berbew | f2879791a64f9799149df23c1483df881b946546872b3a0e7f4877e7139329c8

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-02-2025 06:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f2879791a64f9799149df23c1483df881b946546872b3a0e7f4877e7139329c8.exe
Size

96KB
MD5

e12fa5f7fe7df38eaa10e3a6cee11205
SHA1

8605362d4969dab93825a289fc448e5b93bd7be3
SHA256

f2879791a64f9799149df23c1483df881b946546872b3a0e7f4877e7139329c8
SHA512

19e571b3f4e57cb4418e912d974d9afcd88b7f2ba29d4b0b9f6c3bf9e2f29eda04386a23a0b922ab9406f1dbc147e4e918223b8650a75f1e671c06e635847c9e
SSDEEP

1536:3IQdQND/v3GmwMFCY6PutGbs2Lq7RZObZUUWaegPYAy:3CNDbCUGblqClUUWaeP

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qeppdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnknoogp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffbdadk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjbndpmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdncmgbj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajmijmnn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahbekjcf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoagccfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhjlli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bceibfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnknoogp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apgagg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bccmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f2879791a64f9799149df23c1483df881b946546872b3a0e7f4877e7139329c8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qiioon32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aakjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akcomepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bccmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdncmgbj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qeppdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdqlajbb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qppkfhlc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anbkipok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qppkfhlc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjobffl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aoagccfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkhhhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Alihaioe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afdiondb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahbekjcf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aomnhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anbkipok.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqbdkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnfddp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajmijmnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aakjdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnfddp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfioia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accqnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmbcen32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 50 IoCs

pid	Process
2028	Qppkfhlc.exe
2212	Qiioon32.exe
2776	Qdncmgbj.exe
2688	Qeppdo32.exe
2584	Alihaioe.exe
2564	Accqnc32.exe
3052	Ajmijmnn.exe
2628	Apgagg32.exe
1640	Afdiondb.exe
1048	Ahbekjcf.exe
1392	Aomnhd32.exe
852	Aakjdo32.exe
2660	Akcomepg.exe
2408	Anbkipok.exe
2040	Agjobffl.exe
2540	Aoagccfn.exe
376	Aqbdkk32.exe
2284	Bhjlli32.exe
1716	Bkhhhd32.exe
1044	Bnfddp32.exe
2896	Bdqlajbb.exe
988	Bccmmf32.exe
1980	Bkjdndjo.exe
2056	Bmlael32.exe
276	Bceibfgj.exe
2708	Bfdenafn.exe
2876	Bnknoogp.exe
2596	Bgcbhd32.exe
2616	Bffbdadk.exe
1096	Bjbndpmd.exe
1444	Bbmcibjp.exe
2068	Bfioia32.exe
1276	Coacbfii.exe
2744	Cbppnbhm.exe
1660	Cfkloq32.exe
2904	Cocphf32.exe
2376	Cnfqccna.exe
2000	Cileqlmg.exe
448	Cebeem32.exe
700	Cgaaah32.exe
952	Cnkjnb32.exe
1952	Ceebklai.exe
2940	Cgcnghpl.exe
2132	Cnmfdb32.exe
2148	Cmpgpond.exe
860	Ccjoli32.exe
1748	Cfhkhd32.exe
2868	Djdgic32.exe
2676	Dmbcen32.exe
2576	Dpapaj32.exe

Loads dropped DLL 64 IoCs

pid	Process
2644	f2879791a64f9799149df23c1483df881b946546872b3a0e7f4877e7139329c8.exe
2644	f2879791a64f9799149df23c1483df881b946546872b3a0e7f4877e7139329c8.exe
2028	Qppkfhlc.exe
2028	Qppkfhlc.exe
2212	Qiioon32.exe
2212	Qiioon32.exe
2776	Qdncmgbj.exe
2776	Qdncmgbj.exe
2688	Qeppdo32.exe
2688	Qeppdo32.exe
2584	Alihaioe.exe
2584	Alihaioe.exe
2564	Accqnc32.exe
2564	Accqnc32.exe
3052	Ajmijmnn.exe
3052	Ajmijmnn.exe
2628	Apgagg32.exe
2628	Apgagg32.exe
1640	Afdiondb.exe
1640	Afdiondb.exe
1048	Ahbekjcf.exe
1048	Ahbekjcf.exe
1392	Aomnhd32.exe
1392	Aomnhd32.exe
852	Aakjdo32.exe
852	Aakjdo32.exe
2660	Akcomepg.exe
2660	Akcomepg.exe
2408	Anbkipok.exe
2408	Anbkipok.exe
2040	Agjobffl.exe
2040	Agjobffl.exe
2540	Aoagccfn.exe
2540	Aoagccfn.exe
376	Aqbdkk32.exe
376	Aqbdkk32.exe
2284	Bhjlli32.exe
2284	Bhjlli32.exe
1716	Bkhhhd32.exe
1716	Bkhhhd32.exe
1044	Bnfddp32.exe
1044	Bnfddp32.exe
2896	Bdqlajbb.exe
2896	Bdqlajbb.exe
988	Bccmmf32.exe
988	Bccmmf32.exe
1980	Bkjdndjo.exe
1980	Bkjdndjo.exe
2056	Bmlael32.exe
2056	Bmlael32.exe
276	Bceibfgj.exe
276	Bceibfgj.exe
2708	Bfdenafn.exe
2708	Bfdenafn.exe
2876	Bnknoogp.exe
2876	Bnknoogp.exe
2596	Bgcbhd32.exe
2596	Bgcbhd32.exe
2616	Bffbdadk.exe
2616	Bffbdadk.exe
1096	Bjbndpmd.exe
1096	Bjbndpmd.exe
1444	Bbmcibjp.exe
1444	Bbmcibjp.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Aoagccfn.exe	Agjobffl.exe
File created	C:\Windows\SysWOW64\Dfefmpeo.dll	Bnknoogp.exe
File opened for modification	C:\Windows\SysWOW64\Bnfddp32.exe	Bkhhhd32.exe
File opened for modification	C:\Windows\SysWOW64\Bgcbhd32.exe	Bnknoogp.exe
File created	C:\Windows\SysWOW64\Cebeem32.exe	Cileqlmg.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\Aomnhd32.exe	Ahbekjcf.exe
File opened for modification	C:\Windows\SysWOW64\Agjobffl.exe	Anbkipok.exe
File created	C:\Windows\SysWOW64\Bfdenafn.exe	Bceibfgj.exe
File created	C:\Windows\SysWOW64\Hmdeje32.dll	Coacbfii.exe
File created	C:\Windows\SysWOW64\Cileqlmg.exe	Cnfqccna.exe
File created	C:\Windows\SysWOW64\Cnkjnb32.exe	Cgaaah32.exe
File created	C:\Windows\SysWOW64\Omakjj32.dll	Ceebklai.exe
File created	C:\Windows\SysWOW64\Afdiondb.exe	Apgagg32.exe
File created	C:\Windows\SysWOW64\Bmlael32.exe	Bkjdndjo.exe
File created	C:\Windows\SysWOW64\Ckndebll.dll	Bfdenafn.exe
File created	C:\Windows\SysWOW64\Bjbndpmd.exe	Bffbdadk.exe
File created	C:\Windows\SysWOW64\Ceebklai.exe	Cnkjnb32.exe
File opened for modification	C:\Windows\SysWOW64\Ccjoli32.exe	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Maanne32.dll	Afdiondb.exe
File opened for modification	C:\Windows\SysWOW64\Bdqlajbb.exe	Bnfddp32.exe
File created	C:\Windows\SysWOW64\Bdqlajbb.exe	Bnfddp32.exe
File created	C:\Windows\SysWOW64\Bgcbhd32.exe	Bnknoogp.exe
File opened for modification	C:\Windows\SysWOW64\Cnmfdb32.exe	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Ccofjipn.dll	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Cmfaflol.dll	Qppkfhlc.exe
File created	C:\Windows\SysWOW64\Aldhcb32.dll	Qiioon32.exe
File created	C:\Windows\SysWOW64\Bccmmf32.exe	Bdqlajbb.exe
File opened for modification	C:\Windows\SysWOW64\Cgcnghpl.exe	Ceebklai.exe
File created	C:\Windows\SysWOW64\Cmpgpond.exe	Cnmfdb32.exe
File opened for modification	C:\Windows\SysWOW64\Qdncmgbj.exe	Qiioon32.exe
File opened for modification	C:\Windows\SysWOW64\Bhjlli32.exe	Aqbdkk32.exe
File created	C:\Windows\SysWOW64\Cmbfdl32.dll	Cnfqccna.exe
File opened for modification	C:\Windows\SysWOW64\Cfhkhd32.exe	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Bbjclbek.dll	Aomnhd32.exe
File created	C:\Windows\SysWOW64\Bhjlli32.exe	Aqbdkk32.exe
File opened for modification	C:\Windows\SysWOW64\Cnfqccna.exe	Cocphf32.exe
File created	C:\Windows\SysWOW64\Fnbkfl32.dll	Cileqlmg.exe
File created	C:\Windows\SysWOW64\Niebgj32.dll	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Bodmepdn.dll	Akcomepg.exe
File created	C:\Windows\SysWOW64\Mfakaoam.dll	Bjbndpmd.exe
File opened for modification	C:\Windows\SysWOW64\Akcomepg.exe	Aakjdo32.exe
File created	C:\Windows\SysWOW64\Komjgdhc.dll	Anbkipok.exe
File opened for modification	C:\Windows\SysWOW64\Aqbdkk32.exe	Aoagccfn.exe
File created	C:\Windows\SysWOW64\Bnfddp32.exe	Bkhhhd32.exe
File created	C:\Windows\SysWOW64\Qeppdo32.exe	Qdncmgbj.exe
File created	C:\Windows\SysWOW64\Incleo32.dll	Apgagg32.exe
File created	C:\Windows\SysWOW64\Ahbekjcf.exe	Afdiondb.exe
File opened for modification	C:\Windows\SysWOW64\Bccmmf32.exe	Bdqlajbb.exe
File opened for modification	C:\Windows\SysWOW64\Bjbndpmd.exe	Bffbdadk.exe
File created	C:\Windows\SysWOW64\Lloeec32.dll	Bbmcibjp.exe
File opened for modification	C:\Windows\SysWOW64\Djdgic32.exe	Cfhkhd32.exe
File opened for modification	C:\Windows\SysWOW64\Qeppdo32.exe	Qdncmgbj.exe
File opened for modification	C:\Windows\SysWOW64\Accqnc32.exe	Alihaioe.exe
File created	C:\Windows\SysWOW64\Qiioon32.exe	Qppkfhlc.exe
File opened for modification	C:\Windows\SysWOW64\Cocphf32.exe	Cfkloq32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Bbmcibjp.exe	Bjbndpmd.exe
File created	C:\Windows\SysWOW64\Agjobffl.exe	Anbkipok.exe
File opened for modification	C:\Windows\SysWOW64\Bffbdadk.exe	Bgcbhd32.exe
File opened for modification	C:\Windows\SysWOW64\Cfkloq32.exe	Cbppnbhm.exe
File created	C:\Windows\SysWOW64\Aqpmpahd.dll	Cfkloq32.exe
File created	C:\Windows\SysWOW64\Cgcnghpl.exe	Ceebklai.exe
File created	C:\Windows\SysWOW64\Cnmfdb32.exe	Cgcnghpl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2680	2576	WerFault.exe	80

System Location Discovery: System Language Discovery 1 TTPs 51 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbndpmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahbekjcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcbhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aakjdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkjdndjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocphf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpgpond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qppkfhlc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afdiondb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoagccfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmlael32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdenafn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbmcibjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhkhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apgagg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aomnhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjobffl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnknoogp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cebeem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qiioon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accqnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffbdadk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfkloq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cileqlmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajmijmnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhjlli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnfddp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfioia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coacbfii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnfqccna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceebklai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f2879791a64f9799149df23c1483df881b946546872b3a0e7f4877e7139329c8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qeppdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdqlajbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbppnbhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anbkipok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqbdkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akcomepg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkhhhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bccmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bceibfgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkjnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdncmgbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alihaioe.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbdjfk32.dll"	f2879791a64f9799149df23c1483df881b946546872b3a0e7f4877e7139329c8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljamki32.dll"	Qdncmgbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqbdkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkhhhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnfddp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmlael32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmmgmc32.dll"	Ahbekjcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciohdhad.dll"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fikbiheg.dll"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aakjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkhhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bifbbocj.dll"	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfefmpeo.dll"	Bnknoogp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aldhcb32.dll"	Qiioon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Alihaioe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apgagg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnknoogp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcopgk32.dll"	Alihaioe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajmijmnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccofjipn.dll"	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qiioon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjclbek.dll"	Aomnhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Binbknik.dll"	Aakjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bffbdadk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Coacbfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omakjj32.dll"	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdqjn32.dll"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	f2879791a64f9799149df23c1483df881b946546872b3a0e7f4877e7139329c8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdncmgbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Accqnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqaegjop.dll"	Agjobffl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aoagccfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhjlli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anbkipok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqbdkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqpmpahd.dll"	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qppkfhlc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bccmmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdjhp32.dll"	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anbkipok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhjlli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qeppdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdncmgbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkjdndjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bceibfgj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2028	2644	f2879791a64f9799149df23c1483df881b946546872b3a0e7f4877e7139329c8.exe	31
PID 2644 wrote to memory of 2028	2644	f2879791a64f9799149df23c1483df881b946546872b3a0e7f4877e7139329c8.exe	31
PID 2644 wrote to memory of 2028	2644	f2879791a64f9799149df23c1483df881b946546872b3a0e7f4877e7139329c8.exe	31
PID 2644 wrote to memory of 2028	2644	f2879791a64f9799149df23c1483df881b946546872b3a0e7f4877e7139329c8.exe	31
PID 2028 wrote to memory of 2212	2028	Qppkfhlc.exe	32
PID 2028 wrote to memory of 2212	2028	Qppkfhlc.exe	32
PID 2028 wrote to memory of 2212	2028	Qppkfhlc.exe	32
PID 2028 wrote to memory of 2212	2028	Qppkfhlc.exe	32
PID 2212 wrote to memory of 2776	2212	Qiioon32.exe	33
PID 2212 wrote to memory of 2776	2212	Qiioon32.exe	33
PID 2212 wrote to memory of 2776	2212	Qiioon32.exe	33
PID 2212 wrote to memory of 2776	2212	Qiioon32.exe	33
PID 2776 wrote to memory of 2688	2776	Qdncmgbj.exe	34
PID 2776 wrote to memory of 2688	2776	Qdncmgbj.exe	34
PID 2776 wrote to memory of 2688	2776	Qdncmgbj.exe	34
PID 2776 wrote to memory of 2688	2776	Qdncmgbj.exe	34
PID 2688 wrote to memory of 2584	2688	Qeppdo32.exe	35
PID 2688 wrote to memory of 2584	2688	Qeppdo32.exe	35
PID 2688 wrote to memory of 2584	2688	Qeppdo32.exe	35
PID 2688 wrote to memory of 2584	2688	Qeppdo32.exe	35
PID 2584 wrote to memory of 2564	2584	Alihaioe.exe	36
PID 2584 wrote to memory of 2564	2584	Alihaioe.exe	36
PID 2584 wrote to memory of 2564	2584	Alihaioe.exe	36
PID 2584 wrote to memory of 2564	2584	Alihaioe.exe	36
PID 2564 wrote to memory of 3052	2564	Accqnc32.exe	37
PID 2564 wrote to memory of 3052	2564	Accqnc32.exe	37
PID 2564 wrote to memory of 3052	2564	Accqnc32.exe	37
PID 2564 wrote to memory of 3052	2564	Accqnc32.exe	37
PID 3052 wrote to memory of 2628	3052	Ajmijmnn.exe	38
PID 3052 wrote to memory of 2628	3052	Ajmijmnn.exe	38
PID 3052 wrote to memory of 2628	3052	Ajmijmnn.exe	38
PID 3052 wrote to memory of 2628	3052	Ajmijmnn.exe	38
PID 2628 wrote to memory of 1640	2628	Apgagg32.exe	39
PID 2628 wrote to memory of 1640	2628	Apgagg32.exe	39
PID 2628 wrote to memory of 1640	2628	Apgagg32.exe	39
PID 2628 wrote to memory of 1640	2628	Apgagg32.exe	39
PID 1640 wrote to memory of 1048	1640	Afdiondb.exe	40
PID 1640 wrote to memory of 1048	1640	Afdiondb.exe	40
PID 1640 wrote to memory of 1048	1640	Afdiondb.exe	40
PID 1640 wrote to memory of 1048	1640	Afdiondb.exe	40
PID 1048 wrote to memory of 1392	1048	Ahbekjcf.exe	41
PID 1048 wrote to memory of 1392	1048	Ahbekjcf.exe	41
PID 1048 wrote to memory of 1392	1048	Ahbekjcf.exe	41
PID 1048 wrote to memory of 1392	1048	Ahbekjcf.exe	41
PID 1392 wrote to memory of 852	1392	Aomnhd32.exe	42
PID 1392 wrote to memory of 852	1392	Aomnhd32.exe	42
PID 1392 wrote to memory of 852	1392	Aomnhd32.exe	42
PID 1392 wrote to memory of 852	1392	Aomnhd32.exe	42
PID 852 wrote to memory of 2660	852	Aakjdo32.exe	43
PID 852 wrote to memory of 2660	852	Aakjdo32.exe	43
PID 852 wrote to memory of 2660	852	Aakjdo32.exe	43
PID 852 wrote to memory of 2660	852	Aakjdo32.exe	43
PID 2660 wrote to memory of 2408	2660	Akcomepg.exe	44
PID 2660 wrote to memory of 2408	2660	Akcomepg.exe	44
PID 2660 wrote to memory of 2408	2660	Akcomepg.exe	44
PID 2660 wrote to memory of 2408	2660	Akcomepg.exe	44
PID 2408 wrote to memory of 2040	2408	Anbkipok.exe	45
PID 2408 wrote to memory of 2040	2408	Anbkipok.exe	45
PID 2408 wrote to memory of 2040	2408	Anbkipok.exe	45
PID 2408 wrote to memory of 2040	2408	Anbkipok.exe	45
PID 2040 wrote to memory of 2540	2040	Agjobffl.exe	46
PID 2040 wrote to memory of 2540	2040	Agjobffl.exe	46
PID 2040 wrote to memory of 2540	2040	Agjobffl.exe	46
PID 2040 wrote to memory of 2540	2040	Agjobffl.exe	46

C:\Users\Admin\AppData\Local\Temp\f2879791a64f9799149df23c1483df881b946546872b3a0e7f4877e7139329c8.exe
"C:\Users\Admin\AppData\Local\Temp\f2879791a64f9799149df23c1483df881b946546872b3a0e7f4877e7139329c8.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\SysWOW64\Qppkfhlc.exe
  C:\Windows\system32\Qppkfhlc.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\SysWOW64\Qiioon32.exe
    C:\Windows\system32\Qiioon32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2212
  - - C:\Windows\SysWOW64\Qdncmgbj.exe
      C:\Windows\system32\Qdncmgbj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2776
    - - C:\Windows\SysWOW64\Qeppdo32.exe
        
        C:\Windows\system32\Qeppdo32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2688
      - C:\Windows\SysWOW64\Alihaioe.exe
        
        C:\Windows\system32\Alihaioe.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SysWOW64\Accqnc32.exe
        
        C:\Windows\system32\Accqnc32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\SysWOW64\Ajmijmnn.exe
        
        C:\Windows\system32\Ajmijmnn.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\SysWOW64\Apgagg32.exe
        
        C:\Windows\system32\Apgagg32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\Afdiondb.exe
        
        C:\Windows\system32\Afdiondb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\SysWOW64\Ahbekjcf.exe
        
        C:\Windows\system32\Ahbekjcf.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\SysWOW64\Aomnhd32.exe
        
        C:\Windows\system32\Aomnhd32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Windows\SysWOW64\Aakjdo32.exe
        
        C:\Windows\system32\Aakjdo32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:852
        
        C:\Windows\SysWOW64\Akcomepg.exe
        
        C:\Windows\system32\Akcomepg.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\Anbkipok.exe
        
        C:\Windows\system32\Anbkipok.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Windows\SysWOW64\Agjobffl.exe
        
        C:\Windows\system32\Agjobffl.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\Aoagccfn.exe
        
        C:\Windows\system32\Aoagccfn.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2540
        
        C:\Windows\SysWOW64\Aqbdkk32.exe
        
        C:\Windows\system32\Aqbdkk32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:376
        
        C:\Windows\SysWOW64\Bhjlli32.exe
        
        C:\Windows\system32\Bhjlli32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Bkhhhd32.exe
        
        C:\Windows\system32\Bkhhhd32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\Bnfddp32.exe
        
        C:\Windows\system32\Bnfddp32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1044
        
        C:\Windows\SysWOW64\Bdqlajbb.exe
        
        C:\Windows\system32\Bdqlajbb.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2896
        
        C:\Windows\SysWOW64\Bccmmf32.exe
        
        C:\Windows\system32\Bccmmf32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:988
        
        C:\Windows\SysWOW64\Bkjdndjo.exe
        
        C:\Windows\system32\Bkjdndjo.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\Bmlael32.exe
        
        C:\Windows\system32\Bmlael32.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2056
        
        C:\Windows\SysWOW64\Bceibfgj.exe
        
        C:\Windows\system32\Bceibfgj.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:276
        
        C:\Windows\SysWOW64\Bfdenafn.exe
        
        C:\Windows\system32\Bfdenafn.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2708
        
        C:\Windows\SysWOW64\Bnknoogp.exe
        
        C:\Windows\system32\Bnknoogp.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Bgcbhd32.exe
        
        C:\Windows\system32\Bgcbhd32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2596
        
        C:\Windows\SysWOW64\Bffbdadk.exe
        
        C:\Windows\system32\Bffbdadk.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2616
        
        C:\Windows\SysWOW64\Bjbndpmd.exe
        
        C:\Windows\system32\Bjbndpmd.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1096
        
        C:\Windows\SysWOW64\Bbmcibjp.exe
        
        C:\Windows\system32\Bbmcibjp.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1444
        
        C:\Windows\SysWOW64\Bfioia32.exe
        
        C:\Windows\system32\Bfioia32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2068
        
        C:\Windows\SysWOW64\Coacbfii.exe
        
        C:\Windows\system32\Coacbfii.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1276
        
        C:\Windows\SysWOW64\Cbppnbhm.exe
        
        C:\Windows\system32\Cbppnbhm.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2744
        
        C:\Windows\SysWOW64\Cfkloq32.exe
        
        C:\Windows\system32\Cfkloq32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\Cocphf32.exe
        
        C:\Windows\system32\Cocphf32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Windows\SysWOW64\Cnfqccna.exe
        
        C:\Windows\system32\Cnfqccna.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2376
        
        C:\Windows\SysWOW64\Cileqlmg.exe
        
        C:\Windows\system32\Cileqlmg.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\Cebeem32.exe
        
        C:\Windows\system32\Cebeem32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:448
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:700
        
        C:\Windows\SysWOW64\Cnkjnb32.exe
        
        C:\Windows\system32\Cnkjnb32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:952
        
        C:\Windows\SysWOW64\Ceebklai.exe
        
        C:\Windows\system32\Ceebklai.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2132
        
        C:\Windows\SysWOW64\Cmpgpond.exe
        
        C:\Windows\system32\Cmpgpond.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2148
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:860
        
        C:\Windows\SysWOW64\Cfhkhd32.exe
        
        C:\Windows\system32\Cfhkhd32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\Djdgic32.exe
        
        C:\Windows\system32\Djdgic32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2868
        
        C:\Windows\SysWOW64\Dmbcen32.exe
        
        C:\Windows\system32\Dmbcen32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2676
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2576 -s 144
        52⤵
        Program crash
        
        PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aakjdo32.exe

Filesize
96KB

MD5
31d2fa12a4a5140f5572ae6c1a42610a

SHA1
e8805c0670be62e2204ca6d17d65cfd92516e415

SHA256
deb78dfeae0bea21f3313d5bff68d1565efeaf2d2e12095b30872d8b0046eec5

SHA512
039dca311e190cb42f8a8777a335797baee447c61657246c0b2e80970b77dca7cec1df55455a74bf74b8f556539816858d85125fc0c638c12712464e637407e6

Download Submit
C:\Windows\SysWOW64\Akcomepg.exe

Filesize
96KB

MD5
3835871179a4cf46e267f47a3bbacd28

SHA1
b26e2bf9e7994b07c67ab4c61c83d37bf18fd1e2

SHA256
9e6793eb0180c6a77dcdd54b40e217c0a6bee643b93db239ddb3c0b66f1e338b

SHA512
00e4481f4e5b7faff248b6b49bbb0cf3484798a2b149b92906bb2ef575f220f308dba8395e8b5733455e83a7865f9524e1691584e2564d072c46910eef7362ff

Download Submit
C:\Windows\SysWOW64\Anbkipok.exe

Filesize
96KB

MD5
837be4a196ca08ee7a1e54514fd0fa32

SHA1
49ad61937dae299b1d23665fdd644ab1836b390c

SHA256
cccd182ca841cd448f22691e68900f3dfb5aadb77ae67e0c89a477d2db33d0ac

SHA512
e3a612fafee5f1698a671b59fcb7fad6501515d746cd38239b4a952d8f31358f831a6ec78c2ecedb42ec52f0036a6276970a7a7cac479c48d232b8da43d5a491

Download Submit
C:\Windows\SysWOW64\Aomnhd32.exe

Filesize
96KB

MD5
f7211dfe86c8746b15b9db22a527f1ed

SHA1
0d263188272f551a6d57d89e16cbda1c9a05131d

SHA256
b93f6152cd61a3514d9ae803394319f160f31fe91f46d341a308b44a8c904aa0

SHA512
d6305a60c3f7cf9e545926859c05d3042635f4a192b1031e9df82a580284c898adc594dfc7edc334faa5a2214d903975b9d3d21e29cb7acb42f202a5053cca8b

Download Submit
C:\Windows\SysWOW64\Apgagg32.exe

Filesize
96KB

MD5
e9441090616dc71c1a490fb4653e5bd8

SHA1
d7566e882659fd66d51b1718e74742b9a583b526

SHA256
693043521f8d6d3a9823342cc729046d6a3d8f7758a7d3e6a4697725f843606f

SHA512
5191f99874037ac2e9ea713f8f8c80d36b0faa164569c4c60011ce164a4f8a9ff2dd3939ca7b4da29864e583f1c3349076101eacc35e70450b32e5e8f7e666ba

Download Submit
C:\Windows\SysWOW64\Aqbdkk32.exe

Filesize
96KB

MD5
b700c6fdc67c7b28b88415faa3066f71

SHA1
4c90022c62a6bd113361dc8372cee0323feb477f

SHA256
6ab8a2a1828c096cda93f79ac1bf50906cd83374a7052dc7b162634d4431c40a

SHA512
611a38ec698f158eebf97081da06a0300c076fffefcf8c767d0888ba07e09d37bf131a0ce66c9316274c7b9953d251d9f15b9e5996fb8a6615a52ea1edd94d3e

Download Submit
C:\Windows\SysWOW64\Bbmcibjp.exe

Filesize
96KB

MD5
d2fd4400e1d011f60165d99793f50df2

SHA1
3c0dffca120f3c2baddd7e9056b7849fc7594e6d

SHA256
6c28aac643737ce5aa2bf9c392431faede39cf5460476c2af8cae43bcd984a2a

SHA512
5beccf25fe03fad2ccc44c4def280b5549d9161d91ea1a775b84b03c2fba97a4183fe6e88591662e0105dbccdb7a178f20dab7b6b8e9d65076c2a1b576dd71b1

Download Submit
C:\Windows\SysWOW64\Bccmmf32.exe

Filesize
96KB

MD5
68711187dd94d4f6d1d1ea1ebd59f900

SHA1
3f93810dd0fea36ede2081c2c54df895d39b350d

SHA256
c702ed48ef3c7fcfe933c2ee991aef7b6315ad0509ac7c6c4780685c77dc8562

SHA512
582a28a3a7bb493c32a262e9ae60c6181570fcf593568f36ed7c1c09d733a2410fcfa6dc7f2bbb3f5fe6336751c6b56be247ebe9bc1daa8e6cd2759983780f32

Download Submit
C:\Windows\SysWOW64\Bceibfgj.exe

Filesize
96KB

MD5
af482aceaac10903b4dbc079d0221cac

SHA1
6ca6a1cb50a5d19e654ecf008257bb28b7df2953

SHA256
d55b63161aea0a6b58d7ddbefb12af1cc9688f378595e1a316b65250d2325404

SHA512
ac3aedb316c62779fafaef0f8ad11397c669c53291d7ba715580b24691a53d645cf970c7865790a6386d5a1a682c77bcd471da62705a289e0bd26e2e0103b31f

Download Submit
C:\Windows\SysWOW64\Bdqlajbb.exe

Filesize
96KB

MD5
6842f0d05086cc7e487e84ae357a9abb

SHA1
501430c6089d3000951d19e565ff90453a0f0390

SHA256
1dac5e8f3295fa8a67d541a09e477dc5730b17d20861dc0f5469458869b3d98f

SHA512
9ff36d5b44f2a0e7453db78b5520df8eff4c29b7382385611364b7c58a02c68026db6b639d102be29bec4062094a053b633dbda9231775179fcf286c4526268c

Download Submit
C:\Windows\SysWOW64\Bfdenafn.exe

Filesize
96KB

MD5
80f5978aeb80ebda7627bec5d650acd4

SHA1
08c7c3e217b6a8eae146eeb63e1f63131d1f039a

SHA256
5fdfcb775ad739a8557df23c0ec3211413e4d2c6168b5680b241f3e9cd3a4e08

SHA512
fec7f70c7ec77714af0ef381a54a70a3a6794d6e87502d20d3e1f4529d4b105baad9214033c26cdcd7e0802dc238b71633403677b64e10c8b426b53e8b57545b

Download Submit
C:\Windows\SysWOW64\Bffbdadk.exe

Filesize
96KB

MD5
344005f46dff27dd288c4e6b39fe981c

SHA1
c1cb928b1e6680ec9a32385e9b926c616f8bfb65

SHA256
0e13f0e292ab93b7dabebf6fd69951de9317f9461e26638a5eebdbab37ce3114

SHA512
debd9c76240c92df43257845c45f63b5695d883ae85d10b6937315c3c644ed90c6751d38f35ab3e1d7b67960388b42ddcd66512e43fe875f6d79cb53a27acb30

Download Submit
C:\Windows\SysWOW64\Bfioia32.exe

Filesize
96KB

MD5
3b0783ee6aba650adcebde3525d7ee80

SHA1
1f7b874b38797844095e0834048be49bafa2a9f4

SHA256
b290d33bb28c8ebd9853d282cf43db6f995f50c9cc685c2f1c4cd622f53d9fee

SHA512
b36bfb3787ec8f8cea745ab03d3ce161933d0bf5f268cea9d005c248236afafe6f9e960f9c61c3edab2df1b067014239a10e93e054160e29e5f62ec027b633ef

Download Submit
C:\Windows\SysWOW64\Bgcbhd32.exe

Filesize
96KB

MD5
c06615d052ee1d56624735747223a71a

SHA1
2c4cadc26d21316184332627c2bf4c91ed758e74

SHA256
8303c1468ab95992fb8ea683e256582bd851c4006c068ba9e83e1f62148b0313

SHA512
974b5f0d1570e91c205ad630a33a4f084109cd84bd54e633d20b364bb77f29d2ae2ed206c3b393f846c3fbe01e88765d5455042a9c0797e3f724684931715e0b

Download Submit
C:\Windows\SysWOW64\Bhjlli32.exe

Filesize
96KB

MD5
2920e3015b89a423c583ae21756d14de

SHA1
c12a8df36ab6cf0e5fcb2bb9dc9ee30205a50905

SHA256
f7022c3f14b6849addead6b888173684a155201bbd100ad768b64f8ae958c478

SHA512
4d546065c51a53ed94eeea9e56a561c1e140076cecd92109b0cf1bf3fd837fbae6d6ee77eaff8c11f27e70ab45c2237e226be59609db64597f28f803d124526a

Download Submit
C:\Windows\SysWOW64\Bjbndpmd.exe

Filesize
96KB

MD5
ca6ae6a47102d5fe30d923f089f9cc62

SHA1
715057d611b2d13cb4812838a0e48e718cc8f9d3

SHA256
e7d78f413c480cc3c0075dcdec9a4b567b71a89b1a26d1c0b3a554ba1e2b843e

SHA512
69b5853c2171af8cad82f82b243216e4002aa579ed328fe3b4b3119aa3bc8e86d9648e8b492cd5fe86a0537aa1bd912cbdf23a347a1ff85b5a86bff99a2a4057

Download Submit
C:\Windows\SysWOW64\Bkhhhd32.exe

Filesize
96KB

MD5
469526af7ef15023fafa8966f299ed03

SHA1
69f3d8fa905dd8544cf11bc94bc3a51cf320f8cf

SHA256
f6af5e7c4cfe8b12d014bd5ceb767d50993647e1ff6c288af9d0fd5b6cca45e8

SHA512
6d655c09e053dc77cff19135669c5c55c0e7cf8e5e66c06d874af353b1d47096e502d00121477fb8b47e976d22db9faefc11bee286ee0837c98c749c7cbc3621

Download Submit
C:\Windows\SysWOW64\Bkjdndjo.exe

Filesize
96KB

MD5
5aba5c523d97689dbeaa69b3cde384eb

SHA1
e73ec8596f3ecc6cd688ee2f62f65a7b6af5cacc

SHA256
bb9916ce3ee7f5a4be9bc544fe9e56083f255af33d333f38bd6e77cb7ba65c56

SHA512
3644e474cab40fde247f7e17cd683612f8cf5dda6c4ef8889655ce37d2d5ad2f5a989698d485f967f031d4a98628a9a534b4c49109bf24a8e776f62b33902482

Download Submit
C:\Windows\SysWOW64\Bmlael32.exe

Filesize
96KB

MD5
bb51c6d9ffd73dfae00a301763da3790

SHA1
d2415f342ef6c4fecacd6e3eb8bda81d76457535

SHA256
c4b11d23c5c19add3096df90af6827329dd3783493257b3123bea4770a0a639e

SHA512
70bf086fb2d00d19323a3b6799d0e10ef8fdd5f880295dd63648caacac0a3a9bb23d0c24abfcb255f4ec737cdc69f72a27703a45623ea3ef86ec1f7ea2abe10c

Download Submit
C:\Windows\SysWOW64\Bnfddp32.exe

Filesize
96KB

MD5
20f21de538c0c916c9d3762f63077383

SHA1
d1b2e68ed59e88ff3586a3cde3f7bb6d6a54845c

SHA256
a170968797491dfbebb405d83175c92ba86efffa99824d0af3dfe8d9ba1d8008

SHA512
264d5ff0f14e2ba919760c1def8dfcc1226fef85a2269bcaba90a3fea634866a5f7dd736c6cd18a3cd84a228b051a8d0d8e3527aed1082cd8dd6a0f619528cb6

Download Submit
C:\Windows\SysWOW64\Bnknoogp.exe

Filesize
96KB

MD5
ca96b84b1bb7932ffb82d9afd12ac460

SHA1
e3707c9f3bb8eee65fe352df3ea2eed8dc4f884f

SHA256
943ddb982d1def85258f8423dce8c9a07b49f4270dec18a968d0e3356451e4cc

SHA512
237d0db1fdc390c42043afbb289cd685273ae0ff3eadbf8b4c0192e7c72c6d0b6bfe4859713ee72065e1bdef62aed3ef6d76e101f6e9de2b114ce6c89667dff8

Download Submit
C:\Windows\SysWOW64\Cbppnbhm.exe

Filesize
96KB

MD5
3f33b6cdfe6d69dc61390ff2d777d680

SHA1
5104d0fbafb6b656c7a43d1911c0c24c96190219

SHA256
da8d0e0943928913220c683d9c374d8b292526c0b1cb0a4e188fde0b85d5206b

SHA512
7667ef023a5a7334ce44250c04d1fe45d46421272166adb7183de5ed519291ed0893cd2bf349075023b7fece6468b141ece49aaa4f099be43f6c8871a4718bf3

Download Submit
C:\Windows\SysWOW64\Ccjoli32.exe

Filesize
96KB

MD5
514894f44d51cec331c5ac3a0ef3b6ae

SHA1
e90485a8cb9fbaed266e93c2df85c8134c8fa38e

SHA256
ef52ee9ec505e10e5ec7c6d35fd280aa64cabe932a0e0ad36e29dd4e953e0b60

SHA512
0d30026870f4f002dfe147620d0a0e5330eb6cf6c1ba5610cd9d279e6bbd439452e64fd656d11a5a7da3becd2638e3bbed6af6ba3994270388a34f04c34bc7df

Download Submit
C:\Windows\SysWOW64\Cebeem32.exe

Filesize
96KB

MD5
982093f73be2266a4009a1cfae838226

SHA1
1f5ffd40a808e8e71381c1da6596bb8b95675cd3

SHA256
87b715b49adcefab3b36d0df606936b67f9740d3a06870674c57df51b6570fda

SHA512
653e2ce3ccc6c39da3963700c7c941ba372a35c7ac29592e7c795b89eb2f70a1461a506f767d53cb0382a767042b7177f46b75f0ef9f959c46948e6e64236581

Download Submit
C:\Windows\SysWOW64\Ceebklai.exe

Filesize
96KB

MD5
2a5375cedcc2f0c29c760cc0df4c7c44

SHA1
b79b2cbdb98f429c11f3a50509b2e9f0da2f248f

SHA256
bb64a893e04c1583e5e621677268dcfbb9d5c37836917a72915810f09c395059

SHA512
e1fd145560d16b9ec2368be62aee715ea906393a15d85cfc4ab344542fc06b1d573e3fe40903ec78e530805e32d053325eb7dc2d5eeec5ff9b4d8194776a3c06

Download Submit
C:\Windows\SysWOW64\Cfhkhd32.exe

Filesize
96KB

MD5
f082c8a7ecb8a93d13a966ae093f46fd

SHA1
cc12b4dcb7b31b87a7b26eba76c687f3bc279809

SHA256
58e006f387b494b90471e044a20181d557f3a1d3b4f47a7024717a6e617306ee

SHA512
3030f16e1991e8cc24340006dda65be12fa55cff62b3294ca66b373afb428757388dd1f2a85e3e2bd4974ddb6a887a617b1c5d2ba7ef76cabc3273f206cd8da8

Download Submit
C:\Windows\SysWOW64\Cfkloq32.exe

Filesize
96KB

MD5
8fe177c448a7828d342f22f8e23e6ec7

SHA1
06b213317f94f73f6dae3fab20483e1bfbe7c227

SHA256
18d7d7a3c9ea4a65673ae1964299068109a2ee802e9e7bd6e93bf67cb697c79f

SHA512
cc332a268adab09e452c34311129a8588f05eedc6cdd5fed98a5879c0ad81dfa7371d6845985686af6c2188dfcb4d86c4f8bac471e7ad6b868f0ddc4c2dac20e

Download Submit
C:\Windows\SysWOW64\Cgaaah32.exe

Filesize
96KB

MD5
4d40d1a90b107de973c5c4c1a608e873

SHA1
7e168aaa9cbab157d1e00fa4e63167414e55dabf

SHA256
c33fdbf76d1a6c7d4b0c2d58aba8fe4276266b546f1fb4be655e802afa1f2c2c

SHA512
bff7285f1ab470dd58cbafd3bdfdea0c0a4f4170a4c1a082c8759874987e75e063ca0f5e107c1128aeb1de479abdc02bbe93a11ce0913bfed3c83d052326beb0

Download Submit
C:\Windows\SysWOW64\Cgcnghpl.exe

Filesize
96KB

MD5
5205aa9f0841c70a45067b97bcfdc524

SHA1
664f7d9c64f1f3e0681f4f6f9b6ff9651c9f3b93

SHA256
2d0f8f33a49b51303d8d7263d0acf11984c0bc135bbd14bb9fbf290253c5d2aa

SHA512
5357f94a3c793f59e3ec9bd1abf8a48cf0cbd8d0eb26a2faca61b171bd10a4b566c7a31de5a828b497ef72d1b853f0b939397685f6ce8fa9622ee6b32610b24c

Download Submit
C:\Windows\SysWOW64\Cileqlmg.exe

Filesize
96KB

MD5
5151465bf5920741548ba854e3207b03

SHA1
83275d981b765571c31c3c23b4c86303ccc6eefa

SHA256
e0c3e93ed83ff9dd473e90408be86591e8495055a20fad639c56dae53884f16a

SHA512
49273fff6d82760c325730a5cc1d943eabe9ad1010ce9cb0a727e00ff1db1435b378526474f52c87452d8e7b7d781c6ba353ff8c4c5badaafc8d5520db844593

Download Submit
C:\Windows\SysWOW64\Cmpgpond.exe

Filesize
96KB

MD5
1fab183f66bf300f40e944e6e52cbd30

SHA1
c6839d82db0cad0c4238dfe12bb1556e78f6676b

SHA256
5621d42717768cde6829e6f5632caafe62108b0b3e76131cda6f70484084058f

SHA512
6dcd37c61363082d482887020fed2de323e1858453d4665afde6b79e73e2591cf41d8ede7124f5122576579924b6369cb500997935ef669052a4d36b0e832dff

Download Submit
C:\Windows\SysWOW64\Cnfqccna.exe

Filesize
96KB

MD5
8329087948849e93752e0a90f9ccae1a

SHA1
e9584bb01e10175ff182007211b833b8ed7447eb

SHA256
88edad04c959fa25305edd9f2211c42f4c63d1f70f60dc02f27a3963c6850e15

SHA512
760ea2ca63e5ae9b222b1dd02c74469c2811951d68ee1450623e44faea5001286c9f4f72db7bd5977c5cf40de36bd5a15fc362f61031bcb995cdb4d05e51091a

Download Submit
C:\Windows\SysWOW64\Cnkjnb32.exe

Filesize
96KB

MD5
31b89daada8ab5c606be34147a771e9e

SHA1
1aa45bcd17f40f3b89d3a036ab2975934ff34de7

SHA256
c551482317ffd7b963101cf036606539d74cdc97dc11e60bbf241622189920c7

SHA512
351a1c9b1791982f24ced1f17e6b131be22ddaf929da025ac3006ee7ce60ecf0b4f36cd02b81f2f3c68e9a1b1a0c02f04b9501a3d6ffb2eebc74eaa35b1b5c86

Download Submit
C:\Windows\SysWOW64\Cnmfdb32.exe

Filesize
96KB

MD5
f36afe4ec8375b2844c394f6b55da53c

SHA1
f76d3cbb027d7771e522d9d5a5d09c5f7c279e3d

SHA256
4ba0e8e2ef6f900fe4cee381632e1952d784b3badcbf17a8ef638a823aa2a9e9

SHA512
4b32354ebd38a0ee11896583c7b2e5b3327859d07b10e6697be5b19ab927d0916af1e7596111d6bf81b7cb64ebf736ec8596aee2296ecbcf394a1d514f9bf1e4

Download Submit
C:\Windows\SysWOW64\Coacbfii.exe

Filesize
96KB

MD5
5e7ddf92dc054c0054b249414c7f4181

SHA1
8e81a70c818a82324535f99bc5a5120460964255

SHA256
26037580ccb0adf0befc1b1a8934bf82ac7e089f8027b44641f359dd6a77e2f2

SHA512
08e88be824dee54daedd6d5bbe76e23a6dfa110b7b5f8816a4aee07a37e793bbfd9e827500ab760a6cd93c122d1815917f5e9a8bfb23630f919d2b902d49e5b5

Download Submit
C:\Windows\SysWOW64\Cocphf32.exe

Filesize
96KB

MD5
7d192e83e1506a6bf46a69f8312ee0ca

SHA1
27db1a10cdfbd9ce56afc4eefde72229d904530b

SHA256
43c8b4859eafb5ef40c55229baed386abc373e0e81101ee1939c19b0d2f55ea9

SHA512
d7feb0f2b8db79e9e011abeb128c3fe4b439c57fff25b346c518a8d8fd9cffeb5bf3d8a2af17acb3606fdc1305b9406d92991cdce0951c0b35981e3a8be66546

Download Submit
C:\Windows\SysWOW64\Djdgic32.exe

Filesize
96KB

MD5
e3ada0dfb74abf01e836eb6ecf79a009

SHA1
a0f7464d962204f0515d9c10e6d6b01545a666fc

SHA256
d4889debe5d0e5cb1200b91565e0581891e002e26f4b55f24e3e415d7aa897c2

SHA512
1ae2f89b7983446136add77848160db60caa5ce07db1f9d643ff8dd6b674fd91e0a2da67ec3535f499b6d6940e8931855ffeb85abbaca3896a3d4ac7905efd1a

Download Submit
C:\Windows\SysWOW64\Dmbcen32.exe

Filesize
96KB

MD5
fb3e96d4ad1ca094fc7abde9728acd53

SHA1
534c595dc44bde402e0035a99c44feb73bedcbc7

SHA256
f8ac500dbeefde706e10602046ae7bb16e923f2fbbea81c0598af932ced0fceb

SHA512
1651963d1b6e15eaea52977a154d43227b9f09e76993c1b12566991f05f5823c9fa85432843a47fb5dce4540c6e4a3be15fc90b8863785cced690950665f98e3

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
96KB

MD5
cc58339372cc1a83b75c4eb7ca5ce85c

SHA1
958c8aab55a47c3df876d9df71736bcc72ef86a2

SHA256
f5c3a3d5d850163b0368ce3b20e38b60d72ab9c2db995ecc5d0cd90bc6198540

SHA512
73235204f43d06b294dcdab9ee2a109c50899b4ffd8d3ab08729efef3b2cb583237d4c62d984d7567de189189f8140cefe4f19dd611e3a3fd973b488b063af9f

Download Submit
C:\Windows\SysWOW64\Qiioon32.exe

Filesize
96KB

MD5
a7aa6c1cbfabd11bec111d9395d3a455

SHA1
14cec7abe813c47c18d1bf071ec64c59ab973c32

SHA256
a956043f4d8ba26bb30dbe222391e8b13404d4a3258831ab15d43c9884b80775

SHA512
15f82f1a995e279411dde343aea633e6767b94e478695026d3ad9f2b4bfce953939a151a1e87840e15cebfe129c30cba3ab7dbb120274311fed9411e91858423

Download Submit
\Windows\SysWOW64\Accqnc32.exe

Filesize
96KB

MD5
7135909f1b08050a4de54901d21fa4c6

SHA1
563036d613d226d8320da3fd97c5a778f6c92698

SHA256
870586e91aaacb975a8c0c7be8fce4c470475030a554842bb4a35cc10361002f

SHA512
43c6751e0ff628e7d5da767c6c1defcd4163215e7435e7c6b83cdc764f5c85cee3432ef9916bd4f7035780cae6cc4151bf27b1412c4c236e03440c43aa605702

Download Submit
\Windows\SysWOW64\Afdiondb.exe

Filesize
96KB

MD5
fee0d0bfa97f9c3f9a1d59087bbde123

SHA1
ac48d8be0996bc384e110b8917c74041ced31346

SHA256
3bcd0c0a58cbd4f078a20e6a9d515f2ff740c464f4c852b32974ac483a1cdbfb

SHA512
6180a13b22b5da0dda90580dcda840283522851b108af9b9ccc48164bd7b6d6ae8c0dded9ba2f902f357431d07a34e81190b031eb71f23111a11c73328123279

Download Submit
\Windows\SysWOW64\Agjobffl.exe

Filesize
96KB

MD5
8f8f28e77768cd6aa88429d54b0bf8dc

SHA1
3ff8299672af1615aa60cb02cd1bade5b8847ea9

SHA256
8aede9b448a67f91002352a7a12829401e5303d354d5aa910b84ee67c2a20102

SHA512
a8504c10d751dbc731503a00b4273a86fe5d955bfc6712ec498052319f17c78d2ad2744d0234b6defeefb39382a48dbe9adc4fd820f4c8a620ddcad3b2fff995

Download Submit
\Windows\SysWOW64\Ahbekjcf.exe

Filesize
96KB

MD5
4b30acaf3a1f9e7ab9dce07a5da56494

SHA1
6ade9e392087672f7077f9dbf0f4ba6365318aa7

SHA256
2d3d19664a573ab0bcddddbae6860f9c332340c13cb4e61710b073be54a7c39b

SHA512
4248030d907886bb828eda5952db41e039c7d8ae38350616a30444fb6080f2f80b148a54c4635ebe6a2c5f66e04b3f78227e23c616001121e2bf883bf1fc81a1

Download Submit
\Windows\SysWOW64\Ajmijmnn.exe

Filesize
96KB

MD5
a86c25f8e7365cf07aa9a61b2cf994db

SHA1
17ad2e8f33b81745b0c8f9ada15eee924952fb9a

SHA256
e4ec68600b530cfefeda2f32255e4d4cab9be017dc8ae9445e76e7c6ab0096ad

SHA512
3823af4f31ea48f85e69059d27ba8aec68d426cec4f4ffb65ab87f999db787ef77c1a9b9664f0c4086858e6cfe05da99a36885292ea230838e39d5d359e5c4e5

Download Submit
\Windows\SysWOW64\Alihaioe.exe

Filesize
96KB

MD5
ab7eec483027a420ed43140ea239de26

SHA1
46bae4bbf7a8d47d25145d2f1086ddc0fb34d339

SHA256
7161a9071ef80d409b792fd10c1a856b9f25ea503dfb21f8dba70ba29d36e7d8

SHA512
ef08cfe588559ca65f81316dd5d565f7c4117d8e289767e5e5042c0b96e9a021016d97c9f9c382875247ddf16aaa757c037d2787eaf4f5d42fa752d86ec36125

Download Submit
\Windows\SysWOW64\Aoagccfn.exe

Filesize
96KB

MD5
52c8ab37f60b7d3fc87b2a040be7d4d4

SHA1
157bf9d17539eb629eac431f9589d176e839ee1a

SHA256
a08f0b991668ae4b3c6478e18893bff69835cdc98cd7d224bc4bd7df8c0782a2

SHA512
81bdd8f3cc5f08c3a7ca716c01a006116937b5ba3407fa54c5ad54f1f881fe879f62d1257a0ef516a70e7c57bf552448c15f9c8865a0ab337bbdb273ef430e3a

Download Submit
\Windows\SysWOW64\Qdncmgbj.exe

Filesize
96KB

MD5
fafda6ffba0432d59723f8d4410258f5

SHA1
857c4f23ca5b75939ede8aa3c17de616c3cf9d9b

SHA256
11c0a9eda7ce066f768bcb5de491ad0dcab1a9ad3830ac9fe5a82ab1f723f865

SHA512
d24987d135e5985db9c03ee3ef7ad68496cfb23c26f18e8b42006ef8bd1249549c02f8df82818796701d323f7c803860bf4cb038e3c1e1eab40f1c173fc78c2d

Download Submit
\Windows\SysWOW64\Qeppdo32.exe

Filesize
96KB

MD5
da13ae06e97cd2c036bead5d77f9795a

SHA1
330bd03fa4418ccc29e93e4ec5b63b9326c9c02d

SHA256
835a25d4c2f7b86e3bf8e416604337ec180d44fc882963a2d096a699b032b25e

SHA512
de0ebdc02431f6aa43a6dff7553d1e7d07774bc97b220ad0a2e563e3e553426425f89d72edf11858c23623b8097932ef0b8f0da6a62fc6fd39ed75b9738bbfca

Download Submit
\Windows\SysWOW64\Qppkfhlc.exe

Filesize
96KB

MD5
dad3848698a94da90b6144907a4bbf03

SHA1
2f22abb3a3df6fbe819d970bcc21bdfa125f841d

SHA256
ca9395f079126399f25b4d7cff1c36ed92bf7d9c8df2d1b23d1c58181b75da14

SHA512
29f51e9d0251a988664fe11719319d90cf4f4519a59b52c475bd346e78d9ef7db5f17b7eec8bd7f42afaa91df2863a43c226a86544f66cef523e502cc08b53a2

Download Submit
memory/276-312-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/276-616-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/276-311-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/448-464-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/700-480-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/700-607-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/700-470-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/852-174-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/852-162-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/852-475-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/860-583-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/952-489-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/988-277-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/988-271-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1044-262-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1048-458-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1048-148-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/1096-365-0x0000000000330000-0x0000000000363000-memory.dmp

Filesize
204KB

Download
memory/1096-369-0x0000000000330000-0x0000000000363000-memory.dmp

Filesize
204KB

Download
memory/1096-603-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1096-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1276-398-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1276-402-0x0000000001F60000-0x0000000001F93000-memory.dmp

Filesize
204KB

Download
memory/1392-469-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1392-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1444-379-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1444-381-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/1444-380-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/1640-130-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1640-448-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1660-611-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1660-423-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/1716-244-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1716-250-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/1952-589-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1952-490-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1952-499-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1980-290-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1980-291-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1980-285-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2000-590-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2000-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2000-455-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2028-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2028-347-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2028-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2028-26-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2040-510-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2056-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2056-298-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2056-302-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2056-604-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2068-593-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2068-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2132-511-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2132-586-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2212-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2212-35-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2212-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2284-234-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2284-240-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/2376-447-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2376-440-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2376-446-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2408-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2408-196-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2408-500-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2408-509-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2540-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2540-222-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2564-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2564-89-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2564-422-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2564-82-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2576-630-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2584-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2584-80-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2596-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2596-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2616-357-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2616-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-445-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2628-116-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2628-109-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-346-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2644-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-13-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2644-12-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2660-181-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2688-62-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2688-391-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2688-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2708-323-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2708-318-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2708-595-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2708-313-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2744-602-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2744-413-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2744-408-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2776-49-0x0000000000330000-0x0000000000363000-memory.dmp

Filesize
204KB

Download
memory/2776-374-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2876-615-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2876-334-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2876-330-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2876-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2904-435-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2904-592-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2904-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2940-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3052-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3052-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads