berbew | 5fa44a12118ea879d1a143965f700d507be36bd25b44415ca83a9cc80db031db

Analysis

max time kernel
87s
max time network
20s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/10/2024, 22:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5fa44a12118ea879d1a143965f700d507be36bd25b44415ca83a9cc80db031dbN.exe
Size

67KB
MD5

c8a93772297fe23569f67cf5d29532b0
SHA1

a28a9c1d751ab9821567d31c2b210e2916a81af9
SHA256

5fa44a12118ea879d1a143965f700d507be36bd25b44415ca83a9cc80db031db
SHA512

0595224aab31143ce5a862c61cfac30b7179a9d142b53699d657e388810a496cb69e52528fd6c03bb421ff05e250d4899fc803b371918f2f8e2e55d623d204b9
SSDEEP

1536:EKRTxLVj2dKSAhyS4Aie3lmHjIFwYd2UNhUhpR9mMeHUGt/RQrR/Rj:bHPGUhOpR9mMgt/erVx

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alihaioe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Djdgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	5fa44a12118ea879d1a143965f700d507be36bd25b44415ca83a9cc80db031dbN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmmeon32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apgagg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajpepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bqeqqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bqgmfkhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdeqfhjd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pleofj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pgcmbcih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmpbdm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaimopli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajpepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgoime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bkjdndjo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boljgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pleofj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qgjccb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Caifjn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adnpkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Akcomepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aakjdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akcomepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjakccop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjobffl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Akabgebj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmpbdm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qiioon32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjpaop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pdeqfhjd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjcme32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clojhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pifbjn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkjdndjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bcjcme32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoojnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Agjobffl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pifbjn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aakjdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bkegah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akabgebj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ceebklai.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qeppdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajmijmnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aficjnpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aoojnc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgcmbcih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qcachc32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 55 IoCs

pid	Process
2164	Pebpkk32.exe
2460	Pdeqfhjd.exe
2676	Pgcmbcih.exe
2732	Pmmeon32.exe
2692	Phcilf32.exe
864	Pmpbdm32.exe
2604	Pdjjag32.exe
1976	Pifbjn32.exe
1868	Pleofj32.exe
1972	Qgjccb32.exe
1984	Qiioon32.exe
708	Qcachc32.exe
1908	Qeppdo32.exe
2764	Alihaioe.exe
2148	Aohdmdoh.exe
2416	Ajmijmnn.exe
788	Apgagg32.exe
1864	Aaimopli.exe
1320	Ajpepm32.exe
560	Akabgebj.exe
2132	Aakjdo32.exe
2216	Adifpk32.exe
540	Akcomepg.exe
2104	Aoojnc32.exe
2964	Aficjnpm.exe
2624	Agjobffl.exe
2672	Adnpkjde.exe
2372	Bqeqqk32.exe
2576	Bgoime32.exe
2588	Bkjdndjo.exe
2652	Bqgmfkhg.exe
2600	Bfdenafn.exe
1480	Bjpaop32.exe
1632	Boljgg32.exe
1564	Bgcbhd32.exe
484	Bqlfaj32.exe
2796	Bcjcme32.exe
2856	Bmbgfkje.exe
2988	Bkegah32.exe
1628	Cenljmgq.exe
2020	Cmedlk32.exe
872	Cgoelh32.exe
1368	Cpfmmf32.exe
1536	Cinafkkd.exe
2380	Cjonncab.exe
2252	Caifjn32.exe
1280	Ceebklai.exe
2844	Cchbgi32.exe
2088	Clojhf32.exe
2912	Cjakccop.exe
2668	Cmpgpond.exe
596	Cgfkmgnj.exe
1616	Djdgic32.exe
2000	Dnpciaef.exe
1268	Dpapaj32.exe

Loads dropped DLL 64 IoCs

pid	Process
2452	5fa44a12118ea879d1a143965f700d507be36bd25b44415ca83a9cc80db031dbN.exe
2452	5fa44a12118ea879d1a143965f700d507be36bd25b44415ca83a9cc80db031dbN.exe
2164	Pebpkk32.exe
2164	Pebpkk32.exe
2460	Pdeqfhjd.exe
2460	Pdeqfhjd.exe
2676	Pgcmbcih.exe
2676	Pgcmbcih.exe
2732	Pmmeon32.exe
2732	Pmmeon32.exe
2692	Phcilf32.exe
2692	Phcilf32.exe
864	Pmpbdm32.exe
864	Pmpbdm32.exe
2604	Pdjjag32.exe
2604	Pdjjag32.exe
1976	Pifbjn32.exe
1976	Pifbjn32.exe
1868	Pleofj32.exe
1868	Pleofj32.exe
1972	Qgjccb32.exe
1972	Qgjccb32.exe
1984	Qiioon32.exe
1984	Qiioon32.exe
708	Qcachc32.exe
708	Qcachc32.exe
1908	Qeppdo32.exe
1908	Qeppdo32.exe
2764	Alihaioe.exe
2764	Alihaioe.exe
2148	Aohdmdoh.exe
2148	Aohdmdoh.exe
2416	Ajmijmnn.exe
2416	Ajmijmnn.exe
788	Apgagg32.exe
788	Apgagg32.exe
1864	Aaimopli.exe
1864	Aaimopli.exe
1320	Ajpepm32.exe
1320	Ajpepm32.exe
560	Akabgebj.exe
560	Akabgebj.exe
2132	Aakjdo32.exe
2132	Aakjdo32.exe
2216	Adifpk32.exe
2216	Adifpk32.exe
540	Akcomepg.exe
540	Akcomepg.exe
2104	Aoojnc32.exe
2104	Aoojnc32.exe
2964	Aficjnpm.exe
2964	Aficjnpm.exe
2624	Agjobffl.exe
2624	Agjobffl.exe
2672	Adnpkjde.exe
2672	Adnpkjde.exe
2372	Bqeqqk32.exe
2372	Bqeqqk32.exe
2576	Bgoime32.exe
2576	Bgoime32.exe
2588	Bkjdndjo.exe
2588	Bkjdndjo.exe
2652	Bqgmfkhg.exe
2652	Bqgmfkhg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pdjjag32.exe	Pmpbdm32.exe
File created	C:\Windows\SysWOW64\Adifpk32.exe	Aakjdo32.exe
File created	C:\Windows\SysWOW64\Bfdenafn.exe	Bqgmfkhg.exe
File created	C:\Windows\SysWOW64\Cpfmmf32.exe	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Caifjn32.exe	Cjonncab.exe
File opened for modification	C:\Windows\SysWOW64\Pgcmbcih.exe	Pdeqfhjd.exe
File created	C:\Windows\SysWOW64\Aqcifjof.dll	Pmmeon32.exe
File created	C:\Windows\SysWOW64\Ajpepm32.exe	Aaimopli.exe
File opened for modification	C:\Windows\SysWOW64\Cgoelh32.exe	Cmedlk32.exe
File opened for modification	C:\Windows\SysWOW64\Djdgic32.exe	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Ajmijmnn.exe	Aohdmdoh.exe
File created	C:\Windows\SysWOW64\Dkppib32.dll	Apgagg32.exe
File created	C:\Windows\SysWOW64\Aoojnc32.exe	Akcomepg.exe
File opened for modification	C:\Windows\SysWOW64\Adnpkjde.exe	Agjobffl.exe
File created	C:\Windows\SysWOW64\Obahbj32.dll	Bqeqqk32.exe
File opened for modification	C:\Windows\SysWOW64\Cinafkkd.exe	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Onaiomjo.dll	Cjonncab.exe
File created	C:\Windows\SysWOW64\Qqmfpqmc.dll	5fa44a12118ea879d1a143965f700d507be36bd25b44415ca83a9cc80db031dbN.exe
File opened for modification	C:\Windows\SysWOW64\Akabgebj.exe	Ajpepm32.exe
File opened for modification	C:\Windows\SysWOW64\Cjonncab.exe	Cinafkkd.exe
File opened for modification	C:\Windows\SysWOW64\Dnpciaef.exe	Djdgic32.exe
File created	C:\Windows\SysWOW64\Qiioon32.exe	Qgjccb32.exe
File created	C:\Windows\SysWOW64\Lkknbejg.dll	Bgoime32.exe
File opened for modification	C:\Windows\SysWOW64\Pebpkk32.exe	5fa44a12118ea879d1a143965f700d507be36bd25b44415ca83a9cc80db031dbN.exe
File created	C:\Windows\SysWOW64\Gpajfg32.dll	Clojhf32.exe
File created	C:\Windows\SysWOW64\Dfefmpeo.dll	Boljgg32.exe
File created	C:\Windows\SysWOW64\Hiablm32.dll	Bqlfaj32.exe
File opened for modification	C:\Windows\SysWOW64\Aaimopli.exe	Apgagg32.exe
File created	C:\Windows\SysWOW64\Komjgdhc.dll	Aficjnpm.exe
File opened for modification	C:\Windows\SysWOW64\Qcachc32.exe	Qiioon32.exe
File opened for modification	C:\Windows\SysWOW64\Boljgg32.exe	Bjpaop32.exe
File created	C:\Windows\SysWOW64\Gbnbjo32.dll	Bgcbhd32.exe
File created	C:\Windows\SysWOW64\Aaddfb32.dll	Bkegah32.exe
File created	C:\Windows\SysWOW64\Pmpbdm32.exe	Phcilf32.exe
File created	C:\Windows\SysWOW64\Nlbjim32.dll	Pifbjn32.exe
File created	C:\Windows\SysWOW64\Adpqglen.dll	Ajpepm32.exe
File created	C:\Windows\SysWOW64\Lbhnia32.dll	Bcjcme32.exe
File created	C:\Windows\SysWOW64\Djdgic32.exe	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Ngciog32.dll	Pgcmbcih.exe
File created	C:\Windows\SysWOW64\Phcilf32.exe	Pmmeon32.exe
File opened for modification	C:\Windows\SysWOW64\Caifjn32.exe	Cjonncab.exe
File created	C:\Windows\SysWOW64\Ceebklai.exe	Caifjn32.exe
File opened for modification	C:\Windows\SysWOW64\Cchbgi32.exe	Ceebklai.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Aakjdo32.exe	Akabgebj.exe
File opened for modification	C:\Windows\SysWOW64\Akcomepg.exe	Adifpk32.exe
File created	C:\Windows\SysWOW64\Eepejpil.dll	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Qeppdo32.exe	Qcachc32.exe
File created	C:\Windows\SysWOW64\Akabgebj.exe	Ajpepm32.exe
File opened for modification	C:\Windows\SysWOW64\Agjobffl.exe	Aficjnpm.exe
File created	C:\Windows\SysWOW64\Cjonncab.exe	Cinafkkd.exe
File opened for modification	C:\Windows\SysWOW64\Cmpgpond.exe	Cjakccop.exe
File opened for modification	C:\Windows\SysWOW64\Qiioon32.exe	Qgjccb32.exe
File created	C:\Windows\SysWOW64\Ljamki32.dll	Qcachc32.exe
File created	C:\Windows\SysWOW64\Aficjnpm.exe	Aoojnc32.exe
File opened for modification	C:\Windows\SysWOW64\Bgcbhd32.exe	Boljgg32.exe
File created	C:\Windows\SysWOW64\Cgfkmgnj.exe	Cmpgpond.exe
File opened for modification	C:\Windows\SysWOW64\Pmmeon32.exe	Pgcmbcih.exe
File created	C:\Windows\SysWOW64\Qgjccb32.exe	Pleofj32.exe
File created	C:\Windows\SysWOW64\Bqeqqk32.exe	Adnpkjde.exe
File created	C:\Windows\SysWOW64\Bkegah32.exe	Bmbgfkje.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dnpciaef.exe
File opened for modification	C:\Windows\SysWOW64\Pdjjag32.exe	Pmpbdm32.exe
File created	C:\Windows\SysWOW64\Qcachc32.exe	Qiioon32.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32†Delgfamk.¾ll	Dpapaj32.exe

System Location Discovery: System Language Discovery 1 TTPs 56 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boljgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apgagg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajpepm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqgmfkhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmedlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjakccop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgoime32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkjdndjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjpaop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjonncab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cchbgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgcmbcih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aficjnpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceebklai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5fa44a12118ea879d1a143965f700d507be36bd25b44415ca83a9cc80db031dbN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmpbdm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pifbjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfkmgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaimopli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoojnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinafkkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pleofj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alihaioe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqlfaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clojhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdeqfhjd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qeppdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbgfkje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qiioon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akabgebj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgjccb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akcomepg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdenafn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdjjag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aakjdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjcme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caifjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnpciaef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pebpkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aohdmdoh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjobffl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phcilf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcachc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adnpkjde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqeqqk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkegah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenljmgq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmmeon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajmijmnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adifpk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcbhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpgpond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Clojhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pgcmbcih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjclbek.dll"	Akabgebj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Adifpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdpkangm.dll"	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alppmhnm.dll"	Aoojnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bqgmfkhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID\ÿs\I´Pro¹Ser¬er3è\Th¨ead³ngMµdelÚ = "›par®men®"	Dpapaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID\ÿs\I´Pro¹Ser¬er3è	Dpapaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID\ÿs	Dpapaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	5fa44a12118ea879d1a143965f700d507be36bd25b44415ca83a9cc80db031dbN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pdjjag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aoojnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmajfk32.dll"	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olpecfkn.dll"	Pleofj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qeppdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dicdjqhf.dll"	Qeppdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aaimopli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmoloenf.dll"	Pebpkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bjpaop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepejpil.dll"	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qiioon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Incjbkig.dll"	Ajmijmnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdaehcom.dll"	Aaimopli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Boljgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opobfpee.dll"	Adnpkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pdeqfhjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pgcmbcih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibbklamb.dll"	Akcomepg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aficjnpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imafcg32.dll"	Alihaioe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ajmijmnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aoojnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jidmcq32.dll"	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	5fa44a12118ea879d1a143965f700d507be36bd25b44415ca83a9cc80db031dbN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pdeqfhjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pleofj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qeppdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	5fa44a12118ea879d1a143965f700d507be36bd25b44415ca83a9cc80db031dbN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngciog32.dll"	Pgcmbcih.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ceebklai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aohdmdoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Apgagg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Binbknik.dll"	Adifpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aglfmjon.dll"	Agjobffl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	5fa44a12118ea879d1a143965f700d507be36bd25b44415ca83a9cc80db031dbN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kblikadd.dll"	Phcilf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pmpbdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Alihaioe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdpkmjnb.dll"	Bjpaop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID\ÿs\I´Pro¹Ser¬er3è\ = "C:\\Windows\\system32†Delgfamk.¾ll"	Dpapaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Alihaioe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aficjnpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bqeqqk32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 2164	2452	5fa44a12118ea879d1a143965f700d507be36bd25b44415ca83a9cc80db031dbN.exe	31
PID 2452 wrote to memory of 2164	2452	5fa44a12118ea879d1a143965f700d507be36bd25b44415ca83a9cc80db031dbN.exe	31
PID 2452 wrote to memory of 2164	2452	5fa44a12118ea879d1a143965f700d507be36bd25b44415ca83a9cc80db031dbN.exe	31
PID 2452 wrote to memory of 2164	2452	5fa44a12118ea879d1a143965f700d507be36bd25b44415ca83a9cc80db031dbN.exe	31
PID 2164 wrote to memory of 2460	2164	Pebpkk32.exe	32
PID 2164 wrote to memory of 2460	2164	Pebpkk32.exe	32
PID 2164 wrote to memory of 2460	2164	Pebpkk32.exe	32
PID 2164 wrote to memory of 2460	2164	Pebpkk32.exe	32
PID 2460 wrote to memory of 2676	2460	Pdeqfhjd.exe	33
PID 2460 wrote to memory of 2676	2460	Pdeqfhjd.exe	33
PID 2460 wrote to memory of 2676	2460	Pdeqfhjd.exe	33
PID 2460 wrote to memory of 2676	2460	Pdeqfhjd.exe	33
PID 2676 wrote to memory of 2732	2676	Pgcmbcih.exe	34
PID 2676 wrote to memory of 2732	2676	Pgcmbcih.exe	34
PID 2676 wrote to memory of 2732	2676	Pgcmbcih.exe	34
PID 2676 wrote to memory of 2732	2676	Pgcmbcih.exe	34
PID 2732 wrote to memory of 2692	2732	Pmmeon32.exe	35
PID 2732 wrote to memory of 2692	2732	Pmmeon32.exe	35
PID 2732 wrote to memory of 2692	2732	Pmmeon32.exe	35
PID 2732 wrote to memory of 2692	2732	Pmmeon32.exe	35
PID 2692 wrote to memory of 864	2692	Phcilf32.exe	36
PID 2692 wrote to memory of 864	2692	Phcilf32.exe	36
PID 2692 wrote to memory of 864	2692	Phcilf32.exe	36
PID 2692 wrote to memory of 864	2692	Phcilf32.exe	36
PID 864 wrote to memory of 2604	864	Pmpbdm32.exe	37
PID 864 wrote to memory of 2604	864	Pmpbdm32.exe	37
PID 864 wrote to memory of 2604	864	Pmpbdm32.exe	37
PID 864 wrote to memory of 2604	864	Pmpbdm32.exe	37
PID 2604 wrote to memory of 1976	2604	Pdjjag32.exe	38
PID 2604 wrote to memory of 1976	2604	Pdjjag32.exe	38
PID 2604 wrote to memory of 1976	2604	Pdjjag32.exe	38
PID 2604 wrote to memory of 1976	2604	Pdjjag32.exe	38
PID 1976 wrote to memory of 1868	1976	Pifbjn32.exe	39
PID 1976 wrote to memory of 1868	1976	Pifbjn32.exe	39
PID 1976 wrote to memory of 1868	1976	Pifbjn32.exe	39
PID 1976 wrote to memory of 1868	1976	Pifbjn32.exe	39
PID 1868 wrote to memory of 1972	1868	Pleofj32.exe	40
PID 1868 wrote to memory of 1972	1868	Pleofj32.exe	40
PID 1868 wrote to memory of 1972	1868	Pleofj32.exe	40
PID 1868 wrote to memory of 1972	1868	Pleofj32.exe	40
PID 1972 wrote to memory of 1984	1972	Qgjccb32.exe	41
PID 1972 wrote to memory of 1984	1972	Qgjccb32.exe	41
PID 1972 wrote to memory of 1984	1972	Qgjccb32.exe	41
PID 1972 wrote to memory of 1984	1972	Qgjccb32.exe	41
PID 1984 wrote to memory of 708	1984	Qiioon32.exe	42
PID 1984 wrote to memory of 708	1984	Qiioon32.exe	42
PID 1984 wrote to memory of 708	1984	Qiioon32.exe	42
PID 1984 wrote to memory of 708	1984	Qiioon32.exe	42
PID 708 wrote to memory of 1908	708	Qcachc32.exe	43
PID 708 wrote to memory of 1908	708	Qcachc32.exe	43
PID 708 wrote to memory of 1908	708	Qcachc32.exe	43
PID 708 wrote to memory of 1908	708	Qcachc32.exe	43
PID 1908 wrote to memory of 2764	1908	Qeppdo32.exe	44
PID 1908 wrote to memory of 2764	1908	Qeppdo32.exe	44
PID 1908 wrote to memory of 2764	1908	Qeppdo32.exe	44
PID 1908 wrote to memory of 2764	1908	Qeppdo32.exe	44
PID 2764 wrote to memory of 2148	2764	Alihaioe.exe	45
PID 2764 wrote to memory of 2148	2764	Alihaioe.exe	45
PID 2764 wrote to memory of 2148	2764	Alihaioe.exe	45
PID 2764 wrote to memory of 2148	2764	Alihaioe.exe	45
PID 2148 wrote to memory of 2416	2148	Aohdmdoh.exe	46
PID 2148 wrote to memory of 2416	2148	Aohdmdoh.exe	46
PID 2148 wrote to memory of 2416	2148	Aohdmdoh.exe	46
PID 2148 wrote to memory of 2416	2148	Aohdmdoh.exe	46

C:\Users\Admin\AppData\Local\Temp\5fa44a12118ea879d1a143965f700d507be36bd25b44415ca83a9cc80db031dbN.exe
"C:\Users\Admin\AppData\Local\Temp\5fa44a12118ea879d1a143965f700d507be36bd25b44415ca83a9cc80db031dbN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Windows\SysWOW64\Pebpkk32.exe
  C:\Windows\system32\Pebpkk32.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Windows\SysWOW64\Pdeqfhjd.exe
    C:\Windows\system32\Pdeqfhjd.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2460
  - - C:\Windows\SysWOW64\Pgcmbcih.exe
      C:\Windows\system32\Pgcmbcih.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2676
    - - C:\Windows\SysWOW64\Pmmeon32.exe
        
        C:\Windows\system32\Pmmeon32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2732
      - C:\Windows\SysWOW64\Phcilf32.exe
        
        C:\Windows\system32\Phcilf32.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\SysWOW64\Pmpbdm32.exe
        
        C:\Windows\system32\Pmpbdm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:864
        
        C:\Windows\SysWOW64\Pdjjag32.exe
        
        C:\Windows\system32\Pdjjag32.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\SysWOW64\Pifbjn32.exe
        
        C:\Windows\system32\Pifbjn32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\SysWOW64\Pleofj32.exe
        
        C:\Windows\system32\Pleofj32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Windows\SysWOW64\Qgjccb32.exe
        
        C:\Windows\system32\Qgjccb32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\SysWOW64\Qiioon32.exe
        
        C:\Windows\system32\Qiioon32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\Qcachc32.exe
        
        C:\Windows\system32\Qcachc32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:708
        
        C:\Windows\SysWOW64\Qeppdo32.exe
        
        C:\Windows\system32\Qeppdo32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\SysWOW64\Alihaioe.exe
        
        C:\Windows\system32\Alihaioe.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\SysWOW64\Aohdmdoh.exe
        
        C:\Windows\system32\Aohdmdoh.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\SysWOW64\Ajmijmnn.exe
        
        C:\Windows\system32\Ajmijmnn.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2416
        
        C:\Windows\SysWOW64\Apgagg32.exe
        
        C:\Windows\system32\Apgagg32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:788
        
        C:\Windows\SysWOW64\Aaimopli.exe
        
        C:\Windows\system32\Aaimopli.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Ajpepm32.exe
        
        C:\Windows\system32\Ajpepm32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1320
        
        C:\Windows\SysWOW64\Akabgebj.exe
        
        C:\Windows\system32\Akabgebj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:560
        
        C:\Windows\SysWOW64\Aakjdo32.exe
        
        C:\Windows\system32\Aakjdo32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2132
        
        C:\Windows\SysWOW64\Adifpk32.exe
        
        C:\Windows\system32\Adifpk32.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Akcomepg.exe
        
        C:\Windows\system32\Akcomepg.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Aoojnc32.exe
        
        C:\Windows\system32\Aoojnc32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\Aficjnpm.exe
        
        C:\Windows\system32\Aficjnpm.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Agjobffl.exe
        
        C:\Windows\system32\Agjobffl.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2624
        
        C:\Windows\SysWOW64\Adnpkjde.exe
        
        C:\Windows\system32\Adnpkjde.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\Bqeqqk32.exe
        
        C:\Windows\system32\Bqeqqk32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Bgoime32.exe
        
        C:\Windows\system32\Bgoime32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2576
        
        C:\Windows\SysWOW64\Bkjdndjo.exe
        
        C:\Windows\system32\Bkjdndjo.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2588
        
        C:\Windows\SysWOW64\Bqgmfkhg.exe
        
        C:\Windows\system32\Bqgmfkhg.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2652
        
        C:\Windows\SysWOW64\Bfdenafn.exe
        
        C:\Windows\system32\Bfdenafn.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Bjpaop32.exe
        
        C:\Windows\system32\Bjpaop32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\Boljgg32.exe
        
        C:\Windows\system32\Boljgg32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Bgcbhd32.exe
        
        C:\Windows\system32\Bgcbhd32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Bqlfaj32.exe
        
        C:\Windows\system32\Bqlfaj32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:484
        
        C:\Windows\SysWOW64\Bcjcme32.exe
        
        C:\Windows\system32\Bcjcme32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2796
        
        C:\Windows\SysWOW64\Bmbgfkje.exe
        
        C:\Windows\system32\Bmbgfkje.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Bkegah32.exe
        
        C:\Windows\system32\Bkegah32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2988
        
        C:\Windows\SysWOW64\Cenljmgq.exe
        
        C:\Windows\system32\Cenljmgq.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Cmedlk32.exe
        
        C:\Windows\system32\Cmedlk32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\Cgoelh32.exe
        
        C:\Windows\system32\Cgoelh32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:872
        
        C:\Windows\SysWOW64\Cpfmmf32.exe
        
        C:\Windows\system32\Cpfmmf32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1368
        
        C:\Windows\SysWOW64\Cinafkkd.exe
        
        C:\Windows\system32\Cinafkkd.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\Cjonncab.exe
        
        C:\Windows\system32\Cjonncab.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2380
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2252
        
        C:\Windows\SysWOW64\Ceebklai.exe
        
        C:\Windows\system32\Ceebklai.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1280
        
        C:\Windows\SysWOW64\Cchbgi32.exe
        
        C:\Windows\system32\Cchbgi32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2844
        
        C:\Windows\SysWOW64\Clojhf32.exe
        
        C:\Windows\system32\Clojhf32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2088
        
        C:\Windows\SysWOW64\Cjakccop.exe
        
        C:\Windows\system32\Cjakccop.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\Cmpgpond.exe
        
        C:\Windows\system32\Cmpgpond.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        C:\Windows\SysWOW64\Cgfkmgnj.exe
        
        C:\Windows\system32\Cgfkmgnj.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:596
        
        C:\Windows\SysWOW64\Djdgic32.exe
        
        C:\Windows\system32\Djdgic32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Dnpciaef.exe
        
        C:\Windows\system32\Dnpciaef.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        56⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaimopli.exe

Filesize
67KB

MD5
d7ef49c4549a34cc0992fd6993bb6f90

SHA1
d7579a6a0007a6c3ef05c7c931e86e2ddbc9e5e2

SHA256
35b5aec3e5f080e167f69f5c0763034a7866f2b663489f59cba2cdcc6397cdac

SHA512
7cb3dbbc47f59262242575f6cf925f135fdd64ea76a6ad5aa061827845259ffe8d7eb7fe061ed0cd9f293a1935ba4c89b1a2cbd523429cbd46cfab9bff35c545

Download Submit
C:\Windows\SysWOW64\Aakjdo32.exe

Filesize
67KB

MD5
f5b6829ef4d901f82925ab75807c977c

SHA1
5fa838caa3a4ebc93953fb86e4ad74e3ab493bc9

SHA256
d3c97e30a6ca317f386241974ad748feb4bf482c4018ba971bd2e8a25d13b3da

SHA512
4cb997dba0a89d7cee2e4be2e8ef69b2a716910934bb8ceb31080bc24c3433472e70aabc8339513e78f58ca3f5165ca394d81d623e12c895cc7b5f6abbfe742a

Download Submit
C:\Windows\SysWOW64\Adifpk32.exe

Filesize
67KB

MD5
a85f17430249e137b70ffcec48c70630

SHA1
5a9e4e39adfa6ef7244ef737ce03f4d2991a32d8

SHA256
816b44725b459f562fb3c4f072f609cb0ad711a061803d829b1c33fab00cb05d

SHA512
febd4c934e03f009a4f1c05a411e9e07753bac3b8c0073133e10a8fcd9ee68c3868692b40f96a046553b2adf7de56a6bb87f6e796df37b77fd870e796079e0bc

Download Submit
C:\Windows\SysWOW64\Adnpkjde.exe

Filesize
67KB

MD5
be9044a8c4df00f4da27a34300309b73

SHA1
206563fb063b4238e45b200ca8bd73e965f05f3c

SHA256
a66649fc28067947ca8bfab5b9aa4ddf54d6671660fb841079d619e61063e033

SHA512
fde07e9e83714f717bab207017f7e593603338b091850a86497b01f769ccf3942951f45d94f33dc4c4c411f346c2545adc482896cc15c67f874d45ba043b360a

Download Submit
C:\Windows\SysWOW64\Aficjnpm.exe

Filesize
67KB

MD5
8009ac8cbf7cf73baba5fe4d37b92ee4

SHA1
d327f184d329fc26f829f5923d4ef000de4b81cd

SHA256
eca3becd5beafd6149827ca433a99cb4c10f6721d1c342f5e894e4222af8e74b

SHA512
2924e77e9de20b95c64b96f6f5670fa8c1af2a342f8bd1b1ec00349e0fe4cb57ff13a00737ce91b4ad22687edd84d471ee13c22c8bf3a99adedec219bbfee9f7

Download Submit
C:\Windows\SysWOW64\Agjobffl.exe

Filesize
67KB

MD5
7b655c974a3c5bff5b642cb047007d78

SHA1
7bee4ee521775d5ea1446963bc4a4d487cbdf7b1

SHA256
96f9907cae15c304c7276cc6a207b23728057b0a5456a5426347b7932eef1838

SHA512
cde112f13757ee76a987ed539375b9b54744c683264c24dc86d08dc68d35d1de374e5e7c310e939244b7e1d20797935d3dc758a78b9ad54f6dbb8769a69f565f

Download Submit
C:\Windows\SysWOW64\Ajpepm32.exe

Filesize
67KB

MD5
94b9ec41223eb9ecc5a54fea9f2f7506

SHA1
07313c6f5eaef4fe36fc995df8e3f18f74be5cf5

SHA256
6efd40a4a23033e9a50b10f00690e669e787611fca60a1d987b7dfd07ebdaec6

SHA512
967cda42864289f56bc3ebbea010aec87daa23ceaf7992cf2eca084e8be94bcb4341d30abb00fcb8e68ddcc32f96b88b590be00aaed6f0f8dc02cdb0a3a952d4

Download Submit
C:\Windows\SysWOW64\Akabgebj.exe

Filesize
67KB

MD5
b587e128695ac283f6f62530540c59d1

SHA1
963d054a4b7f54728c8987e51e88bb813568ca99

SHA256
ed78c2d52e0196e100aec8bf7c6c0a51501cc869d96d0e4734e45454c167bc31

SHA512
e31dc9ffc9df98bcf0f74fba4454d1358a4bb8b16fdc6e99725d035a7508b331a590fa744e7ba44a4b3e4a00f05dd3fb5cdd3bf30477e9f984483021d204d9e0

Download Submit
C:\Windows\SysWOW64\Akcomepg.exe

Filesize
67KB

MD5
45aae67ddfcde3e6764bf12c669550fe

SHA1
31a21eafa8a0680db2f500bd59460b6ad7be1b35

SHA256
b1ffc46b07e85a63bea57092d42ab2f2d39d8d45ceef72c4f1d2fc3a09251e2e

SHA512
89c549d6103a1470a1576e3bbacbfcc59bb72ae12b7cba67c5cd0666fe885454130d1d629b4e8658fe1b2160d4998816e077457db0c7af6b8b71f4d7b52524fa

Download Submit
C:\Windows\SysWOW64\Aoojnc32.exe

Filesize
67KB

MD5
371c7382c9e2d0fc64b941f3a84cdc45

SHA1
9de55b21709297cdf56a3fcafe1e2d1dd968e587

SHA256
7c342d7ccf1d70b2b2fdb366872e24e2985acdd03a3bee1ee37d3eba9d95c9c9

SHA512
ddf45bc7cfe3bb7a3c1307b3a218a0e398405922fffd052a5fdec45f79e1e1cbc8d5068f8267acc3671984289d29dd9f5ca84e240eb45c208b2e9190c8437af6

Download Submit
C:\Windows\SysWOW64\Apgagg32.exe

Filesize
67KB

MD5
df49a11c955528229dbc11e180fcd26f

SHA1
91c3f4a5c85f3ac997509e91d81bbf3a5a1a9ed1

SHA256
1588213925562fc4e914cf9da6e16238314d1c2ad3b832a80d98f25399c9b9e5

SHA512
4c6837c2c44aec0fd9beadf11d39174cc7e559c1a7a75a751f15b37665f62f7eb661b0dcf992d2871d26a0a7c48e6b863f9993ddbacf236084f1fa77e96b8f3f

Download Submit
C:\Windows\SysWOW64\Aqcifjof.dll

Filesize
7KB

MD5
f38911df9182ce50d9c1f8412c721a83

SHA1
357200f30fe4a3051884264e91d75b97eff5f235

SHA256
b87a0b33ef9f979490b124b0ced44af406f6c270c81c71139407a6240461aab6

SHA512
76a8e8bdd2e465c95745b70dad9c67f27b27d71bd4afd3d79496375c2c36de109093c2c8065c87fbf76d60bb4d3960009ac2a63efca652fcdbc779474d09b461

Download Submit
C:\Windows\SysWOW64\Bcjcme32.exe

Filesize
67KB

MD5
2d4da6ad8d376825e1a231576d69c61d

SHA1
e4672e7bc1d94c08336293a8746342e06191cebe

SHA256
78ec741f1efa5bd887d6434192bb47824b46a61720ab367e6f9380f13a9c995c

SHA512
e9a4c88ca4bf1c81a3adc621f92be116f602b0d7a8b82423d9fe44ffce609fbd5a946c1bf758e339ed3220af05d5ab8d938bc991d4c2a7624f2fe267bb51256b

Download Submit
C:\Windows\SysWOW64\Bfdenafn.exe

Filesize
67KB

MD5
d5bdfbee6e59a42430a7772819896885

SHA1
30fa833d42998de2f2e3eb9ad4cf654a680a3d67

SHA256
0b50b3d96499a97d5f8bf49e186684e28a8a8bb2ecac733536aeb5578698c074

SHA512
66b970c05b85752791deb2943373700d15e2a629087e0fa0525d0d469a6907c398cc73f79f29b3b62303150ddfac4053441cdadd300c64f168cece9d8517e9b3

Download Submit
C:\Windows\SysWOW64\Bgcbhd32.exe

Filesize
67KB

MD5
a7888791da5a0e122865e7af254b9fa7

SHA1
2906a286d1fcd8ee786396ea2fd7809ed206976b

SHA256
98450b6bc4935aefa7ff08a0f81e38b261506be22c778582d144a345c29de7c1

SHA512
1c358138e307f3970ba8af5c70291d5e53ded1876a24c377063b06399603b44f1325efeee6077efbebfa420c1a686502745bdc2356a236084b614687d81071ba

Download Submit
C:\Windows\SysWOW64\Bgoime32.exe

Filesize
67KB

MD5
5cfe56c59e4d0eb884c60fc87e3efd43

SHA1
8eeba8135654d53d09b228618ec2688708a9c340

SHA256
8291ea1463e89401dc82d626b63191e9cf3ddec9f8eb90d393ce6bbc87e4a5a5

SHA512
32a40418506c7e3912eb1150e68ef1c75a07ae69516ef56f2f1de5487dca3ab1a41b3feedb79a2eeb4e98ae16c59485bfdf84af5c564119ba6129d6ffecfb72c

Download Submit
C:\Windows\SysWOW64\Bjpaop32.exe

Filesize
67KB

MD5
27820cdf5023b5c1db3a15f6a206ca0b

SHA1
14257ea73e73a47f03bc7bd5dd0eefaebd03e5a3

SHA256
cf9ce5287ba46c1a4ed79821dfa21febb31446b15d31833c94660811b3c5eebf

SHA512
80316d975c0a55a5f4e89f5353e474c92e1149f0fd3cffcc905422654c43589fc3e56462c4e306c729d546d536521df877e8fa91a56d8d462e6d9663bbacd2db

Download Submit
C:\Windows\SysWOW64\Bkegah32.exe

Filesize
67KB

MD5
079b8c169499043ca165de8417f611e8

SHA1
34aa20aa96cc311552c8c0982386be0bfd5e807a

SHA256
ab0dee5d7d3f6bc1a38ad256675600d6efe3d21a2656d572ce318de4ef18c9ce

SHA512
70b5a69132043e146ad0a9fa87613e8156cb85e3fd461d5bc4ed8018a12a8a8ae16579eddd75c78c3c9def53f3658d2ad935c9d89f3382ea0728e31a1ad82137

Download Submit
C:\Windows\SysWOW64\Bkjdndjo.exe

Filesize
67KB

MD5
a37a7a3bb1c4b9c2418fde15f80bf560

SHA1
27ceac0f92c28edd41d59a8f14594d7fdc69e4ee

SHA256
e846fc724ce18cdb441ddd08b21583652395202c12b19adf69eaa0d6913c8620

SHA512
ba2b68fb9f84be9736e0e48fa0419b478d14bb51a2158be761729c54f2fabacf1aa4f75726df8e4df204c5fa63b295e7f731aaf5055dad542adc6513f8500539

Download Submit
C:\Windows\SysWOW64\Bmbgfkje.exe

Filesize
67KB

MD5
f73a1e4752ddc84665814401b8fa240c

SHA1
a7b844a3d95f7a6f2cc94e8b4ca451c54561c8df

SHA256
5d24285ae6db9590f29e3b8a1092e66f5868078e67011c97f43b21b6ddbc0c51

SHA512
d2dc208ccff93b35503e012ece30c3f03d29edb076354dc8dbf09648046a00f621f21be5f58d3404441a1a671867b02851d38292a14ab946faf990aa79256e36

Download Submit
C:\Windows\SysWOW64\Boljgg32.exe

Filesize
67KB

MD5
225f5ca2e1fabc538bcaef1dccb3b1f4

SHA1
9076fc3db9be2bcefa598463a922718882efba61

SHA256
5e386b22b3ede0ed471622d3b3cf47f0e3c2b6a1978b01d1a38e92b119428c1e

SHA512
3edf3d029ceae268deee0559d61fb39244d356ed19ccd887c8ff296493606e3363d96b677438c44529c1366016ca306c3b4e3a091721a7a67d6472e11be458d9

Download Submit
C:\Windows\SysWOW64\Bqeqqk32.exe

Filesize
67KB

MD5
629bb54a885cfa4c0e9c51362681c7be

SHA1
5ca91766b6a7f6343468e4a6f93768ebd3390a29

SHA256
4deb671f9a31edba00821a6e334a0dcb7a794f77f6b93a7a171e3b0b985c83b7

SHA512
06a3bd60854203a831a548632fff5c95341d44646072ff37f111ba68a62d85437e79b1950412bcdf13b1e1f512b676b5c0298a6ad3df4bd46d72f6a1fb1221a6

Download Submit
C:\Windows\SysWOW64\Bqgmfkhg.exe

Filesize
67KB

MD5
e01f49b927686cba6a985a099717bda7

SHA1
b2cfe35e3cd5d64e733cffaf9b5c5bf2bf801f28

SHA256
3431e7c24e5b565672f6fb5e75e31377a747ed302216d8db3db01d14ba6cc86e

SHA512
c259ba13a660e5423f77abf841373e5b0157046f4edb6c2a243999cfbf64b6be2fb38637dfca4d9ebe28305cc32714281c5d9318c0074badbd66e679d02976fe

Download Submit
C:\Windows\SysWOW64\Bqlfaj32.exe

Filesize
67KB

MD5
57097dc5c8a7b6312194047949a0f987

SHA1
3c272495199e4b5669171cee539e93cb73893a33

SHA256
e3aba7e9620fcce5552d1a7112940ce15966ec7823642bb78ad6278b69698707

SHA512
0e26307bc27c684c7535a495269a5487565205aca4e42dc85fbce707f231a91a7bef1562d0a9c8f5b51452533217661bf5b64aff64cb952f7035da3f4024b104

Download Submit
C:\Windows\SysWOW64\Caifjn32.exe

Filesize
67KB

MD5
2c1088dfc43e5b4282cd2291a9d6255f

SHA1
8031bd2d8327e33290cd87147c47b1ed1beb27ae

SHA256
bdeadb18a6512058ee8f335d9bf699edb05c3e1c1ab18262b7720933b2c2c2d7

SHA512
fad86c3ccdaf1ee0607a1d5a2aaafba36ec8ad4f503a22be6d5eef2e3475a1ae30243fb7c7d83d677f0c6f9f8376f5860fd3af1f6dd6a8fe0203ce85d8992443

Download Submit
C:\Windows\SysWOW64\Cchbgi32.exe

Filesize
67KB

MD5
ee09b68fb66b2432279c6389d9d183ab

SHA1
491a4dab8e1a717e17b2d9ec632bc47e5aeb8a97

SHA256
8cffaf0ddbf105d9e701909645470562ff0b26a71be412aa51268007775a994f

SHA512
c66ab3e9a1c4649e8cbbb32bbc9311b36ef7d9247d8144af2864207aa101e01d9a0b44d95f9d09efd82909a31dd2f786bcca4573b14e6773c32a648582acde49

Download Submit
C:\Windows\SysWOW64\Ceebklai.exe

Filesize
67KB

MD5
c3a0717b124b36db89029a1af086b3d3

SHA1
95348cd9165af21b5ffedd2e2be4cc6176c6bfb7

SHA256
eb7cd3482824f4ea52a61ccc2b378d939e2ab6a87d7cd3b9f692e45e9bcdc3f9

SHA512
4978a7320126034985854ac38a12b04a4ce67453bf78f6ac6ad5206d7d6257c31692cadfec40cac51485328440a8d6ea94488e6bd2cb78a27a5058a3d4b61a89

Download Submit
C:\Windows\SysWOW64\Cenljmgq.exe

Filesize
67KB

MD5
4a1ac776b328a9d0ff5911a4939eef1c

SHA1
28aa6b117ed46790d6203982ea411e22f08fc3c3

SHA256
cbccaf5fb7f4ac341dcabd456eb7bc43042a04e0cbfbbdee80f4984a56b92a04

SHA512
12fba5e508aab3f31c208c8062ad4e054cb18cdae2f8590a43d847819261feede50090925f862cd8b4d0ebb2bc4c8cdac5307235153631f9953f9d0c1576f12d

Download Submit
C:\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
67KB

MD5
5567eff7792f7ff15c1ee0f8b87e4fcc

SHA1
92e323c40d710f964cb0e2a0d411b898fa588464

SHA256
a4991feaa4ecaf784b59f6db8ea111cdd956599798e07213d14e13354b2f1ad3

SHA512
a37e9072dbfafc4180431eb950a26349de85e6e6952bf31c557c417ef2258cae21ebc1cabad404d6ba31af5538838bea03ecf34563ec688d3f280d52b653f8f1

Download Submit
C:\Windows\SysWOW64\Cgoelh32.exe

Filesize
67KB

MD5
2b6416c5d39b0f6dc2419342348e342f

SHA1
07a5377fbf56a2cb6a260061f831addebd163820

SHA256
1d47003bc195456294638582cb3d2000cb759029ae48ab0a9ccc5143edbf4f57

SHA512
7971bfad504c37c7c4f632c9efc463da8cbd903ea47ef1db052d1e0ba4a6dec8eab40fda7a2b1025c2f58e075ae84ce32c3cfc4d21cf647e07fab28dbea2927c

Download Submit
C:\Windows\SysWOW64\Cinafkkd.exe

Filesize
67KB

MD5
8bc76d365b05bdfcfca30e9dcd43cfb4

SHA1
942fd3f4f501eb7c18c9431a36cb7947c870e76e

SHA256
148e08392c9b156a983219b5de783d1e3bf3f5a5fe2d8e86a76d157585bb8df9

SHA512
b1c961ee21d81f671ffda8ed006fde79fbc3d0a6abdbc9d2973e9d87a405f2e01c032007a8cfcb283b8c93aa54e5d5bc4a256bbaa085601d227ad74c7b22fe58

Download Submit
C:\Windows\SysWOW64\Cjakccop.exe

Filesize
67KB

MD5
930997548d1b98a761e6a9662df11649

SHA1
5b5cf058a4cb265bc85218987218ef6637b9870e

SHA256
cc8db753795ccbe1e505cd630dba9dc1c272f998fc11c5102ac4ac5f3831227d

SHA512
555301c282d1dc9373ca81d6508adf3e9021c188b8e5ed8dede3b4f530115e816d87e3efc2854b8a5f5f9c1afc06aedf3b7eee519353b6f9d5a390f4b30dce12

Download Submit
C:\Windows\SysWOW64\Cjonncab.exe

Filesize
67KB

MD5
cdca87c55fd4f746f783ee888fc0dab1

SHA1
a4d55f766664f3f3398029439258e8fe0e994a81

SHA256
bf5dc56951284c6def7e4d666dd14d1bcfe674f997e4a6c3778c13a872a84329

SHA512
b5eaee6580241319867c05b715f2c3d5b77fa3886f4dafb4068b964b97a8fcfafb901cc560a558a68075291dd06fb83b1442e0bede5901261b8c97906b3d5641

Download Submit
C:\Windows\SysWOW64\Clojhf32.exe

Filesize
67KB

MD5
7060871c52e9f7b1b4f21fa4f077fe24

SHA1
fd946ad8ccd228b10aa3b35de9e472baeaf55208

SHA256
55def47387eb3403702ab6c63be5b86f7b810432d3e34b05fcc9bbb2bcc8529b

SHA512
ef85d87c0db84e8292a15bebdc4545fc43e97f0ecd2cc9b3e3dcaddc4b4b6b8d53a2e10dc958ff16589767cd1304db54bafd989f6d02c10d6f228c960fb9c945

Download Submit
C:\Windows\SysWOW64\Cmedlk32.exe

Filesize
67KB

MD5
d624898a5711568485ebe12efc625abd

SHA1
033e71e948ae5cfc50bd64274068fa140eaad707

SHA256
e49458af7789f6e70135322839179624a4898e796ba3692aeefc9ab44ea06ee5

SHA512
4c5d89bea6afb5295db62732e8d52ca027feda749bb6db0567b1ab4230631c64a9263785905e2658d8aade548565700fc09b9a07c0b3ca1aef839966dd8cb07d

Download Submit
C:\Windows\SysWOW64\Cmpgpond.exe

Filesize
67KB

MD5
17f012b4c4275ffc63326cc6b1e79b70

SHA1
ee9732ff74ae2e848eefc352d5602c1be79e7a90

SHA256
2916b6460480fdf51f8816b25a757ffdb32069ebc1216aadf911d5e1b884cfc1

SHA512
03e5732d9d8fc10aa269368e899bf6af8be146fb5a6b5ab77061eaf8bd44a8a6bede873593db4b8af51e7aa47c2ca26a1c0abaacdf7b004b33b12f45fc4131b1

Download Submit
C:\Windows\SysWOW64\Cpfmmf32.exe

Filesize
67KB

MD5
442058d974b35b04e2516657d8b2a2fc

SHA1
b3e449f836d885cf605120066440477b36725ab3

SHA256
e17f9b7782826dda37a73f55b38779881df55f7127eafa91cb030f7521ad5d2e

SHA512
4349a37ec38cad065deebaa3c63ea806592edb6753dcdf61418e5ba84d98414c0f90c55ea273056cfdcba9f0131ee943fc6bc2fc5db7c3d48c0556ab898dc279

Download Submit
C:\Windows\SysWOW64\Djdgic32.exe

Filesize
67KB

MD5
c695cf93f97270a4b26f9d03ec7da960

SHA1
a28700cdbcfe43cb038927949553b7f5ba4b9190

SHA256
c0e4044118ab794dcb22ebb933a15f4632620a96bd6de22f9886f9cef0b6b9bb

SHA512
db7726d4ded1a821421268a150a03aee65e12d57204a6b8dd8a14e9118a447ed07eef9fa29dc8c4d62c4ca2fa18c767955ff31e0148cb252f17c52af0ed2e6a4

Download Submit
C:\Windows\SysWOW64\Dnpciaef.exe

Filesize
67KB

MD5
b0964b915080f40a38c35560116d5b1d

SHA1
8f2dc6c613764d928956ebb742d83780cdf6b878

SHA256
a45d7ce98b082d29b6269d853fd5338716533a31efca977f35642bb8495babc6

SHA512
d2bb755431bfbc23fc9f48b608f87441af9641f6c12eb2f8b6bba3b648f40a41efc0ec48fa21911045f262cbb69be2f35a548e9e7f9caf8e46e7bb07f72996cf

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
67KB

MD5
a7b3fc964de13609b8652be2baacbcf6

SHA1
c77e8c103ebb3721ea8bfa0a5682f6187a6d0c6d

SHA256
3528a917c630530832d8ad6e76c08a08bf470af5a651485b026cca9f4a75607d

SHA512
9a19f69eada8965a9ffaf030647c370c54af67f7fa2be77f8b2c316dc643c131edd8d3214530d0f0d07b0140a444c1af23af35bbea62376d1ce9df9d3402f095

Download Submit
C:\Windows\SysWOW64\Pdjjag32.exe

Filesize
67KB

MD5
f5eb28a1750289f13b55604ec8fc4478

SHA1
245ffb706931e62599c8753a9dc7712ddc4c33b7

SHA256
7009c8084e72d51829748ed93436e5b3d3eeca23dba8aabd6582ee506328b89b

SHA512
c94d3691c96da2546d8fe76c1cd985271b849e22262485c7a687f9d2de935359dd2346ae556abd5a13b06ad3905a097f17100326c47ac60665f512944bee6e95

Download Submit
C:\Windows\SysWOW64\Pebpkk32.exe

Filesize
67KB

MD5
809856dc37b1ecb24bd9259c35bb329f

SHA1
4831172d7699f5c0392895beb6f6120f6c7182e1

SHA256
f1cbb153dd1417b0581bf54dea46803b651ab0ef1cafe15810b4c4c2069b1015

SHA512
aaa895f63a6330a30024ee12d9c6dd31beca4d2ee5ec0b1bc2456bce0e78ab7e465dd823772a26370bbb0a924466bca2457f3232eac3232cd58d99c47e52a3a5

Download Submit
C:\Windows\SysWOW64\Pgcmbcih.exe

Filesize
67KB

MD5
66ac706c419edf349df7f599604a1ea7

SHA1
023c34bb2eea8a52b4dab3efab9e7b58f4a7ee69

SHA256
ffefce977bd60df64304202c1c0c4a29f6297a94c88e11699eabe706a646ffb0

SHA512
188696411147d5f04e9c16bcf3c0711392da46dca19d5b8f5b9d06e481caa898581dcc109534fccd108be52c647e8cf73ac0a2f64c6c2589d91a4b1de00ec4e7

Download Submit
C:\Windows\SysWOW64\Pleofj32.exe

Filesize
67KB

MD5
c38f0906762c0f76ea50253d8d047dbb

SHA1
184e4fe0424f0817b89a0dec60099298f3bda962

SHA256
f3a6669ca5692de6d20bc5a7ed0fbfe8d210ed5ea5d15e8dfc28eb7fda7e8806

SHA512
f7ad3c7f77ab39e3cff61100590dc4e7fa8dc82cf233888ce677c9493339eeea24af0b7050dab151055239211b69710540ef2675bbd77564a3a3b375799ea423

Download Submit
C:\Windows\SysWOW64\Qeppdo32.exe

Filesize
67KB

MD5
0d2f343ff64704e5cfc6c57e12604002

SHA1
f03465c0b16b090f7289335bc5f6ae090ce01d02

SHA256
537e2ce69da5c592e8d98932710e9d8c02dba664d71eb67f40b227f1c416157a

SHA512
67e2150d207b519d72cc6e571381712d7d7226939173112fd8f7fb4cceb9221a817f8216c2a001eade41c2fc3155549e60bc6c616e5f5910ad0c90e384fc84d1

Download Submit
\Windows\SysWOW64\Ajmijmnn.exe

Filesize
67KB

MD5
80bf5cc082c560b58b934df125b8e19e

SHA1
655486062769991b8a1f272dfb6e3f48e144a57f

SHA256
544bafd800c550500fe61cf5b0f55cd3c18f0f871f5ffe779abbff25445070c5

SHA512
e1fa53b2983fe8af302ea9fc0fee6069a7a81e02d07ea730f2887ae04b2da18d471bb966d59d5312ec159ac4a73ca4cc06f8a3b32edb540dcf6a10c83cece48b

Download Submit
\Windows\SysWOW64\Alihaioe.exe

Filesize
67KB

MD5
ba2201456356378adf0719708c14471d

SHA1
cfb5e2c9ed3f38baaa0a2fa52a8cff29c3cfc2d6

SHA256
ccab31d9f37844863b081b9200cbc53fa8fd897c40e3ec19f408c741df060067

SHA512
a2d1d7874b90d55cd47f7367abef8e63f7d425e20ef8bf8baeb4f1e7bd2281fd6754c2f847e96f6253df8e786f90b2a2cc9c9b848db3469add03f047b1b662e4

Download Submit
\Windows\SysWOW64\Aohdmdoh.exe

Filesize
67KB

MD5
bbdb117d09cacf19a2243929a051c4ca

SHA1
8ece1c5ded0e215d4f29f2db13ba8573fc71e0ad

SHA256
8e00190765e8067c7658550b0a01410ab1ab53d5eca9e2a11501d735951e2cb5

SHA512
2691ec76d0d721a186f6ce4a28837a30e13bc3cedf9412142bc5c5e296b91eaf4de9b0b921c148ab8068f4a24053ed951e365ae90bee05cbe0bb161fb0b5a6c1

Download Submit
\Windows\SysWOW64\Pdeqfhjd.exe

Filesize
67KB

MD5
6228b3b55119bfc4ce7d674314be5bde

SHA1
d27c1af6ca2c25f7378edb964dd5261487023872

SHA256
bf5f1ce65206e068071da6275e1179b340b6f357d1efc2ea66cec7f23c498bdd

SHA512
1d92ce2bf38562de773b11419dbb9b0a6e2a7f47bf3e49ecdac702da6fefab94476465bb465d0b41f6bd8d8b677b197c44f971367b0ea90bde1f7f656b35176b

Download Submit
\Windows\SysWOW64\Phcilf32.exe

Filesize
67KB

MD5
f5011681aeb8e375697caaed2d5f3eb9

SHA1
3b90d7ba7ec3c3621e4584b2185268fca0696bbd

SHA256
77620569ba83c993a546f6e001ce610cd55d057b862df5e78482b188a24bcb65

SHA512
3c19664dae7b76e5a08c4f775191ad450057393f8507c12c61ff3ba51be0f569afc92a5c962db33b1b4d187d9bd5d91a053bfa4a11fcbae520d75847ba826df0

Download Submit
\Windows\SysWOW64\Pifbjn32.exe

Filesize
67KB

MD5
1944ba001e0ee6aa615cb08d7d265a12

SHA1
0bffbceba6845ed116589a6c439407cf590ca363

SHA256
e5b590deea7ab5f9b9bbf47f9b953277d628d0d57a4c81f72310f7638aa52ce7

SHA512
2dd61ed27dc5a60ab47c93dc532a39ac0d57b9558527ea950afc2d1d3ffd8d5dc33c21b477681663aa0cc55626cced88c698486c4bf5eca14c6f3aa2ffef2853

Download Submit
\Windows\SysWOW64\Pmmeon32.exe

Filesize
67KB

MD5
dd3eff53a3442917ed73f34dd1e74377

SHA1
9fe4f490e8ec81c3f918f7acb04102e04617a03a

SHA256
bccf79db686e158f65f2db6e89728ae2d7a4796b39c02d589a6d3e3220de7e7c

SHA512
b2b87d33b60da37ff9166607058929289ce454df231d69ee6dd2ab654cbffe7c08ba8209eeca1ac5984eb0652f504a7a04444be6180432b1dc3bce03ea679e61

Download Submit
\Windows\SysWOW64\Pmpbdm32.exe

Filesize
67KB

MD5
53329d299cf6aa7054912741b2372074

SHA1
04b4fae59d140a9db89e3cd86cea30df8042d1a3

SHA256
cc21a72701d0407491cc93928f0b4ad909b45198e93e4376c091de3747c8a33f

SHA512
8e5f652a8ae16640654444bc045da2a360cfef116fdc3007023cdfead1feb11bb517349d402add903b74c74179b37cdecfa2bba4011c5cfa48e31bf1498194ee

Download Submit
\Windows\SysWOW64\Qcachc32.exe

Filesize
67KB

MD5
8031172963d6a683197cf55b4399c341

SHA1
c85a3fe3f158c07c6f43666cde22ed02e7f003f9

SHA256
111e0bf1abfd7fecbfbf09cfc28771cff405fef197a3ef3144f503936d473597

SHA512
fcfee0df8634c470836c18448b9a0a5cd94b66d72734b7a8b1c8ec1552b5cf10f6482b9fa1ae7b4d93f45540337312b70da5fa533c8591f2a1f759a4d98e027a

Download Submit
\Windows\SysWOW64\Qgjccb32.exe

Filesize
67KB

MD5
c39d60b6c3341222b1877cb964998a0d

SHA1
d0c13ca1d13baba0f5d4815aad8f1779541cf7f3

SHA256
6ff632dc198e9f9459115cf8bb8fb63bf434ca7e0337ba39c7c7515d03bce88d

SHA512
5d08a2aeb33b60417d1e3321ed7d4eb7e66ba5d17d5e7d54a4b9c6fb923e4ebb42fa83ccbd1d7dab533c4efa5c4ba87bf53a3b69dc3af72b5ebed63524ed031c

Download Submit
\Windows\SysWOW64\Qiioon32.exe

Filesize
67KB

MD5
d4a9aeb41d08094106a9e53e451bd4be

SHA1
de88c3ba944ccf7de08be87a8a9ed358eea44d61

SHA256
c20452e6168120294eb2765e98559d0ba53d07919efe70a0a520253f50bdb3c7

SHA512
8aa3431b5c49716ac3ef8716c46b1bf9794073c0793ead5794f3c1603425586cb7184673300b5c29d689c6c1231121a690159b331aff11e4ecaf0c2380940bf6

Download Submit
memory/484-433-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/484-427-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/484-432-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/540-283-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/540-292-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/540-293-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/560-254-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/708-500-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/788-232-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/864-81-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/864-420-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/872-501-0x00000000004A0000-0x00000000004D5000-memory.dmp

Filesize
212KB

Download
memory/872-490-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/872-499-0x00000000004A0000-0x00000000004D5000-memory.dmp

Filesize
212KB

Download
memory/1320-245-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1368-502-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1480-389-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1564-411-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1564-421-0x00000000002B0000-0x00000000002E5000-memory.dmp

Filesize
212KB

Download
memory/1628-477-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1628-479-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1632-410-0x00000000002A0000-0x00000000002D5000-memory.dmp

Filesize
212KB

Download
memory/1632-409-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1864-236-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1868-129-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1868-457-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1868-121-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1868-468-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1908-174-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1908-511-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1908-182-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/1972-478-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1972-139-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1976-108-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1976-446-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1984-489-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1984-148-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1984-156-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/2020-480-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2104-304-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2104-303-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2104-294-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2132-269-0x0000000001FA0000-0x0000000001FD5000-memory.dmp

Filesize
212KB

Download
memory/2132-263-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2148-202-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2148-210-0x00000000002B0000-0x00000000002E5000-memory.dmp

Filesize
212KB

Download
memory/2148-212-0x00000000002B0000-0x00000000002E5000-memory.dmp

Filesize
212KB

Download
memory/2164-13-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2164-369-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2216-282-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/2216-281-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/2372-351-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2372-338-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2372-352-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2416-223-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/2452-360-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2452-12-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2452-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2460-31-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2576-358-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2576-353-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2588-359-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2600-388-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2604-94-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2604-426-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2604-105-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2604-435-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2624-321-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/2624-316-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2624-326-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/2652-373-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2652-376-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2672-337-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2672-327-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2672-333-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2676-44-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2692-67-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2692-399-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2692-80-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2732-395-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2732-52-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2732-404-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2732-66-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2732-65-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2764-188-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2764-196-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2796-444-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2796-434-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2796-452-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2856-445-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2856-453-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2964-305-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2964-310-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2964-315-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2988-464-0x0000000000310000-0x0000000000345000-memory.dmp

Filesize
212KB

Download
memory/2988-458-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads