berbew | 87011174bb8dfd9e2fafaba1e8b200b0344218c533aaa0c0e2c37ceef5c40f40

Analysis

max time kernel
87s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-12-2024 17:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87011174bb8dfd9e2fafaba1e8b200b0344218c533aaa0c0e2c37ceef5c40f40.exe
Size

71KB
MD5

6c5018ec3abee6977d89e379602c96fc
SHA1

323f5e3686e186e976fda72a0665e208d6422dce
SHA256

87011174bb8dfd9e2fafaba1e8b200b0344218c533aaa0c0e2c37ceef5c40f40
SHA512

bb4fbfdca69ce4fe12ebdaa5ec5ae063d02029c0ac43036ce0d613bcf562d99fd1eaf755d307b514e5172323ce7672f07b2f9ef5ce256aaa3f10266b165b77a8
SSDEEP

1536:JFqpoAQFS655nElim6YBdEso3rdvzEKbRQTDbEyRCRRRoR4RkC:JFqndy5ndvxeDEy032yaC

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pplaki32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaimopli.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aakjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Abmgjo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgaebe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alihaioe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adnpkjde.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danpemej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pifbjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Accqnc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Adifpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Adnpkjde.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pifbjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Alihaioe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aakjdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdenafn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pohhna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pgcmbcih.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qlgkki32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qeppdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Boljgg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	87011174bb8dfd9e2fafaba1e8b200b0344218c533aaa0c0e2c37ceef5c40f40.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pplaki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pkaehb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcljmdmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkaehb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pcljmdmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qeppdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accqnc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahpifj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Achjibcl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pohhna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Achjibcl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoojnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bqeqqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bccmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmlael32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qiioon32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alnalh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Abpcooea.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqeqqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ckhdggom.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnpciaef.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 52 IoCs

pid	Process
1052	Pohhna32.exe
2712	Pgcmbcih.exe
2728	Pplaki32.exe
2656	Pkaehb32.exe
2724	Pidfdofi.exe
2800	Pcljmdmj.exe
2652	Pifbjn32.exe
1656	Pleofj32.exe
1668	Qppkfhlc.exe
1632	Qiioon32.exe
1708	Qlgkki32.exe
1640	Qeppdo32.exe
2872	Alihaioe.exe
2200	Accqnc32.exe
1924	Ahpifj32.exe
816	Aaimopli.exe
2044	Ajpepm32.exe
468	Alnalh32.exe
2136	Achjibcl.exe
344	Aakjdo32.exe
1788	Adifpk32.exe
1540	Aoojnc32.exe
3024	Abmgjo32.exe
540	Akfkbd32.exe
2320	Abpcooea.exe
2092	Adnpkjde.exe
2748	Bqeqqk32.exe
2220	Bccmmf32.exe
2552	Bjmeiq32.exe
2544	Bmlael32.exe
3012	Bgaebe32.exe
2340	Bfdenafn.exe
2784	Boljgg32.exe
1716	Bffbdadk.exe
1688	Bqlfaj32.exe
2792	Bbmcibjp.exe
2632	Bmbgfkje.exe
2192	Ckhdggom.exe
2052	Cnfqccna.exe
676	Cileqlmg.exe
780	Cgoelh32.exe
1320	Ckmnbg32.exe
580	Cnkjnb32.exe
1336	Cgcnghpl.exe
3036	Cjakccop.exe
2252	Calcpm32.exe
2952	Ccjoli32.exe
3064	Cgfkmgnj.exe
2732	Cfhkhd32.exe
2804	Dnpciaef.exe
2532	Danpemej.exe
2608	Dpapaj32.exe

Loads dropped DLL 64 IoCs

pid	Process
2616	87011174bb8dfd9e2fafaba1e8b200b0344218c533aaa0c0e2c37ceef5c40f40.exe
2616	87011174bb8dfd9e2fafaba1e8b200b0344218c533aaa0c0e2c37ceef5c40f40.exe
1052	Pohhna32.exe
1052	Pohhna32.exe
2712	Pgcmbcih.exe
2712	Pgcmbcih.exe
2728	Pplaki32.exe
2728	Pplaki32.exe
2656	Pkaehb32.exe
2656	Pkaehb32.exe
2724	Pidfdofi.exe
2724	Pidfdofi.exe
2800	Pcljmdmj.exe
2800	Pcljmdmj.exe
2652	Pifbjn32.exe
2652	Pifbjn32.exe
1656	Pleofj32.exe
1656	Pleofj32.exe
1668	Qppkfhlc.exe
1668	Qppkfhlc.exe
1632	Qiioon32.exe
1632	Qiioon32.exe
1708	Qlgkki32.exe
1708	Qlgkki32.exe
1640	Qeppdo32.exe
1640	Qeppdo32.exe
2872	Alihaioe.exe
2872	Alihaioe.exe
2200	Accqnc32.exe
2200	Accqnc32.exe
1924	Ahpifj32.exe
1924	Ahpifj32.exe
816	Aaimopli.exe
816	Aaimopli.exe
2044	Ajpepm32.exe
2044	Ajpepm32.exe
468	Alnalh32.exe
468	Alnalh32.exe
2136	Achjibcl.exe
2136	Achjibcl.exe
344	Aakjdo32.exe
344	Aakjdo32.exe
1788	Adifpk32.exe
1788	Adifpk32.exe
1540	Aoojnc32.exe
1540	Aoojnc32.exe
3024	Abmgjo32.exe
3024	Abmgjo32.exe
540	Akfkbd32.exe
540	Akfkbd32.exe
2320	Abpcooea.exe
2320	Abpcooea.exe
2092	Adnpkjde.exe
2092	Adnpkjde.exe
2748	Bqeqqk32.exe
2748	Bqeqqk32.exe
2220	Bccmmf32.exe
2220	Bccmmf32.exe
2552	Bjmeiq32.exe
2552	Bjmeiq32.exe
2544	Bmlael32.exe
2544	Bmlael32.exe
3012	Bgaebe32.exe
3012	Bgaebe32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Eibkmp32.dll	Pcljmdmj.exe
File opened for modification	C:\Windows\SysWOW64\Alihaioe.exe	Qeppdo32.exe
File created	C:\Windows\SysWOW64\Adifpk32.exe	Aakjdo32.exe
File opened for modification	C:\Windows\SysWOW64\Bmbgfkje.exe	Bbmcibjp.exe
File created	C:\Windows\SysWOW64\Cileqlmg.exe	Cnfqccna.exe
File created	C:\Windows\SysWOW64\Cgfkmgnj.exe	Ccjoli32.exe
File opened for modification	C:\Windows\SysWOW64\Abpcooea.exe	Akfkbd32.exe
File opened for modification	C:\Windows\SysWOW64\Bjmeiq32.exe	Bccmmf32.exe
File created	C:\Windows\SysWOW64\Lbhnia32.dll	Bbmcibjp.exe
File opened for modification	C:\Windows\SysWOW64\Cfhkhd32.exe	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Qlgkki32.exe	Qiioon32.exe
File created	C:\Windows\SysWOW64\Aaimopli.exe	Ahpifj32.exe
File created	C:\Windows\SysWOW64\Ibbklamb.dll	Adifpk32.exe
File created	C:\Windows\SysWOW64\Jdpkmjnb.dll	Bfdenafn.exe
File created	C:\Windows\SysWOW64\Cfhkhd32.exe	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Pgcmbcih.exe	Pohhna32.exe
File opened for modification	C:\Windows\SysWOW64\Accqnc32.exe	Alihaioe.exe
File opened for modification	C:\Windows\SysWOW64\Bccmmf32.exe	Bqeqqk32.exe
File created	C:\Windows\SysWOW64\Cmbfdl32.dll	Cnfqccna.exe
File opened for modification	C:\Windows\SysWOW64\Calcpm32.exe	Cjakccop.exe
File opened for modification	C:\Windows\SysWOW64\Boljgg32.exe	Bfdenafn.exe
File opened for modification	C:\Windows\SysWOW64\Ckmnbg32.exe	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Cbehjc32.dll	Dnpciaef.exe
File opened for modification	C:\Windows\SysWOW64\Pleofj32.exe	Pifbjn32.exe
File created	C:\Windows\SysWOW64\Gggpgo32.dll	Abmgjo32.exe
File created	C:\Windows\SysWOW64\Bccmmf32.exe	Bqeqqk32.exe
File created	C:\Windows\SysWOW64\Gpajfg32.dll	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Ccjoli32.exe	Calcpm32.exe
File created	C:\Windows\SysWOW64\Kbdjfk32.dll	Pleofj32.exe
File created	C:\Windows\SysWOW64\Nmlfpfpl.dll	Accqnc32.exe
File created	C:\Windows\SysWOW64\Aebfidim.dll	Aoojnc32.exe
File created	C:\Windows\SysWOW64\Ofaejacl.dll	Cjakccop.exe
File opened for modification	C:\Windows\SysWOW64\Qiioon32.exe	Qppkfhlc.exe
File created	C:\Windows\SysWOW64\Cmfaflol.dll	Qppkfhlc.exe
File opened for modification	C:\Windows\SysWOW64\Bqeqqk32.exe	Adnpkjde.exe
File created	C:\Windows\SysWOW64\Bbmcibjp.exe	Bqlfaj32.exe
File created	C:\Windows\SysWOW64\Ckhdggom.exe	Bmbgfkje.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Danpemej.exe
File opened for modification	C:\Windows\SysWOW64\Pcljmdmj.exe	Pidfdofi.exe
File created	C:\Windows\SysWOW64\Qeppdo32.exe	Qlgkki32.exe
File created	C:\Windows\SysWOW64\Alihaioe.exe	Qeppdo32.exe
File created	C:\Windows\SysWOW64\Hdaehcom.dll	Aaimopli.exe
File created	C:\Windows\SysWOW64\Bmlael32.exe	Bjmeiq32.exe
File created	C:\Windows\SysWOW64\Pleofj32.exe	Pifbjn32.exe
File opened for modification	C:\Windows\SysWOW64\Aakjdo32.exe	Achjibcl.exe
File created	C:\Windows\SysWOW64\Aglfmjon.dll	Abpcooea.exe
File created	C:\Windows\SysWOW64\Opobfpee.dll	Adnpkjde.exe
File created	C:\Windows\SysWOW64\Ckmnbg32.exe	Cgoelh32.exe
File opened for modification	C:\Windows\SysWOW64\Cnfqccna.exe	Ckhdggom.exe
File created	C:\Windows\SysWOW64\Fnpeed32.dll	Ckhdggom.exe
File created	C:\Windows\SysWOW64\Ljamki32.dll	Qlgkki32.exe
File created	C:\Windows\SysWOW64\Dicdjqhf.dll	Qeppdo32.exe
File created	C:\Windows\SysWOW64\Alnalh32.exe	Ajpepm32.exe
File created	C:\Windows\SysWOW64\Achjibcl.exe	Alnalh32.exe
File created	C:\Windows\SysWOW64\Bngpjpqe.dll	Bjmeiq32.exe
File created	C:\Windows\SysWOW64\Oabhggjd.dll	Bmlael32.exe
File opened for modification	C:\Windows\SysWOW64\Cgoelh32.exe	Cileqlmg.exe
File opened for modification	C:\Windows\SysWOW64\Cjakccop.exe	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Fkdqjn32.dll	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Gfnafi32.dll	Akfkbd32.exe
File opened for modification	C:\Windows\SysWOW64\Cileqlmg.exe	Cnfqccna.exe
File created	C:\Windows\SysWOW64\Cgcnghpl.exe	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\Calcpm32.exe	Cjakccop.exe
File created	C:\Windows\SysWOW64\Ciohdhad.dll	Calcpm32.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32†Eanenbmi.¾ll	Dpapaj32.exe

System Location Discovery: System Language Discovery 1 TTPs 53 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdenafn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pplaki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abmgjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnpciaef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akfkbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqlfaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accqnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfkmgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgcmbcih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaimopli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqeqqk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adnpkjde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgaebe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbgfkje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkaehb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abpcooea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmeiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danpemej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pifbjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnfqccna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cileqlmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qppkfhlc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alnalh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffbdadk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	87011174bb8dfd9e2fafaba1e8b200b0344218c533aaa0c0e2c37ceef5c40f40.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qlgkki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adifpk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoojnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pidfdofi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alihaioe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajpepm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcljmdmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bccmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pohhna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Achjibcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aakjdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boljgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbmcibjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkjnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qeppdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahpifj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmlael32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckhdggom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhkhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pleofj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qiioon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjakccop.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qeppdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdqjn32.dll"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbehjc32.dll"	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ajpepm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aoojnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Abmgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	87011174bb8dfd9e2fafaba1e8b200b0344218c533aaa0c0e2c37ceef5c40f40.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pgcmbcih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbdjfk32.dll"	Pleofj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmfaflol.dll"	Qppkfhlc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljamki32.dll"	Qlgkki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omakjj32.dll"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jidmcq32.dll"	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID\ÿs	Dpapaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID\ÿs\I´Pro¹Ser¬er3è\ = "C:\\Windows\\system32†Eanenbmi.¾ll"	Dpapaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdhkd32.dll"	Pgcmbcih.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qppkfhlc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Accqnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bqeqqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdpkmjnb.dll"	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID\ÿs\I´Pro¹Ser¬er3è\Th¨ead³ngMµdelÚ = "›par®men®"	Dpapaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Boljgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdakoaln.dll"	Pplaki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pleofj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aebfidim.dll"	Aoojnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bjmeiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alecllfh.dll"	Boljgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpmahlfd.dll"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	87011174bb8dfd9e2fafaba1e8b200b0344218c533aaa0c0e2c37ceef5c40f40.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ajpepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Adifpk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Adnpkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bgaebe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID\ÿs\I´Pro¹Ser¬er3è	Dpapaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ameaio32.dll"	Pidfdofi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Achjibcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bffbdadk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjakccop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjakccop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	87011174bb8dfd9e2fafaba1e8b200b0344218c533aaa0c0e2c37ceef5c40f40.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pkaehb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pidfdofi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egfokakc.dll"	Aakjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oabhggjd.dll"	Bmlael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aaimopli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Alnalh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgmdailj.dll"	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pohhna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pifbjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnafi32.dll"	Akfkbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dicdjqhf.dll"	Qeppdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmlfpfpl.dll"	Accqnc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 1052	2616	87011174bb8dfd9e2fafaba1e8b200b0344218c533aaa0c0e2c37ceef5c40f40.exe	31
PID 2616 wrote to memory of 1052	2616	87011174bb8dfd9e2fafaba1e8b200b0344218c533aaa0c0e2c37ceef5c40f40.exe	31
PID 2616 wrote to memory of 1052	2616	87011174bb8dfd9e2fafaba1e8b200b0344218c533aaa0c0e2c37ceef5c40f40.exe	31
PID 2616 wrote to memory of 1052	2616	87011174bb8dfd9e2fafaba1e8b200b0344218c533aaa0c0e2c37ceef5c40f40.exe	31
PID 1052 wrote to memory of 2712	1052	Pohhna32.exe	32
PID 1052 wrote to memory of 2712	1052	Pohhna32.exe	32
PID 1052 wrote to memory of 2712	1052	Pohhna32.exe	32
PID 1052 wrote to memory of 2712	1052	Pohhna32.exe	32
PID 2712 wrote to memory of 2728	2712	Pgcmbcih.exe	33
PID 2712 wrote to memory of 2728	2712	Pgcmbcih.exe	33
PID 2712 wrote to memory of 2728	2712	Pgcmbcih.exe	33
PID 2712 wrote to memory of 2728	2712	Pgcmbcih.exe	33
PID 2728 wrote to memory of 2656	2728	Pplaki32.exe	34
PID 2728 wrote to memory of 2656	2728	Pplaki32.exe	34
PID 2728 wrote to memory of 2656	2728	Pplaki32.exe	34
PID 2728 wrote to memory of 2656	2728	Pplaki32.exe	34
PID 2656 wrote to memory of 2724	2656	Pkaehb32.exe	35
PID 2656 wrote to memory of 2724	2656	Pkaehb32.exe	35
PID 2656 wrote to memory of 2724	2656	Pkaehb32.exe	35
PID 2656 wrote to memory of 2724	2656	Pkaehb32.exe	35
PID 2724 wrote to memory of 2800	2724	Pidfdofi.exe	36
PID 2724 wrote to memory of 2800	2724	Pidfdofi.exe	36
PID 2724 wrote to memory of 2800	2724	Pidfdofi.exe	36
PID 2724 wrote to memory of 2800	2724	Pidfdofi.exe	36
PID 2800 wrote to memory of 2652	2800	Pcljmdmj.exe	37
PID 2800 wrote to memory of 2652	2800	Pcljmdmj.exe	37
PID 2800 wrote to memory of 2652	2800	Pcljmdmj.exe	37
PID 2800 wrote to memory of 2652	2800	Pcljmdmj.exe	37
PID 2652 wrote to memory of 1656	2652	Pifbjn32.exe	38
PID 2652 wrote to memory of 1656	2652	Pifbjn32.exe	38
PID 2652 wrote to memory of 1656	2652	Pifbjn32.exe	38
PID 2652 wrote to memory of 1656	2652	Pifbjn32.exe	38
PID 1656 wrote to memory of 1668	1656	Pleofj32.exe	39
PID 1656 wrote to memory of 1668	1656	Pleofj32.exe	39
PID 1656 wrote to memory of 1668	1656	Pleofj32.exe	39
PID 1656 wrote to memory of 1668	1656	Pleofj32.exe	39
PID 1668 wrote to memory of 1632	1668	Qppkfhlc.exe	40
PID 1668 wrote to memory of 1632	1668	Qppkfhlc.exe	40
PID 1668 wrote to memory of 1632	1668	Qppkfhlc.exe	40
PID 1668 wrote to memory of 1632	1668	Qppkfhlc.exe	40
PID 1632 wrote to memory of 1708	1632	Qiioon32.exe	41
PID 1632 wrote to memory of 1708	1632	Qiioon32.exe	41
PID 1632 wrote to memory of 1708	1632	Qiioon32.exe	41
PID 1632 wrote to memory of 1708	1632	Qiioon32.exe	41
PID 1708 wrote to memory of 1640	1708	Qlgkki32.exe	42
PID 1708 wrote to memory of 1640	1708	Qlgkki32.exe	42
PID 1708 wrote to memory of 1640	1708	Qlgkki32.exe	42
PID 1708 wrote to memory of 1640	1708	Qlgkki32.exe	42
PID 1640 wrote to memory of 2872	1640	Qeppdo32.exe	43
PID 1640 wrote to memory of 2872	1640	Qeppdo32.exe	43
PID 1640 wrote to memory of 2872	1640	Qeppdo32.exe	43
PID 1640 wrote to memory of 2872	1640	Qeppdo32.exe	43
PID 2872 wrote to memory of 2200	2872	Alihaioe.exe	44
PID 2872 wrote to memory of 2200	2872	Alihaioe.exe	44
PID 2872 wrote to memory of 2200	2872	Alihaioe.exe	44
PID 2872 wrote to memory of 2200	2872	Alihaioe.exe	44
PID 2200 wrote to memory of 1924	2200	Accqnc32.exe	45
PID 2200 wrote to memory of 1924	2200	Accqnc32.exe	45
PID 2200 wrote to memory of 1924	2200	Accqnc32.exe	45
PID 2200 wrote to memory of 1924	2200	Accqnc32.exe	45
PID 1924 wrote to memory of 816	1924	Ahpifj32.exe	46
PID 1924 wrote to memory of 816	1924	Ahpifj32.exe	46
PID 1924 wrote to memory of 816	1924	Ahpifj32.exe	46
PID 1924 wrote to memory of 816	1924	Ahpifj32.exe	46

C:\Users\Admin\AppData\Local\Temp\87011174bb8dfd9e2fafaba1e8b200b0344218c533aaa0c0e2c37ceef5c40f40.exe
"C:\Users\Admin\AppData\Local\Temp\87011174bb8dfd9e2fafaba1e8b200b0344218c533aaa0c0e2c37ceef5c40f40.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Windows\SysWOW64\Pohhna32.exe
  C:\Windows\system32\Pohhna32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\Windows\SysWOW64\Pgcmbcih.exe
    C:\Windows\system32\Pgcmbcih.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\SysWOW64\Pplaki32.exe
      C:\Windows\system32\Pplaki32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2728
    - - C:\Windows\SysWOW64\Pkaehb32.exe
        
        C:\Windows\system32\Pkaehb32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2656
      - C:\Windows\SysWOW64\Pidfdofi.exe
        
        C:\Windows\system32\Pidfdofi.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\SysWOW64\Pcljmdmj.exe
        
        C:\Windows\system32\Pcljmdmj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\SysWOW64\Pifbjn32.exe
        
        C:\Windows\system32\Pifbjn32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SysWOW64\Pleofj32.exe
        
        C:\Windows\system32\Pleofj32.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\Qppkfhlc.exe
        
        C:\Windows\system32\Qppkfhlc.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\SysWOW64\Qiioon32.exe
        
        C:\Windows\system32\Qiioon32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\SysWOW64\Qlgkki32.exe
        
        C:\Windows\system32\Qlgkki32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\Qeppdo32.exe
        
        C:\Windows\system32\Qeppdo32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\SysWOW64\Alihaioe.exe
        
        C:\Windows\system32\Alihaioe.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Accqnc32.exe
        
        C:\Windows\system32\Accqnc32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\SysWOW64\Ahpifj32.exe
        
        C:\Windows\system32\Ahpifj32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\SysWOW64\Aaimopli.exe
        
        C:\Windows\system32\Aaimopli.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:816
        
        C:\Windows\SysWOW64\Ajpepm32.exe
        
        C:\Windows\system32\Ajpepm32.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\Alnalh32.exe
        
        C:\Windows\system32\Alnalh32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:468
        
        C:\Windows\SysWOW64\Achjibcl.exe
        
        C:\Windows\system32\Achjibcl.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2136
        
        C:\Windows\SysWOW64\Aakjdo32.exe
        
        C:\Windows\system32\Aakjdo32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:344
        
        C:\Windows\SysWOW64\Adifpk32.exe
        
        C:\Windows\system32\Adifpk32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1788
        
        C:\Windows\SysWOW64\Aoojnc32.exe
        
        C:\Windows\system32\Aoojnc32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1540
        
        C:\Windows\SysWOW64\Abmgjo32.exe
        
        C:\Windows\system32\Abmgjo32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Akfkbd32.exe
        
        C:\Windows\system32\Akfkbd32.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Abpcooea.exe
        
        C:\Windows\system32\Abpcooea.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2320
        
        C:\Windows\SysWOW64\Adnpkjde.exe
        
        C:\Windows\system32\Adnpkjde.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\Bqeqqk32.exe
        
        C:\Windows\system32\Bqeqqk32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2748
        
        C:\Windows\SysWOW64\Bccmmf32.exe
        
        C:\Windows\system32\Bccmmf32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2220
        
        C:\Windows\SysWOW64\Bjmeiq32.exe
        
        C:\Windows\system32\Bjmeiq32.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\Bmlael32.exe
        
        C:\Windows\system32\Bmlael32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2544
        
        C:\Windows\SysWOW64\Bgaebe32.exe
        
        C:\Windows\system32\Bgaebe32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3012
        
        C:\Windows\SysWOW64\Bfdenafn.exe
        
        C:\Windows\system32\Bfdenafn.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Boljgg32.exe
        
        C:\Windows\system32\Boljgg32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2784
        
        C:\Windows\SysWOW64\Bffbdadk.exe
        
        C:\Windows\system32\Bffbdadk.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\Bqlfaj32.exe
        
        C:\Windows\system32\Bqlfaj32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Windows\SysWOW64\Bbmcibjp.exe
        
        C:\Windows\system32\Bbmcibjp.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2792
        
        C:\Windows\SysWOW64\Bmbgfkje.exe
        
        C:\Windows\system32\Bmbgfkje.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2632
        
        C:\Windows\SysWOW64\Ckhdggom.exe
        
        C:\Windows\system32\Ckhdggom.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        C:\Windows\SysWOW64\Cnfqccna.exe
        
        C:\Windows\system32\Cnfqccna.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2052
        
        C:\Windows\SysWOW64\Cileqlmg.exe
        
        C:\Windows\system32\Cileqlmg.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:676
        
        C:\Windows\SysWOW64\Cgoelh32.exe
        
        C:\Windows\system32\Cgoelh32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:780
        
        C:\Windows\SysWOW64\Ckmnbg32.exe
        
        C:\Windows\system32\Ckmnbg32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1320
        
        C:\Windows\SysWOW64\Cnkjnb32.exe
        
        C:\Windows\system32\Cnkjnb32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:580
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1336
        
        C:\Windows\SysWOW64\Cjakccop.exe
        
        C:\Windows\system32\Cjakccop.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3036
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2252
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2952
        
        C:\Windows\SysWOW64\Cgfkmgnj.exe
        
        C:\Windows\system32\Cgfkmgnj.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Cfhkhd32.exe
        
        C:\Windows\system32\Cfhkhd32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Dnpciaef.exe
        
        C:\Windows\system32\Dnpciaef.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2804
        
        C:\Windows\SysWOW64\Danpemej.exe
        
        C:\Windows\system32\Danpemej.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        53⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aakjdo32.exe

Filesize
71KB

MD5
df1cfa5961d5a3d0415144ba9bbfcb6d

SHA1
98fcd7379839f6a7da0362a3fc4ac8167c7ed957

SHA256
c22fe392698c74a7c6428fa88d518cb7a7b72f40342c9d00cca633a636df9837

SHA512
19f4945d1b83cfea9f73fac52644ce6e0ce2522c33b37cb8a91ac1795d9f96f5d561c4abf0f87e37a8e20cc2eb4f83bed3c92cd602e2aa65aefad6c268c8ba95

Download Submit
C:\Windows\SysWOW64\Abmgjo32.exe

Filesize
71KB

MD5
599d5b43a3d2556b163f61f85a42ba11

SHA1
017aaee7beeaae611ea1bd95d3a94d5f5c94a1ea

SHA256
8fd94edf33ec3481f6dfbb40eec8f8397c93bc7fe701930929e448893a50d95d

SHA512
cf7ef44b829eaed638671cb33c5cc9abfffe2fa8c6a238decc8d0ec5b350369c5eb634245953ada08452c4bbb24212bbca8e85f6c47fdaea697777e77387ff07

Download Submit
C:\Windows\SysWOW64\Abpcooea.exe

Filesize
71KB

MD5
b713d52912c00ac86792d16c5f6e6cea

SHA1
255cbc7ef547934b3ad7b7bc280f350b88621bc8

SHA256
bdc9086a4407d271f604d0806cb2bac6704761b77f254887ab459989e1c7d7a8

SHA512
2004585dcda3528377497d848d5189f710b627671a7c8802bb05d9666d25edefbd7a0199489c3d3561c8d00d4246a04a75682d99c3883d356581f91032ff5a88

Download Submit
C:\Windows\SysWOW64\Achjibcl.exe

Filesize
71KB

MD5
35339faa803face8f457d4ff1ae34372

SHA1
9fe72ed7012328c2dd77c8af2ebbd9206a8fbd37

SHA256
5c6c10f50f994d467c329a5c7efa8f682618b3a5020e86f242d5cee572a74c8d

SHA512
8058e3902a3c9f62b4927b6cc75f6ecd01c9ef7694d54f53f67bea9e53c46908d3e06d561dee0a840ef333c7f021481b7ed9fbb6aeb28fce520c83eb6932dbfe

Download Submit
C:\Windows\SysWOW64\Adifpk32.exe

Filesize
71KB

MD5
d6f0ee341811c9bc3972208ef3aee215

SHA1
8806e2a6f6cc38d6e5e92d85d21827ea844f1936

SHA256
1cd637b78676a0504156e32e7c72fb9ee53d8a167eeed79a595f8148c334604e

SHA512
f7474cd2cb1071ec7323bca732c2ac331a8318a07b56fef27a2dda5d5f9f650f284de59337222d07b9cc6476bee2233ec587c2292fd49f10f016d5b1f22f7e2d

Download Submit
C:\Windows\SysWOW64\Adnpkjde.exe

Filesize
71KB

MD5
0698b1db952e3bfdbddbc730bcd6dcec

SHA1
2850ce76a3148075222b2186654e44b15d30936d

SHA256
5934197c478221a95505dbc108bb09ddd3498ff849215a509a845bfeab4388da

SHA512
dd5034b323d0173dcececbbf707ecf7b514dee05a3d48a8aa0096bee96c390d993cf8c209427851bda5c0cd61492555d4bd01057627feb13ae16fc765bf9092b

Download Submit
C:\Windows\SysWOW64\Ajpepm32.exe

Filesize
71KB

MD5
6cb63f825aa76859cbc3095b33b66531

SHA1
210b2de5c166756809fd865e70b4d274602aa3e9

SHA256
f080da44c2d33f50fd02c8d7c7501ecacfe3dda8b3848e4d1c3580fe4b37d42e

SHA512
5c08514e08a0ddcf6ca72005d1a41428fb0346a613e9d3dfdacce03e48ecf5ee3f4cb1d4e0e46c1d0a24f879c2900b3b3db16f2e150fc6446e4e8e71f5455d71

Download Submit
C:\Windows\SysWOW64\Akfkbd32.exe

Filesize
71KB

MD5
7cb155d1dfdac9d93309e36cba4d07af

SHA1
23cfec6fc9104f4e37f887bac2a55a83e21da1bc

SHA256
64eca2243bc0b835de7f05215902a10c6d5bd2e6ef35fe07a46208fc064569b7

SHA512
9a1122d7ada3b78eaf08ee20f463ab64c04151568ae4aaa702e763f8408e2d50b2b7a761054cc15672564d9369fb494dd180d1d109981ba5b2bde5c5cb6f43b7

Download Submit
C:\Windows\SysWOW64\Alnalh32.exe

Filesize
71KB

MD5
f2b7e8d5589ca3b5aaeae60b1e2e136a

SHA1
ee1927d0ccf58586a8dfeeb642d0470c6072b433

SHA256
0ae398b894e3c20d6b095bb0498475b67d84c139cfbea036cc61dfc511ede5c9

SHA512
b0a4f31cfc563b57e0542b52dfe6fde3c7805a55f6b227e88ee68af8fa2da31138a55deecdd050d8205c019ef2513807acaf70d3ac0c2e53ac42f5ea83268d26

Download Submit
C:\Windows\SysWOW64\Aoojnc32.exe

Filesize
71KB

MD5
e827f3a2431d73477740fda2c52446cc

SHA1
d572746eeb3e2939c08cd27967cb8b448fb6ad40

SHA256
04aac23c17d1c2ed95dac2638118637493e34eaad83264d1e81c3e947b83c3ba

SHA512
a089ee7ac24a1d1c34d68ab49c74f70fefc8f71ee2bb3d834b75490485cdbd77d6aa7f4619fe07cfb7f0f11e0bbfb0e5d65ce03c893512d53e13bc6c73321f02

Download Submit
C:\Windows\SysWOW64\Bbmcibjp.exe

Filesize
71KB

MD5
5172aed95ce56acbb1ddf994e0c85c14

SHA1
f051e5b4752668c8f761ea6b1960a348be53ab1d

SHA256
0f67380ea951c610324684ca61531ae643081f2c4551416c6ede1c5a6cf30015

SHA512
b64c7539637ecf14d2115fb6c6a11683dba61dd3e1389be5a05dd5965e25459907be8d6370f720f0739bf1180e2ef08e59146a37b31785e31f5ab616b59a4881

Download Submit
C:\Windows\SysWOW64\Bccmmf32.exe

Filesize
71KB

MD5
ea48473fdb864489c288cfbbc6862556

SHA1
45264c80f346ff33e2cafd34a0bb9feb7bc1bef5

SHA256
9e7d4d1421ebf7b695f5b440ca5048d21f9b197134d101119d7721455dc5ff79

SHA512
0a0d30a26d00b44759f3325ecd50643b03a064c2a731a914eb713647d076b23359d2d4cd1a550038ddef6dc322e32ffe6d5dbf82b3deaa702c4a789061946f8e

Download Submit
C:\Windows\SysWOW64\Bfdenafn.exe

Filesize
71KB

MD5
a9f49bddc178979c90e49b91637e168c

SHA1
936ddbdc1a06338684ceda364d4492ac7b4877c0

SHA256
53a6de1eb92e23fac5c5321d07c9cdd846835777250618aacdbca7bc3531c0f1

SHA512
b8a93afc376485f5ab750f24c2552d6c87c9cb088b5398ef81bc84d167dccb3be7e9c7073c23e32697aa8391378150cd6add3970a836cd7ec082694f6d052214

Download Submit
C:\Windows\SysWOW64\Bffbdadk.exe

Filesize
71KB

MD5
35394bbffcd366e3e9e061c000e6792f

SHA1
fcef4ad9c0e8d81ee83af1ae26d5e2086476130b

SHA256
09828efc094c0a6f21a1773f851cc1146c77ee9a42fa155833f92e314cb696f1

SHA512
4d0b1e30547652e9b050c644364480319c30a241084ac43b39f214d76c071e4eeea9ad132e9a51aa3b3bd969ee448adc028e3c7804d4488824919d25d34979ee

Download Submit
C:\Windows\SysWOW64\Bgaebe32.exe

Filesize
71KB

MD5
edb9ba7ee1e746df40c98e0ca1d209bf

SHA1
211dba2fa2fe08e32095a28c527757d2df840726

SHA256
7e70700edd34968ab06b87559ec0ed099b756ce5a777ae3dfdb44f4cbda34d38

SHA512
c21a3a55e68dd3539b16f8f781af45f2ba647d53be66caeeef0da0786e31d061a697a64caacf2463f5de09a98f6c628937ec895e214c51b0d44504026a2bdb39

Download Submit
C:\Windows\SysWOW64\Bjmeiq32.exe

Filesize
71KB

MD5
174e121e0631a639bd6a2cbd4c1a4783

SHA1
a0a3b3247b5ffd8ffa96af4fa4de483dc34eb090

SHA256
4a23ebd1e840a6b0e6fb692c5b4ae3a19d6b342b8062c52ac593e91376aa6f46

SHA512
4a1b0bab3120a4f60358d571232aac1c8113ecf9ad9b6cf437fb776f7e9460a0b8a19a67b2ceb1d46d8f7321df7cb4bd3d2d9a3efc7dc92727735944664f0911

Download Submit
C:\Windows\SysWOW64\Bmbgfkje.exe

Filesize
71KB

MD5
8b02ccb2a1b105db3438679a949ea8dc

SHA1
4f82896fdd0f676dc0860754caa933e85a96fcb6

SHA256
ccff5d7f35830ec5ec932e5110a8a675ae8241c7bad14cd35cadcf5930c2bd79

SHA512
6916fe0518ef629e2dc2d5a90c989786d70fcdb73606a8b5379961c1c47ddcfb0136061194b1fe9f3aee133c803c2eba3c6678983bd347c00b4755944753285a

Download Submit
C:\Windows\SysWOW64\Bmlael32.exe

Filesize
71KB

MD5
4c3940f0e1cabb14e5f2a6b5a0cef428

SHA1
d5e9ad3a62b037b1c188b2a425fc3111ad5a7649

SHA256
3438d789204e3fdafc5a5a57c3389865c31968d9b1728733b87e55a34f228a5c

SHA512
b42ac3dd17096b484e60b8de68df3808a8311bd46d417afc3c8fb0fe1583c15e9bd5ecfb73854e609cfff936aad879b4f51e7f152dd813eb5c96380203725273

Download Submit
C:\Windows\SysWOW64\Boljgg32.exe

Filesize
71KB

MD5
8be3ada04d290f2521dd801d7a00d98b

SHA1
eac4e16e0f7ab69faa7da720b0fbc59e29bb561b

SHA256
676a9ee3c61bd17bf87671e21ba853afa0c6c4ba44d805576bd9b045311ce71f

SHA512
0a24011bb27d8a5b9b29af6c85e2804e07b31fcdf35c947202e330028745522c774617695fe8d468c8667a1b8c1e33c24ab126f76c0d6ec5e7b4a94e8aec70ef

Download Submit
C:\Windows\SysWOW64\Bqeqqk32.exe

Filesize
71KB

MD5
b44e5a7e56089afd71dab84c34899b3e

SHA1
47f9717fe494cf95f47d93398a2f5cf6361b2475

SHA256
56f0ed4399d4ede90715032a93004df0ce32e471860366e4d9ac6532efc2b3a1

SHA512
6b54144b0f64a334a63c96a38f4d3633b0838c9dc7e4c7340c90b6951d1ba8568e343e586353a5855e0c94f15244957bb699325c0d55aad2a23438f8a3208948

Download Submit
C:\Windows\SysWOW64\Bqlfaj32.exe

Filesize
71KB

MD5
735aeda8521c06f14c5f1efb4d0f47cd

SHA1
07d3bb1181f4e9fa7403df26243eecd1fbd3dbeb

SHA256
4eff0e5c0334a12d8da2d3541653732b5fe36cd8c6d8574b2553057ec4b67389

SHA512
8d32d5d26902124c1a24962d2b43b65c336f5f696d476dfe947a09f216c1af63b84dad7d7243c824733d1415ce3346a4336b883957ecc6f1857cc92bc3b4a4b7

Download Submit
C:\Windows\SysWOW64\Calcpm32.exe

Filesize
71KB

MD5
27c43c5e16c110a5f8343f79607f2da1

SHA1
07d6301321a32bdfd3484c59b1441b750b051722

SHA256
6db53df662547d96e657372cabe78606c083368c9bf0312c548e7960c7d2fecb

SHA512
2bad3766f92a93f13f404ab77918456c6c3b9909db22d447ac06561b5650a1949144b624f514d6d038a29302ab52fc6dc2298e7e0ae1e721f242956c354d0b65

Download Submit
C:\Windows\SysWOW64\Ccjoli32.exe

Filesize
71KB

MD5
4cb15acf028f7a3ee29640e48b27168a

SHA1
923c6bc5667db5b686780a53a36bc8b33ab65519

SHA256
93e5841e99d677fc3cc340e4691ba0d2f3dee6e605075a1cab2b78601e1a71a9

SHA512
1b45afdd774d787566ece012dec6ba87d1ab9469c1665a72f6002bceecedaeca0a59e8703dede58859eb5edee6c07d24de49c47a6206796312c42a60b319490b

Download Submit
C:\Windows\SysWOW64\Cfhkhd32.exe

Filesize
71KB

MD5
75cb27ba35992374970bb79a64181bc3

SHA1
4fc266f3a0b0edaa51da3b67560f0271cab75d9c

SHA256
0b8da10bf35d9c71bbef74fb6f2331a69e51cac029d9c28dc844c63e08f4bc7c

SHA512
07fdbb40c64fde8dceee35d1d99335fc591fd0b43375138e5a7a3ba63636cb4f44f882e2cab7d4c5bb61b736aa230b9d9ce053160cb143a1fd902e60fbb89f8e

Download Submit
C:\Windows\SysWOW64\Cgcnghpl.exe

Filesize
71KB

MD5
c290109ddb273918e545ca37f8d1c19f

SHA1
0a220e55638bd611f7c29ede7a88cc0723057f53

SHA256
4e56aa88fd6487136d9db57ff8be4c5559c03114d5281875383908cb6f8ae3b3

SHA512
94636a5dd1aeb6b83488da1d8abdeaa846f669d8839660f5dbd76367765e6e36d753e1c8435c7f17c5eb3d02a575d88623a7ef0db393c9c9e15b5dcde89b8535

Download Submit
C:\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
71KB

MD5
ac2cee0f44f0846e963ced138f164e75

SHA1
4df63b020e5f715b28b01bf400c7c2079e1ff1c4

SHA256
08aa3725ee86da3b21a965993e42de2acdde97a15ccd2dc407a9bed6bdd70b1b

SHA512
c14fdfb72b3ecaa6549e8fd9ad7ee7efbdec0d6610395e997b8554752895973395c3c27a7d494ceb7dfdd154985e7c206529bb5cca2cad7950d3894ed3dc2897

Download Submit
C:\Windows\SysWOW64\Cgoelh32.exe

Filesize
71KB

MD5
1c8408cd91e99cf72e050d0d43ced52e

SHA1
5c1e4379bfd2ffb51021e43be788b4799bf9c94c

SHA256
630316bd8199b623ce5e4bb38b8b09f5e53feeda170cccea6d68cfb3935d96bf

SHA512
96c9b8dcbb05db9a41767d498c8e928e8fb23f633fdd797d24ba91b6dc6d0dfe72603f78d938ae2be935f179de9631b270f45e229a771d4ed5229a785f56bcd7

Download Submit
C:\Windows\SysWOW64\Cileqlmg.exe

Filesize
71KB

MD5
b130bb4d980aaa2dcd25fecb3b140062

SHA1
b44c689d0f6ddde7028c56554510dd2ed9bda0f4

SHA256
6ff580c623e163e9725c77e1195fe67f3d830694702597c2d5676a7a0995e126

SHA512
21955425b0fc815ad974659a30721070b7c776414c509b402f75a61cee03b05abc019b30a450165c421ad14c59f6ee8a732c79492db68e513f2a325efb61e8e0

Download Submit
C:\Windows\SysWOW64\Cjakccop.exe

Filesize
71KB

MD5
75230ade198f9bdee7c713c50765a171

SHA1
007a6052aa58fe5b88097f0040d4d44851f8f401

SHA256
a8370db9bcdfbc73ecf09a9cbfa9e0628985efc27757b1970dbfaa952e0091d4

SHA512
6b526f5d62074d88ab119dcd6dc87315c95884b667e91486fd8cf7f8c2e4ce4ed3dab5ab102e82ed9d24f3a523a98f33a01f1c9459340481315709d06df37cea

Download Submit
C:\Windows\SysWOW64\Ckhdggom.exe

Filesize
71KB

MD5
762aad844cde390104d91d2a7784a936

SHA1
ed31f4b9adf86906600983a2b914d1f3c63dbef3

SHA256
15da3aded7eb36c8dceed3a60fc95ab9e70ae4b04bb444d9e935511e097f46c2

SHA512
5817c1eb90a97571230fae8f7a12bbdf662888a517b621c64a3ec798c59fdd07979fd1382f11470995feb4316304b3049732539f1337e9184d7d635265c55066

Download Submit
C:\Windows\SysWOW64\Ckmnbg32.exe

Filesize
71KB

MD5
c58ea5288d96d26b18ce6090c5f038e9

SHA1
3ecd8cace1a79dc27a0e33f3cba059fba09e0c22

SHA256
032e81f3ae1deedf7f9226a58dffd1416783d4e9053ff3893b792ae41d44e6a6

SHA512
196a7814b3e500a33989a5326f5a89c6a35d59c57e799853c9e81f1e2adb4473050e523bf526757423e699deff4e6ff5262ba268210b70ee1fd25665151c8996

Download Submit
C:\Windows\SysWOW64\Cnfqccna.exe

Filesize
71KB

MD5
74dcceacd879a9a5ea21af547da5fee7

SHA1
21ec1f1cf1ab1e7671f8ae1fd21da80fe1e83d85

SHA256
a495b3f7c2a9dcc2b84900ad2cc91f17449d8e70557ff72a56cfb274afd1043a

SHA512
51769a3ca1a0149f6b8089ecf12a611247c001759727987e282cd1ba467242b90308fafcf0f42b95182cb691231e9e6a8adc0fda8ecc5dbf8b1306b202c3d3fe

Download Submit
C:\Windows\SysWOW64\Cnkjnb32.exe

Filesize
71KB

MD5
71261a1484d25b96861451f2e4521fa1

SHA1
a88c9b22152495216da0400216e796061e2309b5

SHA256
b35eec388b65f600464d5f50edbbe607a09821b5968006b80fabf64d6893c69c

SHA512
b322c39b3141466578ce4474b0b44dc119e4139fc669f645358e505eff4ad217bfb2941c5e09c8f49a9f16058e8c9fd2715ac345a2ee6c0fed4f3872814080e3

Download Submit
C:\Windows\SysWOW64\Danpemej.exe

Filesize
71KB

MD5
1c8eea1e82b28ea35eb4116690af1ac5

SHA1
4cceb0b325381f58ad122682227ff1168afec112

SHA256
6dbd3049510ff5fcfc99be90398c163232331690f97d5436eb1c48dac61c2b34

SHA512
ab375b1153d725241ae13330e026c164d16d9e771f9a182865439c9a76bdd2aab34295f47104fb75c82d8987f3754f5e3ceadf68525a6cb60ebede2ed6f0617c

Download Submit
C:\Windows\SysWOW64\Dnpciaef.exe

Filesize
71KB

MD5
62a0ad9e8db745356994317e29724b9f

SHA1
26878bcefe6eaef2f97a9f00db247e6979cdff5b

SHA256
db69f3e3a1a93218abd7b85151caccab7fecca43e7430f99aefa85598ea2c776

SHA512
664d6de13d25f4b2b2e9524cfeaf54517f2ab62219f490003967680d74d984c7144c3d4210588051ed2cc3b78959c4b11f644283d57eb8242800a2045be584b0

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
71KB

MD5
bf111fdde890fc023e707743ca6baa71

SHA1
8b53b47c3fd7f29f05cc2443de8a533bc02cc9a4

SHA256
7fb37eef413f37812f12cacc2dd3e35fa619bf416ed2c329447a40a7283e16ff

SHA512
3a22a2ad1c677bd01d4947bd0907bbb4c65e022642f69eb3d82fb85792c11bb15db7f083611a40415a9bc68e3fbb152b846bb6dd8d61bbe0ce87507a1c54a36a

Download Submit
C:\Windows\SysWOW64\Kaaded32.dll

Filesize
7KB

MD5
a18ab4ea3920cc159d6a2b23931ca17e

SHA1
aa1db364caeb050442314c0ff32af7d626b3ec18

SHA256
b1745f9b6b4a49b402348ba67a8a3f311089f35ef11e2644eb48b716c380016e

SHA512
540ce2517fe0ea72c7f7557fc8cd910ec0c94087c111685d8ebdeeea2c90c52683e27d560ad577936ace002f613e6b5752f5ef0ab20a4d390e2dd8965af6b924

Download Submit
C:\Windows\SysWOW64\Pohhna32.exe

Filesize
71KB

MD5
2c3b7e89875bfc725f5c61903a2d1102

SHA1
aa86a995e6349a42553f2a433767431862e2ddd4

SHA256
237a5b93e14f2a3b642f0c7144a4808accd63ecfd6136fa0783c001d7fdcd97c

SHA512
9c95b8abf2082386aafb4b1a0d44074f23bb94f3fb4e40a7518ebfcd056bd8ae4004d4acbccabc00e1430a12e98df0154ce9ef5408c55c1c102fb06f709afb68

Download Submit
\Windows\SysWOW64\Aaimopli.exe

Filesize
71KB

MD5
b5735fb17492bbd560dcfd5b1f1563dc

SHA1
d99569ddd8a78f2a83bf27322b5f882feca74de3

SHA256
5ff3cba3db2a0712eed0580583c46107b4aa26d4bb4642c028e4adee0cdd579f

SHA512
3ed515093d2c715f0dc23fae0197ff3c04aef572f4d2603cf735555eed919cffd86ee951fd38b555f1e9b0bd10ae5c7c93e129ddc0e2a93970171346a6e25aea

Download Submit
\Windows\SysWOW64\Accqnc32.exe

Filesize
71KB

MD5
00113f0b66fdd4f45af08d57037af9f8

SHA1
bd777db04e54188b9a47e6b122475641f391803c

SHA256
f598e518435afdb8e50be3280de5ebb063e00b4c69b27f0314696e5f0b8adf97

SHA512
53b2eea869d028469f9686a3494e84650a9646420b664c7273574438bb7e0d1d8a3c61b33fc6cdd52efb6928789c988f37c5b879328965c15b745e85bfc98077

Download Submit
\Windows\SysWOW64\Ahpifj32.exe

Filesize
71KB

MD5
735f4925c4bb7ccc63ccce04cdbb6094

SHA1
9e731383865739b891e435eb79f0946ac3568810

SHA256
cfcaa4ee4b7bef5212acfcc69f9460f4cd057029697c8be521bba7f876970937

SHA512
a1d9c806bad05c0c3bb5fed3433467194b7d305c8a048613d5a76737f40b5f27eca970183dafe409c4c858fa2acff2822f9b2a8fcfd626c77cef55620e7d4306

Download Submit
\Windows\SysWOW64\Alihaioe.exe

Filesize
71KB

MD5
9c497202b31e50c5e692776a2bc3c564

SHA1
c6b651fa57cecfb04e9e43ec88e26d6a6834b9d4

SHA256
5182185dad293bec18357e3cdcae8cec5f36a043099c7f5f334347f34314c530

SHA512
a16abe3db55d4fce9f3d0cab2317fa7afa3887d28f68e08c6ff7131b22e2e5c9b3c5a648f7c2cf56583bfc56022a168d800676d688b69c7e110defcb19a4ff08

Download Submit
\Windows\SysWOW64\Pcljmdmj.exe

Filesize
71KB

MD5
aad6507bd0fbc40622a2061759d0a45c

SHA1
54d9ef64d9757b4c7cc908d64a512f9913933a13

SHA256
9eab99461a91f19cb959af2d778a28b25dd6d799b1488848ebf126d6d6b05285

SHA512
94f6a27be1bf2780efbbe341c65f5c2a00ba7b5323c539a5d01c3f304b89f4a783d292effb78a4f026d5aeacfb6366edba815343ceaf7e4ad2e12ce3792dbffc

Download Submit
\Windows\SysWOW64\Pgcmbcih.exe

Filesize
71KB

MD5
20df4ee854f95272f40aea28168b7f30

SHA1
8f244cb34352367d40982de7d0b89e710054b128

SHA256
7037ad5c749b598bc0e78d790debf145d892b0cd2da8ae3d0a5f2afce39218c6

SHA512
fd1a4182ede2ea1970dc1cac35aacf117f30bdcf5dd02d4508ddf9042bd80f250fbec37e6d632c77018e89a895695063cbe041c8a8a72859e06a5cdccab7c23c

Download Submit
\Windows\SysWOW64\Pidfdofi.exe

Filesize
71KB

MD5
b57bdda93b98a808707f70e62231cef9

SHA1
58a0f4e61567c61844a59c8b6e0f68be0bceecb0

SHA256
ea510dc1e16d73a961cb7b3c742e78a9c11d0a8b5bbbe2cd3c433b723276923e

SHA512
d0a466a9bcc80a04c03dc1a4eabcfe5e7ee950ca4ab88279f7458b592f0d431b82317d0566d49a2d987b82881ff5792f4f7ee1975c67a9e903fc0bb65a570a38

Download Submit
\Windows\SysWOW64\Pifbjn32.exe

Filesize
71KB

MD5
f3c1aa390aa209e4412770620d30c25b

SHA1
033cef3fabe41779a76db37f2a47d27f6dab43e3

SHA256
4c4eed69d17509cd5e83ba9386804eed806f88e978ce104d756c725730ae7a4a

SHA512
d7d51977cbf255da19535535f6c639fbc19f7a7c05ac8f5438d1df4e8dcea8c12114eeb179ae890bc810dcf64c4e3472d000b6b382163a79b9b8d958a68e6fd6

Download Submit
\Windows\SysWOW64\Pkaehb32.exe

Filesize
71KB

MD5
1bdf88039f0500345c6db9112a38b924

SHA1
256fa4a731072bf8095b8d235367b2d3a4bd5c6d

SHA256
7e198cd6667a14358d4b4ba2f6c93e673cf98a67135e757b9b6bc201a1858755

SHA512
7eb5f5150652b4575b6c85ece4c4b3a3c2310d694644748140dc8f75338a0c1acd1f2d2a51dbf9763a4c63a6aeeefe4f967503195fc28c7465c864e291909813

Download Submit
\Windows\SysWOW64\Pleofj32.exe

Filesize
71KB

MD5
7ecf6c5d6db9f25205d0c902bfc02b1f

SHA1
e5949a5c8f61ec22804fe78999d225b7bce8a13b

SHA256
b0c9df9ac41ba473edba7f533555f4aa53efde44da1438b26863da3b2b23eaa4

SHA512
d924c97f52b076c3afc32e13088df157a09dee56261842c019ecbc953a656cccef612fc7ccd52c6072696f3bce93d0b9ed96d43f9f721e668562b0c135d11211

Download Submit
\Windows\SysWOW64\Pplaki32.exe

Filesize
71KB

MD5
3e6cc431d3e5539994128ebcf962fc5f

SHA1
f266035a5918a80250603fa94d070e6c9640179c

SHA256
6bdd2146da2bbd9e25ad7aaa9b2043f64d8a192cf8339d082e9f382885418f99

SHA512
6f4bcb8dddcbdf459e4b6e8d2824ab8e0cf4c60dc1ebbc23bdd7dce4b890a7e4a57cf81a3beb734f0559a6556f0ad6dad131b36ca4792b2202759c7b280574ec

Download Submit
\Windows\SysWOW64\Qeppdo32.exe

Filesize
71KB

MD5
5f03647d2bfc8e503949f8925a6120e3

SHA1
753da96419cbe07037db1ae3deca8506cc9395c1

SHA256
cc206e4b6cdc10ea7fb25cd1621c1f5c59296664b130b633f983e2edae11b334

SHA512
1e6d12c09645f91fe88353c0a380c2ef81d96f4d168eca27dbf2068404036595bee93514edcbd97aee9b0c18ab7886c2c88d1118cb5856fce04d0bf4c44b0ba2

Download Submit
\Windows\SysWOW64\Qiioon32.exe

Filesize
71KB

MD5
e12c93d90452e4c5e990690f38c50704

SHA1
aeac03ca74ef042feb15a47eb50ca0bafca7755d

SHA256
61608b5b6433db73b70cd03115b92e89891d5b81abb698cbcd72277755a608a0

SHA512
5b1ec20ee7e1d75d3e92827ee7f0aa8785ce25c2b21ee68c0579185477101f75294056aee2a72678e0d80eb6b5f9813a0ed9107507ebbc9d64825affc0575429

Download Submit
\Windows\SysWOW64\Qlgkki32.exe

Filesize
71KB

MD5
cc01f7628a7ed553515d6768a14f9187

SHA1
6dc4bf32af040f207583a3ec1d86f448a3a97a10

SHA256
a5356d8531839620b4d4506f747b45d64ffc69a6231109cbe2f2726962140067

SHA512
198465bd70ab5054326530acda9427c5ce2b6355c598553a89fe196290b8381d545c5c3f1ee406f6c4f7752a794e4d66b51db4e09ac80ee271c65d03c84a8d53

Download Submit
\Windows\SysWOW64\Qppkfhlc.exe

Filesize
71KB

MD5
5b0be5061a4ad516dcc2fbb5345f3320

SHA1
910b78cbaee5aa85e89fd63d281f6c6122579644

SHA256
08d02b507c6cc044daef52e45b9d642dc38156e0c6c655a28b240cab51e5dc76

SHA512
838a8a116115fa1968c46e19ca636fab0fc6a75988599509cf76d57dee9b707980811c0f2ed00b811a0958c4e07aa8035c7d1fbe06c46789e30354b6dc6f77ec

Download Submit
memory/344-260-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/344-254-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/468-235-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/540-301-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/676-480-0x0000000000310000-0x0000000000349000-memory.dmp

Filesize
228KB

Download
memory/676-473-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/676-481-0x0000000000310000-0x0000000000349000-memory.dmp

Filesize
228KB

Download
memory/780-482-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/780-492-0x0000000000290000-0x00000000002C9000-memory.dmp

Filesize
228KB

Download
memory/1052-14-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1052-368-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1052-21-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/1052-28-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/1052-392-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/1320-501-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1540-278-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1540-283-0x0000000000270000-0x00000000002A9000-memory.dmp

Filesize
228KB

Download
memory/1540-284-0x0000000000270000-0x00000000002A9000-memory.dmp

Filesize
228KB

Download
memory/1632-502-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1632-136-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1640-164-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1656-116-0x0000000000440000-0x0000000000479000-memory.dmp

Filesize
228KB

Download
memory/1656-475-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1656-108-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1668-491-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1668-134-0x0000000000270000-0x00000000002A9000-memory.dmp

Filesize
228KB

Download
memory/1668-122-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1688-415-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1688-425-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/1708-158-0x00000000002D0000-0x0000000000309000-memory.dmp

Filesize
228KB

Download
memory/1708-149-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1708-503-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1716-413-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1716-419-0x00000000002D0000-0x0000000000309000-memory.dmp

Filesize
228KB

Download
memory/1716-414-0x00000000002D0000-0x0000000000309000-memory.dmp

Filesize
228KB

Download
memory/1788-273-0x0000000000350000-0x0000000000389000-memory.dmp

Filesize
228KB

Download
memory/1788-269-0x0000000000350000-0x0000000000389000-memory.dmp

Filesize
228KB

Download
memory/1924-203-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1924-210-0x00000000002F0000-0x0000000000329000-memory.dmp

Filesize
228KB

Download
memory/2044-226-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2052-461-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2092-326-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2092-325-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2092-316-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2136-250-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2136-244-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2192-459-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2200-201-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2220-346-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2220-347-0x0000000000300000-0x0000000000339000-memory.dmp

Filesize
228KB

Download
memory/2320-308-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2320-310-0x0000000000280000-0x00000000002B9000-memory.dmp

Filesize
228KB

Download
memory/2320-315-0x0000000000280000-0x00000000002B9000-memory.dmp

Filesize
228KB

Download
memory/2340-391-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2544-369-0x0000000000260000-0x0000000000299000-memory.dmp

Filesize
228KB

Download
memory/2544-363-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2552-358-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2552-348-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2552-357-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2616-12-0x0000000000260000-0x0000000000299000-memory.dmp

Filesize
228KB

Download
memory/2616-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2616-13-0x0000000000260000-0x0000000000299000-memory.dmp

Filesize
228KB

Download
memory/2616-371-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2632-448-0x00000000002A0000-0x00000000002D9000-memory.dmp

Filesize
228KB

Download
memory/2632-438-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2652-458-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2652-94-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2652-106-0x0000000000290000-0x00000000002C9000-memory.dmp

Filesize
228KB

Download
memory/2652-460-0x0000000000290000-0x00000000002C9000-memory.dmp

Filesize
228KB

Download
memory/2656-426-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2656-56-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2656-430-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2712-382-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2724-431-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2724-447-0x0000000000290000-0x00000000002C9000-memory.dmp

Filesize
228KB

Download
memory/2724-68-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2724-76-0x0000000000290000-0x00000000002C9000-memory.dmp

Filesize
228KB

Download
memory/2728-404-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2728-41-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2728-53-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2748-337-0x0000000000290000-0x00000000002C9000-memory.dmp

Filesize
228KB

Download
memory/2748-327-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2748-336-0x0000000000290000-0x00000000002C9000-memory.dmp

Filesize
228KB

Download
memory/2784-403-0x0000000000440000-0x0000000000479000-memory.dmp

Filesize
228KB

Download
memory/2784-402-0x0000000000440000-0x0000000000479000-memory.dmp

Filesize
228KB

Download
memory/2784-396-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2792-432-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2800-449-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2872-184-0x0000000000310000-0x0000000000349000-memory.dmp

Filesize
228KB

Download
memory/2872-176-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3012-381-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/3012-370-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3012-380-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/3024-294-0x0000000000290000-0x00000000002C9000-memory.dmp

Filesize
228KB

Download
memory/3024-295-0x0000000000290000-0x00000000002C9000-memory.dmp

Filesize
228KB

Download
memory/3024-285-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads