berbew | 588e8f42c36e553498fbd22053c28eb0f9e26057f61e2fafddb9a179a27199a0

Analysis

max time kernel
106s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 21:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

588e8f42c36e553498fbd22053c28eb0f9e26057f61e2fafddb9a179a27199a0.exe
Size

96KB
MD5

f15d90e1280e2ee134aaa41162133cd1
SHA1

5107f7849dd3b73ea0b9cadc6285eaa8595f0144
SHA256

588e8f42c36e553498fbd22053c28eb0f9e26057f61e2fafddb9a179a27199a0
SHA512

0c6de9249d583d2416185a2a18ed54c996868c857191df51e3f78946fc5cedf7785efa8a860edc72ae0db9fcf5df6d149c8a7a13764f0b5a8cf4ca42a1292a03
SSDEEP

3072:SkhlsME9aRxFrc/m7tHox0z5eClUUWae3:SrFaZ5eCWUM

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mipcob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llcpoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lboeaifi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olmeci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgimcebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbabgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nngokoej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbmhlihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Miifeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lebkhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdckfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdehlk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Melnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kefkme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdhdajea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlefklpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nilcjp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdgljmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liddbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlmllkja.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoabn32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
5684	Klngdpdd.exe
5452	Kdeoemeg.exe
3132	Kefkme32.exe
3120	Klqcioba.exe
224	Kdgljmcd.exe
2472	Lffhfh32.exe
5232	Liddbc32.exe
2144	Llcpoo32.exe
3740	Lbmhlihl.exe
1048	Lekehdgp.exe
4612	Llemdo32.exe
4776	Lboeaifi.exe
4904	Lenamdem.exe
4700	Llgjjnlj.exe
5996	Lbabgh32.exe
1236	Likjcbkc.exe
3864	Lmgfda32.exe
4860	Ldanqkki.exe
4880	Lebkhc32.exe
4932	Lmiciaaj.exe
4972	Mdckfk32.exe
3040	Mgagbf32.exe
4752	Mipcob32.exe
4724	Mlopkm32.exe
5164	Mdehlk32.exe
4412	Mibpda32.exe
5464	Mlampmdo.exe
944	Mdhdajea.exe
3744	Meiaib32.exe
3472	Mlcifmbl.exe
6040	Mgimcebb.exe
2028	Melnob32.exe
3204	Mlefklpj.exe
5356	Mcpnhfhf.exe
2772	Mgkjhe32.exe
840	Miifeq32.exe
872	Mlhbal32.exe
3780	Ndokbi32.exe
3068	Ngmgne32.exe
5592	Nilcjp32.exe
5332	Nngokoej.exe
6016	Npfkgjdn.exe
5312	Ncdgcf32.exe
3464	Nebdoa32.exe
4120	Nlmllkja.exe
3252	Ndcdmikd.exe
4988	Neeqea32.exe
1080	Nnlhfn32.exe
2368	Nloiakho.exe
4732	Ndfqbhia.exe
4728	Ncianepl.exe
5732	Njciko32.exe
5328	Nlaegk32.exe
3244	Ndhmhh32.exe
3236	Nggjdc32.exe
728	Njefqo32.exe
5708	Oponmilc.exe
1948	Ocnjidkf.exe
4628	Oflgep32.exe
4768	Ojgbfocc.exe
4920	Olfobjbg.exe
4928	Odmgcgbi.exe
4596	Ogkcpbam.exe
1112	Oneklm32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ojoign32.exe	Ocdqjceo.exe
File opened for modification	C:\Windows\SysWOW64\Bcebhoii.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Mlefklpj.exe	Melnob32.exe
File opened for modification	C:\Windows\SysWOW64\Pgefeajb.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Ciopbjik.dll	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Qgcbgo32.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cndikf32.exe
File created	C:\Windows\SysWOW64\Gfkfpo32.dll	Kdgljmcd.exe
File created	C:\Windows\SysWOW64\Mdehlk32.exe	Mlopkm32.exe
File created	C:\Windows\SysWOW64\Afmhck32.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Likjcbkc.exe	Lbabgh32.exe
File opened for modification	C:\Windows\SysWOW64\Ocnjidkf.exe	Oponmilc.exe
File opened for modification	C:\Windows\SysWOW64\Ajanck32.exe	Qgcbgo32.exe
File opened for modification	C:\Windows\SysWOW64\Bmkjkd32.exe	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Kjiccacq.dll	Melnob32.exe
File created	C:\Windows\SysWOW64\Pjhlml32.exe	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Bmngqdpj.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Nnlhfn32.exe	Neeqea32.exe
File opened for modification	C:\Windows\SysWOW64\Pjhlml32.exe	Pgioqq32.exe
File opened for modification	C:\Windows\SysWOW64\Anmjcieo.exe	Ajanck32.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Lbmhlihl.exe	Llcpoo32.exe
File created	C:\Windows\SysWOW64\Oponmilc.exe	Njefqo32.exe
File created	C:\Windows\SysWOW64\Pjeoglgc.exe	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Laqpgflj.dll	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bagflcje.exe
File created	C:\Windows\SysWOW64\Llgjjnlj.exe	Lenamdem.exe
File created	C:\Windows\SysWOW64\Bagcnd32.dll	Mgagbf32.exe
File created	C:\Windows\SysWOW64\Ijfjal32.dll	Mipcob32.exe
File created	C:\Windows\SysWOW64\Kmcjho32.dll	Ndhmhh32.exe
File created	C:\Windows\SysWOW64\Ogkcpbam.exe	Odmgcgbi.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Ojoign32.exe	Ocdqjceo.exe
File opened for modification	C:\Windows\SysWOW64\Pclgkb32.exe	Pqmjog32.exe
File created	C:\Windows\SysWOW64\Bqbodd32.dll	Qnjnnj32.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Npfkgjdn.exe	Nngokoej.exe
File opened for modification	C:\Windows\SysWOW64\Ofqpqo32.exe	Odocigqg.exe
File opened for modification	C:\Windows\SysWOW64\Pnlaml32.exe	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Kdeoemeg.exe	Klngdpdd.exe
File created	C:\Windows\SysWOW64\Olmeci32.exe	Ojoign32.exe
File created	C:\Windows\SysWOW64\Mglncdoj.dll	Aeniabfd.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Hmcjlfqa.dll	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Lffnijnj.dll	Mcpnhfhf.exe
File created	C:\Windows\SysWOW64\Miifeq32.exe	Mgkjhe32.exe
File created	C:\Windows\SysWOW64\Pdfjifjo.exe	Pnlaml32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7820	7724	WerFault.exe	295

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meiaib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nebdoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlcifmbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncdgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	588e8f42c36e553498fbd22053c28eb0f9e26057f61e2fafddb9a179a27199a0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miifeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmiciaaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngmgne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbmhlihl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldanqkki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mipcob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klngdpdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mibpda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcpnhfhf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdeoemeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Melnob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdgljmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lenamdem.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldanqkki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlena32.dll"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdhdajea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndfqbhia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njefqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blfiei32.dll"	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdeahgnm.dll"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	588e8f42c36e553498fbd22053c28eb0f9e26057f61e2fafddb9a179a27199a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcjpfk32.dll"	Lbabgh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdehlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gijlad32.dll"	Mibpda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlopkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajanck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidlk32.dll"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbkfake.dll"	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijfjal32.dll"	Mipcob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlfofiig.dll"	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdeflhhf.dll"	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqbodd32.dll"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klngdpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chempj32.dll"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kefkme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpbkoql.dll"	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgioqq32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3520 wrote to memory of 5684	3520	588e8f42c36e553498fbd22053c28eb0f9e26057f61e2fafddb9a179a27199a0.exe	85
PID 3520 wrote to memory of 5684	3520	588e8f42c36e553498fbd22053c28eb0f9e26057f61e2fafddb9a179a27199a0.exe	85
PID 3520 wrote to memory of 5684	3520	588e8f42c36e553498fbd22053c28eb0f9e26057f61e2fafddb9a179a27199a0.exe	85
PID 5684 wrote to memory of 5452	5684	Klngdpdd.exe	86
PID 5684 wrote to memory of 5452	5684	Klngdpdd.exe	86
PID 5684 wrote to memory of 5452	5684	Klngdpdd.exe	86
PID 5452 wrote to memory of 3132	5452	Kdeoemeg.exe	87
PID 5452 wrote to memory of 3132	5452	Kdeoemeg.exe	87
PID 5452 wrote to memory of 3132	5452	Kdeoemeg.exe	87
PID 3132 wrote to memory of 3120	3132	Kefkme32.exe	88
PID 3132 wrote to memory of 3120	3132	Kefkme32.exe	88
PID 3132 wrote to memory of 3120	3132	Kefkme32.exe	88
PID 3120 wrote to memory of 224	3120	Klqcioba.exe	89
PID 3120 wrote to memory of 224	3120	Klqcioba.exe	89
PID 3120 wrote to memory of 224	3120	Klqcioba.exe	89
PID 224 wrote to memory of 2472	224	Kdgljmcd.exe	90
PID 224 wrote to memory of 2472	224	Kdgljmcd.exe	90
PID 224 wrote to memory of 2472	224	Kdgljmcd.exe	90
PID 2472 wrote to memory of 5232	2472	Lffhfh32.exe	91
PID 2472 wrote to memory of 5232	2472	Lffhfh32.exe	91
PID 2472 wrote to memory of 5232	2472	Lffhfh32.exe	91
PID 5232 wrote to memory of 2144	5232	Liddbc32.exe	92
PID 5232 wrote to memory of 2144	5232	Liddbc32.exe	92
PID 5232 wrote to memory of 2144	5232	Liddbc32.exe	92
PID 2144 wrote to memory of 3740	2144	Llcpoo32.exe	93
PID 2144 wrote to memory of 3740	2144	Llcpoo32.exe	93
PID 2144 wrote to memory of 3740	2144	Llcpoo32.exe	93
PID 3740 wrote to memory of 1048	3740	Lbmhlihl.exe	94
PID 3740 wrote to memory of 1048	3740	Lbmhlihl.exe	94
PID 3740 wrote to memory of 1048	3740	Lbmhlihl.exe	94
PID 1048 wrote to memory of 4612	1048	Lekehdgp.exe	95
PID 1048 wrote to memory of 4612	1048	Lekehdgp.exe	95
PID 1048 wrote to memory of 4612	1048	Lekehdgp.exe	95
PID 4612 wrote to memory of 4776	4612	Llemdo32.exe	96
PID 4612 wrote to memory of 4776	4612	Llemdo32.exe	96
PID 4612 wrote to memory of 4776	4612	Llemdo32.exe	96
PID 4776 wrote to memory of 4904	4776	Lboeaifi.exe	97
PID 4776 wrote to memory of 4904	4776	Lboeaifi.exe	97
PID 4776 wrote to memory of 4904	4776	Lboeaifi.exe	97
PID 4904 wrote to memory of 4700	4904	Lenamdem.exe	98
PID 4904 wrote to memory of 4700	4904	Lenamdem.exe	98
PID 4904 wrote to memory of 4700	4904	Lenamdem.exe	98
PID 4700 wrote to memory of 5996	4700	Llgjjnlj.exe	99
PID 4700 wrote to memory of 5996	4700	Llgjjnlj.exe	99
PID 4700 wrote to memory of 5996	4700	Llgjjnlj.exe	99
PID 5996 wrote to memory of 1236	5996	Lbabgh32.exe	100
PID 5996 wrote to memory of 1236	5996	Lbabgh32.exe	100
PID 5996 wrote to memory of 1236	5996	Lbabgh32.exe	100
PID 1236 wrote to memory of 3864	1236	Likjcbkc.exe	101
PID 1236 wrote to memory of 3864	1236	Likjcbkc.exe	101
PID 1236 wrote to memory of 3864	1236	Likjcbkc.exe	101
PID 3864 wrote to memory of 4860	3864	Lmgfda32.exe	102
PID 3864 wrote to memory of 4860	3864	Lmgfda32.exe	102
PID 3864 wrote to memory of 4860	3864	Lmgfda32.exe	102
PID 4860 wrote to memory of 4880	4860	Ldanqkki.exe	103
PID 4860 wrote to memory of 4880	4860	Ldanqkki.exe	103
PID 4860 wrote to memory of 4880	4860	Ldanqkki.exe	103
PID 4880 wrote to memory of 4932	4880	Lebkhc32.exe	104
PID 4880 wrote to memory of 4932	4880	Lebkhc32.exe	104
PID 4880 wrote to memory of 4932	4880	Lebkhc32.exe	104
PID 4932 wrote to memory of 4972	4932	Lmiciaaj.exe	105
PID 4932 wrote to memory of 4972	4932	Lmiciaaj.exe	105
PID 4932 wrote to memory of 4972	4932	Lmiciaaj.exe	105
PID 4972 wrote to memory of 3040	4972	Mdckfk32.exe	106

C:\Users\Admin\AppData\Local\Temp\588e8f42c36e553498fbd22053c28eb0f9e26057f61e2fafddb9a179a27199a0.exe
"C:\Users\Admin\AppData\Local\Temp\588e8f42c36e553498fbd22053c28eb0f9e26057f61e2fafddb9a179a27199a0.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3520
- C:\Windows\SysWOW64\Klngdpdd.exe
  C:\Windows\system32\Klngdpdd.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5684
- - C:\Windows\SysWOW64\Kdeoemeg.exe
    C:\Windows\system32\Kdeoemeg.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5452
  - - C:\Windows\SysWOW64\Kefkme32.exe
      C:\Windows\system32\Kefkme32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3132
    - - C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3120
      - C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:224
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5232
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3740
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4612
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4700
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5996
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1236
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3864
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3040
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4752
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4724
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        28⤵
        Executes dropped EXE
        
        PID:5464
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:944
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3744
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3472
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:6040
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2028
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3204
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5356
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2772
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:840
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        38⤵
        Executes dropped EXE
        
        PID:872
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3780
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3068
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5592
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5332
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:6016
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5312
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3464
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4120
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3252
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4988
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        49⤵
        Executes dropped EXE
        
        PID:1080
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        50⤵
        Executes dropped EXE
        
        PID:2368
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4732
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4728
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        53⤵
        Executes dropped EXE
        
        PID:5732
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5328
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3244
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3236
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:728
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5708
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        59⤵
        Executes dropped EXE
        
        PID:1948
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        60⤵
        Executes dropped EXE
        
        PID:4628
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4768
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4928
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4596
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1112
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4408
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        67⤵
        Modifies registry class
        
        PID:4844
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5032
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        70⤵
        Drops file in System32 directory
        
        PID:4964
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        71⤵
        Drops file in System32 directory
        
        PID:4824
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:4316
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        74⤵
        Drops file in System32 directory
        
        PID:2248
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        75⤵
        Drops file in System32 directory
        
        PID:1624
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        76⤵
        Drops file in System32 directory
        
        PID:4404
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:748
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        78⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        79⤵
        Drops file in System32 directory
        
        PID:2276
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5908
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4864
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        82⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3732
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5832
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2692
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2508
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        87⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4252
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        88⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        89⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        90⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        91⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1004
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        92⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        93⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:4796
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        95⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        96⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5004
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        98⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1160
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        99⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        100⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1276
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1808
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        102⤵
        Drops file in System32 directory
        
        PID:3676
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        103⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5824
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5156
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3956
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        106⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5952
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        107⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:3904
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        109⤵
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        110⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4040
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5112
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        112⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        113⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        114⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        115⤵
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        116⤵
        System Location Discovery: System Language Discovery
        
        PID:6116
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        117⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        118⤵
        Modifies registry class
        
        PID:5240
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        119⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        120⤵
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        121⤵
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        122⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4512
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        123⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5404
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        125⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5668
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        127⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4048
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        129⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4600
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        131⤵
        Drops file in System32 directory
        
        PID:4148
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        132⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        133⤵
        Drops file in System32 directory
        
        PID:440
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4820
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        135⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4692
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        136⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        137⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6228
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        138⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6284
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        139⤵
        Modifies registry class
        
        PID:6320
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        140⤵
        System Location Discovery: System Language Discovery
        
        PID:6372
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        141⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6472
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6516
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        144⤵
        Modifies registry class
        
        PID:6560
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6604
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6648
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        147⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6692
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6736
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        149⤵
        System Location Discovery: System Language Discovery
        
        PID:6780
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        150⤵
        Drops file in System32 directory
        
        PID:6824
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        151⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        152⤵
        Modifies registry class
        
        PID:6916
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6960
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        154⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        155⤵
        System Location Discovery: System Language Discovery
        
        PID:7048
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7092
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        157⤵
        System Location Discovery: System Language Discovery
        
        PID:7132
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        158⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7164
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        159⤵
        Modifies registry class
        
        PID:6200
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        160⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6292
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        161⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6408
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        163⤵
        Drops file in System32 directory
        
        PID:6504
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        164⤵
        System Location Discovery: System Language Discovery
        
        PID:6556
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6632
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        166⤵
        Modifies registry class
        
        PID:6700
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        167⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        168⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6856
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6992
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        170⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7064
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        171⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        172⤵
        
        PID:6216
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6236
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3892
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        175⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        176⤵
        System Location Discovery: System Language Discovery
        
        PID:6664
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        177⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        178⤵
        
        PID:6944
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        179⤵
        Modifies registry class
        
        PID:7044
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        180⤵
        Drops file in System32 directory
        
        PID:6180
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        181⤵
        Modifies registry class
        
        PID:6380
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6544
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        183⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        184⤵
        Drops file in System32 directory
        
        PID:6952
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        185⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        186⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        187⤵
        Drops file in System32 directory
        
        PID:6744
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6176
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6644
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6328
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6404
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        192⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7180
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        193⤵
        System Location Discovery: System Language Discovery
        
        PID:7236
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        194⤵
        Drops file in System32 directory
        
        PID:7280
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        195⤵
        Drops file in System32 directory
        
        PID:7332
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        196⤵
        System Location Discovery: System Language Discovery
        
        PID:7376
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        197⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7436
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        198⤵
        Modifies registry class
        
        PID:7480
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        199⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7520
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        200⤵
        System Location Discovery: System Language Discovery
        
        PID:7572
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        201⤵
        
        PID:7628
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        202⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7676
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        203⤵
        
        PID:7724
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7724 -s 396
        204⤵
        Program crash
        
        PID:7820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 7724 -ip 7724
1⤵
PID:7796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
96KB

MD5
d16b06fbc0800ac769716340e0e75153

SHA1
9fc521c0485c371be17b4d110f355d656a2f8c95

SHA256
e3ae6a480eda66e3d3e31e7fc4bb3db638efa044b5777742c54d368390788306

SHA512
a30be9ba41bbdfc1e24d89cd459fd2d378d818bbab6444448c97a89b3421d1f599c647cdecf042b3cfbe36e5af1bebdd5f6580d7c250a5bb3f117dd3ce8a1fd6

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
96KB

MD5
5310ee8181f194f6d1cda2c91bf7cae2

SHA1
ce9c3ac8a5f6251843b688b155b96886e32475a2

SHA256
3a1fffcdb881a5689666fbf6ea34271e014d312077228c71b3715e9652e2ed8a

SHA512
f15b8bf66eaa6a3bce67da462771fdb76ad750278b1db01cd3de74ffac74419800a4dda06c6381d1a76f793fc34fea945891d8901de803225d1b10360167ab10

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
96KB

MD5
119e935a21b4261409d03504bf4e8383

SHA1
d8a6ed986d248b68602b4ca3ba9b14ccb3177f74

SHA256
7d395ec43f322340a969a3b0cc4e28a90b601cbf6aa116061ebf6db7acecd0f1

SHA512
69a88811738f38334f31efb0799adb8cbb652d8364a6ab0ab495da83178bdf031ac2242c38822e8b45fbf6bd22831699579f38eb851651e124d36c4527ef7249

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
96KB

MD5
9e5eea8c1d86d76c7434530d765d921a

SHA1
6a5d76d2c4999657d6f7881baf20f0c3d5045a41

SHA256
1f5ff3e38140e11a0e03c6bfb0c57ef92948a5c787096981b14d62fce780066d

SHA512
393ea3e4eba92f708f439b0290a9aa2451b59186a632476ab4e234f0326764e7685324cbf468550318da430e8ce874ba420067b88ed96cb8a58fa2deb0f84498

Download Submit
C:\Windows\SysWOW64\Kdeoemeg.exe

Filesize
96KB

MD5
5b1ba90120741646313e9b540faf1de8

SHA1
df9622bac2946c94c4a703dff64c421ac530479c

SHA256
95412c3239d05056702f1258c2123d6bd794a0366f96eb6b09d7d7b965ee67b5

SHA512
e0251f7f535fcbf85d5207d28439cc35010c66578e93feec5d4ccae9e6c97dbce0d9e857abd7156a47f3352631aeb24cefedb6912841904c339f3c6448a45aa9

Download Submit
C:\Windows\SysWOW64\Kdgljmcd.exe

Filesize
96KB

MD5
6f5502a604dddd0ea98f3f835341d8a5

SHA1
5598d64f883f8d2dd9b3475c8d82020e3317b1ff

SHA256
f88150db001fb03496c188984a6b99003a48f11b8c149d6c4544bf2ec0c245e2

SHA512
54c1baa3c2937c5d4530b34742e9fe540224da1b073a5bee11a660c02b37ef2c19cf6b84529cd5822091d4d207676af12de4fb6e304494522a89fdefda3614e7

Download Submit
C:\Windows\SysWOW64\Kefkme32.exe

Filesize
96KB

MD5
3abed263ddbe5af58979f9ba15129fb9

SHA1
2542c0db780fa3207626e44783bb0a4a020ef5cc

SHA256
1521f9d31a7bfd59baea51fec730514829cdc738ef8f042496c982754af77d90

SHA512
50911e3f1254dfe645414188b184b13137c436bcf7045fe61b1b5ef56ac051b4ea9bc60373661cd7d1aeefdfbada8d0137cfdca75ddb3c3346cf1d3004c71254

Download Submit
C:\Windows\SysWOW64\Klngdpdd.exe

Filesize
96KB

MD5
d59b7d32c14e2837950360febbde8339

SHA1
c7b91b8179651200d7cc6c02fb2a2a9b757d908d

SHA256
3f1eb6480a1784f3a285dc159918b58704497b6f0056106631f21b23d07cd011

SHA512
6ec8a2ba9964726accd5781719ecfdb966a5d64b92338a49555c0723ba10134b0bba60526f07ce94719046ce32dda945de55db74ed04971b7007519e27f4263b

Download Submit
C:\Windows\SysWOW64\Klqcioba.exe

Filesize
96KB

MD5
364d376192846b74e0899e3cc11b2336

SHA1
cdc8731c8c191fb3a575aebe1b8c48e9173deddb

SHA256
909b7087006a54c7165f00b84bdd9dd473aa3cbb6ab0ce40a61ae23fa694817d

SHA512
6a080b5c7c4d1db4e661c58b0cabd340d4df530c066d1824ec418153c9beb049b19eb2a4c61bb1194fe0a6c9cd14f90b87dda8733e6e2ad5e1346c73b6f29a65

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
96KB

MD5
9413065f0b637fc85095ea559862c189

SHA1
80e671fc46a0abb74154e8463100523ac527f39c

SHA256
7830cfae8f67baffd0f47132d154c18310ee792e30343210d4983bc6ccb97956

SHA512
4c12d6b215840bed7479f82dd3a0b1831f1b02d63f8aebbdcbc8b549ba17630ba8cd8890f7a2170cce78bc90505ec9698ec8094beccdb277f28c2ac0bcb62b99

Download Submit
C:\Windows\SysWOW64\Lbmhlihl.exe

Filesize
96KB

MD5
b510aee2bee9d3a59155c2c4b8a6715a

SHA1
29615d95ad62437b4032de0c5e2b4d44e28ccece

SHA256
ffb90658d9516772330f0cfd2794e2ab9a0d430d7f24bd338b432a9276adaed0

SHA512
e6aa4decaae93e9f5baa60ead73ff57b9684da71429661d4447b741dca8c1e600b2854dbd3805bee8778a44e867d7b8171125d55b22bf72148d78a9046c43ebf

Download Submit
C:\Windows\SysWOW64\Lboeaifi.exe

Filesize
96KB

MD5
58ad6325f0791f81c2ce18253c4435d2

SHA1
333e1c232b1b1bbec5ed09815f7d93cb1c7a9942

SHA256
2582d5d1edc4372c787cbc4382919f9ad6f1b982a44d139d133a05fd3ad6db95

SHA512
61adda2203f2804951280eb1700bd174975e0412c8de3a7a9ae8f6f68b49f82695d1020ebd1c38f8ef85865dee3b62e426a92b38a3f5637d9bc79482977cdd5d

Download Submit
C:\Windows\SysWOW64\Ldanqkki.exe

Filesize
96KB

MD5
34d477b9672cf00eb609d686c01837ab

SHA1
002d36c551599f575dc38ad959cc0c84cc86a67b

SHA256
1ba077bac5b476c352a8f1a68eaed283777a1b79024fc99d70cb85f0dd51f2d8

SHA512
907305768421d49e0344cb4514d83b4ed4f199253b744e0a14f53974cec038474cabc0253878713d345f0cc631422fff025be61bc70bbbf717437e92f2a92980

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
96KB

MD5
13f88267a8b82f03ee2fe6636703f08b

SHA1
7e7e139bbbeb89affc0649ebd43692df6c17380f

SHA256
468fb595a8f2c4c2fd23f0c3550729e730170e924cd41067fafc918dd6ecb189

SHA512
eec5a6f5532382b48eaf985812e8f10d67220c727c28b0cafd5047e63e3adf2a295b7abb47fb6a942703e0eea273904f6b28feeb089eb406d39d66c25cfaed22

Download Submit
C:\Windows\SysWOW64\Lekehdgp.exe

Filesize
96KB

MD5
44da726aef35e83271e01913ca94626b

SHA1
d59a5c18a00fd45e0faa6925f50ef3c41415f5c5

SHA256
1176e38633f4bdef515c41b4a48e20f83eeaf406c1ff1785bc3f1766deb30ad8

SHA512
7c3a21a3af6cae6b6a53c9b612ae38b91b9438035207cb9c2175704a5e4104e1942f2296f41a8a725a37a2a55b21778c167800a7e9719a7d04ba56406ce45ebb

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
96KB

MD5
c8fe51af78ff6a96bf3f37e3e6ed148c

SHA1
f2864def4969a8331feb8b865e87d05f1af988c8

SHA256
dfdc013532b2d568686a0b633825e555f389ed15293477d71c59761a161ad8d0

SHA512
77cbc167909d29381755eec4c63ec38eb37d54eb8503ca6669a1d8cdd842874b81bb727d3c057e89981eba44e52ae395654a2b94a8ebbb1beb02eb35018ed385

Download Submit
C:\Windows\SysWOW64\Lffhfh32.exe

Filesize
96KB

MD5
3042afe2e2ea58ba7cb3893f81eb8a14

SHA1
6a2507fca6d08866cd2666aa82c4593c1a85340f

SHA256
e84c389b4e0fb06e6dbfba3dae7ef7e77c3c62d0653c6882bdd78371a56ae809

SHA512
54f6da206237a74a3502cccd97100fd5bd27e3d275740cad933b845e136a2393b654b5e8a93b0d1c270783c968e2d4f0a994050993c7a3bbf0cf3fbbed2e7648

Download Submit
C:\Windows\SysWOW64\Liddbc32.exe

Filesize
96KB

MD5
f6ddd640dcf643e83d5efcd77ad02d7b

SHA1
37897f8ff81e9ae4bc9c65bca2a81cfb2b4a9d61

SHA256
00539b6a2d6c73f4cda51b6efe2ea33bcca17f8c84b1ef38470890dd7615feb5

SHA512
b36cf25c8274076199b19f29e9a087c280e665b3aaa19b3c6af2e76a39a11ba405649b80b46d525f1aee6dbd93a553cbad5095c4e233d4fe0098badd505997b4

Download Submit
C:\Windows\SysWOW64\Likjcbkc.exe

Filesize
96KB

MD5
a74ac75bc93cb63031fe73ce51e7c549

SHA1
6c0e9bcd111608b2d93983729e9c8884a9b16d98

SHA256
c086c1dea7f29863405aa7ae5179acb3d160b15dec9a8f54b0d87f39459517fe

SHA512
95c38df8d739d7f5d53bb39a583c57205053ff4af21a5218eb1b0c13b5a383f4d6823f5d26280aeb8a23f4c0a3ef3eb61cb17a996e8f2fc2cdc2eb72781e2a46

Download Submit
C:\Windows\SysWOW64\Llcpoo32.exe

Filesize
96KB

MD5
da8666031943dc54ccb3491dd81b34f3

SHA1
b0a639e2f268a6d74b39badae778f5011057da90

SHA256
b786357d9a9649406712bfe3bfe751fa79f846bbb32528df52b095420ff49952

SHA512
ba71e6901dbf2aaf1f7966c5530893762f399f041070f498e7e2d8993cbd1d3996f169db1405259b09d1472a8e09dea73dc84fcd710101ad936ab96c16c4abcc

Download Submit
C:\Windows\SysWOW64\Llemdo32.exe

Filesize
96KB

MD5
34b91f9981291faca1bcafcba6ba224d

SHA1
6591654c1221e04444134a8233e432fbced83ffa

SHA256
db47bee72f7d448276803a832bf0f2490f17fd8523593ad8036eb9705eb2c5e3

SHA512
93ff781b25cb0f4dbec7021b05af40827ae1ee2a7ad83c8b8ada7caa5b102944e0cc8475b521859da0aa7aa24441890072fcc7dc2764e241a1fb61c1bbbf45bb

Download Submit
C:\Windows\SysWOW64\Llgjjnlj.exe

Filesize
96KB

MD5
45da36bd095bf29b727b56e024e392d5

SHA1
3345f3e9e1017d9422cda96a52bb6b5358da3dcc

SHA256
c4d6977c00a64f44bf748c9a9c322b10fba560c851cb4e13761451109eceff38

SHA512
da824b1dce1a18387b2066db0a9ba48266b58c0e5334589e41d6909cb2a5c30d474cce769609cd6b244eb556a812ebb01b077301c1014854e5b02d628a38d5c2

Download Submit
C:\Windows\SysWOW64\Lmgfda32.exe

Filesize
96KB

MD5
2a3024e2ef3868991d61b6b63860423c

SHA1
ac35b79af11232579187d032d25e4b0372a2a5fc

SHA256
28b61d263852ac3da992066787eede35c55a8dcfb450235ce46795c05cc3780d

SHA512
d700d3ca76e1a69059f95e532ed8febe2952a850d68c89ca5c3e06eb1b4bb7417e47faf70d04acf765206943778ce56af9fab7d1c7df144940f8f57a78c5a91e

Download Submit
C:\Windows\SysWOW64\Lmiciaaj.exe

Filesize
96KB

MD5
b2b667dcdadcf297677d3cdb5b1d41f2

SHA1
7698358db5ba0b048f76033f4a0c1208f521cf0d

SHA256
2605b5951b66caaf28fde7835514db2b8a30525541cae029f99e67d02255f99a

SHA512
120aba161da0fccaa8139fd2a1255ce16de2037666f37e49a35cc479598b175ac66f8f9b4897f9e7ad6f9d75b6f7a1161c9b25de9fd9bb2485058a8340f01ef0

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
96KB

MD5
56856817ddaa8af499e9545b3f23c8bf

SHA1
45bddf48f95ea176143080d7d5924234e7a4597d

SHA256
27aa9bb8266f2dc4107add223e5a08e053ec45a03c1bb2f00f46a49fa2f3dcdc

SHA512
24a65f4e3b9ba3dd212e7feb9c8e611cd8f8fe6d09daff525e4a6a357482b1c5b3147b43677fb8d5f3eeccffcf56b8b30a3e0751e9af8e432759cde439da146c

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
96KB

MD5
34e3a2d1a290aee336b2546278562971

SHA1
9c9c7d2922af1720f33529c2af9f9c0f83e7e05e

SHA256
64a068be8bcc0bcefdc9b1d07e66c5051e392a2f2d300f6798a3bf204308a7f8

SHA512
e3a324fb52eab80941ad809b96af447ce6e387a9fd5a76db5148b2d2b45b802f6c656996cf1f0461860e18b02bfeecae0973cec7100125793ea6fbde109a215e

Download Submit
C:\Windows\SysWOW64\Mdehlk32.exe

Filesize
96KB

MD5
6726f86b930c04795947a679004bcafe

SHA1
d5f6dee62bf77833e0ec7bbfa6b5176b8c43961a

SHA256
bb50d19f8263099027ccc15581587bfe4645654666bc39eb0bd5e90f170910c3

SHA512
f84ac97039e1d58d2fec8beb12a1ed3a0b6cc7fd7c50ded9279daebc4af11bfe7f9ca00e7b7c908b4d1ee25fc4dbc8f84e1ae9d7eb746a3c5051a5157a358c28

Download Submit
C:\Windows\SysWOW64\Mdhdajea.exe

Filesize
96KB

MD5
634a5f4b3e375819dc1aec02d838a32b

SHA1
9b81ef3c79abe2b2bb176fa262505efae558372f

SHA256
4a0c57fc3130fc3637c2006f4bbdd3cb89ac14a3262128b19a4a2452dfaf0a6c

SHA512
41f9a7fff5f3b6620cd46b9aa04273e1cf1529720bd37e0b8ec2f196c4340bd963182447ee7710fa0d0250b246fdb2b98019ee41eaa99a4a45f2ccf8398cf102

Download Submit
C:\Windows\SysWOW64\Meiaib32.exe

Filesize
96KB

MD5
0a20944e34798583ad5c4b72c4e2b6ac

SHA1
2baf9fa43fc8fb7d94ad0e475f3489a009bd8dbe

SHA256
e9fe7a15b473f1bf3736399112378fbf22e60342ecd96526de8e969297278827

SHA512
3066b048b53462d9e036679f624a935c93696fc768a4290a17361e115fb0ab33de6ed1deb3796ad353f0faee7012fd7f35e59a31a126db97e4f45f71e0d21254

Download Submit
C:\Windows\SysWOW64\Melnob32.exe

Filesize
96KB

MD5
9cbd0a364caf232356e79577b6d9b4c3

SHA1
26bd55f0692874351116538c5ea1a7aad408884d

SHA256
34a9dab5233ebdb59c0a6aca05038880af39caa3a887e56164ddcc9200fd24c3

SHA512
0427e4bf1d3729078417e794ed0a73f07b0ee97ebdd35b978e16eb1628087b18734ea6c1a23fc96a8e1455385862446e654bece36587cd1f1c667a41e15433b3

Download Submit
C:\Windows\SysWOW64\Mgagbf32.exe

Filesize
96KB

MD5
2ec1fa7a8f4bdda1fafea50bf25d3271

SHA1
9546ce033c06225f560455e67383d7e2ff4833d6

SHA256
089b79a79058d8b726e3fce1f6ce634bfca82a0756f7d5354d4b62270ec5efe0

SHA512
aeb1642fca91db0be0f1e487526c1532d12f74f047293088b725348bb1c7b74841c43338f859a4ee2809caf7b4d608016755c324213c122fa7bad743d0313cf7

Download Submit
C:\Windows\SysWOW64\Mgimcebb.exe

Filesize
96KB

MD5
1706f1bea8f044c02cbd2ce0680f9fa2

SHA1
2cb4ec2207c1ac4ee1b4441b4b9849d976e3a3be

SHA256
ca662904e56a123d5e87181349b1a2c7c5762762d782eb46f3dc69404b29d8a2

SHA512
92036ca882488a2f0082bb7cd9e68b133494421cfbc769455f3ed71bf860ce9fae80189f52d0a1d129b402251f2b20280bf79cdee42e870a9e0e52ced05a1921

Download Submit
C:\Windows\SysWOW64\Mibpda32.exe

Filesize
96KB

MD5
90c0d7c1542f1a6e7ab583942b46647f

SHA1
f0903983885e92146bced8c0c2c69c459384835e

SHA256
2835170c2cc30f63be2067381c5af0c92b65949d9646019631b814ef39f3c82e

SHA512
5336fbc7b2e2c1caa093fd8e54db8e5c6dcb6d263c55252be96508f69358d0d34eea5899b12eb0145d947804d71312c4c74a1311832f7e75b58045e565c1d5ea

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
96KB

MD5
9739eb68a3a3e47f39b9c96eb38ad85b

SHA1
7e67429210db7372e88f5a8403b5e4d9eae1647b

SHA256
88a73bb62555453ed96251210ac670d8572338d9ef36e15358e71aef31b813b6

SHA512
b4778dadc5b76ffe2478b3f0cb8dd6479c5ce56a4b1ed25d80d036c40074204cc9ae7128a0095631463235d81f16f6ee6a5670c4ed72a70421d767897ba5ed39

Download Submit
C:\Windows\SysWOW64\Mipcob32.exe

Filesize
96KB

MD5
c0a5536b1c9fa8ca2076212759787906

SHA1
ea99904cd057f5190d1c13748b081058ea88e99e

SHA256
0cc3ef8605fae8a1cc0e238354cb94ffbc51a331bd25d3ed3bd4e48793341d60

SHA512
f5d7837918c811ce7266b19a24c0639ce91143111c179cd76fba664ccabf1a0c2ce0f1fc8d213d7c85511752e7b9d5918f5c8933071db3c429a43b8c0932678f

Download Submit
C:\Windows\SysWOW64\Mlampmdo.exe

Filesize
96KB

MD5
1400ba0bae3f046529e2ac5b5371f4fb

SHA1
457c8d2b6b5bfb72ad5a62af0e0028bac13e38d5

SHA256
53b811e72af80c484d11e78ce8708a65f9e4089cf0b21d1750cafc587c04954b

SHA512
6cfdcd0fd06fb799c2425f24c56b244e1ba4a1a31f5438a60cf44ba6180421e9184d3b8694e998f244426abfb5637613241f97256dd62935b7d862c532086933

Download Submit
C:\Windows\SysWOW64\Mlcifmbl.exe

Filesize
96KB

MD5
2e6fa102ef02e64b060948f8a2b4eaa3

SHA1
b88f65e68191aa06c6d54731e1fb5a0b0ea131c9

SHA256
9cbb1c5f83d4fb8125ef66513a661658076417806872edca69bf1808740908cd

SHA512
339d8347d4a51a8a8f12e9d04b17166d9b41551542d93a8225dbd00f6819f80a7f24f8df7468620e51ad849c588b53669ae352507b7c1214425866677aca37d7

Download Submit
C:\Windows\SysWOW64\Mlopkm32.exe

Filesize
96KB

MD5
26d0ec55d19cda289b0b8d80e22286cf

SHA1
8039c0c4b2cdc3e4c1a14bd8e3b759e28c819dd5

SHA256
307e2955caaf34488edbc034c5a12fa203a86a8607ddaa800ea50f5be7e3eda6

SHA512
52112e4fcaae4c61318547c136718ae564959fa94ed8630e490c475856baa59c9675e345dcd32a956cf695e9ead0003c21c0235a36b79f659a4e9e2edfd4756c

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
96KB

MD5
c54d358efb5500be89e2272499a5f098

SHA1
84ebc5a73904fe381950ac5f5d8f3c9d6c5a1e63

SHA256
565e0c826168b41b23623905c67f78508b9fca449e91fde7288c535988530235

SHA512
7107c9b1d0a1fc62f394e33a82ee1db537f9d9c014502e30f4fe2ece6454280d9e726498f3db1430d0d23f621d60d7924eb9c96710da6199976df4440533cf77

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
96KB

MD5
b09a3f87221dde8d29347f12f4753481

SHA1
e4e89d1075216cc6d28783b592ac1b50eccd5a23

SHA256
631bceffb057bfb870bdb201294b9a02c5dfbc977dc01a7d1c185cad4f2db194

SHA512
c29643915a951aade000fc56d89c7329f1ecc4fd432099ac2ff8a949360e745214f86202c63a4244c6060acad6e877db94a4654b0ced90cc1d037d0697322f81

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
96KB

MD5
0be4d27b27a9b83c66bc2500d86eda36

SHA1
cc4842daa99af4f9a00c2b32b2529177c78662ad

SHA256
4e102dbb80ff4d7b5c1627b297e2a1cdf1d5f730fd14e714523aa36d110a401b

SHA512
808ee530fe8389cc28b8608df6a0e187b2486d5d4a337577be1dc392a810429114a114949e6bb14a2daf24e2dd9cb9a98b36c5502d5376f43f81ce7bff2a5b73

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
96KB

MD5
410762e5dd9cb08d445e4cf8773f94f3

SHA1
158adc64cbd573507d64190973914d6576586898

SHA256
7ad4295c9c7868e4f466251dca1318c18e2b3af94ca513957102cb791d712c20

SHA512
c433ac0eb39d629b862738dcfde640f5638a0dbda97fb3c41257e246cc762f70391c09fef6b2ba2dd6ab68434eb561a151e6a71f58609ae679b34815c7ecce4c

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
96KB

MD5
49b3ec74039b8f9076698a0807090f55

SHA1
893d9fdd7dc7ba3515d7b899a9c847ca837f4d2e

SHA256
a5dceff422523694385f8378612bb3aea922d243add03e11af45e8b6881cdd19

SHA512
d7330da1461d2bd71044dbc948fbe03258315ca63dae62e0d8e637c5dee40d4dbdc38fd1cdce3695b10762fc5f22064d56d7c08b3f06794269b3c6f9c9d9d416

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
96KB

MD5
7e1eb07a49a95fa24e40d1575efdb54e

SHA1
b7a2c4a991f5192139a3a9930d79e3a23b7abde4

SHA256
d91b74bd4816142823e0f764574ea29e51962b85f981af3ac762644287e11181

SHA512
a5e27b5cd2261cf0f09c03d76dae7ebbec50013e4dbe844b0752a785077b60fea49c3aa8a973aba0ffb2d78126341136388f6b6b5bb047fc512b58d59ff7351b

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
96KB

MD5
f54354f46af1626a66381dc2772947cb

SHA1
802dd386acedcb0610e436ea1120cc27d5e7218c

SHA256
91fff1639e6c17a0401e83269e2f9c7f89b5eff229f33f281f485040e7510213

SHA512
f3491da1b7f5b714e778565d1c545021b01e62e22c1e67cf2f375898148e181b21b6d2122593731952c2c89825bb69cfd3f77cc4af7aecd684e13998764d3acd

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
96KB

MD5
6f16de12d653bc265c03c203e8c7d5b2

SHA1
8093afbcba7d4908e98e0778d889b86d5f788033

SHA256
a85d62e8d3bbeac437123ef1d36276c71e2839b9beb9b0f6819d30fdc59b9fba

SHA512
6380296609573a4c5495a66bebd8ef1951c803a39ea062863c8baef19dcc04c6534d4d8598a2cbc0c2ac753b8ed5643948d85c8e15b3aeb29d9402221c95e49a

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
96KB

MD5
9b363077dee39ea71df6bdee2e192da5

SHA1
e97844ba4b490b1985e994c297e7c78e359b5371

SHA256
0bdd3ff9abc8f81f9be7011d030732548bedbd320cd30e2f4390594eaa33caab

SHA512
641a87db650394ae9c7d10045e84f3565ce2742f0090ed901fe3d33861c1b584caab6ff6a24f6e004c236e6fa84b37ed2c2d1e9e31b8224bd40a27cb086735b1

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
96KB

MD5
d8c15584e9c0960b8944c2455994fc39

SHA1
78bdcd6cdcff61d2996c16419aad1606ab1de5ca

SHA256
cd2352777a81a5f3289e927ae5baf011e7c54a2020c02bd889c3cd57ec15ff51

SHA512
e2910027c1ea10b7cb9924f5a99f1a0c87d5f3fbb94c94647410ff40145f240ef3d338c1889fd2ab2415494983690c96c6c75f1e7941fd999aeb128bc8fdb609

Download Submit
memory/224-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/224-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/728-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/748-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/840-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/872-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/944-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1048-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1080-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1112-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1236-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1624-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1948-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2028-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2144-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2248-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2276-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2360-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2368-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2472-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2472-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2508-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2692-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3040-181-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3068-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3120-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3120-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3132-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3132-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3204-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3236-399-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3244-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3252-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3464-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3472-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3520-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3520-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3520-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3660-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3732-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3740-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3744-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3780-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3864-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4120-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4252-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4316-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4404-519-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4408-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4412-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4520-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4596-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4612-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4628-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4700-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4724-197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4728-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4732-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4752-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4768-429-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4776-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4824-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4844-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4860-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4864-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4880-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4904-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4920-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4928-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4964-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4972-174-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4988-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5032-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5164-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5232-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5232-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5312-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5328-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5332-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5356-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5416-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5452-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5452-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5464-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5592-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5684-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5684-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5708-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5732-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5832-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5908-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5996-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6016-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6040-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6380-1431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6408-1467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6472-1504-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6916-1485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads