berbew | 496ed933f9ed1a42169e2d387cbaea7239243492faf8e8cf68799c79c706073b

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2024 23:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

496ed933f9ed1a42169e2d387cbaea7239243492faf8e8cf68799c79c706073b.exe
Size

245KB
MD5

7924a4ae6d89ce1caa9159987f53eb3a
SHA1

962eb5e427fbe3a62760a71eee6f56112aed236e
SHA256

496ed933f9ed1a42169e2d387cbaea7239243492faf8e8cf68799c79c706073b
SHA512

d0e675a809e4b7ec396013631134f1d7da6da1e018d02f0bf3230c69039b7f6c185df8f836dfd640ab2176fb4608d45a8aeb1028e08b907fd10907f96403dce1
SSDEEP

1536:rNrIuJBhdRTuUwzIbWp/4cXeXvubKrFEwMEwKhbArEwKhQL4cXeXvubKr0:rNrIKdRTSTpwago+bAr+Qkal

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npcoakfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncbknfed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nljofl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jioaqfcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jioaqfcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klimip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mchhggno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jplfcpin.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfmepi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Likjcbkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njqmepik.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdeoemeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npfkgjdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbhoqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Leihbeib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmpijp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onjegled.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	496ed933f9ed1a42169e2d387cbaea7239243492faf8e8cf68799c79c706073b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcioiood.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jeklag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jefbfgig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mibpda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncfdie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcgbco32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcllonma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mibpda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfckahdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mibpda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpoefk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
4056	Jioaqfcc.exe
1652	Jpijnqkp.exe
3388	Jbhfjljd.exe
2192	Jefbfgig.exe
4296	Jmmjgejj.exe
2332	Jplfcpin.exe
2196	Jcgbco32.exe
4832	Jbjcolha.exe
4968	Jehokgge.exe
4244	Jidklf32.exe
2652	Jmpgldhg.exe
2992	Jlbgha32.exe
2588	Jcioiood.exe
3088	Jblpek32.exe
4988	Jeklag32.exe
3628	Jifhaenk.exe
3960	Jlednamo.exe
1476	Jpppnp32.exe
3036	Jcllonma.exe
4592	Kboljk32.exe
2900	Kemhff32.exe
3408	Kiidgeki.exe
2952	Klgqcqkl.exe
4928	Kpbmco32.exe
3328	Kbaipkbi.exe
1536	Kfmepi32.exe
2380	Kikame32.exe
2072	Kmfmmcbo.exe
540	Klimip32.exe
4620	Kpeiioac.exe
2392	Kbceejpf.exe
3688	Kebbafoj.exe
4204	Kimnbd32.exe
2664	Klljnp32.exe
1460	Kpgfooop.exe
1404	Kbfbkj32.exe
1616	Kfankifm.exe
4456	Kedoge32.exe
4324	Kmkfhc32.exe
3444	Klngdpdd.exe
224	Kdeoemeg.exe
464	Kbhoqj32.exe
3940	Kfckahdj.exe
2304	Kibgmdcn.exe
1124	Kdgljmcd.exe
4276	Lffhfh32.exe
3144	Leihbeib.exe
2736	Liddbc32.exe
1592	Llcpoo32.exe
1096	Lpnlpnih.exe
1800	Ldjhpl32.exe
4260	Lbmhlihl.exe
2248	Lekehdgp.exe
3184	Ligqhc32.exe
2956	Llemdo32.exe
2288	Lpqiemge.exe
3640	Ldleel32.exe
4960	Lboeaifi.exe
380	Lfkaag32.exe
216	Lenamdem.exe
4060	Lmdina32.exe
3668	Llgjjnlj.exe
3564	Ldoaklml.exe
688	Lgmngglp.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Jioaqfcc.exe	496ed933f9ed1a42169e2d387cbaea7239243492faf8e8cf68799c79c706073b.exe
File created	C:\Windows\SysWOW64\Ohkhqj32.dll	Mdckfk32.exe
File opened for modification	C:\Windows\SysWOW64\Aabmqd32.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Kebbafoj.exe	Kbceejpf.exe
File opened for modification	C:\Windows\SysWOW64\Kpgfooop.exe	Klljnp32.exe
File created	C:\Windows\SysWOW64\Ebinhj32.dll	Mchhggno.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Medgncoe.exe	Mbfkbhpa.exe
File created	C:\Windows\SysWOW64\Mgddhf32.exe	Mchhggno.exe
File opened for modification	C:\Windows\SysWOW64\Neimdg32.dll	Mibpda32.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bagflcje.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Oddmdf32.exe	Onjegled.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Qnjnnj32.exe	Qjoankoi.exe
File opened for modification	C:\Windows\SysWOW64\Jcllonma.exe	Jpppnp32.exe
File opened for modification	C:\Windows\SysWOW64\Kbfbkj32.exe	Kpgfooop.exe
File created	C:\Windows\SysWOW64\Nhgfglco.dll	Lpebpm32.exe
File created	C:\Windows\SysWOW64\Blleba32.dll	Mpjlklok.exe
File created	C:\Windows\SysWOW64\Nngokoej.exe	Nepgjaeg.exe
File created	C:\Windows\SysWOW64\Gbmgladp.dll	Njnpppkn.exe
File created	C:\Windows\SysWOW64\Odaoecld.dll	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Afoeiklb.exe
File opened for modification	C:\Windows\SysWOW64\Jcgbco32.exe	Jplfcpin.exe
File opened for modification	C:\Windows\SysWOW64\Jpppnp32.exe	Jlednamo.exe
File opened for modification	C:\Windows\SysWOW64\Kfckahdj.exe	Kbhoqj32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjlpo32.exe	Njnpppkn.exe
File created	C:\Windows\SysWOW64\Cihmlb32.dll	Nphhmj32.exe
File created	C:\Windows\SysWOW64\Bdjinlko.dll	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Jlbgha32.exe	Jmpgldhg.exe
File created	C:\Windows\SysWOW64\Jlednamo.exe	Jifhaenk.exe
File created	C:\Windows\SysWOW64\Bkjlibkf.dll	Mdjagjco.exe
File created	C:\Windows\SysWOW64\Empblm32.dll	Njciko32.exe
File opened for modification	C:\Windows\SysWOW64\Ognpebpj.exe	Oneklm32.exe
File opened for modification	C:\Windows\SysWOW64\Jeklag32.exe	Jblpek32.exe
File created	C:\Windows\SysWOW64\Leihbeib.exe	Lffhfh32.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Jefbfgig.exe	Jbhfjljd.exe
File opened for modification	C:\Windows\SysWOW64\Ldoaklml.exe	Llgjjnlj.exe
File created	C:\Windows\SysWOW64\Anmcpemd.dll	Jlednamo.exe
File opened for modification	C:\Windows\SysWOW64\Kmkfhc32.exe	Kedoge32.exe
File created	C:\Windows\SysWOW64\Ogibpb32.dll	Likjcbkc.exe
File created	C:\Windows\SysWOW64\Ikkokgea.dll	Lphoelqn.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Kmfmmcbo.exe	Kikame32.exe
File created	C:\Windows\SysWOW64\Gfkfpo32.dll	Kdgljmcd.exe
File opened for modification	C:\Windows\SysWOW64\Nngokoej.exe	Nepgjaeg.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Kpbmco32.exe	Klgqcqkl.exe
File created	C:\Windows\SysWOW64\Hhmkaf32.dll	Mdehlk32.exe
File created	C:\Windows\SysWOW64\Nlmllkja.exe	Nnjlpo32.exe
File created	C:\Windows\SysWOW64\Pfhfan32.exe	Pdfjifjo.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Ncbknfed.exe	Npcoakfp.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Jpijnqkp.exe	Jioaqfcc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6736	6592	WerFault.exe	276

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lffhfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldleel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npfkgjdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpppnp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpoefk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbhfjljd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmlpoqpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jidklf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kimnbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbfbkj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbhoqj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kemhff32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldoaklml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lebkhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kiidgeki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfmepi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mibpda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jplfcpin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpeiioac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leihbeib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpqiemge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Likjcbkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ligqhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbfkbhpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfankifm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Medgncoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpijnqkp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbjcolha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbceejpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepncd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llemdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mchhggno.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odaoecld.dll"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Leihbeib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidlk32.dll"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmlpoqpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifndpaoq.dll"	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lenamdem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncfdie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpqiemge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jeklag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kemhff32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jplfcpin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjgfjhqm.dll"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojleohnl.dll"	Kfankifm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikkokgea.dll"	Lphoelqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdjinlko.dll"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbjcolha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gilnhifk.dll"	Ligqhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmkfhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcjpfk32.dll"	Lepncd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbdolh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcmjaol.dll"	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khchklef.dll"	Jcioiood.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljodkeij.dll"	Lboeaifi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lenamdem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohkhqj32.dll"	Mdckfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hflheb32.dll"	Llgjjnlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lingibiq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mbfkbhpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imllie32.dll"	Kbfbkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edgbbfnk.dll"	Kbhoqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbmhlihl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nepgjaeg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Neeqea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jblpek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbfbkj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdgljmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldleel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nloiakho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Bhhdil32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 4056	2148	496ed933f9ed1a42169e2d387cbaea7239243492faf8e8cf68799c79c706073b.exe	84
PID 2148 wrote to memory of 4056	2148	496ed933f9ed1a42169e2d387cbaea7239243492faf8e8cf68799c79c706073b.exe	84
PID 2148 wrote to memory of 4056	2148	496ed933f9ed1a42169e2d387cbaea7239243492faf8e8cf68799c79c706073b.exe	84
PID 4056 wrote to memory of 1652	4056	Jioaqfcc.exe	85
PID 4056 wrote to memory of 1652	4056	Jioaqfcc.exe	85
PID 4056 wrote to memory of 1652	4056	Jioaqfcc.exe	85
PID 1652 wrote to memory of 3388	1652	Jpijnqkp.exe	86
PID 1652 wrote to memory of 3388	1652	Jpijnqkp.exe	86
PID 1652 wrote to memory of 3388	1652	Jpijnqkp.exe	86
PID 3388 wrote to memory of 2192	3388	Jbhfjljd.exe	87
PID 3388 wrote to memory of 2192	3388	Jbhfjljd.exe	87
PID 3388 wrote to memory of 2192	3388	Jbhfjljd.exe	87
PID 2192 wrote to memory of 4296	2192	Jefbfgig.exe	88
PID 2192 wrote to memory of 4296	2192	Jefbfgig.exe	88
PID 2192 wrote to memory of 4296	2192	Jefbfgig.exe	88
PID 4296 wrote to memory of 2332	4296	Jmmjgejj.exe	89
PID 4296 wrote to memory of 2332	4296	Jmmjgejj.exe	89
PID 4296 wrote to memory of 2332	4296	Jmmjgejj.exe	89
PID 2332 wrote to memory of 2196	2332	Jplfcpin.exe	90
PID 2332 wrote to memory of 2196	2332	Jplfcpin.exe	90
PID 2332 wrote to memory of 2196	2332	Jplfcpin.exe	90
PID 2196 wrote to memory of 4832	2196	Jcgbco32.exe	91
PID 2196 wrote to memory of 4832	2196	Jcgbco32.exe	91
PID 2196 wrote to memory of 4832	2196	Jcgbco32.exe	91
PID 4832 wrote to memory of 4968	4832	Jbjcolha.exe	92
PID 4832 wrote to memory of 4968	4832	Jbjcolha.exe	92
PID 4832 wrote to memory of 4968	4832	Jbjcolha.exe	92
PID 4968 wrote to memory of 4244	4968	Jehokgge.exe	93
PID 4968 wrote to memory of 4244	4968	Jehokgge.exe	93
PID 4968 wrote to memory of 4244	4968	Jehokgge.exe	93
PID 4244 wrote to memory of 2652	4244	Jidklf32.exe	94
PID 4244 wrote to memory of 2652	4244	Jidklf32.exe	94
PID 4244 wrote to memory of 2652	4244	Jidklf32.exe	94
PID 2652 wrote to memory of 2992	2652	Jmpgldhg.exe	95
PID 2652 wrote to memory of 2992	2652	Jmpgldhg.exe	95
PID 2652 wrote to memory of 2992	2652	Jmpgldhg.exe	95
PID 2992 wrote to memory of 2588	2992	Jlbgha32.exe	96
PID 2992 wrote to memory of 2588	2992	Jlbgha32.exe	96
PID 2992 wrote to memory of 2588	2992	Jlbgha32.exe	96
PID 2588 wrote to memory of 3088	2588	Jcioiood.exe	97
PID 2588 wrote to memory of 3088	2588	Jcioiood.exe	97
PID 2588 wrote to memory of 3088	2588	Jcioiood.exe	97
PID 3088 wrote to memory of 4988	3088	Jblpek32.exe	98
PID 3088 wrote to memory of 4988	3088	Jblpek32.exe	98
PID 3088 wrote to memory of 4988	3088	Jblpek32.exe	98
PID 4988 wrote to memory of 3628	4988	Jeklag32.exe	99
PID 4988 wrote to memory of 3628	4988	Jeklag32.exe	99
PID 4988 wrote to memory of 3628	4988	Jeklag32.exe	99
PID 3628 wrote to memory of 3960	3628	Jifhaenk.exe	100
PID 3628 wrote to memory of 3960	3628	Jifhaenk.exe	100
PID 3628 wrote to memory of 3960	3628	Jifhaenk.exe	100
PID 3960 wrote to memory of 1476	3960	Jlednamo.exe	101
PID 3960 wrote to memory of 1476	3960	Jlednamo.exe	101
PID 3960 wrote to memory of 1476	3960	Jlednamo.exe	101
PID 1476 wrote to memory of 3036	1476	Jpppnp32.exe	102
PID 1476 wrote to memory of 3036	1476	Jpppnp32.exe	102
PID 1476 wrote to memory of 3036	1476	Jpppnp32.exe	102
PID 3036 wrote to memory of 4592	3036	Jcllonma.exe	103
PID 3036 wrote to memory of 4592	3036	Jcllonma.exe	103
PID 3036 wrote to memory of 4592	3036	Jcllonma.exe	103
PID 4592 wrote to memory of 2900	4592	Kboljk32.exe	104
PID 4592 wrote to memory of 2900	4592	Kboljk32.exe	104
PID 4592 wrote to memory of 2900	4592	Kboljk32.exe	104
PID 2900 wrote to memory of 3408	2900	Kemhff32.exe	105

C:\Users\Admin\AppData\Local\Temp\496ed933f9ed1a42169e2d387cbaea7239243492faf8e8cf68799c79c706073b.exe
"C:\Users\Admin\AppData\Local\Temp\496ed933f9ed1a42169e2d387cbaea7239243492faf8e8cf68799c79c706073b.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Windows\SysWOW64\Jioaqfcc.exe
  C:\Windows\system32\Jioaqfcc.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4056
- - C:\Windows\SysWOW64\Jpijnqkp.exe
    C:\Windows\system32\Jpijnqkp.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1652
  - - C:\Windows\SysWOW64\Jbhfjljd.exe
      C:\Windows\system32\Jbhfjljd.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3388
    - - C:\Windows\SysWOW64\Jefbfgig.exe
        
        C:\Windows\system32\Jefbfgig.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2192
      - C:\Windows\SysWOW64\Jmmjgejj.exe
        
        C:\Windows\system32\Jmmjgejj.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4296
        
        C:\Windows\SysWOW64\Jplfcpin.exe
        
        C:\Windows\system32\Jplfcpin.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\SysWOW64\Jcgbco32.exe
        
        C:\Windows\system32\Jcgbco32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\Jbjcolha.exe
        
        C:\Windows\system32\Jbjcolha.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\SysWOW64\Jehokgge.exe
        
        C:\Windows\system32\Jehokgge.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4244
        
        C:\Windows\SysWOW64\Jmpgldhg.exe
        
        C:\Windows\system32\Jmpgldhg.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SysWOW64\Jlbgha32.exe
        
        C:\Windows\system32\Jlbgha32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\SysWOW64\Jcioiood.exe
        
        C:\Windows\system32\Jcioiood.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\Jblpek32.exe
        
        C:\Windows\system32\Jblpek32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3088
        
        C:\Windows\SysWOW64\Jeklag32.exe
        
        C:\Windows\system32\Jeklag32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\SysWOW64\Jifhaenk.exe
        
        C:\Windows\system32\Jifhaenk.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3628
        
        C:\Windows\SysWOW64\Jlednamo.exe
        
        C:\Windows\system32\Jlednamo.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3960
        
        C:\Windows\SysWOW64\Jpppnp32.exe
        
        C:\Windows\system32\Jpppnp32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Windows\SysWOW64\Jcllonma.exe
        
        C:\Windows\system32\Jcllonma.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\SysWOW64\Kemhff32.exe
        
        C:\Windows\system32\Kemhff32.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3408
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2952
        
        C:\Windows\SysWOW64\Kpbmco32.exe
        
        C:\Windows\system32\Kpbmco32.exe
        25⤵
        Executes dropped EXE
        
        PID:4928
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        26⤵
        Executes dropped EXE
        
        PID:3328
        
        C:\Windows\SysWOW64\Kfmepi32.exe
        
        C:\Windows\system32\Kfmepi32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1536
        
        C:\Windows\SysWOW64\Kikame32.exe
        
        C:\Windows\system32\Kikame32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2380
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        29⤵
        Executes dropped EXE
        
        PID:2072
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:540
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4620
        
        C:\Windows\SysWOW64\Kbceejpf.exe
        
        C:\Windows\system32\Kbceejpf.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2392
        
        C:\Windows\SysWOW64\Kebbafoj.exe
        
        C:\Windows\system32\Kebbafoj.exe
        33⤵
        Executes dropped EXE
        
        PID:3688
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4204
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2664
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1460
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1404
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4456
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4324
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        41⤵
        Executes dropped EXE
        
        PID:3444
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:224
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3940
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        45⤵
        Executes dropped EXE
        
        PID:2304
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1124
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4276
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3144
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        49⤵
        Executes dropped EXE
        
        PID:2736
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        50⤵
        Executes dropped EXE
        
        PID:1592
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        51⤵
        Executes dropped EXE
        
        PID:1096
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        52⤵
        Executes dropped EXE
        
        PID:1800
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4260
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        54⤵
        Executes dropped EXE
        
        PID:2248
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3184
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2288
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3640
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4960
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        60⤵
        Executes dropped EXE
        
        PID:380
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:216
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        62⤵
        Executes dropped EXE
        
        PID:4060
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3564
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        65⤵
        Executes dropped EXE
        
        PID:688
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        66⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2176
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4636
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        68⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        69⤵
        Drops file in System32 directory
        
        PID:4872
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        70⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        71⤵
        Modifies registry class
        
        PID:3612
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:3080
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        73⤵
        Modifies registry class
        
        PID:4800
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        74⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1344
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5004
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3684
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:876
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        78⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        79⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4068
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        80⤵
        Drops file in System32 directory
        
        PID:4288
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        81⤵
        Drops file in System32 directory
        
        PID:1360
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3636
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        83⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:756
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3220
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        86⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1220
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4148
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        89⤵
        Drops file in System32 directory
        
        PID:5092
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3428
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:644
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2924
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        93⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2724
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5124
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        96⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5228
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        99⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        100⤵
        Drops file in System32 directory
        
        PID:5304
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        102⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        103⤵
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        105⤵
        Modifies registry class
        
        PID:5484
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        106⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        107⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5596
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        108⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5688
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        110⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5728
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        111⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5768
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        112⤵
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5848
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        114⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5924
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        116⤵
        System Location Discovery: System Language Discovery
        
        PID:5964
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        117⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6044
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:6084
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        120⤵
        Modifies registry class
        
        PID:6124
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        122⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        123⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:832
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4484
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        127⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5404
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        129⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        130⤵
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:5588
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        132⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:5608
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        134⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5740
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        136⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        137⤵
        Drops file in System32 directory
        
        PID:5900
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6000
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:6020
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        140⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5320
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        142⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        143⤵
        System Location Discovery: System Language Discovery
        
        PID:1240
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3432
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3160
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3336
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        147⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        148⤵
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5828
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5952
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        151⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        152⤵
        System Location Discovery: System Language Discovery
        
        PID:5292
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        153⤵
        System Location Discovery: System Language Discovery
        
        PID:5152
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        154⤵
        Drops file in System32 directory
        
        PID:3240
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4612
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1444
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        157⤵
        System Location Discovery: System Language Discovery
        
        PID:5756
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        160⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4360
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        161⤵
        System Location Discovery: System Language Discovery
        
        PID:5560
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        162⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        163⤵
        System Location Discovery: System Language Discovery
        
        PID:5956
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        164⤵
        System Location Discovery: System Language Discovery
        
        PID:920
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6052
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        166⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        167⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        168⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6096
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        169⤵
        Drops file in System32 directory
        
        PID:6188
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        170⤵
        Modifies registry class
        
        PID:6228
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        171⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6264
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        172⤵
        Drops file in System32 directory
        
        PID:6304
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        173⤵
        Modifies registry class
        
        PID:6344
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6384
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        175⤵
        Drops file in System32 directory
        
        PID:6424
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6464
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        177⤵
        Modifies registry class
        
        PID:6500
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        178⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6584
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        180⤵
        System Location Discovery: System Language Discovery
        
        PID:6620
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        181⤵
        System Location Discovery: System Language Discovery
        
        PID:6664
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        182⤵
        Drops file in System32 directory
        
        PID:6712
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        183⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        184⤵
        System Location Discovery: System Language Discovery
        
        PID:6808
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6888
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        186⤵
        Drops file in System32 directory
        
        PID:6952
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        187⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7024
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7120
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6176
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        190⤵
        System Location Discovery: System Language Discovery
        
        PID:6256
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        191⤵
        System Location Discovery: System Language Discovery
        
        PID:6380
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        192⤵
        Modifies registry class
        
        PID:6432
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        193⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6508
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        194⤵
        
        PID:6592
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6592 -s 396
        195⤵
        Program crash
        
        PID:6736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 6592 -ip 6592
1⤵
PID:6688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
245KB

MD5
761d4b380593c01e770e08f923b66117

SHA1
43858698565a0585234d9f2003c82bbf784fcc05

SHA256
c385cfb1109fccecaa6ec08722fc9c23e79156505955a3d63dc27517e1c941aa

SHA512
782ac54dc9a65f172d7c05a3909d46e98d44106a4a127d89ffcbc797bcef02e110079b7ed5fb5adfd5638614d1ed00ec3fc28513467340e6ded63b3aa6855dee

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
245KB

MD5
5da4b322501be0a0a28511f29a8354ef

SHA1
bf46b8c12a1127043d36a321f25c20b58ece5af6

SHA256
3a549d55c2ff1b34a50dfe5f35fd22d439d421980f40bd6a0dfb680de9868058

SHA512
546af73396f2e96730773d88a14363776d2985cc09dcba758d710e1f32a023f12b351347b934f130015607a659977e5329d4640cc6fe851246116a40d6d1f3ca

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
245KB

MD5
517ed679bdea8e539a476e9f15efb5c1

SHA1
89af7183e5939609d01ff947d6a7a1f83b1e85b2

SHA256
0165880af4b4e8da5cfbfab674c68ee017d2fa6c39f22cfe34b3401dfe7cac06

SHA512
278e3e96a95c1cfd0733dce9ed54a73be0422a0396fa5a7a3f62fc0c390ee056e3b36408d60f4977711f61b859329d2de337c9cc24161350c1420da2ad6fa09e

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
192KB

MD5
36f9d12436ff0cbb29cd3fc28cdeea41

SHA1
3c828bfdeb95bf186dd0e1f859923fcfffaea2e6

SHA256
54251477d5426d9625d0ae93e52a0739e9494b9d748480512c8f7cfba857e604

SHA512
b5b8d272aaffbb9663ebfdbaa11896e94d8aa25dc137f3dab17e38916676e0fa99c4e5e61ba85257cdb837403e4f3e94e05d5b3ae60c62858267a7e098450f9d

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
245KB

MD5
c9d7ede597a7e711a2c0cb2f0c34f0c8

SHA1
55c7759ebf37977b59bbd5614b06e36451a8b102

SHA256
cda48473cc067f049c7e4a020504906e6750018a81833668db7577232b153c69

SHA512
1b5f29b470ec0e32e564519c5bdc5dcd817ee2c74bcdb420263d4fe841a367a0ef9832b6ed40e88b5e43f7db3f349a15590292148cb028aab4e931a65e50b8f2

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
245KB

MD5
17c82a6896c365080f65f353799cec81

SHA1
01769cd66ed6bc918a74ebac37d54fdda6053f59

SHA256
0add24fe20e131a72e6354aa086eafd9149438b1979123634edf8800361f782a

SHA512
5760800c8aa2eb4b0e6503d38014fa7e2d9d77345778d57d270e6d3f8b756bd014aeba04242c6bc2c21a8ec591ac2c00fd657c16f563a280e165f22262bdd197

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
245KB

MD5
a688cebe9b74d05d4d38aaf096feca22

SHA1
690ac81ef6fb1d2e2338d3b9cafe9dbbb0cd2de4

SHA256
7982f896d694f1abe0cd12b05cefe993f19f4fa14b4ff4a11b3aade9c8e3ba0e

SHA512
83eb95f76a89926548135390cbd9bbf14ec479474d6cf9ef280d1fadb97f79f1f062c6c7542f6f24f19ced8491cc5100ef7bb50ebba1e15c0057b6345dbd5202

Download Submit
C:\Windows\SysWOW64\Jbhfjljd.exe

Filesize
245KB

MD5
448d38801b0511e6203a89f409e407dd

SHA1
77ac9f41f4a1c3dfd4ebfdc082da2cf3b004e0e0

SHA256
06f5297ab00e14bc487199c182fd41d54256473b40c95e9adaae333343c965fc

SHA512
bea831204a9f5f45809c0317d0e7c51ff15611fdecefa471016cda909844de6319cf94d61ecaf2b3dafb33bfe7f42ddf8f50549131bf0b0f7c82272114ad925f

Download Submit
C:\Windows\SysWOW64\Jbjcolha.exe

Filesize
245KB

MD5
4bd8a473842ed23746eafda4bd89c250

SHA1
f3b06659c74d500943ec9fe988c65148c4d91ba8

SHA256
95b470c9dc273230f0e8534b2f50602eebfa54460feb80c9e4b8d4366f06f488

SHA512
ae773f32fb6735086262a1219bebc389db52c53c077a72206071b5bb25c6150ec2ba972ab9e29a039c0d6ebcb179072a7a7438f00e5eafcb40974556e4570907

Download Submit
C:\Windows\SysWOW64\Jblpek32.exe

Filesize
245KB

MD5
515657debae769b4dc679ab750bfb6f0

SHA1
b1ec918eb2caedd9e106d58f604572183987b036

SHA256
94584fc0b87a1914e607018c0d0e6ccb47eae4cf98c3a7455b35027de8e25fe0

SHA512
2ea3fc329459d4567ad0f55c9371aefa5c1d6700055b6744156a7a5f2c01e96b320697be57de8fe76f9e193b977fccc000cb3e4cfa705c64e8db5faa5c74cf20

Download Submit
C:\Windows\SysWOW64\Jcgbco32.exe

Filesize
245KB

MD5
5d6709b4afec1f0e1cf6d73b34ed8ac6

SHA1
fa6e1ac3793708dbf1718b693af63b0e80bcb6d7

SHA256
073c1f7997df70b3f6450f159631c5e780a2540145686a32e38cd525a3ff3200

SHA512
a5c28660f7014f09efd8e190226c46b567c061e027a2ebbcfe40f153fffc2f3b4ee29ec32f0fcc43b8b3598b2dd24e93298fa0a7622b7e2930683b5145947da6

Download Submit
C:\Windows\SysWOW64\Jcioiood.exe

Filesize
245KB

MD5
41436e233835a72b922f64e2505a1977

SHA1
74dad1fa4fb414dd0d6b79449d40bffeda9c56d6

SHA256
fce7bec4d589c07517f7b1e8ad4227b5e03c5298ba0bb8648e2ecc36647d2ce5

SHA512
61d92e1438394442d9c46c0c6f5362edf3a7ec223bdaa241c04a8c7e86248264e292cc839521d886b9522af9619f2882078722e6c3c89763957a62dfa0516a53

Download Submit
C:\Windows\SysWOW64\Jcllonma.exe

Filesize
245KB

MD5
39cc39df209d50e83569a35b1727804a

SHA1
230d0b9674338645c90da6d468d11ba17c54fabd

SHA256
10637573ae2e6147079c024017ad3bc3b551acc9b4bc2d22919f7d42addcb7d7

SHA512
0064ff717015315b11eeb7939b6861b1f95d079ebe16d028e5c6de3d6bccf44447fbd135f39430ac2700928da843c0ca6ec7d611db18a2e7cc31cc7e98cb51af

Download Submit
C:\Windows\SysWOW64\Jefbfgig.exe

Filesize
245KB

MD5
881a5dbff109e7bd73d4525b58ae2151

SHA1
42d0f432dd1cb281aac16200d08fa6fe34d79bd2

SHA256
a0f338f14b9d00f4871f36e09e57c9fdc8887a213482095b01cd6c97edb21d6e

SHA512
ef4480ef3f2825457663b94bdcbcb28eaf0cb1b33f04de63e6c020d46f313f06c6192a986816b1a80650245a1075863c400e0623e11fd93a56419a041198ac21

Download Submit
C:\Windows\SysWOW64\Jehokgge.exe

Filesize
245KB

MD5
258dac4fc2982ea9f3d897546864fc8e

SHA1
631647a173e8896638dbdd57d72c392d96c275ea

SHA256
ade5f225e6577c74e747adfd9c3bc92ab1a7254934341401b4e94befb96c3b16

SHA512
7dc1329a9f155df6fd4c938321b6526180a45e4387f4755bbd12fef005741387c5ac4f21329f7c961bc8fdd149405e6d22fe364977a7c1f1d1241d524d23804e

Download Submit
C:\Windows\SysWOW64\Jeklag32.exe

Filesize
245KB

MD5
7ce5128cfd40096cc78d8a5de2cfc398

SHA1
aea369c1712d216f83b77d134ec8cc5ebb404e49

SHA256
6ef1cedebf3431714c343f65564d51853ea945dad56d67983af3d2be19a687a2

SHA512
acd9e40cbcc48b493eeaff61fdbe5a0a8c17beb0789e9ff6c564f66439dea392643a6cbddac5163d66390a87b2b703a0e9921754017f1518d9a18c969c391c66

Download Submit
C:\Windows\SysWOW64\Jidklf32.exe

Filesize
245KB

MD5
e7774c9be4d5186ddd73ed257abb7ae4

SHA1
8b051c9e7de7d2cffbcfcc968b4da7fec4ef5fc7

SHA256
0ca883d54cdc8952ab4ee0e4a4c742011b4384f69be7384f3a8c39d35458239d

SHA512
f58bb21d42d7e99ea5d82e3f2ddeade736736ab16fdfa4d30c1646b5a0e68cd5a9adf9076b2df4563b5c6b488f648559914d33f40b90f04ba498c3b1f04b8c10

Download Submit
C:\Windows\SysWOW64\Jifhaenk.exe

Filesize
245KB

MD5
007b2eeb43ab42ea47939525f29c468f

SHA1
a58d7755898afed16d4135b4b8bc6b91cb158553

SHA256
9f8a5e75e789ed492ef1d5bb7e80efe8419da4fef62a55bd6b57007b2c30ffd5

SHA512
6b983909d0467d11da13f7896f12cdb52ab4399be605b394fc0af118f808f75871dee8860b215485384d4c2e975f84e9c565c0adaa409923e813484be3f460ad

Download Submit
C:\Windows\SysWOW64\Jioaqfcc.exe

Filesize
245KB

MD5
dfd5e049c832d3b30efe90e7bb803021

SHA1
e0762c73ba6a1640edc872d389413bb89fdc3c70

SHA256
4a53affa9bc4f20ddfda520517429f5ec90dd8e3d82bd9088f6eec91a696b7b1

SHA512
92dd741b8bda6a3f9e36caa79a05308ca29ffdecad23ac95df02fdde99a68189d19c5f201212d377c95e3fd3eebb1eb9a7fa30619e0f0e21371e479a31467ed6

Download Submit
C:\Windows\SysWOW64\Jlbgha32.exe

Filesize
245KB

MD5
056641c9c755877f5b1a8a2ffcd4b6d0

SHA1
439fcd9cb03e9211735c4cd922db47ec4627aa8d

SHA256
4f67596b81eba88dbdbf08d1c0ef79cde2e6a97741b77c725b0e6a82e552e6a2

SHA512
5175692ac83cf9b8974c5f81ec63a7044eb807ccdb545010046fb58e68a8fb7731e5635ddb9da0f32fefafdd45ffe5bc05ec54fa6d1e41a3eeccb779fbe4ebd8

Download Submit
C:\Windows\SysWOW64\Jlednamo.exe

Filesize
245KB

MD5
f202a60176b4625a7df0bea3b549bb7d

SHA1
8c8fc5c7ac637f43a6b60142a17ddfe241a7f69d

SHA256
2cd5ef10b99075121ceefea7406a280aa431dbbf6a39089bcbf733ba6bf80f0f

SHA512
ae0679297de20f9ffa2635f3b1de44819fede9622e6bedb8a89c5dd5ee676217c78644a6f41d43f0aa3addb2989f7994ebc23032739411cf6cb6d74aeca37972

Download Submit
C:\Windows\SysWOW64\Jmmjgejj.exe

Filesize
245KB

MD5
e8c7ce36204bdc7ba70843e227b96418

SHA1
4b47e88a11f0b18f33026cd6d6cd5c8fca8e23d0

SHA256
e65d389179679f4d9edf4b59b6781707fa75ba86e213db95a225d3f3f46f9adb

SHA512
7e5f3ede94430a3c2783f776a3eb93f8d446cdf7ed9c40b9edca7b5158ffd8f5095e349c8baa463c5729b47584823eaf66268b0aa2286fd7cb60b9d481a0d524

Download Submit
C:\Windows\SysWOW64\Jmpgldhg.exe

Filesize
245KB

MD5
f0bbfcbaba4b4d7344b7dd16d454918b

SHA1
ab0b688ecddb34563125da18ee5b176d3c80d754

SHA256
6665be3d1dc98881d89b26b7f4a62a55cac3638c6e83cabce0a5bd07319d8240

SHA512
15d901b040c1e6ead176196a340d6811e6bc11fe724ce25d15850be0d2430167835f43a6562968fdb05c2f483304d78866db3b30e7eb3cbf711d61e54532daee

Download Submit
C:\Windows\SysWOW64\Jpijnqkp.exe

Filesize
245KB

MD5
3909eaea1fa34e4abe2f81b33e6f75cd

SHA1
5b630e449b58c5889d87c87c6c0bdca77e5b4cd8

SHA256
a8b28cfeacd0d729965fb46dee40fe6d5fa5f4367813ecfec40202805effbb64

SHA512
f2dc0856cc243ab4c29b1e4fbe2db989e2d9efa33923fac3b5ba5c77e9a8dd09c2fe460dcc4f860d782206729797666a5dda058a7b3afb673703edb724fa2c18

Download Submit
C:\Windows\SysWOW64\Jplfcpin.exe

Filesize
245KB

MD5
0ae61df1489c381a2ecff2b8377e0b0c

SHA1
bdddaf1e9a513f3441b87ed60349c50e69478dd0

SHA256
a4e8a89eedada131f12292da258e3a28216c21e91b81cdb0bfca720a9f0d06a0

SHA512
9beae5aa68c6b41f2b7eb55557dce2e9c44f3449edf7596facbf1e21087f2f0764a192b8b49bb1f8c9d53194eb8c6f400a414604e5a7a7fa2616bee4184a1ad3

Download Submit
C:\Windows\SysWOW64\Jpppnp32.exe

Filesize
245KB

MD5
d336a3043a8e8d4ebc68c4a5f90e5c08

SHA1
ca989b676d0d360602a1c8046b38da5e33227bc2

SHA256
eb8b85cafa1a8eb70563a9f46f00c9830dbe5dc70f584a50eedbb8c5cbc2a1d9

SHA512
cdf76b0881355292e73f7acfe1f74b10e64e3b4a5340b193d9dd0838e4996f40e39927903a392ad07c397ab455955761ecdd57bbdf0b725049e0cdfcab5dad30

Download Submit
C:\Windows\SysWOW64\Kbaipkbi.exe

Filesize
245KB

MD5
70305b0c4bdb0a0c4a0dc409020348df

SHA1
9aae8a32b249c30fe56875e6bdf36e2adfeab853

SHA256
60243c0f250823bf5c974735a598ea13fb6cfd8fcba345095f226417492e7645

SHA512
5c8746918d806fb7a1b591a43e297335acb83351f3409abcbdc8fd45efbcea8a57ac4167ecb4379d5c494720fe0f9513b6c43a7524418ed63d30cb7f8fb80836

Download Submit
C:\Windows\SysWOW64\Kbceejpf.exe

Filesize
245KB

MD5
833455ba667e6719b9d1d32459558c30

SHA1
49ec912a171a9580f55fc3a140709666686aba9d

SHA256
825248792c8e10af74909e77b2159c1adcbf66a8e7c721b0a9540fadd745e3ca

SHA512
203cc84e3556cdb19ca54b05c4e4d5fceee0f08d4aa1a34453ed250f5a417310be6de4e383caac3a3e1e6c552187dc0d88efe278bff173a664644b4690614639

Download Submit
C:\Windows\SysWOW64\Kboljk32.exe

Filesize
245KB

MD5
202034cd43792f55d7a8d8acd4f26928

SHA1
dea3e68fb7dc672365db5336ff8c0bb6244ef3ae

SHA256
7f7141415790f9d96f985cfe49e9d4694bb1a2d891eae7a7f9f00f7c8642b884

SHA512
d5a3a3eeb3798204f22cfea95f7d14e017e6da05361e1564451049b9338b8f3bf1b993e236fa0af7d5ff8653bb5824eca0206e4c9a6537c0d6a8171740aa4e66

Download Submit
C:\Windows\SysWOW64\Kebbafoj.exe

Filesize
245KB

MD5
07e0a68c3f5b3780c590119d44b440de

SHA1
0e4a8292b76146a23b48f4a074d8a9e7bb27fbbd

SHA256
25aa82ee98ae87c87d14c740deae196386939ff19e67ce8d64be6c7e4a6d8f3a

SHA512
b441d96b0214893c7c1c2f73d97afa91f3073e0f3206cd78837d79573c84836fbd95df9f220b3bca0eeff76a02d03d4c3f78c076ae259f1f174d8e328588a0e3

Download Submit
C:\Windows\SysWOW64\Kemhff32.exe

Filesize
245KB

MD5
520089912ffa90889decb090d4af174b

SHA1
d64b51bfbd13dda86b20ff8677b5ecd4d4c53d60

SHA256
6ab4ecc9cd3c744d39e86bda53d18ad79e61bb3c304dd8f2b7e40f3855640c2f

SHA512
fd847695c76b2a9a0a78841f85842b2bd2cfd2104325c582c9bd977855ad53c049c27ee708d567a8db200147c99a5e7d53ac32578a3876422fbdcf64935e0510

Download Submit
C:\Windows\SysWOW64\Kfmepi32.exe

Filesize
245KB

MD5
42f79fb69e6a7d027f7375f4c454607e

SHA1
a2fae2f26bd6fea98646b89f5f0a9ad1e910905a

SHA256
e61107070e30fdbd7eb8ad69c5db1bca54d4fcbcdd458ae4863ce985c0037598

SHA512
d7c3527526489815626f596e369dcbc0404fe22998b2fe9e8d19db90b74336a2adb9761f740110e1d50b34211b0a967de53383d508499b4f15c5a52c9b41c185

Download Submit
C:\Windows\SysWOW64\Kiidgeki.exe

Filesize
245KB

MD5
44cebf0c75e8627bab97a54888c2daf5

SHA1
8ee5b186217a8651927ccf6bd3e06b18ee7279bb

SHA256
4a21a1742f0acc2be8a26d62e5e74f0a0b2b6ec31d932482ac8914734bfc7567

SHA512
ef0a8fd27064f13c80bcac7e03877f607e7ece4ae396452cae615824981ed0bc3ec98385c0d4de34e8eeb0e75ce2702ff9adfee5892b1b4d77e457b07c61d8aa

Download Submit
C:\Windows\SysWOW64\Kikame32.exe

Filesize
245KB

MD5
36e13fd027c30b7ecb3a897a987072fe

SHA1
eb9d67924e364d2da2d4f70a962e4e8da124c35e

SHA256
193668fa87554ad179427f2d9ad45916527b0bfbb458b28b9abe1fac7dfecdf3

SHA512
a44dc187334b68543ab37b509dee1979115c95442b2545c7b6dee3e0ddfd0bfb5d7721beb26516be2018fadca8e578d5fb55e5530c8b6d66ade2705a8b906e67

Download Submit
C:\Windows\SysWOW64\Klgqcqkl.exe

Filesize
245KB

MD5
eba848ca03214f6bcb1e9327f45ac75b

SHA1
1799e9521115842b2f2f5d912405742e19a3ca92

SHA256
8fd32c09c995d0494403c78adf2490dd8dd3de3f11b1a0ac17f6b8592edfcb1a

SHA512
cfdf5267f858664a157af9658b7619fe1b24cdeaa1af2394d51d87e46384bdbf4ca6d49d7ada4a5ab389c9f04e0da9bd87a3dbdecb29b57a3d4369cb25b9945c

Download Submit
C:\Windows\SysWOW64\Klimip32.exe

Filesize
245KB

MD5
f5f1eacf7e724f1124b98fecb846eeed

SHA1
964dc5b0566bd4755bd5f6b8370c86a5bbe5105d

SHA256
d7f5b340e3cfc0303af06d7ac22c017e6ea3d1eee31b314ec1a650d49f2668a6

SHA512
f77c5fb34a266a65045721f3ccb569f1308f878d1054f00bcdcb4505b7b926d23842a81e979c6fa7391f68905cdd2573af8220ea37544d4c13e54ad2e56ca6b5

Download Submit
C:\Windows\SysWOW64\Kmfmmcbo.exe

Filesize
245KB

MD5
4a82d2202e7726e4fcedc80a5704d4de

SHA1
d022d6648992dceb1503b3685975d4f9be109efc

SHA256
4ceaded02e5665885ff8427a7c388a6778897630aa9060731e63df87d5d90689

SHA512
07cbc71da76abfd893041bd981d9a6f55401c804528d51185bd8aea7eb5fbe2c540305318fa1f6c9f014293b73ab023ea4c670020b66fc84f4374bec92b06f6a

Download Submit
C:\Windows\SysWOW64\Kpbmco32.exe

Filesize
245KB

MD5
9ac88187677dc2c8ff7a387febc0c6e6

SHA1
f2d8019d6a0b8a1ddd3f7badf0475c5a8e3e3729

SHA256
368cb77a90826612a9863fdc0b259a64f375674a4daf9a09ac58beba2785466f

SHA512
5691d27b0ecc062db598f6ac2e3fec8348a0a105d7087f1dbc44566652bcd3ff31500e1eff140b2a5fba7e3df7d6b2148ab7efb4e43680e1d10db75f3ba0d822

Download Submit
C:\Windows\SysWOW64\Kpeiioac.exe

Filesize
245KB

MD5
70ddf9dfb97317e310774e31c63e59b0

SHA1
9a8f8534705acbbc63fcc23aec8cf69c8fb241e9

SHA256
3586f757a892df97b04d9e9edc76ce350c71a128e84ccc7b7bd91841c4654978

SHA512
7527943272b5a73729bb1172a234c22dcf820d97e0d39fce95e8b7af219276e1c3ed751c67906902c0e0e21eb4b7a6c06416f906684276f6c669ea7342da0ca6

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
245KB

MD5
563ac7c0e5b4470750e6c7b9e0b82547

SHA1
2ad80754180d03c96082a944a76e8058e1de7094

SHA256
f78068ba1811e04d7fee3d7a0b18ec8308ea2451c4ad94838ff38de034edd661

SHA512
686ee766f4d7882f83a9504fd0916c3767e0d0c387d51607d9c3f2c8250692f94040bbb7df820b383029ffa54aa8ecf041276a68727e74aa539d4e17e6d55e4d

Download Submit
memory/224-452-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/380-541-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/464-453-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/688-543-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/832-766-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1096-519-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1320-546-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1404-447-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1460-1552-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1476-302-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1616-448-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1652-22-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2072-310-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2148-0-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2148-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2176-544-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2192-284-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2196-291-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2204-555-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2248-521-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2304-641-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2332-290-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2340-750-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2380-309-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2588-297-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2652-295-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2736-517-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2956-523-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2992-296-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3080-552-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3088-298-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3144-516-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3184-522-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3240-1313-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3388-25-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3428-649-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3444-451-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3564-542-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3612-551-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3628-300-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3640-524-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3940-454-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3960-301-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3968-774-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4056-8-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4068-556-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4148-567-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4244-294-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4260-520-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4276-455-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4288-561-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4296-640-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4456-449-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4484-768-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4592-303-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4620-312-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4636-545-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4800-642-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4832-292-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4928-304-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4960-527-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4968-293-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4988-299-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5004-554-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5092-648-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5132-756-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5148-1337-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5228-634-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5260-744-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5264-635-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5304-636-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5336-637-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5404-780-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5412-638-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5448-639-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5492-786-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5500-804-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5544-796-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5552-655-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5568-1298-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5588-798-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5596-660-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5608-810-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5636-662-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5688-668-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5724-816-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5728-674-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5740-822-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5768-685-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5800-690-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5864-828-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5880-697-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5900-834-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5924-703-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5964-709-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/6000-840-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/6004-715-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/6044-721-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/6084-727-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/6124-737-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/6432-1238-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads