berbew | a532c7522a13578ee4d92abbcddee5d63a553a10d63c15b274b71c42b19187e6

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2024, 00:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a532c7522a13578ee4d92abbcddee5d63a553a10d63c15b274b71c42b19187e6N.exe
Size

76KB
MD5

75b9ffd6d737d913f5111e2a4b08ffc0
SHA1

bd06e6c55c014b71c7595c65f8ea1387b22373c0
SHA256

a532c7522a13578ee4d92abbcddee5d63a553a10d63c15b274b71c42b19187e6
SHA512

8101632cc891c58ec807b4d498cfabd87a0d4ec270c23e0a885f3188f0a33c3dfea6d1041dcbfc55e0dd726b713fae973d14d4a0cb4651e9bc095fe9f7d28d4a
SSDEEP

1536:QhR3xsmhnNaZQUwLdYscj7+EteetHbTjV+Yv4HioQV+/eCeyvCQ:UuSEt3tnJZv4Hrk+

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njqmepik.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oneklm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjlpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjeoglgc.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
4924	Nnjlpo32.exe
4228	Nphhmj32.exe
1488	Ndcdmikd.exe
2656	Ngbpidjh.exe
3268	Njqmepik.exe
3100	Nnlhfn32.exe
3964	Npjebj32.exe
3364	Ndfqbhia.exe
3136	Ngdmod32.exe
4172	Nfgmjqop.exe
1448	Nnneknob.exe
2336	Nlaegk32.exe
4516	Ndhmhh32.exe
772	Nfjjppmm.exe
3044	Njefqo32.exe
4280	Olcbmj32.exe
3048	Oponmilc.exe
1244	Ocnjidkf.exe
1072	Ogifjcdp.exe
5096	Ojgbfocc.exe
1916	Oncofm32.exe
916	Opakbi32.exe
4536	Odmgcgbi.exe
4648	Ocpgod32.exe
1080	Ofnckp32.exe
2756	Oneklm32.exe
852	Olhlhjpd.exe
436	Odocigqg.exe
1940	Ocbddc32.exe
3360	Ofqpqo32.exe
1228	Onhhamgg.exe
2332	Olkhmi32.exe
2840	Ocdqjceo.exe
3704	Ogpmjb32.exe
4208	Ofcmfodb.exe
1776	Olmeci32.exe
3544	Oqhacgdh.exe
1796	Oddmdf32.exe
2728	Ocgmpccl.exe
1304	Ofeilobp.exe
2000	Ojaelm32.exe
232	Pmoahijl.exe
4752	Pqknig32.exe
3500	Pdfjifjo.exe
876	Pcijeb32.exe
1116	Pgefeajb.exe
4788	Pjcbbmif.exe
2576	Pmannhhj.exe
4064	Pqmjog32.exe
4052	Pggbkagp.exe
1284	Pfjcgn32.exe
3168	Pjeoglgc.exe
3108	Pmdkch32.exe
4292	Pdkcde32.exe
1224	Pcncpbmd.exe
3196	Pflplnlg.exe
3052	Pncgmkmj.exe
4820	Pmfhig32.exe
3212	Pdmpje32.exe
3528	Pgllfp32.exe
4564	Pfolbmje.exe
4988	Pnfdcjkg.exe
3396	Pmidog32.exe
3296	Pdpmpdbd.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ofnckp32.exe	Ocpgod32.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Beglgani.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Mjbbkg32.dll	Njefqo32.exe
File created	C:\Windows\SysWOW64\Pflplnlg.exe	Pcncpbmd.exe
File opened for modification	C:\Windows\SysWOW64\Qqijje32.exe	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Njqmepik.exe	Ngbpidjh.exe
File created	C:\Windows\SysWOW64\Jclhkbae.dll	Olcbmj32.exe
File created	C:\Windows\SysWOW64\Anfmjhmd.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Ogifjcdp.exe	Ocnjidkf.exe
File created	C:\Windows\SysWOW64\Oncofm32.exe	Ojgbfocc.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Oomibind.dll	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Oncofm32.exe	Ojgbfocc.exe
File opened for modification	C:\Windows\SysWOW64\Odmgcgbi.exe	Opakbi32.exe
File created	C:\Windows\SysWOW64\Mmcdaagm.dll	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Diphbb32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Ndfqbhia.exe	Npjebj32.exe
File opened for modification	C:\Windows\SysWOW64\Pcijeb32.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Qdbiedpa.exe	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Panfqmhb.dll	Pgefeajb.exe
File created	C:\Windows\SysWOW64\Jpcmfk32.dll	Pmidog32.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Aqncedbp.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Ndcdmikd.exe	Nphhmj32.exe
File created	C:\Windows\SysWOW64\Ofqpqo32.exe	Ocbddc32.exe
File created	C:\Windows\SysWOW64\Ogpmjb32.exe	Ocdqjceo.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Bmhnkg32.dll	Balpgb32.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Ojgbfocc.exe	Ogifjcdp.exe
File opened for modification	C:\Windows\SysWOW64\Olhlhjpd.exe	Oneklm32.exe
File created	C:\Windows\SysWOW64\Bfdodjhm.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Gbdhjm32.dll	Ngbpidjh.exe
File created	C:\Windows\SysWOW64\Qcgffqei.exe	Qqijje32.exe
File created	C:\Windows\SysWOW64\Gmdlbjng.dll	Andqdh32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6860	6720	WerFault.exe	281

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njqmepik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndfqbhia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odmgcgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a532c7522a13578ee4d92abbcddee5d63a553a10d63c15b274b71c42b19187e6N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oncofm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnjlpo32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olmeci32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coffpf32.dll"	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdeahgnm.dll"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Popodg32.dll"	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aglemn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oncmnnje.dll"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpfgbfp.dll"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knfoif32.dll"	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajanck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empblm32.dll"	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjlpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbejge32.dll"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	a532c7522a13578ee4d92abbcddee5d63a553a10d63c15b274b71c42b19187e6N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3472 wrote to memory of 4924	3472	a532c7522a13578ee4d92abbcddee5d63a553a10d63c15b274b71c42b19187e6N.exe	82
PID 3472 wrote to memory of 4924	3472	a532c7522a13578ee4d92abbcddee5d63a553a10d63c15b274b71c42b19187e6N.exe	82
PID 3472 wrote to memory of 4924	3472	a532c7522a13578ee4d92abbcddee5d63a553a10d63c15b274b71c42b19187e6N.exe	82
PID 4924 wrote to memory of 4228	4924	Nnjlpo32.exe	83
PID 4924 wrote to memory of 4228	4924	Nnjlpo32.exe	83
PID 4924 wrote to memory of 4228	4924	Nnjlpo32.exe	83
PID 4228 wrote to memory of 1488	4228	Nphhmj32.exe	84
PID 4228 wrote to memory of 1488	4228	Nphhmj32.exe	84
PID 4228 wrote to memory of 1488	4228	Nphhmj32.exe	84
PID 1488 wrote to memory of 2656	1488	Ndcdmikd.exe	85
PID 1488 wrote to memory of 2656	1488	Ndcdmikd.exe	85
PID 1488 wrote to memory of 2656	1488	Ndcdmikd.exe	85
PID 2656 wrote to memory of 3268	2656	Ngbpidjh.exe	86
PID 2656 wrote to memory of 3268	2656	Ngbpidjh.exe	86
PID 2656 wrote to memory of 3268	2656	Ngbpidjh.exe	86
PID 3268 wrote to memory of 3100	3268	Njqmepik.exe	87
PID 3268 wrote to memory of 3100	3268	Njqmepik.exe	87
PID 3268 wrote to memory of 3100	3268	Njqmepik.exe	87
PID 3100 wrote to memory of 3964	3100	Nnlhfn32.exe	88
PID 3100 wrote to memory of 3964	3100	Nnlhfn32.exe	88
PID 3100 wrote to memory of 3964	3100	Nnlhfn32.exe	88
PID 3964 wrote to memory of 3364	3964	Npjebj32.exe	89
PID 3964 wrote to memory of 3364	3964	Npjebj32.exe	89
PID 3964 wrote to memory of 3364	3964	Npjebj32.exe	89
PID 3364 wrote to memory of 3136	3364	Ndfqbhia.exe	90
PID 3364 wrote to memory of 3136	3364	Ndfqbhia.exe	90
PID 3364 wrote to memory of 3136	3364	Ndfqbhia.exe	90
PID 3136 wrote to memory of 4172	3136	Ngdmod32.exe	91
PID 3136 wrote to memory of 4172	3136	Ngdmod32.exe	91
PID 3136 wrote to memory of 4172	3136	Ngdmod32.exe	91
PID 4172 wrote to memory of 1448	4172	Nfgmjqop.exe	92
PID 4172 wrote to memory of 1448	4172	Nfgmjqop.exe	92
PID 4172 wrote to memory of 1448	4172	Nfgmjqop.exe	92
PID 1448 wrote to memory of 2336	1448	Nnneknob.exe	93
PID 1448 wrote to memory of 2336	1448	Nnneknob.exe	93
PID 1448 wrote to memory of 2336	1448	Nnneknob.exe	93
PID 2336 wrote to memory of 4516	2336	Nlaegk32.exe	94
PID 2336 wrote to memory of 4516	2336	Nlaegk32.exe	94
PID 2336 wrote to memory of 4516	2336	Nlaegk32.exe	94
PID 4516 wrote to memory of 772	4516	Ndhmhh32.exe	95
PID 4516 wrote to memory of 772	4516	Ndhmhh32.exe	95
PID 4516 wrote to memory of 772	4516	Ndhmhh32.exe	95
PID 772 wrote to memory of 3044	772	Nfjjppmm.exe	96
PID 772 wrote to memory of 3044	772	Nfjjppmm.exe	96
PID 772 wrote to memory of 3044	772	Nfjjppmm.exe	96
PID 3044 wrote to memory of 4280	3044	Njefqo32.exe	97
PID 3044 wrote to memory of 4280	3044	Njefqo32.exe	97
PID 3044 wrote to memory of 4280	3044	Njefqo32.exe	97
PID 4280 wrote to memory of 3048	4280	Olcbmj32.exe	98
PID 4280 wrote to memory of 3048	4280	Olcbmj32.exe	98
PID 4280 wrote to memory of 3048	4280	Olcbmj32.exe	98
PID 3048 wrote to memory of 1244	3048	Oponmilc.exe	99
PID 3048 wrote to memory of 1244	3048	Oponmilc.exe	99
PID 3048 wrote to memory of 1244	3048	Oponmilc.exe	99
PID 1244 wrote to memory of 1072	1244	Ocnjidkf.exe	100
PID 1244 wrote to memory of 1072	1244	Ocnjidkf.exe	100
PID 1244 wrote to memory of 1072	1244	Ocnjidkf.exe	100
PID 1072 wrote to memory of 5096	1072	Ogifjcdp.exe	101
PID 1072 wrote to memory of 5096	1072	Ogifjcdp.exe	101
PID 1072 wrote to memory of 5096	1072	Ogifjcdp.exe	101
PID 5096 wrote to memory of 1916	5096	Ojgbfocc.exe	102
PID 5096 wrote to memory of 1916	5096	Ojgbfocc.exe	102
PID 5096 wrote to memory of 1916	5096	Ojgbfocc.exe	102
PID 1916 wrote to memory of 916	1916	Oncofm32.exe	103

C:\Users\Admin\AppData\Local\Temp\a532c7522a13578ee4d92abbcddee5d63a553a10d63c15b274b71c42b19187e6N.exe
"C:\Users\Admin\AppData\Local\Temp\a532c7522a13578ee4d92abbcddee5d63a553a10d63c15b274b71c42b19187e6N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3472
- C:\Windows\SysWOW64\Nnjlpo32.exe
  C:\Windows\system32\Nnjlpo32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4924
- - C:\Windows\SysWOW64\Nphhmj32.exe
    C:\Windows\system32\Nphhmj32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4228
  - - C:\Windows\SysWOW64\Ndcdmikd.exe
      C:\Windows\system32\Ndcdmikd.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1488
    - - C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2656
      - C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3268
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3364
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3136
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1244
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1072
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:916
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4536
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4648
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1080
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2756
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:852
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:436
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1940
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3360
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1228
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2332
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2840
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3704
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4208
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4456
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3544
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        40⤵
        Executes dropped EXE
        
        PID:1796
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2728
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1304
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2000
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:232
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        45⤵
        Executes dropped EXE
        
        PID:4752
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3500
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:876
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1116
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        49⤵
        Executes dropped EXE
        
        PID:4788
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2576
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4064
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        52⤵
        Executes dropped EXE
        
        PID:4052
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        53⤵
        Executes dropped EXE
        
        PID:1284
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3168
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        55⤵
        Executes dropped EXE
        
        PID:3108
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4292
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1224
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3196
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4820
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3212
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        62⤵
        Executes dropped EXE
        
        PID:3528
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4988
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3396
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        66⤵
        Executes dropped EXE
        
        PID:3296
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1404
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:2844
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        69⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        71⤵
        Modifies registry class
        
        PID:3084
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        72⤵
        Modifies registry class
        
        PID:3264
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4176
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3532
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        75⤵
        Drops file in System32 directory
        
        PID:1748
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        76⤵
        Drops file in System32 directory
        
        PID:1136
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4360
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        78⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        80⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:2704
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        82⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        83⤵
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4852
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2208
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        86⤵
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        87⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3308
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        89⤵
        Modifies registry class
        
        PID:460
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2952
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3988
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        92⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        93⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3284
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4232
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4996
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        96⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3176
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        98⤵
        Modifies registry class
        
        PID:3020
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3548
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        100⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:3220
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4244
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        103⤵
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3120
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5148
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:5192
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        107⤵
        Drops file in System32 directory
        
        PID:5236
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        108⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:5324
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5368
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5412
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        112⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5456
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        113⤵
        Modifies registry class
        
        PID:5500
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        114⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        115⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        116⤵
        Modifies registry class
        
        PID:5632
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        117⤵
        Drops file in System32 directory
        
        PID:5676
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        118⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5724
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        119⤵
        Modifies registry class
        
        PID:5768
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        120⤵
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5856
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5904
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:5944
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        124⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        125⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        126⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6072
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        127⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5144
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        130⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        131⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        132⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        133⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5584
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        136⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5652
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        137⤵
        Drops file in System32 directory
        
        PID:5400
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        138⤵
        Drops file in System32 directory
        
        PID:5780
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        139⤵
        Drops file in System32 directory
        
        PID:5848
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5924
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5996
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6068
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        143⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        146⤵
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        147⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5496
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        148⤵
        System Location Discovery: System Language Discovery
        
        PID:5628
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        149⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5716
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5820
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        151⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        152⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6052
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        153⤵
        Drops file in System32 directory
        
        PID:5132
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        154⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        155⤵
        Drops file in System32 directory
        
        PID:5360
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        156⤵
        Modifies registry class
        
        PID:2760
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        157⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        158⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6128
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        160⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        161⤵
        System Location Discovery: System Language Discovery
        
        PID:5576
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        162⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5840
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6080
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5484
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        165⤵
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        166⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6016
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        167⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5796
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        169⤵
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        170⤵
        
        PID:6172
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        171⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6216
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        172⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        173⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        174⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6348
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6392
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6436
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        177⤵
        Drops file in System32 directory
        
        PID:6480
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6524
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        179⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6568
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        180⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6612
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        181⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6700
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        183⤵
        
        PID:6744
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        184⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6832
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        186⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6872
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        187⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6920
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        188⤵
        Modifies registry class
        
        PID:6964
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        189⤵
        System Location Discovery: System Language Discovery
        
        PID:7008
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        190⤵
        Modifies registry class
        
        PID:7052
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7096
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        192⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7140
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        193⤵
        Drops file in System32 directory
        
        PID:6160
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        194⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        195⤵
        
        PID:6300
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        196⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        197⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6428
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        198⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6504
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        199⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6576
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        200⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        201⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6720 -s 404
        202⤵
        Program crash
        
        PID:6860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 6720 -ip 6720
1⤵
PID:6816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
76KB

MD5
0683e15cff173117f3a436a5835d66e8

SHA1
9b4b0505a2c0e35cd52e1c5fcb8274501aa9e40b

SHA256
c2cda77d5173f6941e06fcb4df9a319242d7a2a8af8987983461bfaa16cb6fda

SHA512
d2d37da1e06c2c700d57bc8953ca89155af7a8dc1036e73d3031ec24aa9483cc421a2a200d23b1f28f85a96ec8e384ff5064e4824058c572b63f5c18e26c0468

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
76KB

MD5
9969775c7073c032bb9b192446c29c46

SHA1
6040bf7457eb6cd7b629fd4c4b016d63342112f2

SHA256
0d10673a660149ad2660bb3dde6a1bca483559d63e6f37e658b43384efa6be00

SHA512
f34036ec503a8c7f0e36582c0c776c1d6a858e63584bb066010ccf356f1228455c7153682603d1d53c97b150db84133c3162aa5dbe81e744d63c40ee369a4cac

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
76KB

MD5
6a6dc66742b7e0c16b9648600cf2a715

SHA1
dae1ec99500ad0038efd824a0313e79cf7091a4c

SHA256
263ea700cd5208cbb11fe6ac617baf6e7deb153efc0665e169da0f4272f8cd53

SHA512
3f1a071db7d1f0081e3e98cf1617ee2d12f5bc7beeb3de3d54009e9cfbaad94cded6467963feb7a54facddba00658c39cbe60bd1fc0489843cb6e8f7f7c83296

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
76KB

MD5
b79bfc54ad224584246325dbf98752b7

SHA1
97b601b6cdcc658b6ced22d03173c303c069c82d

SHA256
02cace460d143302b328fadb3700c2b35ac23defa41a21f439ce3987fd82cd60

SHA512
e52e75ff03444418f59bab7fc3b109879523c40682c4d144e8432d681796d4383d4d8c70b2140cb2034880f2ad0d00a8f40afe3a5629488a625735782e104cad

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
76KB

MD5
198700f6b90393305eb83caa5fc8e1ec

SHA1
9c67a5fd9a55cc152559e45a132920ce04f1f3e4

SHA256
1e810d36f16921b8980282c87fa653bd788634680c627f98dbc9246fed458a20

SHA512
160cf3cabef4204570336355e2a986f8996f2daa0ee8e6f0462d642ef8cbce74b4ce29a99efcc09044852ce639b6bfe9bbe12c5c1bf7e118e9eb94caa6fc67f1

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
76KB

MD5
6153ccdc3d3123a6a110043235569af4

SHA1
656becc5df7396f04a5c7bfa167db8fdda1bff3e

SHA256
2d26c297b1542be4032497c8e1b7d4e71168cf3075a69c0795aaad6097a4fc66

SHA512
b436f8ae73feb074891aa378caab0f3dd79aa94e338a6d691cdcd0d80f88a50cf5823a7f3c2a409b992c69124e0ed72e27333f2d0ddc7f50c766a65882e87c47

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
76KB

MD5
80209ca14515cfeaf68f4b28a3de8743

SHA1
8722638c70f0de6c42e47d24bdcc0d12bb864668

SHA256
eeb3fc18e41259469181244c77fdbcadef8d28c46fd3bd014cd6dcf54fe4babf

SHA512
0b9fe98f95beee7c29ddf283878d24302fe93ffef42f902cba60c3a4292d270411c4e14da1a7b0dffa02c3645d488ef70706188f77f818b58b2b924a5ea7945f

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
76KB

MD5
c7ce1b533606e82ead49aa7fb5a6c332

SHA1
16f6ac408b18b1ee43bacfb374c43246124fc226

SHA256
2cf459cc3ea95f838c4c1c8c38fb555a48d3dbbe87c229fa9f0cb2505253ef8d

SHA512
a9b1c61534db5b14da7b9098949f03ad8cf974bff7e4a3771fff448850c8373ea1ac32918396d06e0ff6f2d234800e8f6c03e261621d17d6b52f94788ecde450

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
76KB

MD5
7b560da5f62adf7ab1fd225c567dc563

SHA1
334bbe9f564f2507061e8ccc359680895070bcbc

SHA256
ca09c663d4206706612929c96ee7c165853ec34ae13681843f3b2883c86721eb

SHA512
87650e5d6ff326a0d1464e59c0fbf8713f4df09773c6fa58a8d69786bb03f4932e4dbf0066ac75b2e15b22f5f903e2734ac07fc26f2bbe62528679fc53208ff1

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
76KB

MD5
f6f19c7667b4f9bb859020c0246212cb

SHA1
42b95f9c80f4255f13aa234704cff07ad6504f8b

SHA256
7be844047603c8f23b4b5376beee59ebc16baacadbd8948985995065d3ce8aec

SHA512
25f74c1913ced9d0c24064af1b5a9ae0739a930333c413a73101685cbf5087c97f41e22eb19688cff686bcb2cf3f795233e7e6173a0268aacc6bb5f1a7d2425e

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
76KB

MD5
c524b0276c868a36899a839d2ee2b398

SHA1
423ef663151347a226b7f888d53c0e55371b2fdc

SHA256
4d9db61a411fd55fba3eace3bb9c1c2769bd2470a3e83f8684ea9317dcd14cb2

SHA512
07b9709fbc93e02496918e7f4eebefd2227c0892e51703ec47ee15bdf72dff5bc92bf8a5653a615530a0e1f4d9c1e7c1181d1dfd8fda1584ee71eb15a734e212

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
76KB

MD5
6b6bda4d89e37c6e5a1a2643d0497485

SHA1
e9d79a7e0731ebe1b99897224f28c4df296f526d

SHA256
3d0b5c35ee129933dcd1f6a3aab49c1a003e6010582d56d5a87ef25ff996b52e

SHA512
96b59c825f4f198999019a48e5db31fa0da6f1ef7ecf274e700d20cb12a7fa31dbc1a4ef0ca97b25adb2d7aa11aad934ab17219d0d43c7a5a7b9e32a099217d3

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
76KB

MD5
59d0d869a305568977acf3d9a5d62921

SHA1
ca865c78bce092f4696ac5f8810409bf347f1316

SHA256
d5b9b2de77841a506f0564969aeba1b82d011485633549f83e70043cef54a1e1

SHA512
ed5995d4bd1069efdeca2197157cb804f1fd3b3429b353071c60f6a2eabfaed516eeb3ffdce58c500f44e065aaa6d69583313e85ac072a4c05ab33215bd4d438

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
76KB

MD5
22660640dcc9b8cb15d500f46f7e6643

SHA1
669213c3b99b23ae41a2880082c2a5925b5466fb

SHA256
afe77989ed0d4c5d7c5d6806d9288ef87bef2614435a4a2ecd7d35ffab67360b

SHA512
e1e200fa1798e203612ea36c73898ed4d14621d9493a197985ce978ec881702565a9fa24544f9bda52b74069a0ac316134173ca09fedd2e728c377c2c6edcc35

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
76KB

MD5
77b74bcd7e61c101579199198febc2ee

SHA1
de4aad8ac91d8ffddf5ba3f8ce91b8eeb7361f36

SHA256
6c55452ff183588cc4a02b4875f939df11e6a22d9667f94563d4f8cff6d8516c

SHA512
ea06135a0c285dd83af799a7cf22bd3c8cb456a3403f4333b97e1e532fb0fc445333d16550aa237e7c1537752600a1871aefcf17b7e176310a8200a48d742ec9

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
76KB

MD5
c3eb71d7143da67d00f1476386b53146

SHA1
a02dfcd2678c6b01f9b5b395e0f29653b65c508b

SHA256
b63dc5afe8039e54c205363d9b998cd3ef23dfe596228b48ec2d16ea066f46be

SHA512
5f6616e61bd04992cb0688e3c46baeb8c96ade94767e918cb5d25b9aabe2be3d07a597274e9840fb22e55715d9b89573e64ffe279cd52f2768506193cab72c0c

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
76KB

MD5
420d93cc1f5b3eca989ce87b68406d8a

SHA1
70c8528d5088f6d301ae175ba82aebc0bb85f64c

SHA256
9a188e4a57e75b93e309e4d11ac330b8192e20563868fef554f480cc196f7e1e

SHA512
3be0663de2461444573df786d1495fee8345d947f0f4493cf8bfee693c499f6f60e0c6de701d6de34981c0ae5310da090252dcf9b6df5b42925692555dc1f148

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
76KB

MD5
768dcb2e1d29e332d376411e1125cfa2

SHA1
89eee79fe190cc6a90cf66a80f271dbe68fb8768

SHA256
db15e393f5eaee9036818a113753313829402ca2429e6ded4230fd7e389a01a0

SHA512
fb07d142aa49fb585379411279038762920bb6d5077fa8e45d9c9f0bc6e6a523447f400efbd11df794eb204e6467402c3d0bf27f92ca322603d4fba27b31d520

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
76KB

MD5
21741dc1565bb97c13ca86b3b34e627c

SHA1
ee4b02bf5c2664328ad3a611726addde93e19ab7

SHA256
198068e8bc227f7abe36033ba6f89b68cbe8c0a8cb82ace64ca94d1a4c7da0bc

SHA512
c61073a25799d36004de3e3002c4010c69e754b19a14ea4c60646b9666963ff037ab63bd8fc8082d54c5e30fdd142a0518abcbef6505094ebc070151d61127d0

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
76KB

MD5
a9fc46d267f1e491d19a8e8e906f3df8

SHA1
8df560faa5978e2169584b476ae1ae32d4fee12c

SHA256
142f18756c82d90a1b9bd3f396ba66244847175501539fd4d1d9441d2161ae43

SHA512
53f85f0f84b664a0d959c7e64c456a4e00e195bf27f31056a049afe772355ce247f5be60125861fad8f4eb471e136ea1862d954b538ccbf34d74accd36a16364

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
76KB

MD5
324e74ec96a992a2780b8fa56a0ff6fe

SHA1
ea6eb20c44b4427bf333b50c392f4146bbbc2e9f

SHA256
1e908d1dda22cb77336497410c382447aa77a6f64cd22deb1ea4ad2f9bdb8c7c

SHA512
70b47c1060ffce54e9921f53241a8197d6db401fe6a8c380a4f89e1b5596143279bbecafbb40018ecc5e71b5484cf660b3a4f03aa9d94509bc5f652d0d3b4010

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
76KB

MD5
eab3cc071ecfc1b7724fe317386afd4c

SHA1
2f9433c467eaf4eb5d67a7064eb34807efb56108

SHA256
4d6d9d765aae38d0f3e7469df1f5edcceb32072fb0ab06721d355d381b675475

SHA512
ccd620101a2e8af23fa47941dc3c05940f2f0bb696b4a21b11bd22535798f10131954712446e77c362f52933bb355478d768458db5bd308d8e409fdd89a91230

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
76KB

MD5
6dab69de3f730f730c2a1d8c3e49e8e6

SHA1
d173248561374dbd229add0eba3966a6496b5e21

SHA256
dfe0b693c9bbf751df8a7b275cf860b8255fe2f55c41ced0a72e0378bbc18d7d

SHA512
2e2aaef38a380448ff9b215f1032af1f342efd15a0f8498dbff6ea076d32710ae1c857fa6ebc6de8bf36fa11778ecef822ab4467f790d0359e4f287658a1d9d9

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
76KB

MD5
f8bd34c0c9609afb156a591978e88710

SHA1
cdb778c29f6e621caa8720ff78c26abfbdf56485

SHA256
fab23f53ab438f055624e3d7a343a938ec391076fa25c457c373c1f9d989abd2

SHA512
d150d9bbeb1e223b18cadbb5878520172c2beeebce6ec795982c8844bdd1fdcd85e5b7efb1a41da34a213cf76bf1db47632931438b0661a720ee245b8df3e41b

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
76KB

MD5
2fe4f0a43579ad0b214df6538f92f1c7

SHA1
12622b33e3cffe748f970488183d3d141239aa35

SHA256
5fad558bc7b9e5c2c8695eb5c3b24907c42af7884c2936c233b196afc32ce54a

SHA512
af3ce6f889d66ecfc522768838a8d7bb76c5de10a6e9120b8f6fbd409672cd0c778bb16c71b17ef25e12ecc62bb2e4fca3912f8a1303fafc17bdf5285e992b3c

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
76KB

MD5
c96fdd1566adb75f0f475d4005e2cd3e

SHA1
b540dc63c6aa6e12fd43e3108d1dedb62c88d4cb

SHA256
25d3f9fd7108278b15629532fafae26749b2ae17ad93aa43fc7f0eb091eaf10b

SHA512
f02f32c1384b694e2d58f666eb7f0f2ece42f7906da51911fafa861bed27740d093df1667e1f6092280c9b6b133a60023b970d125113e06404d3fe1e6c46ba82

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
76KB

MD5
b690511928d67b4628d5a0ba4b6fa648

SHA1
55994ff770f77267370c02f0cfe45b34a8bef715

SHA256
663155361607d7d024c5e70735da8236b12e751bf9f2e03fb0836eafec4eff1d

SHA512
36c39e50d431869274b0e07dc9fd42f4c9c43325437718206e5bf71e7726c4c05800fadc5e7d07021c714fa13233991512ed923de0a2d8b3cd40b8f1e5c10c9f

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
76KB

MD5
263239961a0e07e276ebbb2c48e89db6

SHA1
a39b44503b7099974359505aca8dc5648dc18d9e

SHA256
ff0b150a36c058970062d6f6d12303231bb759ef56943bbaeec5ddfe2ac027e3

SHA512
972593b0b10f20bacc1b1e651b3de633bb2e7a15cc6a0f470361a14180863bf0a08193b4cc684d95307bdeb36a605d05de526e0351a33a03525897979a852bc9

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
76KB

MD5
e16e3c251317139b9a360692753490a1

SHA1
f11ea49f2263980e118162a6a463294242309d2b

SHA256
476e178bdfa788dc874eaa418a850e91e2efce867fdec96187ede013a6c8ee3b

SHA512
e298165b5a22668e0c0cea5ec159669e8d79a6cbc4e150cf69de10bd79087b8d3e37c9ae99b8a93a3f68456cf0d20237d979dbf3c870993bf7d6c5d4d0cfadde

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
76KB

MD5
9b9332b28ee6358300f2f61df846c94f

SHA1
c45693f33101f3372bb0b5fda60d5cfd91ddcc9e

SHA256
02522933823c4dbb812dfcfe52720a6a6b9a9bce2754bf25e3a203d65b939159

SHA512
3ef59e42844c4407b23e507287c349344ef1527843c889d3b05a8558de9f50a8ec9987401f2b94557f1a4be0c936228f9530649123454b877edfa41358da55e6

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
76KB

MD5
2126004fc40f78883401c8100e710deb

SHA1
9e94b0cad1b0932cf4f6c18c3eff121e6882ff8b

SHA256
4f1950129e5f3b16ba9564d913a45c57c0fd4a3fb3c31124e3b648d7a8d20761

SHA512
ca3a01996eec9f432446c9fcbc65d4852b449780a7eb28b53a66a9af062acefee1bbdf146b7afc91a05552b404eba9de1d377fbf5a74a346075c7e36a4254fad

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
76KB

MD5
d40a126a6e70d8049562abb66034eb1a

SHA1
a7a81e40884d0bb4fd5d13a1d7cca41f540f67e1

SHA256
85871dd3dd232804a24d8ae17f083550c2b937053b91ee2493eed0d548f90ffb

SHA512
5e9f4a91f596de4fd4808a5a9be642d0f602e0d2761888ef1fe6fd92c31c6f3192c39a8677731386af8399510c42e81d77e0ccbf6c5f32332dae8c44677279da

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
76KB

MD5
a91de32d90dbfb6dc0b8b4cd211cd7c8

SHA1
2aa3732d4ef2feec861cc6ea73e0edd30f9e078c

SHA256
20642217e18ac29cd6d3367d1c54c654a183fbc12a2b9bef52cbbeeb18c9fe86

SHA512
10e932132380617784f1a6aa1880e997a7482563cc2f68ee50f5a529b8c25cd9e9fd8ce77647ff1e64e9ad2582b6b9dacb1092a16f7f2e06468a34dcb360092f

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
76KB

MD5
4c7328cb0c2bd487c29d82e75c6a3ca5

SHA1
b61eb45f9f8b7a47d2696e4416ae7c941191e747

SHA256
dd3c6c56c5807b112affa9988a74455a72f2f999c730181e2e47b4391f96172b

SHA512
e07897d8bd2b763300020fb37fb603cab8a95c041bde2a8c8bfb47dd452c957608f9d275ac487834943190d868b428be4fe19072db0ab27d368b4284e30b3a6a

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
76KB

MD5
89bd67756d3b9f01b46952e6ce9c84bd

SHA1
e956777b2ef75fe9622e843dbd7655bba0680724

SHA256
f447de3b6e716cc46520c55c757b3a6d8a8827f3c45ad444975a60f04145307d

SHA512
e97393dea1abcda18741cbea029710f3aa552db2584cd658e7faba755ad79f79c913be98e9433dbd4fd40ebaed22537d89ec99f5cb1d0e6f731115601aacb2e4

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
76KB

MD5
db20c28f2290fde59f5a3167cda3a72e

SHA1
5083d561af5deef21af7fffd51b940cea086f1ef

SHA256
5f24d389f5e7607348be5f84d99db8cfe35d22e111ef9033e609e9345124c7dc

SHA512
8862b91e35652e8f9550fa55e86ac0c3040aeb4dddf98a32dad61fdf465bb9131258b13bf1202fe1497b5bd181ff4b5a591767b91a8f335b9ec07b4ab9995923

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
76KB

MD5
f11c5ece0896e12232cf23482f4438b4

SHA1
fa68d33fd2154b019635fb7f1f5a719e61714081

SHA256
a38f2ef69600f7e779fa30d66f2ab0810c0faedde26d249aa3445ee4f39762cf

SHA512
70eb5c580b0a9e170cb87c7be96d3626ef01e12064bdf2c215e89eefb2dbcd239c416526fc34d677a684def60001a619eca95d2a1afc5f137f7460059b6af1cd

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
76KB

MD5
49baf4cee49dadedc7cb7cf45f6a4456

SHA1
585291f6f03bbe8fc50b06203df5a3daae7d0be1

SHA256
0c6e6af42cec30a4c7da44d96d89ec873ff3127386f0df851f31dd6d878de1a2

SHA512
bf407c99d3a21f77555f5fe65d292aa95fa1356ff2d7812727e55f3772f61c3cc6914e6eec29a3dd2594ee79e26f8e87974ab24113d4e176745ee32fbefe2e96

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
76KB

MD5
eb56221050d84fc3671698830c7ca84e

SHA1
50274ef832c0211d25c098a12688b70a9c0218ab

SHA256
907cd05c9418cd3de8697936fff9029f81d05d2f0bb60020216f9d73a4a7db2b

SHA512
48f0b718b81cd2439f9a5f7ca84415b48e1bb87619f4bbbca3a643fb83392ef9e73f8f2a6f42835615770c9d5c2dc18a3a1d8e425e8ec2102f96897424e523f8

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
76KB

MD5
a1763987455bfa86af6ff473cafbcfa1

SHA1
fefdf721902510a5fa93360a9d95faea841b0463

SHA256
d45e51178f984ffed520ee77edb27fc11971c239922772c17d181c74d183b172

SHA512
cacbfd61167370dc927b7b22200d74a3e3918c2b5c8e512e840380e7edc96a3bbd024620a208e97abb97a5be6db75625cdaed2a537ee6e17c1b3f85702b7d44b

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
76KB

MD5
4747047da150e08de3b6a2bbc9593961

SHA1
4e7339e4c83a325b59c6b0e36175f9e4e9a17e28

SHA256
4e61825b017258d51e3bc5c60bb8c3abac3261da0c1dae07a42ebb9e6e0b99b6

SHA512
02082b42253e0777a69a422adcfc133fc5714e82c0fd638e7ae6504c4ce7a3cba08bf6c23d03c1cc908e678b2ca61d015233fcd53e3256c57e9e7d3aa3d5816c

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
76KB

MD5
2145495a17b17ffc12e9667b6cec30a0

SHA1
ffb7012245e030b31a72ed76d194daaa9641e276

SHA256
a71ae3b2d45a293cd6fc1dd27e5e013cd45a13393a5fbe60dda44a10b293b7e9

SHA512
b9c07dcc7b9ac004adcfe6212cca56f74cd5408527e4fea00ae2550ee5ea39227d2506438ee35f4ec99c4c2379e5c1ada8359ec0e81795c3b4783c255fbb7a56

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
76KB

MD5
b6ab88959d97970852992d466e382cbf

SHA1
dcdcda7c3441918d415d6c9d41dbbed8ee2d7002

SHA256
75e5a6c0624926d8244139c88d6291426bc5e52cc10d7e0fca23060357b83686

SHA512
74ec1f489f31ab88efd9e7bf41aad6d9f1edb3f8e8d82a8deb32f91fd78cd4544cc65ec4c38b56e4a870ddb46effa813f05afe3dc3ef7973fc2822695bebf57b

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
76KB

MD5
c13756a0f1e787f307b8a2f9fcfea0d2

SHA1
3a572593a16f133b0770e2c569a6ec227e04f521

SHA256
5c78a19d2f30b6563f79a6a75104059e138a148aa009c0502d3c58457d1cf955

SHA512
125014bc611a6ac27719b4d278077542b0149241f63a6d078cbec2df535268460d80a804289d5d1adabdaf83e7a218d94acbb3508c378f7f7c7b65e4487f8503

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
76KB

MD5
ba23a6a20f25e201fe71cdce60d812ba

SHA1
63a7c8896c5b26861e1d82e5334d0670a14fd99d

SHA256
131c60244c285cd21b47fd54efe1ae20b8e46501297b3b69fd1f42ed06db3070

SHA512
6af623a19723fa3daec94fe30e88665cb8ce65a6eee71a5a4facb8276a638d2514d094805c7f7e717108591fc4c18222fe1db1eda75ad03e7585d32192aaeb8b

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
76KB

MD5
3ae5a917ff69a20a4932fc757f399bbd

SHA1
290b1a8eaeefcfeeb20bf00c6d352310ed7d60e4

SHA256
af28f38a09a69da9ea424ba5d30b71cc763c3f4e380e6ace9189c7e45db836df

SHA512
63f21e66a35b513cc01c841a53b7763e9244c5258621ee8d74a7b32fe52d93ba8a81237ad15c600a17206c5a57526d0ae350ab29b3a29d94bbea21a158d8249a

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
76KB

MD5
5e1100b5c7e9945d3bf3e71587ee587e

SHA1
87ba54cd92a10b907bd7709aed05c150c13604dd

SHA256
bca4fde97d5b02eab9543e7d793859d7580ac5a77ecd870580e69334737471ad

SHA512
cdef2ba443b9f4d34e88ace8ebbc2ce2d13aee316cc4fb1f3dda574790cd18a896a4444b0da70bbe099bcf0b16aec259c23c62ceee8c4e7bb9970353f6b68c8c

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
76KB

MD5
ac63effa5c6acb408466728d7dac4779

SHA1
4d0b92620461d17cc065d5915dadddf5486cf5fd

SHA256
be5979d3873fa1f20a0fa9a7ee7a40e990c7b423ca3e144dee69d7d3e9df4037

SHA512
76a8f55969b338fa09a324292a6e3e704c842258f282497a5fda686ea36c04a489297e654ff64f37d9cfd5eaa68aa155259c4c32191942e00922a6470fb3cee3

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
76KB

MD5
f82f8979a4a13443465305d237920901

SHA1
f190bbe1f7f1d9501d8dcaec26564426cb74b46a

SHA256
d51511b84943aa2b27f57d45f18421d073fa84214d0984e4ae920526bbe84482

SHA512
7175f2389cfb963d4992acbfadf61dcff9b82ff41fa4ebd7dd1a2bec83c0624c9575a0e2aade83582b66dd8c47b64067049629b7821263ef6a9972226e86c881

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
76KB

MD5
a8893306dbf0959d59e45fdf915e4c97

SHA1
fad656fdce1ea9d881f0a69bd2aee2a95b49ffa2

SHA256
a43821e352313274cd3860e2bef8affe1a5b57b4ec9a1e5fc2f96958fc600945

SHA512
bec0fd15b785ac2550ed9062c52fd3458472cc31e7ff011c6a033acf1da25231f4ae6ce162022ce5d5a13005e7eaddc14de0fb51f04038f64e9a7988822501af

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
76KB

MD5
efcbced20641f4bda3e82f66d6250c51

SHA1
e63de3253c896d3965d341aeb3e0c05ef20860bd

SHA256
6d2c6e621ca778c39d42a72a99d00488f94ec58f9231cb804498e0d2aa61ce6b

SHA512
f40dce08186836c0f2ee3c6bc7f992c7d445ffdfab6844e47b85bdde78554a27a5fc66b91d74d41ea4e66894b96f6f52f8829d84614c95aafe28191895a13dfa

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
76KB

MD5
89daf3eb2499e94ab143be96de3a5089

SHA1
4b606a72cd35e8a9038614e28bdf0c56f362ce34

SHA256
3d7076526cc420a4870245179b6be0481f0bfa41c3f9fe0cb624f79ed88c691f

SHA512
3a92be8f832cfb8899729b7c245331706c9e1ee511938d330033fe49134c7b79340dd4f09e9cba39b607f714f935fa43d79c2587e0721170eddc77607b77340d

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
76KB

MD5
694f066ce8c0fb458da4548c601bd1e9

SHA1
b0180ed832027d8575c48c60c6f9165b4ad2bebf

SHA256
8b54d830b9f6387779605c0fb8dfa751b9afcdae313e28461ec126842777f990

SHA512
b296e63cb5cd22a3fd5fbaaef4207ebedffc43ccd963517fbe017c0413a713b76ba67b2ff64dd541b4a27134f0af27286478b9fe1385e049a58171cb9c4f1247

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
76KB

MD5
c6e2a4551bb141c797663bd484e725af

SHA1
1976753d34243f5b92aeea277958d4f533e2904e

SHA256
c997341e34311e3efdbeb3b5b00b66ef1dcbed3ec3b668fe47b8a0accb0a59ba

SHA512
020240d2dd824c99c4eec5f9ceefa51e0627a0faf116f81fcb8226a4e0e6d60efe1dcbedde33d90090421d28b8179f2ecc68f45984ea8d32f23a6867e2d43d5d

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
76KB

MD5
36dfb6f98dca0d41464a8a99f15db4f3

SHA1
4a74d7699fb797149a2845648b209cb281186556

SHA256
dbbcd82e217200e3d22be4e8c64c5005e14d2a7399b79235f94517e6f83b9470

SHA512
555a544698e82ac72625ace551e8d812e5b5c87464afbd74c2eca2c2f931607cd08cdf166acbca6b4acc8ea8ca043289ca66c7d166901ca720c372a0580c3a9d

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
76KB

MD5
6d3c524c29075e30d0926f69fd773954

SHA1
eea8fb865e4efef152e94c5e3451939869cbad40

SHA256
0ad06337925282f69f761e639b1e49cea371290eab29416c49c9330a21b48d3e

SHA512
f7035593166d33ae5e7658f064d668539b991ce74e36de923782c94791f0adff7c0c3f86e38e657e498ece4d88ecc719aac7b79f58c4e8e533ba68a3520e2b4c

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
76KB

MD5
230a8ac2061664d8e6311b0f86a8a44b

SHA1
093fe1809c0d8ff040646e9682e97e935dfdfd96

SHA256
1405266ca82747324cc71300b6ebe63dd0245fa726328218b970e8714ec74b64

SHA512
d6164ee3ec69d86859323ac32e4661f64ad5b061840aa39a724ec86da77b2eacf5fe0be7b83d0f919bf087796541793aa66861ea660f5f16edb25ff9bbaa2ca5

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
76KB

MD5
3abf641da9a86667197100c6382c6b75

SHA1
881619145324540e22dc303cc2e95f85ff420e70

SHA256
27d14d348a9214d618d6d3cf3092594fab647f722285eea25ae67abc97a3550d

SHA512
fda73164d97e8aee49d19537a29c39ec9a0062bab6651e113ecd94704c9bd03ccd43c39b00c9d377c0d3ff15f70f35668ebf27c139be57a3ed592717f6b4aeec

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
76KB

MD5
b3c5df6d74940d365c85763c5de71a95

SHA1
fd6f8d5dd74879a56c25db128284b29d27857219

SHA256
414d620ae550c4d7aa6e18ca205dcb2f0d3068a2ac22915e95aa1f74a1cbe65a

SHA512
487ca9501349c8038b53125f19e4f5415e4695c921d9dcdac076578d14fc24f7b2ef1293a607da9f92626541285c9746f7cd78ac44b7eaac03a31209334b4d6b

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
76KB

MD5
cf8083dd15495838b263a4993ef0b6de

SHA1
b13651803a561d119cc7b894d09964f10ac519ed

SHA256
31efa0cd4630c0e750b632faebd425655aef93a5653862be384e0ef37bb084a6

SHA512
a6303a9cf55347f2a32e8c1d63aa8f380438d34c7596fd6fe1053b0ec9bc9b6b0060b62178efc2dea548b0e34c78ad6e7153eff01ce4fd1356e22fff11ebef97

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
76KB

MD5
88e7b4999c13dd8070bee6ef660d4c81

SHA1
fce4b70f0f5d73c90d525822fec367b3cad0f5b4

SHA256
e2041bbe4ab8a8553c1692e186bd9ff452f36a592f505dc6d07c8e12fa7db759

SHA512
3a1c14b02ff98237bb71affc9cf460adc74c37b3a8e905da97167b978a2218500ca6e9a8fa63eb926d82faf18a1824b83dfadd8ae44b6f111ff93e397d6e279e

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
76KB

MD5
7b0fdb7fc4c28ffd7589360e8915eace

SHA1
d135d0f46a27832e94780a3acb0957d502227709

SHA256
7bbff722874bdb129caf75e0e6657edcf0bab37c201a1d43c2a1aa55da7c6cdb

SHA512
b58efa718e7e585a8d4b7d26309ff4fffed73066bd0e7101df02173ff33d3e36d1b1abc512adb944e0f3285d72e95df134952bf13ee959729e80392af44993df

Download Submit
memory/232-323-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/436-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/772-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/852-216-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/876-340-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/916-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1072-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1080-200-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1096-535-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1116-342-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1136-510-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1224-396-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1228-248-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1244-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1284-372-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1304-306-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1404-456-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1448-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1468-576-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1488-561-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1488-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1748-504-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1776-282-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1796-294-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1916-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1940-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1952-528-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2000-316-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2176-468-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2208-569-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2332-257-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2336-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2420-474-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2516-522-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2576-358-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2656-568-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2656-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2704-541-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2728-300-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2756-209-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2840-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2844-462-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3044-120-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3048-136-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3052-408-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3084-480-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3100-582-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3100-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3108-384-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3136-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3168-378-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3196-402-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3212-420-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3264-486-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3268-575-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3268-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3296-450-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3360-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3364-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3396-444-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3472-534-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3472-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/3472-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3500-334-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3528-426-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3532-498-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3544-288-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3704-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3964-589-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3964-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4052-371-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4064-360-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4172-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4176-492-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4208-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4228-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4228-554-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4280-128-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4292-390-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4360-516-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4440-555-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4456-276-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4516-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4536-185-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4564-432-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4648-192-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4752-324-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4788-348-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4820-414-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4852-562-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4924-547-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4924-9-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4932-583-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4988-438-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5044-548-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5096-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads