berbew | 241d5e932144d6bf59010cad15af1524ea22da9152d3ab6f1639a8d47be28000

Analysis

max time kernel
144s
max time network
162s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250128-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250128-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
10/02/2025, 04:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusSign.2023.11.29/03d5f6bace8c6a0a2d14ef775d3c02d1.exe
Size

371KB
MD5

03d5f6bace8c6a0a2d14ef775d3c02d1
SHA1

e58e87a50be5bbc7b93af011fc316d35ed591294
SHA256

b0d69301bb3d9d35a6e7a51805495162e45aceb1021fd5486f9af941814ab68e
SHA512

8ae2454c737ef5c75fabef5ee5a047a50aa4caea596c043a9b96c57d4ad60fe58523bd90e32903bd892709286af6a1553a173e4e96d7e62da7b37b3f0cc78758
SSDEEP

3072:0YDztpePvPKeMe8hbRdIu6dNeXZs+XBL+FhVukEB0pwGvJe2VTBpifm3FKCE:PqqakN+NQs+RLOhSiix

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mddkbbfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Poidhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	03d5f6bace8c6a0a2d14ef775d3c02d1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qiiflaoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amnebo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijpepcfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjgkab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jjgkab32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdnebc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Maaekg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Opbean32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcibca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eqkondfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gnmlhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gdknpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ibpgqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pcijce32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmjfodne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fggdpnkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fbaahf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fnhbmgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lamlphoo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflfdbip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnnimak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnngpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hgcmbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hcjmhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lojfin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obpkcc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfeijqqe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljpaqmgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Abhqefpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hannao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnnnfalp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaljbmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pilpfm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laffpi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlefjnno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcapicdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpepbgbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aimogakj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cancekeo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkjfakng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gbbkocid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piceflpi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihceigec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdkoef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lakfeodm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pplhhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amfobp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bapgdm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enemaimp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hnmeodjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nlqloo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nhgmcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkjckkcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aealll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amfobp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhffg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lajokiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mlhqcgnk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkedonpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ilhkigcd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iagqgn32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
1640	Kcapicdj.exe
2324	Lpepbgbd.exe
3700	Lpgmhg32.exe
3252	Ljpaqmgb.exe
2584	Lakfeodm.exe
4744	Loofnccf.exe
4772	Llcghg32.exe
4688	Lcmodajm.exe
2216	Modpib32.exe
3552	Mlhqcgnk.exe
4376	Mhoahh32.exe
2520	Mqhfoebo.exe
1768	Mlofcf32.exe
2396	Njbgmjgl.exe
3816	Nbnlaldg.exe
2120	Ncmhko32.exe
1824	Nmhijd32.exe
1684	Nmjfodne.exe
1332	Ommceclc.exe
1972	Omopjcjp.exe
2176	Ofgdcipq.exe
3376	Oqoefand.exe
892	Opbean32.exe
3808	Pjjfdfbb.exe
3436	Piocecgj.exe
2792	Pbhgoh32.exe
3360	Pplhhm32.exe
4364	Ppnenlka.exe
1860	Qclmck32.exe
376	Qiiflaoo.exe
3772	Amfobp32.exe
2004	Aimogakj.exe
2172	Acccdj32.exe
2816	Amkhmoap.exe
4608	Abhqefpg.exe
4640	Amnebo32.exe
3764	Adgmoigj.exe
64	Aidehpea.exe
3960	Abmjqe32.exe
1476	Banjnm32.exe
2912	Bfkbfd32.exe
444	Bapgdm32.exe
4980	Bkkhbb32.exe
4832	Bphqji32.exe
4044	Bagmdllg.exe
452	Cmnnimak.exe
3520	Cdhffg32.exe
1504	Cmpjoloh.exe
4596	Ccmcgcmp.exe
4724	Cancekeo.exe
1512	Cgklmacf.exe
2208	Cmedjl32.exe
776	Ckidcpjl.exe
684	Cacmpj32.exe
3136	Dgpeha32.exe
1808	Daeifj32.exe
408	Dcffnbee.exe
4580	Dnljkk32.exe
1676	Dcibca32.exe
5012	Dkpjdo32.exe
3468	Dnngpj32.exe
2512	Ddhomdje.exe
4368	Dnqcfjae.exe
456	Dalofi32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fljhbbae.dll	Ofgdcipq.exe
File created	C:\Windows\SysWOW64\Cboleq32.dll	Kalcik32.exe
File opened for modification	C:\Windows\SysWOW64\Djgdkk32.exe	Dkedonpo.exe
File created	C:\Windows\SysWOW64\Nnoefe32.dll	Enemaimp.exe
File created	C:\Windows\SysWOW64\Lhlgjo32.dll	Fnhbmgmk.exe
File created	C:\Windows\SysWOW64\Lajbnn32.dll	Kefbdjgm.exe
File created	C:\Windows\SysWOW64\Mddkbbfg.exe	Mlifnphl.exe
File created	C:\Windows\SysWOW64\Kdohflaf.dll	Lakfeodm.exe
File created	C:\Windows\SysWOW64\Ofgdcipq.exe	Omopjcjp.exe
File opened for modification	C:\Windows\SysWOW64\Amnebo32.exe	Abhqefpg.exe
File created	C:\Windows\SysWOW64\Conllp32.dll	Pcijce32.exe
File created	C:\Windows\SysWOW64\Fbcolk32.dll	Cmpjoloh.exe
File created	C:\Windows\SysWOW64\Mohpjh32.dll	Hgcmbj32.exe
File opened for modification	C:\Windows\SysWOW64\Kocphojh.exe	Kopcbo32.exe
File created	C:\Windows\SysWOW64\Gfdcpb32.dll	Gdknpp32.exe
File created	C:\Windows\SysWOW64\Koljgppp.exe	Klmnkdal.exe
File opened for modification	C:\Windows\SysWOW64\Mddkbbfg.exe	Mlifnphl.exe
File created	C:\Windows\SysWOW64\Pakfglam.dll	Jnnnfalp.exe
File created	C:\Windows\SysWOW64\Aaqcco32.dll	Jdopjh32.exe
File opened for modification	C:\Windows\SysWOW64\Nhbciqln.exe	Mdghhb32.exe
File opened for modification	C:\Windows\SysWOW64\Kcapicdj.exe	03d5f6bace8c6a0a2d14ef775d3c02d1.exe
File opened for modification	C:\Windows\SysWOW64\Lajokiaa.exe	Lolcnman.exe
File created	C:\Windows\SysWOW64\Mhknhabf.exe	Maaekg32.exe
File created	C:\Windows\SysWOW64\Naapmhbn.dll	Ndnnianm.exe
File opened for modification	C:\Windows\SysWOW64\Cmpjoloh.exe	Cdhffg32.exe
File created	C:\Windows\SysWOW64\Cjeejn32.dll	Epdime32.exe
File created	C:\Windows\SysWOW64\Ijaaij32.dll	Jogqlpde.exe
File opened for modification	C:\Windows\SysWOW64\Kdkoef32.exe	Kalcik32.exe
File opened for modification	C:\Windows\SysWOW64\Mlifnphl.exe	Madbagif.exe
File created	C:\Windows\SysWOW64\Nchhfild.exe	Nhbciqln.exe
File created	C:\Windows\SysWOW64\Knaodd32.dll	Aimogakj.exe
File created	C:\Windows\SysWOW64\Icifhjkc.dll	Amkhmoap.exe
File created	C:\Windows\SysWOW64\Dgpeha32.exe	Cacmpj32.exe
File created	C:\Windows\SysWOW64\Dpjkgoka.dll	Khkdad32.exe
File created	C:\Windows\SysWOW64\Ohhbfe32.dll	Mojopk32.exe
File opened for modification	C:\Windows\SysWOW64\Ibgmaqfl.exe	Ijpepcfj.exe
File created	C:\Windows\SysWOW64\Jjdokb32.exe	Jaljbmkd.exe
File created	C:\Windows\SysWOW64\Jogqlpde.exe	Jlidpe32.exe
File created	C:\Windows\SysWOW64\Kchhih32.dll	Mclhjkfa.exe
File created	C:\Windows\SysWOW64\Emnhomim.dll	Mcoepkdo.exe
File created	C:\Windows\SysWOW64\Dcffnbee.exe	Daeifj32.exe
File created	C:\Windows\SysWOW64\Edaaccbj.exe	Epdime32.exe
File created	C:\Windows\SysWOW64\Edpabila.dll	Gkhbbi32.exe
File created	C:\Windows\SysWOW64\Jfdklc32.dll	Leoejh32.exe
File created	C:\Windows\SysWOW64\Pcijce32.exe	Piceflpi.exe
File created	C:\Windows\SysWOW64\Inpoggcb.dll	Qiiflaoo.exe
File created	C:\Windows\SysWOW64\Dohnnkjk.dll	Amfobp32.exe
File opened for modification	C:\Windows\SysWOW64\Adgmoigj.exe	Amnebo32.exe
File opened for modification	C:\Windows\SysWOW64\Eqkondfl.exe	Ejagaj32.exe
File created	C:\Windows\SysWOW64\Oacmli32.dll	Klmnkdal.exe
File created	C:\Windows\SysWOW64\Lpcgahca.dll	Cacmpj32.exe
File opened for modification	C:\Windows\SysWOW64\Fgnjqm32.exe	Fbaahf32.exe
File opened for modification	C:\Windows\SysWOW64\Hgocgjgk.exe	Gbbkocid.exe
File created	C:\Windows\SysWOW64\Mlifnphl.exe	Madbagif.exe
File created	C:\Windows\SysWOW64\Gnmlhf32.exe	Fnjocf32.exe
File opened for modification	C:\Windows\SysWOW64\Koljgppp.exe	Klmnkdal.exe
File opened for modification	C:\Windows\SysWOW64\Laffpi32.exe	Lklnconj.exe
File created	C:\Windows\SysWOW64\Omopjcjp.exe	Ommceclc.exe
File opened for modification	C:\Windows\SysWOW64\Opbean32.exe	Oqoefand.exe
File opened for modification	C:\Windows\SysWOW64\Piocecgj.exe	Pjjfdfbb.exe
File created	C:\Windows\SysWOW64\Aafjpc32.dll	Aidehpea.exe
File created	C:\Windows\SysWOW64\Modpib32.exe	Lcmodajm.exe
File created	C:\Windows\SysWOW64\Mjaofnii.dll	Bkkhbb32.exe
File created	C:\Windows\SysWOW64\Gkhbbi32.exe	Gdnjfojj.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hcjmhk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfncia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofgdcipq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cancekeo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdkoef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Laffpi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maaekg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhqcgnk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edaaccbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibgmaqfl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pilpfm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfeijqqe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iagqgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Madbagif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hannao32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkjckkcg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcmodajm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pplhhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmcgcmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkjfakng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gdnjfojj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqkondfl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koljgppp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbqinm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okceaikl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piceflpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	03d5f6bace8c6a0a2d14ef775d3c02d1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mqhfoebo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnngpj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hgcmbj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibpgqa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgnjqm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnhbmgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lajokiaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkepineo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfbmdabh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hnpaec32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ihceigec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jogqlpde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kcapicdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aimogakj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amnebo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbaahf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hnmeodjc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kemhei32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdghhb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gkhbbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnnnfalp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Modpib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmhijd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banjnm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enemaimp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gdknpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ephbhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enopghee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gnmlhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khkdad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mclhjkfa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofbdncaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkbfd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkpjdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dalofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejagaj32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfkeihph.dll"	Ppnenlka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmlpen32.dll"	Dkedonpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Enopghee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fcneeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ihceigec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfqbll32.dll"	Jlidpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdlmhj32.dll"	Lojfin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mhknhabf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gejimf32.dll"	Omopjcjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmnnimak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Eqkondfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oapijm32.dll"	Ilhkigcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oheienli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Klpjad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inpoggcb.dll"	Qiiflaoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Acccdj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmpjoloh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddhomdje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iplfokdm.dll"	Ddklbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jeolckne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kchhih32.dll"	Mclhjkfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogajpp32.dll"	Cdhffg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eemeqinf.dll"	Dkpjdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gnaecedp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nchhfild.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nlefjnno.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nmhijd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gjcmngnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hannao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Icachjbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Maaekg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lklnconj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bagmdllg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjeejn32.dll"	Epdime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fgnjqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hnbnjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkojhm32.dll"	Ihceigec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdnebc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mlifnphl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Enemaimp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paifdeda.dll"	Gnmlhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lbqinm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbqmiln.dll"	Nkjckkcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qppkhfec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Modpib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pbhgoh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Daeifj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gccebdmn.dll"	Ielfgmnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcoepkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oohkai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ecikjoep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Koljgppp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgfaf32.dll"	Nooikj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dkedonpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gndbie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Odbgdp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pecpknke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qfjcep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bphqji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fofobm32.dll"	Fgnjqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ibpgqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Klmnkdal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lbqinm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jhhodg32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4424 wrote to memory of 1640	4424	03d5f6bace8c6a0a2d14ef775d3c02d1.exe	87
PID 4424 wrote to memory of 1640	4424	03d5f6bace8c6a0a2d14ef775d3c02d1.exe	87
PID 4424 wrote to memory of 1640	4424	03d5f6bace8c6a0a2d14ef775d3c02d1.exe	87
PID 1640 wrote to memory of 2324	1640	Kcapicdj.exe	88
PID 1640 wrote to memory of 2324	1640	Kcapicdj.exe	88
PID 1640 wrote to memory of 2324	1640	Kcapicdj.exe	88
PID 2324 wrote to memory of 3700	2324	Lpepbgbd.exe	89
PID 2324 wrote to memory of 3700	2324	Lpepbgbd.exe	89
PID 2324 wrote to memory of 3700	2324	Lpepbgbd.exe	89
PID 3700 wrote to memory of 3252	3700	Lpgmhg32.exe	90
PID 3700 wrote to memory of 3252	3700	Lpgmhg32.exe	90
PID 3700 wrote to memory of 3252	3700	Lpgmhg32.exe	90
PID 3252 wrote to memory of 2584	3252	Ljpaqmgb.exe	91
PID 3252 wrote to memory of 2584	3252	Ljpaqmgb.exe	91
PID 3252 wrote to memory of 2584	3252	Ljpaqmgb.exe	91
PID 2584 wrote to memory of 4744	2584	Lakfeodm.exe	92
PID 2584 wrote to memory of 4744	2584	Lakfeodm.exe	92
PID 2584 wrote to memory of 4744	2584	Lakfeodm.exe	92
PID 4744 wrote to memory of 4772	4744	Loofnccf.exe	93
PID 4744 wrote to memory of 4772	4744	Loofnccf.exe	93
PID 4744 wrote to memory of 4772	4744	Loofnccf.exe	93
PID 4772 wrote to memory of 4688	4772	Llcghg32.exe	94
PID 4772 wrote to memory of 4688	4772	Llcghg32.exe	94
PID 4772 wrote to memory of 4688	4772	Llcghg32.exe	94
PID 4688 wrote to memory of 2216	4688	Lcmodajm.exe	95
PID 4688 wrote to memory of 2216	4688	Lcmodajm.exe	95
PID 4688 wrote to memory of 2216	4688	Lcmodajm.exe	95
PID 2216 wrote to memory of 3552	2216	Modpib32.exe	96
PID 2216 wrote to memory of 3552	2216	Modpib32.exe	96
PID 2216 wrote to memory of 3552	2216	Modpib32.exe	96
PID 3552 wrote to memory of 4376	3552	Mlhqcgnk.exe	97
PID 3552 wrote to memory of 4376	3552	Mlhqcgnk.exe	97
PID 3552 wrote to memory of 4376	3552	Mlhqcgnk.exe	97
PID 4376 wrote to memory of 2520	4376	Mhoahh32.exe	98
PID 4376 wrote to memory of 2520	4376	Mhoahh32.exe	98
PID 4376 wrote to memory of 2520	4376	Mhoahh32.exe	98
PID 2520 wrote to memory of 1768	2520	Mqhfoebo.exe	99
PID 2520 wrote to memory of 1768	2520	Mqhfoebo.exe	99
PID 2520 wrote to memory of 1768	2520	Mqhfoebo.exe	99
PID 1768 wrote to memory of 2396	1768	Mlofcf32.exe	100
PID 1768 wrote to memory of 2396	1768	Mlofcf32.exe	100
PID 1768 wrote to memory of 2396	1768	Mlofcf32.exe	100
PID 2396 wrote to memory of 3816	2396	Njbgmjgl.exe	101
PID 2396 wrote to memory of 3816	2396	Njbgmjgl.exe	101
PID 2396 wrote to memory of 3816	2396	Njbgmjgl.exe	101
PID 3816 wrote to memory of 2120	3816	Nbnlaldg.exe	102
PID 3816 wrote to memory of 2120	3816	Nbnlaldg.exe	102
PID 3816 wrote to memory of 2120	3816	Nbnlaldg.exe	102
PID 2120 wrote to memory of 1824	2120	Ncmhko32.exe	103
PID 2120 wrote to memory of 1824	2120	Ncmhko32.exe	103
PID 2120 wrote to memory of 1824	2120	Ncmhko32.exe	103
PID 1824 wrote to memory of 1684	1824	Nmhijd32.exe	104
PID 1824 wrote to memory of 1684	1824	Nmhijd32.exe	104
PID 1824 wrote to memory of 1684	1824	Nmhijd32.exe	104
PID 1684 wrote to memory of 1332	1684	Nmjfodne.exe	105
PID 1684 wrote to memory of 1332	1684	Nmjfodne.exe	105
PID 1684 wrote to memory of 1332	1684	Nmjfodne.exe	105
PID 1332 wrote to memory of 1972	1332	Ommceclc.exe	106
PID 1332 wrote to memory of 1972	1332	Ommceclc.exe	106
PID 1332 wrote to memory of 1972	1332	Ommceclc.exe	106
PID 1972 wrote to memory of 2176	1972	Omopjcjp.exe	107
PID 1972 wrote to memory of 2176	1972	Omopjcjp.exe	107
PID 1972 wrote to memory of 2176	1972	Omopjcjp.exe	107
PID 2176 wrote to memory of 3376	2176	Ofgdcipq.exe	109

C:\Users\Admin\AppData\Local\Temp\VirusSign.2023.11.29\03d5f6bace8c6a0a2d14ef775d3c02d1.exe
"C:\Users\Admin\AppData\Local\Temp\VirusSign.2023.11.29\03d5f6bace8c6a0a2d14ef775d3c02d1.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4424
- C:\Windows\SysWOW64\Kcapicdj.exe
  C:\Windows\system32\Kcapicdj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Windows\SysWOW64\Lpepbgbd.exe
    C:\Windows\system32\Lpepbgbd.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2324
  - - C:\Windows\SysWOW64\Lpgmhg32.exe
      C:\Windows\system32\Lpgmhg32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3700
    - - C:\Windows\SysWOW64\Ljpaqmgb.exe
        
        C:\Windows\system32\Ljpaqmgb.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3252
      - C:\Windows\SysWOW64\Lakfeodm.exe
        
        C:\Windows\system32\Lakfeodm.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SysWOW64\Loofnccf.exe
        
        C:\Windows\system32\Loofnccf.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4744
        
        C:\Windows\SysWOW64\Llcghg32.exe
        
        C:\Windows\system32\Llcghg32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4772
        
        C:\Windows\SysWOW64\Lcmodajm.exe
        
        C:\Windows\system32\Lcmodajm.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4688
        
        C:\Windows\SysWOW64\Modpib32.exe
        
        C:\Windows\system32\Modpib32.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SysWOW64\Mlhqcgnk.exe
        
        C:\Windows\system32\Mlhqcgnk.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3552
        
        C:\Windows\SysWOW64\Mhoahh32.exe
        
        C:\Windows\system32\Mhoahh32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Windows\SysWOW64\Mqhfoebo.exe
        
        C:\Windows\system32\Mqhfoebo.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\SysWOW64\Mlofcf32.exe
        
        C:\Windows\system32\Mlofcf32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\SysWOW64\Njbgmjgl.exe
        
        C:\Windows\system32\Njbgmjgl.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\SysWOW64\Nbnlaldg.exe
        
        C:\Windows\system32\Nbnlaldg.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3816
        
        C:\Windows\SysWOW64\Ncmhko32.exe
        
        C:\Windows\system32\Ncmhko32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\SysWOW64\Nmhijd32.exe
        
        C:\Windows\system32\Nmhijd32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\SysWOW64\Nmjfodne.exe
        
        C:\Windows\system32\Nmjfodne.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\SysWOW64\Ommceclc.exe
        
        C:\Windows\system32\Ommceclc.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Windows\SysWOW64\Omopjcjp.exe
        
        C:\Windows\system32\Omopjcjp.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\SysWOW64\Ofgdcipq.exe
        
        C:\Windows\system32\Ofgdcipq.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\SysWOW64\Oqoefand.exe
        
        C:\Windows\system32\Oqoefand.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3376
        
        C:\Windows\SysWOW64\Opbean32.exe
        
        C:\Windows\system32\Opbean32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:892
        
        C:\Windows\SysWOW64\Pjjfdfbb.exe
        
        C:\Windows\system32\Pjjfdfbb.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3808
        
        C:\Windows\SysWOW64\Piocecgj.exe
        
        C:\Windows\system32\Piocecgj.exe
        26⤵
        Executes dropped EXE
        
        PID:3436
        
        C:\Windows\SysWOW64\Pbhgoh32.exe
        
        C:\Windows\system32\Pbhgoh32.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2792
        
        C:\Windows\SysWOW64\Pplhhm32.exe
        
        C:\Windows\system32\Pplhhm32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3360
        
        C:\Windows\SysWOW64\Ppnenlka.exe
        
        C:\Windows\system32\Ppnenlka.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\Qclmck32.exe
        
        C:\Windows\system32\Qclmck32.exe
        30⤵
        Executes dropped EXE
        
        PID:1860
        
        C:\Windows\SysWOW64\Qiiflaoo.exe
        
        C:\Windows\system32\Qiiflaoo.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:376
        
        C:\Windows\SysWOW64\Amfobp32.exe
        
        C:\Windows\system32\Amfobp32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3772
        
        C:\Windows\SysWOW64\Aimogakj.exe
        
        C:\Windows\system32\Aimogakj.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2004
        
        C:\Windows\SysWOW64\Acccdj32.exe
        
        C:\Windows\system32\Acccdj32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2172
        
        C:\Windows\SysWOW64\Amkhmoap.exe
        
        C:\Windows\system32\Amkhmoap.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2816
        
        C:\Windows\SysWOW64\Abhqefpg.exe
        
        C:\Windows\system32\Abhqefpg.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4608
        
        C:\Windows\SysWOW64\Amnebo32.exe
        
        C:\Windows\system32\Amnebo32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4640
        
        C:\Windows\SysWOW64\Adgmoigj.exe
        
        C:\Windows\system32\Adgmoigj.exe
        38⤵
        Executes dropped EXE
        
        PID:3764
        
        C:\Windows\SysWOW64\Aidehpea.exe
        
        C:\Windows\system32\Aidehpea.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:64
        
        C:\Windows\SysWOW64\Abmjqe32.exe
        
        C:\Windows\system32\Abmjqe32.exe
        40⤵
        Executes dropped EXE
        
        PID:3960
        
        C:\Windows\SysWOW64\Banjnm32.exe
        
        C:\Windows\system32\Banjnm32.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1476
        
        C:\Windows\SysWOW64\Bfkbfd32.exe
        
        C:\Windows\system32\Bfkbfd32.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2912
        
        C:\Windows\SysWOW64\Bapgdm32.exe
        
        C:\Windows\system32\Bapgdm32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:444
        
        C:\Windows\SysWOW64\Bkkhbb32.exe
        
        C:\Windows\system32\Bkkhbb32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4980
        
        C:\Windows\SysWOW64\Bphqji32.exe
        
        C:\Windows\system32\Bphqji32.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4832
        
        C:\Windows\SysWOW64\Bagmdllg.exe
        
        C:\Windows\system32\Bagmdllg.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4044
        
        C:\Windows\SysWOW64\Cmnnimak.exe
        
        C:\Windows\system32\Cmnnimak.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:452
        
        C:\Windows\SysWOW64\Cdhffg32.exe
        
        C:\Windows\system32\Cdhffg32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3520
        
        C:\Windows\SysWOW64\Cmpjoloh.exe
        
        C:\Windows\system32\Cmpjoloh.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1504
        
        C:\Windows\SysWOW64\Ccmcgcmp.exe
        
        C:\Windows\system32\Ccmcgcmp.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4596
        
        C:\Windows\SysWOW64\Cancekeo.exe
        
        C:\Windows\system32\Cancekeo.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4724
        
        C:\Windows\SysWOW64\Cgklmacf.exe
        
        C:\Windows\system32\Cgklmacf.exe
        52⤵
        Executes dropped EXE
        
        PID:1512
        
        C:\Windows\SysWOW64\Cmedjl32.exe
        
        C:\Windows\system32\Cmedjl32.exe
        53⤵
        Executes dropped EXE
        
        PID:2208
        
        C:\Windows\SysWOW64\Ckidcpjl.exe
        
        C:\Windows\system32\Ckidcpjl.exe
        54⤵
        Executes dropped EXE
        
        PID:776
        
        C:\Windows\SysWOW64\Cacmpj32.exe
        
        C:\Windows\system32\Cacmpj32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:684
        
        C:\Windows\SysWOW64\Dgpeha32.exe
        
        C:\Windows\system32\Dgpeha32.exe
        56⤵
        Executes dropped EXE
        
        PID:3136
        
        C:\Windows\SysWOW64\Daeifj32.exe
        
        C:\Windows\system32\Daeifj32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1808
        
        C:\Windows\SysWOW64\Dcffnbee.exe
        
        C:\Windows\system32\Dcffnbee.exe
        58⤵
        Executes dropped EXE
        
        PID:408
        
        C:\Windows\SysWOW64\Dnljkk32.exe
        
        C:\Windows\system32\Dnljkk32.exe
        59⤵
        Executes dropped EXE
        
        PID:4580
        
        C:\Windows\SysWOW64\Dcibca32.exe
        
        C:\Windows\system32\Dcibca32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1676
        
        C:\Windows\SysWOW64\Dkpjdo32.exe
        
        C:\Windows\system32\Dkpjdo32.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Dnngpj32.exe
        
        C:\Windows\system32\Dnngpj32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3468
        
        C:\Windows\SysWOW64\Ddhomdje.exe
        
        C:\Windows\system32\Ddhomdje.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2512
        
        C:\Windows\SysWOW64\Dnqcfjae.exe
        
        C:\Windows\system32\Dnqcfjae.exe
        64⤵
        Executes dropped EXE
        
        PID:4368
        
        C:\Windows\SysWOW64\Dalofi32.exe
        
        C:\Windows\system32\Dalofi32.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:456
        
        C:\Windows\SysWOW64\Ddklbd32.exe
        
        C:\Windows\system32\Ddklbd32.exe
        66⤵
        Modifies registry class
        
        PID:3792
        
        C:\Windows\SysWOW64\Dkedonpo.exe
        
        C:\Windows\system32\Dkedonpo.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2480
        
        C:\Windows\SysWOW64\Djgdkk32.exe
        
        C:\Windows\system32\Djgdkk32.exe
        68⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\Daollh32.exe
        
        C:\Windows\system32\Daollh32.exe
        69⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\Dcphdqmj.exe
        
        C:\Windows\system32\Dcphdqmj.exe
        70⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\Enemaimp.exe
        
        C:\Windows\system32\Enemaimp.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2040
        
        C:\Windows\SysWOW64\Epdime32.exe
        
        C:\Windows\system32\Epdime32.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4032
        
        C:\Windows\SysWOW64\Edaaccbj.exe
        
        C:\Windows\system32\Edaaccbj.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:3956
        
        C:\Windows\SysWOW64\Ephbhd32.exe
        
        C:\Windows\system32\Ephbhd32.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:4260
        
        C:\Windows\SysWOW64\Ejagaj32.exe
        
        C:\Windows\system32\Ejagaj32.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2956
        
        C:\Windows\SysWOW64\Eqkondfl.exe
        
        C:\Windows\system32\Eqkondfl.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3628
        
        C:\Windows\SysWOW64\Ecikjoep.exe
        
        C:\Windows\system32\Ecikjoep.exe
        77⤵
        Modifies registry class
        
        PID:976
        
        C:\Windows\SysWOW64\Enopghee.exe
        
        C:\Windows\system32\Enopghee.exe
        78⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\Fggdpnkf.exe
        
        C:\Windows\system32\Fggdpnkf.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:752
        
        C:\Windows\SysWOW64\Fcneeo32.exe
        
        C:\Windows\system32\Fcneeo32.exe
        80⤵
        Modifies registry class
        
        PID:1188
        
        C:\Windows\SysWOW64\Fboecfii.exe
        
        C:\Windows\system32\Fboecfii.exe
        81⤵
        
        PID:540
        
        C:\Windows\SysWOW64\Fbaahf32.exe
        
        C:\Windows\system32\Fbaahf32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1444
        
        C:\Windows\SysWOW64\Fgnjqm32.exe
        
        C:\Windows\system32\Fgnjqm32.exe
        83⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Fkjfakng.exe
        
        C:\Windows\system32\Fkjfakng.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5168
        
        C:\Windows\SysWOW64\Fnhbmgmk.exe
        
        C:\Windows\system32\Fnhbmgmk.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5208
        
        C:\Windows\SysWOW64\Fnjocf32.exe
        
        C:\Windows\system32\Fnjocf32.exe
        86⤵
        Drops file in System32 directory
        
        PID:5248
        
        C:\Windows\SysWOW64\Gnmlhf32.exe
        
        C:\Windows\system32\Gnmlhf32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Gjcmngnj.exe
        
        C:\Windows\system32\Gjcmngnj.exe
        88⤵
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Gdiakp32.exe
        
        C:\Windows\system32\Gdiakp32.exe
        89⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\Gnaecedp.exe
        
        C:\Windows\system32\Gnaecedp.exe
        90⤵
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Gdknpp32.exe
        
        C:\Windows\system32\Gdknpp32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5432
        
        C:\Windows\SysWOW64\Gndbie32.exe
        
        C:\Windows\system32\Gndbie32.exe
        92⤵
        Modifies registry class
        
        PID:5468
        
        C:\Windows\SysWOW64\Gdnjfojj.exe
        
        C:\Windows\system32\Gdnjfojj.exe
        93⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5504
        
        C:\Windows\SysWOW64\Gkhbbi32.exe
        
        C:\Windows\system32\Gkhbbi32.exe
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5540
        
        C:\Windows\SysWOW64\Gbbkocid.exe
        
        C:\Windows\system32\Gbbkocid.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5576
        
        C:\Windows\SysWOW64\Hgocgjgk.exe
        
        C:\Windows\system32\Hgocgjgk.exe
        96⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\Hkmlnimb.exe
        
        C:\Windows\system32\Hkmlnimb.exe
        97⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\Hgcmbj32.exe
        
        C:\Windows\system32\Hgcmbj32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5688
        
        C:\Windows\SysWOW64\Hnmeodjc.exe
        
        C:\Windows\system32\Hnmeodjc.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5724
        
        C:\Windows\SysWOW64\Hcjmhk32.exe
        
        C:\Windows\system32\Hcjmhk32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5760
        
        C:\Windows\SysWOW64\Hnpaec32.exe
        
        C:\Windows\system32\Hnpaec32.exe
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:5796
        
        C:\Windows\SysWOW64\Hannao32.exe
        
        C:\Windows\system32\Hannao32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5832
        
        C:\Windows\SysWOW64\Hcljmj32.exe
        
        C:\Windows\system32\Hcljmj32.exe
        103⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\Hnbnjc32.exe
        
        C:\Windows\system32\Hnbnjc32.exe
        104⤵
        Modifies registry class
        
        PID:5908
        
        C:\Windows\SysWOW64\Ielfgmnj.exe
        
        C:\Windows\system32\Ielfgmnj.exe
        105⤵
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\Ilfodgeg.exe
        
        C:\Windows\system32\Ilfodgeg.exe
        106⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\Ibpgqa32.exe
        
        C:\Windows\system32\Ibpgqa32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6016
        
        C:\Windows\SysWOW64\Iencmm32.exe
        
        C:\Windows\system32\Iencmm32.exe
        108⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\Icachjbb.exe
        
        C:\Windows\system32\Icachjbb.exe
        109⤵
        Modifies registry class
        
        PID:6088
        
        C:\Windows\SysWOW64\Ilhkigcd.exe
        
        C:\Windows\system32\Ilhkigcd.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6124
        
        C:\Windows\SysWOW64\Ilkhog32.exe
        
        C:\Windows\system32\Ilkhog32.exe
        111⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\Ibdplaho.exe
        
        C:\Windows\system32\Ibdplaho.exe
        112⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\Iagqgn32.exe
        
        C:\Windows\system32\Iagqgn32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5200
        
        C:\Windows\SysWOW64\Ijpepcfj.exe
        
        C:\Windows\system32\Ijpepcfj.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5188
        
        C:\Windows\SysWOW64\Ibgmaqfl.exe
        
        C:\Windows\system32\Ibgmaqfl.exe
        115⤵
        System Location Discovery: System Language Discovery
        
        PID:5276
        
        C:\Windows\SysWOW64\Ihceigec.exe
        
        C:\Windows\system32\Ihceigec.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Jnnnfalp.exe
        
        C:\Windows\system32\Jnnnfalp.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5416
        
        C:\Windows\SysWOW64\Jaljbmkd.exe
        
        C:\Windows\system32\Jaljbmkd.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5480
        
        C:\Windows\SysWOW64\Jjdokb32.exe
        
        C:\Windows\system32\Jjdokb32.exe
        119⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\Jejbhk32.exe
        
        C:\Windows\system32\Jejbhk32.exe
        120⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\Jhhodg32.exe
        
        C:\Windows\system32\Jhhodg32.exe
        121⤵
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Jjgkab32.exe
        
        C:\Windows\system32\Jjgkab32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5736
        
        C:\Windows\SysWOW64\Jdopjh32.exe
        
        C:\Windows\system32\Jdopjh32.exe
        123⤵
        Drops file in System32 directory
        
        PID:5804
        
        C:\Windows\SysWOW64\Jjihfbno.exe
        
        C:\Windows\system32\Jjihfbno.exe
        124⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\Jeolckne.exe
        
        C:\Windows\system32\Jeolckne.exe
        125⤵
        Modifies registry class
        
        PID:5940
        
        C:\Windows\SysWOW64\Jlidpe32.exe
        
        C:\Windows\system32\Jlidpe32.exe
        126⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Jogqlpde.exe
        
        C:\Windows\system32\Jogqlpde.exe
        127⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6064
        
        C:\Windows\SysWOW64\Jaemilci.exe
        
        C:\Windows\system32\Jaemilci.exe
        128⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\Jhoeef32.exe
        
        C:\Windows\system32\Jhoeef32.exe
        129⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\Keceoj32.exe
        
        C:\Windows\system32\Keceoj32.exe
        130⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\Klmnkdal.exe
        
        C:\Windows\system32\Klmnkdal.exe
        131⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Koljgppp.exe
        
        C:\Windows\system32\Koljgppp.exe
        132⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Kefbdjgm.exe
        
        C:\Windows\system32\Kefbdjgm.exe
        133⤵
        Drops file in System32 directory
        
        PID:5520
        
        C:\Windows\SysWOW64\Klpjad32.exe
        
        C:\Windows\system32\Klpjad32.exe
        134⤵
        Modifies registry class
        
        PID:5648
        
        C:\Windows\SysWOW64\Kalcik32.exe
        
        C:\Windows\system32\Kalcik32.exe
        135⤵
        Drops file in System32 directory
        
        PID:5752
        
        C:\Windows\SysWOW64\Kdkoef32.exe
        
        C:\Windows\system32\Kdkoef32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5844
        
        C:\Windows\SysWOW64\Klbgfc32.exe
        
        C:\Windows\system32\Klbgfc32.exe
        137⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\Kopcbo32.exe
        
        C:\Windows\system32\Kopcbo32.exe
        138⤵
        Drops file in System32 directory
        
        PID:6080
        
        C:\Windows\SysWOW64\Kocphojh.exe
        
        C:\Windows\system32\Kocphojh.exe
        139⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\Kemhei32.exe
        
        C:\Windows\system32\Kemhei32.exe
        140⤵
        System Location Discovery: System Language Discovery
        
        PID:5312
        
        C:\Windows\SysWOW64\Khkdad32.exe
        
        C:\Windows\system32\Khkdad32.exe
        141⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5536
        
        C:\Windows\SysWOW64\Lbqinm32.exe
        
        C:\Windows\system32\Lbqinm32.exe
        142⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5732
        
        C:\Windows\SysWOW64\Leoejh32.exe
        
        C:\Windows\system32\Leoejh32.exe
        143⤵
        Drops file in System32 directory
        
        PID:5960
        
        C:\Windows\SysWOW64\Lklnconj.exe
        
        C:\Windows\system32\Lklnconj.exe
        144⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Laffpi32.exe
        
        C:\Windows\system32\Laffpi32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5372
        
        C:\Windows\SysWOW64\Lddble32.exe
        
        C:\Windows\system32\Lddble32.exe
        146⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\Lojfin32.exe
        
        C:\Windows\system32\Lojfin32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Lhbkac32.exe
        
        C:\Windows\system32\Lhbkac32.exe
        148⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\Lolcnman.exe
        
        C:\Windows\system32\Lolcnman.exe
        149⤵
        Drops file in System32 directory
        
        PID:5216
        
        C:\Windows\SysWOW64\Lajokiaa.exe
        
        C:\Windows\system32\Lajokiaa.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5196
        
        C:\Windows\SysWOW64\Llpchaqg.exe
        
        C:\Windows\system32\Llpchaqg.exe
        151⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\Lamlphoo.exe
        
        C:\Windows\system32\Lamlphoo.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6196
        
        C:\Windows\SysWOW64\Lhgdmb32.exe
        
        C:\Windows\system32\Lhgdmb32.exe
        153⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\Mkepineo.exe
        
        C:\Windows\system32\Mkepineo.exe
        154⤵
        System Location Discovery: System Language Discovery
        
        PID:6280
        
        C:\Windows\SysWOW64\Mclhjkfa.exe
        
        C:\Windows\system32\Mclhjkfa.exe
        155⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6316
        
        C:\Windows\SysWOW64\Mdnebc32.exe
        
        C:\Windows\system32\Mdnebc32.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6356
        
        C:\Windows\SysWOW64\Mcoepkdo.exe
        
        C:\Windows\system32\Mcoepkdo.exe
        157⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6392
        
        C:\Windows\SysWOW64\Maaekg32.exe
        
        C:\Windows\system32\Maaekg32.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6432
        
        C:\Windows\SysWOW64\Mhknhabf.exe
        
        C:\Windows\system32\Mhknhabf.exe
        159⤵
        Modifies registry class
        
        PID:6464
        
        C:\Windows\SysWOW64\Madbagif.exe
        
        C:\Windows\system32\Madbagif.exe
        160⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6504
        
        C:\Windows\SysWOW64\Mlifnphl.exe
        
        C:\Windows\system32\Mlifnphl.exe
        161⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6544
        
        C:\Windows\SysWOW64\Mddkbbfg.exe
        
        C:\Windows\system32\Mddkbbfg.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6580
        
        C:\Windows\SysWOW64\Mojopk32.exe
        
        C:\Windows\system32\Mojopk32.exe
        163⤵
        Drops file in System32 directory
        
        PID:6620
        
        C:\Windows\SysWOW64\Mdghhb32.exe
        
        C:\Windows\system32\Mdghhb32.exe
        164⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6656
        
        C:\Windows\SysWOW64\Nhbciqln.exe
        
        C:\Windows\system32\Nhbciqln.exe
        165⤵
        Drops file in System32 directory
        
        PID:6696
        
        C:\Windows\SysWOW64\Nchhfild.exe
        
        C:\Windows\system32\Nchhfild.exe
        166⤵
        Modifies registry class
        
        PID:6736
        
        C:\Windows\SysWOW64\Nlqloo32.exe
        
        C:\Windows\system32\Nlqloo32.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6772
        
        C:\Windows\SysWOW64\Nooikj32.exe
        
        C:\Windows\system32\Nooikj32.exe
        168⤵
        Modifies registry class
        
        PID:6812
        
        C:\Windows\SysWOW64\Nhgmcp32.exe
        
        C:\Windows\system32\Nhgmcp32.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6848
        
        C:\Windows\SysWOW64\Noaeqjpe.exe
        
        C:\Windows\system32\Noaeqjpe.exe
        170⤵
        
        PID:6888
        
        C:\Windows\SysWOW64\Ndnnianm.exe
        
        C:\Windows\system32\Ndnnianm.exe
        171⤵
        Drops file in System32 directory
        
        PID:6924
        
        C:\Windows\SysWOW64\Nlefjnno.exe
        
        C:\Windows\system32\Nlefjnno.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6960
        
        C:\Windows\SysWOW64\Nfnjbdep.exe
        
        C:\Windows\system32\Nfnjbdep.exe
        173⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\Nkjckkcg.exe
        
        C:\Windows\system32\Nkjckkcg.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7036
        
        C:\Windows\SysWOW64\Odbgdp32.exe
        
        C:\Windows\system32\Odbgdp32.exe
        175⤵
        Modifies registry class
        
        PID:7080
        
        C:\Windows\SysWOW64\Oohkai32.exe
        
        C:\Windows\system32\Oohkai32.exe
        176⤵
        Modifies registry class
        
        PID:7116
        
        C:\Windows\SysWOW64\Ofbdncaj.exe
        
        C:\Windows\system32\Ofbdncaj.exe
        177⤵
        System Location Discovery: System Language Discovery
        
        PID:7152
        
        C:\Windows\SysWOW64\Ollljmhg.exe
        
        C:\Windows\system32\Ollljmhg.exe
        178⤵
        
        PID:6172
        
        C:\Windows\SysWOW64\Obidcdfo.exe
        
        C:\Windows\system32\Obidcdfo.exe
        179⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\Ohcmpn32.exe
        
        C:\Windows\system32\Ohcmpn32.exe
        180⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\Odjmdocp.exe
        
        C:\Windows\system32\Odjmdocp.exe
        181⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\Oheienli.exe
        
        C:\Windows\system32\Oheienli.exe
        182⤵
        Modifies registry class
        
        PID:6440
        
        C:\Windows\SysWOW64\Okceaikl.exe
        
        C:\Windows\system32\Okceaikl.exe
        183⤵
        System Location Discovery: System Language Discovery
        
        PID:6500
        
        C:\Windows\SysWOW64\Omcbkl32.exe
        
        C:\Windows\system32\Omcbkl32.exe
        184⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\Obpkcc32.exe
        
        C:\Windows\system32\Obpkcc32.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6648
        
        C:\Windows\SysWOW64\Oflfdbip.exe
        
        C:\Windows\system32\Oflfdbip.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6708
        
        C:\Windows\SysWOW64\Pfncia32.exe
        
        C:\Windows\system32\Pfncia32.exe
        187⤵
        System Location Discovery: System Language Discovery
        
        PID:6768
        
        C:\Windows\SysWOW64\Pilpfm32.exe
        
        C:\Windows\system32\Pilpfm32.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6840
        
        C:\Windows\SysWOW64\Pbddobla.exe
        
        C:\Windows\system32\Pbddobla.exe
        189⤵
        
        PID:6244
        
        C:\Windows\SysWOW64\Pecpknke.exe
        
        C:\Windows\system32\Pecpknke.exe
        190⤵
        Modifies registry class
        
        PID:6968
        
        C:\Windows\SysWOW64\Poidhg32.exe
        
        C:\Windows\system32\Poidhg32.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7028
        
        C:\Windows\SysWOW64\Pfbmdabh.exe
        
        C:\Windows\system32\Pfbmdabh.exe
        192⤵
        System Location Discovery: System Language Discovery
        
        PID:7100
        
        C:\Windows\SysWOW64\Peempn32.exe
        
        C:\Windows\system32\Peempn32.exe
        193⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\Pfeijqqe.exe
        
        C:\Windows\system32\Pfeijqqe.exe
        194⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6220
        
        C:\Windows\SysWOW64\Piceflpi.exe
        
        C:\Windows\system32\Piceflpi.exe
        195⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6328
        
        C:\Windows\SysWOW64\Pcijce32.exe
        
        C:\Windows\system32\Pcijce32.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6444
        
        C:\Windows\SysWOW64\Qejfkmem.exe
        
        C:\Windows\system32\Qejfkmem.exe
        197⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\Qppkhfec.exe
        
        C:\Windows\system32\Qppkhfec.exe
        198⤵
        Modifies registry class
        
        PID:6684
        
        C:\Windows\SysWOW64\Qfjcep32.exe
        
        C:\Windows\system32\Qfjcep32.exe
        199⤵
        Modifies registry class
        
        PID:6808
        
        C:\Windows\SysWOW64\Qpbgnecp.exe
        
        C:\Windows\system32\Qpbgnecp.exe
        200⤵
        
        PID:6916
        
        C:\Windows\SysWOW64\Abpcja32.exe
        
        C:\Windows\system32\Abpcja32.exe
        201⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\Akihcfid.exe
        
        C:\Windows\system32\Akihcfid.exe
        202⤵
        
        PID:7132
        
        C:\Windows\SysWOW64\Acppddig.exe
        
        C:\Windows\system32\Acppddig.exe
        203⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\Aealll32.exe
        
        C:\Windows\system32\Aealll32.exe
        204⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6424
        
        C:\Windows\SysWOW64\Amhdmi32.exe
        
        C:\Windows\system32\Amhdmi32.exe
        205⤵
        
        PID:6616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aimogakj.exe

Filesize
371KB

MD5
4f62448ac8260e50f2d1ef6df04a64b0

SHA1
b74003db83355a957120105e2172705a22ccb74a

SHA256
045f9d23e8a45e3f55b3d90f7190323cfd2e1a449567d3798d047501de670873

SHA512
24a122c55cefe466f7495e634cf74c4b78b9c5a04d50c87d67ac81e3bfe2a6a0752e35f90bf3d7c3afb1ea65bbb505604b2e884f9d161c32b4304afe07775b74

Download Submit
C:\Windows\SysWOW64\Amfobp32.exe

Filesize
371KB

MD5
6b56ac4ee2422a5b3705bd34ca015758

SHA1
6f848fb7886cf8a3b7bd1779a2a56369668d1ca2

SHA256
58d6332367ba3623ae1823fda8c0096036af1698b3c262f928c8d72ec0da0399

SHA512
2afe054a2e61cf693977437649ac3436506ef0fd8615b99fb7c8e85ff6c5910f1e615246b9c7ad757105a33fdae0ba8ad237fc24106303d97cedc0c5f8744eb1

Download Submit
C:\Windows\SysWOW64\Hnekbm32.dll

Filesize
7KB

MD5
9195f54060d9414492b4523288add4d5

SHA1
c1539f7065000b094aa55887df1f061be7db495f

SHA256
d7b8b1dc8e8cccb7d6a626b5c796e54d8ed6332b84f434c9857b33ca63c15ca2

SHA512
feb5e59dff3e7db2810ecfd5399aeba0e8c20acf6191f42dd1ed4622c79f155eaee2afa6b86e99041a8fc1c7421ba67f5d9a013c82e1f91a9f2d7a52e2d81fe4

Download Submit
C:\Windows\SysWOW64\Kcapicdj.exe

Filesize
371KB

MD5
f65712214db07d8d7e210029a4b519e6

SHA1
1395b9ed43d3e63b1ad2671b5dae82729211b057

SHA256
ed1960d426a498e27535b958fd9bec3e74ca38c836f01e369d485ffccff5f327

SHA512
ad56260b42a7b02eaf0b1a1dfb04833babaa3156666f344e6d8abf897da298d2d5cf5b37a40d4ec96cf0aead281b8222b5a7c4c59f0541234b8312398150c151

Download Submit
C:\Windows\SysWOW64\Lakfeodm.exe

Filesize
371KB

MD5
bb43cf9f099ea80a57bb091e70122195

SHA1
60e66aa072d162c0082019f8e65aa386f4664fb7

SHA256
3bc0275dbadc02ee5e3c9bb040f76e8156800afca65d5a3f517b38a61413cdcb

SHA512
83e2929b6df772c907f17df7b611912c56c5c2438c0d2436e15033a3ff5849fe6886d741e347eeaa6b8e56635b4550ffde24417e567979c6aed95ed746aed4a4

Download Submit
C:\Windows\SysWOW64\Lcmodajm.exe

Filesize
371KB

MD5
31c4edc9312a8eafc899018274509389

SHA1
7727b4d9ec47e01b986a985d28ae099d5e010c10

SHA256
1a14716a6235d7d13a566d87647f312064f1d9b61e1c6dc3d1a20a25ae6d380a

SHA512
dd62d43cad7b0b812aae3c95186574c01e133a299d1a829b4dd5863e424b397ba07e4bf5e071384c65152da9f70f6f9a3935afa8731b71bebb268c3dc52a50c7

Download Submit
C:\Windows\SysWOW64\Ljpaqmgb.exe

Filesize
371KB

MD5
f1e1bed76b06b1f4b33512698e8aa2e0

SHA1
6bd140204f41ffc21c933b7153aa2291c24c2af6

SHA256
6f248b9d6bf2a9c2810d21d3383e746c85be361224b2871d5dc3d2b1d89a36ef

SHA512
f6f26327bcd539826ecc68871ff4af96e8303d8fea6cedb15323958af4eef22b1f8ca6163d0a269966d5974cc6467c122e24934476f9bb18d68fba4e8ccd0962

Download Submit
C:\Windows\SysWOW64\Llcghg32.exe

Filesize
371KB

MD5
8a1e1aa61e9a8079612fe55faa53b50a

SHA1
ffeba976c7d7b602f07ec0bd212590e74817e675

SHA256
d98ac6923b11a7a21018f35ad1c491389c892b28c5a50a430458e7d957e9dd47

SHA512
58f6904edfc8f9dc4c692515a1e1fe36b5e73c78c8db10cb9865bfcca39dffb95ec10f14ef5f04d1b34ef37645bd647b7a74505193cea09f9990187facf73190

Download Submit
C:\Windows\SysWOW64\Loofnccf.exe

Filesize
371KB

MD5
8c240a8212d52be0d25d4b6520e3ef36

SHA1
e84f0b1bccd4449e3481b6cb226d353ad71da8ff

SHA256
307c8af6e8c2c7280201af176a0119c718ed3326f0d211aabd746afaaa6f805f

SHA512
69ea995d8f165d324e31d7b36ffb68a4913e08d5f5a77c667c80378b79da8f8af736414ae8bb115a9b360b7e803a41287f69e7a8a6a3e921bdd0c37fbdca2c47

Download Submit
C:\Windows\SysWOW64\Lpepbgbd.exe

Filesize
371KB

MD5
3f5015cd68faa4e56adf3898baba61e2

SHA1
5c3bd7964676c812e021a2fcc649bc3e992c2f6c

SHA256
990fe4c9cfe18009838b8f0d843c9d2d5841c528ae1d08af37a2f526f14dcbad

SHA512
5f54255282e972442a749c3f9a3117b8535bdcaa994d9c374217c1b782e1377b8bd94083a2cc0b8706fe9299e8cb7bff1f374ce7f22bb39b1523831e5c15cded

Download Submit
C:\Windows\SysWOW64\Lpgmhg32.exe

Filesize
371KB

MD5
6eeb753f90f634ae0bed8062036b7521

SHA1
13549d9e8edb79dfa2a2989983f9d6c910360d1d

SHA256
6821649960bb082b89afe477357b4cbd4d736d6b7eaacc2a857d941bcdc7d068

SHA512
ab4b47fc8d8ae811c5c41b47623b770acf1699613ea04c367cb1c9a14ea24ee0b722e8ad533001f0681abeb305e4949b65ddc32806c8cec0ffa75737296c4afb

Download Submit
C:\Windows\SysWOW64\Mhoahh32.exe

Filesize
371KB

MD5
ed353a34d6e98b7e46ccb8bb0c4f9b5d

SHA1
32ea916cfe5e9f643c142dde802369d51fff359e

SHA256
129f9e9803ad9ab671a2abcb84d2f98a2a2c7f845fa6be9c92d60f117dcc7a44

SHA512
17747395de55d3eea219e8e3e72077e21ff785b0880d77c8b0377de05bafbaa083caf17e8f2dc3a8ca2d7d5f642ce51b88dfeca7fad59f7dc0e1bcc9c11b0c89

Download Submit
C:\Windows\SysWOW64\Mlhqcgnk.exe

Filesize
371KB

MD5
90fcd641543b3298685b42ba4752310c

SHA1
7e42cf29afdf5c2032f86417776406071a652640

SHA256
736a0529df60bef66d966f02f25805b2e48df4fa52f428f59b0bb47afc666a53

SHA512
f4e46ecec3aa56be7bc1a9880e21da1147b93e69cb00a90372c2b34e4b236f1e90c428cb432cc4f7bdb3ab40c4c90b3c772457fd157c8dd8f7bfc6549935e6dd

Download Submit
C:\Windows\SysWOW64\Mlofcf32.exe

Filesize
371KB

MD5
943c1c4404e2df0bdcc998afe030180c

SHA1
e50e9ffa98181c740de9e1f95f41066cda6c3e22

SHA256
f2b523b4012601c98924b41c94756ab57f77016a0158070894c3e8c32df1b170

SHA512
6aad8b7a8ad90a4460e24ca94da0b4143d4b91e865f26c17d6ddf5e8ff9526d6f53477c853b926ed36a44e9cf817e217b7d3a1d588467f14dc784f5a64346102

Download Submit
C:\Windows\SysWOW64\Modpib32.exe

Filesize
371KB

MD5
93e94c9b92400fe676bc113fb3dc03fd

SHA1
bb7273ba95afe9a2ccf08e55760695f8fd7aa026

SHA256
fd560a299035c1e2ab05f8940ddcc0de00d3ea102868d8541d7ff288750156e4

SHA512
60af693b1723f7b93fbc95c973adb09d031cddbb22ba36071661b0bda484b380fbcde661659abc68d599d84373ffc878ce0146583aa9dd57e73ddd8956abc6ba

Download Submit
C:\Windows\SysWOW64\Mqhfoebo.exe

Filesize
371KB

MD5
c404d2dd726b4f27c0b1d8c3b1e7dbc7

SHA1
38553dd3e9d7a6644d07651b1f413c26063b6a58

SHA256
25d9501ec163466532a0e958dd0dbdeeffb0c69ccb28c4bfcfc8bef795fa93dd

SHA512
c8e7499f56d87f8b41771139be0e51932a1da191ac677c1fdcf8867d4e377b0e304cdd09e44302b73ff92095093dbcba0c124f39b039f78ad2a7dd826e6dbf34

Download Submit
C:\Windows\SysWOW64\Nbnlaldg.exe

Filesize
371KB

MD5
8b8feced7f016be97ba8dba9a606784a

SHA1
f1e95de0748c88fbfe93d66a6d005aebb3cb678a

SHA256
49d36fd0f997edfbfb2892cc6c8c8683ab4c2e1951b27524acf5ba053fd6f881

SHA512
19d19c28be74d60ca0059f4d434d51649edc87e155c0d2135285d2c60e72deda55c141397e29ca28ab3c4907f381c3566c52f09b9e868bc6e9a981ec1120cce9

Download Submit
C:\Windows\SysWOW64\Ncmhko32.exe

Filesize
371KB

MD5
2b07205ac8f2efbbd3c2f0ea28a38d57

SHA1
84d5411c19881ff474436b9f071fbe42a5808dfd

SHA256
da418f54a60b1d5b709bd395b2265267ac9d6c7d49ac5382ebd00b291537963f

SHA512
b4c52e0427e310b5fdbc07f36218116ef1345a4256d83b400341faa1c38060f94cab7cf53fd464fb68b2e6d8abc7d41962797f7cd9e94c6a867e738c9ed83c7c

Download Submit
C:\Windows\SysWOW64\Njbgmjgl.exe

Filesize
371KB

MD5
78f4a60adb304cad48f5628824ce2c3b

SHA1
d1953f88986b582cb19694225e37dc8d41d76998

SHA256
f7bd8fb0bcebce84cbfd44240bd27ff3baf9da49bf9be4af89ebba6bf6c5b10b

SHA512
4fb5a650174161aa451c832604dea086ef3f46a885987c2d40a04e059c0b2c7c835f6e67c70e86adfb3385384b104a9d1ceb7eca35a77d65020e730cff912e16

Download Submit
C:\Windows\SysWOW64\Nmhijd32.exe

Filesize
371KB

MD5
617385e2a767c35666689da1d7180be5

SHA1
50a14524a770fce65041b65ff85630ee4a7679bb

SHA256
65a20c1285fa048bfa6b50037f8a0289d542845f9afd0a09c842161269b35d2f

SHA512
0d13a5a3af6d43132340310b763f7fdefba6eeec8daed038f65829c20d8bf7cd29f5a6e5590b73cab71580be7ec961d34e7bd9914dc70b9ec6c00c369b9ae078

Download Submit
C:\Windows\SysWOW64\Nmjfodne.exe

Filesize
371KB

MD5
1bf5d57b5f526d052b892ed8511877fd

SHA1
ba63521eb4341aa6555b666792a4c11d246bce86

SHA256
3e6e6447466c25bfea7802d1fc970bab02e896b05699cb2042a3634674c1a589

SHA512
dfbc1804f0a6197163f8515eebf4eeee17be777058783411f07e9bedb696c5cf7c1f35eeac6ae0eca24b6b33f8e7a058298e26df0937dc1d239ee270a43f537b

Download Submit
C:\Windows\SysWOW64\Ofgdcipq.exe

Filesize
371KB

MD5
1563f9cf921fcf745a4c447327108596

SHA1
5a4f65146c4baefc116ccf96ba991843a9c81d11

SHA256
d3c08bff75ed40f502ff4c3d9562986b309776e82a540e64f232bef07ac1801e

SHA512
cf4ee834d06613e1ce9f7337ebbad9d0f8bb4a6323f3220c620c0d9a1d421f264c483a81a796cce3998311eecd053df7a0e7f86ec583911e9722b7dcdb53438a

Download Submit
C:\Windows\SysWOW64\Ommceclc.exe

Filesize
371KB

MD5
711eafd2fda56e1b193a0bbea84e520b

SHA1
ec9ea0f1a26dde7c00bd06d602f9b2714b2200b0

SHA256
a41869b2e7e95069cbe3f6dcba2f85f20dd7f11bd4c0de9b3a6ea8ca0c0c5682

SHA512
444b074a989b002fe1410d0941ac2dd2f9d85ecb9729ded72aa65fd388d5399d4921d0b51ff6c31ed70c59990b7dab4a5d0b287d6d73e1d39a71c87d0d566d44

Download Submit
C:\Windows\SysWOW64\Omopjcjp.exe

Filesize
371KB

MD5
2d990356c937407347b5bf49a1386942

SHA1
848aa28a2a2db5e1d2f71c1a82f08ced9e6ec8eb

SHA256
25c593d68e48f91701a5ac4e0fca0b06d47f1aae30855b71ae21fd6f6d6ea126

SHA512
0c75a41aec7a90a8e78171dce0d40a3092f23007be78325676e1ddaf5ccf976414ce752b6f4153e7b75684651f25e58c77d0ac00c70ac84680ad001173c9d170

Download Submit
C:\Windows\SysWOW64\Opbean32.exe

Filesize
371KB

MD5
1b571afa69c4fc871b04daa3d8f12232

SHA1
a7c971b2e0eddeaa35fc0dbf072bcb037fdd10ec

SHA256
2d22fdbbd3921de70ab32dc2b9ad914600b9aa8e170bd62ac6996f15d38c7aa0

SHA512
084f48de2a052bdd9726b1cfbf874a38eb48f0dfe001c06286dce5deaaf3e05a53b21e447249c1c734b40a978516645bb8632551816019c9619dd67e127f3e87

Download Submit
C:\Windows\SysWOW64\Oqoefand.exe

Filesize
371KB

MD5
2693244c578a5c337688970faad80fc4

SHA1
c50d1aa191418b096b985e296942251460ec067c

SHA256
2ffecd837222bf217415a467013e8103376c0cf526b8657ad3559813b52a24d1

SHA512
844a93e39cc36eb17fd164ba85b981e4928b38f623ce50d407309017a3570e37eb7b9da167125ceccbe0341bd6639c7dd1e1d0495e3312bcdb890b9f3da5b211

Download Submit
C:\Windows\SysWOW64\Pbhgoh32.exe

Filesize
371KB

MD5
621b6496d95c1d17515b415341f9c11a

SHA1
e8b5b45abb05d8ca047ab8498ca5952ed67350fd

SHA256
f20298cc7206fb6a0b22105fad2e56829b4dd73f3dd69ff1f6eba0c2a7e925ab

SHA512
6d51203aea0780099753d6a0ee83ed43a348dba627cb97e324ec29eac91e520b78c2edba98c224e01b2e5ac319272bd18ecd5569fd5a16de796e4b9dae993e65

Download Submit
C:\Windows\SysWOW64\Piocecgj.exe

Filesize
371KB

MD5
996c9148fb38460890d86a31311aa53b

SHA1
ec8c6609932ed83271a9bdf9da10dee8a61f78c8

SHA256
74dabcb062abbcb41a0bfb62639cd977e9c9195ecc823aff71edc674306dba78

SHA512
d43814f0f982241fcb3b4ffd30edbda4b2b3928eb273fed0a9ba2f4c4de96ebde7fd15c6f5db7d5a1e5b98626b77c980cd2bb95ca1c68b968c6c08a5d209d70f

Download Submit
C:\Windows\SysWOW64\Pjjfdfbb.exe

Filesize
371KB

MD5
6ef47ca8b26a2a62cd957326321eca2a

SHA1
9b7af0ddc0e321fb4ee336869f5a721442333297

SHA256
70fa5836fb5fa2fd23494c507ebb72b39ebec9eaf68671372f2ff93d9724628e

SHA512
9b351462988197042a39f5a70251c8ffb342a0f0cae3a67e93508a3f67c9c26e56164717bb4c7c92a6b65d6c08ba7fa6763acb74b1308e4489af651709236b50

Download Submit
C:\Windows\SysWOW64\Pplhhm32.exe

Filesize
371KB

MD5
686aa5da4602449e9ca0cc84bbbf6991

SHA1
45cc3c2e6da80b6416255faed99b0e63843b997d

SHA256
ef97bea61853f9b1ea1d4e189ba2029daeb6be2df8a59f10216c0a09bf6667b4

SHA512
385f5e99b6c6be916a0e8708cc80d0b8a0f57eeb747663c26039b784257fe6af9c066fd2e06af54d8435957445b06798d962a030e5c052edc90887f7ed4c4fda

Download Submit
C:\Windows\SysWOW64\Ppnenlka.exe

Filesize
371KB

MD5
bbce903fe28bf9e5a78ec6a64d5bda2d

SHA1
4466d154d63dbc59aab74d21f1a410c0514ade38

SHA256
5b02facb4d773aa41dde93595a00eb624d3b6d5deeb17cef3949fc94601e6267

SHA512
a36ac4f745045741b191b74360677d5d5ffb7d1b8ece2bd3d7e6a7ed5b26794439a4ff4ef2295847f93ca62d08344247ec8f4385e9db79f7ae822e286bbeca31

Download Submit
C:\Windows\SysWOW64\Qclmck32.exe

Filesize
371KB

MD5
642636c8b08e0757a597fb2c489adc86

SHA1
3efe94919d693bad312db3714d9be0172bd59463

SHA256
d1873b4f8950d328ed4c5b7e133e52fc00cf6ffaaf4285cc7bf9b9e3f6435e47

SHA512
1b809c1af063d55ea439db56c5099122769a91f1fd6657e37a87045c57b5ff9f0fa28e4cc86bf785b311e34f62cbcdc51473b2d99a0a4f7d8c6fdafcf30bf3c2

Download Submit
C:\Windows\SysWOW64\Qiiflaoo.exe

Filesize
371KB

MD5
64d2e237363af2e117d84ba5ec0dd1d2

SHA1
f54006ba10e0ac326ba168cccb441bfbfe9332ba

SHA256
505c377c8cf230b5f5a2b802ed91c3cc457ef17703191d49778e6889b8c0af1f

SHA512
979397f70f2719c7f027b244fa714c60807e3c932b2600b75f8a86b68f69123ec6eb88462222f7f81e6d1fa61013d77d2f14229419ad9100a03011dfb30e8222

Download Submit
memory/64-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/376-179-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/408-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/444-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/452-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/456-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/540-385-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/684-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/752-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/776-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/892-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/976-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1188-380-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1220-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1332-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1444-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1476-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1504-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1512-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1640-5-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1640-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1676-302-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1684-107-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1768-77-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1808-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1824-101-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1860-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1972-119-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2004-191-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2040-344-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2120-95-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2172-196-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2176-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2208-272-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2216-54-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2324-12-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2324-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2396-83-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2480-331-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2512-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2520-71-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2584-409-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2584-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2792-155-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2816-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2820-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2912-228-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2956-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3136-284-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3252-404-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3252-23-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3360-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3376-132-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3428-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3436-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3468-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3520-252-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3552-59-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3628-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3700-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3700-399-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3764-212-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3772-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3792-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3808-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3816-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3956-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3960-220-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4032-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4044-244-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4260-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4364-167-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4368-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4376-66-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4424-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4424-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4580-296-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4596-260-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4608-204-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4640-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4688-47-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4708-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4724-264-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4744-35-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4744-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4772-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4772-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4832-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4980-236-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5012-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5132-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5168-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5208-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5248-410-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5284-415-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5320-420-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads