berbew | 0712c813b1411d90a009f99b31518d7873ee742ff67feaff990b7294e5429906

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/11/2024, 03:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0712c813b1411d90a009f99b31518d7873ee742ff67feaff990b7294e5429906N.exe
Size

224KB
MD5

aac66edb964561cc54f7568b5960f510
SHA1

7daa9e2d7f22a2d87b102b3b11bb778258a68d2d
SHA256

0712c813b1411d90a009f99b31518d7873ee742ff67feaff990b7294e5429906
SHA512

e0a8a5305de0248d3fb8ce5345c3786c00dd23864d8562e5e7e4f1d23bd1fb2a405ece0dda051a2f356492737cd598de594d6b87d19c96c74983d447b179c4be
SSDEEP

3072:qO+7xMSGZU2asH1xAQqmIuYUvIMDrFDHZtOgxBOXXwwfBoD6N3h8N5G2qVUDrFDl:Kk4m4s5tTDUZNSN58VU5tTtf

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pidfdofi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcogbdkg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akfkbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjkhdacm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pidfdofi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Allefimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Allefimb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqijljfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acfmcc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bniajoic.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcbhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoagccfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bceibfgj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akcomepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abpcooea.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgoime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Paknelgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akcomepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bniajoic.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0712c813b1411d90a009f99b31518d7873ee742ff67feaff990b7294e5429906N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahbekjcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abmgjo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bceibfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qpbglhjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnfddp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caifjn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnghel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apedah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcljmdmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnghel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aebmjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Alqnah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdqlajbb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjbndpmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akfkbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	0712c813b1411d90a009f99b31518d7873ee742ff67feaff990b7294e5429906N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aebmjo32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 56 IoCs

pid	Process
780	Pidfdofi.exe
2304	Paknelgk.exe
1908	Pcljmdmj.exe
2756	Qcogbdkg.exe
2672	Qndkpmkm.exe
2720	Qpbglhjq.exe
2540	Qcachc32.exe
848	Qnghel32.exe
1952	Apedah32.exe
1832	Aebmjo32.exe
1932	Allefimb.exe
2528	Acfmcc32.exe
892	Afdiondb.exe
2872	Ahbekjcf.exe
804	Aomnhd32.exe
992	Alqnah32.exe
1896	Akcomepg.exe
2052	Abmgjo32.exe
356	Akfkbd32.exe
1976	Aoagccfn.exe
3024	Abpcooea.exe
2104	Bjkhdacm.exe
2488	Bnfddp32.exe
3044	Bdqlajbb.exe
2300	Bgoime32.exe
1048	Bniajoic.exe
2288	Bceibfgj.exe
2688	Bfdenafn.exe
2656	Bqijljfd.exe
1880	Bgcbhd32.exe
2572	Bjbndpmd.exe
2676	Bqlfaj32.exe
3000	Bbmcibjp.exe
2808	Bigkel32.exe
1948	Bkegah32.exe
2060	Cbppnbhm.exe
1856	Cenljmgq.exe
2420	Ckhdggom.exe
2884	Cocphf32.exe
688	Cepipm32.exe
2904	Cileqlmg.exe
2424	Cpfmmf32.exe
1188	Cinafkkd.exe
2940	Ckmnbg32.exe
1480	Cjonncab.exe
3048	Caifjn32.exe
916	Cchbgi32.exe
2324	Cgcnghpl.exe
2264	Clojhf32.exe
2000	Cnmfdb32.exe
1884	Cmpgpond.exe
2804	Cegoqlof.exe
584	Cgfkmgnj.exe
2800	Djdgic32.exe
2308	Danpemej.exe
2028	Dpapaj32.exe

Loads dropped DLL 64 IoCs

pid	Process
2816	0712c813b1411d90a009f99b31518d7873ee742ff67feaff990b7294e5429906N.exe
2816	0712c813b1411d90a009f99b31518d7873ee742ff67feaff990b7294e5429906N.exe
780	Pidfdofi.exe
780	Pidfdofi.exe
2304	Paknelgk.exe
2304	Paknelgk.exe
1908	Pcljmdmj.exe
1908	Pcljmdmj.exe
2756	Qcogbdkg.exe
2756	Qcogbdkg.exe
2672	Qndkpmkm.exe
2672	Qndkpmkm.exe
2720	Qpbglhjq.exe
2720	Qpbglhjq.exe
2540	Qcachc32.exe
2540	Qcachc32.exe
848	Qnghel32.exe
848	Qnghel32.exe
1952	Apedah32.exe
1952	Apedah32.exe
1832	Aebmjo32.exe
1832	Aebmjo32.exe
1932	Allefimb.exe
1932	Allefimb.exe
2528	Acfmcc32.exe
2528	Acfmcc32.exe
892	Afdiondb.exe
892	Afdiondb.exe
2872	Ahbekjcf.exe
2872	Ahbekjcf.exe
804	Aomnhd32.exe
804	Aomnhd32.exe
992	Alqnah32.exe
992	Alqnah32.exe
1896	Akcomepg.exe
1896	Akcomepg.exe
2052	Abmgjo32.exe
2052	Abmgjo32.exe
356	Akfkbd32.exe
356	Akfkbd32.exe
1976	Aoagccfn.exe
1976	Aoagccfn.exe
3024	Abpcooea.exe
3024	Abpcooea.exe
2104	Bjkhdacm.exe
2104	Bjkhdacm.exe
2488	Bnfddp32.exe
2488	Bnfddp32.exe
3044	Bdqlajbb.exe
3044	Bdqlajbb.exe
2300	Bgoime32.exe
2300	Bgoime32.exe
1048	Bniajoic.exe
1048	Bniajoic.exe
2288	Bceibfgj.exe
2288	Bceibfgj.exe
2688	Bfdenafn.exe
2688	Bfdenafn.exe
2656	Bqijljfd.exe
2656	Bqijljfd.exe
1880	Bgcbhd32.exe
1880	Bgcbhd32.exe
2572	Bjbndpmd.exe
2572	Bjbndpmd.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bdoaqh32.dll	Aebmjo32.exe
File created	C:\Windows\SysWOW64\Abmgjo32.exe	Akcomepg.exe
File created	C:\Windows\SysWOW64\Dfefmpeo.dll	Bqijljfd.exe
File created	C:\Windows\SysWOW64\Cocphf32.exe	Ckhdggom.exe
File created	C:\Windows\SysWOW64\Cepipm32.exe	Cocphf32.exe
File opened for modification	C:\Windows\SysWOW64\Ckmnbg32.exe	Cinafkkd.exe
File created	C:\Windows\SysWOW64\Kaaded32.dll	0712c813b1411d90a009f99b31518d7873ee742ff67feaff990b7294e5429906N.exe
File created	C:\Windows\SysWOW64\Hkgoklhk.dll	Pidfdofi.exe
File opened for modification	C:\Windows\SysWOW64\Akfkbd32.exe	Abmgjo32.exe
File created	C:\Windows\SysWOW64\Jhogdg32.dll	Cinafkkd.exe
File opened for modification	C:\Windows\SysWOW64\Cjonncab.exe	Ckmnbg32.exe
File opened for modification	C:\Windows\SysWOW64\Bdqlajbb.exe	Bnfddp32.exe
File created	C:\Windows\SysWOW64\Oinhifdq.dll	Bbmcibjp.exe
File created	C:\Windows\SysWOW64\Cnmfdb32.exe	Clojhf32.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Danpemej.exe
File created	C:\Windows\SysWOW64\Ahbekjcf.exe	Afdiondb.exe
File created	C:\Windows\SysWOW64\Gggpgo32.dll	Abmgjo32.exe
File opened for modification	C:\Windows\SysWOW64\Abpcooea.exe	Aoagccfn.exe
File created	C:\Windows\SysWOW64\Bqijljfd.exe	Bfdenafn.exe
File opened for modification	C:\Windows\SysWOW64\Ckhdggom.exe	Cenljmgq.exe
File opened for modification	C:\Windows\SysWOW64\Danpemej.exe	Djdgic32.exe
File created	C:\Windows\SysWOW64\Ckmcef32.dll	Qndkpmkm.exe
File created	C:\Windows\SysWOW64\Pmmgmc32.dll	Ahbekjcf.exe
File opened for modification	C:\Windows\SysWOW64\Cnmfdb32.exe	Clojhf32.exe
File opened for modification	C:\Windows\SysWOW64\Qnghel32.exe	Qcachc32.exe
File created	C:\Windows\SysWOW64\Acfmcc32.exe	Allefimb.exe
File created	C:\Windows\SysWOW64\Aebfidim.dll	Akcomepg.exe
File created	C:\Windows\SysWOW64\Gfnafi32.dll	Aoagccfn.exe
File created	C:\Windows\SysWOW64\Cbppnbhm.exe	Bkegah32.exe
File created	C:\Windows\SysWOW64\Cpmahlfd.dll	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Cbehjc32.dll	Djdgic32.exe
File opened for modification	C:\Windows\SysWOW64\Aebmjo32.exe	Apedah32.exe
File opened for modification	C:\Windows\SysWOW64\Ahbekjcf.exe	Afdiondb.exe
File created	C:\Windows\SysWOW64\Bdqlajbb.exe	Bnfddp32.exe
File opened for modification	C:\Windows\SysWOW64\Bbmcibjp.exe	Bqlfaj32.exe
File created	C:\Windows\SysWOW64\Cileqlmg.exe	Cepipm32.exe
File opened for modification	C:\Windows\SysWOW64\Cgcnghpl.exe	Cchbgi32.exe
File opened for modification	C:\Windows\SysWOW64\Akcomepg.exe	Alqnah32.exe
File created	C:\Windows\SysWOW64\Nefamd32.dll	Cileqlmg.exe
File created	C:\Windows\SysWOW64\Cinafkkd.exe	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Djdgic32.exe	Cgfkmgnj.exe
File opened for modification	C:\Windows\SysWOW64\Cocphf32.exe	Ckhdggom.exe
File created	C:\Windows\SysWOW64\Qndkpmkm.exe	Qcogbdkg.exe
File created	C:\Windows\SysWOW64\Dfqnol32.dll	Qpbglhjq.exe
File opened for modification	C:\Windows\SysWOW64\Acfmcc32.exe	Allefimb.exe
File created	C:\Windows\SysWOW64\Aoagccfn.exe	Akfkbd32.exe
File created	C:\Windows\SysWOW64\Bjkhdacm.exe	Abpcooea.exe
File opened for modification	C:\Windows\SysWOW64\Bnfddp32.exe	Bjkhdacm.exe
File created	C:\Windows\SysWOW64\Bigkel32.exe	Bbmcibjp.exe
File created	C:\Windows\SysWOW64\Maanne32.dll	Afdiondb.exe
File created	C:\Windows\SysWOW64\Kmapmi32.dll	Bjkhdacm.exe
File created	C:\Windows\SysWOW64\Cenljmgq.exe	Cbppnbhm.exe
File opened for modification	C:\Windows\SysWOW64\Cmpgpond.exe	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Qcogbdkg.exe	Pcljmdmj.exe
File created	C:\Windows\SysWOW64\Clojhf32.exe	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Alqnah32.exe	Aomnhd32.exe
File created	C:\Windows\SysWOW64\Dnbamjbm.dll	Bceibfgj.exe
File created	C:\Windows\SysWOW64\Bkegah32.exe	Bigkel32.exe
File created	C:\Windows\SysWOW64\Caifjn32.exe	Cjonncab.exe
File created	C:\Windows\SysWOW64\Cmpgpond.exe	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Nloone32.dll	Cmpgpond.exe
File opened for modification	C:\Windows\SysWOW64\Paknelgk.exe	Pidfdofi.exe
File opened for modification	C:\Windows\SysWOW64\Afdiondb.exe	Acfmcc32.exe
File created	C:\Windows\SysWOW64\Cgfkmgnj.exe	Cegoqlof.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32†Dhhhbg32.¿xe	Dpapaj32.exe
File opened for modification	C:\Windows\system32†Dhhhbg32.¿xe	Dpapaj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1780	2028	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 57 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcljmdmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cileqlmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abpcooea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqijljfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danpemej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aebmjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abmgjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akfkbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkegah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenljmgq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegoqlof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcogbdkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnfddp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcbhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clojhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aomnhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoagccfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinafkkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qndkpmkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afdiondb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alqnah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqlfaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bigkel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbppnbhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocphf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjonncab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjkhdacm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caifjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpgpond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pidfdofi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apedah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akcomepg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgoime32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acfmcc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0712c813b1411d90a009f99b31518d7873ee742ff67feaff990b7294e5429906N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnghel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahbekjcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbmcibjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepipm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdenafn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cchbgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpbglhjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Allefimb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdqlajbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paknelgk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcachc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbndpmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckhdggom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bniajoic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bceibfgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfkmgnj.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaddfb32.dll"	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmdlck32.dll"	Bnfddp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnfddp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nloone32.dll"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmcef32.dll"	Qndkpmkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnenf32.dll"	Bfdenafn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnfddp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qcogbdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aoagccfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Binbknik.dll"	Alqnah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbnbjo32.dll"	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfqnol32.dll"	Qpbglhjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apedah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjkhdacm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhogdg32.dll"	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acfmcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afdiondb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bigkel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkegah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Alqnah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bniajoic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abmgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeopijom.dll"	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apedah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afdiondb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdoaqh32.dll"	Aebmjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmbfdl32.dll"	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnghel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aacinhhc.dll"	Allefimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aebfidim.dll"	Akcomepg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkegah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qndkpmkm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnghel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obahbj32.dll"	Bdqlajbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgoime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbamjbm.dll"	Bceibfgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfdenafn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bqijljfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qcachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khpjqgjc.dll"	Apedah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccofjipn.dll"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gggpgo32.dll"	Abmgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Akfkbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcaibd32.dll"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olbkdn32.dll"	Qcachc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acfmcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maanne32.dll"	Afdiondb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 780	2816	0712c813b1411d90a009f99b31518d7873ee742ff67feaff990b7294e5429906N.exe	31
PID 2816 wrote to memory of 780	2816	0712c813b1411d90a009f99b31518d7873ee742ff67feaff990b7294e5429906N.exe	31
PID 2816 wrote to memory of 780	2816	0712c813b1411d90a009f99b31518d7873ee742ff67feaff990b7294e5429906N.exe	31
PID 2816 wrote to memory of 780	2816	0712c813b1411d90a009f99b31518d7873ee742ff67feaff990b7294e5429906N.exe	31
PID 780 wrote to memory of 2304	780	Pidfdofi.exe	32
PID 780 wrote to memory of 2304	780	Pidfdofi.exe	32
PID 780 wrote to memory of 2304	780	Pidfdofi.exe	32
PID 780 wrote to memory of 2304	780	Pidfdofi.exe	32
PID 2304 wrote to memory of 1908	2304	Paknelgk.exe	33
PID 2304 wrote to memory of 1908	2304	Paknelgk.exe	33
PID 2304 wrote to memory of 1908	2304	Paknelgk.exe	33
PID 2304 wrote to memory of 1908	2304	Paknelgk.exe	33
PID 1908 wrote to memory of 2756	1908	Pcljmdmj.exe	34
PID 1908 wrote to memory of 2756	1908	Pcljmdmj.exe	34
PID 1908 wrote to memory of 2756	1908	Pcljmdmj.exe	34
PID 1908 wrote to memory of 2756	1908	Pcljmdmj.exe	34
PID 2756 wrote to memory of 2672	2756	Qcogbdkg.exe	35
PID 2756 wrote to memory of 2672	2756	Qcogbdkg.exe	35
PID 2756 wrote to memory of 2672	2756	Qcogbdkg.exe	35
PID 2756 wrote to memory of 2672	2756	Qcogbdkg.exe	35
PID 2672 wrote to memory of 2720	2672	Qndkpmkm.exe	36
PID 2672 wrote to memory of 2720	2672	Qndkpmkm.exe	36
PID 2672 wrote to memory of 2720	2672	Qndkpmkm.exe	36
PID 2672 wrote to memory of 2720	2672	Qndkpmkm.exe	36
PID 2720 wrote to memory of 2540	2720	Qpbglhjq.exe	37
PID 2720 wrote to memory of 2540	2720	Qpbglhjq.exe	37
PID 2720 wrote to memory of 2540	2720	Qpbglhjq.exe	37
PID 2720 wrote to memory of 2540	2720	Qpbglhjq.exe	37
PID 2540 wrote to memory of 848	2540	Qcachc32.exe	38
PID 2540 wrote to memory of 848	2540	Qcachc32.exe	38
PID 2540 wrote to memory of 848	2540	Qcachc32.exe	38
PID 2540 wrote to memory of 848	2540	Qcachc32.exe	38
PID 848 wrote to memory of 1952	848	Qnghel32.exe	39
PID 848 wrote to memory of 1952	848	Qnghel32.exe	39
PID 848 wrote to memory of 1952	848	Qnghel32.exe	39
PID 848 wrote to memory of 1952	848	Qnghel32.exe	39
PID 1952 wrote to memory of 1832	1952	Apedah32.exe	40
PID 1952 wrote to memory of 1832	1952	Apedah32.exe	40
PID 1952 wrote to memory of 1832	1952	Apedah32.exe	40
PID 1952 wrote to memory of 1832	1952	Apedah32.exe	40
PID 1832 wrote to memory of 1932	1832	Aebmjo32.exe	41
PID 1832 wrote to memory of 1932	1832	Aebmjo32.exe	41
PID 1832 wrote to memory of 1932	1832	Aebmjo32.exe	41
PID 1832 wrote to memory of 1932	1832	Aebmjo32.exe	41
PID 1932 wrote to memory of 2528	1932	Allefimb.exe	42
PID 1932 wrote to memory of 2528	1932	Allefimb.exe	42
PID 1932 wrote to memory of 2528	1932	Allefimb.exe	42
PID 1932 wrote to memory of 2528	1932	Allefimb.exe	42
PID 2528 wrote to memory of 892	2528	Acfmcc32.exe	43
PID 2528 wrote to memory of 892	2528	Acfmcc32.exe	43
PID 2528 wrote to memory of 892	2528	Acfmcc32.exe	43
PID 2528 wrote to memory of 892	2528	Acfmcc32.exe	43
PID 892 wrote to memory of 2872	892	Afdiondb.exe	44
PID 892 wrote to memory of 2872	892	Afdiondb.exe	44
PID 892 wrote to memory of 2872	892	Afdiondb.exe	44
PID 892 wrote to memory of 2872	892	Afdiondb.exe	44
PID 2872 wrote to memory of 804	2872	Ahbekjcf.exe	45
PID 2872 wrote to memory of 804	2872	Ahbekjcf.exe	45
PID 2872 wrote to memory of 804	2872	Ahbekjcf.exe	45
PID 2872 wrote to memory of 804	2872	Ahbekjcf.exe	45
PID 804 wrote to memory of 992	804	Aomnhd32.exe	46
PID 804 wrote to memory of 992	804	Aomnhd32.exe	46
PID 804 wrote to memory of 992	804	Aomnhd32.exe	46
PID 804 wrote to memory of 992	804	Aomnhd32.exe	46

C:\Users\Admin\AppData\Local\Temp\0712c813b1411d90a009f99b31518d7873ee742ff67feaff990b7294e5429906N.exe
"C:\Users\Admin\AppData\Local\Temp\0712c813b1411d90a009f99b31518d7873ee742ff67feaff990b7294e5429906N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Windows\SysWOW64\Pidfdofi.exe
  C:\Windows\system32\Pidfdofi.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:780
- - C:\Windows\SysWOW64\Paknelgk.exe
    C:\Windows\system32\Paknelgk.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2304
  - - C:\Windows\SysWOW64\Pcljmdmj.exe
      C:\Windows\system32\Pcljmdmj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1908
    - - C:\Windows\SysWOW64\Qcogbdkg.exe
        
        C:\Windows\system32\Qcogbdkg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2756
      - C:\Windows\SysWOW64\Qndkpmkm.exe
        
        C:\Windows\system32\Qndkpmkm.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\Qpbglhjq.exe
        
        C:\Windows\system32\Qpbglhjq.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\SysWOW64\Qcachc32.exe
        
        C:\Windows\system32\Qcachc32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\Qnghel32.exe
        
        C:\Windows\system32\Qnghel32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:848
        
        C:\Windows\SysWOW64\Apedah32.exe
        
        C:\Windows\system32\Apedah32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\Aebmjo32.exe
        
        C:\Windows\system32\Aebmjo32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\Windows\SysWOW64\Allefimb.exe
        
        C:\Windows\system32\Allefimb.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\SysWOW64\Acfmcc32.exe
        
        C:\Windows\system32\Acfmcc32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\Afdiondb.exe
        
        C:\Windows\system32\Afdiondb.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:892
        
        C:\Windows\SysWOW64\Ahbekjcf.exe
        
        C:\Windows\system32\Ahbekjcf.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Aomnhd32.exe
        
        C:\Windows\system32\Aomnhd32.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:804
        
        C:\Windows\SysWOW64\Alqnah32.exe
        
        C:\Windows\system32\Alqnah32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:992
        
        C:\Windows\SysWOW64\Akcomepg.exe
        
        C:\Windows\system32\Akcomepg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1896
        
        C:\Windows\SysWOW64\Abmgjo32.exe
        
        C:\Windows\system32\Abmgjo32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2052
        
        C:\Windows\SysWOW64\Akfkbd32.exe
        
        C:\Windows\system32\Akfkbd32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:356
        
        C:\Windows\SysWOW64\Aoagccfn.exe
        
        C:\Windows\system32\Aoagccfn.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\Abpcooea.exe
        
        C:\Windows\system32\Abpcooea.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Windows\SysWOW64\Bjkhdacm.exe
        
        C:\Windows\system32\Bjkhdacm.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\Bnfddp32.exe
        
        C:\Windows\system32\Bnfddp32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2488
        
        C:\Windows\SysWOW64\Bdqlajbb.exe
        
        C:\Windows\system32\Bdqlajbb.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Bgoime32.exe
        
        C:\Windows\system32\Bgoime32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2300
        
        C:\Windows\SysWOW64\Bniajoic.exe
        
        C:\Windows\system32\Bniajoic.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1048
        
        C:\Windows\SysWOW64\Bceibfgj.exe
        
        C:\Windows\system32\Bceibfgj.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2288
        
        C:\Windows\SysWOW64\Bfdenafn.exe
        
        C:\Windows\system32\Bfdenafn.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Bqijljfd.exe
        
        C:\Windows\system32\Bqijljfd.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2656
        
        C:\Windows\SysWOW64\Bgcbhd32.exe
        
        C:\Windows\system32\Bgcbhd32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1880
        
        C:\Windows\SysWOW64\Bjbndpmd.exe
        
        C:\Windows\system32\Bjbndpmd.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2572
        
        C:\Windows\SysWOW64\Bqlfaj32.exe
        
        C:\Windows\system32\Bqlfaj32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Windows\SysWOW64\Bbmcibjp.exe
        
        C:\Windows\system32\Bbmcibjp.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Bigkel32.exe
        
        C:\Windows\system32\Bigkel32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2808
        
        C:\Windows\SysWOW64\Bkegah32.exe
        
        C:\Windows\system32\Bkegah32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Cbppnbhm.exe
        
        C:\Windows\system32\Cbppnbhm.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2060
        
        C:\Windows\SysWOW64\Cenljmgq.exe
        
        C:\Windows\system32\Cenljmgq.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\Ckhdggom.exe
        
        C:\Windows\system32\Ckhdggom.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Windows\SysWOW64\Cocphf32.exe
        
        C:\Windows\system32\Cocphf32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2884
        
        C:\Windows\SysWOW64\Cepipm32.exe
        
        C:\Windows\system32\Cepipm32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:688
        
        C:\Windows\SysWOW64\Cileqlmg.exe
        
        C:\Windows\system32\Cileqlmg.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2904
        
        C:\Windows\SysWOW64\Cpfmmf32.exe
        
        C:\Windows\system32\Cpfmmf32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Cinafkkd.exe
        
        C:\Windows\system32\Cinafkkd.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1188
        
        C:\Windows\SysWOW64\Ckmnbg32.exe
        
        C:\Windows\system32\Ckmnbg32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Cjonncab.exe
        
        C:\Windows\system32\Cjonncab.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Windows\SysWOW64\Cchbgi32.exe
        
        C:\Windows\system32\Cchbgi32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:916
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2324
        
        C:\Windows\SysWOW64\Clojhf32.exe
        
        C:\Windows\system32\Clojhf32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\Cmpgpond.exe
        
        C:\Windows\system32\Cmpgpond.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1884
        
        C:\Windows\SysWOW64\Cegoqlof.exe
        
        C:\Windows\system32\Cegoqlof.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2804
        
        C:\Windows\SysWOW64\Cgfkmgnj.exe
        
        C:\Windows\system32\Cgfkmgnj.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:584
        
        C:\Windows\SysWOW64\Djdgic32.exe
        
        C:\Windows\system32\Djdgic32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Danpemej.exe
        
        C:\Windows\system32\Danpemej.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2308
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        57⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 144
        58⤵
        Program crash
        
        PID:1780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abmgjo32.exe

Filesize
224KB

MD5
13eec40f762e1e578572a92b45723980

SHA1
d7fa7000750f1161118fce204023da22794d8227

SHA256
524cb194842a6df3156f29f568e92eb3f42f6ca5766c69b84dee1ad44a78dc21

SHA512
61892aeb56937c93392d22a2089461a58e2e466786dba2ccffdaee3b49dd8711becbd5df106305aac3e6e915833e52853a3184137ef40b7f2e87d15168436cf6

Download Submit
C:\Windows\SysWOW64\Abpcooea.exe

Filesize
224KB

MD5
b96e258c060b6d7f3ce06d1d86ef6ba6

SHA1
f20d87de6286391c5e72690e47064aa4bba4d70f

SHA256
fe68e7a45e4dfc9b28a87f16f808438f25751ffc3b32ccf0078ed921863a36bb

SHA512
1b9a40da3024b76aa589245fb5a3ef139461e630a8d3aaf2d0ac1d9bd6ff679e495a782fb5ea51d07d9617d4a568288a28effcb29318e8c9ac062432a57e662e

Download Submit
C:\Windows\SysWOW64\Acfmcc32.exe

Filesize
224KB

MD5
bcc33d1719a0b34d92968b43cc1dd99a

SHA1
57cf4f92875177d149eb6d6f4f41dc9d51eaf05a

SHA256
4bbbc0b21a46fadef863ca5e3ca63159344ffe892d94b4e28d27f5ab0e02fca7

SHA512
fe13cc9911939b2dd60bb5443dc800e2b165c0a509e9bc4c9058883459b4cff1d97dff9f836b9388589cc8cd40c8c22e7f7e05f6859d4b59d7e17a5e65d85145

Download Submit
C:\Windows\SysWOW64\Ahbekjcf.exe

Filesize
224KB

MD5
6370c0b9ffaed96329dbbbbb606a5567

SHA1
14beee805affbe8e4bc897d9b7b9b05fe166b727

SHA256
0ddf211a0817c72a257df8f64fd59fd60eb442e9c19f722c401bed521afccde9

SHA512
bba9522109d7cbbbcbc8d8fce442343838d5394c64a7b70fead897202555053079a6c5771275569ee31aa28b67518e88c41e561f6b7812fad4c043a7caf3d94c

Download Submit
C:\Windows\SysWOW64\Akcomepg.exe

Filesize
224KB

MD5
f22da0fe7289a3b1aee0eb5fb4ef77fd

SHA1
4195c314d5b860aef6eae94c0fd51ceafb0d1c2f

SHA256
0d0c56130291e953592b6ef85c1c7a61d7fd2fb3f42024c7e5b1b994ba2662cb

SHA512
1c4a8da89790dab73356af6b2732abb8d05e3aad34c13300f4cbd1cf6265a727dce9510211fde148f7fa0df94450cfb5e443971168d48a862073c53589bd6e2c

Download Submit
C:\Windows\SysWOW64\Akfkbd32.exe

Filesize
224KB

MD5
fe6f567e89352376f57ae60d7406d145

SHA1
eddfd97e88781c7fb85662dbcf0bbb514d098407

SHA256
c97318ae254f17f44249758a94f0e153cada356516f033711a7859b88439d15f

SHA512
a72d8d33ac378c689d3760afd2474d2d8592b6b3b918d1dcdf19a649c287b7e9c5b29ab2036c1a2322e8d7417e27920d53358d9bff9f511908ab054d95815b3c

Download Submit
C:\Windows\SysWOW64\Aoagccfn.exe

Filesize
224KB

MD5
415edcb5aa6b5ac7927e8eee62a563dd

SHA1
2412e66865afeb8e2f15ecf69529a7b9db2bf1b6

SHA256
c7f480cc059b1b74f58b30d60c996dd7dd8879c2189ac1b8ab0fa5c1991d43e2

SHA512
d16c48395eda8b9e35131f604848d4b2939defcf986f31460769bf049520abb04cf8ad5015ddf78ed1242bcc12eda29f26c865817ff63f3d063c61ca8eef2525

Download Submit
C:\Windows\SysWOW64\Bbmcibjp.exe

Filesize
224KB

MD5
65d3416ad0d9b79e9817ec2428eed802

SHA1
207c0dd26d6f405a6cccd630f76213ac8345ae88

SHA256
8810bbe08f1728830eb5db74e3cbef39e8fcd55530410cc88835298130a1c03e

SHA512
e33ae58c018f4790a534e415ea4b31af4ad001e0a7cc773a4a118af15e81f346fe0457c9c58ff3de27b54c6a129a4294c982725b575cec7ac40b3fe362684c4f

Download Submit
C:\Windows\SysWOW64\Bceibfgj.exe

Filesize
224KB

MD5
e6abafa88cce2f9790ce8064fd5daedc

SHA1
aa39924dd484a1a65d76fe5ad2652419dbd1ffc9

SHA256
29096a47f560c7cb23b878d023883f33af06e580c05a49d75bae0fcc072fe3d3

SHA512
6b4c5bb5ef4d2146ee24ec6c9a0c45f061e3493aac7234b77d40434f4f66a66251e36a5ea6b9a1c01da057d1823be91a556ccc23e6cb6db7c806852b5e1dbc66

Download Submit
C:\Windows\SysWOW64\Bdqlajbb.exe

Filesize
224KB

MD5
becb3bb21c638d085b366d1b59174fd4

SHA1
ad872c527c226d6d6532ca800b9158b7fc2d99f0

SHA256
542cb18c1e868e53e98646d7fbd6b3b6fc3a3b07b2ab19e90f193ef6956659c8

SHA512
346f68e6f0f88315998d9a0d1938d03db6b956b4ebdf59db0dbc41333987606bddb452b6407c15660d583199481fb1cbedcb56c5d9b59774e2ab82a6543e99c5

Download Submit
C:\Windows\SysWOW64\Bfdenafn.exe

Filesize
224KB

MD5
9f305917171938e0c06a019c329a71e7

SHA1
40fdbbdd08dac2a73a81d016f397b781e4d3841b

SHA256
d6a3b297769908ba54d5c8cfd8814f3b873044d226c277c8e22f77e204f0b435

SHA512
e9bffe3e20c720d4ba6183c28392307faf1b7da92e6d1fd6288d87e7ab1a415f0da067382aab24a6d3865dd63ccd1db4cc624aa2d1d3046e1e15a3710744edd1

Download Submit
C:\Windows\SysWOW64\Bgcbhd32.exe

Filesize
224KB

MD5
1b9b500fc2e0104a14c3f7970fe66658

SHA1
0a25f7e1f410e983a427e7928280a4543cc7d598

SHA256
91538cabed895615adabe355d3752b94d29b562067c80b7a2cf099e6b0fc764d

SHA512
473db8ec2d277f6c360ff4844d48348c3e582677fe96cd8d24a5767cf15806898bbee76d4f94fcffbf811a8aa38eb48c770014cdc0203e007d449fc2c301176f

Download Submit
C:\Windows\SysWOW64\Bgoime32.exe

Filesize
224KB

MD5
960fc5c3d492c4a0293c7ac1629cf92c

SHA1
dca562058a8b8b144c59f5cf1ded2e7ac16ac081

SHA256
c75bf95318d3e4f9f3d9416912e6bfb4df26afbd9da2e585bca9878544c0a86a

SHA512
e2783cbeb256974c917ffac16cb77167eb1374f80d17e5a28335449f97b402f78eeeba2383ed8cdaaa2dd5c25d7f5ad8cd71aabdb58143cd2bd873aa21a44ce8

Download Submit
C:\Windows\SysWOW64\Bigkel32.exe

Filesize
224KB

MD5
388813f634a3069b1fe26bcf091827fc

SHA1
6eabc1c33ccf306c28eaf8ae633dbd8634f6f0fc

SHA256
80a141c1121aefd4c390ef35799742dde1c55324d552b23117e25f1ed0ec9a2a

SHA512
533e7a903f5209f8a532dd1893c1f1b126b1739b10f8bb3723910a1b782c1401ef2e6bc1f2a88e5681db521edd657c064ed68ef9a5bc4e8eac8aec6b6f276dcb

Download Submit
C:\Windows\SysWOW64\Bjbndpmd.exe

Filesize
224KB

MD5
e90f1cbc138fc59325cc38cd8635d0e1

SHA1
63774acc6ddff140b39d6fc653acddb31161f3f3

SHA256
4666261db4c31cf821eba0db4c4b688b14cec55af2de94ec7db39333a159b00b

SHA512
89fdd5c6ae069c1a7289357feedbf982871156ff08d9c40a4a78e26356304561c69832f51de3016ed0c99ec8489eeeb755cc1bdd7f6d49cedca2ac073a154f80

Download Submit
C:\Windows\SysWOW64\Bjkhdacm.exe

Filesize
224KB

MD5
5d53ecd2bbed22e2bd8bb7eec08e3744

SHA1
a531a98ba8cdd5479dae76f5d786f9cb6db22efe

SHA256
802178a43e78e1d940e0ed3c652d2612e803893913383fdfd6a498ac5ef7f82a

SHA512
ac65b8ca2a4c83639cd980ea1a45f0ab01fe14d68e5910abe84d83081f3bb46c93c099fc167bb877a3c9985ff867a50317796666fc965efd024ab3e3a5f23eeb

Download Submit
C:\Windows\SysWOW64\Bkegah32.exe

Filesize
224KB

MD5
4fb8abd4de9fc44c90ee770b6b633f23

SHA1
765bf98653f49e34f59522bd06aa9118f50882ae

SHA256
0266562cc088fd31a6efa228e800495c25900c48c2ce7f7ce4500ed6a7892852

SHA512
537a61a10da2b7044e5f21296571719c357904300a2de7d187afdacdaa374c0dd8546e8e80e5c8f194b243f637012e9b22517165b0ef0c99d5746652fa69c176

Download Submit
C:\Windows\SysWOW64\Bnfddp32.exe

Filesize
224KB

MD5
f872dcec0e6cc5084541c5cf6cc6f36b

SHA1
8c000bdd35a48816ab83f493d6c858a88444382b

SHA256
03f8fc9db22460fd72019e9f3e66eafe560416bed245dea75661869f9a1c2de6

SHA512
71789a0323bee3cf08ac5c7cd3a354af812accf07171a5abe94be6a556603c79b08c55a6723de9730fd66a43c477616301931108fd187158d6ec5942e2f03fa0

Download Submit
C:\Windows\SysWOW64\Bniajoic.exe

Filesize
224KB

MD5
8560ace87a38153e054469406b68a8b2

SHA1
dac3d786b14921a2f9dd23b22a2e35268ad161e9

SHA256
6189cb49fca41bacac1359ef05f9f70c654c0e64221baaf7c9436a3b8bf7d8c9

SHA512
08450454fa7609af6690de724009c4a3a6a142ad841c63dc57344452fe5aba532c1e2bb8456ae622c3de7adc150d5b6dc21e518722077e89783703af29c6d4b5

Download Submit
C:\Windows\SysWOW64\Bqijljfd.exe

Filesize
224KB

MD5
31020672ccaa3d3a22611b8ce93fdb31

SHA1
94dd0c5d0a1db3f7bab42843f4cb53719073c889

SHA256
544075d9dad1baf78a87a35723497b6d2afb761a674a78878027b3e52cc23bc7

SHA512
3133a782ad325b6e9c4122c85dbfcd28337e8a9eadcf6c64a5e9de6df07a1533c48719c9a5829daf79817c7e168b1c372ab23a520cf8f68f932618e681eaffd7

Download Submit
C:\Windows\SysWOW64\Bqlfaj32.exe

Filesize
224KB

MD5
767a2e0583be031193d52e082e0a978b

SHA1
c52301b36ff424a5fd5a01fdff03a2372721218a

SHA256
8ae507654f6e38bc26fb88798286ab5b15f387113f3ea676db9150279a0bfaf0

SHA512
7e69bc185cb476e12a5d8af6af4fec69b78f6bf20c08c418712c9be017d39b627965d2e697ff78cc3b7192662e73eac0dd4d5283971e806fb0f1b4d92b41c5ef

Download Submit
C:\Windows\SysWOW64\Caifjn32.exe

Filesize
224KB

MD5
829e7a56a8c0844a99a8b90964160c70

SHA1
b80aa54c3d4580f380288eaa832c733b1a80d9a4

SHA256
ade717353576f6395b05bad22079f78db5e8cde83d0bb172e9cb7aeb22c99f24

SHA512
05b9e687bd0b7b6257552049275d456c75c7a104352bd1c70a59aba4abc22605d76d1dddab1c3c173f9b8bebca3ca4bce7a320f91ae308da65ece0e833a4ecfb

Download Submit
C:\Windows\SysWOW64\Cbppnbhm.exe

Filesize
224KB

MD5
67e18adafee3139997686b08151cdda6

SHA1
8145c7a89ed3881699f6d6a2c64eca984eb8c395

SHA256
7426f5b1b4a66286e315291ebf2f28794fde93e15b84dd7139bdc8c62f4e6942

SHA512
9de9ddb3931d367a0aee92d99993a1511a1d8af3c61a6906d302dbf23cc1343748d48d4bb777c0d41a0c23a22b883b6de9d48da2e4e0345593e4020c1f8582eb

Download Submit
C:\Windows\SysWOW64\Cchbgi32.exe

Filesize
224KB

MD5
42715d8211ffd0cc7ea19fc2375eb35b

SHA1
f9fa5b6a8e8dac6ac004b777eb20399874b05842

SHA256
df283e7a8edc3bada0caa4d4c99ba94d3cc3d71dc9a23d87d88d74a36bddb098

SHA512
85c2931233c049e0aa9b252f1767b2b835bb30959f0527e1412c35c13fc6b2d541644a1c98abb3200890f481654091f6fbb0acc3b267db2d6d483a1e18be2fe2

Download Submit
C:\Windows\SysWOW64\Cegoqlof.exe

Filesize
224KB

MD5
b98ed564877936233d24692389c64d12

SHA1
96f53ac61bf19d0e82d5b1b5c4f2a79cdd04704c

SHA256
ac228c1b8390416a8c753fc2c2c4a672a3f53349d89d9384f5314377a111ef48

SHA512
6dc164fbaf35c8b80bbc7f0a0ccdd6477171497586960f40619e28d80b3d9537b2574dfad34f360d2faab1802acc2a9b506b93fcdb72d7f4b1302a338c131484

Download Submit
C:\Windows\SysWOW64\Cenljmgq.exe

Filesize
224KB

MD5
23f4c0229fdcb3f367035353caa820b0

SHA1
a78169773d3d30d3bce7565a390cb1f33961e988

SHA256
8aa78c8ded9fd514cc0f0c8537c419b42aab00f67ff6c254d07fd5a1d77a18ed

SHA512
13b4ff8bf54586ae51712a0df36d46716bad0c294247c9e1e27801a345601c72dd5e5f9bedd50ba7fd9415f25ab14cda476b44a6de51c6349049f92d418db531

Download Submit
C:\Windows\SysWOW64\Cepipm32.exe

Filesize
224KB

MD5
76072ec26d8d2e21ae067eee7aacc254

SHA1
b03be3fb3b79d5f2b2f0e3f690e863656941dc5d

SHA256
3739e2fd5dd1f21a926623d1930eb86d558a1df7b13db1e5caa79e574beda1d8

SHA512
1336d07de4f36414c7bd04db2e8af6eb27c5773c6db18e990cd401b5216b93d53615918d75243bef405d616c781ea52092c1673ab69204121236df079db5f7a2

Download Submit
C:\Windows\SysWOW64\Cgcnghpl.exe

Filesize
224KB

MD5
442eb13b3c27a9add8718d53ab34a11e

SHA1
2c9933a71802389cbed1fedc4b2f20211e45e14a

SHA256
44dceccf342ee3198121f5dacac79f19cbf5bab60f583fe04cb9e91a18cf8d6b

SHA512
1b4b3fb1a24f9089d6326002e6a57cda0c64287f7f8c93da9b38385ea6698a602db6621e4866cf88b4827fe5f58ab82615d147af3ef3f23f58e089d278139154

Download Submit
C:\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
224KB

MD5
fa29525a490f4bea311165356d29e8db

SHA1
76574de7c64949ffb15224dbfc6474e919b41d22

SHA256
0626dced5abd08ea331bdbe134716c31e6315e40818fdb2bb33ab4387bf8d517

SHA512
a2f0557a468dcdedaf6985af243474153873510e50b0890451a7fa8133d785d7aa448a0bd65b8b3d6b48a474fd9d9902988ef3135d392ea8e123752b8310db21

Download Submit
C:\Windows\SysWOW64\Cileqlmg.exe

Filesize
224KB

MD5
5dca19ed143fa24ac48cd0ef0d74fc2c

SHA1
5ecb3245dadb333cc8aeb107c986cd329462756c

SHA256
b903934a1e536f1ba07015ecce6ef9482679256bed9f355cbbb57cfe788c55b2

SHA512
285909acfe36806410ccf02c674a90edec80f50ef0c51fe2560f42d2851a2c328e427e245a9b352d2c361397cee0a8baec7c16b6479d185daf5728c691417ba6

Download Submit
C:\Windows\SysWOW64\Cinafkkd.exe

Filesize
224KB

MD5
3fefe7c0d6fc14a6945db3c586bdaf2d

SHA1
8a9f14f1de18758491d21e3f4c25cb77b8958a74

SHA256
dfa9f36332660561b7bfdae2aa231b50f0f3e907ec3c6770570f1b8872c80745

SHA512
32c26b8960f873911e3b671026f64a25c2428b6dcac83530038937a82480fdda8b1b5d4fa290da35549d36be8c3f4f4e49758d08756b24f06bd141bdfec23b1a

Download Submit
C:\Windows\SysWOW64\Cjonncab.exe

Filesize
224KB

MD5
e5cf944c5f4b330fd8e6e6668e4e7994

SHA1
624e6e9b6a38ef852f6a819633e57be5cb444fd9

SHA256
e402afcb296f4c628d0bf176033fcfccf0392f2057a3c2199752877f42a5ff75

SHA512
ca2dd070aa0af4c7a2e9dbc8ad3f4c03ed317df7f7077252c287a45dd0d81efe6ca3845a44bf7ab41c4a1ec7156bd504db73acb8b9f1ce09e983d281b551dea5

Download Submit
C:\Windows\SysWOW64\Ckhdggom.exe

Filesize
224KB

MD5
877c89cfdd3b79d3234723e04a6d7d85

SHA1
8e40329e1bfb158fe8098cc2e69147f513b70e60

SHA256
bab4a89b2ed2ff20236aaeb4313a8d88479ae7f4f694f1ac4c133edb5f1e14cd

SHA512
9486f6d2b2d9edea55b9e6faab40799d78bd3b98a9962e33ba46dde6c9f9b4e1936d23d6a2ac9e624272b2aefbadeee92049b2cdb1feca8f122816183cfc9dc2

Download Submit
C:\Windows\SysWOW64\Ckmnbg32.exe

Filesize
224KB

MD5
f3ad5afd5f8a9de734b4e4a6f7b54a12

SHA1
48e4954a402764077c59976888029999e91df85e

SHA256
5185c6f1302a6acae186f9fd28a0575c00a3fe385e13dd34a1678788e440eef8

SHA512
0adff441e366dc40bc87dc21b69b366c008f04905fcece21e8e1714c110fde37a3a75d83e9c7e4c70fd313d11af9a7a13c0dbf75ffdfc3c45ccc60bf0b0beb07

Download Submit
C:\Windows\SysWOW64\Clojhf32.exe

Filesize
224KB

MD5
dce0ca37aaaed6361220ec96faa632b4

SHA1
c629c9355f9e4d6ae343f7811509fb386fddb64b

SHA256
87667e4fb10b5d0bab01215fcd4c7d62d699dcd73bfc5a47001d3a85bf938ef1

SHA512
53a5c5e002889f11ce12d2dce811c62341cd046b7048f9896d45a0eac454e9100b66a9abfd58f92be5f0854fdb22de6d41631165a4af1e59a812117a225f2907

Download Submit
C:\Windows\SysWOW64\Cmpgpond.exe

Filesize
224KB

MD5
bfd98bfefda84b707db83fe18d284455

SHA1
e82ae088f678a5845f1bcc8bcc5afc2e2e804361

SHA256
7aaa246de5d175ae3dde1f6e3c9cc7ef95e4f53fb4c502605b71fec04b89bb3b

SHA512
059648d7c217cb51816160180c7d8fa69a3c88ec14eb315a41999cbd62e75b164011e93953162feb024d1a5152fb1ebcec2eb20c32a44dcd8a415153afd939bb

Download Submit
C:\Windows\SysWOW64\Cnmfdb32.exe

Filesize
224KB

MD5
28dc3d23cc85f9d1032252a00032be9a

SHA1
8afd4e0219492d3f9445ea0f8694c70a0e55caf7

SHA256
b64fc048554abe6dc9525b1eaa80c95b593c361ae79e54312c88a550d10f9590

SHA512
6afd5817c522cb4a9e740c6d6495ed1a95c552bd8f5c059d5733f11cf38a7a5ea06b086fe6e7f332a8fcfff15007ced7264fe6e89f163e7d07556bf694a421ba

Download Submit
C:\Windows\SysWOW64\Cocphf32.exe

Filesize
224KB

MD5
f9611357820fad46c042591884439428

SHA1
ceaa8d7dd0b01ce54578cc7d37b2b35fa3e414fc

SHA256
36a3cd1bb5eb326513283b5076afd2e68f381c67e4ee1eafdee5fe15891d16ba

SHA512
320b1b3caf53b14a1bb3506ed1edf66e17c1271bf17b934c791302daf7d480080d34fc92ee508e93ae93f7fe5e6e476481583cfd7ab2b3400359dc552d2d8d69

Download Submit
C:\Windows\SysWOW64\Cpfmmf32.exe

Filesize
224KB

MD5
8101eee7013c524a47dcb4987ea8f6f1

SHA1
d5730311b4df9c37610a13f4ddb8ee8141cfdae3

SHA256
2a990dc4a8d3675df05aebddfe5b2bafa732328d9f370bc54ccb0ad3be74aa2b

SHA512
6ffabcf464c0953e1cef06959f9f3b083ad1bfdc68ce8815bf7319c776408a61e7c655f5566b27bc0fe73e8399a92e715c4c102ea3f301f4f2e4b9358c58a08c

Download Submit
C:\Windows\SysWOW64\Danpemej.exe

Filesize
224KB

MD5
8072e270943ff495a1b9d447fe72c095

SHA1
25c56755353af64d70e3b139ebe33a15dbe7793f

SHA256
bab8b279206e95f616307bc2711d2decdb6c3f4cf62b904d2e184384e0396973

SHA512
85d605c4baf41a6a51d0b0b5e5b27215ea9280c6505ca27bfca10f1be269a5eddd4f27610adea299b3be9eaef2451a5000dba0f7accb134f53c2f43fb8ed5128

Download Submit
C:\Windows\SysWOW64\Djdgic32.exe

Filesize
224KB

MD5
9d0489f428426025b6160f296ac05b43

SHA1
d007311bf1e40204a794d644c3426d1f67043427

SHA256
4ddb3bd52d00444f231e984e6059649b46fb19460caa88354e0e0178dfff31ea

SHA512
332c9e79a66680e01b9c73251385d394eb3548dc47655877c6ac638ac385bb00d1a106c7a6e8e2ca71d23e70549cc4b9144576b092f4a5173b3496b3eda97b0d

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
224KB

MD5
7a48463ab4d3734641f4b5fe138391fb

SHA1
54b2cd0829b730a98dd24e99561491007ca7b11b

SHA256
22cbf5934380c3ab566588759464a3da7d36235f12c7db7dcff7d8b1864d1f4f

SHA512
2d35471ac27bf994fd81cea6d6d3ebeef514f593c16234ae80abb8035f8ac1ae2802d8a5863ac08063b69dfeb1f39a24a1b84487b92c0e8cb1587e86958fbe76

Download Submit
C:\Windows\SysWOW64\Paknelgk.exe

Filesize
224KB

MD5
f4921971c21ac3547094c5365bdbbb74

SHA1
8a67d63d63399119127933714b21c08f84e94bbf

SHA256
292b1c15e03c1dbd15bd0a134c1076e23c2f0a1e0c5dff2582ae1c111a1f4e83

SHA512
e6841f59b6d20fea76151c70b2a31983cab2de6c5feef38e4cfad706677a1a4bbdeae26d3e888bac1f62b6238cd200718ca8a6363d2e6a311860a9cf4a0d10b0

Download Submit
C:\Windows\SysWOW64\Qndkpmkm.exe

Filesize
224KB

MD5
5ad530f50299876c41232533d6d46b57

SHA1
dcc44c8833b61f1a88d8841e23020787626a5092

SHA256
a6aea866c2e6390dbc85daa3d6aa0e57a46c70c455274a384cce254ef4afdf67

SHA512
1efd301e0972b0df73b6e66e72be9d712e5c90bafd93aa2dd1c34a31940056cf959b35a5d5278854ff7895db223fecdca05a809d2b7a01a96cf8082dd39839ff

Download Submit
C:\Windows\SysWOW64\Qpbglhjq.exe

Filesize
224KB

MD5
333c86ae7d9cbf2b1dd8aa320c7eed7c

SHA1
6c35b5d95017e9849e78a67c061eed5dddb75f0c

SHA256
9391729542b834a9e2dc03054ab9ed021213654289f851553aa5dcfe3102ab29

SHA512
2a2497185eee6a0e87cfe2db267c30bf8d3d6239e7a94548da5cf57d0a93a79175713cfb2899e66ad8dbffb08220eb0fed7adc6b69b480b9ebbebdf9b6cfb167

Download Submit
\Windows\SysWOW64\Aebmjo32.exe

Filesize
224KB

MD5
205e846a130f8e6eef9c1c56a06d7b9d

SHA1
569e2db292d0e3fdcbdf12cb7c6080e715d3c0d1

SHA256
8751ac342ac4113e807a7c026529c6556fb96ca444550342400885f8845e1168

SHA512
e484f3db2b5ddd3cc3964cb80337bb7b46ab7fca8a8e0853bfc8a04eb38265d4251756751bdf2686f73b8003850a9aeea684546eef85fc6e808431872bee3050

Download Submit
\Windows\SysWOW64\Afdiondb.exe

Filesize
224KB

MD5
f95ec7b77ba33f73a3b88abd921355c4

SHA1
0fa160adcd8f98ae8d42ece065d354d66fa40b69

SHA256
5ddabe27520ea6f50e55dc91d6124c23c107c68292aa1d520aa109158cb01ef4

SHA512
c4cc8492d5528de4dd5927b61d9dd24ea283f362957bc8439e4ad23727f9777f64c6d0c75120f77a28db30fa4f27604d1876dc3f0a22985ba5509479a46118a3

Download Submit
\Windows\SysWOW64\Allefimb.exe

Filesize
224KB

MD5
823d14a1c01b9d865b5921f604b7a244

SHA1
e297276c476b2da2728467b0cb88a2eec699df58

SHA256
aa037234c408de1d75ad8e6675b40ce74b682d5db3b46c0eca4d2d971d84b8d5

SHA512
0064bbb9984b0f852a791795888edc3ad59e94579f3c679a97a8615467cbf213b975f7091d3b26ab259d3a8ef4c4f5fe1e08fffd6f60b6eb994366e81391758f

Download Submit
\Windows\SysWOW64\Alqnah32.exe

Filesize
224KB

MD5
6890fec5319a28ef6aaa320e35f09521

SHA1
38a597872e8e75e31cef24b3c2f353f0a0d00ba4

SHA256
847eead2af3f907bd33dbad933629b6fff45bc901c351459a0df5fdc360dd8bb

SHA512
b3b61938ffd2a98b2b054897c05cc643703d704e9a07f8b24e26c6060a5e6e2ae87640ac477f5286528fbfcc5a5449dff6d328fcaf65572b8cc7e6e9b2f576bc

Download Submit
\Windows\SysWOW64\Aomnhd32.exe

Filesize
224KB

MD5
30269b9da790e7c648cdf89fd0c65e64

SHA1
3fdd3327f0ad02969d6f81bb863ea03ec17fd480

SHA256
fb757cf77a995ad42ba806d981ecfb61d7a3532a6927e0d61790d5010635dbd0

SHA512
c416621e87593fa15001bc7c05f56354076896121752e75f108d0e920903eaf3213186353bb76661ec50da4532c16dd6b44e2ee1d7943605bc33ae2e0ee0643e

Download Submit
\Windows\SysWOW64\Apedah32.exe

Filesize
224KB

MD5
d910e9c4d11fe6bf50a4d3cae6b8fa69

SHA1
6b94d94f7ae0445972867c9e450e6ec2b80140be

SHA256
3160c37d2725cb74b8650586c0df78497829486c6021a02fac9d4e49bceff407

SHA512
52ac7e408e74f4175985abd5bb4718d658bf88519f2d5d5877a5839cb44f9edf79e0719abaedeec924c7e2a2a79a7e4c04042b3290d5b557fb5bc71c987a70f4

Download Submit
\Windows\SysWOW64\Pcljmdmj.exe

Filesize
224KB

MD5
7a3013d94d758ce937b9e8bbbb9a8eb4

SHA1
b7622af278dda5246a224f29f1b7ab078dc4c8b8

SHA256
4cbde792c67c6af4c1327f8721b792ddd04e542e6488f811b3384a7c5d5fe81a

SHA512
c1d910a29aada19067ded420757a173b2fa74eacaa13379634d559fe2c44a49c795edc48b447671b5d9209cd6bc66d187196bc5a9045ec7e7b0e684513c094c4

Download Submit
\Windows\SysWOW64\Pidfdofi.exe

Filesize
224KB

MD5
a3cd62bbc0bb2a70f5cb40032fab3d11

SHA1
ffc32c6a54def90db39f4ce76da800c9c433850a

SHA256
9d4bbe78a36c08edc27a4b3f593dab9ae48202b88bd976a797cfc1ceaa623087

SHA512
ebca0db22a45c92ee938ba23441209496f44a05fafb7d3b0564e535e98aaa2bed16fb7ddb15ac09c9712acea661d30b89883095e895232cec42b367dec41e1e2

Download Submit
\Windows\SysWOW64\Qcachc32.exe

Filesize
224KB

MD5
59800b807ac4b37b6975f3f87d72895d

SHA1
40e606653ef8670401ad72ef5c1833eb180360df

SHA256
9999eb2cdcf7a74182d210bbd56363e8a86edff50507c69ef68eaea145d8fa0f

SHA512
d71b1be36ef9340cacf57550d43bcee5672f827edc055f241f974b3546ffc67f9a1cac1fb79bfadd3d5f3549d7ccbf664a4138b99bc95cdcab1af81a54ecc2a9

Download Submit
\Windows\SysWOW64\Qcogbdkg.exe

Filesize
224KB

MD5
eb8ac2d3a291ab762ff67fafbc348cf8

SHA1
72fd58cbe7710e3efef07532673469ea83267141

SHA256
76478057dd65b55369c9302f58b31be38fac79c9d35d30a9dae5d8047f403531

SHA512
418da8e52d47a11a998d4cad72360885e9cbc11f4f00bd517a5e5b1f6c4d6adeddcfe75ff7eaf2784aabf297064d85b7afe9fa7911e90d58787860ce3ac8e58c

Download Submit
\Windows\SysWOW64\Qnghel32.exe

Filesize
224KB

MD5
0b5da096d23fdcb8263867dd30bdcbbb

SHA1
405d1c7bcf816107f9852f21ed013f2f2e791e81

SHA256
d7e0a7c6d5600db19dcbb35a4df2b4064091c0f554289879137c5b7ce47674f6

SHA512
58d31685a9ba707e586801d6fe92d0afea66ad6a6d6fe130293debff2bdb83656444fac92b27439954443639bd382cd54413afcddd321a3e56ceb4e88003c60e

Download Submit
memory/356-258-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/356-248-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/356-257-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/688-479-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/780-14-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/780-375-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/804-215-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/848-115-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/848-453-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/892-175-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/892-188-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/992-216-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/992-223-0x0000000001F50000-0x0000000001F90000-memory.dmp

Filesize
256KB

Download
memory/1048-334-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/1048-335-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/1048-325-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1832-474-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1832-143-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/1832-135-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1856-447-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1880-371-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1880-379-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/1896-237-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/1896-227-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1896-233-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/1908-401-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1908-52-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/1932-154-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1932-157-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1948-423-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1952-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1952-463-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1952-133-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/1976-265-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/1976-259-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1976-269-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/2052-247-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2052-243-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2060-439-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2060-437-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2104-281-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2104-291-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/2104-290-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/2288-336-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2288-345-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/2288-346-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/2300-324-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2300-323-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2300-314-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2304-35-0x0000000001F30000-0x0000000001F70000-memory.dmp

Filesize
256KB

Download
memory/2304-27-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2304-380-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2420-457-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2424-495-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2488-292-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2488-302-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/2488-301-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/2528-494-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2540-443-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2540-102-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2572-390-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2572-386-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2656-367-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2656-357-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2656-373-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2672-419-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2672-80-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/2676-392-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2676-402-0x0000000000300000-0x0000000000340000-memory.dmp

Filesize
256KB

Download
memory/2676-397-0x0000000000300000-0x0000000000340000-memory.dmp

Filesize
256KB

Download
memory/2688-355-0x0000000000300000-0x0000000000340000-memory.dmp

Filesize
256KB

Download
memory/2720-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2720-432-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2720-89-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/2756-62-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/2756-412-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2756-54-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2808-413-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2816-366-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/2816-356-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2816-12-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/2816-7-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/2816-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2872-197-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2872-189-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2884-473-0x0000000001F40000-0x0000000001F80000-memory.dmp

Filesize
256KB

Download
memory/2884-464-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2904-493-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2904-488-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3000-407-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3024-279-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/3024-280-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/3024-274-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3044-312-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/3044-313-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/3044-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads