berbew | 7f52902d5e8f59c694531a2f57e77ed33746760e0c86e085fba0c009efd0c3aa

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17/11/2024, 07:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f52902d5e8f59c694531a2f57e77ed33746760e0c86e085fba0c009efd0c3aaN.exe
Size

163KB
MD5

c4b2ce80a29b89337367272578876e80
SHA1

133246a6f4e1053a3379bdda1c46ae76f110de0f
SHA256

7f52902d5e8f59c694531a2f57e77ed33746760e0c86e085fba0c009efd0c3aa
SHA512

ca51f8b2abde579a1e5c51a4979d56f76c71f721ecc3113c4728823ec806fe512a6cc9a4b7c49131dfd9e0149fa4be992fb5d48602c9798e46561e926923ad5a
SSDEEP

1536:P02+WIu5QXcAG+FKtYW9nJ7rMlProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:82+WTQXu+ItB9JvMltOrWKDBr+yJb

Score

10^/10

berbew gozi backdoor banker discovery isfb persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Extracted

Family

gozi

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hihbijhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmpgldhg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kefkme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lffhfh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hihbijhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmjdjgjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iemppiab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcefno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfqlnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbeidl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfkaag32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Likjcbkc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	7f52902d5e8f59c694531a2f57e77ed33746760e0c86e085fba0c009efd0c3aaN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmfkoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jplfcpin.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmncnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghaliknf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klljnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ligqhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmiciaaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlefklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfembo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iefioj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kedoge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lffhfh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkmefd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ickchq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlampmdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anogiicl.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Gozi family
gozi

Executes dropped EXE 64 IoCs

pid	Process
3436	Gkmlofol.exe
2768	Gbgdlq32.exe
1056	Gdeqhl32.exe
4756	Ghaliknf.exe
3976	Gfembo32.exe
2824	Gkaejf32.exe
3648	Gblngpbd.exe
4192	Gdjjckag.exe
3808	Hkdbpe32.exe
4988	Hckjacjg.exe
4008	Hihbijhn.exe
2716	Hkfoeega.exe
2312	Hbpgbo32.exe
2168	Heocnk32.exe
1824	Hmfkoh32.exe
1552	Hodgkc32.exe
2684	Hbbdholl.exe
3924	Hkkhqd32.exe
5100	Hfqlnm32.exe
828	Hioiji32.exe
544	Hmjdjgjo.exe
3392	Hkmefd32.exe
692	Hfcicmqp.exe
1448	Iefioj32.exe
2128	Icgjmapi.exe
1896	Iehfdi32.exe
4720	Ikbnacmd.exe
2444	Iblfnn32.exe
4708	Iifokh32.exe
4812	Ickchq32.exe
2024	Iemppiab.exe
3256	Ipbdmaah.exe
4904	Ibqpimpl.exe
3360	Iikhfg32.exe
1268	Ilidbbgl.exe
1628	Icplcpgo.exe
2304	Jimekgff.exe
620	Jlkagbej.exe
3600	Jbeidl32.exe
3816	Jedeph32.exe
4440	Jmknaell.exe
3956	Jcefno32.exe
2584	Jfcbjk32.exe
3332	Jianff32.exe
2956	Jplfcpin.exe
5084	Jfeopj32.exe
2796	Jmpgldhg.exe
2960	Jpnchp32.exe
628	Klljnp32.exe
3760	Kpgfooop.exe
424	Kedoge32.exe
3020	Klngdpdd.exe
1388	Kbhoqj32.exe
3492	Kefkme32.exe
4016	Kmncnb32.exe
4400	Kdgljmcd.exe
1236	Lffhfh32.exe
4736	Lmppcbjd.exe
2440	Ldjhpl32.exe
3612	Lfhdlh32.exe
4080	Ligqhc32.exe
3372	Llemdo32.exe
4572	Lfkaag32.exe
2932	Liimncmf.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Jfcbjk32.exe	Jcefno32.exe
File created	C:\Windows\SysWOW64\Nggjdc32.exe	Ndhmhh32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Kpgfooop.exe	Klljnp32.exe
File created	C:\Windows\SysWOW64\Aihbcp32.dll	Mlampmdo.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Hihbijhn.exe	Hckjacjg.exe
File opened for modification	C:\Windows\SysWOW64\Ickchq32.exe	Iifokh32.exe
File created	C:\Windows\SysWOW64\Oomibind.dll	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Hkdbpe32.exe	Gdjjckag.exe
File created	C:\Windows\SysWOW64\Lmgfda32.exe	Likjcbkc.exe
File created	C:\Windows\SysWOW64\Lemphdgj.dll	Mgkjhe32.exe
File created	C:\Windows\SysWOW64\Jfcbjk32.exe	Jcefno32.exe
File created	C:\Windows\SysWOW64\Gaiann32.dll	Mdhdajea.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Gdjjckag.exe	Gblngpbd.exe
File created	C:\Windows\SysWOW64\Iedoeq32.dll	Gdjjckag.exe
File opened for modification	C:\Windows\SysWOW64\Ipbdmaah.exe	Iemppiab.exe
File created	C:\Windows\SysWOW64\Bebblb32.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Ogbipa32.exe	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Ciopbjik.dll	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Klngdpdd.exe	Kedoge32.exe
File created	C:\Windows\SysWOW64\Oolpjdob.dll	Lfkaag32.exe
File created	C:\Windows\SysWOW64\Lpebpm32.exe	Lmgfda32.exe
File created	C:\Windows\SysWOW64\Ohkhqj32.dll	Lmiciaaj.exe
File created	C:\Windows\SysWOW64\Mnebeogl.exe	Mgkjhe32.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Ojaelm32.exe	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Nilcjp32.exe	Ndokbi32.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Lbkdpj32.dll	Gkmlofol.exe
File created	C:\Windows\SysWOW64\Fpeohm32.dll	Hfqlnm32.exe
File opened for modification	C:\Windows\SysWOW64\Iemppiab.exe	Ickchq32.exe
File opened for modification	C:\Windows\SysWOW64\Jimekgff.exe	Icplcpgo.exe
File opened for modification	C:\Windows\SysWOW64\Anadoi32.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Hafgeo32.dll	Ghaliknf.exe
File opened for modification	C:\Windows\SysWOW64\Kbhoqj32.exe	Klngdpdd.exe
File created	C:\Windows\SysWOW64\Llemdo32.exe	Ligqhc32.exe
File opened for modification	C:\Windows\SysWOW64\Llemdo32.exe	Ligqhc32.exe
File created	C:\Windows\SysWOW64\Gdeqhl32.exe	Gbgdlq32.exe
File opened for modification	C:\Windows\SysWOW64\Ldoaklml.exe	Liimncmf.exe
File created	C:\Windows\SysWOW64\Chfgkj32.dll	Nilcjp32.exe
File created	C:\Windows\SysWOW64\Ageolo32.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Bcjlcn32.exe	Bnmcjg32.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Ihjahg32.dll	7f52902d5e8f59c694531a2f57e77ed33746760e0c86e085fba0c009efd0c3aaN.exe
File opened for modification	C:\Windows\SysWOW64\Jmpgldhg.exe	Jfeopj32.exe
File created	C:\Windows\SysWOW64\Bmfpfmmm.dll	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Ofqpqo32.exe	Ocbddc32.exe
File created	C:\Windows\SysWOW64\Qcgffqei.exe	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Gfmccd32.dll	Nljofl32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6436	6244	WerFault.exe	278

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbeidl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmlpoqpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmppcbjd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hihbijhn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iemppiab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ipbdmaah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icplcpgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldjhpl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nljofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7f52902d5e8f59c694531a2f57e77ed33746760e0c86e085fba0c009efd0c3aaN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liimncmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfeopj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmiciaaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iikhfg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmpgldhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klljnp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kefkme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llemdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Medgncoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gkaejf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkdbpe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpebpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nebdoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gblngpbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ickchq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdgljmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldoaklml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghaliknf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iblfnn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbhoqj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Migjoaaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gfembo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hfcicmqp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfcbjk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hbbdholl.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hkmefd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aomaga32.dll"	Lmgfda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifndpaoq.dll"	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccdlci32.dll"	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iehfdi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iledokkp.dll"	Iifokh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nljofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlineehd.dll"	Lmppcbjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lfkaag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciopbjik.dll"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efmolq32.dll"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npibja32.dll"	Ilidbbgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbeidl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cefofm32.dll"	Jedeph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmgfda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jlkagbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilkmnni.dll"	Onjegled.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kedoge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chfgkj32.dll"	Nilcjp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hkkhqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpgfooop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjegoo32.dll"	Hbpgbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgdjapoo.dll"	Ipbdmaah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmiciaaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnphnen.dll"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmpijp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gkaejf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghkmacoj.dll"	Jfeopj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oolpjdob.dll"	Lfkaag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hflheb32.dll"	Liimncmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4152 wrote to memory of 3436	4152	7f52902d5e8f59c694531a2f57e77ed33746760e0c86e085fba0c009efd0c3aaN.exe	83
PID 4152 wrote to memory of 3436	4152	7f52902d5e8f59c694531a2f57e77ed33746760e0c86e085fba0c009efd0c3aaN.exe	83
PID 4152 wrote to memory of 3436	4152	7f52902d5e8f59c694531a2f57e77ed33746760e0c86e085fba0c009efd0c3aaN.exe	83
PID 3436 wrote to memory of 2768	3436	Gkmlofol.exe	84
PID 3436 wrote to memory of 2768	3436	Gkmlofol.exe	84
PID 3436 wrote to memory of 2768	3436	Gkmlofol.exe	84
PID 2768 wrote to memory of 1056	2768	Gbgdlq32.exe	85
PID 2768 wrote to memory of 1056	2768	Gbgdlq32.exe	85
PID 2768 wrote to memory of 1056	2768	Gbgdlq32.exe	85
PID 1056 wrote to memory of 4756	1056	Gdeqhl32.exe	86
PID 1056 wrote to memory of 4756	1056	Gdeqhl32.exe	86
PID 1056 wrote to memory of 4756	1056	Gdeqhl32.exe	86
PID 4756 wrote to memory of 3976	4756	Ghaliknf.exe	88
PID 4756 wrote to memory of 3976	4756	Ghaliknf.exe	88
PID 4756 wrote to memory of 3976	4756	Ghaliknf.exe	88
PID 3976 wrote to memory of 2824	3976	Gfembo32.exe	90
PID 3976 wrote to memory of 2824	3976	Gfembo32.exe	90
PID 3976 wrote to memory of 2824	3976	Gfembo32.exe	90
PID 2824 wrote to memory of 3648	2824	Gkaejf32.exe	91
PID 2824 wrote to memory of 3648	2824	Gkaejf32.exe	91
PID 2824 wrote to memory of 3648	2824	Gkaejf32.exe	91
PID 3648 wrote to memory of 4192	3648	Gblngpbd.exe	92
PID 3648 wrote to memory of 4192	3648	Gblngpbd.exe	92
PID 3648 wrote to memory of 4192	3648	Gblngpbd.exe	92
PID 4192 wrote to memory of 3808	4192	Gdjjckag.exe	93
PID 4192 wrote to memory of 3808	4192	Gdjjckag.exe	93
PID 4192 wrote to memory of 3808	4192	Gdjjckag.exe	93
PID 3808 wrote to memory of 4988	3808	Hkdbpe32.exe	95
PID 3808 wrote to memory of 4988	3808	Hkdbpe32.exe	95
PID 3808 wrote to memory of 4988	3808	Hkdbpe32.exe	95
PID 4988 wrote to memory of 4008	4988	Hckjacjg.exe	96
PID 4988 wrote to memory of 4008	4988	Hckjacjg.exe	96
PID 4988 wrote to memory of 4008	4988	Hckjacjg.exe	96
PID 4008 wrote to memory of 2716	4008	Hihbijhn.exe	97
PID 4008 wrote to memory of 2716	4008	Hihbijhn.exe	97
PID 4008 wrote to memory of 2716	4008	Hihbijhn.exe	97
PID 2716 wrote to memory of 2312	2716	Hkfoeega.exe	98
PID 2716 wrote to memory of 2312	2716	Hkfoeega.exe	98
PID 2716 wrote to memory of 2312	2716	Hkfoeega.exe	98
PID 2312 wrote to memory of 2168	2312	Hbpgbo32.exe	99
PID 2312 wrote to memory of 2168	2312	Hbpgbo32.exe	99
PID 2312 wrote to memory of 2168	2312	Hbpgbo32.exe	99
PID 2168 wrote to memory of 1824	2168	Heocnk32.exe	100
PID 2168 wrote to memory of 1824	2168	Heocnk32.exe	100
PID 2168 wrote to memory of 1824	2168	Heocnk32.exe	100
PID 1824 wrote to memory of 1552	1824	Hmfkoh32.exe	101
PID 1824 wrote to memory of 1552	1824	Hmfkoh32.exe	101
PID 1824 wrote to memory of 1552	1824	Hmfkoh32.exe	101
PID 1552 wrote to memory of 2684	1552	Hodgkc32.exe	102
PID 1552 wrote to memory of 2684	1552	Hodgkc32.exe	102
PID 1552 wrote to memory of 2684	1552	Hodgkc32.exe	102
PID 2684 wrote to memory of 3924	2684	Hbbdholl.exe	103
PID 2684 wrote to memory of 3924	2684	Hbbdholl.exe	103
PID 2684 wrote to memory of 3924	2684	Hbbdholl.exe	103
PID 3924 wrote to memory of 5100	3924	Hkkhqd32.exe	104
PID 3924 wrote to memory of 5100	3924	Hkkhqd32.exe	104
PID 3924 wrote to memory of 5100	3924	Hkkhqd32.exe	104
PID 5100 wrote to memory of 828	5100	Hfqlnm32.exe	105
PID 5100 wrote to memory of 828	5100	Hfqlnm32.exe	105
PID 5100 wrote to memory of 828	5100	Hfqlnm32.exe	105
PID 828 wrote to memory of 544	828	Hioiji32.exe	106
PID 828 wrote to memory of 544	828	Hioiji32.exe	106
PID 828 wrote to memory of 544	828	Hioiji32.exe	106
PID 544 wrote to memory of 3392	544	Hmjdjgjo.exe	107

C:\Users\Admin\AppData\Local\Temp\7f52902d5e8f59c694531a2f57e77ed33746760e0c86e085fba0c009efd0c3aaN.exe
"C:\Users\Admin\AppData\Local\Temp\7f52902d5e8f59c694531a2f57e77ed33746760e0c86e085fba0c009efd0c3aaN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4152
- C:\Windows\SysWOW64\Gkmlofol.exe
  C:\Windows\system32\Gkmlofol.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3436
- - C:\Windows\SysWOW64\Gbgdlq32.exe
    C:\Windows\system32\Gbgdlq32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Windows\SysWOW64\Gdeqhl32.exe
      C:\Windows\system32\Gdeqhl32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1056
    - - C:\Windows\SysWOW64\Ghaliknf.exe
        
        C:\Windows\system32\Ghaliknf.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4756
      - C:\Windows\SysWOW64\Gfembo32.exe
        
        C:\Windows\system32\Gfembo32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3976
        
        C:\Windows\SysWOW64\Gkaejf32.exe
        
        C:\Windows\system32\Gkaejf32.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\SysWOW64\Gblngpbd.exe
        
        C:\Windows\system32\Gblngpbd.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3648
        
        C:\Windows\SysWOW64\Gdjjckag.exe
        
        C:\Windows\system32\Gdjjckag.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4192
        
        C:\Windows\SysWOW64\Hkdbpe32.exe
        
        C:\Windows\system32\Hkdbpe32.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3808
        
        C:\Windows\SysWOW64\Hckjacjg.exe
        
        C:\Windows\system32\Hckjacjg.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\SysWOW64\Hihbijhn.exe
        
        C:\Windows\system32\Hihbijhn.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4008
        
        C:\Windows\SysWOW64\Hkfoeega.exe
        
        C:\Windows\system32\Hkfoeega.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\SysWOW64\Hbpgbo32.exe
        
        C:\Windows\system32\Hbpgbo32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\SysWOW64\Heocnk32.exe
        
        C:\Windows\system32\Heocnk32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\Hmfkoh32.exe
        
        C:\Windows\system32\Hmfkoh32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\SysWOW64\Hodgkc32.exe
        
        C:\Windows\system32\Hodgkc32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\SysWOW64\Hbbdholl.exe
        
        C:\Windows\system32\Hbbdholl.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\SysWOW64\Hkkhqd32.exe
        
        C:\Windows\system32\Hkkhqd32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3924
        
        C:\Windows\SysWOW64\Hfqlnm32.exe
        
        C:\Windows\system32\Hfqlnm32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\SysWOW64\Hioiji32.exe
        
        C:\Windows\system32\Hioiji32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:828
        
        C:\Windows\SysWOW64\Hmjdjgjo.exe
        
        C:\Windows\system32\Hmjdjgjo.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Windows\SysWOW64\Hkmefd32.exe
        
        C:\Windows\system32\Hkmefd32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3392
        
        C:\Windows\SysWOW64\Hfcicmqp.exe
        
        C:\Windows\system32\Hfcicmqp.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:692
        
        C:\Windows\SysWOW64\Iefioj32.exe
        
        C:\Windows\system32\Iefioj32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1448
        
        C:\Windows\SysWOW64\Icgjmapi.exe
        
        C:\Windows\system32\Icgjmapi.exe
        26⤵
        Executes dropped EXE
        
        PID:2128
        
        C:\Windows\SysWOW64\Iehfdi32.exe
        
        C:\Windows\system32\Iehfdi32.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1896
        
        C:\Windows\SysWOW64\Ikbnacmd.exe
        
        C:\Windows\system32\Ikbnacmd.exe
        28⤵
        Executes dropped EXE
        
        PID:4720
        
        C:\Windows\SysWOW64\Iblfnn32.exe
        
        C:\Windows\system32\Iblfnn32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2444
        
        C:\Windows\SysWOW64\Iifokh32.exe
        
        C:\Windows\system32\Iifokh32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4708
        
        C:\Windows\SysWOW64\Ickchq32.exe
        
        C:\Windows\system32\Ickchq32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4812
        
        C:\Windows\SysWOW64\Iemppiab.exe
        
        C:\Windows\system32\Iemppiab.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Windows\SysWOW64\Ipbdmaah.exe
        
        C:\Windows\system32\Ipbdmaah.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3256
        
        C:\Windows\SysWOW64\Ibqpimpl.exe
        
        C:\Windows\system32\Ibqpimpl.exe
        34⤵
        Executes dropped EXE
        
        PID:4904
        
        C:\Windows\SysWOW64\Iikhfg32.exe
        
        C:\Windows\system32\Iikhfg32.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3360
        
        C:\Windows\SysWOW64\Ilidbbgl.exe
        
        C:\Windows\system32\Ilidbbgl.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1268
        
        C:\Windows\SysWOW64\Icplcpgo.exe
        
        C:\Windows\system32\Icplcpgo.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Windows\SysWOW64\Jimekgff.exe
        
        C:\Windows\system32\Jimekgff.exe
        38⤵
        Executes dropped EXE
        
        PID:2304
        
        C:\Windows\SysWOW64\Jlkagbej.exe
        
        C:\Windows\system32\Jlkagbej.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:620
        
        C:\Windows\SysWOW64\Jbeidl32.exe
        
        C:\Windows\system32\Jbeidl32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3600
        
        C:\Windows\SysWOW64\Jedeph32.exe
        
        C:\Windows\system32\Jedeph32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3816
        
        C:\Windows\SysWOW64\Jmknaell.exe
        
        C:\Windows\system32\Jmknaell.exe
        42⤵
        Executes dropped EXE
        
        PID:4440
        
        C:\Windows\SysWOW64\Jcefno32.exe
        
        C:\Windows\system32\Jcefno32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3956
        
        C:\Windows\SysWOW64\Jfcbjk32.exe
        
        C:\Windows\system32\Jfcbjk32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2584
        
        C:\Windows\SysWOW64\Jianff32.exe
        
        C:\Windows\system32\Jianff32.exe
        45⤵
        Executes dropped EXE
        
        PID:3332
        
        C:\Windows\SysWOW64\Jplfcpin.exe
        
        C:\Windows\system32\Jplfcpin.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2956
        
        C:\Windows\SysWOW64\Jfeopj32.exe
        
        C:\Windows\system32\Jfeopj32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Jmpgldhg.exe
        
        C:\Windows\system32\Jmpgldhg.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Windows\SysWOW64\Jpnchp32.exe
        
        C:\Windows\system32\Jpnchp32.exe
        49⤵
        Executes dropped EXE
        
        PID:2960
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:628
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3760
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:424
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3020
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1388
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3492
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4016
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4400
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1236
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4736
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2440
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        61⤵
        Executes dropped EXE
        
        PID:3612
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4080
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3372
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4572
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2932
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:1080
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3080
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        70⤵
        
        PID:800
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:452
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        72⤵
        
        PID:372
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:1204
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:4232
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        75⤵
        
        PID:536
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2032
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        77⤵
        Drops file in System32 directory
        
        PID:5096
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3128
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        79⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        80⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1700
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        82⤵
        Drops file in System32 directory
        
        PID:4180
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1624
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        84⤵
        Drops file in System32 directory
        
        PID:1404
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1124
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:2132
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        88⤵
        Modifies registry class
        
        PID:3984
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        89⤵
        
        PID:448
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        90⤵
        
        PID:640
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1384
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:5104
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        93⤵
        Drops file in System32 directory
        
        PID:1272
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        94⤵
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5184
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        96⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        97⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        98⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        99⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5400
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        100⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5512
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        102⤵
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:5604
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        104⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:5736
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        106⤵
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        107⤵
        Modifies registry class
        
        PID:5860
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        108⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5940
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        110⤵
        Drops file in System32 directory
        
        PID:5992
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        111⤵
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6084
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:5128
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:5192
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        115⤵
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        116⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        117⤵
        Drops file in System32 directory
        
        PID:5424
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        119⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:5720
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        122⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        123⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6000
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        124⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6072
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5148
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5388
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        129⤵
        System Location Discovery: System Language Discovery
        
        PID:5644
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        130⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        131⤵
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        132⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        133⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        135⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        136⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        138⤵
        System Location Discovery: System Language Discovery
        
        PID:5384
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5716
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        140⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6052
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5488
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:5756
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        143⤵
        Modifies registry class
        
        PID:5804
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        144⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5852
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        146⤵
        Modifies registry class
        
        PID:4796
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        147⤵
        Drops file in System32 directory
        
        PID:836
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        148⤵
        Drops file in System32 directory
        
        PID:3668
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        149⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6164
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        150⤵
        System Location Discovery: System Language Discovery
        
        PID:6208
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        151⤵
        
        PID:6252
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6296
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        153⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6340
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        154⤵
        Modifies registry class
        
        PID:6384
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6428
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6472
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        157⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6516
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6560
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6604
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        160⤵
        
        PID:6648
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        161⤵
        Modifies registry class
        
        PID:6688
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        162⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        163⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        164⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6812
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6848
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        166⤵
        
        PID:6888
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6928
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        168⤵
        Modifies registry class
        
        PID:6968
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        169⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        170⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7048
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        171⤵
        Drops file in System32 directory
        
        PID:7088
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7148
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        173⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6176
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6236
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6316
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6368
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6448
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        178⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        179⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        180⤵
        System Location Discovery: System Language Discovery
        
        PID:6612
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6684
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        182⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6744
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        183⤵
        Modifies registry class
        
        PID:6808
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        184⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6884
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        185⤵
        Drops file in System32 directory
        
        PID:6956
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7000
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        187⤵
        
        PID:7064
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        188⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7156
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        189⤵
        
        PID:6244
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6244 -s 396
        190⤵
        Program crash
        
        PID:6436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6244 -ip 6244
1⤵
PID:6352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
163KB

MD5
c4228a092c3acd634ea1aa7812623dd8

SHA1
ae2fb2b156a22c88ec58a07ad3a7d3f3a596dee1

SHA256
4674474b9e31b4ca03c66ad297d715ce2e32a8bd4c1f22075554356bb2b5468e

SHA512
335b4a259622217d8daa659e78e34f87dbc0c3b860d5c33e75b5b04565a343aa98398bc579d17239c49fb3ea148c34bd016b2560edfd3f72853a1f507b0b8ac3

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
163KB

MD5
5d312f6e9b8d6dc493f1abcb19a2629d

SHA1
664b652729aab32c65d294279368d1c6d041551c

SHA256
28c4aaa37d44ed256ccc34f81947479fc3e83b23f6aa1e91206b39762472b039

SHA512
67d20b3b83e209fc2a757482839071199e0793c8c64206259660c5dbc25c4d656b2003c28d97c304e7ce695f58abcbaca81e5c4ae9c012334babec7bac8818a1

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
163KB

MD5
b945657ea2d8a1aa0ea1adba4a6ccc84

SHA1
e1d12d449f5ddf7663ad0082e88f33d6d48526a2

SHA256
a768e1e69cfe89d416058a7accee53c06e2a36464ae4c953566d4aeed611e69c

SHA512
c38ec37b8f429f05162e6370f916deee374d19046df7c9964d681f72b83b97ac8867c74f0ed223c95cf001439219a90b238a06114da5a17da67f14cd5e258f5b

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
163KB

MD5
0155d3d110a7e3dc7b06888f34aa69d4

SHA1
fb54a88afec71e40df1b612751162ae45078dd7c

SHA256
1778f6393abc90dc8168b232e203c2db5fb2df283b6da91585f498838ee5afe4

SHA512
00825c301ab70537e22c54a4776cac7b150914d7bf83ba6b0ef2427be00287f78504d5465fef1a828fcff6df0d9fccd7cf86d35d98f2fdf90ada8dead20c9156

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
163KB

MD5
00f144d050e0c6902e9b6425764829bd

SHA1
86796e8f9e9b47c0a6c4ae4781e179d2d2e90848

SHA256
457b94c6c5fcca9608b3be5c5e960d4b63bd37a0aee5a281a04446c9cc97e22a

SHA512
f55b3940257aac7a3e24a667f3ad30e3bd5592b1ae939269ce4c7f4aaa7c1b2b41ef4ec4d2eac6d97e4852253d99f3d5e117799b570f2c06da4e8a781df12913

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
163KB

MD5
3b6621c7210781d67ea5e885a513f60a

SHA1
f1d7b717af2e5bbd17c8de154791f7ce07cb52be

SHA256
f1e4fee07b2d26511e7c5ca8d994fcf60e3e9db9ebb65ae6e7a9e14b55323b02

SHA512
2f7745193db1b9880550233f87dcae78eb203120b15973726383a988f8a0a78b83b86e7593030f2d24b5b73acf9172535cd00a2f1b9db9396d4c8275025b0f02

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
64KB

MD5
ff99920a7fcb2c5dba8474298511b92b

SHA1
9142ef0a4b1ec1bfeb5a8b521bef962ee59acf4a

SHA256
a108b1da20b77833cd29d962eb7c0d24830b532e258c59fb0b3ffcff9908fdce

SHA512
0a91fe0130e56c0f618c5671856b322fe3e2519699980d96ac7ecf7863aa054ec2a7d732416ac403ee0464ffb3a7009d174355f713efc3bfb39efc266c027f72

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
163KB

MD5
d9a0b610b8eb432b46107fc2f86778bc

SHA1
78c186ce7b6dc8fe0152f5a89b03d196964e68b3

SHA256
c31fc94067c44143295bdcd25bc362d66fca3f7dfad8f36d382198ab3c1be4e2

SHA512
18ef89ec06fa19783b99bf896b674db56502b47e515e9a109ff382d8a8f6714c56160b8734ac2d677098b2be870457968fa0f8bc6708a2b9efa3fd0cbb89f51b

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
163KB

MD5
4984a56255b501ece94dadbd1bd11a69

SHA1
dae095e8fcf5a377a35447580572104f5c08162f

SHA256
6cecfdc266bb5ba1de79e897ecd86f367de5c333662a73780c19527c86b5364f

SHA512
23d86150034161a72220ce7a50fba572f6f9c0480fc348cf8c3a08700d1104376aa08e6ff6e0b9e2a2e2cd9dac67913397ecf094047c5daa0063d9ea24b9b27c

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
163KB

MD5
ed5802aa9fbae2878acfa8d818b91e48

SHA1
e3444b665e3d61f587498df89581a1222ed16e7a

SHA256
4848c7c0f9ae5bac0a5d771da385dc9fc12e8bb4d557fb2c50dad5f4c123bbbc

SHA512
74f532ed33bf8b723032655c1cb63ee0dbdb7958231b511e10c991623c6656d833afaf69d835d26e3d1089b4faa3dcf48bf76dcf96190884d7813e5e2c2a7552

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
163KB

MD5
bd59fde5c67a00f9835e27749c53160b

SHA1
f954dff9f9c6f1fc5602aad33b442a5b8767fe06

SHA256
2ba9d110cc15b4cd188f54acf9dcf3d293cb313d91ce879e082f56cc88762980

SHA512
8065215c96148a2011cc4e00f458bcd6725fb2116033cd8dace63ae930095ea46c1a4f0952de07c0758e69e55cf5d8075f7e18af71d2e6b3efd8bf3b6c9b4054

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
163KB

MD5
a72769296ed5c047ad441068814cd0a2

SHA1
a14b74caf4e84daee9e6df0fc5ade6ea5611f120

SHA256
be51ef7da61d2b99248ac531c35832f3ae99b1d27e86822daeb92b98e10c0466

SHA512
04791208a0520c973d8fda49cac2a4d810ec462bd5a768029f7d7c9c7c68fb9c75a1542734c0dd1af640664f284e4f0d12fca4d7ff20966dd76803b0babc3e6b

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
163KB

MD5
4e398b03d66629ba5637529fe76fda28

SHA1
6e73f054b2a4792c91fd8079ad38cbfba07f9a72

SHA256
06bdf52a950e8b79d84f77f90d3f540cd8ee99026b41773a53c89c11bbadcff0

SHA512
f1e311f268aea15d457e26745867da1767ad9c8d2211384d4675f2ba8b8ac3fa4e1da0405e763301a590812daa483219b5be6d9dc8d6f1c93dd50be98552a116

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
163KB

MD5
da2eb0e810a1ba192c3c8894d5b2cf45

SHA1
a0797fcf8224890b0b7a812852c023522ef2eb65

SHA256
b68b3786aab6713d2d74f129d123bdbb4966ad966a86bbc2ac1ebf5d46497b8f

SHA512
00266762c87380ff4c14885083a61c8f2de703f37be7543ca2f71c4f97b4bc9962d4d5bac46cf3ffd829b792d2de36f3f0d95a4b61efd476380face229cafa85

Download Submit
C:\Windows\SysWOW64\Gbgdlq32.exe

Filesize
163KB

MD5
29306f2b2a5e3a51af52be480d8c3204

SHA1
b0575269db65affc091498897065f3e23bc3a6d9

SHA256
8b1614fc2e2fd7da22e6da4cbb086dc6c82bf755b9d8af39c2d72d5ab6d78c09

SHA512
5db541bf4124644ad8e8b39042ad5a8d121eeea868210337c38e5591bb85f2f6266aa5a947ee2f9510e7ae4a6f3dd0d2eb5aec6307bd3c104fd488f51bbf4bc2

Download Submit
C:\Windows\SysWOW64\Gblngpbd.exe

Filesize
163KB

MD5
2e40e7800c134e482b2d25ac95d90ae7

SHA1
6e787cd4d2c3a00c2064fbab00ec622e839de20e

SHA256
768190602f67f52de3e283333da1bdd4d3681c2d3e175a841688c4d4c1307f0d

SHA512
dd3a92acff941e29bcf88c986a6e8f760a87a8b51cc13c78f1af4ac6f47420f37da49ce849ad005dbd665b5f62484f873e75b632f01eb48ffc5544bf35605475

Download Submit
C:\Windows\SysWOW64\Gdeqhl32.exe

Filesize
163KB

MD5
39bae0b3d56a614c5411b7bbbb8a1d81

SHA1
c63981618922580207133f7f37ee0ec4bd98823d

SHA256
b9594ca5ea000049c412e6e7d1d17e1a604c22f24f14e0c751466b86fd2184b3

SHA512
10e630c6e1099e57fa07b68956cfeb255a7f1c4f928c1aec39db0d9801b956a5e2dc87917c6c708e5ca2928fabc72bce86b328db05aef7947443851089b1ada3

Download Submit
C:\Windows\SysWOW64\Gdjjckag.exe

Filesize
163KB

MD5
ca73633ccd21037878c6ac5b442fc79a

SHA1
f2f916f7124d899c5733552b49321f0b7fcf8741

SHA256
79e99043e0529fd7f0492eea22eabb9b37ab8d2b93865b176905cb6b3565aeac

SHA512
34d1daa7c74ac923864a4a04e21512ad6cb1369bbc802cfd7e7cc2ff959f176d3f9fde793bef0869924c42757c0510a2396c70ad6214b8359328b1bc25ba7d5d

Download Submit
C:\Windows\SysWOW64\Gfembo32.exe

Filesize
163KB

MD5
2be65c5a02e1764c0ed569e8fdc6528d

SHA1
bda18cc206be912cfa099042bd7b750c398378a5

SHA256
7414c2e633ce03a5f09371c89b4ac45f8b07dbef9c437d25a376f9c7be5705dc

SHA512
0cff75038c681f4088a24d8b82e86f5f590169c02af670a3b85326ac8ce534c6c91cc7aad359aa073091378f82bd54b120916c5174ef950a5e41ed55ccc423e2

Download Submit
C:\Windows\SysWOW64\Ghaliknf.exe

Filesize
163KB

MD5
a70f0acf40877a6426ee1f49c579b96f

SHA1
52ab2c7a67b17c427835c8a1e4519856794060b5

SHA256
b0eb390b5f91903914d9f8ab30d6038ad0d7056e379709932e15181f9b150770

SHA512
44875048292d0195c3de74840b7e9072a17283ddcf00dcb732ed6325c43149a90506ba4496236ee60451aad16e0b490018f30e4fef28009016cb71771ed39e02

Download Submit
C:\Windows\SysWOW64\Gkaejf32.exe

Filesize
163KB

MD5
acd3ae787a3be7a09ecf46d78cddb717

SHA1
481decb1bc6fdfbc86af73c6d146460697b8e433

SHA256
1baf839ffc9fb8d4b1f10772200498f7051062a9f27f153d7af1bba484bc8b1f

SHA512
4dd0d5c05e0fa15992135f0964fee305d0aca3649310bdb07e7ae881c36a6d81bd227619429e05f8887ade16f269d1c702ce9f6d60078c5cf85b5ef87ef6dc9a

Download Submit
C:\Windows\SysWOW64\Gkmlofol.exe

Filesize
163KB

MD5
3614fed892dd175b86db93ca67daa3f5

SHA1
2ab12db8d5133c9199eed2db8b5055f50ce61eb1

SHA256
1481e417a1df821394ebf0df78e81eb98fc8e7989589f5ef762adfb1769a3382

SHA512
820478424d1dc564c2663fb1f196d4991f3ff538b48a7faf68daa845dd53ad4a42f22afb452dcc0a8e330763fa748f7ba1e8a7f4d7dbebf3605b8af2822ab1d5

Download Submit
C:\Windows\SysWOW64\Hbbdholl.exe

Filesize
163KB

MD5
1a00c5ed0649058d3b5f2e7b386f165f

SHA1
b052ed758a169de9a96b7c720191d3933057afdb

SHA256
5b7d2d7c2fff733408eb623a5db4c0d567c0dce9e08325a0eb28cda3037d2a2e

SHA512
9e1e9d04754d40667bc6b0e3a2b9b26d06838d3855040d12374c66bb5340749d21997161ae1506a8e6735804568daa64699d860e60d1c1da21d887fc59f39b7e

Download Submit
C:\Windows\SysWOW64\Hbpgbo32.exe

Filesize
163KB

MD5
71d3bfb358b28a52ce3ecd450389729a

SHA1
0def44d19550b07c4f08f9f747ccdf379fb41ee6

SHA256
bf5964f0a8b9a4612ccfb567eb5e936d7a915f839a87a4ea17ae752f1e8a60b4

SHA512
af4f57e8933a40da220c6eb3e545fcd6d38ca94f555bfc835d8cb5cbde79c3b914d6a1737b1f2e7576657a024f95561ea7d5ba9dda871054d5e55f4ddd73892e

Download Submit
C:\Windows\SysWOW64\Hckjacjg.exe

Filesize
163KB

MD5
95063f0f9f45a99d4d3d2e2267c4def4

SHA1
4fe063770e760bbf695245308c5a422bbb1ae608

SHA256
0aefd05d7eff10a81dddb0774289077deeeccdd689ec4bb3bfb7daa43873c3fb

SHA512
581d66dd6a86d940e454abbb02db08045c48c9c78b7c3eff9983edd6655027fe9efd307fb0ae00d22897d4d4712e478aa62e92189d3ce945264ca5a094851b68

Download Submit
C:\Windows\SysWOW64\Heocnk32.exe

Filesize
163KB

MD5
6762515dfd379e523de6117bfc3dc913

SHA1
d1cb79f241713d83f460304ad7936da3c88af359

SHA256
85f7bc25fdd0d11daf1c8d513a59102b77b1c679025bd552aaacc16e293d0978

SHA512
754f663d5b4f61f244cf2be97b5611171347f2d4ecc25a1637ac786ef4e2dec21a7465ed3ae7a8e42e0832745e7881589f82c7048f2256d073f9b70f54be0c16

Download Submit
C:\Windows\SysWOW64\Hfcicmqp.exe

Filesize
163KB

MD5
e2e63e47509622e3cee6addf9b796358

SHA1
2de7a1c2274757d8aa93cd464bf2c8b9f8426506

SHA256
eb87f773cc28e4104657c242ad5c166b867cf563acba5c034294ed40cd3e2af1

SHA512
15d000265bc2efc94d2342fba55ed91ad9424d82741284e52bab4d9a1bf41c731e9fc50bffd1cc709a18849492206ae034d2364030d3334e88d238cc9c1e29a3

Download Submit
C:\Windows\SysWOW64\Hfqlnm32.exe

Filesize
163KB

MD5
bd6a55e0e20e7fe0a745515defbdb654

SHA1
b973ba11413a6f81bd70191b65617bcb661c3841

SHA256
47ee417b1138c11dc458766fe9b2b121f22f29995f0cd1f3a9f2664ae4cf35db

SHA512
e09bad501ea8c1c4c4e9b35fd1c2424830975ab60c4d13b6ffdef11d8de9c7ac0feae8700da942410c6c92ef0c2905bb5ccb673a4362a8a75f7b19b16d2002d4

Download Submit
C:\Windows\SysWOW64\Hihbijhn.exe

Filesize
163KB

MD5
bccc81a069b0233804027191f9640a1d

SHA1
855bacc4a5ce7777976c74b5a39c6c41ea377f4e

SHA256
87716910bf0ec9ffa62728fbd0d51f9e12b1b055b63201f421a924f2bd182be8

SHA512
d9540ce7da1679fce660bab2b3b4ca9a60e0d09351b1d7632de34cd873e00c8ff41723ef97d6e9e4aa1e8c127e7d57d6339b1b80c0f99fd1beb6ee10452cfc83

Download Submit
C:\Windows\SysWOW64\Hioiji32.exe

Filesize
163KB

MD5
0d7b0a5d33b657e94ab266060329788a

SHA1
71e7c97c0beec498c3d2ad6a688151fac6fd04c7

SHA256
4c0b42b13bbf8a23d4c55c808ac02ebbb187944a4bfc722f4c8137e659aa255d

SHA512
4a9557132bac039136a207930823b9c6348737b97e1ed35835995d159fcc1ae6d3be7ac7f1c7e4610c850cbd541602523f2a2ac9f6924900b8eea47af6b2dbd6

Download Submit
C:\Windows\SysWOW64\Hkdbpe32.exe

Filesize
163KB

MD5
fc7e0c9d049f2f201378a72407d6bb8a

SHA1
40d62c0b5aa0a2c0a1f83312c812d4819bb86c00

SHA256
62603c527870923d5daf6d464a8df25adc25f733d93276eabeddd3dae597ffa5

SHA512
7dae6aa9ba30901b244ac60dee70aa744cfeaa18df9030218128ed194e2b39f7109f9ad97ab682f34129de2ce7bfe865cc6ed2d7aad95dfccd73f75f39e48425

Download Submit
C:\Windows\SysWOW64\Hkfoeega.exe

Filesize
163KB

MD5
db14b1b42aa4ae3e85809a10852328f9

SHA1
241c5f4419f59d99f53fc03d89d83ce3a96d2449

SHA256
6931b7658b82ed831fab312b76cf686e71068bcf51ddf01ce41f3d7f9892c6be

SHA512
df118d7a9a2570d592436aea37bf3250241130e270290b162bf9973ccb99a4a3c2a7e7a1716829f5304573919695355b687afcc16acfb9654ff3621511221f14

Download Submit
C:\Windows\SysWOW64\Hkkhqd32.exe

Filesize
163KB

MD5
8d139f783b995488e620dc504b8ae3af

SHA1
367c2055ba9a3dbb45d25570d7abe490c26b8c7f

SHA256
0980042634701e399d97225d0bb00bf077eaa0b58e4398659610cc616b81200c

SHA512
089826dceefd1b9bd48eaab21836975217a0fee8d0a83b73a53395724f008343b6a1669f88150d6414ebdc1ca84b913a8f925aff04cc52c788e66c5dbc359263

Download Submit
C:\Windows\SysWOW64\Hkmefd32.exe

Filesize
163KB

MD5
0c7232c3a990ac9bd6811fa89e1f1712

SHA1
3b278c65006f2c4b5af6ff8fa6a746a3dac5d079

SHA256
0e43b42e3a2fcdc8444ffcd378062bdf9e1779b964b4db289c36266b9f806cc4

SHA512
e9a92d5888c486cb9017d96b085089db91aaba22561f0bc6e51d20e33a2fe2f966d41ca6d4e32b73b69a1d8d7366841aa83e229b7fe31a69806d8a7de792b0fd

Download Submit
C:\Windows\SysWOW64\Hmfkoh32.exe

Filesize
163KB

MD5
41412da61b740f7414ef52d5d2b27ac4

SHA1
ee98d924817a16853a753ef5f014ad66362e83cf

SHA256
a85572c268f6cc12bdb3f9724d1bf14e073045b229e906f95114d61362725469

SHA512
a780e9d7d075960e8029b30c5f9fc542b3252223794b0ad84cf4620403b47d33bc94829a530c810bc1c456b5fa02f74803cac9c414d90ba809deb2ba05ab94ab

Download Submit
C:\Windows\SysWOW64\Hmjdjgjo.exe

Filesize
163KB

MD5
dc63abab348ea8b8cafa66171f554e6f

SHA1
44ab05a853e418b92ae4c56190fa25a2bfd5e3ca

SHA256
05acf66f03ff7faf6a50865640c4d27bf3b688c6eba54b6c754d2687b9044a53

SHA512
1151a2740348ee2face72b44f969b58b6afff63c62239f732b29662d0ec572d5a6318fc62913c89121a66b50d24f873c6e751d8e5f9a02ae0d276412237304a2

Download Submit
C:\Windows\SysWOW64\Hodgkc32.exe

Filesize
163KB

MD5
a91e5b9b440cbf42a6d1e013cf6b1682

SHA1
7fe888589051d35fedf41bfd99af0db1dac43e39

SHA256
f383f8f6d1ac33881ac0eed71909b9ca276514ec7da43a03d2ffe337d38c4799

SHA512
d3c477d0476071228b6a7b64b0d1d9957386f23419727d229aa2957bb5f7591a843d5f073c539e9c058c7d0634f1087e53967ba96875ab59c307b9c32d5526a0

Download Submit
C:\Windows\SysWOW64\Iblfnn32.exe

Filesize
163KB

MD5
184362d6a5b38972bb24638adddf1e08

SHA1
384b80264ac6924c80a89d356655267b77fc415a

SHA256
2b2938a7a172a996833a1a86741f0621b98056cfe0c5644fd763ebf7ed6496fd

SHA512
710a5b230995b5e754c2c9b8b39c648415f01dfe4b541109185c1f824e3ad08f4d0a07f336de0f781b8abaece00b7634f188a2cc5c276e194d1a439378c8424a

Download Submit
C:\Windows\SysWOW64\Icgjmapi.exe

Filesize
163KB

MD5
b022426973163205f9cf05dfa5707a8b

SHA1
eca685a2ee04f465cb6f13f4126e20eca23bc4b2

SHA256
252d897b4d27b0dbcad90ac0a47204499c8cb3a4281ed7f64f5126acf0bcaa77

SHA512
366d1fd1aa944776738db1dadb0ef65052bb64a23b52f20af4855c450f1cbc9f72898c11763d5df30875049a5d1e7a40cb854c561ac0f60c033c70288f653149

Download Submit
C:\Windows\SysWOW64\Ickchq32.exe

Filesize
163KB

MD5
363c68764008fbca14e74f110d75606c

SHA1
70224d9e810edbc258d615e870620f2d2a6201fb

SHA256
8f6b26e98b52a81d035bb93f8bbcaba2b207c00fb58f5e48d51162269c4dd5a5

SHA512
340dfafd3a5e071286ae5e9f41a8106b976d3108442402ab0250accfcb340b07808fd77757fcb465788268c0ca1a445f8c8443284f7a18f08a21b27802c41fad

Download Submit
C:\Windows\SysWOW64\Iefioj32.exe

Filesize
163KB

MD5
c7fe8a80f39a296f7b8352450b2b16d2

SHA1
e464d8b90bfe998cae37ad0b5164f738d960839d

SHA256
ade01334120e5ff7111dc4f3ff9d3aa68d066481c0935a9f1e68b7bd1cdcc372

SHA512
f049fc1b337dafcfd0bc975cc1c2513ad12fe0cded6a7b614cd3cf8329a21d537d650a6b284b8699ec894ccc2065426195de97d125f9f83bd7f3f8e462ec47c7

Download Submit
C:\Windows\SysWOW64\Iehfdi32.exe

Filesize
163KB

MD5
2b62d37e63eb356a01cce337394f8e07

SHA1
6b9faab84e917751041c1b7a2bb04f60fedc7729

SHA256
3acdb95ef779e45cf4a061808b3b60ca88b6b4e362a939c132d61d14ceb1a2a2

SHA512
e07842465120dc920d01de4d43c62cefbe81c007eb12ef0372b3c273e0ad5851a3d347866fb744ce12f3f483189dfe20d65f2e1ef3d287aa56be4cadce3aa583

Download Submit
C:\Windows\SysWOW64\Iemppiab.exe

Filesize
163KB

MD5
4fe25f80cad28c4ef50ee61941673be8

SHA1
821aa271ac390fe6fb35e3a4e16745ffa5962542

SHA256
a6894b492af80bda95de413b4b16500be4790afb04f7420a7e7b7f009b971bc4

SHA512
22360836e0e0a4bb1c93d45faf2a0b75041fd1983f7f5768be8563f933d1285ef355e78eae6425f6c3062356e518b8989de433eb6c26ddd419f5839926b9f2ea

Download Submit
C:\Windows\SysWOW64\Iifokh32.exe

Filesize
163KB

MD5
86fb7ccd883efabffbb5f45dbc782a3e

SHA1
c88c1594790cf8e71481c83c97d2a8fb601d5dec

SHA256
526f35176ff1c78832c2fb396db682b39706957ff55ca8d6450b454bbfd9077a

SHA512
25a408cea050f7c3c245b1e9367503fa5822dea7e269bafe2332348a412a61298c92383c28400dabc69e5821e85f7f86689fcdf67c9a02c6cdd25ad745474da0

Download Submit
C:\Windows\SysWOW64\Ikbnacmd.exe

Filesize
163KB

MD5
9d726e53fc7b5bafc919eaf36aea6908

SHA1
5960bc8548dd36e590102beb09f3aeac6ae6a952

SHA256
2924086a8880e885a5a57b3786e57e79e681dddda95e3972f317dbbd9ab29655

SHA512
6dd62d67cc6f092bd8e2f28e349c1550c5213ce04b53f8299115e79ed5e5bfa60a6cdcaf193d4924ef361ff9e98dc0ff24fd27bba4cba0c48d7ec1604ffe0a26

Download Submit
C:\Windows\SysWOW64\Ipbdmaah.exe

Filesize
163KB

MD5
2127d80f27e3e29cbc7f4bfbae870907

SHA1
e3cce63147b4fbf24e48d9f136797f2427e12943

SHA256
7d6f70962c338594d8a23fc249f69abd5cd1d3194fcbcff0b8139bd13d502686

SHA512
4b32367fa5b75192aa940b8bb847c46eacd35cfb0619e5fb5468f46159338a40b4099680e7604377e8c2490881c70766d9ecfea5b783b4c78ec0edfafde74d31

Download Submit
C:\Windows\SysWOW64\Ldoaklml.exe

Filesize
163KB

MD5
d7c11022c52a9a7cbe1bbcd9563efb7c

SHA1
499f81f48c7ec1530c83615a5458437adb9887db

SHA256
ed9bbb365181d669daa32663ccde6e68854c3d4f100b62d4a3f4d34afba789e3

SHA512
147f3f7b70cbbce2cd3441ed5da3644a0c0a95a5bf4284e9919b169ccec5d518224ca37c3483c2332684c4321f5f2015354006f43bf5edcfe8ffff692996259e

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
163KB

MD5
90a50b9f4fd9f466f5b19d0098c5c907

SHA1
41cde25d8f3476e5c8bd347221b00858f699455a

SHA256
8f689a65c4e679540574d13222c90b5364fa6a2938dd556889182423389b2b72

SHA512
219b5852d069dbf4f60a98cf069dffa8c886dfcc726cb58f60758e39c2324d629f3fe3a017d40500341a2f3d6f721eb04299f317890784176d7274472854bd7e

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
163KB

MD5
2b0488da6880a909e3b1fa1e842cb3d1

SHA1
bff205971f587b4e03d91c67ce57d687db4ea56b

SHA256
4d439412da0ab9a542156c3269e9cb85e145b73af764eccb43eb3fb5825b06c0

SHA512
07485f505082edaf46e1fb3dabc19dc735f819de133cad45c28c0e1a5376be4d8cd2ea2dac12c94625b92b7d7c866aab7573a1949b7aa596a670048bf99dc8dc

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
163KB

MD5
1a725c1344f50ca2fd098901d87270d5

SHA1
76337754b273a169386772930b2176467016dd5d

SHA256
6418ce2b725507ae4b7a7382676fe894db7844b089b23bc11e3fd7db5bf686d5

SHA512
6151a13726f4f0ba8c5a0a2e0cd9807b14e38cc984936046200f0d01398a12412906b9703e5ba43a12d73d876f5e0256eecd4e56898453b0884203d40f46f887

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
163KB

MD5
e155ae4461d6ac23e130010bf6df8a45

SHA1
9113d2ba713fd4f05efc2d70f6eebac3e0b46d77

SHA256
3d4de1bb10d85ad22fda73336781ab130b6cb4e46408e2d819c016483e44a248

SHA512
5f9374dabbdc5ca4fcc17d6281e00705fad4dfb72e08d5137b5a98b89b389a3c97ac47241a5af3ed7727f471ad55487b673658afab7f25e9a69f8c0d76d32bc2

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
163KB

MD5
9e7fc2f6781694b120d41b4041f59b08

SHA1
9f402d0ba14795ee6a6ff2da4e305bb57a8457a7

SHA256
80d8a134d8ced6e85532d347d53b067a8c7a58f1a3d122e31ed5dab35feb9fa1

SHA512
683e45c5f04ff4f3f713a6cb22500e1c81287211ce507bde4ff62547b8a1261ae47f20ba3de1d5c8214ad3fc7d8cf68b8c4166ec084cad6c415f60f1e892099a

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
163KB

MD5
8a6cdad0d10063f3a098798453e431cc

SHA1
bd89f342d1c7b223c4d8a7e4d67cdeebe691d911

SHA256
95dac9ef5157f010b5f0bc0131afea943096fafe190adfd68d8ffcc0708dd030

SHA512
ba4ddccd42f0052d74e1dc1cfd44a1850ef8311906cb1f88cc1827a8ba8e3b936a3cfa82f5ebcd978bdc49f4d5ff6b9544f84af1a4049d1f5f697f11f6ff2902

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
163KB

MD5
17adc1b9e609b48fa61257f7e5fff237

SHA1
1fbb06f5d13141c89fcdbda99b44ce03e8a5e6ed

SHA256
36ea719b38833b53647b4c69382bc44c10d119a6e65b0e1636a5c942c6f16b3e

SHA512
e145a2e42ed879e84923d55aa3bb8f6248b5837388514121e401e2ff30a18c7ff8659df1220a188907bbd59c8f88875b863fb625af81d69bafd406ada73634f8

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
163KB

MD5
c1da6262982a23c94334301b12c0e157

SHA1
a928713122c97eeb6585fd167cafa573c4ec5bb0

SHA256
7f9e717beb9b14044f80b5d857b40063be9c3a83bdb60c3d7fc692a46b8e1ce9

SHA512
598af7d5be3f8d5f22582b4cd1eee8e497257d0474334d09c3bf2247c64b9bbeb2982716b5c390f815643cd37821fe01c143b00e49707f6a79a10c5d0b61e06c

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
163KB

MD5
b4c920c745c00c001e20ed66ac731fc2

SHA1
7448c65b51a95f27a510f52c003b43eff67aada2

SHA256
a049c776f477b865ca91426b8ae7f928875cfade32b40c46c2ad563d62294dc9

SHA512
fb9043f71ba04ff88ea418f32779253287bb3496d9ad925af6536d2f3a42645fcc57f9776d0bf85dcf8862c5c76cd30ee7fc25955263b4e95bd6fa43d23fef60

Download Submit
memory/372-496-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/424-371-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/448-1459-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/452-485-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/536-508-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/536-1486-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/544-1594-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/544-169-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/620-1559-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/620-293-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/628-359-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/692-1589-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/692-185-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/800-479-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/800-1497-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/828-165-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/828-1593-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1056-28-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1056-564-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1080-455-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1124-572-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1236-407-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1236-1521-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1268-275-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1272-1450-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1388-383-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1404-565-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1448-192-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1552-129-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1628-281-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1700-545-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1824-125-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1896-208-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2024-248-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2024-1572-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2032-514-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2036-579-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2128-1585-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2128-200-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2132-586-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2168-117-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2264-1499-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2264-473-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2304-287-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2312-105-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2440-419-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2444-225-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2584-323-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2684-137-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2716-96-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2768-17-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2768-558-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2796-347-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2824-585-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2824-49-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2932-449-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2956-335-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2960-1539-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2960-353-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3016-467-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3020-377-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3080-461-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3128-526-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3140-532-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3256-257-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3332-329-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3360-269-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3372-437-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3392-177-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3436-551-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3436-8-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3492-389-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3600-299-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3612-1514-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3612-425-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3648-592-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3648-1620-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3648-56-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3760-365-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3808-72-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3808-1616-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3816-305-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3924-145-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3956-317-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3976-578-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3976-40-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3984-593-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4008-89-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4016-395-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4080-431-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4152-538-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4152-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4152-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4180-552-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4192-64-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4192-599-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4232-502-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4400-401-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4440-311-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4572-443-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4708-232-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4720-216-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4736-413-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4756-571-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4756-33-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4812-246-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4904-263-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4988-80-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5008-539-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5084-341-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5096-520-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5100-152-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5260-1406-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5564-1433-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5736-1428-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5756-1353-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5804-1350-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/6072-1390-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/6076-1372-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/6164-1339-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/6384-1329-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/6604-1319-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/6772-1311-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/6808-1270-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/7064-1263-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/7088-1295-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads