berbew | 8ee2312572cd1bb554d542e2245a58bfb785cc077fa26b28c11b3b6f82262ed8

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 13:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ee2312572cd1bb554d542e2245a58bfb785cc077fa26b28c11b3b6f82262ed8.exe
Size

232KB
MD5

194e82832d5bbb026b4932bea9c0c73d
SHA1

8456fb63d1896033cc499b204edf1f080fd90b69
SHA256

8ee2312572cd1bb554d542e2245a58bfb785cc077fa26b28c11b3b6f82262ed8
SHA512

f5d854a6f980b21e5f149eb2cbcdde20c70a962cd11bddeb4a083654c4c9c5e1474978e3eec85e400cacba8253b5e7a9f2d46374a58063ae00d53668a61cdcaa
SSDEEP

3072:gAPY9Lm4bbXgU7usluTXp6UF5wzec+tZOnU1/s5HH0AU/yRvS3u121TzlbNRfzPl:gCYIu7n6s21L7/s50z/Wa3/PNlPl

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bigkel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qiioon32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caifjn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqgmfkhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccmpce32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apgagg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaimopli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahgofi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accqnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmeiq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqijljfd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahgofi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnfddp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adifpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akcomepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnfddp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bigkel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgllgedi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjklenpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akcomepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgllgedi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cepipm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qiioon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aoagccfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqgmfkhg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaimopli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	8ee2312572cd1bb554d542e2245a58bfb785cc077fa26b28c11b3b6f82262ed8.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgjccb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmeiq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	8ee2312572cd1bb554d542e2245a58bfb785cc077fa26b28c11b3b6f82262ed8.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apgagg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accqnc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoagccfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqijljfd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgjccb32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 33 IoCs

pid	Process
2088	Qgjccb32.exe
2956	Qiioon32.exe
2704	Qjklenpa.exe
2876	Accqnc32.exe
2432	Apgagg32.exe
2616	Aaimopli.exe
1096	Adifpk32.exe
1804	Akcomepg.exe
2096	Ahgofi32.exe
1128	Aoagccfn.exe
1328	Bgllgedi.exe
1300	Bnfddp32.exe
2648	Bjmeiq32.exe
2380	Bqgmfkhg.exe
2040	Bqijljfd.exe
2996	Bieopm32.exe
956	Bbmcibjp.exe
1472	Bigkel32.exe
908	Ccmpce32.exe
1824	Cbppnbhm.exe
1528	Ciihklpj.exe
2144	Cmedlk32.exe
2080	Cfmhdpnc.exe
3028	Cepipm32.exe
900	Cpfmmf32.exe
2272	Cbdiia32.exe
2832	Cgaaah32.exe
2884	Cnkjnb32.exe
2728	Caifjn32.exe
2580	Ceebklai.exe
2140	Cegoqlof.exe
2792	Cgfkmgnj.exe
2324	Dpapaj32.exe

Loads dropped DLL 64 IoCs

pid	Process
1484	8ee2312572cd1bb554d542e2245a58bfb785cc077fa26b28c11b3b6f82262ed8.exe
1484	8ee2312572cd1bb554d542e2245a58bfb785cc077fa26b28c11b3b6f82262ed8.exe
2088	Qgjccb32.exe
2088	Qgjccb32.exe
2956	Qiioon32.exe
2956	Qiioon32.exe
2704	Qjklenpa.exe
2704	Qjklenpa.exe
2876	Accqnc32.exe
2876	Accqnc32.exe
2432	Apgagg32.exe
2432	Apgagg32.exe
2616	Aaimopli.exe
2616	Aaimopli.exe
1096	Adifpk32.exe
1096	Adifpk32.exe
1804	Akcomepg.exe
1804	Akcomepg.exe
2096	Ahgofi32.exe
2096	Ahgofi32.exe
1128	Aoagccfn.exe
1128	Aoagccfn.exe
1328	Bgllgedi.exe
1328	Bgllgedi.exe
1300	Bnfddp32.exe
1300	Bnfddp32.exe
2648	Bjmeiq32.exe
2648	Bjmeiq32.exe
2380	Bqgmfkhg.exe
2380	Bqgmfkhg.exe
2040	Bqijljfd.exe
2040	Bqijljfd.exe
2996	Bieopm32.exe
2996	Bieopm32.exe
956	Bbmcibjp.exe
956	Bbmcibjp.exe
1472	Bigkel32.exe
1472	Bigkel32.exe
908	Ccmpce32.exe
908	Ccmpce32.exe
1824	Cbppnbhm.exe
1824	Cbppnbhm.exe
1528	Ciihklpj.exe
1528	Ciihklpj.exe
2144	Cmedlk32.exe
2144	Cmedlk32.exe
2080	Cfmhdpnc.exe
2080	Cfmhdpnc.exe
3028	Cepipm32.exe
3028	Cepipm32.exe
900	Cpfmmf32.exe
900	Cpfmmf32.exe
2272	Cbdiia32.exe
2272	Cbdiia32.exe
2832	Cgaaah32.exe
2832	Cgaaah32.exe
2884	Cnkjnb32.exe
2884	Cnkjnb32.exe
2728	Caifjn32.exe
2728	Caifjn32.exe
2580	Ceebklai.exe
2580	Ceebklai.exe
2140	Cegoqlof.exe
2140	Cegoqlof.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bqgmfkhg.exe	Bjmeiq32.exe
File created	C:\Windows\SysWOW64\Ihkhkcdl.dll	Bjmeiq32.exe
File opened for modification	C:\Windows\SysWOW64\Bbmcibjp.exe	Bieopm32.exe
File opened for modification	C:\Windows\SysWOW64\Ccmpce32.exe	Bigkel32.exe
File created	C:\Windows\SysWOW64\Jpebhied.dll	Bqijljfd.exe
File opened for modification	C:\Windows\SysWOW64\Cepipm32.exe	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Cegoqlof.exe	Ceebklai.exe
File opened for modification	C:\Windows\SysWOW64\Accqnc32.exe	Qjklenpa.exe
File opened for modification	C:\Windows\SysWOW64\Apgagg32.exe	Accqnc32.exe
File created	C:\Windows\SysWOW64\Aaimopli.exe	Apgagg32.exe
File created	C:\Windows\SysWOW64\Bjmeiq32.exe	Bnfddp32.exe
File created	C:\Windows\SysWOW64\Bqijljfd.exe	Bqgmfkhg.exe
File created	C:\Windows\SysWOW64\Incjbkig.dll	Accqnc32.exe
File created	C:\Windows\SysWOW64\Aoagccfn.exe	Ahgofi32.exe
File created	C:\Windows\SysWOW64\Bbmcibjp.exe	Bieopm32.exe
File opened for modification	C:\Windows\SysWOW64\Cbppnbhm.exe	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Ciihklpj.exe	Cbppnbhm.exe
File created	C:\Windows\SysWOW64\Nefamd32.dll	Cepipm32.exe
File opened for modification	C:\Windows\SysWOW64\Cbdiia32.exe	Cpfmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Ceebklai.exe	Caifjn32.exe
File created	C:\Windows\SysWOW64\Qgjccb32.exe	8ee2312572cd1bb554d542e2245a58bfb785cc077fa26b28c11b3b6f82262ed8.exe
File created	C:\Windows\SysWOW64\Eoobfoke.dll	Akcomepg.exe
File created	C:\Windows\SysWOW64\Bigkel32.exe	Bbmcibjp.exe
File created	C:\Windows\SysWOW64\Hmdeje32.dll	Ccmpce32.exe
File opened for modification	C:\Windows\SysWOW64\Cmedlk32.exe	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Bieopm32.exe	Bqijljfd.exe
File created	C:\Windows\SysWOW64\Ccmpce32.exe	Bigkel32.exe
File created	C:\Windows\SysWOW64\Cmedlk32.exe	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Cceell32.dll	Qiioon32.exe
File created	C:\Windows\SysWOW64\Adifpk32.exe	Aaimopli.exe
File opened for modification	C:\Windows\SysWOW64\Akcomepg.exe	Adifpk32.exe
File created	C:\Windows\SysWOW64\Dqaegjop.dll	Ahgofi32.exe
File created	C:\Windows\SysWOW64\Dgnenf32.dll	Bqgmfkhg.exe
File opened for modification	C:\Windows\SysWOW64\Cnkjnb32.exe	Cgaaah32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Kmapmi32.dll	Bgllgedi.exe
File created	C:\Windows\SysWOW64\Mfakaoam.dll	Bieopm32.exe
File created	C:\Windows\SysWOW64\Fchook32.dll	Bigkel32.exe
File created	C:\Windows\SysWOW64\Olpecfkn.dll	8ee2312572cd1bb554d542e2245a58bfb785cc077fa26b28c11b3b6f82262ed8.exe
File created	C:\Windows\SysWOW64\Qjklenpa.exe	Qiioon32.exe
File created	C:\Windows\SysWOW64\Hcopgk32.dll	Qjklenpa.exe
File created	C:\Windows\SysWOW64\Akcomepg.exe	Adifpk32.exe
File created	C:\Windows\SysWOW64\Bnfddp32.exe	Bgllgedi.exe
File opened for modification	C:\Windows\SysWOW64\Cfmhdpnc.exe	Cmedlk32.exe
File created	C:\Windows\SysWOW64\Cgaaah32.exe	Cbdiia32.exe
File created	C:\Windows\SysWOW64\Ceebklai.exe	Caifjn32.exe
File created	C:\Windows\SysWOW64\Cgfkmgnj.exe	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Cgfkmgnj.exe
File opened for modification	C:\Windows\SysWOW64\Aaimopli.exe	Apgagg32.exe
File created	C:\Windows\SysWOW64\Bgllgedi.exe	Aoagccfn.exe
File created	C:\Windows\SysWOW64\Cpfmmf32.exe	Cepipm32.exe
File opened for modification	C:\Windows\SysWOW64\Cegoqlof.exe	Ceebklai.exe
File opened for modification	C:\Windows\SysWOW64\Cpfmmf32.exe	Cepipm32.exe
File created	C:\Windows\SysWOW64\Nloone32.dll	Ceebklai.exe
File created	C:\Windows\SysWOW64\Egfokakc.dll	Aaimopli.exe
File opened for modification	C:\Windows\SysWOW64\Bjmeiq32.exe	Bnfddp32.exe
File opened for modification	C:\Windows\SysWOW64\Bqijljfd.exe	Bqgmfkhg.exe
File created	C:\Windows\SysWOW64\Lmajfk32.dll	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Qgejemnf.dll	Cmedlk32.exe
File opened for modification	C:\Windows\SysWOW64\Caifjn32.exe	Cnkjnb32.exe
File opened for modification	C:\Windows\SysWOW64\Qjklenpa.exe	Qiioon32.exe
File created	C:\Windows\SysWOW64\Accqnc32.exe	Qjklenpa.exe
File opened for modification	C:\Windows\SysWOW64\Bieopm32.exe	Bqijljfd.exe
File opened for modification	C:\Windows\SysWOW64\Bigkel32.exe	Bbmcibjp.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32†Dfkhndca.¿xe	Dpapaj32.exe
File opened for modification	C:\Windows\system32†Dfkhndca.¿xe	Dpapaj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2620	2324	WerFault.exe	63

System Location Discovery: System Language Discovery 1 TTPs 34 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnfddp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbmcibjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceebklai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bigkel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepipm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegoqlof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ee2312572cd1bb554d542e2245a58bfb785cc077fa26b28c11b3b6f82262ed8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjklenpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apgagg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adifpk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoagccfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfkmgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgllgedi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmedlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqijljfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdiia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgjccb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahgofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkjnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accqnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmeiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciihklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akcomepg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqgmfkhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bieopm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caifjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qiioon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaimopli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmpce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbppnbhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmhdpnc.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoobfoke.dll"	Akcomepg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahgofi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgllgedi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qjklenpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Incjbkig.dll"	Accqnc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bigkel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aoagccfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhgpia32.dll"	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Binbknik.dll"	Adifpk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjmeiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpebhied.dll"	Bqijljfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olpecfkn.dll"	8ee2312572cd1bb554d542e2245a58bfb785cc077fa26b28c11b3b6f82262ed8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Akcomepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgllgedi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bqgmfkhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejemnf.dll"	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgloog32.dll"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aoagccfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oinhifdq.dll"	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bigkel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjmeiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bqijljfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaqnpc32.dll"	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgjccb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Akcomepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjmeignj.dll"	Aoagccfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihkhkcdl.dll"	Bjmeiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkppib32.dll"	Apgagg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adifpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnfddp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	8ee2312572cd1bb554d542e2245a58bfb785cc077fa26b28c11b3b6f82262ed8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qiioon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cceell32.dll"	Qiioon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcopgk32.dll"	Qjklenpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Accqnc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	8ee2312572cd1bb554d542e2245a58bfb785cc077fa26b28c11b3b6f82262ed8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egfokakc.dll"	Aaimopli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bqgmfkhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjhmge32.dll"	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aaimopli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnenf32.dll"	Bqgmfkhg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bqijljfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liempneg.dll"	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgaaah32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1484 wrote to memory of 2088	1484	8ee2312572cd1bb554d542e2245a58bfb785cc077fa26b28c11b3b6f82262ed8.exe	31
PID 1484 wrote to memory of 2088	1484	8ee2312572cd1bb554d542e2245a58bfb785cc077fa26b28c11b3b6f82262ed8.exe	31
PID 1484 wrote to memory of 2088	1484	8ee2312572cd1bb554d542e2245a58bfb785cc077fa26b28c11b3b6f82262ed8.exe	31
PID 1484 wrote to memory of 2088	1484	8ee2312572cd1bb554d542e2245a58bfb785cc077fa26b28c11b3b6f82262ed8.exe	31
PID 2088 wrote to memory of 2956	2088	Qgjccb32.exe	32
PID 2088 wrote to memory of 2956	2088	Qgjccb32.exe	32
PID 2088 wrote to memory of 2956	2088	Qgjccb32.exe	32
PID 2088 wrote to memory of 2956	2088	Qgjccb32.exe	32
PID 2956 wrote to memory of 2704	2956	Qiioon32.exe	33
PID 2956 wrote to memory of 2704	2956	Qiioon32.exe	33
PID 2956 wrote to memory of 2704	2956	Qiioon32.exe	33
PID 2956 wrote to memory of 2704	2956	Qiioon32.exe	33
PID 2704 wrote to memory of 2876	2704	Qjklenpa.exe	34
PID 2704 wrote to memory of 2876	2704	Qjklenpa.exe	34
PID 2704 wrote to memory of 2876	2704	Qjklenpa.exe	34
PID 2704 wrote to memory of 2876	2704	Qjklenpa.exe	34
PID 2876 wrote to memory of 2432	2876	Accqnc32.exe	35
PID 2876 wrote to memory of 2432	2876	Accqnc32.exe	35
PID 2876 wrote to memory of 2432	2876	Accqnc32.exe	35
PID 2876 wrote to memory of 2432	2876	Accqnc32.exe	35
PID 2432 wrote to memory of 2616	2432	Apgagg32.exe	36
PID 2432 wrote to memory of 2616	2432	Apgagg32.exe	36
PID 2432 wrote to memory of 2616	2432	Apgagg32.exe	36
PID 2432 wrote to memory of 2616	2432	Apgagg32.exe	36
PID 2616 wrote to memory of 1096	2616	Aaimopli.exe	37
PID 2616 wrote to memory of 1096	2616	Aaimopli.exe	37
PID 2616 wrote to memory of 1096	2616	Aaimopli.exe	37
PID 2616 wrote to memory of 1096	2616	Aaimopli.exe	37
PID 1096 wrote to memory of 1804	1096	Adifpk32.exe	38
PID 1096 wrote to memory of 1804	1096	Adifpk32.exe	38
PID 1096 wrote to memory of 1804	1096	Adifpk32.exe	38
PID 1096 wrote to memory of 1804	1096	Adifpk32.exe	38
PID 1804 wrote to memory of 2096	1804	Akcomepg.exe	39
PID 1804 wrote to memory of 2096	1804	Akcomepg.exe	39
PID 1804 wrote to memory of 2096	1804	Akcomepg.exe	39
PID 1804 wrote to memory of 2096	1804	Akcomepg.exe	39
PID 2096 wrote to memory of 1128	2096	Ahgofi32.exe	40
PID 2096 wrote to memory of 1128	2096	Ahgofi32.exe	40
PID 2096 wrote to memory of 1128	2096	Ahgofi32.exe	40
PID 2096 wrote to memory of 1128	2096	Ahgofi32.exe	40
PID 1128 wrote to memory of 1328	1128	Aoagccfn.exe	41
PID 1128 wrote to memory of 1328	1128	Aoagccfn.exe	41
PID 1128 wrote to memory of 1328	1128	Aoagccfn.exe	41
PID 1128 wrote to memory of 1328	1128	Aoagccfn.exe	41
PID 1328 wrote to memory of 1300	1328	Bgllgedi.exe	42
PID 1328 wrote to memory of 1300	1328	Bgllgedi.exe	42
PID 1328 wrote to memory of 1300	1328	Bgllgedi.exe	42
PID 1328 wrote to memory of 1300	1328	Bgllgedi.exe	42
PID 1300 wrote to memory of 2648	1300	Bnfddp32.exe	43
PID 1300 wrote to memory of 2648	1300	Bnfddp32.exe	43
PID 1300 wrote to memory of 2648	1300	Bnfddp32.exe	43
PID 1300 wrote to memory of 2648	1300	Bnfddp32.exe	43
PID 2648 wrote to memory of 2380	2648	Bjmeiq32.exe	44
PID 2648 wrote to memory of 2380	2648	Bjmeiq32.exe	44
PID 2648 wrote to memory of 2380	2648	Bjmeiq32.exe	44
PID 2648 wrote to memory of 2380	2648	Bjmeiq32.exe	44
PID 2380 wrote to memory of 2040	2380	Bqgmfkhg.exe	45
PID 2380 wrote to memory of 2040	2380	Bqgmfkhg.exe	45
PID 2380 wrote to memory of 2040	2380	Bqgmfkhg.exe	45
PID 2380 wrote to memory of 2040	2380	Bqgmfkhg.exe	45
PID 2040 wrote to memory of 2996	2040	Bqijljfd.exe	46
PID 2040 wrote to memory of 2996	2040	Bqijljfd.exe	46
PID 2040 wrote to memory of 2996	2040	Bqijljfd.exe	46
PID 2040 wrote to memory of 2996	2040	Bqijljfd.exe	46

C:\Users\Admin\AppData\Local\Temp\8ee2312572cd1bb554d542e2245a58bfb785cc077fa26b28c11b3b6f82262ed8.exe
"C:\Users\Admin\AppData\Local\Temp\8ee2312572cd1bb554d542e2245a58bfb785cc077fa26b28c11b3b6f82262ed8.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Windows\SysWOW64\Qgjccb32.exe
  C:\Windows\system32\Qgjccb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Windows\SysWOW64\Qiioon32.exe
    C:\Windows\system32\Qiioon32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2956
  - - C:\Windows\SysWOW64\Qjklenpa.exe
      C:\Windows\system32\Qjklenpa.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Windows\SysWOW64\Accqnc32.exe
        
        C:\Windows\system32\Accqnc32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2876
      - C:\Windows\SysWOW64\Apgagg32.exe
        
        C:\Windows\system32\Apgagg32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\SysWOW64\Aaimopli.exe
        
        C:\Windows\system32\Aaimopli.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\SysWOW64\Adifpk32.exe
        
        C:\Windows\system32\Adifpk32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1096
        
        C:\Windows\SysWOW64\Akcomepg.exe
        
        C:\Windows\system32\Akcomepg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\SysWOW64\Ahgofi32.exe
        
        C:\Windows\system32\Ahgofi32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\SysWOW64\Aoagccfn.exe
        
        C:\Windows\system32\Aoagccfn.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Windows\SysWOW64\Bgllgedi.exe
        
        C:\Windows\system32\Bgllgedi.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1328
        
        C:\Windows\SysWOW64\Bnfddp32.exe
        
        C:\Windows\system32\Bnfddp32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Windows\SysWOW64\Bjmeiq32.exe
        
        C:\Windows\system32\Bjmeiq32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Windows\SysWOW64\Bqgmfkhg.exe
        
        C:\Windows\system32\Bqgmfkhg.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\SysWOW64\Bqijljfd.exe
        
        C:\Windows\system32\Bqijljfd.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\Bieopm32.exe
        
        C:\Windows\system32\Bieopm32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Bbmcibjp.exe
        
        C:\Windows\system32\Bbmcibjp.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:956
        
        C:\Windows\SysWOW64\Bigkel32.exe
        
        C:\Windows\system32\Bigkel32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1472
        
        C:\Windows\SysWOW64\Ccmpce32.exe
        
        C:\Windows\system32\Ccmpce32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:908
        
        C:\Windows\SysWOW64\Cbppnbhm.exe
        
        C:\Windows\system32\Cbppnbhm.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1824
        
        C:\Windows\SysWOW64\Ciihklpj.exe
        
        C:\Windows\system32\Ciihklpj.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Cmedlk32.exe
        
        C:\Windows\system32\Cmedlk32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2144
        
        C:\Windows\SysWOW64\Cfmhdpnc.exe
        
        C:\Windows\system32\Cfmhdpnc.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2080
        
        C:\Windows\SysWOW64\Cepipm32.exe
        
        C:\Windows\system32\Cepipm32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\Cpfmmf32.exe
        
        C:\Windows\system32\Cpfmmf32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:900
        
        C:\Windows\SysWOW64\Cbdiia32.exe
        
        C:\Windows\system32\Cbdiia32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2272
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2832
        
        C:\Windows\SysWOW64\Cnkjnb32.exe
        
        C:\Windows\system32\Cnkjnb32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2728
        
        C:\Windows\SysWOW64\Ceebklai.exe
        
        C:\Windows\system32\Ceebklai.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\Cegoqlof.exe
        
        C:\Windows\system32\Cegoqlof.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2140
        
        C:\Windows\SysWOW64\Cgfkmgnj.exe
        
        C:\Windows\system32\Cgfkmgnj.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2792
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        34⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2324
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 144
        35⤵
        Program crash
        
        PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaimopli.exe

Filesize
232KB

MD5
e146268452fbb550ead1e0ed677f1cbf

SHA1
9a0fca3dc36267860e43cc09da26d23062cb43cc

SHA256
e172ddb34600a97f61826757aa8d5625e089abff19c8bcd57d1c8f94e7a09125

SHA512
014e7331a85bc43c48d32e0c08193794ad00e2a7b5c819fea93686a60ec93be250dc04e1a3d5931d1442aba65040f2f44a423dcd5828f8dc7b868de0c5576f87

Download Submit
C:\Windows\SysWOW64\Accqnc32.exe

Filesize
232KB

MD5
3c13dff933b8e648b8bee20d7a8368bc

SHA1
581a5a54002bb19e448d06deec4649f0684e191c

SHA256
2d6751105b8d68fade018934d6a80db5c6b2c037c18630fe6ba2ea192646f69e

SHA512
a4bfffb82c8e558432b5ac4094c8ce0c1fe30e6c1fe1116832929fb005d747c2a8e73ccd5b32fcab821dfad353bad52034d036af638707671e47bd4106f02105

Download Submit
C:\Windows\SysWOW64\Aoagccfn.exe

Filesize
232KB

MD5
42d1b626fca02a77b80895f4f7f3e955

SHA1
5530b9ce54f22165e6040f738bf492d5ee5e2de3

SHA256
673369d4072f70a0b11c9d735eec77519a9f86b62feedcf09dabab5027d89c61

SHA512
cfde26b1b7227db5f3ef44c387975d48ad775b7733d74e61c1e58eb3a45f44339b962d4840496ef79e9babcd6229fb07311b2f1cca86cc6cdc13dd385f737c71

Download Submit
C:\Windows\SysWOW64\Bbmcibjp.exe

Filesize
232KB

MD5
0d599f04429a7b969186953452ae4d84

SHA1
f799f6c618603125f40684dcefe055f8de8274b1

SHA256
e364091414985fccc56710add57dbb05cb68f31bbaa469f0ac3f9ea7c0b914f7

SHA512
f81a5f4c7cffd48d3aa2c84f639d7aae2f338b36610d7095c4339fee80ef7692df1c7c583ade50a1f76311a6b1e0bffd9e3b629c04b148e4047c43ee9fe0f6a0

Download Submit
C:\Windows\SysWOW64\Bigkel32.exe

Filesize
232KB

MD5
c81b3ea7ce5acd0e5f708fc944f07062

SHA1
4665d967357ee3472bc1a65989b9f56cbeeb16e7

SHA256
231ecb37adf8695c6c56c2ba276fac31d9b62572abcdcb43cda1c0411a7be92d

SHA512
39d0edb4e329d6d84cfd794e8b225fc32aa37ac424c3efbb65394ce526bfd1fe70778d2f10b94fc5fd082a0567ff271852e45425d235880f6b3b15e0a222d795

Download Submit
C:\Windows\SysWOW64\Bnfddp32.exe

Filesize
232KB

MD5
f745fcaa87cc5537aaadb59fc9bab489

SHA1
a79065e23b259dc2a42c1a241ebf8066bce473d4

SHA256
38b342ada3d02d6e8c9ee3f729a4bcfea9fdcecd1e3b996bb3509d3c2ce68a56

SHA512
71a8bca0e5fab4705a9b4adc14fd93366a320723f127e2fd647a779f5290ee1559847bcd6d67e519870df6d763ac506e82d78d58df8e5c246b760ec8326aa608

Download Submit
C:\Windows\SysWOW64\Caifjn32.exe

Filesize
232KB

MD5
72a4a4c45e5ad677b359526c86e9883e

SHA1
aa47d131b9b46e069eb9476da05ef37ac8d32b8c

SHA256
c2f9f90d03f8b96e1838a6425186e35fb290313c6c51f20a07db031627b87a9b

SHA512
0d6d483244fbc6c0cea8b94e1ee1324382640a406044564d38d0290de6ac8fa13c2fa954193dc8d30a7bdd6d35d3a4cb8905e93656ba722f9b3c558d6d09f306

Download Submit
C:\Windows\SysWOW64\Cbdiia32.exe

Filesize
232KB

MD5
d299b3aaa53b3c88a07cded363bb7487

SHA1
63b8e0bd423d5ec8cdf6dfe6a1899fcdfa7f1556

SHA256
760e7594ffd6daac271aa2e9f24fbb19deaa538c87d20e817dbf08850d0a8b1a

SHA512
52e7b1f109ee6a27da7defa63c35bb80776ad6fc8c34ad2ca88c75b02fd3a56ad0e5f01e5f08bac10e27da61da7ad110957f6aef1e975209af2803bf6f63a922

Download Submit
C:\Windows\SysWOW64\Cbppnbhm.exe

Filesize
232KB

MD5
ae9268bc12630f4469e70a6b3d01b39e

SHA1
d6b469b8057734d1dd08e26f242aaa3bfdb0f664

SHA256
20978a36d9263a4a0a66b004909c1a5dd91444059f5af1d60749cbd9078063c7

SHA512
b48b0b762747e550d5a3403f3276b6602a71a31633ee905bd8cc01a08a0cb2a055bd245500a8d70e49ada4ef0a61da82c966507fb63c8b332fb0348274675c43

Download Submit
C:\Windows\SysWOW64\Ccmpce32.exe

Filesize
232KB

MD5
ca9c0cf25407c81890588dcacf63f81d

SHA1
527084c142d3122b37f7d6d00f16f7b479793b24

SHA256
7e4de8ef3b99d881c50b6202fb2156fb341587fadfe3da928dd20e55643c135c

SHA512
2b2462df6a1e4440faa118f1912d6b65ef532225e18fd48736c82ff4daf9d83af34fef943c59dedd423ba2466deb2c544acc9e19842e8b8304c8e9440d4716c8

Download Submit
C:\Windows\SysWOW64\Ceebklai.exe

Filesize
232KB

MD5
06ba8558b48fcf31e1cefe6114970604

SHA1
e72f9715ace842eaa32dcdf0f860c96eaffd4edd

SHA256
67ae0367e6e62695d60cf892238d9a1d3a03bd4105e21db9a9ce84dbfebee59d

SHA512
d5a350ff32be048db14abba809e19e8a3e7eeabd4b5820e01ae87e3d1c7effb9c52c542b0b489f4ba81e6e1d098595bb74cea0104782cd4e0ab73117f4b5bdca

Download Submit
C:\Windows\SysWOW64\Cegoqlof.exe

Filesize
232KB

MD5
3efd62cca63339b5aca4a737afe3e04c

SHA1
512827d3628c4eac83d443117daa7175eb07b40d

SHA256
dcd692bb9ed1d06dde9ae1294e9b40c19536b7c2d9b33d0a6ecff5031b827f2a

SHA512
e4d64b3f020efacfc79328c17a31430bbb8702c296ddc9340a9b9de43a981a31cd0189084095751d05d7f79c88b480b5cce3ae09311982b090e9d475bbd986cc

Download Submit
C:\Windows\SysWOW64\Cepipm32.exe

Filesize
232KB

MD5
3cf84413d0239ceab286e63d6fda94e8

SHA1
dba3a295f04bb45e36214429dcea8bab8166b212

SHA256
6bf2bfb03d8e584f18b636b1748b1d447665c82941d6d70db4f80696fad94129

SHA512
4c448b0aa96418592bb8314a3e32efb5a3ee1586f0b3a893903ccc553cd80f2665464b360c99a10d4a93caff4b5dda0ddabe3f0c7f43327329ba8b9ff8b12193

Download Submit
C:\Windows\SysWOW64\Cfmhdpnc.exe

Filesize
232KB

MD5
73cb05765c9b74d3333f23a8abf4cb22

SHA1
bbebe20caf67e5f0e9afe05cdbaad05a0dd08557

SHA256
056beeebc6bd65c3652ce07e40cc259d31955d2b0b36d44f0992b4a7dce78e13

SHA512
5a08bc853d349f13957bcea48506dc19ff4c3a99d12ed3c9ae4770f72124ca7757257427c3bd89a2040044a7a03cb894e5903a8b4220c643c44c18ae974f1bc0

Download Submit
C:\Windows\SysWOW64\Cgaaah32.exe

Filesize
232KB

MD5
3c34aad87290ee0f729b826eb295c623

SHA1
49742fa3aba3eb168633b1dfa1c216b92a3b06a7

SHA256
1ecf9caa96a1171c721d70476e4f47ee1c487623602d018a18b16b7a08361ce9

SHA512
b25d8a550739af442efa09bede0a3032637324632c72d1dd75dc5b210a66ca0ac8ab16f28474338d23013581151979ec06cbc04d11b46406d89c881be1e32804

Download Submit
C:\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
232KB

MD5
2b7b00ef05cf3d94cf2a67d7a67cefe1

SHA1
2c58c36f66f991f896b682ee773352b19588e513

SHA256
2639cbc3bb22174618ff68930e26bb8963ddeb3de23524cf94db518d7ce35979

SHA512
4164bd9256c5a122e1859d8f19a0cc70ba1c0a78765440eb74150fda1a6a73ccc65e105fa7afcbe27e05f0146ed5eb810bbf286aecb1b456e0e738071c798ed2

Download Submit
C:\Windows\SysWOW64\Ciihklpj.exe

Filesize
232KB

MD5
3a7852a5c651468a9b04515371e37893

SHA1
41a77c2ec7cd6c33ba6c8a3ad9af41e57a11bed5

SHA256
633ac23a82ed428a4d9b4408757b37915090cc41b903c09fe2775f6f3add9b9a

SHA512
df44b67570acfdaa69186a7f9df4c7c20a0ef6a40a7440209a1175148d50199f6c6e224883994c8deba1a825c9299f0bdfe36cf8ba2f0dbc9bd7cb6a76e5511a

Download Submit
C:\Windows\SysWOW64\Cmedlk32.exe

Filesize
232KB

MD5
c3c38bed9b06c0a3b75a6493767516c9

SHA1
659423256008e00d1345ae707074223567f82f67

SHA256
89c2917cf88cfba5ad4080b8f2959a373a6c3c60a662e762c0ee5defbf104926

SHA512
78cc1490b7593aa90ea5a9c109ea7e4c6f4848e6a8df7b690d16ebf11560383835ab65c0189be778a77fa2a23de3083ed267087bf3b1c42248fbdab27789b7c1

Download Submit
C:\Windows\SysWOW64\Cnkjnb32.exe

Filesize
232KB

MD5
799a26cf949f8be0a645d98eaa4e9069

SHA1
fcbc4a76be8b16226f9e037a118091892651bfee

SHA256
d703b653aeb400bf37018ade00cd6e745327cb4b0d4fcd196ace96ead88f551d

SHA512
4da247cb7997de22485c783eff7101cb3546bd7023af203e7af3368d60e928d3f2a46f2aecb1982fe1ab67a9a7e31ecc1071f9a0ce09aaf44736d947b506d2c4

Download Submit
C:\Windows\SysWOW64\Cpfmmf32.exe

Filesize
232KB

MD5
576a9dcc4bf5eecd1a74a3b88b854a70

SHA1
b6beb1a9c57432acf33144d2b8f2004096b86fed

SHA256
a760266af888883df1ae08c0bbed60d6abc79b01a17d74b502e03750bc4643f2

SHA512
e9c93afe4279fd8dddf1afc32cab31ef94b65fc6312e30301d1c81b3b6a3e6d7b2ef41f67197d679ff733aa40dd16fc1bc6ced19d369f985baf483feb836f107

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
232KB

MD5
52049ab78937fa8a7019f13793cbedc3

SHA1
f295f097ca0d4a228bd21417aa38544445875cdc

SHA256
10b6a549497dee2bd9f30cdb133af15045fe13683c6c6022be449ad7b39a070d

SHA512
44395b9c06a1b1265931a26e2bf205f401f7a691516586797428c56a3764edb9d14e99fbe9299ac1175fe5ac79c537de3b2e147f6bc496c6a44ac4aa19dfbfa6

Download Submit
C:\Windows\SysWOW64\Qgjccb32.exe

Filesize
232KB

MD5
4b7545bde0d1c37392c16c73e21d77f5

SHA1
e2381d7350a912b76a21ddc8aa6f6d704ca5122d

SHA256
ab7ed501a6e5ac19361805e72ef3e1c46f9d38b67c34237814d2c0f9ea206ad7

SHA512
9e296966b10f0bfb49c2755c1995366810021bf689d11076ab58a5bb977b3adc9d891eb776b1df18978da2428c61026ffc7b36befd0b59eb2d00173e34de6c88

Download Submit
C:\Windows\SysWOW64\Qiioon32.exe

Filesize
232KB

MD5
ff4a8316cdabb7669936899c0efc4c0c

SHA1
450a6c5a7d99b5ded21e74c6076f0662fd606b1e

SHA256
8e68c13d85e681b539b3f8cb8353b74ff2eb5e0d4c82123ef603cd94a54f1f19

SHA512
6458d2f62c49c74bfa264c08409a2af5b42404874a0580ec8a4af9e04ace2b22a84d46b37af3d210843080c4ecf5989ffa6b2b46fafcab50942c1a52f082cd9a

Download Submit
\Windows\SysWOW64\Adifpk32.exe

Filesize
232KB

MD5
96f5b9e15f01964d96868c4d3625f247

SHA1
cbb7c56924b8125b399e27cea6055f614fe4bb63

SHA256
f815753f43b47032c3c6e2f0e2f026928af305a298e8ee2665516e97908d2be0

SHA512
54c3f33275aee9b41c69c14891706246fad596e5eb04e219f4d0ea9675458271860bfe24355fdc0a8bf32d583a6fc87f75bf459a874959a449c0a968bbe50158

Download Submit
\Windows\SysWOW64\Ahgofi32.exe

Filesize
232KB

MD5
916858b73fc8b34ff93019232e9a20d1

SHA1
b96014bdf2e7e151736c8dd3d41f50f463c8bdbc

SHA256
1620f192f5b622f34a943dfb0bc1020c6eb28a98c2ddb031b8ca5c2d68b0ed00

SHA512
3760529ff7fe8455be550a3be58fd581296a1ba1ae6e4d07a3c1eec6e39a9e8042a4d47f25487b5590557102feb4876e1a1a391f23c453c1185da81470f5dce2

Download Submit
\Windows\SysWOW64\Akcomepg.exe

Filesize
232KB

MD5
2d71c72913fca0dfd8cfc711d9783eaf

SHA1
765172f205702e0013fd0b9cbf799bb26a1d7eef

SHA256
67f8f65e22901f3fdd211cfad62991f8879a9a24e6c900cabbbbb8e5e5d2ae78

SHA512
b74a3bc690396f80778b9b36d0b36fe543f1edfb3dd1caaba57047c4524b5ce6df0ad0e64ff727a53d9eead8a6f3f5f44e98a0d45f0c691ee86038df68384a86

Download Submit
\Windows\SysWOW64\Apgagg32.exe

Filesize
232KB

MD5
312fd41a18cd2feb2830ed79a8aaf4be

SHA1
087c33a88f5d7b6e605ab79d0ce0de85a0509cae

SHA256
cfec85fd9d7d16d2feb75e73c1f912dfc00f54ab7bd965e7ee328f93207c546e

SHA512
dad47b6d0af6e171851679f98c8e2e553966184a13bca46026f3e6edbe203193012bd096cd136cb5fd522bf9cf4c26570d70e809b9851effd3edbc458809a718

Download Submit
\Windows\SysWOW64\Bgllgedi.exe

Filesize
232KB

MD5
0cd4d0b61a643337e3dfa860743309fe

SHA1
44ced531c1cb8964aaf38482b31d00c9bfb15e16

SHA256
6ac8d22440712defc4f4fa08aa498a67899fd26470c1256220a8f9d3922371fb

SHA512
7c68d540c6b0bd210860de88109b9ebeac55b99f1a70fac5b05c165af234a66a01413be19307fd6189c1299ffd457ced38e2bf4add3d2a98f56514ca7fac9718

Download Submit
\Windows\SysWOW64\Bieopm32.exe

Filesize
232KB

MD5
ca0f11adea6de4d0d411bbc9f10982d6

SHA1
3848ed7ca3ea7631e6fd5fc63cf298e338806b65

SHA256
ab9203a981fceab9f5b03e42076f142eb467ce9fe349886dd19663a4289ed090

SHA512
9c532d3bc4e3d841be2441f0f45e1526953daf0fb03fcf992aa258d438ec5756f58cd1b4d3fab69211825a6c055f9ac3aedae16a60711a0253a44fa71de6b52e

Download Submit
\Windows\SysWOW64\Bjmeiq32.exe

Filesize
232KB

MD5
2f07025b33c074b2d98eecd73a500181

SHA1
6f99117b20a34c09eda2bda852d522752b939ffd

SHA256
a558f70b9eb5129c93693bc503a1635dba69c63e58786495683039f12dbcee45

SHA512
d39be1b3fea2a95e7e10406bf09cd0d81fc83053e35cb5d31737095ca19405a4a59b4e4f93e98aca9369ac767b2caae5f1fc7a0bf3216cf8a846779b9d07a91f

Download Submit
\Windows\SysWOW64\Bqgmfkhg.exe

Filesize
232KB

MD5
980f2bc880076b0d1cca929bad3080fa

SHA1
7de7a16125da3594fadb25347a9227daf76effd2

SHA256
15b9ab2e7b4c92df5516dcbd64fb46bd15efe5ce37d7eb66fcd7d28ca76cbe20

SHA512
480eeab7e64653865231d3a607f88cfa994149acb70056641f1c9015799233957183b8f43910500cfdeb1e156d5cd209242368bcbb6e2fd48286e2f38d505c38

Download Submit
\Windows\SysWOW64\Bqijljfd.exe

Filesize
232KB

MD5
5118677c713edcd40c6e7c166e66a397

SHA1
66da0257d768d1418771fce0fb31ecd8d282babf

SHA256
c650c979c517ff20597c88a19b57e680846f868a0d809b22da47ddd670d8dbbd

SHA512
acd376c604d6bbd072d2661e35a661ebb14dd97d0fda7fdb63f49b253fb60628c2678f170d96717447715692cac399ecbad0c538acd76425559707337ca9b894

Download Submit
\Windows\SysWOW64\Qjklenpa.exe

Filesize
232KB

MD5
80875c72c478d98f443aa818696ac2a2

SHA1
5e0637927b837e6cfd4cb441476bff40fa0bedf5

SHA256
6e1ef0834248fa3023e91fa8a16183dc0b0d721e7a72c2584fdb8000d0a3a77d

SHA512
a506bd6d4347ffc139ad016623390ad4c8e2b9495f0bfa245af537c64f0e47000637cfc2aa1a6570275f9600005af21314b28fd8b450619e6acb8bceabd106c4

Download Submit
memory/900-319-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/900-443-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/900-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/908-450-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/956-456-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/956-242-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/956-233-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1096-109-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1096-104-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1096-446-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1128-145-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1128-138-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1128-445-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1300-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1300-166-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1300-178-0x0000000000290000-0x00000000002BF000-memory.dmp

Filesize
188KB

Download
memory/1328-164-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1328-153-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1328-454-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1472-243-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1472-440-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1472-249-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1484-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1484-350-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/1484-18-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/1484-17-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/1484-345-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1528-271-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1528-453-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1804-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1804-447-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1804-118-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1824-270-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/1824-442-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1824-261-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2040-455-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2040-208-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2040-220-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2080-293-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2080-299-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2080-452-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2088-25-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2096-137-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2096-451-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2140-407-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2140-385-0x00000000002F0000-0x000000000031F000-memory.dmp

Filesize
188KB

Download
memory/2140-381-0x00000000002F0000-0x000000000031F000-memory.dmp

Filesize
188KB

Download
memory/2140-374-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2144-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2144-416-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2144-286-0x0000000001F20000-0x0000000001F4F000-memory.dmp

Filesize
188KB

Download
memory/2272-326-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2272-320-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2272-414-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2324-449-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2324-402-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2380-206-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2380-194-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2380-422-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2432-398-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2432-81-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2432-399-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2432-70-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2580-408-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2580-362-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2616-403-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2616-90-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2616-83-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2648-181-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2648-188-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/2648-441-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2704-369-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2704-53-0x00000000002E0000-0x000000000030F000-memory.dmp

Filesize
188KB

Download
memory/2704-373-0x00000000002E0000-0x000000000030F000-memory.dmp

Filesize
188KB

Download
memory/2728-360-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2728-361-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2792-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2792-397-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2792-387-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2832-338-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2832-448-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2832-339-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2876-380-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2876-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2876-386-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/2876-67-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/2876-396-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/2884-344-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2956-355-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2956-39-0x00000000002E0000-0x000000000030F000-memory.dmp

Filesize
188KB

Download
memory/2956-40-0x00000000002E0000-0x000000000030F000-memory.dmp

Filesize
188KB

Download
memory/2956-367-0x00000000002E0000-0x000000000030F000-memory.dmp

Filesize
188KB

Download
memory/2956-27-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2996-444-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2996-222-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2996-229-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/3028-309-0x00000000002E0000-0x000000000030F000-memory.dmp

Filesize
188KB

Download
memory/3028-300-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3028-411-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads