5
bc9c79ebc0dc3c7d82a4113dde11caaf

SHA1
b074ab59e97b44bde32ab3700bbdefb20a168b39

SHA256
02e345b345a5f5a03800d08c9bf3c034043f7118d9a486b4d2bb1a6c4d2533ad

SHA512
11fde7bead380ed04674b5889de0ed2cd9db256d1cd35d5938f31ecd65f07896609c003e40900159e820c96fca5f663fa4e52cc68428f27291e362f9b4cdde0b

Download Submit
C:\Windows\SysWOW64\Bkegah32.exe

Filesize
96KB

MD5
16a1a2ac5d765f9e91dcd962ad5513e3

SHA1
2d7118a4f82f820b7a4d1aa47033bdd0e5070e0b

SHA256
b9a6f180a22365c3d64bdd8085492408bd44b5157e08d84ee61d8670bda3d729

SHA512
73bc4f0032afb5d77d7fd408e966452571ee967018def57dfd09c36640c8be2110eed3a5129833dffa0f788fdb2b4f88114c1a9aca1e6c84889c53d54bb037f7

Download Submit
C:\Windows\SysWOW64\Bkhhhd32.exe

Filesize
96KB

MD5
38d5787863ba4b43991edb384141c1d1

SHA1
9f6eff83ed3d0f7bba88afaf22436e9e1b5b44c6

SHA256
9f0a93447be5dd08732d83fc1522a0511d438f0fa1e1f772f02bf97fa101e7c2

SHA512
ab22be780ecb2c7fd79c1db2bb6e4ca91f60e19ab8cfabf5264f16cefc0cf47f87f2a1e9bf8e4c491c930cdb481bf7c93739b4033d4c8284230b8d14b0a591eb

Download Submit
C:\Windows\SysWOW64\Bkjdndjo.exe

Filesize
96KB

MD5
f93d41a7827cade43ec022caceb7b52b

SHA1
9113a4c076721cfeca15936c7f424fa251d94b9c

SHA256
a1c9917e24d460a7410ee28b915871797cef1cf5e2596ca5203afa8c6e10c94b

SHA512
9180aaf37ec5104cb3c0d6f53ee1fafa3c5d9155e51234d4e835af0f379711728530a3ddfb456202b849143516e929b7e9e82b626998e9341b29957d8507ccc8

Download Submit
C:\Windows\SysWOW64\Bmbgfkje.exe

Filesize
96KB

MD5
a6ad457792d65d9c5babe67b2347d497

SHA1
3ee104e2645cb36d036dd7a51f327413d16eb743

SHA256
6c4ef7b619a9f6f08899bd96b0d4ec65326d822be3ebca913f1d67d29c86885e

SHA512
d2fe78cb37d26a046c7c4fb03eeceaa0dc0d3486245d5949db485c24efb061f7cf49a9eab4550ff76ba0cc8cb317c4d349ac2c3f60755187c7f1dee519db350f

Download Submit
C:\Windows\SysWOW64\Bmlael32.exe

Filesize
96KB

MD5
03bc60d2812eecae06f4a483829fc0a9

SHA1
e6e24bf169c9eb8c558efa260168eb9137ecae6c

SHA256
183589329d231e2309284ec2b6d523a208e7d3c892a61a170320b0fcd745b60c

SHA512
7a09025dcab4633539b447427bb05f38efc500296df33bdcf22835199780f5c1d45d516fb074528096c18e1e8756cba5dad25007984a8934db7f8f49edbe39ec

Download Submit
C:\Windows\SysWOW64\Bnfddp32.exe

Filesize
96KB

MD5
a15660880003909253d0985e0abe9fef

SHA1
ac746f591ee206a34b2a90633cc686823b21aa29

SHA256
c16ad5bd466abde9df0e9e8606d349a2e2c4c6ff3b9fc52c7463d064a839d702

SHA512
e854dc5c485c6b9f48cb388cbec8b862d118d2b2cbd6abeaa953c42fd452f38af208a0592aadeb476c5dbcb648597f6beaa641bea426f4c5d667cb566ec52431

Download Submit
C:\Windows\SysWOW64\Boogmgkl.exe

Filesize
96KB

MD5
723fca2274baf3380d6f573bafabe8ed

SHA1
3e6eb62c03e6dc113f05c5020e55bc9c0ea20593

SHA256
b572fcfb06e67801a006c0d528ec5a16d84ae9e799009febc9df48193641270c

SHA512
f583b9e399864660a6fc67be2388ac9d88999af6393e3bf0d580f4aafc09f4eb434a713d6028fb08ba07af9482429f9f4121dbcbecae46bdabf75c07c870a084

Download Submit
C:\Windows\SysWOW64\Bqeqqk32.exe

Filesize
96KB

MD5
5712e1f67700c2d77b4957cc897749b7

SHA1
dfee0ae30f5bbc595b646d04d8c115af3d6b3bf1

SHA256
c9ca548fca175b46419200b14cfde36906a2d352e27eebc9a820072d6a4bca51

SHA512
7abd53d4a87e53b81ba36c6d227c91905d59d0fdea55b39ea9575a80be64b303080a0ebcca2669bb58696f3e608551cdba75ea0a934a99bfee6acb74bef0109c

Download Submit
C:\Windows\SysWOW64\Cbffoabe.exe

Filesize
96KB

MD5
789b1bb54f2c1bbb1b50a15e5e6c776f

SHA1
cbddca14b69c7b3863ce145e898b6ea061f0d64e

SHA256
2d755a366591b948daa300f0bd8a4106a552f3ae0048edb2b23fd0be3a47e523

SHA512
886cd797d2e5a7486407efd7ee559f66b5320c45deadcf5563eabb44c80e542e00d2e18791cdf592454118ea025cf06ae67890d819db8093fb8b229b0573bbaf

Download Submit
C:\Windows\SysWOW64\Ccmpce32.exe

Filesize
96KB

MD5
fc74d890ba224b4d47b9bf787a62acdd

SHA1
ba24f0d6d2bc2ebb7dce6d8c10d94da6c161134e

SHA256
7a8d3d2019444995e92ff577b97fd0770d0c55174d2222fe8c9f26e227f2bf1c

SHA512
dfc2bb4bbf5e8476b0795b1942e5e5115c4ed895ab2dfc2e045c47cbf54c32ca21da8e903292c041e8cb582640c4327715f44c0304f4a532fabae5ea59d6ac4f

Download Submit
C:\Windows\SysWOW64\Ceebklai.exe

Filesize
96KB

MD5
3f8fca5a228f6a1178fcf9e90bd9dba9

SHA1
4a129f4d9a038f81e097e84ef68b37172677d1ba

SHA256
7e2a13667dbd4be71f3d39d7bac0300e7996545d70dca1f8a08143d7be4b366a

SHA512
8d7bc9808ea01e0d35dcf325dea884f642cad00c318343490209b6554a407c4c6d591fdfba1736daa6b8fb151e249d721839c6fdbc97f055a40f241ddfc07ad2

Download Submit
C:\Windows\SysWOW64\Cegoqlof.exe

Filesize
96KB

MD5
cbfbe9a6d4c0e95620ef743393715e28

SHA1
2193c90d3bb46f4126389f80cd50fd7ef145897b

SHA256
5120d9c58e8b516f3a4fb7d11c92023519f43c87945916ea8acaac547b96f505

SHA512
fc41763a69df120507f11233e7d84cb208016c02fee183764c3182c2a5237403d6b08fed9b88aa3ac2ae24743d04186e392dcf4aa873a5ac5bb2a78dfd51d47b

Download Submit
C:\Windows\SysWOW64\Cepipm32.exe

Filesize
96KB

MD5
90cdbe312eb81b574db08f358008f6d2

SHA1
de36a5ee0a3b04a2abd7814407c9f21ef8da0ae3

SHA256
2cab1e8e0c882dd0c7887681950cf53c986fa5ca1538b662cc67929e83ef04d0

SHA512
1779b8e7395cedadd4497f1a4b2b2f4d89447f732e750f870c7ba0ea12cda97db9271705a9d7320502fa098500e129edda37b72029c2976b40ecac15eb9f5333

Download Submit
C:\Windows\SysWOW64\Cfhkhd32.exe

Filesize
96KB

MD5
ad8108ae0f83b02970f64bb651fe5394

SHA1
5396fd57d0b67df5838d3d55a559e1de8609dc9f

SHA256
cce8a7b41ecb5944d181dced9fb573e1d6acdc792921db91713054fb29da9a6e

SHA512
503e28af3d34c58f38bba3fb3bef8eb28cb69320426d8d3717333e9ee19f7186d3a52bcc5e22090f2590b43c4feea84f0ce57d14bae1ceaefecc52a001921d0d

Download Submit
C:\Windows\SysWOW64\Cgoelh32.exe

Filesize
96KB

MD5
f7179c93f88e3abbb123d116eb90b86d

SHA1
5de33b4be955113cd38deb22ee79641825fffa4e

SHA256
4e583cb55a7cdf19ce3ea919e7bde836b727841f154da7ff30bd2d94dd896351

SHA512
ee4f0fdac3785e049ec60c6e47d0607ff103843b3eed57bb53309455b7e3370ffc2d77f94f96bc10715cf903b474038bb0ddf1b847a0e1fd286581428de76594

Download Submit
C:\Windows\SysWOW64\Ciihklpj.exe

Filesize
96KB

MD5
dcca904abdbeeb29175e2ff84f5cb1b9

SHA1
3cf886d9e940ba1b10495f6d86d9dab58ce8d532

SHA256
6f2e999bb68083891303fcef005a45f6fcee14c0b193031b106e45c0a51e837f

SHA512
864fd8f317ae3732ee5347b7848afe02334a6edd5d3f4526a75f51cb347a81897ef3bb8d81702c94fe65fb9274ecc952b6666986d8a2cfead7179f2ed6d5184a

Download Submit
C:\Windows\SysWOW64\Cjakccop.exe

Filesize
96KB

MD5
946aacb7354c95cc1d26f9900cdd9638

SHA1
787426328023e5d2a29f85973d24a68dba909500

SHA256
39353ac8bafa52927c8beb4e58fcc614f14ef8fe73e7bd30fca6b48ed1b233df

SHA512
a4ae79e4dd46529663f6565c38757446c054c54b142cd2e83af612cf0520766427fdc6b39fe388a371ca0d56d97f840329494c6d9b511cb8aa826d776b37fd7f

Download Submit
C:\Windows\SysWOW64\Ckmnbg32.exe

Filesize
96KB

MD5
29738aed9deb96e732b6b77324aded87

SHA1
6b2a1cf97ce31dbde73d20f0d655a4acd1da6fe9

SHA256
be5a30ffc8af63b73b761b6e1e9b8c172765176da338e8affca3cdd43bc0ab2a

SHA512
6687d57de2d963b5425da9946951bab8ddd8510d46ce5cf97dfb0dd993c28015e2b495275ab89a72213c3b8f00c715e167bc1d6bf2d74e5caff8cf05d58c90d2

Download Submit
C:\Windows\SysWOW64\Clojhf32.exe

Filesize
96KB

MD5
65780af8c6b7ce71e6f6982664b694de

SHA1
aacbbf6a3983b7196858b99edcf99a8a175c0048

SHA256
1d22efbfed8f42394cf4e02be260c79dc91813b303851b4505eab20d372f4838

SHA512
b63261bd5c312c99ebd0b5118637582256ee68de8c7df3a4c82c982d1c801282eb537a60b4cfe35e39f1822b41b7228a53ea0bbe04acc75b89080bf387a3ba4a

Download Submit
C:\Windows\SysWOW64\Cnfqccna.exe

Filesize
96KB

MD5
caef42f311843dcc1caeeb7758c138e1

SHA1
6f0e428fde808146c059723390f8d11574009d02

SHA256
0f5cc720321a164938029cc932fe0aeca8d334374fbdc47c95c24952f2fe7925

SHA512
f0e9aab3ea0096e763880c35e1c57cde0e47d727e508007f1b2a20a849cbb12afc0dff4a36b7b98909a67dc442158093fc5eab708f86b7fab5b457a2725a2a86

Download Submit
C:\Windows\SysWOW64\Cocphf32.exe

Filesize
96KB

MD5
6f85b24fdd88960bb5b6ee2c7501e8c9

SHA1
ca98509a59ffc1e047140153c84ac04e341af0ba

SHA256
19b0c5df714416b72bec245123c0f318c228691d552a23e20c4d7e9f8755d2f3

SHA512
4cb38423c1065abc60b96156b41deba9b656ad29a7320c85382b5188cc4182af27ffca70f1e2eb2c985126fe8defd90c2ce3407d620c59652fc86650ba0d2b4e

Download Submit
C:\Windows\SysWOW64\Cpfmmf32.exe

Filesize
96KB

MD5
1142292d83cb34b52cf3c7e2576e77b9

SHA1
545bd77ba7caa2063129a43b5fc15d48df1ea053

SHA256
73d7a9a48393b3e4c417ece5f49836c6961803feee41f676f8c7825488ffa400

SHA512
20f8680f18d474305aa4f5ea9397a045dfb78ac02b60a2fbb69eddfb5cb49e67b8e4a64b37deb08d8d387d7f6dda731f67868bb8bf963b18085f01202a5a6596

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
96KB

MD5
51d679f24ef815be395d61285c26fad4

SHA1
f1901fbeebfc8861c4e6f5dd1f4cb859e6a00247

SHA256
eda1a6cc91a8e0cc3688ad2753053d121283a0a430cf5bb7bc2dd8628d05da68

SHA512
3d31937035a8eeaf6c060e56ae97e4669f7347e44bcf9bf43851c3b7ba8e034ac31b47ceba9d2074f7d3b7584de80bf883ef75d022afab1a7e357c80522a3bfa

Download Submit
\Windows\SysWOW64\Agjobffl.exe

Filesize
96KB

MD5
8fe2300b28ba4975392086ed323b5753

SHA1
9fa635d28ccf71f668139885a2a8772e1bb4afbd

SHA256
3617f18fd7361fe1defca85c427ae44a89e69e972369aae122d6fac8b7be7c3e

SHA512
8edbba2a6bbf2295d626a506637bacf26ec9b4c7570b352bc040ba94b8ca0c69637487961a62c7dbc813ae50f2583cd434069989fcfbcb4cd8b1945fa9b5f603

Download Submit
\Windows\SysWOW64\Ahbekjcf.exe

Filesize
96KB

MD5
bc2d825a897064b41a0c679f6958b688

SHA1
7b89cb5c6e457c4445d5a373eb38948d19f13ac2

SHA256
9a911d387bd0826161ab423afd2372e47b41739d6d96907ccbc28ed4c8a23dc6

SHA512
ff8ee3a66ae6c5f651b7ee93f8e07c361ad4b1358f3853d8995206ecffea24f48a9f5e1a5f646966be1825225aab9d1031437823235c21b6e9e42b7aba006c0d

Download Submit
\Windows\SysWOW64\Ahpifj32.exe

Filesize
96KB

MD5
d2117d3e2ad4c2119746960a35f9c7df

SHA1
7c4c5737912c52e859b98c6dfda04856a9c103bd

SHA256
b3898d8b82b2326ee91ff7aca9765a255d7d11a2ae5de3a6523f027d9318efa1

SHA512
18f65a79e10ff50d3af89cc631e2388a4343cf48c26386cba07d6418e2f739fc6a64d971930a5b767efdba13a2b86c47741d6a558b43a210a00481108e62ee3d

Download Submit
\Windows\SysWOW64\Akabgebj.exe

Filesize
96KB

MD5
8c9de40fd1d3430e1b5ae57bdc5388ce

SHA1
6d1ebd60069000e8e0ff5ee26e60cfe094624524

SHA256
30fda15880d8cc50c3e1b8a96d989eea6effea21853a43fb0fef7ad74b35aa34

SHA512
c93733e30bac9f5c87f9f8f824b72281efd320cdfd725d3421d9c12657632136fe2dc7fbb64ed6b877ab691a343633671e6991f3a720107a62fe1df58915f603

Download Submit
\Windows\SysWOW64\Anbkipok.exe

Filesize
96KB

MD5
907541881d82767de27435d34f5d0918

SHA1
a87e77c5e0bcd40ebedf6a1185535ccebe82a159

SHA256
0a4c9ea82150296502c70f72db03cdde2780316f5ef2140798493f697a5f5ebf

SHA512
20c82dec52991dc4644f7cbe14e84011ddbae736d926e69de46a9a714b05038dbd18866aa9f64f2ea48f4f3f7a0d99f5aabd4dd928b1f098156316e80649c984

Download Submit
memory/272-449-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/272-439-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/380-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/380-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/380-34-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/580-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/664-228-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/820-250-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/820-259-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/864-628-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/864-279-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/864-275-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/928-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/980-438-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/980-437-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/980-428-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1028-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1028-459-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1088-448-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1108-375-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1108-607-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1188-492-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1188-487-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1264-154-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1264-470-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1264-146-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1360-450-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1660-466-0x0000000001F70000-0x0000000001FA3000-memory.dmp

Filesize
204KB

Download
memory/1660-463-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1700-53-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1700-381-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1760-417-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1816-193-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/1816-512-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1984-523-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1984-211-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2024-493-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2024-180-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2052-416-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2052-406-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2060-398-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2060-405-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2144-534-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2144-212-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2144-220-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2144-535-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2188-524-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2188-533-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2212-301-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2212-604-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2212-306-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2212-311-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2228-291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2228-300-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2228-620-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2236-513-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2236-522-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2248-502-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2260-290-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2260-614-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2260-289-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2260-284-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2276-266-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2276-260-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2276-613-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2328-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2328-374-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2376-167-0x0000000000320000-0x0000000000353000-memory.dmp

Filesize
204KB

Download
memory/2376-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2416-246-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2416-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2436-480-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2436-471-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2436-481-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2540-94-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2540-426-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2572-344-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2572-605-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2572-354-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2676-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2728-88-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2728-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2756-331-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2756-332-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2768-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2768-75-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2772-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2788-385-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2788-54-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2788-62-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2832-12-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2832-11-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2832-342-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2832-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2832-343-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2952-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2952-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3024-322-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/3024-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3024-317-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/3056-115-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/3056-107-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3056-427-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3068-564-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads