berbew | f58c3ef68b7b8f98419538928f101b691f9a3ee939a490c4c1444bd46b86238e

Analysis

max time kernel
96s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2024, 23:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f58c3ef68b7b8f98419538928f101b691f9a3ee939a490c4c1444bd46b86238e.exe
Size

45KB
MD5

f6c0a51f6727934cc28b904b070aebef
SHA1

29c4b5afb3bb91c9bb3fe6c8bdeaca5cfe789846
SHA256

f58c3ef68b7b8f98419538928f101b691f9a3ee939a490c4c1444bd46b86238e
SHA512

ddfeb4d6573d96be58a16cfe65304bc520ad378d7531789eed58021479bc38af644dced6da6732e039cf1ed25fa1758ab61617239c2a3a51f874cd18b4ae9b02
SSDEEP

768:DZHVeubgDPhzkbBZhOCo9b3ibIxjUy0Ve9YnOPQJa6I9Tj3LSPXMWFqPIJ/1H5:NHUubgrhzShyFabarZ3qMZPID

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njnpppkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iehfdi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icgjmapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icifbang.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfjhkjle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iejcji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfmepi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdjagjco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Menjdbgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmlpoqpg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ikbnacmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llgjjnlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmiciaaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jianff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kiidgeki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgokmgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipkhdeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mbfkbhpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojoign32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipbdmaah.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpnlpnih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpnchp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjlpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jblpek32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liimncmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfmepi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmbmibhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqhacgdh.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
3628	Iefioj32.exe
1240	Iiaephpc.exe
4540	Ikpaldog.exe
1188	Icgjmapi.exe
3176	Ibjjhn32.exe
4848	Iehfdi32.exe
3036	Ikbnacmd.exe
1272	Icifbang.exe
1420	Iejcji32.exe
4180	Imakkfdg.exe
224	Ickchq32.exe
2512	Ifjodl32.exe
452	Iihkpg32.exe
4416	Ipbdmaah.exe
3240	Ieolehop.exe
3708	Jlnnmb32.exe
4804	Jbhfjljd.exe
788	Jianff32.exe
2328	Jplfcpin.exe
3488	Jfeopj32.exe
3980	Jidklf32.exe
1380	Jpnchp32.exe
3504	Jblpek32.exe
1712	Jeklag32.exe
5060	Jmbdbd32.exe
1164	Jpppnp32.exe
4920	Kfjhkjle.exe
2524	Kiidgeki.exe
2444	Klgqcqkl.exe
2060	Kdnidn32.exe
3168	Kfmepi32.exe
2344	Kepelfam.exe
1784	Kmfmmcbo.exe
4944	Kdqejn32.exe
2796	Kbceejpf.exe
4812	Klljnp32.exe
3692	Kipkhdeq.exe
5012	Kpjcdn32.exe
2920	Kbhoqj32.exe
1084	Kefkme32.exe
1560	Klqcioba.exe
4116	Kdgljmcd.exe
2672	Lffhfh32.exe
2112	Lmppcbjd.exe
4088	Lpnlpnih.exe
1408	Lbmhlihl.exe
4640	Lfhdlh32.exe
4328	Lmbmibhb.exe
3604	Lpqiemge.exe
2360	Lboeaifi.exe
2124	Liimncmf.exe
4760	Llgjjnlj.exe
5064	Ldoaklml.exe
2720	Lgmngglp.exe
1228	Likjcbkc.exe
1276	Lpebpm32.exe
4684	Lgokmgjm.exe
4952	Lmiciaaj.exe
3096	Lphoelqn.exe
2844	Mbfkbhpa.exe
2420	Medgncoe.exe
2260	Mmlpoqpg.exe
2280	Mpjlklok.exe
2204	Mgddhf32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Pdkcde32.exe	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Mglncdoj.dll	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Akmfnc32.dll	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Gqckln32.dll	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Ajfhnjhq.exe	Agglboim.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Lemphdgj.dll	Menjdbgj.exe
File created	C:\Windows\SysWOW64\Qjkmdp32.dll	Nljofl32.exe
File created	C:\Windows\SysWOW64\Nfgmjqop.exe	Ncianepl.exe
File created	C:\Windows\SysWOW64\Oqhacgdh.exe	Ojoign32.exe
File created	C:\Windows\SysWOW64\Ghngib32.dll	Pmdkch32.exe
File opened for modification	C:\Windows\SysWOW64\Mnebeogl.exe	Menjdbgj.exe
File opened for modification	C:\Windows\SysWOW64\Mdmnlj32.exe	Mlefklpj.exe
File created	C:\Windows\SysWOW64\Clncadfb.dll	Ogpmjb32.exe
File created	C:\Windows\SysWOW64\Pfhfan32.exe	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Mfilim32.dll	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Neimdg32.dll	Mgddhf32.exe
File opened for modification	C:\Windows\SysWOW64\Pgllfp32.exe	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Lgokmgjm.exe	Lpebpm32.exe
File created	C:\Windows\SysWOW64\Kjiccacq.dll	Migjoaaf.exe
File created	C:\Windows\SysWOW64\Gnpllc32.dll	Ndhmhh32.exe
File created	C:\Windows\SysWOW64\Qnjnnj32.exe	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Medgncoe.exe	Mbfkbhpa.exe
File opened for modification	C:\Windows\SysWOW64\Oflgep32.exe	Odkjng32.exe
File opened for modification	C:\Windows\SysWOW64\Pmannhhj.exe	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Klgqcqkl.exe	Kiidgeki.exe
File created	C:\Windows\SysWOW64\Hjgaigfg.dll	Ncianepl.exe
File created	C:\Windows\SysWOW64\Oneklm32.exe	Ofnckp32.exe
File opened for modification	C:\Windows\SysWOW64\Aqncedbp.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Baicac32.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Klqcioba.exe	Kefkme32.exe
File created	C:\Windows\SysWOW64\Nmpmkplp.dll	Jlnnmb32.exe
File opened for modification	C:\Windows\SysWOW64\Jeklag32.exe	Jblpek32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpccdlj.exe	Nljofl32.exe
File created	C:\Windows\SysWOW64\Ofnckp32.exe	Odmgcgbi.exe
File created	C:\Windows\SysWOW64\Bneljh32.dll	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Ikpaldog.exe	Iiaephpc.exe
File created	C:\Windows\SysWOW64\Lgmngglp.exe	Ldoaklml.exe
File created	C:\Windows\SysWOW64\Iihkpg32.exe	Ifjodl32.exe
File opened for modification	C:\Windows\SysWOW64\Ogbipa32.exe	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Pncgmkmj.exe	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Bchdhnom.dll	Mdmnlj32.exe
File created	C:\Windows\SysWOW64\Ocdfloja.dll	Kfjhkjle.exe
File created	C:\Windows\SysWOW64\Kcdgbkil.dll	Liimncmf.exe
File created	C:\Windows\SysWOW64\Ecaobgnf.dll	Mmlpoqpg.exe
File opened for modification	C:\Windows\SysWOW64\Pmfhig32.exe	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Bchomn32.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Ipbdmaah.exe	Iihkpg32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Nepgjaeg.exe	Ndokbi32.exe
File opened for modification	C:\Windows\SysWOW64\Bcebhoii.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cffdpghg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6292	7116	WerFault.exe	283

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odmgcgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgmngglp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odkjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndokbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kefkme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdgljmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f58c3ef68b7b8f98419538928f101b691f9a3ee939a490c4c1444bd46b86238e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klljnp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jianff32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kiidgeki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klqcioba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jidklf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfhdlh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmlpoqpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Likjcbkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ipbdmaah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfjhkjle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmfmmcbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmppcbjd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mibpda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ifjodl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnebeogl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kepelfam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlampmdo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibjjhn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpnchp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpppnp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llgjjnlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Medgncoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ikbnacmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdnidn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfmepi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpebpm32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekphijkm.dll"	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oneklm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibjjhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkbljp32.dll"	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iiaephpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Halpnqlq.dll"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocdfloja.dll"	Kfjhkjle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfjhkjle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahicipe.dll"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icgjmapi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mbfkbhpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Donfhp32.dll"	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kipkhdeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaeokj32.dll"	Lpqiemge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecaobgnf.dll"	Mmlpoqpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kiljkifg.dll"	Mlcifmbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfilim32.dll"	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmfmmcbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liimncmf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpppnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Miemjaci.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jidklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipbdmaah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chfgkj32.dll"	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iejcji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekgcil.dll"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfgfh32.dll"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lffhfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjgfjhqm.dll"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jplfcpin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llgjjnlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mibpda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciopbjik.dll"	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amgapeea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdgljmcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlaegk32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 3628	1532	f58c3ef68b7b8f98419538928f101b691f9a3ee939a490c4c1444bd46b86238e.exe	82
PID 1532 wrote to memory of 3628	1532	f58c3ef68b7b8f98419538928f101b691f9a3ee939a490c4c1444bd46b86238e.exe	82
PID 1532 wrote to memory of 3628	1532	f58c3ef68b7b8f98419538928f101b691f9a3ee939a490c4c1444bd46b86238e.exe	82
PID 3628 wrote to memory of 1240	3628	Iefioj32.exe	83
PID 3628 wrote to memory of 1240	3628	Iefioj32.exe	83
PID 3628 wrote to memory of 1240	3628	Iefioj32.exe	83
PID 1240 wrote to memory of 4540	1240	Iiaephpc.exe	84
PID 1240 wrote to memory of 4540	1240	Iiaephpc.exe	84
PID 1240 wrote to memory of 4540	1240	Iiaephpc.exe	84
PID 4540 wrote to memory of 1188	4540	Ikpaldog.exe	85
PID 4540 wrote to memory of 1188	4540	Ikpaldog.exe	85
PID 4540 wrote to memory of 1188	4540	Ikpaldog.exe	85
PID 1188 wrote to memory of 3176	1188	Icgjmapi.exe	86
PID 1188 wrote to memory of 3176	1188	Icgjmapi.exe	86
PID 1188 wrote to memory of 3176	1188	Icgjmapi.exe	86
PID 3176 wrote to memory of 4848	3176	Ibjjhn32.exe	87
PID 3176 wrote to memory of 4848	3176	Ibjjhn32.exe	87
PID 3176 wrote to memory of 4848	3176	Ibjjhn32.exe	87
PID 4848 wrote to memory of 3036	4848	Iehfdi32.exe	88
PID 4848 wrote to memory of 3036	4848	Iehfdi32.exe	88
PID 4848 wrote to memory of 3036	4848	Iehfdi32.exe	88
PID 3036 wrote to memory of 1272	3036	Ikbnacmd.exe	89
PID 3036 wrote to memory of 1272	3036	Ikbnacmd.exe	89
PID 3036 wrote to memory of 1272	3036	Ikbnacmd.exe	89
PID 1272 wrote to memory of 1420	1272	Icifbang.exe	90
PID 1272 wrote to memory of 1420	1272	Icifbang.exe	90
PID 1272 wrote to memory of 1420	1272	Icifbang.exe	90
PID 1420 wrote to memory of 4180	1420	Iejcji32.exe	91
PID 1420 wrote to memory of 4180	1420	Iejcji32.exe	91
PID 1420 wrote to memory of 4180	1420	Iejcji32.exe	91
PID 4180 wrote to memory of 224	4180	Imakkfdg.exe	92
PID 4180 wrote to memory of 224	4180	Imakkfdg.exe	92
PID 4180 wrote to memory of 224	4180	Imakkfdg.exe	92
PID 224 wrote to memory of 2512	224	Ickchq32.exe	93
PID 224 wrote to memory of 2512	224	Ickchq32.exe	93
PID 224 wrote to memory of 2512	224	Ickchq32.exe	93
PID 2512 wrote to memory of 452	2512	Ifjodl32.exe	94
PID 2512 wrote to memory of 452	2512	Ifjodl32.exe	94
PID 2512 wrote to memory of 452	2512	Ifjodl32.exe	94
PID 452 wrote to memory of 4416	452	Iihkpg32.exe	95
PID 452 wrote to memory of 4416	452	Iihkpg32.exe	95
PID 452 wrote to memory of 4416	452	Iihkpg32.exe	95
PID 4416 wrote to memory of 3240	4416	Ipbdmaah.exe	96
PID 4416 wrote to memory of 3240	4416	Ipbdmaah.exe	96
PID 4416 wrote to memory of 3240	4416	Ipbdmaah.exe	96
PID 3240 wrote to memory of 3708	3240	Ieolehop.exe	97
PID 3240 wrote to memory of 3708	3240	Ieolehop.exe	97
PID 3240 wrote to memory of 3708	3240	Ieolehop.exe	97
PID 3708 wrote to memory of 4804	3708	Jlnnmb32.exe	98
PID 3708 wrote to memory of 4804	3708	Jlnnmb32.exe	98
PID 3708 wrote to memory of 4804	3708	Jlnnmb32.exe	98
PID 4804 wrote to memory of 788	4804	Jbhfjljd.exe	99
PID 4804 wrote to memory of 788	4804	Jbhfjljd.exe	99
PID 4804 wrote to memory of 788	4804	Jbhfjljd.exe	99
PID 788 wrote to memory of 2328	788	Jianff32.exe	100
PID 788 wrote to memory of 2328	788	Jianff32.exe	100
PID 788 wrote to memory of 2328	788	Jianff32.exe	100
PID 2328 wrote to memory of 3488	2328	Jplfcpin.exe	101
PID 2328 wrote to memory of 3488	2328	Jplfcpin.exe	101
PID 2328 wrote to memory of 3488	2328	Jplfcpin.exe	101
PID 3488 wrote to memory of 3980	3488	Jfeopj32.exe	102
PID 3488 wrote to memory of 3980	3488	Jfeopj32.exe	102
PID 3488 wrote to memory of 3980	3488	Jfeopj32.exe	102
PID 3980 wrote to memory of 1380	3980	Jidklf32.exe	103

C:\Users\Admin\AppData\Local\Temp\f58c3ef68b7b8f98419538928f101b691f9a3ee939a490c4c1444bd46b86238e.exe
"C:\Users\Admin\AppData\Local\Temp\f58c3ef68b7b8f98419538928f101b691f9a3ee939a490c4c1444bd46b86238e.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Windows\SysWOW64\Iefioj32.exe
  C:\Windows\system32\Iefioj32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3628
- - C:\Windows\SysWOW64\Iiaephpc.exe
    C:\Windows\system32\Iiaephpc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1240
  - - C:\Windows\SysWOW64\Ikpaldog.exe
      C:\Windows\system32\Ikpaldog.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4540
    - - C:\Windows\SysWOW64\Icgjmapi.exe
        
        C:\Windows\system32\Icgjmapi.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1188
      - C:\Windows\SysWOW64\Ibjjhn32.exe
        
        C:\Windows\system32\Ibjjhn32.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3176
        
        C:\Windows\SysWOW64\Iehfdi32.exe
        
        C:\Windows\system32\Iehfdi32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\SysWOW64\Ikbnacmd.exe
        
        C:\Windows\system32\Ikbnacmd.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\SysWOW64\Icifbang.exe
        
        C:\Windows\system32\Icifbang.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1272
        
        C:\Windows\SysWOW64\Iejcji32.exe
        
        C:\Windows\system32\Iejcji32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1420
        
        C:\Windows\SysWOW64\Imakkfdg.exe
        
        C:\Windows\system32\Imakkfdg.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4180
        
        C:\Windows\SysWOW64\Ickchq32.exe
        
        C:\Windows\system32\Ickchq32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:224
        
        C:\Windows\SysWOW64\Ifjodl32.exe
        
        C:\Windows\system32\Ifjodl32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\SysWOW64\Iihkpg32.exe
        
        C:\Windows\system32\Iihkpg32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\Ipbdmaah.exe
        
        C:\Windows\system32\Ipbdmaah.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Windows\SysWOW64\Ieolehop.exe
        
        C:\Windows\system32\Ieolehop.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3240
        
        C:\Windows\SysWOW64\Jlnnmb32.exe
        
        C:\Windows\system32\Jlnnmb32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3708
        
        C:\Windows\SysWOW64\Jbhfjljd.exe
        
        C:\Windows\system32\Jbhfjljd.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\SysWOW64\Jianff32.exe
        
        C:\Windows\system32\Jianff32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:788
        
        C:\Windows\SysWOW64\Jplfcpin.exe
        
        C:\Windows\system32\Jplfcpin.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Jfeopj32.exe
        
        C:\Windows\system32\Jfeopj32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3488
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3980
        
        C:\Windows\SysWOW64\Jpnchp32.exe
        
        C:\Windows\system32\Jpnchp32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1380
        
        C:\Windows\SysWOW64\Jblpek32.exe
        
        C:\Windows\system32\Jblpek32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3504
        
        C:\Windows\SysWOW64\Jeklag32.exe
        
        C:\Windows\system32\Jeklag32.exe
        25⤵
        Executes dropped EXE
        
        PID:1712
        
        C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        26⤵
        Executes dropped EXE
        
        PID:5060
        
        C:\Windows\SysWOW64\Jpppnp32.exe
        
        C:\Windows\system32\Jpppnp32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1164
        
        C:\Windows\SysWOW64\Kfjhkjle.exe
        
        C:\Windows\system32\Kfjhkjle.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2524
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        30⤵
        Executes dropped EXE
        
        PID:2444
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2060
        
        C:\Windows\SysWOW64\Kfmepi32.exe
        
        C:\Windows\system32\Kfmepi32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3168
        
        C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1784
        
        C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        35⤵
        Executes dropped EXE
        
        PID:4944
        
        C:\Windows\SysWOW64\Kbceejpf.exe
        
        C:\Windows\system32\Kbceejpf.exe
        36⤵
        Executes dropped EXE
        
        PID:2796
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4812
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3692
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        39⤵
        Executes dropped EXE
        
        PID:5012
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        40⤵
        Executes dropped EXE
        
        PID:2920
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1084
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1560
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4116
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2112
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4088
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        47⤵
        Executes dropped EXE
        
        PID:1408
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4640
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4328
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3604
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        51⤵
        Executes dropped EXE
        
        PID:2360
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5064
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2720
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1228
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1276
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4684
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4952
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        60⤵
        Executes dropped EXE
        
        PID:3096
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2260
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        64⤵
        Executes dropped EXE
        
        PID:2280
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2204
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        66⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2212
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:764
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        68⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        69⤵
        Modifies registry class
        
        PID:216
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        70⤵
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3816
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        72⤵
        Drops file in System32 directory
        
        PID:4160
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        73⤵
        Drops file in System32 directory
        
        PID:4172
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        74⤵
        Drops file in System32 directory
        
        PID:2456
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3696
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        76⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2692
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2496
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4232
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        79⤵
        Drops file in System32 directory
        
        PID:692
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3088
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3684
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1612
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:644
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:4464
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4136
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        86⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        87⤵
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3084
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        89⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4868
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        91⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3968
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        93⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5040
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        94⤵
        Drops file in System32 directory
        
        PID:5004
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        95⤵
        Modifies registry class
        
        PID:2784
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        96⤵
        Modifies registry class
        
        PID:716
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        97⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        98⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:4940
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        100⤵
        Drops file in System32 directory
        
        PID:3732
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:440
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:976
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        103⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:408
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        105⤵
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        106⤵
        Modifies registry class
        
        PID:3884
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        107⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:972
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:5164
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5208
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        110⤵
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:5324
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        112⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5500
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5556
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        117⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        118⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5708
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        119⤵
        Drops file in System32 directory
        
        PID:5752
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        120⤵
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        121⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5848
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        122⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5948
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        124⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        125⤵
        Drops file in System32 directory
        
        PID:6036
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6080
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        127⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6124
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5172
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5264
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        131⤵
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5536
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:5620
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5700
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        135⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        136⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        137⤵
        System Location Discovery: System Language Discovery
        
        PID:5944
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        138⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        139⤵
        Drops file in System32 directory
        
        PID:6064
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        140⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6136
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        141⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:5392
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        143⤵
        System Location Discovery: System Language Discovery
        
        PID:5508
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        144⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        145⤵
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        146⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5908
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6020
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        148⤵
        System Location Discovery: System Language Discovery
        
        PID:6120
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        149⤵
        Drops file in System32 directory
        
        PID:5316
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        150⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        151⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        152⤵
        Drops file in System32 directory
        
        PID:5960
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6116
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        154⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5748
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5144
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        157⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        158⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        159⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5720
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        160⤵
        System Location Discovery: System Language Discovery
        
        PID:5476
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        161⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6172
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        163⤵
        
        PID:6216
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        164⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        165⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        166⤵
        System Location Discovery: System Language Discovery
        
        PID:6348
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6392
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        168⤵
        
        PID:6436
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6480
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        170⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        171⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6612
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6656
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        174⤵
        Modifies registry class
        
        PID:6700
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        175⤵
        Drops file in System32 directory
        
        PID:6744
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6788
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6832
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        178⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        179⤵
        Drops file in System32 directory
        
        PID:6920
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        180⤵
        
        PID:6964
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        181⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7056
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        183⤵
        Drops file in System32 directory
        
        PID:7100
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7144
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        185⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        186⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        187⤵
        Modifies registry class
        
        PID:6296
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6376
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        189⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6516
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        191⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        192⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        193⤵
        Drops file in System32 directory
        
        PID:6732
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        194⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        195⤵
        Drops file in System32 directory
        
        PID:6916
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        196⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        197⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7044
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        198⤵
        
        PID:7116
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7116 -s 228
        199⤵
        Program crash
        
        PID:6292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 7116 -ip 7116
1⤵
PID:6200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
45KB

MD5
0fde29ad8d0d205cbcf92b9f50aea930

SHA1
e61d3221fdc962eed7313bcdc12eba784c64db74

SHA256
76c872a1bfc0fe049d10b2ed81902c21ee9ede2f838a52985a6428788d42e71d

SHA512
fa811f4a8f7c8b423bd1cc01413721e50a61ba198b767694506a81ffb2c273019e7d3aa7ff62f3f268b98adfdc0ab697824c6d568b49810800f0e8eda681e2e4

Download Submit
C:\Windows\SysWOW64\Aadifclh.exe

Filesize
45KB

MD5
e7118d6259a0efbaeb49e63cf1290940

SHA1
d408b296943dd6c91d5f7865f20dfe25897c8f48

SHA256
b24a2b627f3648d184120c1572ce461551a12cb76ff3fce8e744cebc9c0bd1b7

SHA512
c0b889e4f511aeaf9a6cec978ffd54ea16fa2b548332132f459b29495993f28edf411d4d0de37403c9594b6e342d4dee79a5aa953a6e05b52c5e95cc6783d05c

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
45KB

MD5
788ab5caf017b678ec86603b36f4970f

SHA1
f00022717b53106a1fae8f0dcf4888e650e2d002

SHA256
9da1ffcfde59b3f5788812dd1c384a80806c71e9df4ec6a3b7b405a596caf8e5

SHA512
9ed7d94b8c561c3555f5ce1abb75261bd115d150bce37ecd99641a0c9e520db9b328e7f68176f631bcbab84a1454593b20e8612f92def69fe0a01feacb750837

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
45KB

MD5
df04d6f16b60a76abec71979e5bde096

SHA1
1ad5bb432ced9869e2389c9e34962085a4243f45

SHA256
bb7c770ec113d8f270df0838858427775140d6f0403e368fa414a6ee5848c58e

SHA512
adf149bf92e8e3503078e847af6a514d1767e72450ba63f7c35c7aa185b642ff28325148c93cb002027a1874fdedbc9dc8868e3c82901b34d095feefe4dee58f

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
45KB

MD5
207a68391afe67385c63ac623a8c36b3

SHA1
372e3040331f4d7f4215d98e272349641472f385

SHA256
010d95e8341911ca34d54f9a9e7f43fef94d5d93e82dad8200872741d48668c5

SHA512
854a0666d16dbf4ff79f3ac0761a20747f985e6ac59e788df3535c24d3bc7efb57d15f4ee4b1e42fe242299252185213fd6ed534d23cb08aaababef04e37d09c

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
45KB

MD5
4013e95f754abc2a42eb7ccc23d91a77

SHA1
6bc4db267ed317bd16a4ffbe2097909eb8ce3866

SHA256
62918f6573e2652046a764c20f97438f2c28f991fd174b499821a8ef5dfc7472

SHA512
bbdee232b60666df9a8e8a300ec5cd5fe64d5c93e83207fae96095e20d7b95dc72f592ba6a2d0035ed13c8a95033b86836e165aa4e61e984814442a9a1a95a1a

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
45KB

MD5
6ac629f9800af987cfb6bdf17e02c009

SHA1
2de3cb3131b341ff4231891f01c0b522be4fcfc2

SHA256
48c1d37190fa6c269f85810c4d96f331e25aed8d8f4b84ab0a68a6bbd290cdb1

SHA512
83671ae8a3d2a3ac7c0c7a4b092341976684a47dda4e59fd0f02d9fc5857a94bd8b8a17a4b5007e771d2f6048cd44ab9b72c6bd1766f8d990634470bb9d331b1

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
45KB

MD5
9a7e1470f8bf9c94c1bd1ab78bc7eb1f

SHA1
029f4dcee5a9f15102cac2c8727da889be79da57

SHA256
6b0b9f65432e8ee89b6adfc5a8b900629e7b7577ac4788ec78e26a089146010a

SHA512
15bc83bed02df1bc17f0f2dd062f6917241e646f46cf7c09971ef37e6c30f1a9cfb106d2f23579d8cf18686fa02a1b84c6283af129460241e3ce0afc193f5ecc

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
45KB

MD5
7a3a5cacf31f458fbab4c6d71919b53b

SHA1
35726075b44a99c2ee358cf8dd11c0bb9591a518

SHA256
db175ba6dad1aff0b0369d3c86b4038e09b7dadcd027a5946f1c0db1af2a9545

SHA512
c59cbcff7396adc6a34f2d95943e047ae601072953cf145dab2d135b3d90706392e9baa6ff4264fc064eedb123dcf96864aa826ec20192e0044098036ac12790

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
45KB

MD5
399930ec099c157c1a2279dc452f511d

SHA1
da60f4d1cadbcde2878238a229311a2ec24cda93

SHA256
43c6ea4b08b50c34ecb096c50566b1d26f13ae11e0f71f9df6a6553e3c2b6672

SHA512
fc92458297b4a60c5851330848ffcbd7f1bc7ff66c310c3b98566bacf21d28a4adc23084725b9560f169fef897299cb625384c6177ff1a162a703dbdf86ffb81

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
45KB

MD5
5e2a1fb951caffe65267c2709a70cd3c

SHA1
984103ccb265176a5ebade5ada99c0e4f85fdd71

SHA256
7674171647b3e00dc0d8d1587e131f92b20c9ef9aeaaf7b418561bebfbcc4a23

SHA512
e5e339e5aee2470d5dd93acfd560400b8272dcabddc9afc244e42b87be288f22197612d4aaef6a2ad0fbd95ed23c9a29c1811314489f74c391e4844545c756f7

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
45KB

MD5
9eb36086db254cdce6feca5688906375

SHA1
ce7f24781c6b76c65b9a827662e9f0e24aa0d332

SHA256
d5d4a38dfe61a1b87b992e606bc6b7b1e948420903abccae5cca2ff5fcb893bf

SHA512
8491f82a252c2d67a91aa2357deb40cb1710e3ddbd67e7b33b5308debd97ec7fa0e53cdbc46c32480ddb938e2aa358587689a63498416b679008288ff69756f9

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
45KB

MD5
3a50f49a573a4497a4081d337ab99fb4

SHA1
fbbb83f3bbc75da5883a397b7ddaf0ffcbdfc8cd

SHA256
e4b1e0cbfc2dafc311cae3a1790931fe7ae443714d0dd58252741bca2d0ff6e8

SHA512
829186b7392d620cae14f4f337c455c789adae1ac321b996e7236ff7111b139ae24e5d939691eea4979c14e57272ab5391553034658531af0559d3d22470b791

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
45KB

MD5
99afb21bfbf2d0f153d4224c87c7a045

SHA1
05d0350064a3b3205f53ce5583ebcf76e4303b5b

SHA256
b1ed0c7fd116250b7272b1300bc7b001e3460660d75a80fefb894060efdb8afa

SHA512
d9477a0d4f8f9e11c569323a62ed1060419f2efc822f6b0811546db84e5d8cfd8971f009ee5ce6fb066ded2f746479801bce5a81163b7c1afea822e6579202bf

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
45KB

MD5
c44a78d5bfa942b3770abf7426579c06

SHA1
1ff2d600bc2f0e59b4491b1476d7006a1690946b

SHA256
df4b91e76d7b7bbf11538a4f1ea83304152b7fda54d6457609020750baa51ac2

SHA512
942143829845bf7e9e9baa801e0f0b0751baa9b20de740fc56f20926fdcedcbeb19e5ebe0ff4815a3dcef61a70d86c97cd3a70a6fe49c42af44f16dcbdeecfab

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
45KB

MD5
442ee63f69b76bb6962d5cd2ea4266d3

SHA1
e600bb4b9efc9223a9943ed928ccd308c361bca9

SHA256
a038ac0d85a77b52ca9e9d086ea04f89c9ef405784b47de3435910aac8e10267

SHA512
a6311ebf05e433a2068223bb6ede4e53903943b295c17dc5620686129157ab941fd55c7a6b04814b98c3a43c75c0517001a2a022d5b2ad1685361f681c5a4859

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
45KB

MD5
e107c20b573a3be18ab7abf8e2babe1d

SHA1
4a5f5349e220ee0d8e88fbae5d944e60d2e8421e

SHA256
9a352287508ded001bb53c7b55e3c003be8b7556b8b1b2f7b76577a8394e6ee7

SHA512
4917ddeea87371d6c8e0e02e782b3f145fef1964271b8ce94f30a1a04bcc20f2ea84af356da7169384bfce7ba81c8b11d361ef4b451d8c80cba1764139bb329f

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
45KB

MD5
c0758810296dfd3416e4c905fc35009c

SHA1
c393bba3e942ffa851fc3e210200c722078a81ba

SHA256
19e00f6aaa742f2f937613f5d702b260b7117d45e4729ee65bd6ddc366da5466

SHA512
92eae773548e96253d9679d8ffde37d49f669c3108c2ac667d82a591279144d91c56929f908bc2322b3ce2ac7980fd894def7bb50055c9d78d6c5ab5de4f5a67

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
45KB

MD5
62af2ee9d7f163bc922648cd33f56fac

SHA1
0b39a646455c9085918dbc8270155d911b6692cb

SHA256
b92c4b120e4013e52973f1fce81bb2c275a1a3ac79fa44483a7080878d8c4350

SHA512
ba224ccdd059f914ee29df3e32300c5fd4c6f869ee698a1f73cd6e83117208d63ff4ec28f1bce716a64cb8eb79ee28feb4b63a2ffe5ed8651579add2a7d0a9d7

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
45KB

MD5
14792bf171d858daa7ed7125b8770361

SHA1
70e5bdee5ec8442a0013e437a20984a7256f7378

SHA256
1d4912b4cb869594402d9b9f1d40a03dd5088ccc9595671177ce08f6173b207c

SHA512
ae88826567de2ed41827bf94de3484f7870fb922a2f552f93fe523f41a97a7fcf0b6dc591fbe4f3d3204e014f1f51f1078ea6239144847af0485810869af2c5c

Download Submit
C:\Windows\SysWOW64\Ibjjhn32.exe

Filesize
45KB

MD5
a4a58e0d51d8acf31692f07e82305dc1

SHA1
86b8dcaf093594b2e817d565c044da0d86f3c513

SHA256
3c55ae19c6559e23bf606cc6accbbaac27702b64ef424b40c1b9b86640f9f84e

SHA512
ba277c56bc7814fc5d3f6c0116376437c8dcb281f5a8c65647450291de6b6b89aa12e8f0386f41cd4479dc757e1fe5e582d8f76939d0cc82bec5d5df971f9e9a

Download Submit
C:\Windows\SysWOW64\Icgjmapi.exe

Filesize
45KB

MD5
875a7c37cca76aa61f6c841c8c93fe78

SHA1
d4bca2586df6360e484cbd6291035c3d253d8f59

SHA256
90e3b5d63cfa47680041635a5ae9153601411a224077fa40cf4cb614778fe0d0

SHA512
6efe39382f67dd1dd8c4de9c575b74a74502a2d3618985927d4d32c33e7812a76d3c7346bed3f09b6f04cd2d7da77fa5ed36f2e3d79f0b53962d0ddf977f0a00

Download Submit
C:\Windows\SysWOW64\Icifbang.exe

Filesize
45KB

MD5
419108b7d3bddcebf6bc352d1b6ea816

SHA1
91520cf3797fa2c9783498df9bdde17ee8d9ce1c

SHA256
9d0ef07a75c5588808a35c0ad4edde56f38acc4b46801f281d673579b84ca9f9

SHA512
4ddf1253a3edcb7526f1b3c9fa9f96226aa5711020292442c99bf05ce387356ca8a0daf0bce8d12084224348da72cd394eeae4785babf1563cbd81804dbd1f81

Download Submit
C:\Windows\SysWOW64\Ickchq32.exe

Filesize
45KB

MD5
5cf1d799d74ec74b4cf7de94774d9be1

SHA1
3ce3eac31c6f03b313b9dd958f1ec5b1836ddac8

SHA256
194230b33cb866f9b5bf06fdd608997113c78182222e7a44bb4d710008feed6e

SHA512
9b4b3f281f919aeee43674e5aaaf6afff0d781bca249aa4c167933332f675e1c9f0f13c5edbd737ad5253d6905efd38ad9bd37da1e07b756dbd204864cac946c

Download Submit
C:\Windows\SysWOW64\Iefioj32.exe

Filesize
45KB

MD5
5f77b97ee584e5f5f663bd0c74b1aa07

SHA1
33dbda417ee4def331cb1738f5183f57946cd145

SHA256
f84bfb096da2096b73d5ecdc05113bd70b942da925667e30db04a158a123232c

SHA512
89168eb6040434011461de71d60f6abe3daeaf3ed32590fe617d4be09b05eed31404d4043b1f099d35efb793d4fc0b5ac2d912e905909d6c2613b92067624e36

Download Submit
C:\Windows\SysWOW64\Iehfdi32.exe

Filesize
45KB

MD5
b4d897bdb1d55e3bcd3ed516e32c9395

SHA1
184bfc8ba27f766f442a105bd4d17b5a19c47506

SHA256
473734bd29121c6ac10006b60e822669f9afcdfd5a46a174e174b098949007ed

SHA512
2b69e0f98e4224731534ebf6356df49641193885edceca3ce32d9730fd665477e2275a6b780941a579907e32255800d0801a453a614b67dca735e8517db46800

Download Submit
C:\Windows\SysWOW64\Iejcji32.exe

Filesize
45KB

MD5
2e58972d83d6b46ab97d58652bf97480

SHA1
46eb52f03e295359a8159d727c146438cf1507cb

SHA256
887f42efb95b6e24c16ee68b44f864e971a7d0979d523024826429542c3273cb

SHA512
5dab8f464d99f4ab6bc9879aea0489e9c30de9adac2df837033c398d8ba8f288cba0e51aad788f8a9f7a5ccf10d745e4204c1fa2b730337ce68d7f8e9d2fdea5

Download Submit
C:\Windows\SysWOW64\Ieolehop.exe

Filesize
45KB

MD5
b4243f8e4711d90b754b6259a34bfa6f

SHA1
d9f4e20a0c54b987a0c9ec44b4c8f2735c53475a

SHA256
89a165260f1de454c09e095e8de93010e98e2182c6d47a9466cd35ed7f5062c8

SHA512
abbfe7ff5c0da7dcd850a00272f80366e43cb49a8cc8f54395bc13525ddeb2949a84e01891fdb6b64274db960b50f4ae39e87f0fbe5ca74c6e2d16e0f4967a9e

Download Submit
C:\Windows\SysWOW64\Ifjodl32.exe

Filesize
45KB

MD5
32effdef29820099ed7c3f4c873ee8b3

SHA1
43c1e1b3ae7ab9d5d37a036d51d0afd1b9df2dfa

SHA256
9a964eb133a107795bfc7e1f572cf04c78b4234354548b4023df4c710e305ab0

SHA512
912a39d1dde53e0d388603205af7309b7328b781ee289c75cd0b31768c2946ca88bf16fb48faa510b1a77f854cc549a55923aab2e95774f30c5c20bb4441b606

Download Submit
C:\Windows\SysWOW64\Iiaephpc.exe

Filesize
45KB

MD5
57ffc6c3a928502cef8142e7ee9acba7

SHA1
75a4526cb7d27e470f4399ded1bb559f7ca2e0e9

SHA256
f164e034be1bfea77d6141fa7b38b59af585bf0911074db5d5f9f5e915f5ce21

SHA512
3537b2a6356282601ab339f678ad913eb4007a30c54be8aa8d2ca19a234e9e78c6bd78bd64a9d8937a4bae9ab4398728446298396bdaa7e5c9c5c5daeca7c838

Download Submit
C:\Windows\SysWOW64\Iihkpg32.exe

Filesize
45KB

MD5
1d74fd715c436a2905a0faeabaeaac74

SHA1
a4540107566b5c1efc24e654eed020e4ae05dbc3

SHA256
371b992d028f9bbc3888afe498280217a2f816c190fdaf72434cc23f22a784e1

SHA512
414fa821c1ec79233332b333254d9f4992d9968d7920bc3fd75e249f4c22a9b0e65533569786bca7dc91e4e69fd83b814a8fb4e2086aa2e1b04fa5594c952d3a

Download Submit
C:\Windows\SysWOW64\Ikbnacmd.exe

Filesize
45KB

MD5
08b9138f52d48f3a6112b0037d5dc72d

SHA1
686a5bce912ac5652a47d228f331ecef0ce74fb9

SHA256
51afca5a7def90904d1c3fefe4c54a4ee0342d57948583b90445ef13540b5a85

SHA512
28f0b216ae0c7fc99992c7a1fbd42c0b2de31f13c5bc03112ca063d055912cca918bea537f337a5ccb122643f9ca006e62abe860dff2b0f795323deb563b77b2

Download Submit
C:\Windows\SysWOW64\Ikpaldog.exe

Filesize
45KB

MD5
517a8c9d74ec716dc4ab9069c7b88922

SHA1
3e60ed542070aab454430b58ceaee228bda5c829

SHA256
3e572b3b55b2cd89ff0cff1d215f2f120b09b7e421e47f05c0d3304073a5b991

SHA512
b356f6cf98fd12cdd9f58147e0eef9bcae5dd4b447c709471efcbbf9be4ee21f56d5851bbeec655f762495ce9e6853c43a864ca33a846ee220c9221740977b26

Download Submit
C:\Windows\SysWOW64\Imakkfdg.exe

Filesize
45KB

MD5
6cf27882dd07c98b3e0850768d4a7aa5

SHA1
08fdcca61ef2acd18b7e7e299db1ba029d32dac6

SHA256
c4f459c4585e2234cf983902da3472f83b9d7ac6a1cdf7b8d18c32aa4578e0b4

SHA512
11513077dddcd443878f3328d1001c8f07ad0dd18ce9042a7224043b74138e4d1da977081f7001d7c27cb9c357664e35a08aead958ba7d9af724e61037f40ee1

Download Submit
C:\Windows\SysWOW64\Ipbdmaah.exe

Filesize
45KB

MD5
2ebad3d04da06affadd88f4a15bfc989

SHA1
2a7ece88c44597c164f3b743afb4cc1ad2caf2da

SHA256
15a800110ea23475691555546f83e1814d1b91d23a27d6701489b80722769ca9

SHA512
b33c5b5d1887a7777a538d0a512b6bc7f39fcd0e83dcd7ae65134dfdcdc4c034a60178c145fac2782888f06237279b590a735a706e1bb2d5f4b559b5716e7e7e

Download Submit
C:\Windows\SysWOW64\Jbhfjljd.exe

Filesize
45KB

MD5
951356a8d821a16dc117952f68c99e5f

SHA1
562b057d3fc2c230d1f8043a24efa10737b21c20

SHA256
19ca5060d08c2cd327ed92a983d8ebf09686e1436d08cc24ce8f461605fe8cea

SHA512
8e222e14e33445b208831025a1f267b7c83b11581faf9eb9e7ec6d97247eefb36e9e8f67290b74141ba6bedc93f3811de008387a4a720ea6b8b3b09a1abdd84e

Download Submit
C:\Windows\SysWOW64\Jblpek32.exe

Filesize
45KB

MD5
b163197ede64f5930b1c762c2f35c9bf

SHA1
80db7bfc592c63297338bcbc610cc43c251aa1e1

SHA256
6b3a444e0df8d7a0f8401a39ea973c424d102a0f6a7b450361f4cc338efbd953

SHA512
239749a937aeee42c2aaadbe4bea4af76c8ff5d8153f317a9731a84afb1b153ef101cecc95be5ca237db3af876e82d6702f549f6a7abbd2c5ab7a7c126adcef5

Download Submit
C:\Windows\SysWOW64\Jeklag32.exe

Filesize
45KB

MD5
3acfb02c74207e296be772842111e51e

SHA1
df63784ee6f8876111395c77a8ebe104132314c5

SHA256
20ba27d30c7ca9ccd0aacd38b1dfc3d7f59384f2a03ec28c58f3529b4915c0b6

SHA512
27700ecddb516796a2fedeaa9b574c718188492cb1a1824511b9afb54e847f22fd658946aa9fc59bd640ba005f0cdcb8582e3a349c5045bea18a35e2ae9cc08c

Download Submit
C:\Windows\SysWOW64\Jfeopj32.exe

Filesize
45KB

MD5
6e7c291259ae2bfc332ff60da1f973c7

SHA1
6ecc1520e8b5490ce37a4d99fe683d262d20bf7b

SHA256
c9b21e78f1ab5ff85df0d986e1f7020a549dbd2beb353bd3a4eaef04190205e0

SHA512
46080a7cb37b5f8ab44367ae30a739b65f57aaa38a52cf288895ae4aa77197e7cf7c15bd45c04349db7a47d0c3d1e30d1d2cae5212b9de52c14dbf2dd8ea2159

Download Submit
C:\Windows\SysWOW64\Jianff32.exe

Filesize
45KB

MD5
89891aa12916ef6f0542d7431c2764c1

SHA1
9c8aac7e2a31e3f537f34c64a569de2e6a89176c

SHA256
3128166bbd27ab46ac052a3c65f5d0e29fc94761a251b47eee22520ab357ac03

SHA512
7e8de7103db19cdee5eb68e66705430b0cea97675cdbce0e07fd8d032b26228788f6c752d26d44a097248db87fe0d31cdafcdd2120844f0fbb328b610208b9ca

Download Submit
C:\Windows\SysWOW64\Jidklf32.exe

Filesize
45KB

MD5
4d6cbee4ef72dbcb4bdbbb03b79132ec

SHA1
66335ac1c0af0b37c70cf682f4f24d028e7789a7

SHA256
714f0daf39ce3120e6d8591482835042c4853958a67e737f1dafc4832fd17804

SHA512
20bb1fc8e035b6d7bec7cf6656d6fcad4d68fdb2301f876fdfb48f29b728d92196624d8f8860181706bc63776678f903833770aaabbe4b06acc75208229ee5d8

Download Submit
C:\Windows\SysWOW64\Jlnnmb32.exe

Filesize
45KB

MD5
af3ea7a283f5393f8d15134ad6902521

SHA1
5ae4fb896a970a193399ac002ef8fa886a89de02

SHA256
d0692bd2529390488c437d6f61071569e7828ea2f6f164f65e711cacb9d59571

SHA512
d3bd1747e4f6f63ae07a74bfc8492a45698b9928214d28615d7b7c12582cb03823e7362737617ee4d311faf3cde7000cffa49822fff971b9ee35afdfeeb9f3a8

Download Submit
C:\Windows\SysWOW64\Jmbdbd32.exe

Filesize
45KB

MD5
40b2f6313d88082a77ac4a04b4a98d37

SHA1
b4a590bc103494df267ca9af872f53955274b0f5

SHA256
637290f4bcff864d4b121ea7a9cf4326341450861b3aa4ea7ca5f53a99e18ba7

SHA512
7033220d652d9cfc75fe5ff21d18a63378c1d9658fe7d2554a3c346ccc9444c95f6cf00d2d6179caa52c961907c5143cc168df38c1fdbda244c7caea12b32e09

Download Submit
C:\Windows\SysWOW64\Jplfcpin.exe

Filesize
45KB

MD5
8c66045896901db4ca3eeddd677d5064

SHA1
1f1a0fd52a9f5116828ca29ce1b8550c90c30032

SHA256
feb1f8409c27973275e6731ef80c44395a1a5416def1673cbed0e803bf55cfa2

SHA512
3c53970a7dc21d549a9c1356bb45f0a3d841565ec81b76b59aa2b3214724ff0147cedb94e72ef16c03ba3e23ecbb77cab62fa56ab7bed526c1b1ed913ef7aee4

Download Submit
C:\Windows\SysWOW64\Jpnchp32.exe

Filesize
45KB

MD5
fd4e53fe669c1d102f0887b6a9d96e61

SHA1
3f4854e6324e7ddcfb447dd4d5203a8965c61ade

SHA256
9d249727d3b1deb0aa789c720b598407383e0ff29fd3597e9c7c4e5ad3d318d9

SHA512
f9970228be122d89a8b02b47ee873dc8b5565934f8bb883a0efe39dc721846b92b67b4baebc7eb37d3c3d2c3f15932f95d1d7aefe62a501e716a557f8e2bae51

Download Submit
C:\Windows\SysWOW64\Jpppnp32.exe

Filesize
45KB

MD5
c4dee7d7488fd48e895f505eb13ba8c8

SHA1
592758272dd26a1bc57e8e2b4f37bf611496c00f

SHA256
dcb7aff4366c24bebed79d427e0b463fb961e7168613ff737dc7686b8352bd87

SHA512
682e20705395ce88128a44d9eec9af8553f219e1a71d953d9b9a688b4891256b4c9614176572922c48df70665694c9fc419ec278c2a577426d854772752be7c0

Download Submit
C:\Windows\SysWOW64\Kbhoqj32.exe

Filesize
45KB

MD5
77ce3c423ee6fe176e14e632361b49a1

SHA1
7728575975c5b4c136ced6be0568736077e9f059

SHA256
fa723df72be86fc7fdabec8087f39cf029331845260a2294f5921323d7e68cc8

SHA512
8332cabbf02035ee81b425bbd752a08862ba0aa460bbcd0e79526cba18db8bfae6c2d0c44a010518246649851d63b8bf349470826638a427a4f153f6c303db9d

Download Submit
C:\Windows\SysWOW64\Kdnidn32.exe

Filesize
45KB

MD5
f17e61e249856d0f54630fe1aab654c7

SHA1
45628fc303dfb6fa9eec860399df353b72597d45

SHA256
990d35b371e8294c0937a495984becaaa45ba00e97f900c5fd84343992e604ee

SHA512
0bd5806c32b39e1f05d5480f2d0b9eb1b1198381c077b796c332084f9a0cac3444afc93187026f2b3bd2c362867c239681c28a97cd33a4f355b9540bc2ace487

Download Submit
C:\Windows\SysWOW64\Kepelfam.exe

Filesize
45KB

MD5
56eac783f93fb14cc69ea7714e6f1a45

SHA1
50b435a77bcb86f3dc29e4d1538a52b5e712c47a

SHA256
a8b35a5a7c340ce920d947603f3b1a7792efe35fe0846c874eaa749d4b2425a8

SHA512
f216b1003f127b9e23a553b8ab0f36bc61afa8c25eeac6f49974146aee187a5a1a4a0649bdadb83e8b1f69d6cfaa8420db6efabd20163ff63bb365481f13384d

Download Submit
C:\Windows\SysWOW64\Kfjhkjle.exe

Filesize
45KB

MD5
4d3b0d4f1faeae51b6a3c3ecbd072595

SHA1
ce0b34ac6a48d9d3140dd29cf1a05dfcd090425d

SHA256
f4350c72e0d1e75f40ce7cbc4dc853929fd20f02780bd43cdf3dfcf8589441dc

SHA512
bef9c006e71902cbcac750bb5f84f2eb63dc69dd186f8281ea965cc1d5dfec9133f1757297e1526178f5ff6cdb324d1130644834165cb43b56e4a37d8d400221

Download Submit
C:\Windows\SysWOW64\Kfmepi32.exe

Filesize
45KB

MD5
4d4d5ac05de5ec01886fd35ab357e71b

SHA1
3c75fdcd1fe7276e1106f0923ba887264f946fcb

SHA256
2876a553d97559dac81eae06d8ddb360fcf3bd4d537645016553c5f31fddde9a

SHA512
c837075f51233d062a8d8f76fb2862956b60c0251dd73199cd6dd85aee17a57c2ac945b3761c911f3c7ddef80a073e99ded4e7c3539e037d2738598075ffe529

Download Submit
C:\Windows\SysWOW64\Kiidgeki.exe

Filesize
45KB

MD5
7ef4e94a50a7950ff3f194ff4bdb800a

SHA1
437561b28dec0f5ef46180d2e832babbee4005f8

SHA256
380d0727c435709431ddd710f48e2fe211b1a58dfa935488e1677fadc54e8b66

SHA512
c4f8e85e05af86d9de401609ac75033cfbc46598a16bcd443334abfefd2b5146b56a26fe45d1dc9c8474f8588c66c716b45bb50da34917fde2d93aa50ff06462

Download Submit
C:\Windows\SysWOW64\Kipkhdeq.exe

Filesize
45KB

MD5
f51d0a4cf7285736822514be53621f52

SHA1
536ad54fe64295e379db2430e9bb3d1774e6ee3d

SHA256
9f07adcf8beb4764e2eca1158ec1bcec189cdaf65d3839a286682cdbae12f360

SHA512
637972114dcd3921636b21c032c45441dbd78be790c3890d87a14b147b4333857d03c23c83cc598dae62f2919cc72e5bb534d09faebc8284fa28dd6c3666fe70

Download Submit
C:\Windows\SysWOW64\Klgqcqkl.exe

Filesize
45KB

MD5
890458465b7dd929d88e1fc0f03a9214

SHA1
9dcc77eb0380e61d0da5ad21089cb5d851ce072b

SHA256
e17986775d23edff8742ad40b1ee1b4d9a259657d94e27665138fbb41d247f7a

SHA512
b037d9ba26adf4df9f5888f8ae2eb5d6cd2bb1c5419572eed62a86fd62694835c5b9257b8867bbc1200e922c2f645136a9dae8554eda6e3ce004985e0bc79e54

Download Submit
C:\Windows\SysWOW64\Lffhfh32.exe

Filesize
45KB

MD5
5bcaf15e0cdbe37cc4532e40ea800498

SHA1
a6dcaae7efb393792ad3ef8092ecd96a420967ee

SHA256
deaa7646caa5fbba820d3602c68315beb2838aa55cbe2f7ab431768479e3d265

SHA512
68c1adff514a7138f863372ad042e5d93e784aebd3f302f3030a4adbaa8902e0d833e7b201a230f21d7869a78dc1d14f509fad1ebbf332ef9a8f1cc51520667d

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
45KB

MD5
bac9a913233e5ddd3819ee6710b6e416

SHA1
0c7915357684c44b8fe9a5e8b6383cb10a69980e

SHA256
656910ee7ac44a7c4bbea055c4dc73da5b595e71f573ff43c15ec7c993e8cbac

SHA512
dd8ba9af9925e4b6fd5d7d5ddcde50f2fb3369ce5ae392dc1c9838d7fe8bc89318ff47204df2b3c4ba4301b1b08f23cd1d5bd074ad5a7a034bc99eaccfff81f8

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
45KB

MD5
2be62d8207c3a9037421610cdeb71307

SHA1
a8dc3fd2e9c80112344c8c77f4223ce07aecdebe

SHA256
dcfd9d0f7e3d3543c15e7d1bba9ca8574d9902cf0f411fa39e76bc38d8a8abc4

SHA512
54a9f299c4a8471ce7ca5f01fc4b7a3c11488bd5dfd8a0d907122e18ccb8701c6c3931e2578cf1c4900f5306a7d09d30a47ddcec382e453edaaa86833c81c996

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
45KB

MD5
7a1e510925b5859115104d30ba3418e4

SHA1
cf885ed07cc9a0c9302dff512d94090de17a31cc

SHA256
03828e673706c7f881f940aac8361a0c6fad5c8ba6c40882f9f09de1d5a4a92a

SHA512
9a76af94519aed7f7e9eb6727ab4f97b3d02aa5800dcdff97c7a4fbbf5e4680d4c600c74d0ad893b31bb1218e400dd8e8280a7fad644a4683e24da570cf6deae

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
45KB

MD5
37d430f01083a0aee9deb1d13e6b41e3

SHA1
99bfbd80a16a345ffe5f9dc0d00218658d9031a4

SHA256
da4d516f5eaa1013b8e3d5fd2bd0ece062ba0dc31f46eeda0eab7793841c67dc

SHA512
115dc89f9255d3ce829dc9c29999f491b2dc223229e1ee65c1ef111a0609c2b39831cd129e975b1727e47512f238dd5adc19a8a90b33e1d0cecb4dce55f45649

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
45KB

MD5
75a98fd25970963670529d96f9b2114d

SHA1
c7cd7065e7243ac99be41b2ae64a26f61557fdae

SHA256
a0e6429c34c8fa40edfb68e5e0286b8a47a3551f041e3d88492087451a6767d2

SHA512
0298fb5888c663355c9fe9f899879df9bde1ae386bc3992fadc4a2e1973abc1a2b51b40c7200a69bb4214de39b4a2630f350f9195a0811f1cd1e5b12ba836d20

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
45KB

MD5
ceb17bb44710d8fd6d1319271cb49081

SHA1
6eddce899cc9cb82e361617670e27006be0a6c71

SHA256
6531dfae71fc22edc99df1cf206375032374fe2be292070b2132805758c611ee

SHA512
4955d3af5b329edb90ed16ac862aa0177bcd55c49fcc6d02853aba7b94bc37393d50eb157641bc31ff9eac7e0d7287949f6134280005b4cfd4d105cc9940981f

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
45KB

MD5
4299fc8685e8c8275554a685d762988e

SHA1
2bd7a709903f0364fe4d348b136d0efc0fc9dbb9

SHA256
6eddf3a8fe10f9979934a97129faee38ffd6757036ac2d4cd89eba7a8d120660

SHA512
b18d6c38de386a7459d1fd41b5dd87354c014433ecd40dfd58f3f59635373b2cc547237d771bf5983942b1e6abd97952f0be5914d7c95f51a104ad5063c6e824

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
45KB

MD5
4ddb55756333f09216f44f1ca743d8ab

SHA1
a4679bc40e0448d2b5ea1e4640e08a80357ddaaf

SHA256
a2b96f9b66f6d1dec5ae40460fb086c2bae523b651fc9bd2bd9fb6fe22cbb4bb

SHA512
b976b93138b373f398489fc093d76f0e0a9f30f4a12cb27a96c8e59bff6e123ca1110e5505c8b4cac582d56ad3fe36c2af40a9d4e574ce1afd4846ac61d5c7ee

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
45KB

MD5
5078f8149a872f6331fedfe5e02604e7

SHA1
c58cd6d51fe2b289b0047ed625c4f3cb5f2973c6

SHA256
3cd256c044f7a56a0680f01838d9d0a4da0c22f8ee3580c17f1781cc10a5920f

SHA512
f10deecdc5748ad26af344c4ed9cd26d68d1adf36cbad9ec896ca34e296db0d2bb12f3627759e16f3898566b92fb8a57f50b5174bee265a9598dc800b7f70f7f

Download Submit
memory/216-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/224-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/452-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/644-559-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/692-532-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/764-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/788-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1084-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1164-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1188-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1188-572-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1228-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1240-558-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1240-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1272-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1276-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1380-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1408-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1420-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1532-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1532-544-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1560-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1612-552-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1712-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1784-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2060-244-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2112-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2124-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2156-478-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2204-448-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2212-454-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2260-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2280-442-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2328-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2344-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2360-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2420-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2444-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2456-502-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2496-520-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2512-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2524-228-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2672-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2692-514-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2720-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2796-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2844-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2920-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3036-593-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3036-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3084-594-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3088-538-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3096-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3168-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3176-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3176-579-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3240-120-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3488-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3504-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3604-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3628-551-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3628-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3684-545-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3692-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3696-508-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3708-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3744-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3816-484-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3824-580-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3980-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4088-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4116-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4136-573-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4160-490-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4172-496-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4180-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4232-526-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4292-587-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4328-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4416-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4464-566-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4540-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4540-565-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4640-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4684-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4760-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4804-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4812-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4848-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4848-586-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4920-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4944-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4952-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5012-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5060-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5064-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads