berbew | 4d2cf51884082189d825220385b77f746e35c9a470a460fe013af19cb6093b19

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-12-2024 21:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d2cf51884082189d825220385b77f746e35c9a470a460fe013af19cb6093b19.exe
Size

96KB
MD5

de558d23228d655930e0ffe0a2879ed8
SHA1

58a063ca2dcbf19763b2f6e8a687a46b7510c2c8
SHA256

4d2cf51884082189d825220385b77f746e35c9a470a460fe013af19cb6093b19
SHA512

4b0038a7e042497c3c53bae1076991026854572c6814731e4d952e29c3a3707917a278efda7991edad5dc204b14c31ec10a62c83644b1d6b2e95a7fb752488a2
SSDEEP

1536:3eV6c/pDaMQH/ZoU2+kD7SS2yz7/wHsgALylJGRQ+gR5R45WtqV9R2R462izMg3W:o3/M1/eLX2yz7YHyy2e+gHrtG9MW3+3W

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pidfdofi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkcbnanl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alihaioe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qiioon32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqgmfkhg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pljlbf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pafdjmkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qdncmgbj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aebmjo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akabgebj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qiioon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aebmjo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdcifi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcachc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afffenbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppnnai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ppnnai32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Adifpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Agjobffl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Andgop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgaebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjakccop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ahbekjcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pepcelel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qcachc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caifjn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qdlggg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aficjnpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmeiq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjobffl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbbpenco.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	4d2cf51884082189d825220385b77f746e35c9a470a460fe013af19cb6093b19.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andgop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cocphf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagienkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkmlmbcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Allefimb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjkhdacm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdlggg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjmeiq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pepcelel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pkcbnanl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Alihaioe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Akabgebj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bqgmfkhg.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 57 IoCs

pid	Process
2496	Pepcelel.exe
1956	Pljlbf32.exe
2636	Pkmlmbcd.exe
2688	Pafdjmkq.exe
2564	Pojecajj.exe
2644	Pidfdofi.exe
2604	Ppnnai32.exe
1976	Pcljmdmj.exe
2600	Pkcbnanl.exe
1980	Qdlggg32.exe
1380	Qkfocaki.exe
1332	Qiioon32.exe
756	Qdncmgbj.exe
2716	Qcachc32.exe
2152	Alihaioe.exe
1516	Aebmjo32.exe
2620	Ahpifj32.exe
1384	Allefimb.exe
1308	Acfmcc32.exe
1368	Ahbekjcf.exe
888	Akabgebj.exe
2884	Afffenbp.exe
2980	Adifpk32.exe
2252	Aficjnpm.exe
892	Adlcfjgh.exe
2320	Agjobffl.exe
2728	Andgop32.exe
2824	Bjkhdacm.exe
2648	Bbbpenco.exe
2768	Bjmeiq32.exe
2544	Bqgmfkhg.exe
2580	Bdcifi32.exe
2340	Bgaebe32.exe
2784	Bchfhfeh.exe
1056	Bjbndpmd.exe
1700	Boogmgkl.exe
760	Bbmcibjp.exe
1908	Bkegah32.exe
2880	Coacbfii.exe
2052	Ciihklpj.exe
2928	Cocphf32.exe
1356	Cnfqccna.exe
872	Cnimiblo.exe
1820	Cbdiia32.exe
1524	Cagienkb.exe
1852	Cbffoabe.exe
3036	Caifjn32.exe
328	Clojhf32.exe
2464	Cjakccop.exe
2732	Cnmfdb32.exe
2808	Cmpgpond.exe
2336	Cegoqlof.exe
2532	Ccjoli32.exe
1944	Cgfkmgnj.exe
1800	Dnpciaef.exe
812	Dmbcen32.exe
1312	Dpapaj32.exe

Loads dropped DLL 64 IoCs

pid	Process
2616	4d2cf51884082189d825220385b77f746e35c9a470a460fe013af19cb6093b19.exe
2616	4d2cf51884082189d825220385b77f746e35c9a470a460fe013af19cb6093b19.exe
2496	Pepcelel.exe
2496	Pepcelel.exe
1956	Pljlbf32.exe
1956	Pljlbf32.exe
2636	Pkmlmbcd.exe
2636	Pkmlmbcd.exe
2688	Pafdjmkq.exe
2688	Pafdjmkq.exe
2564	Pojecajj.exe
2564	Pojecajj.exe
2644	Pidfdofi.exe
2644	Pidfdofi.exe
2604	Ppnnai32.exe
2604	Ppnnai32.exe
1976	Pcljmdmj.exe
1976	Pcljmdmj.exe
2600	Pkcbnanl.exe
2600	Pkcbnanl.exe
1980	Qdlggg32.exe
1980	Qdlggg32.exe
1380	Qkfocaki.exe
1380	Qkfocaki.exe
1332	Qiioon32.exe
1332	Qiioon32.exe
756	Qdncmgbj.exe
756	Qdncmgbj.exe
2716	Qcachc32.exe
2716	Qcachc32.exe
2152	Alihaioe.exe
2152	Alihaioe.exe
1516	Aebmjo32.exe
1516	Aebmjo32.exe
2620	Ahpifj32.exe
2620	Ahpifj32.exe
1384	Allefimb.exe
1384	Allefimb.exe
1308	Acfmcc32.exe
1308	Acfmcc32.exe
1368	Ahbekjcf.exe
1368	Ahbekjcf.exe
888	Akabgebj.exe
888	Akabgebj.exe
2884	Afffenbp.exe
2884	Afffenbp.exe
2980	Adifpk32.exe
2980	Adifpk32.exe
2252	Aficjnpm.exe
2252	Aficjnpm.exe
892	Adlcfjgh.exe
892	Adlcfjgh.exe
2320	Agjobffl.exe
2320	Agjobffl.exe
2728	Andgop32.exe
2728	Andgop32.exe
2824	Bjkhdacm.exe
2824	Bjkhdacm.exe
2648	Bbbpenco.exe
2648	Bbbpenco.exe
2768	Bjmeiq32.exe
2768	Bjmeiq32.exe
2544	Bqgmfkhg.exe
2544	Bqgmfkhg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Egfokakc.dll	Afffenbp.exe
File created	C:\Windows\SysWOW64\Kaaded32.dll	Pojecajj.exe
File opened for modification	C:\Windows\SysWOW64\Alihaioe.exe	Qcachc32.exe
File created	C:\Windows\SysWOW64\Bjmeiq32.exe	Bbbpenco.exe
File opened for modification	C:\Windows\SysWOW64\Bqgmfkhg.exe	Bjmeiq32.exe
File created	C:\Windows\SysWOW64\Bgaebe32.exe	Bdcifi32.exe
File created	C:\Windows\SysWOW64\Coacbfii.exe	Bkegah32.exe
File created	C:\Windows\SysWOW64\Niebgj32.dll	Cjakccop.exe
File created	C:\Windows\SysWOW64\Aacinhhc.dll	Allefimb.exe
File opened for modification	C:\Windows\SysWOW64\Adifpk32.exe	Afffenbp.exe
File created	C:\Windows\SysWOW64\Allefimb.exe	Ahpifj32.exe
File opened for modification	C:\Windows\SysWOW64\Coacbfii.exe	Bkegah32.exe
File created	C:\Windows\SysWOW64\Nloone32.dll	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Pepcelel.exe	4d2cf51884082189d825220385b77f746e35c9a470a460fe013af19cb6093b19.exe
File opened for modification	C:\Windows\SysWOW64\Pafdjmkq.exe	Pkmlmbcd.exe
File opened for modification	C:\Windows\SysWOW64\Aficjnpm.exe	Adifpk32.exe
File created	C:\Windows\SysWOW64\Pobghn32.dll	Cnfqccna.exe
File opened for modification	C:\Windows\SysWOW64\Cnmfdb32.exe	Cjakccop.exe
File opened for modification	C:\Windows\SysWOW64\Qdncmgbj.exe	Qiioon32.exe
File opened for modification	C:\Windows\SysWOW64\Allefimb.exe	Ahpifj32.exe
File created	C:\Windows\SysWOW64\Ahbekjcf.exe	Acfmcc32.exe
File opened for modification	C:\Windows\SysWOW64\Cocphf32.exe	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Cmfaflol.dll	Qkfocaki.exe
File created	C:\Windows\SysWOW64\Alihaioe.exe	Qcachc32.exe
File created	C:\Windows\SysWOW64\Nmlfpfpl.dll	Aebmjo32.exe
File created	C:\Windows\SysWOW64\Fiqhbk32.dll	Aficjnpm.exe
File created	C:\Windows\SysWOW64\Oaoplfhc.dll	Bqgmfkhg.exe
File created	C:\Windows\SysWOW64\Caifjn32.exe	Cbffoabe.exe
File opened for modification	C:\Windows\SysWOW64\Cegoqlof.exe	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Cgfkmgnj.exe	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Pafdjmkq.exe	Pkmlmbcd.exe
File opened for modification	C:\Windows\SysWOW64\Qiioon32.exe	Qkfocaki.exe
File created	C:\Windows\SysWOW64\Mfakaoam.dll	Boogmgkl.exe
File created	C:\Windows\SysWOW64\Cnfqccna.exe	Cocphf32.exe
File opened for modification	C:\Windows\SysWOW64\Cnfqccna.exe	Cocphf32.exe
File created	C:\Windows\SysWOW64\Pmiljc32.dll	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Adpqglen.dll	Ahbekjcf.exe
File opened for modification	C:\Windows\SysWOW64\Bjmeiq32.exe	Bbbpenco.exe
File opened for modification	C:\Windows\SysWOW64\Bbbpenco.exe	Bjkhdacm.exe
File created	C:\Windows\SysWOW64\Cpmahlfd.dll	Ccjoli32.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Ppnnai32.exe	Pidfdofi.exe
File opened for modification	C:\Windows\SysWOW64\Bjkhdacm.exe	Andgop32.exe
File created	C:\Windows\SysWOW64\Alppmhnm.dll	Adifpk32.exe
File created	C:\Windows\SysWOW64\Bchfhfeh.exe	Bgaebe32.exe
File opened for modification	C:\Windows\SysWOW64\Boogmgkl.exe	Bjbndpmd.exe
File opened for modification	C:\Windows\SysWOW64\Caifjn32.exe	Cbffoabe.exe
File created	C:\Windows\SysWOW64\Qiioon32.exe	Qkfocaki.exe
File opened for modification	C:\Windows\SysWOW64\Ahbekjcf.exe	Acfmcc32.exe
File created	C:\Windows\SysWOW64\Gjhmge32.dll	Coacbfii.exe
File created	C:\Windows\SysWOW64\Ciohdhad.dll	Cegoqlof.exe
File opened for modification	C:\Windows\SysWOW64\Adlcfjgh.exe	Aficjnpm.exe
File created	C:\Windows\SysWOW64\Ciihklpj.exe	Coacbfii.exe
File created	C:\Windows\SysWOW64\Bjkhdacm.exe	Andgop32.exe
File created	C:\Windows\SysWOW64\Kfcgie32.dll	Andgop32.exe
File opened for modification	C:\Windows\SysWOW64\Bjbndpmd.exe	Bchfhfeh.exe
File created	C:\Windows\SysWOW64\Boogmgkl.exe	Bjbndpmd.exe
File created	C:\Windows\SysWOW64\Cnimiblo.exe	Cnfqccna.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File opened for modification	C:\Windows\SysWOW64\Pcljmdmj.exe	Ppnnai32.exe
File created	C:\Windows\SysWOW64\Qkfocaki.exe	Qdlggg32.exe
File opened for modification	C:\Windows\SysWOW64\Ppnnai32.exe	Pidfdofi.exe
File opened for modification	C:\Windows\SysWOW64\Afffenbp.exe	Akabgebj.exe
File created	C:\Windows\SysWOW64\Jmclfnqb.dll	Agjobffl.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32†Delgfamk.¾ll	Dpapaj32.exe

System Location Discovery: System Language Discovery 1 TTPs 58 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adifpk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andgop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbndpmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppnnai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahbekjcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahpifj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjobffl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqgmfkhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdiia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjakccop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkfocaki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcachc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjkhdacm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkegah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciihklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnfqccna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegoqlof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aebmjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akabgebj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgaebe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkcbnanl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Allefimb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnpciaef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pojecajj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpgpond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aficjnpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagienkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caifjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clojhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qiioon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdcifi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alihaioe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afffenbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbmcibjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbffoabe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pidfdofi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdncmgbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coacbfii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnimiblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfkmgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pafdjmkq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmeiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdlggg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acfmcc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbbpenco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchfhfeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkmlmbcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcljmdmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adlcfjgh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boogmgkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocphf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4d2cf51884082189d825220385b77f746e35c9a470a460fe013af19cb6093b19.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pljlbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pepcelel.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apqcdckf.dll"	Pkmlmbcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qdlggg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmfaflol.dll"	Qkfocaki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiqhbk32.dll"	Aficjnpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibcihh32.dll"	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niebgj32.dll"	Cjakccop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Afffenbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmclfnqb.dll"	Agjobffl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdjhp32.dll"	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Coacbfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cagienkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nloone32.dll"	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qkfocaki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qiioon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qdncmgbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfqnol32.dll"	Qdncmgbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Agjobffl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bdcifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcaibd32.dll"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihkhkcdl.dll"	Bjmeiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfikmo32.dll"	Bchfhfeh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfdgghho.dll"	Pljlbf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pidfdofi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bdcifi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qiioon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ahbekjcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkdhln32.dll"	Akabgebj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alppmhnm.dll"	Adifpk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cagienkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egfokakc.dll"	Afffenbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfcgie32.dll"	Andgop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bqgmfkhg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpioba32.dll"	4d2cf51884082189d825220385b77f746e35c9a470a460fe013af19cb6093b19.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qcachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Adlcfjgh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bjmeiq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bgaebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdhe32.dll"	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pidfdofi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ppnnai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pcljmdmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ahpifj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adpqglen.dll"	Ahbekjcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaoplfhc.dll"	Bqgmfkhg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qcachc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Alihaioe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdoaqh32.dll"	Ahpifj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjhmge32.dll"	Coacbfii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	4d2cf51884082189d825220385b77f746e35c9a470a460fe013af19cb6093b19.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 2496	2616	4d2cf51884082189d825220385b77f746e35c9a470a460fe013af19cb6093b19.exe	31
PID 2616 wrote to memory of 2496	2616	4d2cf51884082189d825220385b77f746e35c9a470a460fe013af19cb6093b19.exe	31
PID 2616 wrote to memory of 2496	2616	4d2cf51884082189d825220385b77f746e35c9a470a460fe013af19cb6093b19.exe	31
PID 2616 wrote to memory of 2496	2616	4d2cf51884082189d825220385b77f746e35c9a470a460fe013af19cb6093b19.exe	31
PID 2496 wrote to memory of 1956	2496	Pepcelel.exe	32
PID 2496 wrote to memory of 1956	2496	Pepcelel.exe	32
PID 2496 wrote to memory of 1956	2496	Pepcelel.exe	32
PID 2496 wrote to memory of 1956	2496	Pepcelel.exe	32
PID 1956 wrote to memory of 2636	1956	Pljlbf32.exe	33
PID 1956 wrote to memory of 2636	1956	Pljlbf32.exe	33
PID 1956 wrote to memory of 2636	1956	Pljlbf32.exe	33
PID 1956 wrote to memory of 2636	1956	Pljlbf32.exe	33
PID 2636 wrote to memory of 2688	2636	Pkmlmbcd.exe	34
PID 2636 wrote to memory of 2688	2636	Pkmlmbcd.exe	34
PID 2636 wrote to memory of 2688	2636	Pkmlmbcd.exe	34
PID 2636 wrote to memory of 2688	2636	Pkmlmbcd.exe	34
PID 2688 wrote to memory of 2564	2688	Pafdjmkq.exe	35
PID 2688 wrote to memory of 2564	2688	Pafdjmkq.exe	35
PID 2688 wrote to memory of 2564	2688	Pafdjmkq.exe	35
PID 2688 wrote to memory of 2564	2688	Pafdjmkq.exe	35
PID 2564 wrote to memory of 2644	2564	Pojecajj.exe	36
PID 2564 wrote to memory of 2644	2564	Pojecajj.exe	36
PID 2564 wrote to memory of 2644	2564	Pojecajj.exe	36
PID 2564 wrote to memory of 2644	2564	Pojecajj.exe	36
PID 2644 wrote to memory of 2604	2644	Pidfdofi.exe	37
PID 2644 wrote to memory of 2604	2644	Pidfdofi.exe	37
PID 2644 wrote to memory of 2604	2644	Pidfdofi.exe	37
PID 2644 wrote to memory of 2604	2644	Pidfdofi.exe	37
PID 2604 wrote to memory of 1976	2604	Ppnnai32.exe	38
PID 2604 wrote to memory of 1976	2604	Ppnnai32.exe	38
PID 2604 wrote to memory of 1976	2604	Ppnnai32.exe	38
PID 2604 wrote to memory of 1976	2604	Ppnnai32.exe	38
PID 1976 wrote to memory of 2600	1976	Pcljmdmj.exe	39
PID 1976 wrote to memory of 2600	1976	Pcljmdmj.exe	39
PID 1976 wrote to memory of 2600	1976	Pcljmdmj.exe	39
PID 1976 wrote to memory of 2600	1976	Pcljmdmj.exe	39
PID 2600 wrote to memory of 1980	2600	Pkcbnanl.exe	40
PID 2600 wrote to memory of 1980	2600	Pkcbnanl.exe	40
PID 2600 wrote to memory of 1980	2600	Pkcbnanl.exe	40
PID 2600 wrote to memory of 1980	2600	Pkcbnanl.exe	40
PID 1980 wrote to memory of 1380	1980	Qdlggg32.exe	41
PID 1980 wrote to memory of 1380	1980	Qdlggg32.exe	41
PID 1980 wrote to memory of 1380	1980	Qdlggg32.exe	41
PID 1980 wrote to memory of 1380	1980	Qdlggg32.exe	41
PID 1380 wrote to memory of 1332	1380	Qkfocaki.exe	42
PID 1380 wrote to memory of 1332	1380	Qkfocaki.exe	42
PID 1380 wrote to memory of 1332	1380	Qkfocaki.exe	42
PID 1380 wrote to memory of 1332	1380	Qkfocaki.exe	42
PID 1332 wrote to memory of 756	1332	Qiioon32.exe	43
PID 1332 wrote to memory of 756	1332	Qiioon32.exe	43
PID 1332 wrote to memory of 756	1332	Qiioon32.exe	43
PID 1332 wrote to memory of 756	1332	Qiioon32.exe	43
PID 756 wrote to memory of 2716	756	Qdncmgbj.exe	44
PID 756 wrote to memory of 2716	756	Qdncmgbj.exe	44
PID 756 wrote to memory of 2716	756	Qdncmgbj.exe	44
PID 756 wrote to memory of 2716	756	Qdncmgbj.exe	44
PID 2716 wrote to memory of 2152	2716	Qcachc32.exe	45
PID 2716 wrote to memory of 2152	2716	Qcachc32.exe	45
PID 2716 wrote to memory of 2152	2716	Qcachc32.exe	45
PID 2716 wrote to memory of 2152	2716	Qcachc32.exe	45
PID 2152 wrote to memory of 1516	2152	Alihaioe.exe	46
PID 2152 wrote to memory of 1516	2152	Alihaioe.exe	46
PID 2152 wrote to memory of 1516	2152	Alihaioe.exe	46
PID 2152 wrote to memory of 1516	2152	Alihaioe.exe	46

C:\Users\Admin\AppData\Local\Temp\4d2cf51884082189d825220385b77f746e35c9a470a460fe013af19cb6093b19.exe
"C:\Users\Admin\AppData\Local\Temp\4d2cf51884082189d825220385b77f746e35c9a470a460fe013af19cb6093b19.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Windows\SysWOW64\Pepcelel.exe
  C:\Windows\system32\Pepcelel.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Windows\SysWOW64\Pljlbf32.exe
    C:\Windows\system32\Pljlbf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1956
  - - C:\Windows\SysWOW64\Pkmlmbcd.exe
      C:\Windows\system32\Pkmlmbcd.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2636
    - - C:\Windows\SysWOW64\Pafdjmkq.exe
        
        C:\Windows\system32\Pafdjmkq.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2688
      - C:\Windows\SysWOW64\Pojecajj.exe
        
        C:\Windows\system32\Pojecajj.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\SysWOW64\Pidfdofi.exe
        
        C:\Windows\system32\Pidfdofi.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\SysWOW64\Ppnnai32.exe
        
        C:\Windows\system32\Ppnnai32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\SysWOW64\Pcljmdmj.exe
        
        C:\Windows\system32\Pcljmdmj.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\SysWOW64\Pkcbnanl.exe
        
        C:\Windows\system32\Pkcbnanl.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\SysWOW64\Qdlggg32.exe
        
        C:\Windows\system32\Qdlggg32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\SysWOW64\Qkfocaki.exe
        
        C:\Windows\system32\Qkfocaki.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\Windows\SysWOW64\Qiioon32.exe
        
        C:\Windows\system32\Qiioon32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Windows\SysWOW64\Qdncmgbj.exe
        
        C:\Windows\system32\Qdncmgbj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:756
        
        C:\Windows\SysWOW64\Qcachc32.exe
        
        C:\Windows\system32\Qcachc32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\SysWOW64\Alihaioe.exe
        
        C:\Windows\system32\Alihaioe.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\SysWOW64\Aebmjo32.exe
        
        C:\Windows\system32\Aebmjo32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1516
        
        C:\Windows\SysWOW64\Ahpifj32.exe
        
        C:\Windows\system32\Ahpifj32.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2620
        
        C:\Windows\SysWOW64\Allefimb.exe
        
        C:\Windows\system32\Allefimb.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1384
        
        C:\Windows\SysWOW64\Acfmcc32.exe
        
        C:\Windows\system32\Acfmcc32.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1308
        
        C:\Windows\SysWOW64\Ahbekjcf.exe
        
        C:\Windows\system32\Ahbekjcf.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1368
        
        C:\Windows\SysWOW64\Akabgebj.exe
        
        C:\Windows\system32\Akabgebj.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:888
        
        C:\Windows\SysWOW64\Afffenbp.exe
        
        C:\Windows\system32\Afffenbp.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Adifpk32.exe
        
        C:\Windows\system32\Adifpk32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2980
        
        C:\Windows\SysWOW64\Aficjnpm.exe
        
        C:\Windows\system32\Aficjnpm.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Adlcfjgh.exe
        
        C:\Windows\system32\Adlcfjgh.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:892
        
        C:\Windows\SysWOW64\Agjobffl.exe
        
        C:\Windows\system32\Agjobffl.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Andgop32.exe
        
        C:\Windows\system32\Andgop32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2728
        
        C:\Windows\SysWOW64\Bjkhdacm.exe
        
        C:\Windows\system32\Bjkhdacm.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Windows\SysWOW64\Bbbpenco.exe
        
        C:\Windows\system32\Bbbpenco.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2648
        
        C:\Windows\SysWOW64\Bjmeiq32.exe
        
        C:\Windows\system32\Bjmeiq32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Bqgmfkhg.exe
        
        C:\Windows\system32\Bqgmfkhg.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2544
        
        C:\Windows\SysWOW64\Bdcifi32.exe
        
        C:\Windows\system32\Bdcifi32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\Bgaebe32.exe
        
        C:\Windows\system32\Bgaebe32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Bchfhfeh.exe
        
        C:\Windows\system32\Bchfhfeh.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2784
        
        C:\Windows\SysWOW64\Bjbndpmd.exe
        
        C:\Windows\system32\Bjbndpmd.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1056
        
        C:\Windows\SysWOW64\Boogmgkl.exe
        
        C:\Windows\system32\Boogmgkl.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1700
        
        C:\Windows\SysWOW64\Bbmcibjp.exe
        
        C:\Windows\system32\Bbmcibjp.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:760
        
        C:\Windows\SysWOW64\Bkegah32.exe
        
        C:\Windows\system32\Bkegah32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1908
        
        C:\Windows\SysWOW64\Coacbfii.exe
        
        C:\Windows\system32\Coacbfii.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2880
        
        C:\Windows\SysWOW64\Ciihklpj.exe
        
        C:\Windows\system32\Ciihklpj.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2052
        
        C:\Windows\SysWOW64\Cocphf32.exe
        
        C:\Windows\system32\Cocphf32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2928
        
        C:\Windows\SysWOW64\Cnfqccna.exe
        
        C:\Windows\system32\Cnfqccna.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1356
        
        C:\Windows\SysWOW64\Cnimiblo.exe
        
        C:\Windows\system32\Cnimiblo.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:872
        
        C:\Windows\SysWOW64\Cbdiia32.exe
        
        C:\Windows\system32\Cbdiia32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1820
        
        C:\Windows\SysWOW64\Cagienkb.exe
        
        C:\Windows\system32\Cagienkb.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Cbffoabe.exe
        
        C:\Windows\system32\Cbffoabe.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3036
        
        C:\Windows\SysWOW64\Clojhf32.exe
        
        C:\Windows\system32\Clojhf32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:328
        
        C:\Windows\SysWOW64\Cjakccop.exe
        
        C:\Windows\system32\Cjakccop.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2464
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Cmpgpond.exe
        
        C:\Windows\system32\Cmpgpond.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2808
        
        C:\Windows\SysWOW64\Cegoqlof.exe
        
        C:\Windows\system32\Cegoqlof.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2336
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2532
        
        C:\Windows\SysWOW64\Cgfkmgnj.exe
        
        C:\Windows\system32\Cgfkmgnj.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Windows\SysWOW64\Dnpciaef.exe
        
        C:\Windows\system32\Dnpciaef.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1800
        
        C:\Windows\SysWOW64\Dmbcen32.exe
        
        C:\Windows\system32\Dmbcen32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:812
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        58⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acfmcc32.exe

Filesize
96KB

MD5
5360007c9d74ee49c874907cab1e5280

SHA1
cdd9eea6e319eba3a460a82870e1d56b879342c1

SHA256
5045cacd26dce63725f66ef9c9b78ef7d88b238fdfb2d9b6a241bfd3ad77fa50

SHA512
e7c0871b462ee0ba992ebc2450e7d6faff0f174f2d8a4ef9c8da3e8248cfe589f288a8cdaf49bf5ee8c623eb238f799b38be272bdc77548f3552080d68f7068d

Download Submit
C:\Windows\SysWOW64\Adifpk32.exe

Filesize
96KB

MD5
7fc01e6e77d5c430e5e941b7ccbc540d

SHA1
232b94878b85fd974d81ba97ed4099dd8a323d24

SHA256
dc373e74c5dc51ee15f011ed8ed32b20736dc7667cdf0d6273e7f225752013e5

SHA512
ff80b834531ee48a67e9d8be1abe0918c46ff615df0f2330175a4381c3f6bcf73a071ea8e1ea53f83ee4f8e17d0a1c79e3d7e92316d7c1d29d61462875a0a037

Download Submit
C:\Windows\SysWOW64\Adlcfjgh.exe

Filesize
96KB

MD5
17e0c6953b5e1249b0a5f29fcb6dab7d

SHA1
9c30af30235579c7fcd52d9c3112282621972e3e

SHA256
328fc5e1468278bd8e043a50685dcf4cb970e2e86324a8189f38547b770b6b4f

SHA512
2daaf2a6c43d1756fdccaebf8b4da439c52565c0f7620db8e76dedca5805fbd3d118dffbb075c4cff70f81e19f436acf1e5d2ca0893b9dc5d2a3b5ecfa824120

Download Submit
C:\Windows\SysWOW64\Afffenbp.exe

Filesize
96KB

MD5
671afed7fa78f993b5c8a5b4832b6899

SHA1
0b0325ede3c367deaabe1fb911866d3b07dc4f34

SHA256
19dc93e8f480cb7f048fe4c8a5a52f624155263d291e51e48f9983b1b98a63aa

SHA512
d21086f107641075f91b396fe400f2fd6c1e6aa9c6013e23762bf1e73dc000fe774e19c2ad2a19878db365316f3f4da9a82913a4160a72da19062e64dd6d1fac

Download Submit
C:\Windows\SysWOW64\Aficjnpm.exe

Filesize
96KB

MD5
bbf94fa81f4826241b675c86f8277b04

SHA1
9aa3aafe7796aaee446f91273d315079c8ad11bc

SHA256
3d341d9b40508a2cb5fb0cc306c3de47c74fd4576afd1a7fa7409f871576b317

SHA512
f6799286ce46a3aa0f7f42e3640bf8e3daa1d0f4a03e0e324294d3237a7226c80bca3db55733e2f8017a5c49073290582407577f18143edc88fe3d5205c18253

Download Submit
C:\Windows\SysWOW64\Agjobffl.exe

Filesize
96KB

MD5
95cc4f0629b562b1d97a754d9ee63431

SHA1
63d148e04e169d1558c5e2660b011bdb72a7d83a

SHA256
953919492f799fd2917e774da9b5d63956332d14d2514a56e5b14e74d88db821

SHA512
1acaa507246b383d5ab8ef0fdb624c2a3f9db803a911027fdbfdd5983dbe8a51e507aec715f869e96125ce28a753ee75189dfb1e5ef40fa63fe84f7f4c98d8ad

Download Submit
C:\Windows\SysWOW64\Ahbekjcf.exe

Filesize
96KB

MD5
be8d5bf6b1f18ebe046780e31c4e7146

SHA1
4544ea29138c4fcb787b6b73ae3522dc2cee2281

SHA256
ac7e49cb843d4c9b0edbd258998411be84c9d181ee32ca1ed41b5bc2f4f25070

SHA512
3ee5f6672a97e8531fc7d3ee8c027d3b67531512f31a719a8ba9789c95fe47eb6eb4472af9c5d5c3f45b432d2444907c547af53d77041067894fbf23f40333f1

Download Submit
C:\Windows\SysWOW64\Ahpifj32.exe

Filesize
96KB

MD5
76212a76c674b594b71cd352dc801966

SHA1
8e3fd454a8b49760914b791da828bc2773db6452

SHA256
6f7881d9c8caf0b11db30d774486538a024e2aa0eba572d8333de536f072a346

SHA512
fd89fe793dcdfbc9de93f321efa92cebf56afe2fde7012a17c5158c89472ea662ecd5886b553eba649ff7f61d8476efa1959143cf3372ddb5a982eed8b614351

Download Submit
C:\Windows\SysWOW64\Akabgebj.exe

Filesize
96KB

MD5
57d9addee9ba3a28c0e1b968f8e9f3ec

SHA1
fdfcb17e0e419ea06ed35a9215a9d352658d930a

SHA256
261b0f17cc20441c219b1af7f3271652426461a16f74d78ab4020435ec2c0571

SHA512
0fdf551e5fa320633ad4f6b86c110bffc74eb1974cd1e3be98bad8567f4dc70157a58d0d1d7d28ea7b0969bc9a08adf6fb8ca45d4d0a878d13fecfabca8ffc50

Download Submit
C:\Windows\SysWOW64\Allefimb.exe

Filesize
96KB

MD5
1c8109545cf31a83621a4039c4c6ea05

SHA1
9efa9da5f1bc6e02df3a9731ab3187b1d525dbb1

SHA256
def70d5c55bb2b4f1b340d7ea27f8201b426990f747ba92b577254124f5fa70e

SHA512
428210839e89c5277f2e4230e75b77a9110585ad670ebc449070115cb9ce4f51bcd1eb20e2d221b4a0ee5078b07f413559bb8fa1afd99ba794b742a51c346c49

Download Submit
C:\Windows\SysWOW64\Andgop32.exe

Filesize
96KB

MD5
f73904d82b27272669c259fc1d682100

SHA1
5a39e6245703d89f55f968a55db4b7b5cfa0ff7f

SHA256
93902ccfe4bde7a56d5ca928643504107e93ce3ebf614e09c0fe9fa883e6c899

SHA512
2f80efa54638478a20870ec223e5a3c75fb5fc6a79d6e25b954343ac24813977c8fa6bea1257e229d03cbbd7d1b4ed204c2ed7ee53007fe9423047d414cba970

Download Submit
C:\Windows\SysWOW64\Bbbpenco.exe

Filesize
96KB

MD5
ce153a04e58c0bd7bdcdede0f5bad6ab

SHA1
aad6c0285c1b03a0695339d32e3946797d294ec3

SHA256
74e57ad8ea782de86abd8207153fc3b68f94f8f609d572fd2da3b6f29e2a8635

SHA512
529d643184219316bd73e911bcdfa39e190b15194dde02992ab52c00992a61e61f79dce3d12e76b7dd9d05ea2db205ef9d4307229d7dbc7a1d7319969a0e38b3

Download Submit
C:\Windows\SysWOW64\Bbmcibjp.exe

Filesize
96KB

MD5
0624a1936f4279d2c42b812e4e14af5b

SHA1
7de38fb3468f2f36e59ba4aafd7c61abe0086cfe

SHA256
40188a31c64dfe1cb1c73ec92fd62ed773efa2dd2bebab31d9baddf39e1ed983

SHA512
9d586dc219989bd2955b91abc937dd6d09a95befa22f3708cc83d860fc4c28882e3ce47875f522a09d59194f8d447dea9d034efb900d25152c7d021c6193281f

Download Submit
C:\Windows\SysWOW64\Bchfhfeh.exe

Filesize
96KB

MD5
53895ae5d60f08277059d271602c739e

SHA1
4a7252d1ef39cbcbc46e5cf14cbb21ce467880b0

SHA256
b61cc2b8e11832e790a5bf75e71a75058be69cb17b311dc3bc1ee2ce2585dc1c

SHA512
fda10c718c5461e6770d901355ba5630acec6a63b904b790f45acca3bad945dd25d694e0b7c04b38e4158711f71e6bdb4c19b59fa2c33b31ca3a4c17af3c217b

Download Submit
C:\Windows\SysWOW64\Bdcifi32.exe

Filesize
96KB

MD5
bf203fcbd3121203f1b52c7ee96a050a

SHA1
fc3e34c6c7748ed3fc422481b149e4421500b0dc

SHA256
7b5c571bd67e7515646450b83e47fce71b67030da5a740b0f004097900795667

SHA512
b16b2f0616b18f59ce5915d50b04dae7d84648e0c402f8a072bebaddde688786dc7208f7557fe36a7a4945f3e4f69faf20c0ec2184a55ad0db983afc4f196bce

Download Submit
C:\Windows\SysWOW64\Bgaebe32.exe

Filesize
96KB

MD5
c10e8b820316bc1d8fa7f0a8722eef9e

SHA1
0e75fc0e64941981d6d5c7908f36f16b8200d376

SHA256
1a8a82a6e37c927a661d50c78c0265df6c2bbd87de5c65e07386174768c49e11

SHA512
5a8a79cb5f5dc7cf4a6f6a6b6fc0837aaf7675ae290f3c75dbe329683865ffd453ce817dcbc4634aba1e19de13908e53e6fe190cc16d965d401196be19bbfca9

Download Submit
C:\Windows\SysWOW64\Bjbndpmd.exe

Filesize
96KB

MD5
7de419bd0917109b30f2f61a0ba90401

SHA1
44405388961f5cf8c62f7581a6040f6a824427d1

SHA256
d604e400bf889e766b22af50b0437b84724278464ef040c8a17042775034b55e

SHA512
9bf9c883bfc479e36c60ceb6db41cf38569e66a3e3f0af3810d3219bead1b4280ced77a877385d359b6d227d73abce6af5bd22f183051dee486712252c897f75

Download Submit
C:\Windows\SysWOW64\Bjkhdacm.exe

Filesize
96KB

MD5
619b50fe93d82b8f4db0be3c6c9bb194

SHA1
cffb20dc0f6635da4828b9f94f4c54b9a38a126e

SHA256
0fa14ff3cca2e05c249fc34bbd6f1808c14c1d0368277191b52412c18f3414fd

SHA512
6b5935cec3de5fe14b7b7ad228c0812c9f89007a0fd729f4dd517eea86014acccbc6ffad5e1b05c54ed50f58cfbdffa7caf108e4df6842e989b71722486057a6

Download Submit
C:\Windows\SysWOW64\Bjmeiq32.exe

Filesize
96KB

MD5
06ce527579dbeb16d3c4450acdcda03a

SHA1
161b4118e0dfdac7fd8760dbea53b7d0e70e8a69

SHA256
834b71d85b6f7400b49316580496a51d793179c06614286114df189e1a9c8b3e

SHA512
0f0d30c6a3c163a0f80e7024ee32613658b581b152ccdf1d03a53ddc1ad70798c518a5c74cc301d048c2ff1335f8a9af88ae2106c791a7cceb3810b6e4a1e274

Download Submit
C:\Windows\SysWOW64\Bkegah32.exe

Filesize
96KB

MD5
fd19038745f3226ababce896a30111dc

SHA1
5e7111c02711bfee8bc7ba54bd2385ad38a6b16d

SHA256
55dfb415fbb17ca892b5158865b272dba28d303e63c0072c65b09e8d94459f56

SHA512
6f575a76c800ed5321857f46eea07a0f429d240933de73857f95ffbaca36de28094c2c45230bfc2498c5f347857c8514cf0e9543f8aab4d5daa2ce221d462d44

Download Submit
C:\Windows\SysWOW64\Boogmgkl.exe

Filesize
96KB

MD5
65867270d515a8bb8b76958c4ced4840

SHA1
6a9fd64aa79094e0ca6658ec13137c60a083778e

SHA256
c679deafd8589b42bd9f86e3236ed81c44c2889a884298a667fd4d6627fd8e1e

SHA512
60c75969c7f6840d4c373de485c21db2cbe72f4b4c22a9366aac2f3597a05abdaa41c5d9c560207a25c581e4aba99932849f4d2894c36b4d4946ae8c35107703

Download Submit
C:\Windows\SysWOW64\Bqgmfkhg.exe

Filesize
96KB

MD5
73e8154bc72e8a3d436ab0ec6cd7d9bf

SHA1
24a79be487e9dec7ef061dd40418d3534ad4ada5

SHA256
8c6e14542e8a88ac468cb60101db7b7490cca35605c2ea0d068045542df584af

SHA512
f5bbdb4cabcb5989eaee8e729cef8cbbf82bca8831c94269b56210999ded7a7b1e945b89ef11be4b371ce4e4ecaa09f81707af6737d4d9f623c5744b2002456e

Download Submit
C:\Windows\SysWOW64\Cagienkb.exe

Filesize
96KB

MD5
45f6800e02a42cdefabc87405592f4ec

SHA1
26b7628bcf7713145853c6ce935285a4fcc9e6c4

SHA256
6a9c9ccc796704145f5f4d828ae0b3469626fd19c9a07982416b9817132d5a6b

SHA512
bdbadb08eea8004f43f9381b84e470b77e5fa7132d88bb2561febf84f36144c828097b58b51f14ccfd6c98a2d4c5f54c1edf5f8baa0e0c658ce8af2d0235ceba

Download Submit
C:\Windows\SysWOW64\Caifjn32.exe

Filesize
96KB

MD5
338ab218ea8bca00004e604ae7cba587

SHA1
6deab2857cd0059e45919367b9be82f4af43540f

SHA256
fde9d5860b7bdea2677765698276e379796256c05bfa372de5186022b2e6e5bc

SHA512
0687796b2325be7fb4e4bdf12b5d053ce3f931fc9348ecd642a3cee9f7d73ab431b81449695f8111e622d8b8e0bacea0c0b99984239e4f8fe086ea138dbb4a76

Download Submit
C:\Windows\SysWOW64\Cbdiia32.exe

Filesize
96KB

MD5
40d3c0b98b95f2a26aca1d5e4919b76d

SHA1
a83bee62becfbcd599a81467389b2a72939a3f16

SHA256
84002eb07427abbf58e0341cf3ba87220f2af092b2e05eda38ed2c43472646ff

SHA512
509253132273049b9dd8ce0ed859fb4761b1069eaaf7503e40d14ab02810ca84d31ad12b118892d26ef60db3cdd6fd56ce534d63a7910ce021affe386b592511

Download Submit
C:\Windows\SysWOW64\Cbffoabe.exe

Filesize
96KB

MD5
cdbb391f770d85358ee7653cc14ae727

SHA1
647f41c2d055e58ba7bebe591dc07d54beccab1f

SHA256
33ff5f03f052dd9e301564f0d35bdf38476cbec29f863233803c69c876a098f7

SHA512
43fb3265c75e6e1f90cc8cf8f7adeed264671f9a55dce36f4fede131507d04635d98ffecc47f1a070152a535d0ac5d9426537625db8b09494714dae9668ef070

Download Submit
C:\Windows\SysWOW64\Ccjoli32.exe

Filesize
96KB

MD5
da5e99aa63c04fd65875d9ed23da8fc6

SHA1
fb27a66842f896bbb09de38f2ca9ac52b0c73c91

SHA256
4916fea68abeb8368beae5c907af171853298e7e97a30921c39d104d35e52e0c

SHA512
7a15943658d92848ddcbae836849c2998202e1e6023d0a69d0f40e91237077d4321c6d64410d5fcf28f00756287a401a15e249b1e6d47ffda05dfb4b2b7e20bc

Download Submit
C:\Windows\SysWOW64\Cegoqlof.exe

Filesize
96KB

MD5
948134d9a7e06a7b6edeab136642dcc3

SHA1
5a4d21e5b8a9adf9a247c87a216bb5d3637a06aa

SHA256
32b9ba10d3b3c683054c8d6f3ed060cbec8fbdb51bca9094091401fbf126c19b

SHA512
d01ea360932325b3800d61bdacfcbce28ac25e550da0f9255b41b444b9e94b0a962a97a721422c5932bc195e2b407b0fdc05f7b55ab2571f15da30b2af02be2e

Download Submit
C:\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
96KB

MD5
6e0ad307b31e65bc79dc9973661010be

SHA1
2b7c8db7bc5dbeabe2a3b246090e35c1e24c14df

SHA256
72a91d391b7ed7dc2a09526103937ed50ae64c8cb60ac287418bbcb961aa3ecf

SHA512
833911c77797645d71584b2bc444b5c47d139f1838d1a738f057adb352e603302c715f7821906cd3139717f03ed7ab5c813b94333417c954b363efd260c06ee2

Download Submit
C:\Windows\SysWOW64\Ciihklpj.exe

Filesize
96KB

MD5
b4f001085bd19df449f4274d03bbf6cb

SHA1
b8706a319e973de02fda60a92ce40a7b58b7fe73

SHA256
531b48ade30e900a462676b3a098581daab4204ca7d98dd7f0196327217dae61

SHA512
55b9b38cf9a971ab4be9ec92ec0c64c2d5dfca70ae456e129bbf14fb1145d8e116c9c025c8630de318a7caa54181c3a4ae72b2cfc2654ea7d9b2f1a6683f8089

Download Submit
C:\Windows\SysWOW64\Cjakccop.exe

Filesize
96KB

MD5
86f2209b1585e35c0547a93a9d8f9586

SHA1
c6fb6f30ebe1f367b2944f47d2b02cf2d2aa185e

SHA256
e7b18d9f1c3625ad595683c8a82ffafaf17eee6ab9ff53af217d0115f0e5beb1

SHA512
4b10bb84a70d578958ff4934fb9a57fd32a7a0f4cdf1dcecd83b34881053cae2440cfba9e08ab21270598eb931d1e3781bbc292d6f81d88bfb9ac7a9cb6dbd6a

Download Submit
C:\Windows\SysWOW64\Clojhf32.exe

Filesize
96KB

MD5
3bdba954565a1ff92c4e28439f5e8126

SHA1
06420f76715b73d3c9c4272aad0522181cdbb53b

SHA256
20fdfa4fd550983b3a256fa2a6aae9edbd505133ab23e97617f677c3e4826943

SHA512
aafb6db86f8c85a7ca5f9208eecd4486be61101f5977679e5fd5d6bb2bb86fb1e73c783f9b56002200542ba069889aa81606a7f0d12aa9fd2fb17936babb3eff

Download Submit
C:\Windows\SysWOW64\Cmpgpond.exe

Filesize
96KB

MD5
89843e92d0da7a697364e25c44fd55d2

SHA1
4d30d11017247468848468fa4af6e02ced4de688

SHA256
56fcf9bde9c4584b8d502260eebecc1af326291677aa2854f34e80950c3b1c3c

SHA512
23e785e15fc1ad254167bb8083b7826dc5a76180a57073f0b566637c9f63c7c75275ef5477b3c79a8d752187e9ebf193b92d190605b5022c3c117e35bd7e42bc

Download Submit
C:\Windows\SysWOW64\Cnfqccna.exe

Filesize
96KB

MD5
87a761812a14996b7396d0d6f4bf4794

SHA1
6bcda5148f7f2e289921eabc8f0a1ce6b9a4811b

SHA256
7d103367592cb8fa08da1eb15c9293c61e7c87afc68b151391370a3b9c4e13ac

SHA512
591b96b04540c9d1b8a5162642534d3863db779c4591cb6e704a8f00ffdea998707f6ac0f32564f5fff7bd8bc5a5e114478a51fc1401c0c208b0d5ae449f28ee

Download Submit
C:\Windows\SysWOW64\Cnimiblo.exe

Filesize
96KB

MD5
62338fec11da9ef5b2ad7fd420576af3

SHA1
844f079765c1aecb2b8310fb5938fc3e4d400e70

SHA256
11ed19742857143defe9a21aaffd1e35bd7595ab1aa50b017178233470a2e6a9

SHA512
9add4f3f5aeb5d668c5d0dd73f40e772de1ea39f4b9f4c374c95f1fb02b273116ae874f6386ad48ee3f5530568eaa7b28ac935727c4fbd25ae8d60a7099013dc

Download Submit
C:\Windows\SysWOW64\Cnmfdb32.exe

Filesize
96KB

MD5
c8dfb9ef0ffb0476353bb0f9a8d27fb4

SHA1
c5ce6b214ed14197bf3431fcb3d8e2cb7496db87

SHA256
c9580550f607d462c38572bbb79993f8a1b7b2847da28aeb1930fa74298c0c0e

SHA512
a6b892ce6850eebb3a4661797e7d8fd26240d1961e32ca713db27f0f63447e827a87647412d1a2285cd033e8c0058964742bc7a7a05579de7c9175a5b28fbdd9

Download Submit
C:\Windows\SysWOW64\Coacbfii.exe

Filesize
96KB

MD5
d318b29d545c3207db8628497b99b720

SHA1
23690e736fc6f2dbd7152bcd563e35bf00755302

SHA256
22a525ffb0f0fb7e4d11961f5fb7013f1fedae09c951bc6c8a7cec96b545dd5c

SHA512
73e77b22011b5ae53adb30cd56bdd3e7c9e0d8316d99eafe1b52e9e8a8ae0a1b7595dabc11e75b4980ef566715fcab1c091e561b5eef6372a99c16551a8b1a09

Download Submit
C:\Windows\SysWOW64\Cocphf32.exe

Filesize
96KB

MD5
8c164e8d464a54d94f4da9438a3f3231

SHA1
c18c747313febdce56e5621f279ea5f97210aa09

SHA256
f4f5f0ac8018adb44fb5ff83fb4c45db96c198768dbc68306e006ab616e922e3

SHA512
52c045e8bb08fccf6d1463fd391e2b85380fb96d27b1f3aba2cb35a46be253f47a71a735459e9e35ce4c1c20715f454712a34f8bf80d8cad2c81a99a037d272a

Download Submit
C:\Windows\SysWOW64\Dmbcen32.exe

Filesize
96KB

MD5
1f388d9e49cd628d28625073bde867cb

SHA1
8c68dbd6f149eee46bfda8e1b53db04df62c0eb2

SHA256
8f41c45e899c93575732c027f5750dbc9d02394b147ecd67f9ab6dd0fc4413cd

SHA512
5d52a903e8a64b9d5e9b4e9649a68b4c5e8e1fca2b7a558f8dd456d962fdf891412bda52c379c8693621a6bbbc68db35dd848df824fea255157fe715b5bfaa2e

Download Submit
C:\Windows\SysWOW64\Dnpciaef.exe

Filesize
96KB

MD5
08502073ddeef65c75fc23b823e30bb1

SHA1
7eea6e61836dd94c342cbe65077ee1f3076eab1e

SHA256
29a1d43f7ec82fa06d20ed56fbedfd189684ea62c8086ba56cd19961cff22e87

SHA512
b82260d058917453b12f8498d173001b8cd8d8be31cf97576a51e16b743b5e988a2d4a8755892e4e0df6d98e0d6294c1726c7065e41e2a59665af91a5cb1a6f9

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
96KB

MD5
f43e8a119549e7ecc95503e1cf8d3a05

SHA1
71802d4562488ced360b2062598f91e17cad5613

SHA256
efcc791248aec670f1cd1254ab7b0a0bc60f556c01f04a595fb907f0a70356ea

SHA512
70eb1ddc167c535e629bcf91f9c137ea6b976b98211cb4f3bfa344b016447011baa43f980dc7a37f49a185f709a8cf90a293e5082237dbf91b177930b983d471

Download Submit
C:\Windows\SysWOW64\Kmgbdm32.dll

Filesize
7KB

MD5
c9c5d627b908e730c9b788e350e5e1c3

SHA1
e52a7932653dfd70419af476c7f77e5da4182f11

SHA256
39896e33fe8e9ed6cef8ab303306d1267932c76d89fa201d24cf4489dd3b46e9

SHA512
a12673c13716ed36ec83b824c278c9f0555f373788415e1091ff576d0ac3191b88861d5eceb919535eaf949242bbc3d4494c5722351f795fdae5cb9a99d8c7ed

Download Submit
C:\Windows\SysWOW64\Pkmlmbcd.exe

Filesize
96KB

MD5
30bb3952864f9b34f37b1988cf6c6ff2

SHA1
ddc9c2c04534fadd42b012c2014f085d74ca2895

SHA256
177697562294037cb0e8d35e844df825711a5acaf28b892876ced115b4d84e7c

SHA512
48b63db7231ac497bc7b99b58f3239786c3549ee75a7b4d172faa89bf7ed72da83325a8d43eb02d1fde74a28b6d5b835579372d9d01a91741f411cf04a242605

Download Submit
C:\Windows\SysWOW64\Pljlbf32.exe

Filesize
96KB

MD5
db213a9807b7142f7b9760a9dfa8d2f5

SHA1
f478a7e16c4f9b4c3cb235e80aab655c0cc93956

SHA256
0dbb66b0871d115779ba38e593ce039c54efffb76a5c72bbf72d2ea6fa8cb267

SHA512
7fb206363872418fe90a2d7db52e1efa9c40dce5fbe02791e79447258b073d2e5f41220cb225a58c01dddf4c071279be796efbda102df1641da8c1cd566e6298

Download Submit
C:\Windows\SysWOW64\Pojecajj.exe

Filesize
96KB

MD5
68d364f2242553620eac9044ea4cd24c

SHA1
05d96f71d0090ae326610633d9c043c9c8230c93

SHA256
b8ea5f17f33a46e6ec2c92c3fba5ea3fa0c19bd56e1da962f3e2fbb1754eb3fa

SHA512
c8a3f3a875061e9e8665cf52ab86c9c95f9f3a92c37e1e74b31befdd26ae69a73b838d89c2087400b5896434bbd5c6d757e536c279a00209ad732b20c105372b

Download Submit
C:\Windows\SysWOW64\Ppnnai32.exe

Filesize
96KB

MD5
8a07ca8a0e62f3a3c010b56eee7080af

SHA1
5f2602f277a30e5c8d758977211f38f0e1da98a7

SHA256
74a26698336c274907bb5dbfe8edb6528be6f4957051f3e8ccec6351c7a28630

SHA512
9fc5e626c29df9dce8e0622bcc7eb23d7de6a05dbab1f718aec6b36f64a29b1721c2ac9a8bc607aa03a78726f8f6c3d067c48b00b28099e663799a1f32d4ca36

Download Submit
C:\Windows\SysWOW64\Qkfocaki.exe

Filesize
96KB

MD5
da221848e9d8d44bf7a2269101af14e7

SHA1
b7d1120f45d0f3e875aec2989d729a3a80c90228

SHA256
31e0eaa63c3e307d40167ac360bbf10469cff77e7281e401be2bdbc5d40bbf32

SHA512
3c0f4399657ab20e7b46951a358db510dbf12433a2aa47f6429b64dab7caf1e8c21433152a4a6b49594bf54d311d34630562222da5a60ef513f965891bd9934e

Download Submit
\Windows\SysWOW64\Aebmjo32.exe

Filesize
96KB

MD5
30d2194774959314e8c875954c9c1a0b

SHA1
30fe07b3fc89b6487192be21894e4efd69b56269

SHA256
930c169263c242c1eeb68ff8ff61f0d75bbdedf3073562c6c9831d63f898b080

SHA512
a52c816864c17a42b2549ad3580ea3f821f61bf00f7a6fde9be0c083d510fc552ff6fbc7cda1f3b970970b4c4b977e650dac650a9aaf14e76b99244d2cdff4ec

Download Submit
\Windows\SysWOW64\Alihaioe.exe

Filesize
96KB

MD5
1326809b79183b083e931f4634bc9bfb

SHA1
82de0865fbf945831955d794aed269ecdfa8d8e2

SHA256
2edec45005e2911a638bb5ff9e87fc318065a339aa6c06d37594195ed6fa155a

SHA512
8147ca48f3b3ba732eaa6b8272b9ccc01a260bf842dc6b71a4712c7844fae833c5b8b00cff7802d3b7093998434a619013284634dee204716a87cbb0ccd936e5

Download Submit
\Windows\SysWOW64\Pafdjmkq.exe

Filesize
96KB

MD5
b0ef9386bfcbbe89ef7f2780bbac4634

SHA1
96b7e8d2b85166bb04c8ea172aecc91eb1426fa7

SHA256
aa47a67494972204adfc39db9d4d130e0f6b6dd313b6626e2fb16a29f3c6b329

SHA512
ed07e1823d61114f917b6b4f98ed55d7871e8c2d15884e5a6e3e7789298a5cc4daf790fba00af1d803acb413a9b447e0bca92dc75b448cf1f7095c32b856a06f

Download Submit
\Windows\SysWOW64\Pcljmdmj.exe

Filesize
96KB

MD5
898771c58b66643c6dddcbee1497abc0

SHA1
004dc7816141537bb9edf09e73a5e9cd78bcab6d

SHA256
44ff28e8db1d1864cfc71c413351448513a4b9db0fc05876c80d341ca512d05e

SHA512
d26f4e84dea19856846f3d39ee482db623558d1f407ee6c4cffe2d971f4c9aac811e261f8bf217395e927c17a1d73119d57b84d9364d32ca61c669e382312a55

Download Submit
\Windows\SysWOW64\Pepcelel.exe

Filesize
96KB

MD5
cc8078802a3938079c9e95381dcd4663

SHA1
dbf344d47c05fb1ead21ad8b9230003d5ce47835

SHA256
401ae59675e4f6837b2a2cfd194f6b9923cf089550db47e6ab0bfb3aa2851711

SHA512
c1631e4495488e8903be0a3ac30f8632690c71b21e1b0ca0c25b161e068fb0bace8527806e3fe7790e4d98b2aa70732de29d6a158cac1871cde29e2cac895480

Download Submit
\Windows\SysWOW64\Pidfdofi.exe

Filesize
96KB

MD5
970e730167418a768b51089be0d2334f

SHA1
fddfa5a380b2bf60303b6ba3eb274861c94f558a

SHA256
f68de79d0331ef2d670bf5a6678fbce06f39f30f29be83431a2764d2f3957b8e

SHA512
8e66bb8e4a2fedadae779be5144a0d7a80707290b6c024d810f322c92be2e6c8d04c34675eda9078c785f548cbb9854d065fe36887433d85846a7c765a5bfcb3

Download Submit
\Windows\SysWOW64\Pkcbnanl.exe

Filesize
96KB

MD5
64e84d32bfba72b1006678ab880d6b6a

SHA1
141e9c399da3dd62d04a344632638aaf2e16caea

SHA256
e5d2b04b71538dd03bb4a7570d33c4ef69051f57f7d701c55ba4b2691b2ff650

SHA512
ce1718dcbb943ba67fb098ee7451dc0198c2a1aa26dce94e015cb1425eeca169ae9a84fe5fd4f7fd6afce56514304b03b32647bd977baec20859e89016643fa7

Download Submit
\Windows\SysWOW64\Qcachc32.exe

Filesize
96KB

MD5
15fc5062780ba0e71f4df4ae33d3a3b6

SHA1
c779da589c06a4941188ebddbbb7fd0ce461a919

SHA256
85b135d7770d75fcebea1b40c9c1b9717cfdd08891375725acd0c8ab7cece429

SHA512
f861c41fe60c31886d6ff7fd484ca12e5cb1f387a400d14afd1118c9bba7f62f103195b03fa74a9f96f86785a9e6ec48801d8da73e1763abb2d02ac9eca94681

Download Submit
\Windows\SysWOW64\Qdlggg32.exe

Filesize
96KB

MD5
db6d17f7868eb258e23cdb4550dc0059

SHA1
4c0d02368bcbdcd6f176323020beb90481db5050

SHA256
8a55bc06514fe05e0da30edee33f323cf55c14ed591cf81c8f59b268a4e186f2

SHA512
844e3a46efe7d727a14adbc4f0ef78cbe86f19cadec85387d90ec7fe456e73708d9562ad0c39e472520f417ad98454fa69163baacd7ef4f9de018da1b5b3d481

Download Submit
\Windows\SysWOW64\Qdncmgbj.exe

Filesize
96KB

MD5
532d433f4eddc6b42505eab20d35c99b

SHA1
a79493749fdab7a941072382d8d0e0fd3437f657

SHA256
bf72d593b4b5a7ada1734fb6ef3bedd783682f98848a389b2dd8cc9b83dc43c5

SHA512
e07a21f44494230935297c9e69ae20064efd5207b096c2ba925c05b67425a545b8aabd731078188df89d89dbdaa8f9ec0e764678371cb52c2aef644bf39553f9

Download Submit
\Windows\SysWOW64\Qiioon32.exe

Filesize
96KB

MD5
971132724a06737d951d8776d3a7a3a6

SHA1
f4bfc9d793cb4505ac695e2bebe0e97fcaa0455c

SHA256
e5646d228d73276fcc49456dc53ec9b555ac8b98cfc4725f7c67d6ef5605d5da

SHA512
14dc6d1a20b764e659c7216f16977a2e241fdb1dc6d6bfcc9f87b1bf3de7c59ab26908aba81b3ed1da21da0bd62d3bb5e78b0bf8209c13c1b1a043a7e26b4034

Download Submit
memory/756-506-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/756-171-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/756-178-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/760-434-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/760-444-0x0000000000270000-0x00000000002B1000-memory.dmp

Filesize
260KB

Download
memory/760-443-0x0000000000270000-0x00000000002B1000-memory.dmp

Filesize
260KB

Download
memory/872-511-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/872-502-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/872-510-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/888-272-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/888-262-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/888-271-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/892-314-0x0000000000300000-0x0000000000341000-memory.dmp

Filesize
260KB

Download
memory/892-313-0x0000000000300000-0x0000000000341000-memory.dmp

Filesize
260KB

Download
memory/892-304-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1056-422-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1056-413-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1308-250-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1308-246-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1332-504-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1332-157-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1356-489-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1356-498-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1368-251-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1368-261-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1368-257-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1380-145-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1380-488-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1380-486-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1384-234-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1384-240-0x00000000003B0000-0x00000000003F1000-memory.dmp

Filesize
260KB

Download
memory/1384-236-0x00000000003B0000-0x00000000003F1000-memory.dmp

Filesize
260KB

Download
memory/1700-432-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1908-445-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1956-37-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1976-454-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1976-110-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1980-477-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2052-465-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2052-474-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/2052-475-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/2152-206-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2152-198-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2252-299-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2320-324-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/2320-325-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/2320-315-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2340-392-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2496-375-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2496-13-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2544-373-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2564-74-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2564-66-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2564-412-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2580-384-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2580-390-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/2600-464-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2600-125-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2600-118-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2604-433-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2616-377-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2616-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2616-12-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2620-221-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2636-44-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2636-51-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/2636-401-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/2636-391-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/2644-87-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/2644-431-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2648-358-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2648-357-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2648-348-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2688-402-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2688-58-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2716-184-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2716-196-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/2728-335-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2728-336-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2728-326-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2768-359-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2768-368-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/2768-369-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/2784-406-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2824-337-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2824-347-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/2824-346-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/2880-455-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2884-283-0x0000000000280000-0x00000000002C1000-memory.dmp

Filesize
260KB

Download
memory/2884-282-0x0000000000280000-0x00000000002C1000-memory.dmp

Filesize
260KB

Download
memory/2884-281-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2928-487-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2928-476-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2980-284-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2980-294-0x0000000000310000-0x0000000000351000-memory.dmp

Filesize
260KB

Download
memory/2980-293-0x0000000000310000-0x0000000000351000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads