berbew | 4c7051f9c4cef21b354766203765605b8287e47e35a5541c2257e96f95dad9f0

Analysis

max time kernel
94s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2025, 01:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c7051f9c4cef21b354766203765605b8287e47e35a5541c2257e96f95dad9f0.exe
Size

55KB
MD5

43229120377cb798930454d13c2e22ba
SHA1

d8cfeaa11b8ab9e626c14aa5ef31e1f9e039299a
SHA256

4c7051f9c4cef21b354766203765605b8287e47e35a5541c2257e96f95dad9f0
SHA512

d6334eb2637ece0ba790e26af3a3624217220c1001d4ec6e6a9ede3b27fbc499eb746fcadaa590672074d5a88ebcb69d921ed3094872473dfd88a51051c2bddd
SSDEEP

768:kzfWtpqqbmM2OEAk71WRaTDe6LXyF3abd6VybxFlj3eBS2p/1H5xXdnh/:5pq2MOEh3DgqbEVybxzjuBS2LBd

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgmngglp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kebbafoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdeoemeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miifeq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpjlklok.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndokbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kebbafoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kedoge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbfbkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbmhlihl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llgjjnlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llgjjnlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npjebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lebkhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmnldp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndaggimg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpnhfhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmppcbjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpnhfhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmmnjfnl.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
1468	Jcllonma.exe
2488	Kemhff32.exe
392	Kmdqgd32.exe
3232	Kebbafoj.exe
3308	Kimnbd32.exe
2224	Kpgfooop.exe
1928	Kbfbkj32.exe
1728	Kedoge32.exe
1684	Kmkfhc32.exe
4172	Kdeoemeg.exe
4248	Kbhoqj32.exe
2724	Kibgmdcn.exe
1280	Klqcioba.exe
1556	Lbjlfi32.exe
1704	Lffhfh32.exe
1540	Liddbc32.exe
3952	Lmppcbjd.exe
3888	Lbmhlihl.exe
3604	Lekehdgp.exe
692	Llemdo32.exe
5100	Ldleel32.exe
2276	Lfkaag32.exe
3176	Liimncmf.exe
1752	Llgjjnlj.exe
1932	Lbabgh32.exe
4424	Lgmngglp.exe
4132	Likjcbkc.exe
3920	Lljfpnjg.exe
1980	Lbdolh32.exe
3264	Lebkhc32.exe
2380	Lingibiq.exe
2504	Lllcen32.exe
2308	Mbfkbhpa.exe
3124	Medgncoe.exe
2384	Mmlpoqpg.exe
2760	Mpjlklok.exe
2960	Mchhggno.exe
716	Mibpda32.exe
4396	Mmnldp32.exe
5088	Mplhql32.exe
2916	Mckemg32.exe
4544	Meiaib32.exe
4564	Mmpijp32.exe
4196	Mpoefk32.exe
3164	Mdjagjco.exe
2828	Mgimcebb.exe
3760	Migjoaaf.exe
4936	Mlefklpj.exe
3948	Mdmnlj32.exe
2848	Mcpnhfhf.exe
4608	Mgkjhe32.exe
2884	Miifeq32.exe
2368	Npcoakfp.exe
3036	Ndokbi32.exe
3132	Ncbknfed.exe
1308	Nilcjp32.exe
3136	Ndaggimg.exe
2776	Ngpccdlj.exe
3816	Njnpppkn.exe
628	Nlmllkja.exe
3148	Ndcdmikd.exe
3964	Ngbpidjh.exe
4904	Nnlhfn32.exe
1376	Npjebj32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Liddbc32.exe	Lffhfh32.exe
File created	C:\Windows\SysWOW64\Oolpjdob.dll	Lfkaag32.exe
File created	C:\Windows\SysWOW64\Mchhggno.exe	Mpjlklok.exe
File opened for modification	C:\Windows\SysWOW64\Mdmnlj32.exe	Mlefklpj.exe
File created	C:\Windows\SysWOW64\Anfmjhmd.exe	Afoeiklb.exe
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Mmnldp32.exe	Mibpda32.exe
File opened for modification	C:\Windows\SysWOW64\Ogbipa32.exe	Oddmdf32.exe
File opened for modification	C:\Windows\SysWOW64\Pflplnlg.exe	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Hgaoidec.dll	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Amddjegd.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Dqfhilhd.dll	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Ohkhqj32.dll	Lllcen32.exe
File created	C:\Windows\SysWOW64\Ncianepl.exe	Npjebj32.exe
File created	C:\Windows\SysWOW64\Ochpdn32.dll	Pmidog32.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Mibpda32.exe	Mchhggno.exe
File created	C:\Windows\SysWOW64\Npcoakfp.exe	Miifeq32.exe
File opened for modification	C:\Windows\SysWOW64\Aeniabfd.exe	Amgapeea.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Oneklm32.exe	Ocpgod32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Pkfhoiaf.dll	Ogifjcdp.exe
File created	C:\Windows\SysWOW64\Pmoahijl.exe	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Baacma32.dll	Ampkof32.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Lekehdgp.exe	Lbmhlihl.exe
File created	C:\Windows\SysWOW64\Efhaoapj.dll	Llemdo32.exe
File created	C:\Windows\SysWOW64\Ngbpidjh.exe	Ndcdmikd.exe
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Kebbafoj.exe	Kmdqgd32.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Llemdo32.exe	Lekehdgp.exe
File opened for modification	C:\Windows\SysWOW64\Nfgmjqop.exe	Ncianepl.exe
File created	C:\Windows\SysWOW64\Oomibind.dll	Pqpgdfnp.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Jlgbon32.dll	Lffhfh32.exe
File created	C:\Windows\SysWOW64\Lmppcbjd.exe	Liddbc32.exe
File created	C:\Windows\SysWOW64\Jphopllo.dll	Llgjjnlj.exe
File created	C:\Windows\SysWOW64\Debdld32.dll	Olfobjbg.exe
File created	C:\Windows\SysWOW64\Papbpdoi.dll	Qfcfml32.exe
File opened for modification	C:\Windows\SysWOW64\Bmkjkd32.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Ojhnmh32.dll	Kimnbd32.exe
File created	C:\Windows\SysWOW64\Nkbjac32.dll	Kdeoemeg.exe
File opened for modification	C:\Windows\SysWOW64\Lingibiq.exe	Lebkhc32.exe
File created	C:\Windows\SysWOW64\Hddeok32.dll	Npjebj32.exe
File created	C:\Windows\SysWOW64\Gmdkpdef.dll	Ojoign32.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Mpjlklok.exe	Mmlpoqpg.exe
File opened for modification	C:\Windows\SysWOW64\Nggjdc32.exe	Npmagine.exe
File created	C:\Windows\SysWOW64\Djoeni32.dll	Odkjng32.exe
File created	C:\Windows\SysWOW64\Gcdmai32.dll	Ocdqjceo.exe
File created	C:\Windows\SysWOW64\Pdmpje32.exe	Pmfhig32.exe
File opened for modification	C:\Windows\SysWOW64\Anogiicl.exe	Ajckij32.exe
File opened for modification	C:\Windows\SysWOW64\Amddjegd.exe	Anadoi32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7632	7472	WerFault.exe	314

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndaggimg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmkfhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meiaib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndokbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfkaag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mibpda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjlfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mplhql32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndcdmikd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbabgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odkjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlefklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kebbafoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbmhlihl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liimncmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbdolh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmlpoqpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdeoemeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmppcbjd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llgjjnlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbfkbhpa.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjiol32.dll"	Mmnldp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kimnbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	4c7051f9c4cef21b354766203765605b8287e47e35a5541c2257e96f95dad9f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfkaag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Likjcbkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlingkpe.dll"	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdkpdef.dll"	Ojoign32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lljfpnjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lbmhlihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llgjjnlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idodkeom.dll"	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifoihl32.dll"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbhoqj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icpnnd32.dll"	Kmdqgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhaoapj.dll"	Llemdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoqbfpfe.dll"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gebgohck.dll"	Liddbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckijjqka.dll"	Mbfkbhpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Medgncoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpnhfhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jcllonma.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Medgncoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eohipl32.dll"	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lllcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmnldp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gilnhifk.dll"	Lekehdgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbaqqh32.dll"	Olhlhjpd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 620 wrote to memory of 1468	620	4c7051f9c4cef21b354766203765605b8287e47e35a5541c2257e96f95dad9f0.exe	85
PID 620 wrote to memory of 1468	620	4c7051f9c4cef21b354766203765605b8287e47e35a5541c2257e96f95dad9f0.exe	85
PID 620 wrote to memory of 1468	620	4c7051f9c4cef21b354766203765605b8287e47e35a5541c2257e96f95dad9f0.exe	85
PID 1468 wrote to memory of 2488	1468	Jcllonma.exe	86
PID 1468 wrote to memory of 2488	1468	Jcllonma.exe	86
PID 1468 wrote to memory of 2488	1468	Jcllonma.exe	86
PID 2488 wrote to memory of 392	2488	Kemhff32.exe	87
PID 2488 wrote to memory of 392	2488	Kemhff32.exe	87
PID 2488 wrote to memory of 392	2488	Kemhff32.exe	87
PID 392 wrote to memory of 3232	392	Kmdqgd32.exe	88
PID 392 wrote to memory of 3232	392	Kmdqgd32.exe	88
PID 392 wrote to memory of 3232	392	Kmdqgd32.exe	88
PID 3232 wrote to memory of 3308	3232	Kebbafoj.exe	90
PID 3232 wrote to memory of 3308	3232	Kebbafoj.exe	90
PID 3232 wrote to memory of 3308	3232	Kebbafoj.exe	90
PID 3308 wrote to memory of 2224	3308	Kimnbd32.exe	91
PID 3308 wrote to memory of 2224	3308	Kimnbd32.exe	91
PID 3308 wrote to memory of 2224	3308	Kimnbd32.exe	91
PID 2224 wrote to memory of 1928	2224	Kpgfooop.exe	92
PID 2224 wrote to memory of 1928	2224	Kpgfooop.exe	92
PID 2224 wrote to memory of 1928	2224	Kpgfooop.exe	92
PID 1928 wrote to memory of 1728	1928	Kbfbkj32.exe	93
PID 1928 wrote to memory of 1728	1928	Kbfbkj32.exe	93
PID 1928 wrote to memory of 1728	1928	Kbfbkj32.exe	93
PID 1728 wrote to memory of 1684	1728	Kedoge32.exe	94
PID 1728 wrote to memory of 1684	1728	Kedoge32.exe	94
PID 1728 wrote to memory of 1684	1728	Kedoge32.exe	94
PID 1684 wrote to memory of 4172	1684	Kmkfhc32.exe	96
PID 1684 wrote to memory of 4172	1684	Kmkfhc32.exe	96
PID 1684 wrote to memory of 4172	1684	Kmkfhc32.exe	96
PID 4172 wrote to memory of 4248	4172	Kdeoemeg.exe	97
PID 4172 wrote to memory of 4248	4172	Kdeoemeg.exe	97
PID 4172 wrote to memory of 4248	4172	Kdeoemeg.exe	97
PID 4248 wrote to memory of 2724	4248	Kbhoqj32.exe	99
PID 4248 wrote to memory of 2724	4248	Kbhoqj32.exe	99
PID 4248 wrote to memory of 2724	4248	Kbhoqj32.exe	99
PID 2724 wrote to memory of 1280	2724	Kibgmdcn.exe	100
PID 2724 wrote to memory of 1280	2724	Kibgmdcn.exe	100
PID 2724 wrote to memory of 1280	2724	Kibgmdcn.exe	100
PID 1280 wrote to memory of 1556	1280	Klqcioba.exe	101
PID 1280 wrote to memory of 1556	1280	Klqcioba.exe	101
PID 1280 wrote to memory of 1556	1280	Klqcioba.exe	101
PID 1556 wrote to memory of 1704	1556	Lbjlfi32.exe	102
PID 1556 wrote to memory of 1704	1556	Lbjlfi32.exe	102
PID 1556 wrote to memory of 1704	1556	Lbjlfi32.exe	102
PID 1704 wrote to memory of 1540	1704	Lffhfh32.exe	103
PID 1704 wrote to memory of 1540	1704	Lffhfh32.exe	103
PID 1704 wrote to memory of 1540	1704	Lffhfh32.exe	103
PID 1540 wrote to memory of 3952	1540	Liddbc32.exe	104
PID 1540 wrote to memory of 3952	1540	Liddbc32.exe	104
PID 1540 wrote to memory of 3952	1540	Liddbc32.exe	104
PID 3952 wrote to memory of 3888	3952	Lmppcbjd.exe	105
PID 3952 wrote to memory of 3888	3952	Lmppcbjd.exe	105
PID 3952 wrote to memory of 3888	3952	Lmppcbjd.exe	105
PID 3888 wrote to memory of 3604	3888	Lbmhlihl.exe	106
PID 3888 wrote to memory of 3604	3888	Lbmhlihl.exe	106
PID 3888 wrote to memory of 3604	3888	Lbmhlihl.exe	106
PID 3604 wrote to memory of 692	3604	Lekehdgp.exe	107
PID 3604 wrote to memory of 692	3604	Lekehdgp.exe	107
PID 3604 wrote to memory of 692	3604	Lekehdgp.exe	107
PID 692 wrote to memory of 5100	692	Llemdo32.exe	109
PID 692 wrote to memory of 5100	692	Llemdo32.exe	109
PID 692 wrote to memory of 5100	692	Llemdo32.exe	109
PID 5100 wrote to memory of 2276	5100	Ldleel32.exe	110

C:\Users\Admin\AppData\Local\Temp\4c7051f9c4cef21b354766203765605b8287e47e35a5541c2257e96f95dad9f0.exe
"C:\Users\Admin\AppData\Local\Temp\4c7051f9c4cef21b354766203765605b8287e47e35a5541c2257e96f95dad9f0.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:620
- C:\Windows\SysWOW64\Jcllonma.exe
  C:\Windows\system32\Jcllonma.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1468
- - C:\Windows\SysWOW64\Kemhff32.exe
    C:\Windows\system32\Kemhff32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2488
  - - C:\Windows\SysWOW64\Kmdqgd32.exe
      C:\Windows\system32\Kmdqgd32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:392
    - - C:\Windows\SysWOW64\Kebbafoj.exe
        
        C:\Windows\system32\Kebbafoj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3232
      - C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1280
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3888
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3604
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:692
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3176
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1752
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4424
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4132
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3920
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1980
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3264
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        32⤵
        Executes dropped EXE
        
        PID:2380
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2504
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2308
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3124
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2760
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2960
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:716
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5088
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        42⤵
        Executes dropped EXE
        
        PID:2916
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4544
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        44⤵
        Executes dropped EXE
        
        PID:4564
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        45⤵
        Executes dropped EXE
        
        PID:4196
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        46⤵
        Executes dropped EXE
        
        PID:3164
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        47⤵
        Executes dropped EXE
        
        PID:2828
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3760
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4936
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        50⤵
        Executes dropped EXE
        
        PID:3948
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2848
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        52⤵
        Executes dropped EXE
        
        PID:4608
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2884
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3036
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        56⤵
        Executes dropped EXE
        
        PID:3132
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1308
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3136
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        59⤵
        Executes dropped EXE
        
        PID:2776
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3816
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:628
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3148
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3964
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4904
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1376
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        66⤵
        Drops file in System32 directory
        
        PID:4364
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        67⤵
        Modifies registry class
        
        PID:4108
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        68⤵
        Drops file in System32 directory
        
        PID:3600
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3284
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4612
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3652
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        72⤵
        Drops file in System32 directory
        
        PID:4076
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1188
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:4592
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        75⤵
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:4552
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        77⤵
        Modifies registry class
        
        PID:4800
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        78⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3556
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3180
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:5156
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5200
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5240
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5328
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5372
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:5420
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        87⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        88⤵
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        89⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5640
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        91⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5684
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:5728
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        93⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5840
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        95⤵
        Drops file in System32 directory
        
        PID:5896
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5992
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        98⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:6080
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        100⤵
        Drops file in System32 directory
        
        PID:6124
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5236
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        103⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5348
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        105⤵
        Drops file in System32 directory
        
        PID:5388
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        106⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5584
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        108⤵
        Drops file in System32 directory
        
        PID:5660
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        109⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        110⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        111⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        112⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5964
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6108
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        115⤵
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        116⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        117⤵
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        118⤵
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        119⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        120⤵
        Drops file in System32 directory
        
        PID:5740
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        121⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        122⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        123⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        124⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5276
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:5472
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        126⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5824
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        128⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        129⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5608
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5932
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        132⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:5232
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        134⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5636
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        136⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6176
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        138⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6244
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        139⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        140⤵
        System Location Discovery: System Language Discovery
        
        PID:6376
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:6424
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        142⤵
        Drops file in System32 directory
        
        PID:6464
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        143⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6516
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        144⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        145⤵
        System Location Discovery: System Language Discovery
        
        PID:6604
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        146⤵
        Drops file in System32 directory
        
        PID:6648
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        147⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        148⤵
        Drops file in System32 directory
        
        PID:6736
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        149⤵
        Drops file in System32 directory
        
        PID:6780
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        150⤵
        
        PID:6824
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        151⤵
        Modifies registry class
        
        PID:6860
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        152⤵
        System Location Discovery: System Language Discovery
        
        PID:6928
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        153⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        154⤵
        System Location Discovery: System Language Discovery
        
        PID:7016
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7060
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        156⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        157⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        158⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6164
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        159⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6296
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        160⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        161⤵
        System Location Discovery: System Language Discovery
        
        PID:6456
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        162⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        163⤵
        Drops file in System32 directory
        
        PID:6592
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        164⤵
        
        PID:6668
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6728
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        166⤵
        System Location Discovery: System Language Discovery
        
        PID:6796
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        167⤵
        System Location Discovery: System Language Discovery
        
        PID:6856
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6968
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        169⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        170⤵
        Modifies registry class
        
        PID:7088
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        171⤵
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        172⤵
        Modifies registry class
        
        PID:6232
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        173⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        174⤵
        Drops file in System32 directory
        
        PID:6524
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        175⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6868
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        177⤵
        Drops file in System32 directory
        
        PID:6956
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        178⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7072
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        179⤵
        Modifies registry class
        
        PID:7160
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        180⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6452
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        181⤵
        Drops file in System32 directory
        
        PID:6656
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        182⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6884
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        183⤵
        
        PID:7092
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5984
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        185⤵
        
        PID:6628
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        186⤵
        
        PID:6992
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        187⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6388
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        188⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7136
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        190⤵
        Drops file in System32 directory
        
        PID:6284
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        191⤵
        
        PID:7116
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        192⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7052
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        193⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6940
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        194⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7180
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        195⤵
        System Location Discovery: System Language Discovery
        
        PID:7224
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7268
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        197⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7312
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        198⤵
        System Location Discovery: System Language Discovery
        
        PID:7392
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        199⤵
        Modifies registry class
        
        PID:7440
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        200⤵
        System Location Discovery: System Language Discovery
        
        PID:7484
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        201⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7528
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        202⤵
        
        PID:7568
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        203⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7616
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        204⤵
        
        PID:7668
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        205⤵
        
        PID:7712
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        206⤵
        Drops file in System32 directory
        
        PID:7760
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        207⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7804
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        208⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7848
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        209⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7892
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        210⤵
        Drops file in System32 directory
        
        PID:7936
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        211⤵
        Modifies registry class
        
        PID:7980
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        212⤵
        
        PID:8024
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        213⤵
        
        PID:8068
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        214⤵
        
        PID:8112
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        215⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8156
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        216⤵
        Drops file in System32 directory
        
        PID:6484
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        217⤵
        Modifies registry class
        
        PID:7240
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        218⤵
        System Location Discovery: System Language Discovery
        
        PID:7304
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        219⤵
        
        PID:7412
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        220⤵
        
        PID:7472
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7472 -s 404
        221⤵
        Program crash
        
        PID:7632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 7472 -ip 7472
1⤵
PID:7564

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:6628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Balpgb32.exe

Filesize
55KB

MD5
401f01033e7a15c25eed11ecbe9cff15

SHA1
1e6fe0a35d6926c84faf418a8e26caed4945c11b

SHA256
651b855ee299806065e02bf1ad20a7556bbb42c92ddf1a41be5ac6a3bf76f13c

SHA512
2ecb5245cf50e516ff9dfe4ccfd41d147f31e0f530fd9de1377a764c8f2981bcda4ca36206f6069292dca16dfb37ba319414902444c0b35d9bc785b9379e11f6

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
55KB

MD5
da88ffcd1dc43d05235d21c49395e5a8

SHA1
92a3edd3954ddecb28f30500ed0e7a530d3b9399

SHA256
08e7fa04bf943c322a33ad6cf48f749034a7c9c9caf3fbd0f8bbdd08c9e77860

SHA512
1f5ebe59a27b8d4d13877962e322adfd06a106d733c133753b7030b48271214c58723a7cd94c3bb76fcd8f327fd3e3774a3e36799e3432303b90f2b905ddde7e

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
55KB

MD5
eb9ea3b3fa0af58951f2da3f8ed7238b

SHA1
b52d0fda20a7f6be7a211327fa954cec3c546478

SHA256
8ce92a9971e41b085a075aa886a27d3cd36939c4b621d6fa5f3ccfdcbfa3ec7d

SHA512
f9919968ab0027ca5297e78c8e5d952c731969d6e71c74c9f84ff618c9f2e0f894a353025b5bee7b0f22d78c9186bdc363b11cf952f0a945a6c7c0ab64e121b4

Download Submit
C:\Windows\SysWOW64\Jcllonma.exe

Filesize
55KB

MD5
a28f14aa08ad74e2134a4416ff34e29a

SHA1
69d072318fa6dea16f7450ba2c4b3656584e82cc

SHA256
b0d6b97444c6d2ff3a49eccf427c0e7ff841993c97961a82e2878c3711ee1115

SHA512
7afa260e3bd5a4ae5bc68a21977e63dd9f38bcae93bd8076ecaa35fc2cd43187dd9c73b014ede577ea2e12fdc32e86bf9716ef2f8cfdc46a855aa405c6fdd513

Download Submit
C:\Windows\SysWOW64\Kbfbkj32.exe

Filesize
55KB

MD5
ec85c0daf35e63e5eaad5902fe38ce90

SHA1
89b62199f1a56904032ee60a48c32da660f13168

SHA256
5020a82446ebf21c0543129e853f18ccf5cc5d69930f830797005f683c07bd91

SHA512
9c1b9bccbd79894e05c2c305ab814b29d2073a75e5d51927c9c49f0fdb84e1a0aa5de6ece1f9d490337eeef3e502e2145092236ba1edd791b8b304d32ac468ea

Download Submit
C:\Windows\SysWOW64\Kbhoqj32.exe

Filesize
55KB

MD5
7f47bc54bccfc632e53b411c57707cd4

SHA1
e829e0ccbbd663839751b08e941c721c38b92fb1

SHA256
b08dc769ad45cd697785f36e85bd409b74443ba4180811c595751dae4065462d

SHA512
d55cdfb1a6d81fd36e4a43a917873670f96ab523ba9d2ea81f7c0cc1e8e00df7aaca482b5b0f3b3600f58bf1b2b491968dd1586e2012c1b03d3d3a972c7b5db2

Download Submit
C:\Windows\SysWOW64\Kdeoemeg.exe

Filesize
55KB

MD5
68d5c868ae494ea48ecb57aee03a7a3e

SHA1
5c36b933297d8d1eb485b3be3ab0969c95663831

SHA256
c023c8842f68d86c080b4e079176396607905de2f19200fe32b3ca1da2b9445c

SHA512
daea1641fbb700cf23a514c087d80635f73b4da643bbff72707866cc58b338d46ce409d5361abe0251fdc567e84431c9cebcce787366516b0720dba77deb0bbd

Download Submit
C:\Windows\SysWOW64\Kebbafoj.exe

Filesize
55KB

MD5
d26f4be109353005a61a0e2dd0a18c62

SHA1
daad94dd0d90264a5e92c478a2d04c98759e8c9e

SHA256
b11792f45286e603179cfcd00702edb167781dd0043dda42d67c0319725ae736

SHA512
359638a24c074262708744c020d75e5b9b4c40f84a46b9c65bef84b5c7c753eadb59bbde5eade27d4e1eafbd91614c75f59b908df7a26b15663f3b3358cbf627

Download Submit
C:\Windows\SysWOW64\Kedoge32.exe

Filesize
55KB

MD5
3a9d7a746f6b055ce8d0ee9d66e79637

SHA1
5680b230b4a1cb34e9bdf32c28280778187b0d81

SHA256
2d90d499b30ec1f5c4207e2588f7f474b0e9d795a947ac27ecd8eebe4087d0a3

SHA512
23b151f6d9f52e375e677ef4618b63e60836bd0eaa16c37af6737b25ce6087efdc7ca24bcb73cc31f98e766ed562312fd9529646e6dd2dca075b9079f341031c

Download Submit
C:\Windows\SysWOW64\Kemhff32.exe

Filesize
55KB

MD5
d853f08562318c4dc876dcd1f31c8fdd

SHA1
0e9ba56b0aca4e47a63383334978b6d2fa552b30

SHA256
a1d58c9c8ea86ca86d81b86cda3ec091b886817582ef93ae3c22947e33628f3f

SHA512
421c87b4f13b7b43b3e3a903be02855a88fefc5207e1d81988412f32e787170f764cc9dac9932e3de0523bf57c8945d5a1ee1cbb1655cc4ec7f90a75d4a8029e

Download Submit
C:\Windows\SysWOW64\Kibgmdcn.exe

Filesize
55KB

MD5
baca3c5537830048169221a2c34cbd8d

SHA1
8fc72f7c84997334d4e65f6acd5060c04df0bad4

SHA256
3a4226ef8b7439eaa4806ac1cd0103909a7948e5cf229070c74f11a9128de6c7

SHA512
d45ffd8af26670c98f943c1aadf8ef728e74334da751892f83ef3327d044e30a9da741a6127cb9c3d3dca476a7f95eea133035f9fead03dbc4c694d60fc12a88

Download Submit
C:\Windows\SysWOW64\Kimnbd32.exe

Filesize
55KB

MD5
9bd872e28fcacc9a42c1d406849212e5

SHA1
2763d85e464fadb4c2881b3c74083e720ea9ce04

SHA256
84f2eb2cdd0eb58495f4a998ea1b1434f31479512e456e4ab148ba1b00a5726f

SHA512
651d78d4958878a5de45bc08531c99c7e35816fea2f70ea794372931ccf9061480daf10daa3323af078355bdfac2e34fe9d486835e6452c80d5777dbde4110f3

Download Submit
C:\Windows\SysWOW64\Klqcioba.exe

Filesize
55KB

MD5
224dc7f2d2a076a9e565d2212acc7f96

SHA1
3844bf252f64fe4f5f2a054c25290a1ae9828e12

SHA256
2b1140e1db8dbf6516e4111ac290766ede8399c29399d1d967d048f930c58bda

SHA512
37e77dd186240f14bcd83298af619a173b683c669ec376e6a6054ee9731805eb1199442d50b4ede44856995a7ab5a70a4e184ffee65dce4babdee0ff6280dc24

Download Submit
C:\Windows\SysWOW64\Kmdqgd32.exe

Filesize
55KB

MD5
f14fe494eafbaf4c9c83ee546087b35f

SHA1
15013aac6ef114bfe567a9719560f303bc69a59b

SHA256
65c0bcd60a5c690e1f4d0783d5d6d6a582ce22f83ec643a8b5249660bf1ffd47

SHA512
9bc14d5809c919d09db3e3bb153f5a5359d5b8ad7b80f03aa499a56c7ecebd5378943ecbebef80c1ab65891c1eb3fef88f98d277313139aa68511233fd838491

Download Submit
C:\Windows\SysWOW64\Kmkfhc32.exe

Filesize
55KB

MD5
c443723708eb8513d35baaa72817011d

SHA1
1317c03f15ff1d4aa6ad8f1d1bedd985ce520c8e

SHA256
0c0bfe9c1a8c8d94b921176f0929d2afc8044e03aeb64a3da4d58a0d598423b1

SHA512
fc1403457b3c85923f6515b5a95ff296f9e2bd76216ef8f9be727f144e062eec1c15c5aa6ce8a2ea6e4abb0d216ee7bd9690d1586aa8b203bb95aca0202de212

Download Submit
C:\Windows\SysWOW64\Kpgfooop.exe

Filesize
55KB

MD5
0544081de1ca8b1450a0fd64997750ff

SHA1
c761b4e875646055b3d926cc2d831edd4eafa804

SHA256
68ac75c4bb2b3d0db237691559a0cdf3d993195fbf7dc8d1735e316ec4a9e7fb

SHA512
86a0f92d268ed7da7efeaf1b16b35c57f02241dcc558033c5455cf38e68c2fd348e290d338770311a913bcb7759b41e6627ab1692ed2ef8743cfc8fa234a32a4

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
55KB

MD5
ae53e154f3b960c640a089311eb2c102

SHA1
619711f00719c584f14da749e25529fbc6948e76

SHA256
a93ce34ccfe0dac6f4b94243990313bce4e019fb1abf071a76e2646cda1e52fe

SHA512
17025202e1735d805d2aaebbdfc8b8238e232d61be008950f0dbb987c905eb484f51c108ce97b4d8afb4649c0fe32671609fe08e181ccb6cbb18a532246e38e7

Download Submit
C:\Windows\SysWOW64\Lbdolh32.exe

Filesize
55KB

MD5
b8f3b7df5228fd0c6e8e86b450874527

SHA1
db569d8cfa348e7a693680193ec374954a52c94c

SHA256
7a0371fb4e1b16d13a74d2744708bce3c4ca1466a10a684e9e562275745d0e29

SHA512
2107d047bb5960ed56b307f36d429774d97dac4b5b244b43262c703635f61dba2fb242256c80f1992abfd7eb3cd7b9100831bac48d45edecf04339d52fe28a01

Download Submit
C:\Windows\SysWOW64\Lbjlfi32.exe

Filesize
55KB

MD5
62b797353f0f6767fd76d234fac7d47f

SHA1
56eb201f78806b5c3360f5fce97fd148c8353fdd

SHA256
1c992c69405e07f6d2da815b3462e5e213c09137f1879857afee9fcd67cf7927

SHA512
bbce2776c54201fc9f25589e0befc694ef13ea039a753ce3a753cb9d5c605b0c5cc7b2a43dcd37769fff00d4f017a1d311e82f672e429d4577e6478da51257f1

Download Submit
C:\Windows\SysWOW64\Lbmhlihl.exe

Filesize
55KB

MD5
a2d4cfd2f56143080d0f0f9e7686deae

SHA1
f1e5d291498f7717059014475233ac9e6f38f7aa

SHA256
e57ef3d9b90c69a9d5fc26ae5327dcac9f000617d96455fa87f93bc2033c4470

SHA512
e60d4baf3415c2f567bafafb62b6be175348e709e4318b8984dec4def79f46faee5b1884c44f9df0af5f072b03375af3a81eb3c2a3c47a415fe49826b3e57129

Download Submit
C:\Windows\SysWOW64\Ldleel32.exe

Filesize
55KB

MD5
e37938c93e18200c88407591f98dd3eb

SHA1
b2e83aeebb21bb3e8f53cbc36da6bef353c3dda3

SHA256
ac39230cac50a930374d3b115d1226fd5785d1eb000f833d5f30c1e49bcf73e0

SHA512
55457e7b7a24f0f535d1a2fb28337ba5dd9722eca5fe53323f049702a8e4b89d9dfd02fd220c8c551432150a0279771fc8df472f560a76bc11e6df9a2d03c373

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
55KB

MD5
360cca75a8c16cffd2b9071b186d022a

SHA1
98a4995335e139a79a11e01f713c4229aed033e0

SHA256
aa53594b678f59c5c36c4eb61b960833fa7bc158c8aebbe60eb0efc366272b7f

SHA512
5450a64fc35628f5281959fbb0bc8f38cb16a03252a6eead254ab5b0a21e08bbba7ecb9c24be4023c88be551d5b555ff6eded77e1738eda380e2f0b9f2136448

Download Submit
C:\Windows\SysWOW64\Lekehdgp.exe

Filesize
55KB

MD5
dddb0b5ead38071880c3343971511a7c

SHA1
a10d833094a908cab9aed25d0f94c37c426db0c0

SHA256
e091d4a02683f51daa823450b4c04a7d4a5fe26782afe6803994b9b9ea2ea429

SHA512
a32d0ce80b68553fc35bd1fd34367ee09c0fa43af4c83f3378b4f1b1264140add74305915fac503f7f49208b20de351b8d09cd6bd8e724b33f5377d6d10d43a8

Download Submit
C:\Windows\SysWOW64\Lffhfh32.exe

Filesize
55KB

MD5
8faffccdfe59c1ca5d2929eefc2b3439

SHA1
50e6a911f8d6124826f88f9cc0c1b912b1e81c44

SHA256
3630bdc9004c37b6be6dc2a633d6f8b644e949bca54e7612e131ef7294e09883

SHA512
3ea5def8ec81346d8bc995eb86d47c8de66bff23bcda7b9e7bb3c639cb47c3f9a020c3303a09021dd80f3f2e8fb8862bb459a61b80073ff8bdf16ee2d34e2cd2

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe

Filesize
55KB

MD5
a3dcd9739b009c3bdf3453650b1aed73

SHA1
5f5186d89cdfd8963bddf9bdd42c35c5be3609f1

SHA256
4918275162a31f1b54ef966de0e28e4f40e0b8145a3c68f6f558be4ea4bd77ff

SHA512
093430fca796bbd9e7227f78b676f3ab0508c92cd89b57948832c5bb90e258c5e39edee96d98be664aa19a30a13f0bda87f8376887b8d16496e96805050e3de5

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
55KB

MD5
e7215481cfa925dd7456417c0e43bb39

SHA1
ad00cfd0ada9341c48fd4169eb3eb3f1588283ed

SHA256
d24bc4c62f7391f5d5cfa3a1d15194c327da0437edd5a1954e37359257983a7d

SHA512
d20da6663eec787e8540b378998672aafdc35524670d8783034a753f729f0f0220c373383c763c9d71178f2a2c7510874cdb6379591857dba9216b504168d26d

Download Submit
C:\Windows\SysWOW64\Liddbc32.exe

Filesize
55KB

MD5
4603176fe34245f1db525bfde524e281

SHA1
bdd0f9c2653fbc55656b494d3468e6f209ad77d3

SHA256
778962e93fd6203c2e15a906d221c82d3d139e12059afda8d64bb908f11972bb

SHA512
4b9c1a0cfca77a54b6d3b2236ae49e6efbd92772244df91606a73232c96fa2517b17d07f963dcdbcf44aa99ee5b6f51350857799370e40560c60a33dab01fd1f

Download Submit
C:\Windows\SysWOW64\Liimncmf.exe

Filesize
55KB

MD5
42aab59e7467fcc2c1f285048d95b2c4

SHA1
bcbcb732d0424cfd450ea5128651b08d30f662e1

SHA256
a4e8527f97d3e639a69d014930fe0215db21242c9e56af7b0ed5d75ce6dc43da

SHA512
a27cc077240508df694ecc1fed973d8da320be6435da031645e24b0c7491f7215e661949ec7e4b5f4fe024e2a95e22b3b06e29d7eebcb70f87d09581d7bfb942

Download Submit
C:\Windows\SysWOW64\Likjcbkc.exe

Filesize
55KB

MD5
abde3dfc2d9e59a6a9e389bc4a0448b8

SHA1
5d95d147dcf610c371565064be25745c66d23f06

SHA256
6ff4642b1d2e9d2cc7e14899b96d30556aa7482c369cd3b11e2f21e8fc3c19f0

SHA512
93190674b2c6fd0bb954bddf19b1b5c928d5b6af193dd7df72d0395726059b2fa42a60d1ee79fc26762e781171f1fc0984ef59d9eb3ff4a81515597e25d06dbd

Download Submit
C:\Windows\SysWOW64\Lingibiq.exe

Filesize
55KB

MD5
32d49ea02370e3c14caeef6fcf740692

SHA1
69f3f8b8222124f069edbe0b25e1b5d73d6ab443

SHA256
9eeec6a6c5f133b3dd0e0516505695a76abcd3c2a3c071b7ad9c20e3e2bcb1f9

SHA512
b841a7e1f68e4da91cfa9d3c331f39479f2682420a4d23d310f99d146cec8f6a3b72e96106d19ad4405f73bc29f257ee2e5612cb7fd7c03fb28c4dfd5de81239

Download Submit
C:\Windows\SysWOW64\Llemdo32.exe

Filesize
55KB

MD5
986d0e9d580605865eb52bfdace2a828

SHA1
1d6fc789b803740e0680d188d2867869e5741d82

SHA256
791dba9d5e0370c166e47584abef1c68f21058a2c7cc9864f9933dbb109865f0

SHA512
6d784ff7609e56a655bbdc43dc5adead82d8bbec55b831247f77f776b5f633f383710f6b3d0146e28f430c3c32fb5878940636c31f0e4dd725d6a1ac7bedece9

Download Submit
C:\Windows\SysWOW64\Llgjjnlj.exe

Filesize
55KB

MD5
87279a3b36bf90f4c851ae012d1fe139

SHA1
3bb6ec7cc273d5957915871c56079a892e93c9e1

SHA256
68e66f3e0e196322d996f91959a900e61ef94f337926de114910dcceeef4a791

SHA512
c1e08fc2ea3c1960607c59c680e0594498ad96ef0790096513ed1373734f65c404b03685a0b4a774ce0688f25a57f630f932816470289a45e3a4c42c83bbaeff

Download Submit
C:\Windows\SysWOW64\Lljfpnjg.exe

Filesize
55KB

MD5
1c5ff87a3f7874c7acc5140a9c637870

SHA1
b737ee5bf9675e0f8d0ff58f5476f1ee62f48887

SHA256
1451f4dbc442ea1b068a7febda53dc5d7ecce42ece05fbf7c376187471dc9758

SHA512
e11e015708387b8afbacfc2103aa8a36bb7f3918e0b7e507c1deb2b7f8adde4d95e54de616eeab6285c254c022f074436c939080d353e304325389456168829f

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
55KB

MD5
0d8fd4900167814a87f1065bc6139082

SHA1
57793d152aa28131ac19b82ad39ee9ea878b8be2

SHA256
3bebf45cd794726b91b32a68b33904b6243d01a6b6a25064245d16a21afcd198

SHA512
29617eead5b0c5c2467899d01c4bbcbfe65f0d2e95ab18534a4e189d7bba6076aeab1c1d0ad3426cb3d66ef4b91517fe2754616311ddc9a6e3c4d557d22a58d6

Download Submit
C:\Windows\SysWOW64\Lmppcbjd.exe

Filesize
55KB

MD5
8d339433f84726e5ba705fc94fe6136c

SHA1
98151c70da54c4a8bba0b6d29a743b11ec56d84e

SHA256
ca2efb8b8ed093adebce7bee643a5a1ea5c558a8f42fcc6dca0acb0b719bf56f

SHA512
49bacef49054712f1b150036cc067fb3f5609dbdda6fee6c9610034326d3bb21e158e8a0a0af94d171977a2b4505726c82252a9a0f00cbe73b914d2f1236b0ba

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
55KB

MD5
cbe90a74e7e354eaed26491804d88c49

SHA1
9087790708a37beb16d64c5442d12ca7b4d26421

SHA256
2801fb3c561ea1d31c456f15c5cbad3fcecb909f31e4bdc89c167ca309479a27

SHA512
cb0f24d9ed162e4eeba46525f14faf555588e6f2e1c1bc89b26112c798cac8c9beba43629a76c577e44937ebcba289a231d764ca41b9d09849f3efcd61f1c01b

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
55KB

MD5
11a8aac9aa8d7124e2db9f08b4fec0d3

SHA1
68b16fc9d18322be76fb98c11e3af43845ae66f7

SHA256
d41b9ec5cadd8c1274d523b68df26c699a07e75c78f56e735eacbac5d96ec997

SHA512
6e641420891f6a08acc2a0ae3827f2dd3904db5978ab4f45dd621e379b8ff52b5017a56064a7dd3682e1cf2aa533010aec771e8e5369c6061b5c93bb2fde9c7e

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
55KB

MD5
1a1f9869eea73e50f3e23fede56c67e2

SHA1
974350d9602ba4ea0916b9c3224b5aa464764021

SHA256
0cd716707b9658ffd41066e6e50b3a34dac8b75e9430e2dc03f0de9c3386a825

SHA512
e264916d5d48cb36a4191ea50ae64d2a9e583c7243a0c1f04838e572d74ff7a62b43820be29d31bb5fd6204987cb8d5cb7980be10cd0af4bb07cfc9080b463cd

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
55KB

MD5
61cb1b028da82344dd2faf6cfb516e29

SHA1
b8412e03c3823979345ff3669114836fccbcf954

SHA256
6079198c4e18c80c0d866917d20720e5616b2dfc703cbe74eb11ed23a32b6575

SHA512
50e96d81a15bc425a96f8480c45ad36083e743ba22aa45a8a1b0b0536bfeb7602aa9e4bb1ea0fc3cecefa203be52b39914e1202307539f9a788b18541a3bcf87

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
55KB

MD5
6912f366c268b19acfdaf2af5c975404

SHA1
c31bdde8f96e3e77a6a6e44f66553016aa6e7a53

SHA256
e128958b944934640f690865bce5fe79509a19b9e957f3c317be15aceb889cae

SHA512
e9681be086a9705c15a9b4299f1dcfe1345079c8ba59e9975889f823a67f8735b50207bf4262c66921b889e87c3b2bfbcc5af4a9db2babe57cbdc85d1788bf2f

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
55KB

MD5
f2316f89afc3af5d8deef7dc12fca428

SHA1
1b28d55829dd6c61aed4dffcd8c21651b7751f57

SHA256
11b4839ed58e762dbdbd343f8bfd3127a6c7830ba271db22831e0252257f0db5

SHA512
ed811ea6445ebcfdd73ce7764c824369f2a5ad09fbe9827bcaba5b765ca2c3e76c08069d66f23ee95c5f1a44795459ff3c07bd91b1a0da0b3d0f02d882f11d14

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
55KB

MD5
d20375827133d8da6a86b049eb94ffba

SHA1
a1a402b7ec2918523c83e1a965484e05a5b6fe7d

SHA256
08cb02d48728c0a19be380e462cea1e845a1d17f623b118703dd2b1017faef1c

SHA512
6aaa4ff037c03c64934e6b756a3dabd3eb72c4ab2bf0bca2642858b05b1077af1b81644f7dd90747added8e9826f4b45b5d7b478f022044a6a51a25486f1c3a6

Download Submit
memory/392-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/392-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/620-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/620-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/620-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/628-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/692-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/716-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1188-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1280-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1308-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1376-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1468-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1468-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1540-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1556-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1684-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1704-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1728-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1752-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1928-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1928-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1932-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1980-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2224-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2224-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2276-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2308-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2368-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2380-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2384-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2484-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2488-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2488-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2504-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2724-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2760-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2828-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2848-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2884-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2916-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2960-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3036-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3124-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3132-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3136-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3148-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3164-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3176-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3180-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3232-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3232-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3264-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3284-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3308-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3308-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3556-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3600-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3604-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3652-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3760-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3816-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3888-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3920-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3948-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3952-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3964-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4076-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4108-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4132-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4172-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4196-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4248-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4364-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4396-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4424-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4544-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4552-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4564-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4592-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4608-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4612-483-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4800-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4904-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4936-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5088-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5100-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5156-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5200-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5240-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5284-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5328-571-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5372-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5420-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5464-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7008-1579-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7892-1538-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads