berbew | f9474b0e1da5c2e8dea522875df5a7974ba25a81fddd93694b78e0c3f614d441

Analysis

max time kernel
120s
max time network
128s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
18-02-2025 08:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9474b0e1da5c2e8dea522875df5a7974ba25a81fddd93694b78e0c3f614d441.exe
Size

66KB
MD5

c1e5f9a5b92cd1b50168f7b0b44b26b2
SHA1

47873be1e2b26437da5b6dbc60c5c500b90ca3b5
SHA256

f9474b0e1da5c2e8dea522875df5a7974ba25a81fddd93694b78e0c3f614d441
SHA512

1252be91d87a53d76c5e8df4b8051e576e351b672748c4bd9e9544b512990c85bfcf10d85480209a46ce70775819af426443a66f356d815179f29dd090078ae6
SSDEEP

1536:hPBlnLL6FiLwd/3a8U6Boly05wSmMlGXORQGR:hPBlCFi8J3a8U6Wly05ZdeG

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjiljf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfpmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ceickb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcjgnbc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liblfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qcjoci32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjiljf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clfhml32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpoejbhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kjkbpp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmklak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mlgkbi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pildgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jndflk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmjekahk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qpaohjkk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qijdqp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kolhdbjh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maiqfl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmbje32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beldao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	f9474b0e1da5c2e8dea522875df5a7974ba25a81fddd93694b78e0c3f614d441.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcckibfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lbagpp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbdipa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceickb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kmklak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbagpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nhcebj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpaohjkk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ciglaa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabaec32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f9474b0e1da5c2e8dea522875df5a7974ba25a81fddd93694b78e0c3f614d441.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ankedf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alaccj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Alaccj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmbnam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ailqfooi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bbikig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cniajdkg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdepmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bacefpbg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciglaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdcjgnbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lpanne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cobhdhha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Blobmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Anmbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nmggllha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mmbnam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ninhamne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Clfhml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Llcehg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Liblfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Naimepkp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Naimepkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pbdipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kpoejbhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mmpakm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pjbjjc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kelmbifm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmggllha.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbikig32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llcehg32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 54 IoCs

pid	Process
2776	Jcoanb32.exe
2700	Jndflk32.exe
2712	Jcckibfg.exe
2788	Kolhdbjh.exe
984	Kpoejbhe.exe
2092	Kelmbifm.exe
2168	Kndbko32.exe
2488	Kjkbpp32.exe
2312	Kmklak32.exe
2764	Liblfl32.exe
2220	Llcehg32.exe
1760	Lpanne32.exe
1316	Lhlbbg32.exe
2576	Lbagpp32.exe
1360	Mdepmh32.exe
912	Maiqfl32.exe
1568	Mmpakm32.exe
1348	Mmbnam32.exe
2328	Mcofid32.exe
1388	Mlgkbi32.exe
1260	Nmggllha.exe
1516	Ninhamne.exe
1292	Naimepkp.exe
1028	Nhcebj32.exe
2248	Nchipb32.exe
1712	Pildgl32.exe
2692	Pbdipa32.exe
2804	Pjbjjc32.exe
2696	Qcjoci32.exe
2148	Qpaohjkk.exe
2004	Qijdqp32.exe
1800	Ailqfooi.exe
1844	Ankedf32.exe
2356	Anmbje32.exe
2260	Alaccj32.exe
2296	Bldpiifb.exe
716	Beldao32.exe
2404	Bjiljf32.exe
1148	Bacefpbg.exe
696	Bfpmog32.exe
236	Bmjekahk.exe
1868	Blobmm32.exe
3016	Bbikig32.exe
1776	Ceickb32.exe
2624	Chhpgn32.exe
800	Cobhdhha.exe
2364	Ciglaa32.exe
2212	Clfhml32.exe
872	Cabaec32.exe
2792	Cdamao32.exe
2104	Ckkenikc.exe
3064	Cniajdkg.exe
580	Cdcjgnbc.exe
1212	Coindgbi.exe

Loads dropped DLL 64 IoCs

pid	Process
2948	f9474b0e1da5c2e8dea522875df5a7974ba25a81fddd93694b78e0c3f614d441.exe
2948	f9474b0e1da5c2e8dea522875df5a7974ba25a81fddd93694b78e0c3f614d441.exe
2776	Jcoanb32.exe
2776	Jcoanb32.exe
2700	Jndflk32.exe
2700	Jndflk32.exe
2712	Jcckibfg.exe
2712	Jcckibfg.exe
2788	Kolhdbjh.exe
2788	Kolhdbjh.exe
984	Kpoejbhe.exe
984	Kpoejbhe.exe
2092	Kelmbifm.exe
2092	Kelmbifm.exe
2168	Kndbko32.exe
2168	Kndbko32.exe
2488	Kjkbpp32.exe
2488	Kjkbpp32.exe
2312	Kmklak32.exe
2312	Kmklak32.exe
2764	Liblfl32.exe
2764	Liblfl32.exe
2220	Llcehg32.exe
2220	Llcehg32.exe
1760	Lpanne32.exe
1760	Lpanne32.exe
1316	Lhlbbg32.exe
1316	Lhlbbg32.exe
2576	Lbagpp32.exe
2576	Lbagpp32.exe
1360	Mdepmh32.exe
1360	Mdepmh32.exe
912	Maiqfl32.exe
912	Maiqfl32.exe
1568	Mmpakm32.exe
1568	Mmpakm32.exe
1348	Mmbnam32.exe
1348	Mmbnam32.exe
2328	Mcofid32.exe
2328	Mcofid32.exe
1388	Mlgkbi32.exe
1388	Mlgkbi32.exe
1260	Nmggllha.exe
1260	Nmggllha.exe
1516	Ninhamne.exe
1516	Ninhamne.exe
1292	Naimepkp.exe
1292	Naimepkp.exe
1028	Nhcebj32.exe
1028	Nhcebj32.exe
2248	Nchipb32.exe
2248	Nchipb32.exe
1712	Pildgl32.exe
1712	Pildgl32.exe
2692	Pbdipa32.exe
2692	Pbdipa32.exe
2804	Pjbjjc32.exe
2804	Pjbjjc32.exe
2696	Qcjoci32.exe
2696	Qcjoci32.exe
2148	Qpaohjkk.exe
2148	Qpaohjkk.exe
2004	Qijdqp32.exe
2004	Qijdqp32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ceickb32.exe	Bbikig32.exe
File created	C:\Windows\SysWOW64\Hjlkkhne.dll	Ciglaa32.exe
File opened for modification	C:\Windows\SysWOW64\Jcoanb32.exe	f9474b0e1da5c2e8dea522875df5a7974ba25a81fddd93694b78e0c3f614d441.exe
File created	C:\Windows\SysWOW64\Dflpeo32.dll	f9474b0e1da5c2e8dea522875df5a7974ba25a81fddd93694b78e0c3f614d441.exe
File opened for modification	C:\Windows\SysWOW64\Lhlbbg32.exe	Lpanne32.exe
File created	C:\Windows\SysWOW64\Maiqfl32.exe	Mdepmh32.exe
File created	C:\Windows\SysWOW64\Nokalbod.dll	Mmbnam32.exe
File opened for modification	C:\Windows\SysWOW64\Mlgkbi32.exe	Mcofid32.exe
File created	C:\Windows\SysWOW64\Ckkenikc.exe	Cdamao32.exe
File created	C:\Windows\SysWOW64\Naimepkp.exe	Ninhamne.exe
File opened for modification	C:\Windows\SysWOW64\Nchipb32.exe	Nhcebj32.exe
File created	C:\Windows\SysWOW64\Mhcqcl32.dll	Nchipb32.exe
File created	C:\Windows\SysWOW64\Bacefpbg.exe	Bjiljf32.exe
File created	C:\Windows\SysWOW64\Bongfjgo.dll	Bbikig32.exe
File created	C:\Windows\SysWOW64\Fbnqjk32.dll	Kelmbifm.exe
File created	C:\Windows\SysWOW64\Qpaohjkk.exe	Qcjoci32.exe
File created	C:\Windows\SysWOW64\Ailqfooi.exe	Qijdqp32.exe
File opened for modification	C:\Windows\SysWOW64\Ailqfooi.exe	Qijdqp32.exe
File created	C:\Windows\SysWOW64\Qjqnkk32.dll	Anmbje32.exe
File created	C:\Windows\SysWOW64\Cdamao32.exe	Cabaec32.exe
File opened for modification	C:\Windows\SysWOW64\Kpoejbhe.exe	Kolhdbjh.exe
File created	C:\Windows\SysWOW64\Onchdkoc.dll	Mcofid32.exe
File created	C:\Windows\SysWOW64\Nhcebj32.exe	Naimepkp.exe
File opened for modification	C:\Windows\SysWOW64\Bfpmog32.exe	Bacefpbg.exe
File created	C:\Windows\SysWOW64\Pbdipa32.exe	Pildgl32.exe
File created	C:\Windows\SysWOW64\Eonkgg32.dll	Bldpiifb.exe
File opened for modification	C:\Windows\SysWOW64\Bjiljf32.exe	Beldao32.exe
File opened for modification	C:\Windows\SysWOW64\Ciglaa32.exe	Cobhdhha.exe
File created	C:\Windows\SysWOW64\Ankedf32.exe	Ailqfooi.exe
File opened for modification	C:\Windows\SysWOW64\Ankedf32.exe	Ailqfooi.exe
File opened for modification	C:\Windows\SysWOW64\Alaccj32.exe	Anmbje32.exe
File created	C:\Windows\SysWOW64\Clfhml32.exe	Ciglaa32.exe
File opened for modification	C:\Windows\SysWOW64\Qijdqp32.exe	Qpaohjkk.exe
File created	C:\Windows\SysWOW64\Bldpiifb.exe	Alaccj32.exe
File created	C:\Windows\SysWOW64\Jcckibfg.exe	Jndflk32.exe
File opened for modification	C:\Windows\SysWOW64\Llcehg32.exe	Liblfl32.exe
File opened for modification	C:\Windows\SysWOW64\Lbagpp32.exe	Lhlbbg32.exe
File created	C:\Windows\SysWOW64\Dnmcjanc.dll	Maiqfl32.exe
File opened for modification	C:\Windows\SysWOW64\Pjbjjc32.exe	Pbdipa32.exe
File created	C:\Windows\SysWOW64\Qijdqp32.exe	Qpaohjkk.exe
File created	C:\Windows\SysWOW64\Qamnbhdj.dll	Bfpmog32.exe
File created	C:\Windows\SysWOW64\Eajkip32.dll	Ceickb32.exe
File created	C:\Windows\SysWOW64\Mcofid32.exe	Mmbnam32.exe
File created	C:\Windows\SysWOW64\Faiglonh.dll	Nhcebj32.exe
File created	C:\Windows\SysWOW64\Eoadpbdp.dll	Pildgl32.exe
File created	C:\Windows\SysWOW64\Okfimp32.dll	Qcjoci32.exe
File created	C:\Windows\SysWOW64\Cobhdhha.exe	Chhpgn32.exe
File created	C:\Windows\SysWOW64\Niienepq.dll	Cabaec32.exe
File created	C:\Windows\SysWOW64\Fnoopd32.dll	Jcckibfg.exe
File opened for modification	C:\Windows\SysWOW64\Kelmbifm.exe	Kpoejbhe.exe
File created	C:\Windows\SysWOW64\Hqmnfa32.dll	Kpoejbhe.exe
File created	C:\Windows\SysWOW64\Pdleiobf.dll	Liblfl32.exe
File created	C:\Windows\SysWOW64\Alaccj32.exe	Anmbje32.exe
File created	C:\Windows\SysWOW64\Mdepmh32.exe	Lbagpp32.exe
File created	C:\Windows\SysWOW64\Pipfnehe.dll	Lbagpp32.exe
File created	C:\Windows\SysWOW64\Flhbop32.dll	Bacefpbg.exe
File created	C:\Windows\SysWOW64\Cniajdkg.exe	Ckkenikc.exe
File opened for modification	C:\Windows\SysWOW64\Cniajdkg.exe	Ckkenikc.exe
File created	C:\Windows\SysWOW64\Liblfl32.exe	Kmklak32.exe
File opened for modification	C:\Windows\SysWOW64\Maiqfl32.exe	Mdepmh32.exe
File opened for modification	C:\Windows\SysWOW64\Nhcebj32.exe	Naimepkp.exe
File opened for modification	C:\Windows\SysWOW64\Qpaohjkk.exe	Qcjoci32.exe
File created	C:\Windows\SysWOW64\Dmknff32.dll	Ankedf32.exe
File opened for modification	C:\Windows\SysWOW64\Clfhml32.exe	Ciglaa32.exe

System Location Discovery: System Language Discovery 1 TTPs 55 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhlbbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpaohjkk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjiljf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceickb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcoanb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcofid32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbdipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ailqfooi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfpmog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cniajdkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmggllha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Naimepkp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pildgl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjbjjc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clfhml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmbnam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nchipb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bldpiifb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blobmm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciglaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coindgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbagpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcjoci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabaec32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llcehg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmjekahk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ankedf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alaccj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beldao32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chhpgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjkbpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmklak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maiqfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qijdqp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckkenikc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kolhdbjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdepmh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmbje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpanne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liblfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f9474b0e1da5c2e8dea522875df5a7974ba25a81fddd93694b78e0c3f614d441.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kelmbifm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kndbko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cobhdhha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ninhamne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbikig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdamao32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jndflk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpoejbhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlgkbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhcebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcckibfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmpakm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bacefpbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcjgnbc.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Llcehg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfnehe.dll"	Lbagpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhcqcl32.dll"	Nchipb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qpaohjkk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcofid32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pjbjjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mokegi32.dll"	Cobhdhha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kndbko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjlmef.dll"	Kmklak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ciglaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohodgb32.dll"	Cdcjgnbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ninhamne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkkckf32.dll"	Naimepkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmknff32.dll"	Ankedf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chhpgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmpebb32.dll"	Kndbko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lpanne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdepmh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nhcebj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qcjoci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olilod32.dll"	Ailqfooi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bfpmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jcoanb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jcckibfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kolhdbjh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kjkbpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdamao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljkaejba.dll"	Bmjekahk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eajkip32.dll"	Ceickb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	f9474b0e1da5c2e8dea522875df5a7974ba25a81fddd93694b78e0c3f614d441.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jndflk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Naimepkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pildgl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kmklak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mlgkbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alkjpb32.dll"	Nmggllha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Blobmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cabaec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cniajdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dflpeo32.dll"	f9474b0e1da5c2e8dea522875df5a7974ba25a81fddd93694b78e0c3f614d441.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kndbko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokalbod.dll"	Mmbnam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Naimepkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niienepq.dll"	Cabaec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdamao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhfbabeh.dll"	Jcoanb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mlgkbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bjiljf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ceickb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kpoejbhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eonkgg32.dll"	Bldpiifb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kipdmjne.dll"	Beldao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bacefpbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qcjoci32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ankedf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ckkenikc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cniajdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnmcjanc.dll"	Maiqfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nflpan32.dll"	Mlgkbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoadpbdp.dll"	Pildgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmjekahk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	f9474b0e1da5c2e8dea522875df5a7974ba25a81fddd93694b78e0c3f614d441.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Llcehg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lpanne32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 2776	2948	f9474b0e1da5c2e8dea522875df5a7974ba25a81fddd93694b78e0c3f614d441.exe	30
PID 2948 wrote to memory of 2776	2948	f9474b0e1da5c2e8dea522875df5a7974ba25a81fddd93694b78e0c3f614d441.exe	30
PID 2948 wrote to memory of 2776	2948	f9474b0e1da5c2e8dea522875df5a7974ba25a81fddd93694b78e0c3f614d441.exe	30
PID 2948 wrote to memory of 2776	2948	f9474b0e1da5c2e8dea522875df5a7974ba25a81fddd93694b78e0c3f614d441.exe	30
PID 2776 wrote to memory of 2700	2776	Jcoanb32.exe	31
PID 2776 wrote to memory of 2700	2776	Jcoanb32.exe	31
PID 2776 wrote to memory of 2700	2776	Jcoanb32.exe	31
PID 2776 wrote to memory of 2700	2776	Jcoanb32.exe	31
PID 2700 wrote to memory of 2712	2700	Jndflk32.exe	32
PID 2700 wrote to memory of 2712	2700	Jndflk32.exe	32
PID 2700 wrote to memory of 2712	2700	Jndflk32.exe	32
PID 2700 wrote to memory of 2712	2700	Jndflk32.exe	32
PID 2712 wrote to memory of 2788	2712	Jcckibfg.exe	33
PID 2712 wrote to memory of 2788	2712	Jcckibfg.exe	33
PID 2712 wrote to memory of 2788	2712	Jcckibfg.exe	33
PID 2712 wrote to memory of 2788	2712	Jcckibfg.exe	33
PID 2788 wrote to memory of 984	2788	Kolhdbjh.exe	34
PID 2788 wrote to memory of 984	2788	Kolhdbjh.exe	34
PID 2788 wrote to memory of 984	2788	Kolhdbjh.exe	34
PID 2788 wrote to memory of 984	2788	Kolhdbjh.exe	34
PID 984 wrote to memory of 2092	984	Kpoejbhe.exe	35
PID 984 wrote to memory of 2092	984	Kpoejbhe.exe	35
PID 984 wrote to memory of 2092	984	Kpoejbhe.exe	35
PID 984 wrote to memory of 2092	984	Kpoejbhe.exe	35
PID 2092 wrote to memory of 2168	2092	Kelmbifm.exe	36
PID 2092 wrote to memory of 2168	2092	Kelmbifm.exe	36
PID 2092 wrote to memory of 2168	2092	Kelmbifm.exe	36
PID 2092 wrote to memory of 2168	2092	Kelmbifm.exe	36
PID 2168 wrote to memory of 2488	2168	Kndbko32.exe	37
PID 2168 wrote to memory of 2488	2168	Kndbko32.exe	37
PID 2168 wrote to memory of 2488	2168	Kndbko32.exe	37
PID 2168 wrote to memory of 2488	2168	Kndbko32.exe	37
PID 2488 wrote to memory of 2312	2488	Kjkbpp32.exe	38
PID 2488 wrote to memory of 2312	2488	Kjkbpp32.exe	38
PID 2488 wrote to memory of 2312	2488	Kjkbpp32.exe	38
PID 2488 wrote to memory of 2312	2488	Kjkbpp32.exe	38
PID 2312 wrote to memory of 2764	2312	Kmklak32.exe	39
PID 2312 wrote to memory of 2764	2312	Kmklak32.exe	39
PID 2312 wrote to memory of 2764	2312	Kmklak32.exe	39
PID 2312 wrote to memory of 2764	2312	Kmklak32.exe	39
PID 2764 wrote to memory of 2220	2764	Liblfl32.exe	40
PID 2764 wrote to memory of 2220	2764	Liblfl32.exe	40
PID 2764 wrote to memory of 2220	2764	Liblfl32.exe	40
PID 2764 wrote to memory of 2220	2764	Liblfl32.exe	40
PID 2220 wrote to memory of 1760	2220	Llcehg32.exe	41
PID 2220 wrote to memory of 1760	2220	Llcehg32.exe	41
PID 2220 wrote to memory of 1760	2220	Llcehg32.exe	41
PID 2220 wrote to memory of 1760	2220	Llcehg32.exe	41
PID 1760 wrote to memory of 1316	1760	Lpanne32.exe	42
PID 1760 wrote to memory of 1316	1760	Lpanne32.exe	42
PID 1760 wrote to memory of 1316	1760	Lpanne32.exe	42
PID 1760 wrote to memory of 1316	1760	Lpanne32.exe	42
PID 1316 wrote to memory of 2576	1316	Lhlbbg32.exe	43
PID 1316 wrote to memory of 2576	1316	Lhlbbg32.exe	43
PID 1316 wrote to memory of 2576	1316	Lhlbbg32.exe	43
PID 1316 wrote to memory of 2576	1316	Lhlbbg32.exe	43
PID 2576 wrote to memory of 1360	2576	Lbagpp32.exe	44
PID 2576 wrote to memory of 1360	2576	Lbagpp32.exe	44
PID 2576 wrote to memory of 1360	2576	Lbagpp32.exe	44
PID 2576 wrote to memory of 1360	2576	Lbagpp32.exe	44
PID 1360 wrote to memory of 912	1360	Mdepmh32.exe	45
PID 1360 wrote to memory of 912	1360	Mdepmh32.exe	45
PID 1360 wrote to memory of 912	1360	Mdepmh32.exe	45
PID 1360 wrote to memory of 912	1360	Mdepmh32.exe	45

C:\Users\Admin\AppData\Local\Temp\f9474b0e1da5c2e8dea522875df5a7974ba25a81fddd93694b78e0c3f614d441.exe
"C:\Users\Admin\AppData\Local\Temp\f9474b0e1da5c2e8dea522875df5a7974ba25a81fddd93694b78e0c3f614d441.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Windows\SysWOW64\Jcoanb32.exe
  C:\Windows\system32\Jcoanb32.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\SysWOW64\Jndflk32.exe
    C:\Windows\system32\Jndflk32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\Windows\SysWOW64\Jcckibfg.exe
      C:\Windows\system32\Jcckibfg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2712
    - - C:\Windows\SysWOW64\Kolhdbjh.exe
        
        C:\Windows\system32\Kolhdbjh.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2788
      - C:\Windows\SysWOW64\Kpoejbhe.exe
        
        C:\Windows\system32\Kpoejbhe.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:984
        
        C:\Windows\SysWOW64\Kelmbifm.exe
        
        C:\Windows\system32\Kelmbifm.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\SysWOW64\Kndbko32.exe
        
        C:\Windows\system32\Kndbko32.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\Kjkbpp32.exe
        
        C:\Windows\system32\Kjkbpp32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\SysWOW64\Kmklak32.exe
        
        C:\Windows\system32\Kmklak32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\SysWOW64\Liblfl32.exe
        
        C:\Windows\system32\Liblfl32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\SysWOW64\Llcehg32.exe
        
        C:\Windows\system32\Llcehg32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\SysWOW64\Lpanne32.exe
        
        C:\Windows\system32\Lpanne32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Windows\SysWOW64\Lhlbbg32.exe
        
        C:\Windows\system32\Lhlbbg32.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1316
        
        C:\Windows\SysWOW64\Lbagpp32.exe
        
        C:\Windows\system32\Lbagpp32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\SysWOW64\Mdepmh32.exe
        
        C:\Windows\system32\Mdepmh32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Windows\SysWOW64\Maiqfl32.exe
        
        C:\Windows\system32\Maiqfl32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:912
        
        C:\Windows\SysWOW64\Mmpakm32.exe
        
        C:\Windows\system32\Mmpakm32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1568
        
        C:\Windows\SysWOW64\Mmbnam32.exe
        
        C:\Windows\system32\Mmbnam32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\Mcofid32.exe
        
        C:\Windows\system32\Mcofid32.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2328
        
        C:\Windows\SysWOW64\Mlgkbi32.exe
        
        C:\Windows\system32\Mlgkbi32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1388
        
        C:\Windows\SysWOW64\Nmggllha.exe
        
        C:\Windows\system32\Nmggllha.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1260
        
        C:\Windows\SysWOW64\Ninhamne.exe
        
        C:\Windows\system32\Ninhamne.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Naimepkp.exe
        
        C:\Windows\system32\Naimepkp.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1292
        
        C:\Windows\SysWOW64\Nhcebj32.exe
        
        C:\Windows\system32\Nhcebj32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1028
        
        C:\Windows\SysWOW64\Nchipb32.exe
        
        C:\Windows\system32\Nchipb32.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Pildgl32.exe
        
        C:\Windows\system32\Pildgl32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1712
        
        C:\Windows\SysWOW64\Pbdipa32.exe
        
        C:\Windows\system32\Pbdipa32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2692
        
        C:\Windows\SysWOW64\Pjbjjc32.exe
        
        C:\Windows\system32\Pjbjjc32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2804
        
        C:\Windows\SysWOW64\Qcjoci32.exe
        
        C:\Windows\system32\Qcjoci32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\Qpaohjkk.exe
        
        C:\Windows\system32\Qpaohjkk.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2148
        
        C:\Windows\SysWOW64\Qijdqp32.exe
        
        C:\Windows\system32\Qijdqp32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2004
        
        C:\Windows\SysWOW64\Ailqfooi.exe
        
        C:\Windows\system32\Ailqfooi.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1800
        
        C:\Windows\SysWOW64\Ankedf32.exe
        
        C:\Windows\system32\Ankedf32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1844
        
        C:\Windows\SysWOW64\Anmbje32.exe
        
        C:\Windows\system32\Anmbje32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        C:\Windows\SysWOW64\Alaccj32.exe
        
        C:\Windows\system32\Alaccj32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2260
        
        C:\Windows\SysWOW64\Bldpiifb.exe
        
        C:\Windows\system32\Bldpiifb.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Beldao32.exe
        
        C:\Windows\system32\Beldao32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:716
        
        C:\Windows\SysWOW64\Bjiljf32.exe
        
        C:\Windows\system32\Bjiljf32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\Bacefpbg.exe
        
        C:\Windows\system32\Bacefpbg.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1148
        
        C:\Windows\SysWOW64\Bfpmog32.exe
        
        C:\Windows\system32\Bfpmog32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:696
        
        C:\Windows\SysWOW64\Bmjekahk.exe
        
        C:\Windows\system32\Bmjekahk.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:236
        
        C:\Windows\SysWOW64\Blobmm32.exe
        
        C:\Windows\system32\Blobmm32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1868
        
        C:\Windows\SysWOW64\Bbikig32.exe
        
        C:\Windows\system32\Bbikig32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3016
        
        C:\Windows\SysWOW64\Ceickb32.exe
        
        C:\Windows\system32\Ceickb32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\Chhpgn32.exe
        
        C:\Windows\system32\Chhpgn32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2624
        
        C:\Windows\SysWOW64\Cobhdhha.exe
        
        C:\Windows\system32\Cobhdhha.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:800
        
        C:\Windows\SysWOW64\Ciglaa32.exe
        
        C:\Windows\system32\Ciglaa32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Clfhml32.exe
        
        C:\Windows\system32\Clfhml32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2212
        
        C:\Windows\SysWOW64\Cabaec32.exe
        
        C:\Windows\system32\Cabaec32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:872
        
        C:\Windows\SysWOW64\Cdamao32.exe
        
        C:\Windows\system32\Cdamao32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2792
        
        C:\Windows\SysWOW64\Ckkenikc.exe
        
        C:\Windows\system32\Ckkenikc.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\Cniajdkg.exe
        
        C:\Windows\system32\Cniajdkg.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Cdcjgnbc.exe
        
        C:\Windows\system32\Cdcjgnbc.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:580
        
        C:\Windows\SysWOW64\Coindgbi.exe
        
        C:\Windows\system32\Coindgbi.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ailqfooi.exe

Filesize
66KB

MD5
6303c6016db922d71f7354ad698a1309

SHA1
5a4fef693292e359bc173c83d56ee391008c540d

SHA256
6bea167978f7fc5d5b789aac37669a471a874cfe81c30b8b846010645130e1a3

SHA512
7231f09cf4aef2f28ea949d2e9bafc9451d14d5ad70a60c300be0a5886b2710a8f574e46d9758395b1de2f0f0889a6f93c4a7875787b996cadde9bf20665017d

Download Submit
C:\Windows\SysWOW64\Alaccj32.exe

Filesize
66KB

MD5
19a1dcdbe2dd026cace181db657d65d4

SHA1
978b138b6be8a6e3963783c2c0c92de3541d01b9

SHA256
a145f37991b512cbdad88b70e7f4b80a91685d2315a6bec89ba6b98cd92b4de4

SHA512
890ab21fb2a535cd79b7c591e53362afe6578a2ad40a07549880ccf75d3279ac61cc7c8c73ae4884ccd7120004b4ee0f3912c7c46337991c7942164e099a77ae

Download Submit
C:\Windows\SysWOW64\Ankedf32.exe

Filesize
66KB

MD5
d2671017987148a31831787bb8e07927

SHA1
c265f6d68c468317abb2d635b21a29e7dd0bce9e

SHA256
f95cd610b54bac65c8dc803817028702e0daf3b4a0750fab43f487b89170fc19

SHA512
b13ee056f4e92edd0d0bcb15bc779a37103e57910be292a64a8b389b49a944c53f621cf53fdcef1fe1793992079cf4b9b2cce2671ee09bd2a9e2bb5244393cf1

Download Submit
C:\Windows\SysWOW64\Anmbje32.exe

Filesize
66KB

MD5
5367d51b3a456408e3a1d6abd993c026

SHA1
c5d021c79012f8d31c09ca851f90c94fc70e5d7a

SHA256
e74003a37d4bcece06f105c523b2ff9bf115a3f91a61ea7d4dd03cec1a15804c

SHA512
fa6bb94de6aa6d2a32931e4133fb2f7fed86da500b05d9972f655a5cfa065e268c0b685d1a7c96f4bb457656c075a21bf1643aa402456c04b69df6ba126baaae

Download Submit
C:\Windows\SysWOW64\Bacefpbg.exe

Filesize
66KB

MD5
c75aa3abe5cc5d43b9a09d98c8a4510f

SHA1
0d1ce6dfd860d91d401ec7428f92f2844d709cc6

SHA256
f0b9d5bdb555de0836c86d06002d0e9d328332c5a6b859b8e02e7bdd5b8bc44e

SHA512
0bb8c9d0fc9cf0a8011f42e25eb9c395b92cccbe2fc9d2bd21a47207ad675948d2f3b2cb499eb241e9c2349a2d71d6daa1379f40da492b623d114d74029540ce

Download Submit
C:\Windows\SysWOW64\Bbikig32.exe

Filesize
66KB

MD5
252ad80c4b3beda54939761baa044696

SHA1
911238b7cb0d0ff86d4402d17efbabec9ab2fb79

SHA256
e1a6c23fb1c749c46bd1a033274b84cf6dad42f70269723db18bb8a4f75cc126

SHA512
1467769cd65196a41deed3ce5196feca10bdd100bd403f1c6f5a4d11f95d7c5de53461963f796caee7c08213caee304a3731dd851649629a26a50319cd02eab0

Download Submit
C:\Windows\SysWOW64\Beldao32.exe

Filesize
66KB

MD5
1f90b7de0d8157610aebc607d23c101e

SHA1
d387bef8890943e79d93a68360b716c84415703b

SHA256
0b761d509b0cff68ab972d3dc2dd73cde1051a3291ad690f3adc0d491084961e

SHA512
780949fb80f74f92b2a6e110c1fdceb41897d787649170851000419814177a719990268f7114e568bb6b7522442dc504775eb8a345a03acd3fcbb8139f0b5242

Download Submit
C:\Windows\SysWOW64\Bfpmog32.exe

Filesize
66KB

MD5
0e9acfa0abba690d19345d8d7c3e7bd3

SHA1
8d49dba196b384339d7daf4e974e633a433f13f8

SHA256
08cf25db7df6dbf7bca0268a86c5e1fe6ead2171b16cd7cd187b753276e2b49e

SHA512
ed78e88e16430d9c9662687c180987d9332a0d412c9fc6b3a42c8cb9cd267e336b89781a357a89241e2fa6dc3251711f8029356f57427ea30a22a4cd471a55f2

Download Submit
C:\Windows\SysWOW64\Bjiljf32.exe

Filesize
66KB

MD5
93aad7ce8d1f6d1da4734b2b2ac0e6e5

SHA1
236729169ff907f2c034e603728ce9cc28f112ff

SHA256
83d2833ed788246cda747c176c86874d7e36bc6c169bc337fc2548daaee54853

SHA512
eb2ce5df3a817d488f3ed664f686d65564ea7a9441601c7b4d263b100213e64577b1505ccdcbb920a9ed1ec15e6fe550bd650f748c56217a1a7edea5acc20954

Download Submit
C:\Windows\SysWOW64\Bldpiifb.exe

Filesize
66KB

MD5
ba442bf97cde6a1cd26b3d077d2159a9

SHA1
03de697b8dcc4bbae88fb6930040dac7a7028aae

SHA256
7902e71b1582dcd4a2ac9aac8a58464c69e964e2d064dafe61d9c8eac1b6cc8f

SHA512
151573422603f5b46fdebc7a210709dc5eff390e8074571e34163b9af7c19ed779f02745cd8041f0a0f1e5dd1c1024585099bd7359a5f1c387cf3722ba86365f

Download Submit
C:\Windows\SysWOW64\Blobmm32.exe

Filesize
66KB

MD5
e70a8c5d6079fbe1c64d2d3c6022a4db

SHA1
1dd3b3ed72d80b4dd9647a0bf360f792df7e8edd

SHA256
0298daf7d57846d267ca3e8d0c2b3b15468ab6cb93846a45d7c29db7d7da6fe3

SHA512
a6e071b66a0191298e83aae2d01189ca85ccdb8c86ad99698cf578abda1be6c51af0b0b7fd3d2ade4612f98dee5b8e331a15015e0c9b99025fbbeb6e4ace1064

Download Submit
C:\Windows\SysWOW64\Bmjekahk.exe

Filesize
66KB

MD5
0c6c581ebb1cbf5014637e8fdb61a8ca

SHA1
f22900c80b8ed037e7ce96b61158e58175be1657

SHA256
f49909bffb6bbeaf5969d50ea394ca0478c0257408d21cef78921f4f32cf0a10

SHA512
8bddf80cd2a8eeb4e120808046170a75a5d39686759fbd6674dab30d7976ed348cf89475784701e5ba3988e9e4f1685b355b995d6f760776299f53db40713501

Download Submit
C:\Windows\SysWOW64\Cabaec32.exe

Filesize
66KB

MD5
2449a49c28eb0be999b12490a770379d

SHA1
aa1d3c5c88dc46b086897537ac1a9de9560d83ea

SHA256
89d9ac1eb25d1e391fad418b94e2934717bbd2aaea59701eb4f026cea61e7091

SHA512
43bb3d305358dd4f336bf65efb7fb91e8c7f3f04fd41d0f1f959e359caa976e267e360cd413d15d673cc4c657611306526bd99494028053354c2479607865877

Download Submit
C:\Windows\SysWOW64\Cdamao32.exe

Filesize
66KB

MD5
9e0f798ef165b43cfaa8d856ccf5291f

SHA1
3172692d2c9cb0592b1d5c445eb036ecc47f115c

SHA256
27662e0b9645c32d8135728bb6c898164e41fca5be4712595bef05535a16cab9

SHA512
1d6c50d29641744288910bc27b0628f5cbb430212247e5be8596e555cd20223864ec411e109f7121e3bc17bcb4153d4b5feddb19168e3b8e248ac1fa3400727d

Download Submit
C:\Windows\SysWOW64\Cdcjgnbc.exe

Filesize
66KB

MD5
106ba282809594400a9335a179246966

SHA1
0d0e18b1c908a32ac3c4809916805a2383a364ce

SHA256
225bfd08f43963013fcb269f1f81bf2f9d4757117b478ed581678a9433675ff2

SHA512
ce69727c247e10c4ec036ebddffd30a7fb0b41f903f920c88d681d841d47ae4c178599aee03819ce306bd9aa6e05c305364afa7d6e0a41ea428dfdea113a89f8

Download Submit
C:\Windows\SysWOW64\Ceickb32.exe

Filesize
66KB

MD5
9255072918512db942c76c46fc430ba1

SHA1
639b82cfae304fe7f49856f1268f568bb7a01a20

SHA256
93ef7196127aadd52f144c77f2b1230844cd59d7521e1284c5066702e5afd283

SHA512
2de361aff2a6b59b5097c13ede21d429eba1300509de3c1016f9ef00682fd4e5138872fdb82572a0c858dfe857bd8c812a50a846d58653bb0e10dd488dba61ac

Download Submit
C:\Windows\SysWOW64\Chhpgn32.exe

Filesize
66KB

MD5
e189a9fd5aa39aa5d982ea78166b0945

SHA1
03e30f25451acab05daf900e9574f36016f7723a

SHA256
78b947354838d58a3faf63d3e96fc2db63b903d23dbdfc4021c2914f0f516c3f

SHA512
f8a2098e7a169097dc10294bff227b824e0aaf7eede4bbba612137e459ef56c04e01551403bf1e292bfbbe126aa3341193bbe9de63e94e9788b7921031623700

Download Submit
C:\Windows\SysWOW64\Ciglaa32.exe

Filesize
66KB

MD5
7ebfb1f717160f66efc43c2db9241db0

SHA1
b564929ff5a69c9375e0379de04af242d3585221

SHA256
37c75bf64f50c8740387c6f20bfeded3a01f2af519c1166e48b35f40e269ff0e

SHA512
aa5a0c176007ddc6e09bb47ef2f5a2a92d35e6d4fbe31425b726b18d4f3380a2d6a6743e07ba1fa4fc444b102dcf575114f06272f5d2481817db56964d65be49

Download Submit
C:\Windows\SysWOW64\Ckkenikc.exe

Filesize
66KB

MD5
4674f6437d8214de364e27d8df8ab152

SHA1
e0f2e8fb68a156d5e26cf824eb9ba5f601d67385

SHA256
1cba728166af98ecd4951c8ee8a4940e0032246f062893a2f93c8d95a92a8aee

SHA512
57b09fbaa8d9b54559956be50ab0bbc13f149b0c28463952be6c4776a4119dd27d3e47c9dfbacdfea2a8d3ebfee667cac484c429f097ce613f2dba59a9df7f2f

Download Submit
C:\Windows\SysWOW64\Clfhml32.exe

Filesize
66KB

MD5
1cdcc57569d158b67de60cb32038a264

SHA1
eb8ce6201a6cf95bb60642db08f28b64348a02de

SHA256
1ee9241a83610266357fe5ae7ac93fe01ba5705cf347e24c261b237785766437

SHA512
9fbe35db749d1ebde9dbfcb21bb8c9f36f6fe00b5eb0093490d26a45cf5c77f30852991b2edde233ca9017bfbfc6f4032262b2d5cbb8c572bff0887985d7c76f

Download Submit
C:\Windows\SysWOW64\Cniajdkg.exe

Filesize
66KB

MD5
5babcf2159a9b34a0f3f5ec530b7355b

SHA1
b8ee40083b4270dec260ed6d0d0a954e2d68c8f6

SHA256
e1d3c00fad289d241f8ee32dd8779fb92ab7b14fcc25d916a4874427d9174930

SHA512
17f71d0a992528166aba9421fad256707c843845232bfa717f361d56c65f1a297eb33b2c841a0e2a23f3b7e5ec870b6b6386bfeb119f0ba11fa10d4fdef73ed1

Download Submit
C:\Windows\SysWOW64\Cobhdhha.exe

Filesize
66KB

MD5
0e6a742724304c2a68d5f7c29c382a2d

SHA1
21326096260b3b7d91e71b8f2dfbb1598e53b012

SHA256
0ee5c312cc385f6d951a107e76b647afdb6f7dc25309d31e8018143320933e31

SHA512
bf5bc4c4cab4bda1eac9e7ce5c23016e124b9e82daca917c3a7daad5adaf8dd12b1d03a0433e9b2faed9f7ff24d299bed12f73d67dcf00b628196700c8b9d0c9

Download Submit
C:\Windows\SysWOW64\Coindgbi.exe

Filesize
66KB

MD5
7121ef395d5dda7bddeefc7534bffd0f

SHA1
ba87fb7f38510decccb52910e9d1ffd081c44bc9

SHA256
37633b0402e5e6c782736768576e3d75db4b9841147eb5ffab8a0d6b77998171

SHA512
0be42c7ef8939c92c2ff603d8263c4a03b7bf75ec3ed0cfcaa182a95f945bd7756027277a12197835d6378a5b6c0480403c4273037858561181d8a2f0790f75c

Download Submit
C:\Windows\SysWOW64\Fcijnhod.dll

Filesize
7KB

MD5
eba9ffa0db2d11511aa1d22802e267fc

SHA1
5207b487fba7668b2660bfd90d37954a35b7b87f

SHA256
40b51efa84abe2dd0555f7b81cece0c61bd0a358ca53fc2572dcdb16d9f77435

SHA512
39997474301914677477297219aa0ec6578d36b98508d9813531221f3895781b067750c91876ae3ea54c058dded0f3a3528263cdb14b8b5c75ba73ea8fae88b0

Download Submit
C:\Windows\SysWOW64\Jcoanb32.exe

Filesize
66KB

MD5
4a94c635eac775dd2c26d9f3e0108b16

SHA1
40eac5c2326f9dbf7565ceb42baaeebda36e0d2f

SHA256
321a6d7c8566c34eca63a44d9905ad768d7e942302489724382bb4ef4547e17c

SHA512
026d9864e0695000c736e673f43ba0cdd47cfc136de5737a13c4e00cee5a1f4324e0400d4c2c0abfd9937b55d6f99b01a6bba20ecb746e9475ec4de342be96cb

Download Submit
C:\Windows\SysWOW64\Jndflk32.exe

Filesize
66KB

MD5
48d43f460ab8a65c299ced857a84a3ee

SHA1
4de1f4b2beb8ad8b8598b8c40d9ac1695d47ce91

SHA256
09be338a099a7a31e7ee10d1010d02f3125f856c2899b017bb48c2df54009091

SHA512
91cb1404f60dbd4aed7f85733eb17b8659947881b52af2d373eb65cbb09265751ca075075f3b1fd2b4a06ff0ab6c1412f5e82cd7530bcc705ef78b76fa1632b5

Download Submit
C:\Windows\SysWOW64\Lhlbbg32.exe

Filesize
66KB

MD5
7435f6a0b604333564ab181d5c4533dd

SHA1
1aeb0030c6ca264ac44f98f786a3f7d77daeb308

SHA256
cd49cf4b7eaa0ed6ccaa7d250a2b33aa1f37e156c555e8e10f151ab4d715117b

SHA512
4039366e617a8d5b134245d8e0f07c77ca36b17778971aaf2bca47204f193268fb1d90e52cb77ca271ca7180e3a1597560e245a6586608f679507e8052088473

Download Submit
C:\Windows\SysWOW64\Mcofid32.exe

Filesize
66KB

MD5
3c712dd25d671925e122520c6be0748d

SHA1
17dc858febf076ab8fc54c44864fc2dce548865e

SHA256
5ca1738af712d36a88101f83476325773cc9849b1bb90616640ac92d1d7817a5

SHA512
d871a6fa67fcf2b2bababe9011be2724309e7d604eebb6006f816d74e83d71401f8cd78860908d32a9f0ec83ab9cb3e5bc2f1557ba9666c7ce9a86616fc6d2db

Download Submit
C:\Windows\SysWOW64\Mlgkbi32.exe

Filesize
66KB

MD5
310a2d651754c2882f6f23a29d78e849

SHA1
d32d2944e3f8560852f237fd1e149541d6e66723

SHA256
05c623b3cf8ff4c319bb8e53796dd3d3c1b9c3af0f360f1ba3ca8152a0b12a80

SHA512
3fad6fbb122c49b0353df05b7e33a0c26cb80df2b4f3670400d5b1e2374b1daf713ab77dae0b5df32ed88bda46ba7f21fea550bff466c5f653777a02094f2052

Download Submit
C:\Windows\SysWOW64\Mmbnam32.exe

Filesize
66KB

MD5
fc69cbd219667a2774287a0af526a318

SHA1
46f6a8acd239855a4cf6226b8b466e09e62049da

SHA256
186fcd1ec5b935a72adab830e01f93409332aa8ba92d966ce2756b9c9cf9a39a

SHA512
780f24af278f81c912fd7e08f8e56c0fa8fcb85f8df9a4facdcd5bef240188b82f65e8be3705dbe3abb12a3252290c48c523ef01c260c61345ff747d588353fc

Download Submit
C:\Windows\SysWOW64\Mmpakm32.exe

Filesize
66KB

MD5
bf2d40908ee7a55c3a6cb972f988ac03

SHA1
08efc5f31cb03e091706b469cf7e636eeb8bf792

SHA256
a8c8d90381c3ccd8122cd93048a4d53ed3f7ba88c21ebd9b62d9249744258e9b

SHA512
e9851a059db9675e6dd708a60d592ef225d124bfd08769459e0765235cebaa88f8ba506bed0f08841f457174782b15493cfd00ee75a932c6966a70f8b15af71d

Download Submit
C:\Windows\SysWOW64\Naimepkp.exe

Filesize
66KB

MD5
4eefd7adb0139f4a7a4ba39283404eea

SHA1
a1f1ce48eb431e237781e5a62979e15178a3f1de

SHA256
9b782df1061cf3511f8d8277ebcc5c3f21d734f0e43304780e0131b29913ad01

SHA512
80cecd6b3608816e705b57688bb0763b16ad53a90f2ba9ed62625841dbb033beca2d00d7ae300e82aaf22547f814ddc942a9844497861a05c6e5b0580c8f24f6

Download Submit
C:\Windows\SysWOW64\Nchipb32.exe

Filesize
66KB

MD5
7f218f2175ed0738e5a831a0fbb22a07

SHA1
0e8908d1d21b0fc5625e6ab8ea71e8ce975d6704

SHA256
dd91afd48ef77071e063f293abb67505e12faf8893b42307c8a16711800398c9

SHA512
69d9463417d7a6ad1a433cb1cb7cdd61a6768071335820d3d2a3f7e278cf85fefd1925b85c56553ffb5dc4d733a2e311678c884f09f1243e2a4528294a9aaa93

Download Submit
C:\Windows\SysWOW64\Nhcebj32.exe

Filesize
66KB

MD5
d470e341bfc30676854f293691c546ab

SHA1
58aa7d165eccba036ff5e410529b3d953188bafa

SHA256
c0c4c3ec28c7a3ce0edbbc34f913bdb3b5026e227a1ed6179b53ea1b50b19496

SHA512
2a5f24fd950f7e215d0abaddaec350e7744a19ff5d9be81b264304fa2cb2d92b410ea447455c34a370e89a181bbbaa55a748d38f2fba5cdb40467b35adf04724

Download Submit
C:\Windows\SysWOW64\Ninhamne.exe

Filesize
66KB

MD5
649e770e4dc62457605b94abcdbfc711

SHA1
149c85b910169bc4876de90a37915c3c4054081e

SHA256
0e4dba41c9da2a51cbcb121b3ac797032c4c5fde5eb1dfc18b0be381cbf80d95

SHA512
ad3f21c449edcee8655ae850e9ee85aa8ae5b3d27dff16578aecddf79f0fd5b3c576bbb9765539bb855dd2685f5578450e81f631de941548694b136fa6627414

Download Submit
C:\Windows\SysWOW64\Nmggllha.exe

Filesize
66KB

MD5
b9d3f01dd8ac76f6f01693f3f6ada794

SHA1
95425ba12710a2861e3031ca42b1456b849e91f5

SHA256
1c3a43fcad04045e235de6e4b54950874e68a1a631b26b4da943f46f0b6cfb76

SHA512
ec17c0c7c9cc898da399bac23475747b55e11cb35200db7a4067fdc1c7eeed06052f68f724d5cd49104188a7078b736d604b3180f9a614031a4c2c9e65124522

Download Submit
C:\Windows\SysWOW64\Pbdipa32.exe

Filesize
66KB

MD5
f205f014455157ea9ede3707bba3788b

SHA1
07695b5446809a188a145ad548c1cbab75040abb

SHA256
c56c7cbd186a3ece278b1a5ab684abc7bf00fb72d68bd4355ec9b2ade767a817

SHA512
7d7767a7cfcd543570a317f0f4293355ea59bda5d2dfae655370141d5f69a08a99c318bdef63e8cf0447e8d9109e7b316b4610d6cb2c97447382f7557f8500d0

Download Submit
C:\Windows\SysWOW64\Pildgl32.exe

Filesize
66KB

MD5
ec21041954f3b05f2dcf8784528db29e

SHA1
7bedd674e271bc10e9ea5f8626ff476f22d14085

SHA256
bc8fffeb59248044c40bf8b801336e9e1ebed0312ee5085cd19b248a174b21b7

SHA512
f844da03da5cf90441afacbf935cceaf388fe9910746f5ffa63766c7221bb190f403384ceee35c3ea14e1ca8ba6086fd9d22f57dc8e3afa11eac703ec2a95d66

Download Submit
C:\Windows\SysWOW64\Pjbjjc32.exe

Filesize
66KB

MD5
22e03d742fd93665b5d57c4d2158024a

SHA1
c81b6108b3a06ce805a27c33ccf64d9f79f0a250

SHA256
0fef9bfdf933a88707f2fcfbf26d2cfd4277d17fc6a15b20fe6abaa36bc55cbd

SHA512
d7a8d4d34b5fc445429fce6cdf8d669ebef0169e21714d347f805a1fc7cbb833872403b922fbda6ae93a1530393de62c04ee6fad6fc9042a59da30015af7f494

Download Submit
C:\Windows\SysWOW64\Qcjoci32.exe

Filesize
66KB

MD5
a6b9491f096f131b09d66db42d33fc61

SHA1
0e1d9e11b99a9494ea47554134634dbf9ad9fee5

SHA256
1ebe0a24f677914b32d6151d86b4aacf5003a3ce2c952f136b4d198965436478

SHA512
05b079f5c92b63655c45f0361db2bb215921b67f7bc9dc3abfae0c09a7094a060f505abfd8536035ac356ad4c65883045036bc8c996b6004449e67fd0eea73af

Download Submit
C:\Windows\SysWOW64\Qijdqp32.exe

Filesize
66KB

MD5
853a381156deb28ec568da82f185ad04

SHA1
7209a340dcfc06b6c78a36d8850329fdaac28944

SHA256
000f6eb046d99227a07de543930b7ca90c4999e4c4505ebfac8dc8c83cda3b6d

SHA512
6b046fc8a1c18e133009b6bb7b6b790b36d6d737e71bb0780cb07ef2ab316b1a509ebec77a6f1458e854cdbf000dc4f633a3e296de8cccf872a3c79ea4ffd2ab

Download Submit
C:\Windows\SysWOW64\Qpaohjkk.exe

Filesize
66KB

MD5
83cd5f7d10a4005dd43b161ccc06c064

SHA1
de33b2c7134771f26df9846369b6243150e24e6b

SHA256
7bd4fb4f9f5ebc934ccbbf3081a36cd24c7af181e71b47df604a8881209a3fd7

SHA512
d8b5b9b314292dde7d43fddca753191652aae98ae765dc8b55637705d3e70fe8d3da0ce37f570a46114b238d0a363df9bf38be70bf3c824def050881e816ad64

Download Submit
\Windows\SysWOW64\Jcckibfg.exe

Filesize
66KB

MD5
531a40e582c1a7bd72e599ec1a486122

SHA1
cbcd46e5a46cf9f2f89e244941052fd058f5f020

SHA256
f0aeb1d486f48f5071653b1bbcff7c36c9db3428043658c776f0f47682b5d42b

SHA512
e67a870e163a538df63028202bf2478a276f8114a4c018e51e37e9ddadcb18f0dfaca43fed51220e9196921888dabefc75cc78e47979cd646d6ee799d62c305f

Download Submit
\Windows\SysWOW64\Kelmbifm.exe

Filesize
66KB

MD5
046c58678fc42431ca982bbd18c8c5ec

SHA1
fc134b25eb1e31e0b704754a7a8bdd1cd1dd65cb

SHA256
e2159532b6e22248076c03035116842f6c454cd0d1c39fdb109c36c07b45db92

SHA512
97e67c606e2869b17127d6e5a63b9d3b6f121b3c068cd6348df96d0e28268c0995a5b23de4b14b6c930b70484bcef479b26610df6b4cca4d5dc78825b3c8ea4d

Download Submit
\Windows\SysWOW64\Kjkbpp32.exe

Filesize
66KB

MD5
9f1424dcb424d941e2486e4fd46b25c6

SHA1
f0c0ea642c0aa0e5976fc8488801f4c9ca3373bc

SHA256
953cd53eaafb4b48da44a983f3c779964808637063c78aae384c17e155930ae9

SHA512
70cd6f2983d61ae57c8e188b09734b7307a9e3892d7dad8f06a28f46e75a49cea89225d6a322def31e8484e043530dddda1cd8107226b9945c8eebdb56223e4c

Download Submit
\Windows\SysWOW64\Kmklak32.exe

Filesize
66KB

MD5
217c06dc6bdb92356cc9fa3b8c4244af

SHA1
d6bcb7d9cff2587c3cfe22d3c84845e629de0ee8

SHA256
1e6e66a5ba561424b55b3a52931ef24de6952884527989cc037e78355fc8c49d

SHA512
11c7fc3a2bcc7097e98292ed2c9c8adaa3aa3ba7afa377893e6138daafeee73b816aeaf5a2596fd5289144ced3aebadd0e9025257e79765b6e33a1ef2e85e07c

Download Submit
\Windows\SysWOW64\Kndbko32.exe

Filesize
66KB

MD5
940c71512c333c274c796d56849d3caf

SHA1
27733bdfff3211085b7cf50c98b36d5dde0a2b59

SHA256
05773f8492b35b31bbc49e19b20ad600592e88edc0c97e9dcffb4f17334fc114

SHA512
e5e886c2250f76144e4168ed58258aef66c406a3421ca731d778a7543a49f641e50e687b1276b1ed1bfa157f8b7fa6ff9ca3e99b070f883107376c54a0f9c8a2

Download Submit
\Windows\SysWOW64\Kolhdbjh.exe

Filesize
66KB

MD5
3e09b3418247be1e389b9f809d398bc2

SHA1
feac20d47789ad9d6176cc147ca5601cab8ed151

SHA256
73801dc6053f8a40b2d24159f253472502c8ec2512adeb5f21d1c9516d82a037

SHA512
5b6f26d685e803caeaf6d03be224e2742c646eb1016c25f5888c41bbb5e1dff90eb6e1ace8cdce082e9bc8d0e66ab640981e1aff182fa177f40dcb4ad18faeb4

Download Submit
\Windows\SysWOW64\Kpoejbhe.exe

Filesize
66KB

MD5
88e8875480410081061c78c27cc0e00d

SHA1
f576e05334e32231c3157b93977d66424d2158cb

SHA256
3f4e5f845089da3d2e711a423bb6eb65581336b868803b71d7835eb995cb09ac

SHA512
eaf3331cf39f8fac422ab1002108bb0bd9f2fb37993baefd3917eb8b9c5c7f35c3a9f89c9caf7431bb649d8bf93eb2a04b39c689fa17068ee9cb1ed9a17e9e1c

Download Submit
\Windows\SysWOW64\Lbagpp32.exe

Filesize
66KB

MD5
ea9abfab6f865af393c55f7c12dcd4c8

SHA1
5e802af33a9333b9ebdce613e54c52cbf16e067f

SHA256
f178704891342154db4029ce5266c3cb1e0705aee1255e785fbd185312fc0fd0

SHA512
83f3d742e64b50089f26e63c21659fcf4b8adab4f8e4e10cf40bf49c5e9c18fd871d03f8db6f39f012c30db5dc3f23b6c34aa2e437036cc5aa801213e2723341

Download Submit
\Windows\SysWOW64\Liblfl32.exe

Filesize
66KB

MD5
49496c13c3a40e5d4fe666de29bca1e1

SHA1
2afc09142675c5c37ad856e13af7eef4d5e6b578

SHA256
22166fea339cee908f46c88aa00ccdeb7f4f1ffa9031beb778223ec3a653f848

SHA512
e5716eb208ea4acb0498e9338d941d0a97013fefd9ba857f5e36fa994e428d224a4704818fa5628c55719fb416332b0e8b59a2d53e75b44aebd46d702ea7a4c2

Download Submit
\Windows\SysWOW64\Llcehg32.exe

Filesize
66KB

MD5
f44d6827b602f9cb18922a01e3254500

SHA1
353ad8794e128310ef2efd7a85ddd79040105709

SHA256
3e9df4a89269757d2167ec72ee22e77c6390f9f39ab56be9ba485dd93c709faf

SHA512
61e542129bfa1da0812444073bfedac87cf4b8275d8f5ab8557b41fbd93cd7228fa3e697c4a72aaf43e62c253c55c79f723eaf6f93d3f2760efc33096b8bbf94

Download Submit
\Windows\SysWOW64\Lpanne32.exe

Filesize
66KB

MD5
0200f8f44df50fedfd7e05f3fabb9874

SHA1
8b61a74e57f3f60f60406a61c4625282932de89f

SHA256
4ca3d0df6fa3d08bb5e5c9fd042e9f5f471856256fce4401a66918d542938d2d

SHA512
282abfc235e4efca17d4d1fc76feb43fc2f772c60f4ab4117abbffcfa23ee035bcd7298a357f91fa152d22decaa645550e72fb28b9c83b90f2f5ff509df6ae66

Download Submit
\Windows\SysWOW64\Maiqfl32.exe

Filesize
66KB

MD5
f14604b0fa9d8c8377d4ac025c29b71f

SHA1
78176cc1940378ef3428ae761479289d2c979e74

SHA256
3b41d8b866372daf9e43abe4f0a8501c34d63bb56d10f470d7588a557383da74

SHA512
4b168f4c911ab84ff1491283e1994fabb461209ae217c928220203b5eafd57777e4fd1ca5a737356e8f4c16e2703aac531e620c181e5cca79ada7eff5aec44ff

Download Submit
\Windows\SysWOW64\Mdepmh32.exe

Filesize
66KB

MD5
609cc1ed461f08705e8a61d59bfa1b9c

SHA1
354449d74b6b0b68b1a4c89ad602288b186d435a

SHA256
7c607753f3b1410b09ebb0850840ca8e2815460952bce78b7fe4ecc9dd396202

SHA512
fe0d1fde8f2d33ca0132d36205d8026ede486cee48f568e5e3792b4c76c4e32954a96b80cc03d1c8f3e58c82c4de6cb81817e4f496d03001f66e5e0de713006a

Download Submit
memory/236-497-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/236-492-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/236-488-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/696-482-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/696-477-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/716-445-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/716-450-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/716-451-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/912-218-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/912-225-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/984-408-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/984-70-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1028-308-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/1028-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1028-307-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/1148-471-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1260-276-0x00000000002B0000-0x00000000002E4000-memory.dmp

Filesize
208KB

Download
memory/1260-267-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1292-296-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1292-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1292-297-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1316-182-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1348-247-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1348-238-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1360-212-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1360-204-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1388-257-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1388-263-0x00000000002A0000-0x00000000002D4000-memory.dmp

Filesize
208KB

Download
memory/1516-285-0x00000000002B0000-0x00000000002E4000-memory.dmp

Filesize
208KB

Download
memory/1516-286-0x00000000002B0000-0x00000000002E4000-memory.dmp

Filesize
208KB

Download
memory/1568-229-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1712-330-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1712-329-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1712-320-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1760-175-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/1760-163-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1800-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1844-407-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/1844-403-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1868-499-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2004-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2004-387-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2092-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2092-83-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2092-91-0x00000000003A0000-0x00000000003D4000-memory.dmp

Filesize
208KB

Download
memory/2148-376-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2148-365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2168-439-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2168-104-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2168-433-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2220-493-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2248-309-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2248-318-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2248-319-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2260-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2296-438-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2296-428-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2312-462-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2312-135-0x00000000003C0000-0x00000000003F4000-memory.dmp

Filesize
208KB

Download
memory/2328-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2356-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2404-456-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2404-461-0x00000000001B0000-0x00000000001E4000-memory.dmp

Filesize
208KB

Download
memory/2488-449-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2488-110-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2488-118-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2576-190-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2576-198-0x00000000002A0000-0x00000000002D4000-memory.dmp

Filesize
208KB

Download
memory/2692-331-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2692-342-0x00000000002C0000-0x00000000002F4000-memory.dmp

Filesize
208KB

Download
memory/2692-337-0x00000000002C0000-0x00000000002F4000-memory.dmp

Filesize
208KB

Download
memory/2696-355-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2696-364-0x0000000000230000-0x0000000000264000-memory.dmp

Filesize
208KB

Download
memory/2696-366-0x0000000000230000-0x0000000000264000-memory.dmp

Filesize
208KB

Download
memory/2700-372-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2700-40-0x00000000003C0000-0x00000000003F4000-memory.dmp

Filesize
208KB

Download
memory/2700-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2712-54-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2712-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2712-42-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2764-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2764-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2764-145-0x00000000001B0000-0x00000000001E4000-memory.dmp

Filesize
208KB

Download
memory/2776-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2776-26-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2788-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2788-64-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2788-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2804-350-0x00000000001B0000-0x00000000001E4000-memory.dmp

Filesize
208KB

Download
memory/2804-344-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2948-354-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2948-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2948-343-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2948-341-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2948-12-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2948-11-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads