berbew | 0df734dcbdd1629b265204a609bbd1e852ed862efac536e9a52ee2417f3cc73d

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2024, 08:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0df734dcbdd1629b265204a609bbd1e852ed862efac536e9a52ee2417f3cc73dN.exe
Size

49KB
MD5

3e4f4d524960ea114ab3ec54e140dff0
SHA1

06bcff23c8b7ef577399925c5b86898fed478097
SHA256

0df734dcbdd1629b265204a609bbd1e852ed862efac536e9a52ee2417f3cc73d
SHA512

cb5ea9a171b783b5c1563d046868101a097d33c892a714e1cc354cd0501c456737143dc69f3a1aa27162233369ef1b95df80bf4fd103a08b909667ec749f1778
SSDEEP

1536:EFiEgjMYZeuPfAfQ5/PugEyl9pE1FRrBzl:E25euYKeyJE1FRrBzl

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Emjgim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fpgpgfmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iebngial.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojhpimhp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpbjkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dndnpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ickglm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jocefm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Koodbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmhocd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdimqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Emoadlfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eiahnnph.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emanjldl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gnqfcbnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ieidhh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilcldb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmeede32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpenfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deqcbpld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjpode32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgbld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amjbbfgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpkmal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcfggkac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Glkmmefl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcmmhj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfohgqlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qodeajbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amlogfel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deqcbpld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpchib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Igajal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koaagkcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgkfnh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpcjgnhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohlqcagj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Flpmagqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcmdaljn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgkfnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfgipd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnaaib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iliinc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eofgpikj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffqhcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcidmkpq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klcekpdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpanan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kjjbjd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnegbp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dndnpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmiikh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnkbkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bphgeo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Knnhjcog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilnbicff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpjgaoqm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caageq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkndie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpnoncim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kegpifod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbloglj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfohgqlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afpjel32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
4908	Dndnpf32.exe
2812	Ddnfmqng.exe
4884	Dkhnjk32.exe
3292	Dngjff32.exe
3980	Deqcbpld.exe
2768	Eofgpikj.exe
4952	Ebdcld32.exe
3620	Emjgim32.exe
4832	Ekmhejao.exe
844	Ebgpad32.exe
1964	Eiahnnph.exe
3560	Eokqkh32.exe
4728	Efeihb32.exe
1640	Emoadlfo.exe
1412	Enpmld32.exe
4820	Efgemb32.exe
1108	Emanjldl.exe
3156	Ebnfbcbc.exe
1856	Felbnn32.exe
1956	Flfkkhid.exe
1988	Fbpchb32.exe
3412	Fijkdmhn.exe
2708	Fpdcag32.exe
4880	Ffnknafg.exe
3592	Fimhjl32.exe
2348	Fpgpgfmh.exe
4352	Ffqhcq32.exe
1820	Fpimlfke.exe
2536	Fbgihaji.exe
4084	Flpmagqi.exe
4404	Fnnjmbpm.exe
2388	Gidnkkpc.exe
1152	Gnqfcbnj.exe
776	Gejopl32.exe
3552	Gifkpknp.exe
4936	Gppcmeem.exe
2172	Glgcbf32.exe
852	Gmfplibd.exe
1204	Goglcahb.exe
1032	Gfodeohd.exe
416	Gmimai32.exe
848	Glkmmefl.exe
4676	Hfaajnfb.exe
4996	Hipmfjee.exe
820	Hmkigh32.exe
3068	Hbhboolf.exe
996	Hefnkkkj.exe
5104	Hlpfhe32.exe
4836	Hffken32.exe
4176	Hidgai32.exe
3080	Hpnoncim.exe
4308	Hfhgkmpj.exe
1552	Hifcgion.exe
1104	Hlepcdoa.exe
4328	Hpqldc32.exe
1816	Hiipmhmk.exe
1400	Hpchib32.exe
916	Ifmqfm32.exe
4460	Iliinc32.exe
1160	Iohejo32.exe
4056	Iebngial.exe
4848	Illfdc32.exe
2472	Iojbpo32.exe
3040	Igajal32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ficlfj32.dll	Glkmmefl.exe
File opened for modification	C:\Windows\SysWOW64\Hlpfhe32.exe	Hefnkkkj.exe
File created	C:\Windows\SysWOW64\Igajal32.exe	Iojbpo32.exe
File created	C:\Windows\SysWOW64\Ldjcfk32.dll	Koaagkcb.exe
File created	C:\Windows\SysWOW64\Jcleff32.dll	Nfjola32.exe
File created	C:\Windows\SysWOW64\Eofgpikj.exe	Deqcbpld.exe
File opened for modification	C:\Windows\SysWOW64\Ilcldb32.exe	Ieidhh32.exe
File created	C:\Windows\SysWOW64\Klfaapbl.exe	Kncaec32.exe
File opened for modification	C:\Windows\SysWOW64\Klfaapbl.exe	Kncaec32.exe
File created	C:\Windows\SysWOW64\Mnhdgpii.exe	Mfqlfb32.exe
File created	C:\Windows\SysWOW64\Ilnbicff.exe	Iipfmggc.exe
File created	C:\Windows\SysWOW64\Iojbpo32.exe	Illfdc32.exe
File created	C:\Windows\SysWOW64\Jgpfbjlo.exe	Jpenfp32.exe
File created	C:\Windows\SysWOW64\Dmokdgeg.dll	Lcdciiec.exe
File created	C:\Windows\SysWOW64\Ckbcpc32.dll	Panhbfep.exe
File opened for modification	C:\Windows\SysWOW64\Qodeajbg.exe	Qfmmplad.exe
File created	C:\Windows\SysWOW64\Kfbdfl32.dll	Eiahnnph.exe
File opened for modification	C:\Windows\SysWOW64\Hpnoncim.exe	Hidgai32.exe
File created	C:\Windows\SysWOW64\Ignlbcmf.dll	Jcfggkac.exe
File created	C:\Windows\SysWOW64\Elkllcbh.dll	Dngjff32.exe
File created	C:\Windows\SysWOW64\Hfaajnfb.exe	Glkmmefl.exe
File opened for modification	C:\Windows\SysWOW64\Jjpode32.exe	Jcfggkac.exe
File opened for modification	C:\Windows\SysWOW64\Knqepc32.exe	Keimof32.exe
File opened for modification	C:\Windows\SysWOW64\Adfgdpmi.exe	Amlogfel.exe
File created	C:\Windows\SysWOW64\Fpgpgfmh.exe	Fimhjl32.exe
File created	C:\Windows\SysWOW64\Ddipic32.dll	Hefnkkkj.exe
File opened for modification	C:\Windows\SysWOW64\Jcfggkac.exe	Jllokajf.exe
File created	C:\Windows\SysWOW64\Njgigo32.dll	Kpjgaoqm.exe
File created	C:\Windows\SysWOW64\Pdbeojmh.dll	Mjodla32.exe
File created	C:\Windows\SysWOW64\Ilgonc32.dll	Pnifekmd.exe
File created	C:\Windows\SysWOW64\Gbhhlfgd.dll	Bnlhncgi.exe
File created	C:\Windows\SysWOW64\Kdjfee32.dll	Eokqkh32.exe
File created	C:\Windows\SysWOW64\Cqopkcbn.dll	Flfkkhid.exe
File opened for modification	C:\Windows\SysWOW64\Kcidmkpq.exe	Kpjgaoqm.exe
File created	C:\Windows\SysWOW64\Kegpifod.exe	Kcidmkpq.exe
File created	C:\Windows\SysWOW64\Cjijid32.dll	Njhgbp32.exe
File created	C:\Windows\SysWOW64\Bpfkpp32.exe	Bmhocd32.exe
File created	C:\Windows\SysWOW64\Dkhnjk32.exe	Ddnfmqng.exe
File created	C:\Windows\SysWOW64\Oaifpi32.exe	Onkidm32.exe
File opened for modification	C:\Windows\SysWOW64\Bnoddcef.exe	Bkphhgfc.exe
File opened for modification	C:\Windows\SysWOW64\Mjcngpjh.exe	Mqkiok32.exe
File opened for modification	C:\Windows\SysWOW64\Efgemb32.exe	Enpmld32.exe
File opened for modification	C:\Windows\SysWOW64\Mcelpggq.exe	Mnhdgpii.exe
File opened for modification	C:\Windows\SysWOW64\Oaifpi32.exe	Onkidm32.exe
File created	C:\Windows\SysWOW64\Ggpcfd32.dll	Efeihb32.exe
File opened for modification	C:\Windows\SysWOW64\Hfaajnfb.exe	Glkmmefl.exe
File created	C:\Windows\SysWOW64\Illfdc32.exe	Iebngial.exe
File created	C:\Windows\SysWOW64\Cfidbo32.dll	Ibhkfm32.exe
File opened for modification	C:\Windows\SysWOW64\Imnocf32.exe	Igdgglfl.exe
File opened for modification	C:\Windows\SysWOW64\Jcmdaljn.exe	Ilcldb32.exe
File created	C:\Windows\SysWOW64\Dckajh32.dll	Mnegbp32.exe
File created	C:\Windows\SysWOW64\Mjodla32.exe	Mcelpggq.exe
File opened for modification	C:\Windows\SysWOW64\Ffqhcq32.exe	Fpgpgfmh.exe
File opened for modification	C:\Windows\SysWOW64\Cnhgjaml.exe	Ckjknfnh.exe
File opened for modification	C:\Windows\SysWOW64\Bobabg32.exe	Bgkiaj32.exe
File opened for modification	C:\Windows\SysWOW64\Gejopl32.exe	Gnqfcbnj.exe
File created	C:\Windows\SysWOW64\Hpchib32.exe	Hiipmhmk.exe
File created	C:\Windows\SysWOW64\Igfclkdj.exe	Ickglm32.exe
File opened for modification	C:\Windows\SysWOW64\Mqimikfj.exe	Mjodla32.exe
File created	C:\Windows\SysWOW64\Ampillfk.dll	Bmhocd32.exe
File opened for modification	C:\Windows\SysWOW64\Emanjldl.exe	Efgemb32.exe
File created	C:\Windows\SysWOW64\Koodbl32.exe	Klahfp32.exe
File created	C:\Windows\SysWOW64\Pgpecj32.dll	Kflide32.exe
File opened for modification	C:\Windows\SysWOW64\Aokkahlo.exe	Adfgdpmi.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6944	6752	WerFault.exe	285

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hpnoncim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjkmomfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmiikh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpdnjple.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmhocd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnlhncgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnaaib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gidnkkpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hlepcdoa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amjbbfgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkndie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gnqfcbnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jepjhg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gifkpknp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgpcliao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpiplm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebdcld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkhnjk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hipmfjee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hfhgkmpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmbhoeid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfgipd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgbld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohlqcagj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dndnpf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apmhiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Imnocf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keimof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onkidm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojhpimhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Goglcahb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkqaoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koaagkcb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jgpfbjlo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgpoihnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncchae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfmmplad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdfpkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Igdgglfl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klahfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ffnknafg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ffqhcq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iipfmggc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpcjgnhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfpcoefj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akblfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bogkmgba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpbjkn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebnfbcbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Igajal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieidhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgbloglj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lopmii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qodeajbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnoddcef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdimqm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hfaajnfb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckebcg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpkmal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdkifmjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flfkkhid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbpchb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fpimlfke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hpchib32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chkobkod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gejain32.dll"	Oaifpi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aokkahlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nflnbh32.dll"	Ckbemgcp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjpode32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klahfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnaaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebdcld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adfokn32.dll"	Glgcbf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Glkmmefl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kcmmhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgpoihnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpfcfmlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjpode32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgpoihnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adfgdpmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Glgcbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmfplibd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Migmpjdh.dll"	Jcmdaljn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opjghl32.dll"	Akblfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcdibc32.dll"	Cglbhhga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjkmomfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbhhlfgd.dll"	Bnlhncgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgeenfog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fpdcag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fihgkk32.dll"	Lmdnbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpcdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jipegn32.dll"	Enpmld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnoddcef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iebngial.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjbcplpe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdaniq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbkkam32.dll"	Caageq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbgihaji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfodeohd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfhgkmpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgflcifg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mfeeabda.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckebcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbdfqocb.dll"	Hffken32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iliinc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmbhoeid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ieidhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jekqmhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifolcq32.dll"	Mcpcdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eihcbonm.dll"	Pjkmomfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpchib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iohejo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Igfclkdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ickglm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlfpph32.dll"	Bpdnjple.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpiplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fofdocoe.dll"	Dkhnjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cboeco32.dll"	Gidnkkpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfmmaj32.dll"	Gmimai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opclldhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmimai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hffken32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Knqepc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kncaec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kjjbjd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dpkmal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ficlfj32.dll"	Glkmmefl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgflcifg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5016 wrote to memory of 4908	5016	0df734dcbdd1629b265204a609bbd1e852ed862efac536e9a52ee2417f3cc73dN.exe	83
PID 5016 wrote to memory of 4908	5016	0df734dcbdd1629b265204a609bbd1e852ed862efac536e9a52ee2417f3cc73dN.exe	83
PID 5016 wrote to memory of 4908	5016	0df734dcbdd1629b265204a609bbd1e852ed862efac536e9a52ee2417f3cc73dN.exe	83
PID 4908 wrote to memory of 2812	4908	Dndnpf32.exe	84
PID 4908 wrote to memory of 2812	4908	Dndnpf32.exe	84
PID 4908 wrote to memory of 2812	4908	Dndnpf32.exe	84
PID 2812 wrote to memory of 4884	2812	Ddnfmqng.exe	85
PID 2812 wrote to memory of 4884	2812	Ddnfmqng.exe	85
PID 2812 wrote to memory of 4884	2812	Ddnfmqng.exe	85
PID 4884 wrote to memory of 3292	4884	Dkhnjk32.exe	86
PID 4884 wrote to memory of 3292	4884	Dkhnjk32.exe	86
PID 4884 wrote to memory of 3292	4884	Dkhnjk32.exe	86
PID 3292 wrote to memory of 3980	3292	Dngjff32.exe	87
PID 3292 wrote to memory of 3980	3292	Dngjff32.exe	87
PID 3292 wrote to memory of 3980	3292	Dngjff32.exe	87
PID 3980 wrote to memory of 2768	3980	Deqcbpld.exe	89
PID 3980 wrote to memory of 2768	3980	Deqcbpld.exe	89
PID 3980 wrote to memory of 2768	3980	Deqcbpld.exe	89
PID 2768 wrote to memory of 4952	2768	Eofgpikj.exe	90
PID 2768 wrote to memory of 4952	2768	Eofgpikj.exe	90
PID 2768 wrote to memory of 4952	2768	Eofgpikj.exe	90
PID 4952 wrote to memory of 3620	4952	Ebdcld32.exe	91
PID 4952 wrote to memory of 3620	4952	Ebdcld32.exe	91
PID 4952 wrote to memory of 3620	4952	Ebdcld32.exe	91
PID 3620 wrote to memory of 4832	3620	Emjgim32.exe	92
PID 3620 wrote to memory of 4832	3620	Emjgim32.exe	92
PID 3620 wrote to memory of 4832	3620	Emjgim32.exe	92
PID 4832 wrote to memory of 844	4832	Ekmhejao.exe	93
PID 4832 wrote to memory of 844	4832	Ekmhejao.exe	93
PID 4832 wrote to memory of 844	4832	Ekmhejao.exe	93
PID 844 wrote to memory of 1964	844	Ebgpad32.exe	95
PID 844 wrote to memory of 1964	844	Ebgpad32.exe	95
PID 844 wrote to memory of 1964	844	Ebgpad32.exe	95
PID 1964 wrote to memory of 3560	1964	Eiahnnph.exe	96
PID 1964 wrote to memory of 3560	1964	Eiahnnph.exe	96
PID 1964 wrote to memory of 3560	1964	Eiahnnph.exe	96
PID 3560 wrote to memory of 4728	3560	Eokqkh32.exe	97
PID 3560 wrote to memory of 4728	3560	Eokqkh32.exe	97
PID 3560 wrote to memory of 4728	3560	Eokqkh32.exe	97
PID 4728 wrote to memory of 1640	4728	Efeihb32.exe	98
PID 4728 wrote to memory of 1640	4728	Efeihb32.exe	98
PID 4728 wrote to memory of 1640	4728	Efeihb32.exe	98
PID 1640 wrote to memory of 1412	1640	Emoadlfo.exe	99
PID 1640 wrote to memory of 1412	1640	Emoadlfo.exe	99
PID 1640 wrote to memory of 1412	1640	Emoadlfo.exe	99
PID 1412 wrote to memory of 4820	1412	Enpmld32.exe	100
PID 1412 wrote to memory of 4820	1412	Enpmld32.exe	100
PID 1412 wrote to memory of 4820	1412	Enpmld32.exe	100
PID 4820 wrote to memory of 1108	4820	Efgemb32.exe	102
PID 4820 wrote to memory of 1108	4820	Efgemb32.exe	102
PID 4820 wrote to memory of 1108	4820	Efgemb32.exe	102
PID 1108 wrote to memory of 3156	1108	Emanjldl.exe	103
PID 1108 wrote to memory of 3156	1108	Emanjldl.exe	103
PID 1108 wrote to memory of 3156	1108	Emanjldl.exe	103
PID 3156 wrote to memory of 1856	3156	Ebnfbcbc.exe	104
PID 3156 wrote to memory of 1856	3156	Ebnfbcbc.exe	104
PID 3156 wrote to memory of 1856	3156	Ebnfbcbc.exe	104
PID 1856 wrote to memory of 1956	1856	Felbnn32.exe	105
PID 1856 wrote to memory of 1956	1856	Felbnn32.exe	105
PID 1856 wrote to memory of 1956	1856	Felbnn32.exe	105
PID 1956 wrote to memory of 1988	1956	Flfkkhid.exe	106
PID 1956 wrote to memory of 1988	1956	Flfkkhid.exe	106
PID 1956 wrote to memory of 1988	1956	Flfkkhid.exe	106
PID 1988 wrote to memory of 3412	1988	Fbpchb32.exe	107

C:\Users\Admin\AppData\Local\Temp\0df734dcbdd1629b265204a609bbd1e852ed862efac536e9a52ee2417f3cc73dN.exe
"C:\Users\Admin\AppData\Local\Temp\0df734dcbdd1629b265204a609bbd1e852ed862efac536e9a52ee2417f3cc73dN.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Windows\SysWOW64\Dndnpf32.exe
  C:\Windows\system32\Dndnpf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4908
- - C:\Windows\SysWOW64\Ddnfmqng.exe
    C:\Windows\system32\Ddnfmqng.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Windows\SysWOW64\Dkhnjk32.exe
      C:\Windows\system32\Dkhnjk32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4884
    - - C:\Windows\SysWOW64\Dngjff32.exe
        
        C:\Windows\system32\Dngjff32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3292
      - C:\Windows\SysWOW64\Deqcbpld.exe
        
        C:\Windows\system32\Deqcbpld.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3980
        
        C:\Windows\SysWOW64\Eofgpikj.exe
        
        C:\Windows\system32\Eofgpikj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Ebdcld32.exe
        
        C:\Windows\system32\Ebdcld32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\SysWOW64\Emjgim32.exe
        
        C:\Windows\system32\Emjgim32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\SysWOW64\Ekmhejao.exe
        
        C:\Windows\system32\Ekmhejao.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\SysWOW64\Ebgpad32.exe
        
        C:\Windows\system32\Ebgpad32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:844
        
        C:\Windows\SysWOW64\Eiahnnph.exe
        
        C:\Windows\system32\Eiahnnph.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\SysWOW64\Eokqkh32.exe
        
        C:\Windows\system32\Eokqkh32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3560
        
        C:\Windows\SysWOW64\Efeihb32.exe
        
        C:\Windows\system32\Efeihb32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Windows\SysWOW64\Emoadlfo.exe
        
        C:\Windows\system32\Emoadlfo.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\SysWOW64\Enpmld32.exe
        
        C:\Windows\system32\Enpmld32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\Windows\SysWOW64\Efgemb32.exe
        
        C:\Windows\system32\Efgemb32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\SysWOW64\Emanjldl.exe
        
        C:\Windows\system32\Emanjldl.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1108
        
        C:\Windows\SysWOW64\Ebnfbcbc.exe
        
        C:\Windows\system32\Ebnfbcbc.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3156
        
        C:\Windows\SysWOW64\Felbnn32.exe
        
        C:\Windows\system32\Felbnn32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\SysWOW64\Flfkkhid.exe
        
        C:\Windows\system32\Flfkkhid.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\SysWOW64\Fbpchb32.exe
        
        C:\Windows\system32\Fbpchb32.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\SysWOW64\Fijkdmhn.exe
        
        C:\Windows\system32\Fijkdmhn.exe
        23⤵
        Executes dropped EXE
        
        PID:3412
        
        C:\Windows\SysWOW64\Fpdcag32.exe
        
        C:\Windows\system32\Fpdcag32.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\Ffnknafg.exe
        
        C:\Windows\system32\Ffnknafg.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4880
        
        C:\Windows\SysWOW64\Fimhjl32.exe
        
        C:\Windows\system32\Fimhjl32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3592
        
        C:\Windows\SysWOW64\Fpgpgfmh.exe
        
        C:\Windows\system32\Fpgpgfmh.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2348
        
        C:\Windows\SysWOW64\Ffqhcq32.exe
        
        C:\Windows\system32\Ffqhcq32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4352
        
        C:\Windows\SysWOW64\Fpimlfke.exe
        
        C:\Windows\system32\Fpimlfke.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1820
        
        C:\Windows\SysWOW64\Fbgihaji.exe
        
        C:\Windows\system32\Fbgihaji.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2536
        
        C:\Windows\SysWOW64\Flpmagqi.exe
        
        C:\Windows\system32\Flpmagqi.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4084
        
        C:\Windows\SysWOW64\Fnnjmbpm.exe
        
        C:\Windows\system32\Fnnjmbpm.exe
        32⤵
        Executes dropped EXE
        
        PID:4404
        
        C:\Windows\SysWOW64\Gidnkkpc.exe
        
        C:\Windows\system32\Gidnkkpc.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2388
        
        C:\Windows\SysWOW64\Gnqfcbnj.exe
        
        C:\Windows\system32\Gnqfcbnj.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1152
        
        C:\Windows\SysWOW64\Gejopl32.exe
        
        C:\Windows\system32\Gejopl32.exe
        35⤵
        Executes dropped EXE
        
        PID:776
        
        C:\Windows\SysWOW64\Gifkpknp.exe
        
        C:\Windows\system32\Gifkpknp.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3552
        
        C:\Windows\SysWOW64\Gppcmeem.exe
        
        C:\Windows\system32\Gppcmeem.exe
        37⤵
        Executes dropped EXE
        
        PID:4936
        
        C:\Windows\SysWOW64\Glgcbf32.exe
        
        C:\Windows\system32\Glgcbf32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2172
        
        C:\Windows\SysWOW64\Gmfplibd.exe
        
        C:\Windows\system32\Gmfplibd.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:852
        
        C:\Windows\SysWOW64\Goglcahb.exe
        
        C:\Windows\system32\Goglcahb.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1204
        
        C:\Windows\SysWOW64\Gfodeohd.exe
        
        C:\Windows\system32\Gfodeohd.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1032
        
        C:\Windows\SysWOW64\Gmimai32.exe
        
        C:\Windows\system32\Gmimai32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:416
        
        C:\Windows\SysWOW64\Glkmmefl.exe
        
        C:\Windows\system32\Glkmmefl.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:848
        
        C:\Windows\SysWOW64\Hfaajnfb.exe
        
        C:\Windows\system32\Hfaajnfb.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4676
        
        C:\Windows\SysWOW64\Hipmfjee.exe
        
        C:\Windows\system32\Hipmfjee.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4996
        
        C:\Windows\SysWOW64\Hmkigh32.exe
        
        C:\Windows\system32\Hmkigh32.exe
        46⤵
        Executes dropped EXE
        
        PID:820
        
        C:\Windows\SysWOW64\Hbhboolf.exe
        
        C:\Windows\system32\Hbhboolf.exe
        47⤵
        Executes dropped EXE
        
        PID:3068
        
        C:\Windows\SysWOW64\Hefnkkkj.exe
        
        C:\Windows\system32\Hefnkkkj.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:996
        
        C:\Windows\SysWOW64\Hlpfhe32.exe
        
        C:\Windows\system32\Hlpfhe32.exe
        49⤵
        Executes dropped EXE
        
        PID:5104
        
        C:\Windows\SysWOW64\Hffken32.exe
        
        C:\Windows\system32\Hffken32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Hidgai32.exe
        
        C:\Windows\system32\Hidgai32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4176
        
        C:\Windows\SysWOW64\Hpnoncim.exe
        
        C:\Windows\system32\Hpnoncim.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3080
        
        C:\Windows\SysWOW64\Hfhgkmpj.exe
        
        C:\Windows\system32\Hfhgkmpj.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\Hifcgion.exe
        
        C:\Windows\system32\Hifcgion.exe
        54⤵
        Executes dropped EXE
        
        PID:1552
        
        C:\Windows\SysWOW64\Hlepcdoa.exe
        
        C:\Windows\system32\Hlepcdoa.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1104
        
        C:\Windows\SysWOW64\Hpqldc32.exe
        
        C:\Windows\system32\Hpqldc32.exe
        56⤵
        Executes dropped EXE
        
        PID:4328
        
        C:\Windows\SysWOW64\Hiipmhmk.exe
        
        C:\Windows\system32\Hiipmhmk.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1816
        
        C:\Windows\SysWOW64\Hpchib32.exe
        
        C:\Windows\system32\Hpchib32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1400
        
        C:\Windows\SysWOW64\Ifmqfm32.exe
        
        C:\Windows\system32\Ifmqfm32.exe
        59⤵
        Executes dropped EXE
        
        PID:916
        
        C:\Windows\SysWOW64\Iliinc32.exe
        
        C:\Windows\system32\Iliinc32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4460
        
        C:\Windows\SysWOW64\Iohejo32.exe
        
        C:\Windows\system32\Iohejo32.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1160
        
        C:\Windows\SysWOW64\Iebngial.exe
        
        C:\Windows\system32\Iebngial.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4056
        
        C:\Windows\SysWOW64\Illfdc32.exe
        
        C:\Windows\system32\Illfdc32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4848
        
        C:\Windows\SysWOW64\Iojbpo32.exe
        
        C:\Windows\system32\Iojbpo32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2472
        
        C:\Windows\SysWOW64\Igajal32.exe
        
        C:\Windows\system32\Igajal32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Windows\SysWOW64\Iipfmggc.exe
        
        C:\Windows\system32\Iipfmggc.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2396
        
        C:\Windows\SysWOW64\Ilnbicff.exe
        
        C:\Windows\system32\Ilnbicff.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3308
        
        C:\Windows\SysWOW64\Ibhkfm32.exe
        
        C:\Windows\system32\Ibhkfm32.exe
        68⤵
        Drops file in System32 directory
        
        PID:4436
        
        C:\Windows\SysWOW64\Igdgglfl.exe
        
        C:\Windows\system32\Igdgglfl.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3804
        
        C:\Windows\SysWOW64\Imnocf32.exe
        
        C:\Windows\system32\Imnocf32.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:3208
        
        C:\Windows\SysWOW64\Iplkpa32.exe
        
        C:\Windows\system32\Iplkpa32.exe
        71⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\Ickglm32.exe
        
        C:\Windows\system32\Ickglm32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Igfclkdj.exe
        
        C:\Windows\system32\Igfclkdj.exe
        73⤵
        Modifies registry class
        
        PID:4052
        
        C:\Windows\SysWOW64\Ieidhh32.exe
        
        C:\Windows\system32\Ieidhh32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4960
        
        C:\Windows\SysWOW64\Ilcldb32.exe
        
        C:\Windows\system32\Ilcldb32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:824
        
        C:\Windows\SysWOW64\Jcmdaljn.exe
        
        C:\Windows\system32\Jcmdaljn.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\Jekqmhia.exe
        
        C:\Windows\system32\Jekqmhia.exe
        77⤵
        Modifies registry class
        
        PID:4532
        
        C:\Windows\SysWOW64\Jmbhoeid.exe
        
        C:\Windows\system32\Jmbhoeid.exe
        78⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:676
        
        C:\Windows\SysWOW64\Jocefm32.exe
        
        C:\Windows\system32\Jocefm32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2620
        
        C:\Windows\SysWOW64\Jgkmgk32.exe
        
        C:\Windows\system32\Jgkmgk32.exe
        80⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\Jmeede32.exe
        
        C:\Windows\system32\Jmeede32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1596
        
        C:\Windows\SysWOW64\Jepjhg32.exe
        
        C:\Windows\system32\Jepjhg32.exe
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:3604
        
        C:\Windows\SysWOW64\Jpenfp32.exe
        
        C:\Windows\system32\Jpenfp32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4596
        
        C:\Windows\SysWOW64\Jgpfbjlo.exe
        
        C:\Windows\system32\Jgpfbjlo.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:3448
        
        C:\Windows\SysWOW64\Jllokajf.exe
        
        C:\Windows\system32\Jllokajf.exe
        85⤵
        Drops file in System32 directory
        
        PID:4944
        
        C:\Windows\SysWOW64\Jcfggkac.exe
        
        C:\Windows\system32\Jcfggkac.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3456
        
        C:\Windows\SysWOW64\Jjpode32.exe
        
        C:\Windows\system32\Jjpode32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4544
        
        C:\Windows\SysWOW64\Kpjgaoqm.exe
        
        C:\Windows\system32\Kpjgaoqm.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4536
        
        C:\Windows\SysWOW64\Kcidmkpq.exe
        
        C:\Windows\system32\Kcidmkpq.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1604
        
        C:\Windows\SysWOW64\Kegpifod.exe
        
        C:\Windows\system32\Kegpifod.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1220
        
        C:\Windows\SysWOW64\Knnhjcog.exe
        
        C:\Windows\system32\Knnhjcog.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3680
        
        C:\Windows\SysWOW64\Klahfp32.exe
        
        C:\Windows\system32\Klahfp32.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3304
        
        C:\Windows\SysWOW64\Koodbl32.exe
        
        C:\Windows\system32\Koodbl32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3324
        
        C:\Windows\SysWOW64\Kgflcifg.exe
        
        C:\Windows\system32\Kgflcifg.exe
        94⤵
        Modifies registry class
        
        PID:3768
        
        C:\Windows\SysWOW64\Keimof32.exe
        
        C:\Windows\system32\Keimof32.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1416
        
        C:\Windows\SysWOW64\Knqepc32.exe
        
        C:\Windows\system32\Knqepc32.exe
        96⤵
        Modifies registry class
        
        PID:4384
        
        C:\Windows\SysWOW64\Klcekpdo.exe
        
        C:\Windows\system32\Klcekpdo.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4064
        
        C:\Windows\SysWOW64\Koaagkcb.exe
        
        C:\Windows\system32\Koaagkcb.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4480
        
        C:\Windows\SysWOW64\Kcmmhj32.exe
        
        C:\Windows\system32\Kcmmhj32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\Kflide32.exe
        
        C:\Windows\system32\Kflide32.exe
        100⤵
        Drops file in System32 directory
        
        PID:5168
        
        C:\Windows\SysWOW64\Kncaec32.exe
        
        C:\Windows\system32\Kncaec32.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Klfaapbl.exe
        
        C:\Windows\system32\Klfaapbl.exe
        102⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\Kpanan32.exe
        
        C:\Windows\system32\Kpanan32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5300
        
        C:\Windows\SysWOW64\Kgkfnh32.exe
        
        C:\Windows\system32\Kgkfnh32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5344
        
        C:\Windows\SysWOW64\Kjjbjd32.exe
        
        C:\Windows\system32\Kjjbjd32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Kpcjgnhb.exe
        
        C:\Windows\system32\Kpcjgnhb.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5432
        
        C:\Windows\SysWOW64\Kfpcoefj.exe
        
        C:\Windows\system32\Kfpcoefj.exe
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:5476
        
        C:\Windows\SysWOW64\Lcdciiec.exe
        
        C:\Windows\system32\Lcdciiec.exe
        108⤵
        Drops file in System32 directory
        
        PID:5520
        
        C:\Windows\SysWOW64\Lgpoihnl.exe
        
        C:\Windows\system32\Lgpoihnl.exe
        109⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Lgbloglj.exe
        
        C:\Windows\system32\Lgbloglj.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5608
        
        C:\Windows\SysWOW64\Llodgnja.exe
        
        C:\Windows\system32\Llodgnja.exe
        111⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\Lfgipd32.exe
        
        C:\Windows\system32\Lfgipd32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5696
        
        C:\Windows\SysWOW64\Lopmii32.exe
        
        C:\Windows\system32\Lopmii32.exe
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:5740
        
        C:\Windows\SysWOW64\Lmdnbn32.exe
        
        C:\Windows\system32\Lmdnbn32.exe
        114⤵
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Lobjni32.exe
        
        C:\Windows\system32\Lobjni32.exe
        115⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\Ljhnlb32.exe
        
        C:\Windows\system32\Ljhnlb32.exe
        116⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\Mmfkhmdi.exe
        
        C:\Windows\system32\Mmfkhmdi.exe
        117⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\Mcpcdg32.exe
        
        C:\Windows\system32\Mcpcdg32.exe
        118⤵
        Modifies registry class
        
        PID:5964
        
        C:\Windows\SysWOW64\Mnegbp32.exe
        
        C:\Windows\system32\Mnegbp32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6008
        
        C:\Windows\SysWOW64\Mogcihaj.exe
        
        C:\Windows\system32\Mogcihaj.exe
        120⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\Mfqlfb32.exe
        
        C:\Windows\system32\Mfqlfb32.exe
        121⤵
        Drops file in System32 directory
        
        PID:6096
        
        C:\Windows\SysWOW64\Mnhdgpii.exe
        
        C:\Windows\system32\Mnhdgpii.exe
        122⤵
        Drops file in System32 directory
        
        PID:6140
        
        C:\Windows\SysWOW64\Mcelpggq.exe
        
        C:\Windows\system32\Mcelpggq.exe
        123⤵
        Drops file in System32 directory
        
        PID:5152
        
        C:\Windows\SysWOW64\Mjodla32.exe
        
        C:\Windows\system32\Mjodla32.exe
        124⤵
        Drops file in System32 directory
        
        PID:5232
        
        C:\Windows\SysWOW64\Mqimikfj.exe
        
        C:\Windows\system32\Mqimikfj.exe
        125⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Mfeeabda.exe
        
        C:\Windows\system32\Mfeeabda.exe
        126⤵
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Mqkiok32.exe
        
        C:\Windows\system32\Mqkiok32.exe
        127⤵
        Drops file in System32 directory
        
        PID:5444
        
        C:\Windows\SysWOW64\Mjcngpjh.exe
        
        C:\Windows\system32\Mjcngpjh.exe
        128⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Nfjola32.exe
        
        C:\Windows\system32\Nfjola32.exe
        129⤵
        Drops file in System32 directory
        
        PID:5592
        
        C:\Windows\SysWOW64\Njhgbp32.exe
        
        C:\Windows\system32\Njhgbp32.exe
        130⤵
        Drops file in System32 directory
        
        PID:5664
        
        C:\Windows\SysWOW64\Npepkf32.exe
        
        C:\Windows\system32\Npepkf32.exe
        131⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\Nfohgqlg.exe
        
        C:\Windows\system32\Nfohgqlg.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5800
        
        C:\Windows\SysWOW64\Ncchae32.exe
        
        C:\Windows\system32\Ncchae32.exe
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:5868
        
        C:\Windows\SysWOW64\Nmkmjjaa.exe
        
        C:\Windows\system32\Nmkmjjaa.exe
        134⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\Onkidm32.exe
        
        C:\Windows\system32\Onkidm32.exe
        135⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6016
        
        C:\Windows\SysWOW64\Oaifpi32.exe
        
        C:\Windows\system32\Oaifpi32.exe
        136⤵
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Ocgbld32.exe
        
        C:\Windows\system32\Ocgbld32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5128
        
        C:\Windows\SysWOW64\Oclkgccf.exe
        
        C:\Windows\system32\Oclkgccf.exe
        138⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\Opclldhj.exe
        
        C:\Windows\system32\Opclldhj.exe
        139⤵
        Modifies registry class
        
        PID:4252
        
        C:\Windows\SysWOW64\Ojhpimhp.exe
        
        C:\Windows\system32\Ojhpimhp.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5196
        
        C:\Windows\SysWOW64\Ohlqcagj.exe
        
        C:\Windows\system32\Ohlqcagj.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5296
        
        C:\Windows\SysWOW64\Pjkmomfn.exe
        
        C:\Windows\system32\Pjkmomfn.exe
        142⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5424
        
        C:\Windows\SysWOW64\Pmiikh32.exe
        
        C:\Windows\system32\Pmiikh32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5532
        
        C:\Windows\SysWOW64\Pnifekmd.exe
        
        C:\Windows\system32\Pnifekmd.exe
        144⤵
        Drops file in System32 directory
        
        PID:5644
        
        C:\Windows\SysWOW64\Pnkbkk32.exe
        
        C:\Windows\system32\Pnkbkk32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5768
        
        C:\Windows\SysWOW64\Pjbcplpe.exe
        
        C:\Windows\system32\Pjbcplpe.exe
        146⤵
        Modifies registry class
        
        PID:5864
        
        C:\Windows\SysWOW64\Panhbfep.exe
        
        C:\Windows\system32\Panhbfep.exe
        147⤵
        Drops file in System32 directory
        
        PID:5996
        
        C:\Windows\SysWOW64\Qhhpop32.exe
        
        C:\Windows\system32\Qhhpop32.exe
        148⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\Qobhkjdi.exe
        
        C:\Windows\system32\Qobhkjdi.exe
        149⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\Qpcecb32.exe
        
        C:\Windows\system32\Qpcecb32.exe
        150⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\Qfmmplad.exe
        
        C:\Windows\system32\Qfmmplad.exe
        151⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5280
        
        C:\Windows\SysWOW64\Qodeajbg.exe
        
        C:\Windows\system32\Qodeajbg.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5440
        
        C:\Windows\SysWOW64\Qdaniq32.exe
        
        C:\Windows\system32\Qdaniq32.exe
        153⤵
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\Afpjel32.exe
        
        C:\Windows\system32\Afpjel32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5780
        
        C:\Windows\SysWOW64\Amjbbfgo.exe
        
        C:\Windows\system32\Amjbbfgo.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5952
        
        C:\Windows\SysWOW64\Ahofoogd.exe
        
        C:\Windows\system32\Ahofoogd.exe
        156⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\Afbgkl32.exe
        
        C:\Windows\system32\Afbgkl32.exe
        157⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\Amlogfel.exe
        
        C:\Windows\system32\Amlogfel.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5360
        
        C:\Windows\SysWOW64\Adfgdpmi.exe
        
        C:\Windows\system32\Adfgdpmi.exe
        159⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Aokkahlo.exe
        
        C:\Windows\system32\Aokkahlo.exe
        160⤵
        Modifies registry class
        
        PID:5972
        
        C:\Windows\SysWOW64\Apmhiq32.exe
        
        C:\Windows\system32\Apmhiq32.exe
        161⤵
        System Location Discovery: System Language Discovery
        
        PID:5140
        
        C:\Windows\SysWOW64\Ahdpjn32.exe
        
        C:\Windows\system32\Ahdpjn32.exe
        162⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Akblfj32.exe
        
        C:\Windows\system32\Akblfj32.exe
        163⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Apodoq32.exe
        
        C:\Windows\system32\Apodoq32.exe
        164⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\Ahfmpnql.exe
        
        C:\Windows\system32\Ahfmpnql.exe
        165⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\Aopemh32.exe
        
        C:\Windows\system32\Aopemh32.exe
        166⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\Apaadpng.exe
        
        C:\Windows\system32\Apaadpng.exe
        167⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\Bgkiaj32.exe
        
        C:\Windows\system32\Bgkiaj32.exe
        168⤵
        Drops file in System32 directory
        
        PID:5356
        
        C:\Windows\SysWOW64\Bobabg32.exe
        
        C:\Windows\system32\Bobabg32.exe
        169⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\Bpdnjple.exe
        
        C:\Windows\system32\Bpdnjple.exe
        170⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6204
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        171⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\Bmhocd32.exe
        
        C:\Windows\system32\Bmhocd32.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6292
        
        C:\Windows\SysWOW64\Bpfkpp32.exe
        
        C:\Windows\system32\Bpfkpp32.exe
        173⤵
        
        PID:6336
        
        C:\Windows\SysWOW64\Bgpcliao.exe
        
        C:\Windows\system32\Bgpcliao.exe
        174⤵
        System Location Discovery: System Language Discovery
        
        PID:6376
        
        C:\Windows\SysWOW64\Bogkmgba.exe
        
        C:\Windows\system32\Bogkmgba.exe
        175⤵
        System Location Discovery: System Language Discovery
        
        PID:6420
        
        C:\Windows\SysWOW64\Bphgeo32.exe
        
        C:\Windows\system32\Bphgeo32.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6464
        
        C:\Windows\SysWOW64\Bgbpaipl.exe
        
        C:\Windows\system32\Bgbpaipl.exe
        177⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\Bnlhncgi.exe
        
        C:\Windows\system32\Bnlhncgi.exe
        178⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6548
        
        C:\Windows\SysWOW64\Bdfpkm32.exe
        
        C:\Windows\system32\Bdfpkm32.exe
        179⤵
        System Location Discovery: System Language Discovery
        
        PID:6588
        
        C:\Windows\SysWOW64\Bkphhgfc.exe
        
        C:\Windows\system32\Bkphhgfc.exe
        180⤵
        Drops file in System32 directory
        
        PID:6632
        
        C:\Windows\SysWOW64\Bnoddcef.exe
        
        C:\Windows\system32\Bnoddcef.exe
        181⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6664
        
        C:\Windows\SysWOW64\Cdimqm32.exe
        
        C:\Windows\system32\Cdimqm32.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6712
        
        C:\Windows\SysWOW64\Ckbemgcp.exe
        
        C:\Windows\system32\Ckbemgcp.exe
        183⤵
        Modifies registry class
        
        PID:6756
        
        C:\Windows\SysWOW64\Cnaaib32.exe
        
        C:\Windows\system32\Cnaaib32.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6800
        
        C:\Windows\SysWOW64\Cdkifmjq.exe
        
        C:\Windows\system32\Cdkifmjq.exe
        185⤵
        System Location Discovery: System Language Discovery
        
        PID:6844
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        186⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6888
        
        C:\Windows\SysWOW64\Cncnob32.exe
        
        C:\Windows\system32\Cncnob32.exe
        187⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\Cpbjkn32.exe
        
        C:\Windows\system32\Cpbjkn32.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6976
        
        C:\Windows\SysWOW64\Cglbhhga.exe
        
        C:\Windows\system32\Cglbhhga.exe
        189⤵
        Modifies registry class
        
        PID:7020
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7064
        
        C:\Windows\SysWOW64\Chkobkod.exe
        
        C:\Windows\system32\Chkobkod.exe
        191⤵
        Modifies registry class
        
        PID:7108
        
        C:\Windows\SysWOW64\Ckjknfnh.exe
        
        C:\Windows\system32\Ckjknfnh.exe
        192⤵
        Drops file in System32 directory
        
        PID:7152
        
        C:\Windows\SysWOW64\Cnhgjaml.exe
        
        C:\Windows\system32\Cnhgjaml.exe
        193⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\Cpfcfmlp.exe
        
        C:\Windows\system32\Cpfcfmlp.exe
        194⤵
        Modifies registry class
        
        PID:6260
        
        C:\Windows\SysWOW64\Cklhcfle.exe
        
        C:\Windows\system32\Cklhcfle.exe
        195⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\Cnjdpaki.exe
        
        C:\Windows\system32\Cnjdpaki.exe
        196⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\Dpiplm32.exe
        
        C:\Windows\system32\Dpiplm32.exe
        197⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6472
        
        C:\Windows\SysWOW64\Dkndie32.exe
        
        C:\Windows\system32\Dkndie32.exe
        198⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6532
        
        C:\Windows\SysWOW64\Dpkmal32.exe
        
        C:\Windows\system32\Dpkmal32.exe
        199⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6616
        
        C:\Windows\SysWOW64\Dgeenfog.exe
        
        C:\Windows\system32\Dgeenfog.exe
        200⤵
        Modifies registry class
        
        PID:6684
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        201⤵
        System Location Discovery: System Language Discovery
        
        PID:6752
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6752 -s 224
        202⤵
        Program crash
        
        PID:6944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 6752 -ip 6752
1⤵
PID:6916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ahdpjn32.exe

Filesize
49KB

MD5
330b35514d2874f04fbcb763ccd23f97

SHA1
f59fad68412b972e3c81af7ffe3d885b472a2dd4

SHA256
8ee38b563e5c3cde84fd2a7581bd61a69db4310d4b15db2339fcea9ec939b480

SHA512
df71dbcb27062379e9018ee602686b8780d23fb60697f521086d4b465a679a0c871d76d80d2b317ee03bec5937ad739e4f6a07547cc84398e732bdd897fac5da

Download Submit
C:\Windows\SysWOW64\Amjbbfgo.exe

Filesize
49KB

MD5
d75ca265fd9ca2813db6d6a0e5c60914

SHA1
eb683a7391e7a2c647c02a48e9a6a01293e580c0

SHA256
aed0d355b784132d1293adc19ec66ec5296559ea29c4761e913dc0a1a1aa544a

SHA512
033ae4c62a540940cda3313e7c8b2a7affc2e33aaf8967e9c2e8fb12fc1d79a4e346e1b09abf101b3941db4eb3e9eb3c20a17dd9b55910cf4e9dd2b4bc123422

Download Submit
C:\Windows\SysWOW64\Aokkahlo.exe

Filesize
49KB

MD5
2c301b24336f823d9e9e6a6d0f6b3169

SHA1
57756970109e844ce496d2490d5f9e014006a517

SHA256
6222f64a15053bed85a34aab0e92da93cfbf540b60ae6de6121b1f87276f36b7

SHA512
0c17d6c3fbbed5f07066135e3fda8be8e14f88a056000c55c2691570c8f2d972949dab0f07fb63e2e92ac391d21b2211bad2383b2e139a6529972186d4629daa

Download Submit
C:\Windows\SysWOW64\Apaadpng.exe

Filesize
49KB

MD5
4537c26cb39c3a03b87449b2bc09404a

SHA1
fdc8eec9913ea313bb8a3c0096497291cdf0ccb4

SHA256
b04c61061403738e00a1e0ab509a8669859f50edb4453f59b9531f36d528ceae

SHA512
3c7784511f6f38829ed61997d9da1b891b5edda35bd35e9049eebba3c66452ecfd82f9dff057125fd182edafbbbe07ccb6f57ec0ac08269d077a0955ff02d1d4

Download Submit
C:\Windows\SysWOW64\Bgnffj32.exe

Filesize
49KB

MD5
7e1bd2c25a1cb77003ad2943f647c459

SHA1
c0f0fb88fee2a5a5c90e40fd580501b37041220b

SHA256
1deb36803fb9950819a67091dda2e72bcaf630e3dc3f9d1cfdf9c0e30ddc9bb0

SHA512
a901e9607f49c9a7107c36b702967bb7ba61a77cfde2f4916035ea908bc4e8e6f345e3fdeec3f50c54454c307bc36b2e94615b42ee59ff7ba217d46dca87c08e

Download Submit
C:\Windows\SysWOW64\Bgpcliao.exe

Filesize
49KB

MD5
ae4a5c37ecb8822df12df41983055a98

SHA1
62de60bfd59a852500ca5b97fefb299aabfd0b65

SHA256
c40406db12753a3e61ca4df4b9f34261415f8fc4ce39107b80f73cb375e0871a

SHA512
2419c689b9a34933742b395e44786e764a2313f197e80930e2289a2b1f09458eed94805597b61ac64f23eab9654f74be94df9e9ffca2a4e6f63e6b46069d1743

Download Submit
C:\Windows\SysWOW64\Bnlhncgi.exe

Filesize
49KB

MD5
71654316511e208d14002d98b34db4f2

SHA1
e0a768837547dfbd52531f60c26c3bc4d7326d55

SHA256
6bbc8c2c74eaf1e0f36bb86dda3f460cadbf635d9fa4a3432158d61bfda28953

SHA512
39a689af52f8550063be9b3b3a1b8e76e382d0f754617f16a5495af5146fbe0823475d884121ac32cf4e2fcbe6cf186513b6836af55d1d70331cf90be773c126

Download Submit
C:\Windows\SysWOW64\Bphgeo32.exe

Filesize
49KB

MD5
499378236e29204473b42f5973ac3d91

SHA1
05223c506f2ccf78ece584e63cce3ecf5e1ce73a

SHA256
a1bd4a2c5bce812e99e1faa9b249105dab389c59c5f83ae3ded104162dfca170

SHA512
a620f3c97eb542f7474c787818368b82683317e21321eeb119c09fbda3cb3ec28973337d9e296157c39de4df6a4ee78f72d17aa5f50a466d3459697ad5ff9b3b

Download Submit
C:\Windows\SysWOW64\Caageq32.exe

Filesize
49KB

MD5
3a309a6bbf30ab14a099c328153f923c

SHA1
cea3a46bdfe04ca2d0a704a0890e38c1956bde96

SHA256
36cfe4c179a476ac5ef55e8b3159bb4b62499da3f9df71490421904464865e3a

SHA512
8d2bcc389d7b17effb8b36597615070a6ccd7884f271ff7100583f675c26a7abaf3632afd84624115153eb95ccdf47681d6bcbd5c41d02f833fed06ae36e9d61

Download Submit
C:\Windows\SysWOW64\Cdkifmjq.exe

Filesize
49KB

MD5
b63bf42a188da4ffbcdcbb669ba54aec

SHA1
23abf5a266bf2467209b31e80de142859510f82e

SHA256
eb4c82db7e8d16217d8e06de7506736a97af3db5c04300114b0f762e82aadcd8

SHA512
26a13dfb4fc2ee3dd2ad6a10d17f958f771f9373993c1edf1b3c493f354e6558366a0c71d74c1b2149c5bd8920b8f43c7f2835c1f58bc52ea7723c8ebec1bf74

Download Submit
C:\Windows\SysWOW64\Ckbemgcp.exe

Filesize
49KB

MD5
97e155a08fa11d18655183d87faa9cb7

SHA1
d933c3e4a941a06dd0b4da0db8a4eb091bd1e355

SHA256
9c95d273f306742307f4d5fc64f581398008fc86667e86f264ee93fbd1633ce5

SHA512
8dcdc1d2908a750cd4fdfb84e69cd73bf8d89cd3b93581b11d21b61e35ca60225d301fe3f2cc9e38b380c3a7004e3d9669c297b4c010fcde6ea8f606a18a631e

Download Submit
C:\Windows\SysWOW64\Cklhcfle.exe

Filesize
49KB

MD5
da6d57c54f08c439cc39bd19fc1585c3

SHA1
5ff7c9fc3e58207331d2fd4ac529f035fb821ce2

SHA256
ee113f090e6578c26bcac210fe5a5cf1cb92811406bbfb803bad46037420f95c

SHA512
654405fe7bd2cd055ecc6d67e2f4f2c15c430b9bd753a8950c34a2c7cae0e500d662093948117487b1c0c7d8853424785a49746b8bd63dba2ea7861e26ea8acd

Download Submit
C:\Windows\SysWOW64\Ddnfmqng.exe

Filesize
49KB

MD5
8c1d6f180f6d1176d5e352eac2bcb778

SHA1
7f7ae4d7fb74ac12bee350f154aca22665f6e30f

SHA256
2047849d45a2efcba834ead7a7dab639ab8618e339ebd8958c8c4c579736a512

SHA512
a13b709d706d8e5544c721a1ef7900fe9e68a5cafc816762708c86695ed93e7d76751dbb0a527d17cd55b19979791a073e986cf621b46773de4c673df844fee7

Download Submit
C:\Windows\SysWOW64\Deqcbpld.exe

Filesize
49KB

MD5
f4adb2ebae12058cd963bfba15ac067f

SHA1
2d82a785ccedc5ffab4966274b110f5484b5bb4a

SHA256
9a67c40d694266bfb0dbe24a9a6ab2e014dab573251ce06342f5ad25bdad9933

SHA512
d261e327dd58c7fcde6025b04e6be0ecb7ac5c87fb6e0c0016f0b9aae8a5eed7d5b0bfe0ecd871eebb4f4a8886e353763f2a040b0fd44b705cd8c14f3dbfe9bb

Download Submit
C:\Windows\SysWOW64\Dkhnjk32.exe

Filesize
49KB

MD5
bb0d35b0dfcf1e97b768f20c3a3e6cf6

SHA1
36dff97c66c14b25971fdc4bc9f031e8585112a4

SHA256
b1dc357d4d8dddfe26b4a197695320bce0334fc89969ab423cea00c7b64e31b0

SHA512
6e59f79de299411f5c8045c58ade012f4d3d955a4aa0311e1850dd4d2f430da1dd84185c92da36d83770a38de9351426d511f98cb3c3361c9d48b6334d671253

Download Submit
C:\Windows\SysWOW64\Dkndie32.exe

Filesize
49KB

MD5
d1e3d96b6dd4eb806f060ae7dd6750e6

SHA1
ebe7ec7e8890a0c863327ff5917e160aae30f3df

SHA256
513858f09b6a6fa2ee4a56aa3156f942585e2fc232064583f28e6f0340ab0f2a

SHA512
3d08dc86058bc332da85c01dffe0af5db78d478a660e014919e3b6587d441c40c0ff480f0ed10926cd94497086a15ba1d535a773b03fd030d68c3876662ea4d8

Download Submit
C:\Windows\SysWOW64\Dndnpf32.exe

Filesize
49KB

MD5
9394f6f8258ab0f2f5a95387256727f5

SHA1
8a47bb1656ce2e6aba1aba62b048a0845a9203d3

SHA256
13593da9fe31f53a323a611728ae83371940b058e0e501432e199313e5e154c2

SHA512
b7fc1ac8193ce0eca1e397567402e83d12892c3d4ca02433e183645cbc3f1398a0c1cc0a3f4aaab075e2a83ca001ad5d57b935c3f98b43bc611a3a2594ccde05

Download Submit
C:\Windows\SysWOW64\Dngjff32.exe

Filesize
49KB

MD5
eef9b2b56f491e7b06fd93204d41f903

SHA1
ded03c1b9bc2eb1fc6266f546a34bf5b370bd67a

SHA256
eb3a9fcd683bd9482ac2dff7600eae9f7b263a48a6d7539c70067d1ff0ee86a0

SHA512
0c28020f96e426d56f4c9fca52bd2cc7fe086a1e2c14980ca58e63d54e468beb87bdbeb2d982c4682e1cf025d0732137a2034b477227aaf513f1b94cbefd9f3a

Download Submit
C:\Windows\SysWOW64\Ebdcld32.exe

Filesize
49KB

MD5
04979dc1c293acf5d43fd7f192e1c0c6

SHA1
5655cc003e5af5e2521ffb6a79f8c097ea65e95b

SHA256
82656512cc128dcd61fa61e6d25ad9662badc7c13ba9cb52ba5310ac238b4136

SHA512
26c68fd4d39d48b644958ca3409825bf731d7bedfa2d2e94b66f8ecd9a1b48904ed11ed9ba170bd27c616ba6c5892b71bc2c671219a71161d4019944a1184c24

Download Submit
C:\Windows\SysWOW64\Ebgpad32.exe

Filesize
49KB

MD5
7353dfc9c752e047ce757d30aa258400

SHA1
b00030d2e4c21388fe6612d449a1135b64093ff5

SHA256
5fbedd8294fdd996d66b94e092b8333be6e72978e70fb316805510fe786c6eb5

SHA512
49405a64df8b7a3b914f0b35f7c17e8c6fdd8ac2311d232d22a9ee80570dea29d03da2cc98726f7474d4cfd67bd37cd29cce4eea5c2a7568ecaebef544fba0a9

Download Submit
C:\Windows\SysWOW64\Ebnfbcbc.exe

Filesize
49KB

MD5
2b9d440d0b98e8747dd18ebcda8af031

SHA1
ba00000a66d3d94b337e163d685f02e97d827058

SHA256
0135422ac8523a23808d71ce9e70fa5519d98bc68f2f583a110cecc84677ff3c

SHA512
8b9687211bed2b5af27ccd01e121f9fa2bfea94b8f1fc4d55b9e6494d07166e2e95751796fb4f5ef76d512a794262b72dd5b062844e07b64820d63b549e2bc55

Download Submit
C:\Windows\SysWOW64\Efeihb32.exe

Filesize
49KB

MD5
60fa59d68e0726f9c5324366f7897eee

SHA1
0e568747368b9936efd9d408af2c386d86ca487f

SHA256
b3313d92e6a1d61497667158198b3c61a64906a42eec6dd1f82a47458bf23504

SHA512
8ff8cbcb7ec9621bf98f5d9313a8b50eb221ca45aac34263dc377031907a4dd32c905f0a9df105fb1b42c8852005a14bdf99b93f874d6315df58dfe425d7448d

Download Submit
C:\Windows\SysWOW64\Efgemb32.exe

Filesize
49KB

MD5
7d5a6ea391fbff647c8ff6dcd130d8dc

SHA1
c41d542b79eae34f384e553f496e33e303a5c38c

SHA256
9bfe040d2def2dcfc0b6ec61449b6649acedcd82172d99137f9c5674b9183fb1

SHA512
18ec722e627942580495789fe108b5280a431d233bbbcef57acaa57c6f838cd3f2f421002a3924f97e237b79177682c82a9663f9e27fd5e64992ad3a51154a82

Download Submit
C:\Windows\SysWOW64\Eiahnnph.exe

Filesize
49KB

MD5
b0d20dbaa5b2c29cd9f1307dd948aa86

SHA1
6262b0dcfb5e0840c76d6be8d7fb2dff118134a0

SHA256
58a38fc32a7c94f66aea96833038c86a7f54cd72b6a4091f00358f48bda224ba

SHA512
d764fa70c32f7671a7e601085cf480531b17e8b9ffdee406be4266aabeaada73ed9876b5f4e90a2408d7ce122d74f3bb503a693125480b8ee2478dca48f4dbfd

Download Submit
C:\Windows\SysWOW64\Ekmhejao.exe

Filesize
49KB

MD5
2b57c6921bbabb8df5be2a5e88cf54e3

SHA1
720e740c0ce3d4f19d66bf7f104931f3b70108f8

SHA256
db63025b2384794ee898371e172142cbbc88c705e9dd5f5ce7f840c0381047c4

SHA512
72f7468a68cb0b90c662d7d6b66e6e4ac38f748a973dd051ff983035be554d8e71bb946a0084e2c47cfe4a9be755fff84539b7a43b7b05473ce2cfc04b7764f5

Download Submit
C:\Windows\SysWOW64\Emanjldl.exe

Filesize
49KB

MD5
bf2c4299fde1db23ff6ed9e27b8ffbac

SHA1
ced8f85505eceead7b4b7f9a83550bc68a59e173

SHA256
640aed3a1eff98986b4d7157ad72b614ff0d343437bb49c5adf846394825081c

SHA512
93ed20de248c995b3731228f3155676db572de0a18dcbd4e6fe1e801a5c496823dbcf92be66ff4382e49f01ee0afa115ba6ea2dbc3f0bb7db5e7bf8d7538a3dd

Download Submit
C:\Windows\SysWOW64\Emjgim32.exe

Filesize
49KB

MD5
041d3a62e983b67f15b2862521051a9f

SHA1
e27194242cc8e867485c157e521885af6d8f5a63

SHA256
b8c2432505adbe7e98693584ca4078d718050c6c1dda89428d28c7cd49c13c90

SHA512
d6edbb1e1ede34b2dca1738d8fb965b8b3ba9394a904a753ca2ebd6b41511d037e67550f1e83e0e7ea18fe8995adea0dcf1b708f26fc4df09865e1fc10847868

Download Submit
C:\Windows\SysWOW64\Emoadlfo.exe

Filesize
49KB

MD5
86eb44015e5c921abd27c2dd0b5126f4

SHA1
213c3c27fe397f11a6eb5c037aefba8bd527bf8c

SHA256
07b25f3f0b24f3f15018a7634b068965998f2fa17c4ff029301c036078333204

SHA512
5695e5d975b1d50c6186affc8e9584e121460e66a83d744e831a7439dd0a9ff5116440b71cb9a370c95e21bc62ddca9e8b97c0e952ff455922d8836c788c8412

Download Submit
C:\Windows\SysWOW64\Enpmld32.exe

Filesize
49KB

MD5
95f6790c2e6003d4aa745bfc3d3aae01

SHA1
be424ef360ad9f680bbe9ed2028fe94098220888

SHA256
842cfe5ed9b5459486361d9991b15adbd0342e70d3e3bd626235e1e7cafc1256

SHA512
f0e74cd9c14a51198a412fa8bffa9ea979c813458dbda560d9c5144d6ea2d08517078698760ff27cd9f07d42328d2295f1e3b5a011b8785a8022718ed685e2d5

Download Submit
C:\Windows\SysWOW64\Eofgpikj.exe

Filesize
49KB

MD5
718feb12905be885ebcefbcd21a61e71

SHA1
2a17f3caed5cdf62d9ed1c2935d52000ffc2018e

SHA256
ff7f4b37c9f905b0d96f6f149d97b1f9b267692d06dd5c0e27762a4e093c1231

SHA512
9b8106a745e18af8f92e0f557cf84678c98b19cfe229897c4e3631f8a0c40f09557cb0de543393fcc39a8c0a4dd2b359e37dd5532289308be5ecad11ecd5cbef

Download Submit
C:\Windows\SysWOW64\Eokqkh32.exe

Filesize
49KB

MD5
4d289f37daa3aa472184e10ea2e5c75c

SHA1
b0392908c076d7cfbe677a56003170d5e4fad2e7

SHA256
9229aa619af7821efd1dd7e9e2c10539c559d4e85fd3f78ec53507cd897ea638

SHA512
2711c1fcf58d5b0db2388e41328757ec52ea719675b34e49726589456de676e3e80b5dfb851841b775f16106fd18622d0e285bd60eb708721a97dd1d9e1c22a1

Download Submit
C:\Windows\SysWOW64\Fbgihaji.exe

Filesize
49KB

MD5
c688946aa3185eda02550ab06e7ff64d

SHA1
249b2b8725bc0a6b7f49b79f9797f87f0f1b24cc

SHA256
3111555e452202067cda92e9934d881047afc084ad71695b848344d29876277b

SHA512
cb9b334a64dcd9aed2d220c3c6c14f23c9524688b1964bbbeb083dd72f6f4320dc8c0ed5ad62d52534c02e7b6f11b69e9fe916f30d546bb5fa47cec7acdff1a9

Download Submit
C:\Windows\SysWOW64\Fbpchb32.exe

Filesize
49KB

MD5
36258ac0b232598450a899fdbdca645c

SHA1
983778884cdbc14e16500f0c9fd64511c02c4cf7

SHA256
42ad88bd40d1fe8acad9a7a0ee028b798045813a8964f31d07a090dbbc84623c

SHA512
12065a25fc1830612c7a2f6147c19fae6d652cc037d70a78a76fb5e0829995ed262689c05df68bc4a61c2c33bd454f847333b2a25563faf8c4bb853b3a8f6d13

Download Submit
C:\Windows\SysWOW64\Felbnn32.exe

Filesize
49KB

MD5
3f3539783c97ec1955ccfc95eff26fc9

SHA1
49ba2010e9a3e58c0828561e48dd33d298743b17

SHA256
dcd29c30b3f6adbd8f5e28a359878031c1984d0e8608e459e580d605f2143276

SHA512
810aff8ea75fd8b7ad7c6330fa201b6a928d9bdc98466aba83cf826c2f0a922b032b03a68f6c5ee543896d00f8470e1da356d420ad67cd8e2f0ce4a1d5962f1b

Download Submit
C:\Windows\SysWOW64\Ffnknafg.exe

Filesize
49KB

MD5
27e5a0a6019429bb0c131bed767f0ff7

SHA1
9bcc28845708d1d93a24bc2b6c89e232278b2520

SHA256
d1279fa8d80b36cf6403f8926e9e98c5eaa86a96401388bed121095bcc271783

SHA512
5dc920f443998369efa2e366a73139882793d5c01551bffcc6975880217e6d6ba7dd5f98b68949e27b3f7e4cdc2f4586c5ffea120cbc7470c0469f752aa501e6

Download Submit
C:\Windows\SysWOW64\Ffqhcq32.exe

Filesize
49KB

MD5
ad380225d4a4f4814961a1969a8e0e10

SHA1
5cc6b26215bcfea1c1414ed47e3fe3bec17e3f9f

SHA256
44584747073ca0f95fc0e065245668e5fd3d9d97c2cefa608e4321988b196200

SHA512
0462aee19078749abd722ca39c12c2213d8b79e911f5ef710d5397b132dbda0a3848c15361009a794a7a4b13bec6a58342910b9ea427586c8d8f6665dbbd4400

Download Submit
C:\Windows\SysWOW64\Fijkdmhn.exe

Filesize
49KB

MD5
898f69eb4743a478e3df6ad6023e91e5

SHA1
43eca43ce3c23012558bed51a1a98708146844f0

SHA256
d9f75ddb6929c3cec047be3b8de32b5d5b98c332b3435aa85c6b185ac115349a

SHA512
68e476d342816d8fbf3bd0db74750e673cb0acd5102f51aa4a643400e56a147a9b2e70724ca1ca74aa9335e9c90b85fde87a919c131a115290185af5abb3d8dc

Download Submit
C:\Windows\SysWOW64\Fimhjl32.exe

Filesize
49KB

MD5
e68c69a6fb71fec77141b17ba475870c

SHA1
11c79716659f0670167edb59a21843f4c77467d7

SHA256
9c2c489351b5d54043e57d216d81612dbf04d09a2a768ed778fc4a7743b64aa1

SHA512
05bc13fdafb77e51d0f5ca101e13e69f4d578e220a0699dc109a4d4b3893869cdd0fdf2847ad3c970c7df84a369e931ee1c6dec1524b3c032ffe24379cafef90

Download Submit
C:\Windows\SysWOW64\Flfkkhid.exe

Filesize
49KB

MD5
f284ab38e4e3271e791717a51c9c7480

SHA1
67bd76bf03865474ced8e901c736b6ec2ab76097

SHA256
dedc67ad7937692f45c633b24178ce4dfab2223e751678a5611e76703c39472d

SHA512
fffd22b375382e4ad82be2d010433bc8ad7331f143f3bcf09bf461b8e68e0a5b728a9b40735ea8df4727a7dff1a47c37402af959559df9cf9cf0d34b577c56ee

Download Submit
C:\Windows\SysWOW64\Flpmagqi.exe

Filesize
49KB

MD5
2a9ba4dcdac269f622883249e0f42ce2

SHA1
d02f4f8bc27db6b6a2b959a85845922c5949f473

SHA256
905cac7a8a6f2ceff021192ab4e80c15f7c1e8a0f7def3d46b6b6da8958d672d

SHA512
65078e9733c52b25f58deb697bd81a1740b7d18482261e69e5b3275fff570ab2e89544c4642fe768bc6c12991e83da64af8ee03bdc636c2add51b13c61f3948c

Download Submit
C:\Windows\SysWOW64\Fnnjmbpm.exe

Filesize
49KB

MD5
136ffba3fff2923f0166df51c803ce11

SHA1
11db64572c240216660153fb7f03c9593e962eac

SHA256
1e1e7e5850b323bcf976973fe54aa89f9153dc0032a857a7b04d6880054cfbdc

SHA512
3345d291ae44f30a68025e86203e9ca309735a56a4eda5f11d2c0ab3408d82a0c5cdec200c2c769cacf19db1e5fff7654aa64343cee2cea3de4c4e8b29818f0b

Download Submit
C:\Windows\SysWOW64\Fpdcag32.exe

Filesize
49KB

MD5
d4b46f037d239bad4506428fcbc074b6

SHA1
eedc5b7bfdcbb33c621ce516180b82141dfdff5a

SHA256
9fdaa8c1e0155e52d921323094629b4eb76c40c40f364a7ac457fe5e65a0ee6c

SHA512
9947fb1c00f33d2f6a08d761c6c02188da006a4c02eea7b3a655c625c013031b04f763ffb48f937b3cf8a3f412caedb4884915a59e7d267da9d99ba447b9fbe0

Download Submit
C:\Windows\SysWOW64\Fpgpgfmh.exe

Filesize
49KB

MD5
858bead94aefe03568f45bfedff31ff2

SHA1
7bbf70850104600ae95dd52c30492e8121cdac70

SHA256
9f49b3e272ac4a37284b478c39475d63118f0a46933d013d9fced168300eb087

SHA512
f6fc87df6d3008fa41f31d6edf2208c5d36ee72e69deefafcc2ff73b70d13112ab0b2ee10758b61b1f8f128503b778e64de8b9096aa7b5c56439ff6408a22fd6

Download Submit
C:\Windows\SysWOW64\Fpimlfke.exe

Filesize
49KB

MD5
26e0e65b627246f385de8fa042a438e3

SHA1
9482854fa39dc111b840b9f9f8f33827c586251a

SHA256
2016e219b716b66c75a2d1c49251ce257a50dbb7a5bade02592f17be69684df7

SHA512
c1994d95383737cc1a9498aedc16a5eaf6bf1ca2098aacd4d72bb706bf225bfa25ba7cfecd2573528b2e4913fcf52078ada5b40746a43f3805d88a22b897ad5c

Download Submit
C:\Windows\SysWOW64\Gidnkkpc.exe

Filesize
49KB

MD5
daba49ea9e8b6733cab2372d845c972a

SHA1
6ab7c9d5c95d7555e7b40a9701df0ddc6f988330

SHA256
c48bac9d91b368c5335170df822cd5bedebc1ec5b13496ba4a731600e69a79c6

SHA512
295da198431ac15c8a62ac7c3b6ddb833976a62ecb66669a9f4ec136363e7c8d498fea101aadd4a57365741c35c1c59547ce56d8f5b6aa18e8faa4644765441e

Download Submit
C:\Windows\SysWOW64\Glgcbf32.exe

Filesize
49KB

MD5
f62856591c4910063853128ff227aac9

SHA1
1c2be46cebacb1f930aae2e43bc4de8d60bbe617

SHA256
c4b43e75c6d4fd4d0dcf3b2b59dc976338d084578bc140839d736f02268c9ff4

SHA512
24d2b1505c3fec89c81d2284d8e1f084dbcbf440ae706dc983e9aaa4d43e0d1678179a949ec8ff1a9c36c05c8dba4c1a054cfae5da1a53bf59edbe98e873cab5

Download Submit
C:\Windows\SysWOW64\Jgkmgk32.exe

Filesize
49KB

MD5
c4270d5f840cb011cbe71f67b9148b5a

SHA1
918e2a489782da5d397f1008a4dcfa084d925cc3

SHA256
02c52ef63540168e313a0238cb8c5b3d1bf98c7a3d842991acab0cbfd8b23318

SHA512
fa6882dbfb56723dfe7858e1090868ef1648ef6dc0eb14a799b64f8b7d1f1eebef4a3a4231042f89331c6c6987b6a203c918988c52be65048d37e1cddad3b9ed

Download Submit
C:\Windows\SysWOW64\Kpcjgnhb.exe

Filesize
49KB

MD5
72ee4d5d7f4ff6df717575846e6ad68d

SHA1
c539964c750b4463cfeed2ff0182e2bfad9671b1

SHA256
80cc5bb9046e7a3b4b836eedef933d57f94d9750edea85e0dce5a6bba345f95d

SHA512
b4d5bc6079815fa462424638beb6c99e8af2c57af4b9c57501ee706ee531e15b026de23758e767523fdc341c9083bedf079b6944072167d8485b74b5a260e3e6

Download Submit
C:\Windows\SysWOW64\Lgpoihnl.exe

Filesize
49KB

MD5
9ba143ac58cd5b679371bd96a146a7bb

SHA1
7e7a0593a2ae7111088f42d5b26f433268954237

SHA256
6143b023963b6ef8e49b798bb280db9559ff29053808a67acf105fe0956ae15f

SHA512
6e9f84158ce68cd3b2a22bc979179ed776c62801eb145a804196e699ee59c3206197936b83df8a5b48c0d84ae54640afe4b03ef7e379f9c0891ad7cd29d76269

Download Submit
C:\Windows\SysWOW64\Ljhnlb32.exe

Filesize
49KB

MD5
5d088aa89c30ea1fccfc75e4c4ed5841

SHA1
c24174da03e103044f2acc5c0759838682679f61

SHA256
13e9d2d914738ad32f79d7fb94f4e2d344f9f36c0537dc870d06aa3eed1edabd

SHA512
058e5ff62b5fdcc8f73d276f4e571e756f1b920c5a3cb0f19716d4298f29b5cc5e1adbcdcb7f0d0cec186049308cb464d60c93d579d81a8e070ed8746cbcfbca

Download Submit
C:\Windows\SysWOW64\Mogcihaj.exe

Filesize
49KB

MD5
36426909dbcdff1bfd41ba2ed8eaa1f8

SHA1
30ef79e82ed98cee977f06883fc35fb955a3c97a

SHA256
4a9eea5308624fbdcbb1bea0f02a571167511ff1d94958d8c99e87d4c211a292

SHA512
6da92ddc227e17ab52a51faeabc59ece8fd13ac4f8890abf6bf8396c5513e3128a8087743284659fb9c2d91a1ce0b82bb397f790a94cb6d116a5fd437d00671d

Download Submit
C:\Windows\SysWOW64\Oclkgccf.exe

Filesize
49KB

MD5
169173284b905695ef9d1d45bf90133d

SHA1
f3c44a277861ea89fe9f05d22616354025eb2b71

SHA256
8ded3b25604870029eda07ab6055b3a367d3610d7ce3601659bf6f774963114b

SHA512
ed24d00c9eed9a920b6cd7a2b14fc64b4e58e731ab77c0b86448df051062cc68cb92f2b5200930baffbacbfe28a092549477c8332a056e2d2c28598adb397937

Download Submit
C:\Windows\SysWOW64\Qdaniq32.exe

Filesize
49KB

MD5
0ef9c9c7d72db3c796968a268e080d61

SHA1
2f5dbd6bd140f5d57b0007617456edaf7d1899e2

SHA256
4cb0ac14e969254a78eeb721b360f881c1da5365d6caad448ab99834afbec8db

SHA512
d794c77484ba79691718552a356294bc75283a95915782f16a8bb298d47dc75509c8ee476ae5b224a173cd033e21912af19ddfca4629a34d07d2a01fa31fe690

Download Submit
C:\Windows\SysWOW64\Qhhpop32.exe

Filesize
49KB

MD5
34d0548ce53d6d285d992782b6fb2c6c

SHA1
21f135171d94602604811d64de726757a3d09f72

SHA256
74df4f327f52ca1c7e8e8d0513662fccb745e50ce7c757c25826ae1afde71cbd

SHA512
b80506f83a3f2252625e45ff02bcee767431b54430fd2a55781fbf2c65bc8b06a17534d8d206fc103a8188d62d139c7ee3ffb03a8e2e590baf55b37e82caf3df

Download Submit
memory/416-311-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/676-527-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/776-269-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/820-335-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/824-509-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/844-80-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/848-317-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/852-293-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/916-413-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/996-347-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1032-305-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1104-389-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1108-136-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1152-263-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1160-425-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1204-299-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1400-407-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1412-121-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1552-383-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1596-546-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1640-112-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1816-401-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1820-224-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1856-152-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1956-160-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1964-88-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1988-168-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2172-287-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2348-208-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2388-256-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2396-455-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2472-443-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2536-232-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2620-533-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2708-184-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2768-48-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2768-587-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2812-16-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2812-559-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3040-449-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3068-341-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3080-371-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3156-144-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3208-479-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3292-573-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3292-33-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3308-461-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3312-515-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3412-176-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3448-567-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3456-581-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3552-275-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3560-97-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3592-201-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3604-553-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3620-65-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3756-485-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3804-473-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3980-580-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3980-40-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4052-501-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4056-431-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4084-240-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4176-365-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4308-377-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4328-395-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4352-216-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4392-540-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4404-248-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4436-467-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4460-419-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4532-521-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4544-588-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4596-560-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4676-323-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4728-104-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4820-129-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4832-72-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4836-359-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4848-437-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4880-192-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4884-25-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4884-566-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4908-552-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4908-8-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4936-281-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4944-574-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4952-594-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4952-56-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4960-503-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4996-329-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5016-539-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5016-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5016-1-0x000000000042F000-0x0000000000430000-memory.dmp

Filesize
4KB

Download
memory/5056-491-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5104-353-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/6400-1389-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/6532-1386-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/6752-1381-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/6976-1404-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads