berbew | 162e0c90feddd39dbbbbbb988319bd65f66f260181661c3ceb0863c9c2fc4fad

Analysis

max time kernel
93s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 02:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

162e0c90feddd39dbbbbbb988319bd65f66f260181661c3ceb0863c9c2fc4fad.exe
Size

84KB
MD5

7ba94f50c54ee5d21fad0e229c271761
SHA1

183b2db1f580cbf3385ce0e07fa9ba560a1432f4
SHA256

162e0c90feddd39dbbbbbb988319bd65f66f260181661c3ceb0863c9c2fc4fad
SHA512

5055085753335625c0a65f04fe2a0b0b970e8352493d31e0a695b81f2eb4fb553761844200fbd6a1eef8cb7cedfac118cefbfd132bcdc002079bc87650a5e86a
SSDEEP

1536:RURGo/+AKVm4XsRcjkMZBtDXSREXHfVPfMVwNKT1iqWUPGc4T7VLP:ORxRKVm4c1MZBtDCREXdXNKT1ntPG9pb

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipbdmaah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Likjcbkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	162e0c90feddd39dbbbbbb988319bd65f66f260181661c3ceb0863c9c2fc4fad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcmgfbhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iifokh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpablkhc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmoeoidl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbjlfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgmngglp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mbfkbhpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlcifmbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndokbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imdgqfbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jedeph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iikhfg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlkagbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Meiaib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlcifmbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leihbeib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iehfdi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iifokh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbeidl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbnjmp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiaephpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcefno32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibnccmbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jianff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lekehdgp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmlpoqpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmbfpp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ikbnacmd.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
836	Gkoiefmj.exe
3160	Gfembo32.exe
4248	Gmoeoidl.exe
4756	Gblngpbd.exe
2036	Hmabdibj.exe
3040	Hbnjmp32.exe
2256	Hmcojh32.exe
940	Hcmgfbhd.exe
2304	Heocnk32.exe
4688	Hkikkeeo.exe
1480	Hfnphn32.exe
3968	Hkkhqd32.exe
2832	Hbeqmoji.exe
5072	Hecmijim.exe
2300	Hoiafcic.exe
2260	Hbgmcnhf.exe
864	Iiaephpc.exe
1080	Ipknlb32.exe
1592	Iehfdi32.exe
1972	Ikbnacmd.exe
2324	Icifbang.exe
2320	Ifgbnlmj.exe
2272	Iifokh32.exe
4996	Ippggbck.exe
2432	Ibnccmbo.exe
2728	Imdgqfbd.exe
4816	Ipbdmaah.exe
2444	Ifllil32.exe
2792	Iikhfg32.exe
4540	Icplcpgo.exe
4388	Jfoiokfb.exe
4448	Jimekgff.exe
2752	Jlkagbej.exe
3588	Jbeidl32.exe
3976	Jedeph32.exe
2824	Jlnnmb32.exe
3616	Jcefno32.exe
3612	Jianff32.exe
4908	Jplfcpin.exe
2224	Jbjcolha.exe
4008	Jehokgge.exe
2856	Jlbgha32.exe
3128	Kpgfooop.exe
1812	Kbfbkj32.exe
1092	Kipkhdeq.exe
928	Kpjcdn32.exe
1156	Kefkme32.exe
2960	Kplpjn32.exe
4588	Lbjlfi32.exe
3636	Leihbeib.exe
1312	Lmppcbjd.exe
3180	Lpnlpnih.exe
4316	Lekehdgp.exe
920	Llemdo32.exe
3740	Ldleel32.exe
4384	Liimncmf.exe
1236	Lpcfkm32.exe
4244	Lgmngglp.exe
1704	Likjcbkc.exe
1784	Lpebpm32.exe
5116	Lgokmgjm.exe
3012	Lingibiq.exe
4184	Lllcen32.exe
4632	Mbfkbhpa.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gcbifaej.dll	Jimekgff.exe
File created	C:\Windows\SysWOW64\Jcjpfk32.dll	Lgmngglp.exe
File created	C:\Windows\SysWOW64\Pjcbbmif.exe	Pfhfan32.exe
File opened for modification	C:\Windows\SysWOW64\Pmdkch32.exe	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Hmcojh32.exe	Hbnjmp32.exe
File opened for modification	C:\Windows\SysWOW64\Jplfcpin.exe	Jianff32.exe
File opened for modification	C:\Windows\SysWOW64\Liimncmf.exe	Ldleel32.exe
File created	C:\Windows\SysWOW64\Pkfhoiaf.dll	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Gdeahgnm.dll	Anadoi32.exe
File created	C:\Windows\SysWOW64\Pacghh32.dll	Imdgqfbd.exe
File created	C:\Windows\SysWOW64\Dpmdoo32.dll	Aeiofcji.exe
File opened for modification	C:\Windows\SysWOW64\Jianff32.exe	Jcefno32.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Iiaephpc.exe	Hbgmcnhf.exe
File created	C:\Windows\SysWOW64\Memcpg32.dll	Jehokgge.exe
File opened for modification	C:\Windows\SysWOW64\Mlcifmbl.exe	Meiaib32.exe
File opened for modification	C:\Windows\SysWOW64\Hbgmcnhf.exe	Hoiafcic.exe
File created	C:\Windows\SysWOW64\Qnhahj32.exe	Pfaigm32.exe
File opened for modification	C:\Windows\SysWOW64\Ogkcpbam.exe	Ocpgod32.exe
File created	C:\Windows\SysWOW64\Cbeedbdm.dll	Lmppcbjd.exe
File created	C:\Windows\SysWOW64\Liimncmf.exe	Ldleel32.exe
File created	C:\Windows\SysWOW64\Bnecbhin.dll	Medgncoe.exe
File created	C:\Windows\SysWOW64\Pjhlml32.exe	Pgioqq32.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Nffbangm.dll	Jbjcolha.exe
File opened for modification	C:\Windows\SysWOW64\Mcmabg32.exe	Mlcifmbl.exe
File created	C:\Windows\SysWOW64\Gfnphnen.dll	Agglboim.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Ncnaabfm.dll	Jplfcpin.exe
File created	C:\Windows\SysWOW64\Medgncoe.exe	Mbfkbhpa.exe
File opened for modification	C:\Windows\SysWOW64\Mmbfpp32.exe	Mgimcebb.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Ipknlb32.exe	Iiaephpc.exe
File opened for modification	C:\Windows\SysWOW64\Mbfkbhpa.exe	Lllcen32.exe
File created	C:\Windows\SysWOW64\Mcmabg32.exe	Mlcifmbl.exe
File opened for modification	C:\Windows\SysWOW64\Ojgbfocc.exe	Ogifjcdp.exe
File created	C:\Windows\SysWOW64\Agglboim.exe	Aeiofcji.exe
File opened for modification	C:\Windows\SysWOW64\Aglemn32.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Eeanii32.dll	Jlkagbej.exe
File created	C:\Windows\SysWOW64\Aaqfok32.dll	Ifllil32.exe
File opened for modification	C:\Windows\SysWOW64\Jbeidl32.exe	Jlkagbej.exe
File created	C:\Windows\SysWOW64\Kipkhdeq.exe	Kbfbkj32.exe
File opened for modification	C:\Windows\SysWOW64\Ocdqjceo.exe	Olkhmi32.exe
File opened for modification	C:\Windows\SysWOW64\Pdmpje32.exe	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Empbnb32.dll	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Hkikkeeo.exe	Heocnk32.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Ifgbnlmj.exe	Icifbang.exe
File created	C:\Windows\SysWOW64\Aomaga32.dll	Likjcbkc.exe
File opened for modification	C:\Windows\SysWOW64\Mlampmdo.exe	Megdccmb.exe
File created	C:\Windows\SysWOW64\Jdbnaa32.dll	Qqijje32.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Hoiafcic.exe	Hecmijim.exe
File created	C:\Windows\SysWOW64\Enlqgg32.dll	Hecmijim.exe
File created	C:\Windows\SysWOW64\Gfmccd32.dll	Nilcjp32.exe
File opened for modification	C:\Windows\SysWOW64\Nnqbanmo.exe	Njefqo32.exe
File created	C:\Windows\SysWOW64\Mjpabk32.dll	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Hmabdibj.exe	Gblngpbd.exe
File opened for modification	C:\Windows\SysWOW64\Ojllan32.exe	Ofqpqo32.exe
File opened for modification	C:\Windows\SysWOW64\Qdbiedpa.exe	Qmkadgpo.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6660	6808	WerFault.exe	292

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gkoiefmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icplcpgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meiaib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gblngpbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hmcojh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lingibiq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gfembo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hecmijim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgimcebb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngmgne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjlfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Likjcbkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnjlpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcefno32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kipkhdeq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbfkbhpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlampmdo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkikkeeo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icifbang.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lekehdgp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Heocnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hoiafcic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ipknlb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jplfcpin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mckemg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ikbnacmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kefkme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llemdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkkhqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	162e0c90feddd39dbbbbbb988319bd65f66f260181661c3ceb0863c9c2fc4fad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlbgha32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jplfcpin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nffbangm.dll"	Jbjcolha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncmlocln.dll"	Lbjlfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiclgb32.dll"	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmoeoidl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jlkagbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcmfk32.dll"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfdjmlhn.dll"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbnaa32.dll"	Qqijje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Leihbeib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llemdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmijnn32.dll"	Mgimcebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbeqmoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiecmmbf.dll"	Lpnlpnih.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liimncmf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Medgncoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaqfok32.dll"	Ifllil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhccdhqf.dll"	Kbfbkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debdld32.dll"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibnccmbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpcfkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gblngpbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdehlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jehokgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpjcdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldamee32.dll"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbnjmp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcmgfbhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Halpnqlq.dll"	Pqknig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfoiokfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jlbgha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iccbgbmg.dll"	Ifgbnlmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Megdccmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Meiaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciopbjik.dll"	Pqbdjfln.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 728 wrote to memory of 836	728	162e0c90feddd39dbbbbbb988319bd65f66f260181661c3ceb0863c9c2fc4fad.exe	83
PID 728 wrote to memory of 836	728	162e0c90feddd39dbbbbbb988319bd65f66f260181661c3ceb0863c9c2fc4fad.exe	83
PID 728 wrote to memory of 836	728	162e0c90feddd39dbbbbbb988319bd65f66f260181661c3ceb0863c9c2fc4fad.exe	83
PID 836 wrote to memory of 3160	836	Gkoiefmj.exe	84
PID 836 wrote to memory of 3160	836	Gkoiefmj.exe	84
PID 836 wrote to memory of 3160	836	Gkoiefmj.exe	84
PID 3160 wrote to memory of 4248	3160	Gfembo32.exe	85
PID 3160 wrote to memory of 4248	3160	Gfembo32.exe	85
PID 3160 wrote to memory of 4248	3160	Gfembo32.exe	85
PID 4248 wrote to memory of 4756	4248	Gmoeoidl.exe	87
PID 4248 wrote to memory of 4756	4248	Gmoeoidl.exe	87
PID 4248 wrote to memory of 4756	4248	Gmoeoidl.exe	87
PID 4756 wrote to memory of 2036	4756	Gblngpbd.exe	88
PID 4756 wrote to memory of 2036	4756	Gblngpbd.exe	88
PID 4756 wrote to memory of 2036	4756	Gblngpbd.exe	88
PID 2036 wrote to memory of 3040	2036	Hmabdibj.exe	89
PID 2036 wrote to memory of 3040	2036	Hmabdibj.exe	89
PID 2036 wrote to memory of 3040	2036	Hmabdibj.exe	89
PID 3040 wrote to memory of 2256	3040	Hbnjmp32.exe	90
PID 3040 wrote to memory of 2256	3040	Hbnjmp32.exe	90
PID 3040 wrote to memory of 2256	3040	Hbnjmp32.exe	90
PID 2256 wrote to memory of 940	2256	Hmcojh32.exe	92
PID 2256 wrote to memory of 940	2256	Hmcojh32.exe	92
PID 2256 wrote to memory of 940	2256	Hmcojh32.exe	92
PID 940 wrote to memory of 2304	940	Hcmgfbhd.exe	93
PID 940 wrote to memory of 2304	940	Hcmgfbhd.exe	93
PID 940 wrote to memory of 2304	940	Hcmgfbhd.exe	93
PID 2304 wrote to memory of 4688	2304	Heocnk32.exe	94
PID 2304 wrote to memory of 4688	2304	Heocnk32.exe	94
PID 2304 wrote to memory of 4688	2304	Heocnk32.exe	94
PID 4688 wrote to memory of 1480	4688	Hkikkeeo.exe	95
PID 4688 wrote to memory of 1480	4688	Hkikkeeo.exe	95
PID 4688 wrote to memory of 1480	4688	Hkikkeeo.exe	95
PID 1480 wrote to memory of 3968	1480	Hfnphn32.exe	96
PID 1480 wrote to memory of 3968	1480	Hfnphn32.exe	96
PID 1480 wrote to memory of 3968	1480	Hfnphn32.exe	96
PID 3968 wrote to memory of 2832	3968	Hkkhqd32.exe	97
PID 3968 wrote to memory of 2832	3968	Hkkhqd32.exe	97
PID 3968 wrote to memory of 2832	3968	Hkkhqd32.exe	97
PID 2832 wrote to memory of 5072	2832	Hbeqmoji.exe	98
PID 2832 wrote to memory of 5072	2832	Hbeqmoji.exe	98
PID 2832 wrote to memory of 5072	2832	Hbeqmoji.exe	98
PID 5072 wrote to memory of 2300	5072	Hecmijim.exe	100
PID 5072 wrote to memory of 2300	5072	Hecmijim.exe	100
PID 5072 wrote to memory of 2300	5072	Hecmijim.exe	100
PID 2300 wrote to memory of 2260	2300	Hoiafcic.exe	101
PID 2300 wrote to memory of 2260	2300	Hoiafcic.exe	101
PID 2300 wrote to memory of 2260	2300	Hoiafcic.exe	101
PID 2260 wrote to memory of 864	2260	Hbgmcnhf.exe	102
PID 2260 wrote to memory of 864	2260	Hbgmcnhf.exe	102
PID 2260 wrote to memory of 864	2260	Hbgmcnhf.exe	102
PID 864 wrote to memory of 1080	864	Iiaephpc.exe	103
PID 864 wrote to memory of 1080	864	Iiaephpc.exe	103
PID 864 wrote to memory of 1080	864	Iiaephpc.exe	103
PID 1080 wrote to memory of 1592	1080	Ipknlb32.exe	104
PID 1080 wrote to memory of 1592	1080	Ipknlb32.exe	104
PID 1080 wrote to memory of 1592	1080	Ipknlb32.exe	104
PID 1592 wrote to memory of 1972	1592	Iehfdi32.exe	105
PID 1592 wrote to memory of 1972	1592	Iehfdi32.exe	105
PID 1592 wrote to memory of 1972	1592	Iehfdi32.exe	105
PID 1972 wrote to memory of 2324	1972	Ikbnacmd.exe	106
PID 1972 wrote to memory of 2324	1972	Ikbnacmd.exe	106
PID 1972 wrote to memory of 2324	1972	Ikbnacmd.exe	106
PID 2324 wrote to memory of 2320	2324	Icifbang.exe	107

C:\Users\Admin\AppData\Local\Temp\162e0c90feddd39dbbbbbb988319bd65f66f260181661c3ceb0863c9c2fc4fad.exe
"C:\Users\Admin\AppData\Local\Temp\162e0c90feddd39dbbbbbb988319bd65f66f260181661c3ceb0863c9c2fc4fad.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:728
- C:\Windows\SysWOW64\Gkoiefmj.exe
  C:\Windows\system32\Gkoiefmj.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:836
- - C:\Windows\SysWOW64\Gfembo32.exe
    C:\Windows\system32\Gfembo32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3160
  - - C:\Windows\SysWOW64\Gmoeoidl.exe
      C:\Windows\system32\Gmoeoidl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4248
    - - C:\Windows\SysWOW64\Gblngpbd.exe
        
        C:\Windows\system32\Gblngpbd.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4756
      - C:\Windows\SysWOW64\Hmabdibj.exe
        
        C:\Windows\system32\Hmabdibj.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\Hbnjmp32.exe
        
        C:\Windows\system32\Hbnjmp32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\SysWOW64\Hmcojh32.exe
        
        C:\Windows\system32\Hmcojh32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\SysWOW64\Hcmgfbhd.exe
        
        C:\Windows\system32\Hcmgfbhd.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:940
        
        C:\Windows\SysWOW64\Heocnk32.exe
        
        C:\Windows\system32\Heocnk32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\SysWOW64\Hkikkeeo.exe
        
        C:\Windows\system32\Hkikkeeo.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4688
        
        C:\Windows\SysWOW64\Hfnphn32.exe
        
        C:\Windows\system32\Hfnphn32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\SysWOW64\Hkkhqd32.exe
        
        C:\Windows\system32\Hkkhqd32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3968
        
        C:\Windows\SysWOW64\Hbeqmoji.exe
        
        C:\Windows\system32\Hbeqmoji.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\SysWOW64\Hecmijim.exe
        
        C:\Windows\system32\Hecmijim.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\SysWOW64\Hoiafcic.exe
        
        C:\Windows\system32\Hoiafcic.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\SysWOW64\Hbgmcnhf.exe
        
        C:\Windows\system32\Hbgmcnhf.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\SysWOW64\Iiaephpc.exe
        
        C:\Windows\system32\Iiaephpc.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:864
        
        C:\Windows\SysWOW64\Ipknlb32.exe
        
        C:\Windows\system32\Ipknlb32.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\SysWOW64\Iehfdi32.exe
        
        C:\Windows\system32\Iehfdi32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\SysWOW64\Ikbnacmd.exe
        
        C:\Windows\system32\Ikbnacmd.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\SysWOW64\Icifbang.exe
        
        C:\Windows\system32\Icifbang.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\SysWOW64\Ifgbnlmj.exe
        
        C:\Windows\system32\Ifgbnlmj.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Iifokh32.exe
        
        C:\Windows\system32\Iifokh32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2272
        
        C:\Windows\SysWOW64\Ippggbck.exe
        
        C:\Windows\system32\Ippggbck.exe
        25⤵
        Executes dropped EXE
        
        PID:4996
        
        C:\Windows\SysWOW64\Ibnccmbo.exe
        
        C:\Windows\system32\Ibnccmbo.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2432
        
        C:\Windows\SysWOW64\Imdgqfbd.exe
        
        C:\Windows\system32\Imdgqfbd.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2728
        
        C:\Windows\SysWOW64\Ipbdmaah.exe
        
        C:\Windows\system32\Ipbdmaah.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4816
        
        C:\Windows\SysWOW64\Ifllil32.exe
        
        C:\Windows\system32\Ifllil32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2444
        
        C:\Windows\SysWOW64\Iikhfg32.exe
        
        C:\Windows\system32\Iikhfg32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2792
        
        C:\Windows\SysWOW64\Icplcpgo.exe
        
        C:\Windows\system32\Icplcpgo.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4540
        
        C:\Windows\SysWOW64\Jfoiokfb.exe
        
        C:\Windows\system32\Jfoiokfb.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Jimekgff.exe
        
        C:\Windows\system32\Jimekgff.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4448
        
        C:\Windows\SysWOW64\Jlkagbej.exe
        
        C:\Windows\system32\Jlkagbej.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2752
        
        C:\Windows\SysWOW64\Jbeidl32.exe
        
        C:\Windows\system32\Jbeidl32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3588
        
        C:\Windows\SysWOW64\Jedeph32.exe
        
        C:\Windows\system32\Jedeph32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3976
        
        C:\Windows\SysWOW64\Jlnnmb32.exe
        
        C:\Windows\system32\Jlnnmb32.exe
        37⤵
        Executes dropped EXE
        
        PID:2824
        
        C:\Windows\SysWOW64\Jcefno32.exe
        
        C:\Windows\system32\Jcefno32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3616
        
        C:\Windows\SysWOW64\Jianff32.exe
        
        C:\Windows\system32\Jianff32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3612
        
        C:\Windows\SysWOW64\Jplfcpin.exe
        
        C:\Windows\system32\Jplfcpin.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4908
        
        C:\Windows\SysWOW64\Jbjcolha.exe
        
        C:\Windows\system32\Jbjcolha.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2224
        
        C:\Windows\SysWOW64\Jehokgge.exe
        
        C:\Windows\system32\Jehokgge.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4008
        
        C:\Windows\SysWOW64\Jlbgha32.exe
        
        C:\Windows\system32\Jlbgha32.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        44⤵
        Executes dropped EXE
        
        PID:3128
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1812
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1092
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:928
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1156
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        49⤵
        Executes dropped EXE
        
        PID:2960
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4588
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3636
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1312
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3180
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4316
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:920
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3740
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4384
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1236
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4244
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1704
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        61⤵
        Executes dropped EXE
        
        PID:1784
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        62⤵
        Executes dropped EXE
        
        PID:5116
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3012
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4184
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4632
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4056
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        68⤵
        Modifies registry class
        
        PID:3124
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3880
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:2112
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:1124
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4432
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4424
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        74⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4220
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2364
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4024
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        78⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        79⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2812
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2800
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:748
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1516
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        85⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        86⤵
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        87⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        88⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2732
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        90⤵
        Modifies registry class
        
        PID:4368
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        91⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        92⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        93⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4572
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5136
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        95⤵
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        96⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        97⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5264
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5352
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        100⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5440
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:5484
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        103⤵
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:5572
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        105⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        106⤵
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        107⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        108⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        110⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        111⤵
        Modifies registry class
        
        PID:5876
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:5920
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        113⤵
        Modifies registry class
        
        PID:5964
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6008
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        115⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6052
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        116⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        117⤵
        Modifies registry class
        
        PID:6140
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        118⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        119⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5256
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:5348
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        121⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5480
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5580
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        124⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5652
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5732
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        126⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        127⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        128⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        129⤵
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        130⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5408
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        132⤵
        Drops file in System32 directory
        
        PID:5568
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5692
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        134⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        135⤵
        Modifies registry class
        
        PID:5972
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6124
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        137⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        138⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        139⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        140⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5588
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:6092
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5520
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        144⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        145⤵
        System Location Discovery: System Language Discovery
        
        PID:5548
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        146⤵
        System Location Discovery: System Language Discovery
        
        PID:6152
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        147⤵
        Drops file in System32 directory
        
        PID:6196
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        148⤵
        Drops file in System32 directory
        
        PID:6240
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        149⤵
        Drops file in System32 directory
        
        PID:6284
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        150⤵
        Modifies registry class
        
        PID:6328
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        151⤵
        Drops file in System32 directory
        
        PID:6372
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6416
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6464
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        154⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        155⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6552
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6596
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6640
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        158⤵
        
        PID:6684
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        159⤵
        Modifies registry class
        
        PID:6728
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        160⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        161⤵
        
        PID:6816
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        162⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6856
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        163⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6900
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        164⤵
        
        PID:6944
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        165⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7032
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7076
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        168⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        169⤵
        System Location Discovery: System Language Discovery
        
        PID:7164
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        170⤵
        Modifies registry class
        
        PID:6188
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6276
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6336
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6404
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        174⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        175⤵
        Drops file in System32 directory
        
        PID:6540
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        176⤵
        System Location Discovery: System Language Discovery
        
        PID:6608
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        177⤵
        
        PID:6672
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5472
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6804
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        180⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6888
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        181⤵
        Drops file in System32 directory
        
        PID:6940
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        182⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        183⤵
        
        PID:7088
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        184⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7160
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        185⤵
        
        PID:6232
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        186⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        187⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        188⤵
        Modifies registry class
        
        PID:6572
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        189⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6668
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        190⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        191⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        192⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        193⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7108
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        194⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6220
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        195⤵
        Modifies registry class
        
        PID:6384
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        196⤵
        Modifies registry class
        
        PID:6548
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        197⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        198⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:512
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        199⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3808
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        200⤵
        
        PID:7000
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        201⤵
        Modifies registry class
        
        PID:6164
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        202⤵
        System Location Discovery: System Language Discovery
        
        PID:6432
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        203⤵
        System Location Discovery: System Language Discovery
        
        PID:6696
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        204⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6808 -s 408
        205⤵
        Program crash
        
        PID:6660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 6808 -ip 6808
1⤵
PID:6180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Agglboim.exe

Filesize
84KB

MD5
45bcaed33b6695cda3a7eb4aca0a3636

SHA1
4f7f6fdbb2201d7f140cf5dd7dfbf8e9b959424a

SHA256
032b07d1705bac0402a102a0b6747d13066a697a0f80b5853fcea92c0c665116

SHA512
4b66c04c0e6ebf781480256d17a548177c28b981ffba97bfa4342e271d4654b2b9ab211f265e1eaa9187c1847de5aebdfc748ae5681a35de4b0146dbef207c05

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
84KB

MD5
10aee3b2a79338d21b33b7f62f48219d

SHA1
a05e48723f2277bcad2024dae5b782496881aac4

SHA256
c358230e24e26fb74028c76b62d9f50183dd879c0f297418485da53553502954

SHA512
ee21318f7f491367b23eb5e2efa4726823e20aec4555817aabdc0614e22fb5cd4a82ef5c8b2a588015e0f7ee90de69d148df4b4a013e52a3c111acb07c02fc92

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
84KB

MD5
facc0e6167636aa125c2794a7fd7a537

SHA1
c7c714242e44bb9190f922a8847d6b66e1cdde3b

SHA256
76e8b2c9701c44206cfa8c0da312e203038cd5e567978bc15e3aecde342d0861

SHA512
eb3d2b73ee5ff799ffcbf81adb52bb79416c90a53fff7f83379cc2467c347e1cf830acdcfe9f41776e38e539072ba8963270668f03d53b65471c90bc4fd3c400

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
84KB

MD5
5fe282566a83c4a299d123fd2ab4888d

SHA1
66b3616bd0c0692c8dd0ad36cdc50e88a5f4381c

SHA256
d441b23cac486f111a5fbb2111efccfbc2602183ed1d33cac51c554eb0606945

SHA512
3dbb59603a2719bd00ebd812ec382bac64e8388c8397043106300969f3fc5e16ef3387f8aa499f3f5a297d761a04a21eabbc77141024b92f5f0990e79d4385fb

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
84KB

MD5
079f70f6c490b08bf455a3673bec4ac7

SHA1
514c492a053e3de0bdec5b540faecb88906fed84

SHA256
87c2954e86a0fd22f9a00fc8cabad546a7cf624f2bc9c94524a983ff1723a03d

SHA512
aeed2a28635f2a05b3cf07585a239982ca3776d399656d4fb82cf1b97ec505ef7ddbd85fad46dea191fa1cb9407261d11eb91782148ad8b58066b24737a0ef67

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
84KB

MD5
b852487894fdcf1f265c6e640d742ca6

SHA1
db1cb1bcdae6563594b63515d4981552f4ba74e3

SHA256
6e433ef40f8a047c64349b5b0aeb342f7edc0cf6548ddb5e9124a93d041b2934

SHA512
8e8d97ee573bedf4347ccba68f218d4222d22f102eca70e20aba6c91f19ee49bd8d45e76e8436c230c6a24933e1e5b573a8d2a866f8de76c2373e09ea7503b40

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
84KB

MD5
8b9e7e03f3610e1c397119fb16f0d463

SHA1
f87bf29567fb8bf5839f73d0b09f746e0b257e9b

SHA256
d04ce1546c3eeff5fdff3d98aad5cdf1e4ec290bfa554b41d097b363324b31fa

SHA512
f453bde05e64d7591223f7f452ed35386164ac4e2eaa92faf2121a831cef6d04c8acd0129984882d7a6fa5bf38c669df4ae42954e929e3760d1f8abc62dfc72b

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
84KB

MD5
014c541ea31ad4495b34cb2282ffa4c7

SHA1
72111be0a808a1da6bd814617a081f313cb4bbac

SHA256
79a926d02e1c67327de116f9afca83c54c1b7bb9c6f394139df5f9884cdf38ed

SHA512
94b0831eaab85233f81636d80a1333f1254f4ae020f167537402c5dd7734eef5c8368ff9df4ff9618ec0b993ec6fb37dfa32fd60399ed0e4ddcac802808fe16d

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
84KB

MD5
8d0173ddeb6f230902f1dee97d4a6a51

SHA1
5ea80695a7289df7f2b55e22e606a2359a433fce

SHA256
a1f740322362390333671334eb2584ae971cfef852b7ce72c76ede25c374c8e6

SHA512
8d3ffc74f37356938e32aa7f364390cd402ad344bd5024b273c80634b0b501529aadb495f0ebed07115e6a838f40d2bc29591285306b2fc5d074d10531c690c8

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
64KB

MD5
e61f8b191366d9e7e9d0d64561cb4857

SHA1
2b2d7c72a26abcf1333055431c52427c6398b3e6

SHA256
759f6bafd3a6f739cea6d17ebec8ab2285dfa46cce53c2a01823e05e62a5d015

SHA512
ac4e13428968f8b48cce938c30f3628cbfd954a1b6637db49eb8bc3f40157bafa8c20b6c7f0d7fd1d75b70503dccd48b60d2e2ceb2afd4059b7d2411be60ca04

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
84KB

MD5
fb7f8877b28298ea0f55c89e4a4b0a0f

SHA1
5fcfc8aebdedf6e421b2b08be47a79b0db478d52

SHA256
e7f203e2c7e7732683db381dcb4cbec6d0e635a9434df110cbb8d2f747c346d3

SHA512
510ca5421d6c08fa6a2c4eeaf7c6b0cb57a3654f7c2211934ea4aeaf0016f5f54799c6b92817204c078dad7352ca896583d6899e0d66c09a94ae08a4ea0c74df

Download Submit
C:\Windows\SysWOW64\Gblngpbd.exe

Filesize
84KB

MD5
3c22bd1fc290c94769475519a1dee9bb

SHA1
9cc320af9760fd03b0bace5140d1f73ade423af8

SHA256
31455b4e65abd627092c9e6991e769dca753a2341f05dbf5f903c249780a7c3b

SHA512
909237e684098449942f85a71abb726324c09885d3b3d2219d4de769745627d4063210a3739d98d3c28c78e7781b77388c287be6b17579383c8fdd1798c11caf

Download Submit
C:\Windows\SysWOW64\Gfembo32.exe

Filesize
84KB

MD5
edb5c2a8d3a00f6c5fd3f5eaeaf6ba9d

SHA1
da7a7d23027e85fa7c78661e0dbbf0f23dfba507

SHA256
e0653433164625394d3ed51a88ecd438c8e6fc8a816fb926d2ac1d1e50a93ae0

SHA512
fe0a42cb691bf2a0271c9afbdaa56ac8a17b2aac85fad759b6f67ba7ee8ca7478a5bff9a704f91cd5a9dd192d8b4a2c3727626ad031e6ab325598c93bab9730f

Download Submit
C:\Windows\SysWOW64\Gkoiefmj.exe

Filesize
84KB

MD5
0134c9bf90984cc31690711591a01f10

SHA1
99bc5922800cd764abfd900116915689a4a2c692

SHA256
eb497e3a74b20642a2e8c1f2d388bb3ae8508ace88752d2e116ed1e74a5b88e8

SHA512
2c8455668035a966142b4476507519e14a4695fe45624f8eaa054428708f75f0438bd2e8cea01b332a441db912684698eedd7404bc843764adb1fcb4e2fdd11d

Download Submit
C:\Windows\SysWOW64\Gmoeoidl.exe

Filesize
84KB

MD5
953bef5f6d69b77dfa611001b2807880

SHA1
ca2e0d3671640e42b275f63569ed5364098b019e

SHA256
2ff82eea4b10e675b0efeb0d6be35bb801800c58232eb1ddbe54f552b12171b7

SHA512
d9581556ee4277255554d7d92fbfa9470b318811626870b615e26aec9b7d001ca8fcae9adacfaf9ce6526ecf3025bbc46d6dcfa79f04d4d09329d99ba3fb409d

Download Submit
C:\Windows\SysWOW64\Hbeqmoji.exe

Filesize
84KB

MD5
2ccc2aa8c9d4fc51176568db8429d97d

SHA1
3d5bc78b7172bae17e883e7f34b63d052d807572

SHA256
419479f0a09d830ee3cb86ff6565f34041b893bdec975b5c69f9794009afea83

SHA512
de2cb96da9ff52fa53336fefacda9bb8c3f3fa6c93a7a58daca2b6740b0cfe0e29d21b5b24966e94954c2d2159a47c9374077d8a8354bb73932c1ac7ac614e69

Download Submit
C:\Windows\SysWOW64\Hbgmcnhf.exe

Filesize
84KB

MD5
c7c03dc6b01196087e474f0a97c0ab31

SHA1
7e4494e14349dca88a3c443f70f5d5867476f4dc

SHA256
2d812d3df8afbc426dc20f9fc4c9e0703da18ad2c1c859ab1674b82c21c37f1b

SHA512
a1861b144e097b9037508edb3e5b958ade45dd10dcc0c00e5e5ab11e3549f45589c1fdbabc1cf47fa9311ae98934142fd32778a47ede3bf0b2915ce19f880a0a

Download Submit
C:\Windows\SysWOW64\Hbnjmp32.exe

Filesize
84KB

MD5
9758a8ad48ec15ef5152583256c71006

SHA1
a128176f07948271b3cf1cfba7680066d8d98d63

SHA256
549d99a3ce40b8872d4bf6481d3cd714321a9220ea4165ec1d50e1e9fe603837

SHA512
e87b0ddbb8f2991f4ed2594f038ad88fec391f836ed8694df563d9fa3d92566be7f99fbd96fdd040c10146fba7d402a4649277a0ffa6fc18610dd9d269c85cd8

Download Submit
C:\Windows\SysWOW64\Hcmgfbhd.exe

Filesize
84KB

MD5
94345ba204424aa07762a68a9b816fc2

SHA1
7ba21301e4677bfcc06f17cfc9a423f1b27e5812

SHA256
44a129878b641e118cefffeb2487a29be730ec9c8b5eef9ea6fbd374b912d739

SHA512
fa19c2fcd92059dd3797a5f923b635f825a98e955da31a92378e4929bb4bceba4c8401c823d3c0bf7746dbc8fd42c075a3ef44246bb2e6b5bccb73930840c052

Download Submit
C:\Windows\SysWOW64\Hecmijim.exe

Filesize
84KB

MD5
9939c6de451c20d3a3062942689a09c5

SHA1
90f26f48376a5940f7f9abeeb76e4b60d9dbf2e0

SHA256
ce27ee97e33dd0979f5959b649e926162489b5a16a7cbd35ded847a64fde6b49

SHA512
954d5b61dd2cb0fdbfe5ee80fdce248c7711df2a96c97a024ac63b4642383decb75ed58ec8957418646327124898eb697b4cf6ad378597ff712d86834916625e

Download Submit
C:\Windows\SysWOW64\Heocnk32.exe

Filesize
84KB

MD5
ed84bfc64184fabccb4d71d15a7f7e92

SHA1
5192e31ca05193646a904fe832ea254063a8c997

SHA256
a92750933bbac7f9ac0a097fb20612d6c900b1c7163005b157159441e9126ec8

SHA512
abe32895502e90d1e3e499e04a627514d0b2c5de76b127d60d14115c1fa835a51e1dac2714952ad3364ac07cfb863d3dbbca73e60f68c493dd1125fd10b88599

Download Submit
C:\Windows\SysWOW64\Hfnphn32.exe

Filesize
84KB

MD5
f08e3b3a2194fa7929da1945766b8d29

SHA1
dce62abc047258596cd20cbc991f115e45c53fd2

SHA256
562a8c69ecc0a4ac786c8833d32aa4addf6f86a9f949baf9c39c4db15bfaf01a

SHA512
86f799a2b801c788664b195f01c08ac5ed98dfaca1bd8bd41bd7d7e59239545fbdbf77add1c0f3e7e337ae06a89d90ef376875179a6a164aa07adce8abf34574

Download Submit
C:\Windows\SysWOW64\Hkikkeeo.exe

Filesize
84KB

MD5
72d05f7b6b137709cdabc2d89f5e57e8

SHA1
1dbfb701e35f18a7ef0aae2a46334e97cc302bbd

SHA256
392128c3a610bfca32a32a2537062dbd8a8154807e5e61a42cec799ac4519c8c

SHA512
d8e29bad83f016c9ffffa8787343ffcc4efda328e09cff104737cbd8746172c3ceb6dd0926c4ba04049e2af01bd4bf1e76084f09dd91c58f08dd57e36b23f42f

Download Submit
C:\Windows\SysWOW64\Hkkhqd32.exe

Filesize
84KB

MD5
813d46c1dadbf68007148ab6a20314c4

SHA1
27bc9f84f9338b527746c4f825c0fbbb1c9979fd

SHA256
6597923cce03f60353458adff1b899ef17a4fad7604343747591afd9fa5544e5

SHA512
8bea3468ec4b2d453af397392169c53304a78ea654137ffdb5fb33f1c55ef4e9d74cd352a8a76c6c4a159b1fec4c8f1d8794c3e42b64b35fe51f8aec4029cc06

Download Submit
C:\Windows\SysWOW64\Hmabdibj.exe

Filesize
64KB

MD5
ca1b92223535dbfcf69361ba104e8752

SHA1
925aeccb19d37e2b0b60eff027e9ed470b7f9b53

SHA256
e47e080814ba99e6336aa90d52636aebb644440db8ec349024b3967ecff26e01

SHA512
bd94f902924384f08237af78421d40fc7d182aa3eed14d13d99a5f9471beaa3cc62b87bb3d7bee7cb201cc089da425ff56d995f904c79c0f3624539ea9a87f9b

Download Submit
C:\Windows\SysWOW64\Hmabdibj.exe

Filesize
84KB

MD5
5f90cdd28e56f19d81a442a28ecd028a

SHA1
cad167412ce3c9e82ff8ebea3e51c815dd67c81b

SHA256
eb808602da5ff5d39a15215afb925d66b105024b57460954fe432e9e0ad191ba

SHA512
526f63dd7f23f97827eaa71aa13b57b92e574364b85515cc742b61a6e914642299cc1855c7774aafcad09b0def2007aa2c80c9164909ea148b40ccd018a30833

Download Submit
C:\Windows\SysWOW64\Hmcojh32.exe

Filesize
84KB

MD5
2d301d65979a342fc88227945436af35

SHA1
e46c193aaaf11692a35889c940278331685f725d

SHA256
726343171ab583a0920241e1db9a32c1a5ae3d90ef11712eb314c26adc90738a

SHA512
0b9ef7d96c5782fd30672f98e7a8c2a6c5005fb847cafe3874a8de29a376ca061acf3ce7fc9b8b40f5752b41b8686ac5cc42ebc8f880eec7d8f43288344cdc89

Download Submit
C:\Windows\SysWOW64\Hoiafcic.exe

Filesize
84KB

MD5
0d18c4df25370c399f336cfcfaba6c4f

SHA1
519caa1f66a5600834e20c0f7e6d8a27476c6ff5

SHA256
8658f7340962bfa04bce4b81069a861d32e4064832524f6cc40da483e2dd01bb

SHA512
aae6842f69c26fe537c25667afc5b1c6f06c9d84da93fe95ce06436f661c674f72201fb9a2c8d15adfe0ee09fc9f863febb60f10e8aeba458ed786cb7e520b31

Download Submit
C:\Windows\SysWOW64\Ibnccmbo.exe

Filesize
84KB

MD5
f2820d447dfc89c3501dadaa82e7ecc3

SHA1
43f55bfa764be8865bd00481f0b8c2e9af296ee6

SHA256
8971ee26e83985b90bd023c70467be52dee82589ae04d8db3aa2df43bc0e5caf

SHA512
8dc76d7a1abb5e3f6ddc9055ee1dc441b8ff230bdd91156829e33582eea3c6ac91b31ed0d0145f9384243288139585b2619e6af5b55c9c26969f22439e95fdaf

Download Submit
C:\Windows\SysWOW64\Icifbang.exe

Filesize
84KB

MD5
6bc34ed030a128936d6a09ca029fb4cb

SHA1
0432562a2c1e08d401ccb2ce954f05095954e06a

SHA256
48d5d0b01dd7a1e6ed849752510a16f796b65745afeb34e09436ac9c8d9c607b

SHA512
8755b8eb4ae0cee0937569b7c4ac942cb4885f648a7e1bc1f81625a9aa059f30be60b1bf263aae1f678c7b18385ecf898afa09a755aed9e357037ae85f6aa962

Download Submit
C:\Windows\SysWOW64\Icplcpgo.exe

Filesize
84KB

MD5
c9b6854492d855149c0f6081521c57cf

SHA1
a54fdb12ac7d01e70bfa10970940446df0d2ceaf

SHA256
af5fb2e424475bd4d97a74108e87e72fbdf677b888519640f0cbbd37fde03803

SHA512
71a68d2b3e73d18fa40ba357fe148ef4e430805b413002113c685f60376e60817ff33ea33b74e8f56e2b66219ec0e599a52f7d22ebaebee0eab628c9f431a3e9

Download Submit
C:\Windows\SysWOW64\Iehfdi32.exe

Filesize
84KB

MD5
84a1537425523b987bf720051acc4b0a

SHA1
daeee89e87529e8efd47916b3d9b2fdb9cf21aad

SHA256
6c97acea0643ff43165bfb4e0c4ca017b70f1289c5678425f3f402502a4b8396

SHA512
a028c9f5e6341c67a565fad59707fdbfeb4d2fb032891577856906dc3112c7922bc7cfb2e22fde95a3e32f1bd8478049758e89e4b201fbf85430ae7c34285d85

Download Submit
C:\Windows\SysWOW64\Ifgbnlmj.exe

Filesize
84KB

MD5
353c26f4edae90d8f890a4a12855a66b

SHA1
9e07ca9fd32e3df4e1968967af8d3d765c7f1282

SHA256
6e98ddede7564cfaae906453f0c9ae20aa36dc4fefe3ab6126cfc91cb6a597f9

SHA512
6e031eb2e04c4eeb97f15bb44145158ff1b6eb221135dc996bf59610a35ea89243e83725a74dcaeb4e7c38dc804eadd66b65a864f6df9d36273353cb4a755cdf

Download Submit
C:\Windows\SysWOW64\Ifllil32.exe

Filesize
84KB

MD5
2b9b4a595b01c68678681a1ccf639a89

SHA1
564548f0e0705487d64bc5aa2c39bc6af0bc05ff

SHA256
9dcb2893fa707d68c03dd46a94a43279c8de25fd00219383e91a530c385b04ee

SHA512
be4dc3788c795789dfdb8cfb9416d58df281ad2858befc75fb6f267972c923dce37bc5cfba8850cdd2bed117bddca8b68676afecf9286c59de7caef51ce490e7

Download Submit
C:\Windows\SysWOW64\Iiaephpc.exe

Filesize
84KB

MD5
6e14394b2f9a51392c03d78da8eb649d

SHA1
c28b777ed79ce66862f4b1ad5055b6fb773fc40c

SHA256
42b058c86cd6f9640253a65e4ed71f9d2a40e0a5cb2d9c78f2bb56ca7855a5f0

SHA512
f37ddf2b8fa17ab7474fca1f81ace6f32bda33988afa059cb70941bca7b7f5ad19df50deba086b4b6463f96c594a680978b9d1fe5e6e8a3368a0b156d313661e

Download Submit
C:\Windows\SysWOW64\Iifokh32.exe

Filesize
84KB

MD5
3e1fa4da6610f80f8cd95767a67e8522

SHA1
ef9be7bf9889f2df841d2191d7c37138307326d5

SHA256
6a97e79e3170205a3fbce6ee229b7c6ec70154fbd7999f814e72c2afc11388a8

SHA512
3f8da12ef51410ac1e15f720966f126aaec014db617d52c953912d879a8a3d6cf6d57e7e857c52c1e49413b962ffb56c774f9f516846104791afb7cb9ec03c29

Download Submit
C:\Windows\SysWOW64\Iikhfg32.exe

Filesize
84KB

MD5
379dc91063a8ee1a0fdc259bc90bbb61

SHA1
2430ec50868b1ff3befbf27f89813dda583ffa15

SHA256
663f6bafb15ae228d0907f97becf3e85992de51f1f014b44297d935d046b6660

SHA512
83796834fcaed090a003a92b8ac42219f7774eda58ac2bb93230f79f06b86d508a4ca0b541a141124ca6534ba5fa8ca02d112f47b274e2606986af119e17f6d5

Download Submit
C:\Windows\SysWOW64\Ikbnacmd.exe

Filesize
84KB

MD5
6da861a77f614d2bb24595657de1148c

SHA1
6fb7d6b966d09a979453e7518517735f64bac51c

SHA256
4dec78d8be550aff29e5fb736c81ccc63bd04a2035b10c59bcb51369122ddfec

SHA512
1c5d8ea62098b1d3224c6d8fabb756d43023657e0357f15d9e2bc17a016071e7e68b0938f660ef5662eb729ed9823705f864c4df247b453dade68d61e0822b3e

Download Submit
C:\Windows\SysWOW64\Imdgqfbd.exe

Filesize
84KB

MD5
02aa029fd9e8b989130211dff199d446

SHA1
48c37a689935c84d3f5e3f6482b84a2a896a644c

SHA256
2b4d5965932c181f6a60b8b3b470c3929698b49db88ec3da5de3312c1af531d1

SHA512
9c0629a18dd919565127ced608155ded57490cd9497620b15509787e0d70de4f51d4ab7fd2eb92ddc570a97a7e76159f89d8f9d95b7beeead3aac459b694c8a1

Download Submit
C:\Windows\SysWOW64\Ipbdmaah.exe

Filesize
84KB

MD5
938b0a127a9f031d2d94389b70123b88

SHA1
9be3a59aeef521e7e621e3e7c149fa0dd0a5101b

SHA256
6f5ab3f414c45a42eb47caf8f981c26d54810d5663a4cc291f08d6116910b62c

SHA512
8688518240cefa686387ac852fa7fc390d1d8cd34dd839e7654e42c038731afffe823b59faf85e0b42f95842f5a0fa7f3d30c1796101fb0f564ad3a20b320819

Download Submit
C:\Windows\SysWOW64\Ipknlb32.exe

Filesize
84KB

MD5
2f32b1de83039bc74f66e390320a0a0f

SHA1
ad4673c8520f239e67f7a70901eb93a20a75ecd8

SHA256
bca35a33985750640593611de3bb92a749130077d86cf3fd1abc803ab22ba9af

SHA512
c7ac6e079a1455e476d49f7cb8d95041fbf000377d9b497bc7eef07ab3aab3e7f4febd8f8214bb0f69af68521e3704f96dfd1563db5eadd069a9942bf5917460

Download Submit
C:\Windows\SysWOW64\Ippggbck.exe

Filesize
84KB

MD5
cb806702e268e29e7b8dd0d4f7871f23

SHA1
e7bdc85b44412637b50e2d7ddbc3d540ba12a6b9

SHA256
66ca87b6c179759b53c976478c8b8d46941ee0e67e8dcbdbdcc0d1b065fabe94

SHA512
bf8deb72c83f09b0b4354ceec8c8ff1e83c08cd7eab1c8e6029d4e057af39d6ff6667be465bb06c2a935cc84d1dac2bcc3164049c795d44f52dcd5ae1b64700b

Download Submit
C:\Windows\SysWOW64\Jedeph32.exe

Filesize
84KB

MD5
88eae29d4c62bde71b30d1b7092fcc04

SHA1
2c7ddb6cb2bf2a2aa82d196a7a8e09d3da0ba06d

SHA256
4a348e6a33be1c1ea80a785f12004cd5f63853a09f8ed24fa5e6705e9058cc0e

SHA512
1da4aead2425b79730f6c090703b25226150841ce7fb66b2c679bc12fabd32de1b8bcb9a89c3e4d14aa3fa9d58ee172a298cb2171ddfe53cdf28b2047656c375

Download Submit
C:\Windows\SysWOW64\Jfoiokfb.exe

Filesize
84KB

MD5
c6ed0466172be1cd77992c451e8a2e7a

SHA1
1177971e05d75650c54f729d322287c1f69fea07

SHA256
6bdec6c1b17d66d1765708c285d15fbb0add2ceb299a9889cb0c2d9e52f5a993

SHA512
c6f2a09eefaae1b119ddb030be872ee8d60bbe674f58d8264d989322d7e9de206f46a95e6c62c12c63caf5591a3bfac2bdc244b5c66156d90b581afa0979694f

Download Submit
C:\Windows\SysWOW64\Jimekgff.exe

Filesize
84KB

MD5
5bc8a39d605c2b2de0030a39163b1607

SHA1
5262d6624a7254ee8c1df3ff665585333028e3dd

SHA256
ed223c7ed10c26d17cb8a619ce9f832a3125d662447c7a0a596f10614ce9275b

SHA512
ee41e3208db0dde0cdd672d0b8479182caeb7f8ecc3fb48643e654e9240a820a221d15b6344d41b5164705ca5a197d6570e4ab42117baee35ae529c32986132a

Download Submit
C:\Windows\SysWOW64\Kipkhdeq.exe

Filesize
84KB

MD5
a1c643730fd697bed398d5659b365d28

SHA1
07b2fe5469089893caca32c588e203eb4a497f75

SHA256
9fa078bedf2f127ee244c7d53200ee938352f386e2acf11a7c0ccf982e258d0e

SHA512
800ac7377f68ad7436eda0e8ea79ce669184caeaa27de3a359d574a1cb3d63b2bf054fc998c5f05f6fcd4ffbacd29496892eb1bd6652aa7222405d10b1003247

Download Submit
C:\Windows\SysWOW64\Meiaib32.exe

Filesize
84KB

MD5
c8898775a28ed9a843ce8bd67003c0af

SHA1
779c4c692c10ebcd0c25f1736d7aad3429deae60

SHA256
0e81e6fac27a4270c7aa93620bfb4107db946659f213440813527b19a854ef5d

SHA512
d529ffe34d054b6a71c7719b90ed968a2d1ec17cab68fe189a9824a29ec897e140ad293dd99b06bee4bdf128bdf0539d9d002d708b3ef03ae026f3823d6ee7cf

Download Submit
C:\Windows\SysWOW64\Mgkjhe32.exe

Filesize
84KB

MD5
c3002383dbd84f268c3fc9c028e4ae44

SHA1
1b75dec78337b5e81bda02e2f2e10f1ee836fcde

SHA256
5adfe7ad9ee70d2904e4f0ecd02a40efe39ed3d9ac4d5dad6ad5adae5aa06374

SHA512
3628df24a2548ced85ebbd91d117d96ccbfe28dcd82680f283fce17e8e5d53754fdac370fe1ad441d4e7a49309b6344a265a65b691adc965773f6833e6368397

Download Submit
C:\Windows\SysWOW64\Mmbfpp32.exe

Filesize
84KB

MD5
e36f9c6fb655237eee18cd0df5232d50

SHA1
48eb4d40f1707c123a18ac8cb467bb4f5c0d79aa

SHA256
889fa3eb08f3b609f5e7c7fc55ab73573e69fbaf29823dd5154e2a742554fa0f

SHA512
1ff9d9b1bb44b0506d6d81fbaceee49fdca16fbfea4d6b6d373e51e9df8b812c54acca20f798d67b9c870cefb4c9d0869d8a931fa64048159af7dd30f7a1f5b5

Download Submit
C:\Windows\SysWOW64\Mmlpoqpg.exe

Filesize
84KB

MD5
4b9eee8d698dd0ddcc3dda90522776f3

SHA1
d5530f896603c7aaced18e805ca742e8faf03a72

SHA256
4fad8eba611cb32b95a94271a32a6a394b5eaf7bee5e11167eb40a966daa5c9a

SHA512
0b1a7ff9ebc6649327fc8d2b20d04edcfaefad98523438d203951e3e57511f6c9997021afaaeb7b53ace450c286eabc81cf52836edf1bed348ff135eb3fc8189

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
84KB

MD5
eb5fbe8cd480aa79d8a5a6d05bad2de5

SHA1
ef22e1b7e25cac04e83df339c1145f5601395397

SHA256
38efb6f52efcef50dc68d2277885cff66d2b6edcc568bec6997c7f120dae71b2

SHA512
76e9c431cb5af2aa8e64573956399b46a2ae13d3ba6739f8cf715d695db28de22aeaea9c26ad364d63807bf6fc7958f2dc673d30f4b2b3fbf87bb13216270811

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
84KB

MD5
5718c4169549eab2655b4b1f236974e1

SHA1
2c1cf655c30fe8f389d8b431a075ce2a7528e471

SHA256
d9d394ffe6d918e2573692558f7f8de49f2d899a8b1bf9ccc1f780b88fbbf000

SHA512
1aa5b0b249f339895285b50f97b78b7504295ce2c04eb50b60f766505f00073e0a2778c1bb8afb9a3bffee29714740cd8f1b0d202a8d9e0682e4c31815949006

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
84KB

MD5
e219f17a6e876d970e3e1cc77caba83b

SHA1
9e55bf5f19e5eca2d33c25f36029f34905c6e8c7

SHA256
bda4b3336dcc36d2a7f1111a21dbe83156fe159537388fc9f8987447fb1567ee

SHA512
3d6be20df311f7bdd979d2baa87c558766fd7edd7e56a188e4b5ea9141457847dfc3263acc1e9ccebdf949cd090c5b7d5cbddda4a66eee75dd48814991617af6

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
84KB

MD5
17732589cea8ea891324c8e06d61022f

SHA1
6c40c63315c5066ee8258ce5d93924b955393399

SHA256
1a9aba0ffd7ecb8f42ff5ed0caa8c52a78e56be6622bdb1ce6c318c3c04e1a05

SHA512
242de25245da69f27a80b54c3b999819bd67c69d8c0e42b2dba2149856ff7003c21fe719df8650b1b4818e699dad67eb543c4a6186dd1c2e205c385bceb67826

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
84KB

MD5
307dbeecd7a3bb44d8de734897c4b482

SHA1
e19a9e591ea3df6f1937562af321f8f957cfd483

SHA256
f99267aec61d8013811c95ac2ef0fb02ccf9499fb91840cff3b161adec1b3987

SHA512
9a73c949d4e4b2c3536eadd6741516cd151332481b664214a9c136fc5a672c66db2b58944ce01940fe157524d3839b9a802996441eb2e8bff8745c1fd914872e

Download Submit
memory/728-544-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/728-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/748-552-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/836-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/836-551-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/864-136-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/920-388-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/928-340-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/940-63-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1080-144-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1092-334-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1124-484-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1156-346-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1236-406-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1312-370-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1480-87-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1516-559-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1592-151-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1704-418-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1784-424-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1812-328-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1972-160-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2036-39-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2036-579-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2112-478-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2120-454-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2224-304-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2256-55-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2256-593-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2260-128-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2272-183-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2300-124-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2304-71-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2320-175-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2324-168-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2344-566-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2364-514-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2372-580-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2432-199-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2444-228-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2728-208-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2752-262-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2792-232-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2800-549-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2812-538-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2824-284-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2832-104-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2856-316-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2960-352-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3012-436-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3040-586-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3040-47-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3124-466-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3128-322-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3160-558-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3160-16-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3180-376-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3208-526-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3588-268-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3612-292-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3616-286-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3636-364-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3740-394-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3848-594-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3880-472-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3968-96-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3976-274-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4008-310-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4024-520-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4056-460-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4184-442-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4220-508-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4244-412-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4248-565-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4248-23-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4316-382-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4384-400-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4388-248-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4424-496-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4432-490-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4448-256-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4540-240-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4588-358-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4632-448-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4680-573-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4688-79-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4756-572-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4756-31-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4772-502-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4816-216-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4908-298-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4920-587-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4996-191-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5072-112-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5100-532-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5116-430-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads