berbew | fd41abccc01af282a29d06b71ed577d114b3dd3288d81e6feab3f4ada4fb2259

Analysis

max time kernel
141s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-11-2024 10:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd41abccc01af282a29d06b71ed577d114b3dd3288d81e6feab3f4ada4fb2259.exe
Size

163KB
MD5

def6c7a69790a86dea766330e956afa1
SHA1

d57671da3cdc51f6b1a179e9011fca134f555b8c
SHA256

fd41abccc01af282a29d06b71ed577d114b3dd3288d81e6feab3f4ada4fb2259
SHA512

fe07dbee3346664f258a65f92253b9b3aec4ec14111d95ff68de6a0271ade8599656c0c1a049aaed1674b90c4f315314b22ebc9ee58515ed42ad0c7e7f91aaeb
SSDEEP

1536:PYkA7WEklqiO0Xr9Ywmt1CLSFsBtnlProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:27WK0TmQNBZltOrWKDBr+yJb

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ilnbicff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojdgnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhmbqm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baegibae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmennnni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnfkdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofkgcobj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaoaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngqagcag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdpni32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oakbehfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efblbbqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aknbkjfh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lljklo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhpofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipoheakj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjlhgaqp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gncchb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amqhbe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnoddcef.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dheibpje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckbemgcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckgohf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnmaea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klahfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Monjjgkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojfcdnjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hidgai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmiikh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pagbaglh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iefgbh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efeihb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmnbfhal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Digehphc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgbld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdimqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdimqm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iedjmioj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jghpbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jokkgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppahmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnfkdb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iepaaico.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omnjojpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fneggdhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gncchb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bobabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Igfclkdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpcecb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opnbae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dflfac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnegbp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oplfkeob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgpcliao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hibjli32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llodgnja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qacameaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aajhndkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dflfac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jenmcggo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jngbjd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aopemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eecphp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjkaabc.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
1460	Dkahilkl.exe
664	Dheibpje.exe
4136	Dkceokii.exe
1048	Digehphc.exe
3372	Dflfac32.exe
2232	Dmennnni.exe
3260	Deqcbpld.exe
3784	Enigke32.exe
1176	Eecphp32.exe
1972	Efblbbqd.exe
4104	Efeihb32.exe
1388	Ekaapi32.exe
4696	Eejeiocj.exe
688	Emanjldl.exe
1524	Fihnomjp.exe
548	Fneggdhg.exe
4664	Fijkdmhn.exe
1644	Fpdcag32.exe
2036	Fbbpmb32.exe
4284	Fmhdkknd.exe
4528	Ffqhcq32.exe
4556	Fiodpl32.exe
3880	Fmkqpkla.exe
1716	Gncchb32.exe
3804	Gmdcfidg.exe
2796	Gikdkj32.exe
2460	Gpgind32.exe
4272	Hipmfjee.exe
3732	Holfoqcm.exe
3704	Hibjli32.exe
2656	Hlpfhe32.exe
536	Hidgai32.exe
4280	Hpnoncim.exe
2200	Hekgfj32.exe
3252	Hlepcdoa.exe
4536	Hoclopne.exe
4704	Hiipmhmk.exe
3700	Hlglidlo.exe
3860	Ibaeen32.exe
3528	Iepaaico.exe
2776	Imgicgca.exe
996	Ipeeobbe.exe
2412	Ifomll32.exe
3796	Imiehfao.exe
3636	Ipgbdbqb.exe
3684	Iedjmioj.exe
1416	Ilnbicff.exe
1936	Iomoenej.exe
4200	Iefgbh32.exe
3324	Ilqoobdd.exe
4088	Igfclkdj.exe
4024	Ipoheakj.exe
1368	Jghpbk32.exe
2452	Jmbhoeid.exe
4408	Jpaekqhh.exe
5056	Jcoaglhk.exe
3336	Jenmcggo.exe
1540	Jpcapp32.exe
2284	Jepjhg32.exe
4464	Jngbjd32.exe
3616	Jpenfp32.exe
2548	Jgpfbjlo.exe
3200	Jphkkpbp.exe
1112	Jokkgl32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Klhnfo32.exe	Kgkfnh32.exe
File created	C:\Windows\SysWOW64\Ffqhcq32.exe	Fmhdkknd.exe
File created	C:\Windows\SysWOW64\Ibingd32.dll	Ffqhcq32.exe
File created	C:\Windows\SysWOW64\Hpnoncim.exe	Hidgai32.exe
File created	C:\Windows\SysWOW64\Imgicgca.exe	Iepaaico.exe
File created	C:\Windows\SysWOW64\Jcoaglhk.exe	Jpaekqhh.exe
File created	C:\Windows\SysWOW64\Mcgiefen.exe	Mnjqmpgg.exe
File opened for modification	C:\Windows\SysWOW64\Aaenbd32.exe	Aogbfi32.exe
File created	C:\Windows\SysWOW64\Hnflfgji.dll	Cponen32.exe
File opened for modification	C:\Windows\SysWOW64\Gikdkj32.exe	Gmdcfidg.exe
File created	C:\Windows\SysWOW64\Gpcpel32.dll	Jnlkedai.exe
File created	C:\Windows\SysWOW64\Bfnikd32.dll	Lfbped32.exe
File opened for modification	C:\Windows\SysWOW64\Lmdnbn32.exe	Lfjfecno.exe
File opened for modification	C:\Windows\SysWOW64\Mnegbp32.exe	Mjjkaabc.exe
File created	C:\Windows\SysWOW64\Oingap32.dll	Ahmjjoig.exe
File created	C:\Windows\SysWOW64\Kbqceofn.dll	Bdmmeo32.exe
File created	C:\Windows\SysWOW64\Cdimqm32.exe	Cpmapodj.exe
File created	C:\Windows\SysWOW64\Cikamapb.dll	Hekgfj32.exe
File opened for modification	C:\Windows\SysWOW64\Jngbjd32.exe	Jepjhg32.exe
File opened for modification	C:\Windows\SysWOW64\Jokkgl32.exe	Jphkkpbp.exe
File opened for modification	C:\Windows\SysWOW64\Lcdciiec.exe	Lljklo32.exe
File opened for modification	C:\Windows\SysWOW64\Phonha32.exe	Ppgegd32.exe
File opened for modification	C:\Windows\SysWOW64\Chfegk32.exe	Cponen32.exe
File created	C:\Windows\SysWOW64\Gncchb32.exe	Fmkqpkla.exe
File created	C:\Windows\SysWOW64\Bkncfepb.dll	Mcpcdg32.exe
File created	C:\Windows\SysWOW64\Omgmeigd.exe	Ofmdio32.exe
File opened for modification	C:\Windows\SysWOW64\Pplobcpp.exe	Pmnbfhal.exe
File opened for modification	C:\Windows\SysWOW64\Agdcpkll.exe	Ahaceo32.exe
File opened for modification	C:\Windows\SysWOW64\Nceefd32.exe	Nagiji32.exe
File created	C:\Windows\SysWOW64\Kfcfimfi.dll	Pfdjinjo.exe
File created	C:\Windows\SysWOW64\Gdlfcb32.dll	Agimkk32.exe
File created	C:\Windows\SysWOW64\Fbbpmb32.exe	Fpdcag32.exe
File created	C:\Windows\SysWOW64\Egdagc32.dll	Jpcapp32.exe
File opened for modification	C:\Windows\SysWOW64\Klahfp32.exe	Knnhjcog.exe
File created	C:\Windows\SysWOW64\Kgkfnh32.exe	Kodnmkap.exe
File created	C:\Windows\SysWOW64\Okehmlqi.dll	Mnmmboed.exe
File created	C:\Windows\SysWOW64\Bnoddcef.exe	Boldhf32.exe
File created	C:\Windows\SysWOW64\Jpcapp32.exe	Jenmcggo.exe
File created	C:\Windows\SysWOW64\Mhelik32.dll	Knqepc32.exe
File created	C:\Windows\SysWOW64\Olaafabl.dll	Ckbemgcp.exe
File created	C:\Windows\SysWOW64\Akhkncql.dll	Dflfac32.exe
File created	C:\Windows\SysWOW64\Dmkalh32.dll	Fijkdmhn.exe
File opened for modification	C:\Windows\SysWOW64\Jpcapp32.exe	Jenmcggo.exe
File created	C:\Windows\SysWOW64\Nphihiif.dll	Ofkgcobj.exe
File created	C:\Windows\SysWOW64\Phonha32.exe	Ppgegd32.exe
File created	C:\Windows\SysWOW64\Bdmmeo32.exe	Aaoaic32.exe
File created	C:\Windows\SysWOW64\Akcaoeoo.dll	Eecphp32.exe
File opened for modification	C:\Windows\SysWOW64\Emanjldl.exe	Eejeiocj.exe
File opened for modification	C:\Windows\SysWOW64\Iedjmioj.exe	Ipgbdbqb.exe
File created	C:\Windows\SysWOW64\Monjjgkb.exe	Mnmmboed.exe
File opened for modification	C:\Windows\SysWOW64\Aaoaic32.exe	Aopemh32.exe
File created	C:\Windows\SysWOW64\Kodnmkap.exe	Klfaapbl.exe
File opened for modification	C:\Windows\SysWOW64\Ohlqcagj.exe	Opeiadfg.exe
File created	C:\Windows\SysWOW64\Ejphhm32.dll	Aoioli32.exe
File opened for modification	C:\Windows\SysWOW64\Ppahmb32.exe	Pmblagmf.exe
File opened for modification	C:\Windows\SysWOW64\Qmeigg32.exe	Ppahmb32.exe
File created	C:\Windows\SysWOW64\Dkbnla32.dll	Boihcf32.exe
File created	C:\Windows\SysWOW64\Eecphp32.exe	Enigke32.exe
File created	C:\Windows\SysWOW64\Cjafgpmo.dll	Fihnomjp.exe
File opened for modification	C:\Windows\SysWOW64\Mjodla32.exe	Mgphpe32.exe
File created	C:\Windows\SysWOW64\Gdmpga32.dll	Ojfcdnjc.exe
File created	C:\Windows\SysWOW64\Ofmdio32.exe	Opclldhj.exe
File created	C:\Windows\SysWOW64\Bmijpchc.dll	Aokkahlo.exe
File opened for modification	C:\Windows\SysWOW64\Aopemh32.exe	Agimkk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7660	7536	WerFault.exe	301

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnfkdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmbhoeid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpcapp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfjfecno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpenfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcgiefen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppgegd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmblagmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdimqm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngndaccj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpmapodj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkndie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fijkdmhn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbbpmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilqoobdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Monjjgkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ipeeobbe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcpcdg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phcgcqab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogekbb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhbebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljqhkckn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahofoogd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oanokhdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnegbp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opnbae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fd41abccc01af282a29d06b71ed577d114b3dd3288d81e6feab3f4ada4fb2259.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hekgfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akblfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phonha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pffgom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hibjli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kflide32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjodla32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofhknodl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phfcipoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgpcliao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agimkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nglhld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Imgicgca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilnbicff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iomoenej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmfkhmdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nceefd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apjkcadp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngjkfd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gmdcfidg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Holfoqcm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apodoq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhpofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klhnfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpaekqhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llodgnja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omnjojpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ombcji32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coqncejg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deqcbpld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efblbbqd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdmmeo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmnbfhal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekaapi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gpgind32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jghpbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kodnmkap.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jleiba32.dll"	Jphkkpbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jokkgl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnjqmpgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnifekmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baannc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipeabep.dll"	Cnfkdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkjdipap.dll"	Llodgnja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aooold32.dll"	Lckiihok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngjkfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpkhqmjb.dll"	Coqncejg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifomll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ppgegd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciipkkdj.dll"	Bhblllfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jphkkpbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klahfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjlhgaqp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceefd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hoclopne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oingap32.dll"	Ahmjjoig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baegibae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efeihb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igcnla32.dll"	Hiipmhmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcghdkpf.dll"	Igfclkdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jcoaglhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofmdio32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Palklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enfqikef.dll"	Pmblagmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqknpl32.dll"	Holfoqcm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnmmboed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Monjjgkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbdfqocb.dll"	Hlpfhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mogcihaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aokkahlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgdpni32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcdciiec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnoddcef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eecphp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmkqpkla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgflcifg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lljklo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocgbld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aajhndkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agimkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dflfac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipoheakj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chfegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilpfgkh.dll"	Dkndie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klfaapbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmkdcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oakbehfe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opnbae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojdgnn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opeiadfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipoheakj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jgpfbjlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Figfoijn.dll"	Mjaabq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cggkemhh.dll"	Qmeigg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnoddcef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpmapodj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdimqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqibbo32.dll"	Jokkgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgphpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhkfkmmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcokoohi.dll"	Ngjkfd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 1460	2300	fd41abccc01af282a29d06b71ed577d114b3dd3288d81e6feab3f4ada4fb2259.exe	84
PID 2300 wrote to memory of 1460	2300	fd41abccc01af282a29d06b71ed577d114b3dd3288d81e6feab3f4ada4fb2259.exe	84
PID 2300 wrote to memory of 1460	2300	fd41abccc01af282a29d06b71ed577d114b3dd3288d81e6feab3f4ada4fb2259.exe	84
PID 1460 wrote to memory of 664	1460	Dkahilkl.exe	85
PID 1460 wrote to memory of 664	1460	Dkahilkl.exe	85
PID 1460 wrote to memory of 664	1460	Dkahilkl.exe	85
PID 664 wrote to memory of 4136	664	Dheibpje.exe	86
PID 664 wrote to memory of 4136	664	Dheibpje.exe	86
PID 664 wrote to memory of 4136	664	Dheibpje.exe	86
PID 4136 wrote to memory of 1048	4136	Dkceokii.exe	87
PID 4136 wrote to memory of 1048	4136	Dkceokii.exe	87
PID 4136 wrote to memory of 1048	4136	Dkceokii.exe	87
PID 1048 wrote to memory of 3372	1048	Digehphc.exe	88
PID 1048 wrote to memory of 3372	1048	Digehphc.exe	88
PID 1048 wrote to memory of 3372	1048	Digehphc.exe	88
PID 3372 wrote to memory of 2232	3372	Dflfac32.exe	89
PID 3372 wrote to memory of 2232	3372	Dflfac32.exe	89
PID 3372 wrote to memory of 2232	3372	Dflfac32.exe	89
PID 2232 wrote to memory of 3260	2232	Dmennnni.exe	90
PID 2232 wrote to memory of 3260	2232	Dmennnni.exe	90
PID 2232 wrote to memory of 3260	2232	Dmennnni.exe	90
PID 3260 wrote to memory of 3784	3260	Deqcbpld.exe	91
PID 3260 wrote to memory of 3784	3260	Deqcbpld.exe	91
PID 3260 wrote to memory of 3784	3260	Deqcbpld.exe	91
PID 3784 wrote to memory of 1176	3784	Enigke32.exe	93
PID 3784 wrote to memory of 1176	3784	Enigke32.exe	93
PID 3784 wrote to memory of 1176	3784	Enigke32.exe	93
PID 1176 wrote to memory of 1972	1176	Eecphp32.exe	94
PID 1176 wrote to memory of 1972	1176	Eecphp32.exe	94
PID 1176 wrote to memory of 1972	1176	Eecphp32.exe	94
PID 1972 wrote to memory of 4104	1972	Efblbbqd.exe	95
PID 1972 wrote to memory of 4104	1972	Efblbbqd.exe	95
PID 1972 wrote to memory of 4104	1972	Efblbbqd.exe	95
PID 4104 wrote to memory of 1388	4104	Efeihb32.exe	96
PID 4104 wrote to memory of 1388	4104	Efeihb32.exe	96
PID 4104 wrote to memory of 1388	4104	Efeihb32.exe	96
PID 1388 wrote to memory of 4696	1388	Ekaapi32.exe	97
PID 1388 wrote to memory of 4696	1388	Ekaapi32.exe	97
PID 1388 wrote to memory of 4696	1388	Ekaapi32.exe	97
PID 4696 wrote to memory of 688	4696	Eejeiocj.exe	98
PID 4696 wrote to memory of 688	4696	Eejeiocj.exe	98
PID 4696 wrote to memory of 688	4696	Eejeiocj.exe	98
PID 688 wrote to memory of 1524	688	Emanjldl.exe	99
PID 688 wrote to memory of 1524	688	Emanjldl.exe	99
PID 688 wrote to memory of 1524	688	Emanjldl.exe	99
PID 1524 wrote to memory of 548	1524	Fihnomjp.exe	100
PID 1524 wrote to memory of 548	1524	Fihnomjp.exe	100
PID 1524 wrote to memory of 548	1524	Fihnomjp.exe	100
PID 548 wrote to memory of 4664	548	Fneggdhg.exe	102
PID 548 wrote to memory of 4664	548	Fneggdhg.exe	102
PID 548 wrote to memory of 4664	548	Fneggdhg.exe	102
PID 4664 wrote to memory of 1644	4664	Fijkdmhn.exe	103
PID 4664 wrote to memory of 1644	4664	Fijkdmhn.exe	103
PID 4664 wrote to memory of 1644	4664	Fijkdmhn.exe	103
PID 1644 wrote to memory of 2036	1644	Fpdcag32.exe	104
PID 1644 wrote to memory of 2036	1644	Fpdcag32.exe	104
PID 1644 wrote to memory of 2036	1644	Fpdcag32.exe	104
PID 2036 wrote to memory of 4284	2036	Fbbpmb32.exe	105
PID 2036 wrote to memory of 4284	2036	Fbbpmb32.exe	105
PID 2036 wrote to memory of 4284	2036	Fbbpmb32.exe	105
PID 4284 wrote to memory of 4528	4284	Fmhdkknd.exe	106
PID 4284 wrote to memory of 4528	4284	Fmhdkknd.exe	106
PID 4284 wrote to memory of 4528	4284	Fmhdkknd.exe	106
PID 4528 wrote to memory of 4556	4528	Ffqhcq32.exe	107

C:\Users\Admin\AppData\Local\Temp\fd41abccc01af282a29d06b71ed577d114b3dd3288d81e6feab3f4ada4fb2259.exe
"C:\Users\Admin\AppData\Local\Temp\fd41abccc01af282a29d06b71ed577d114b3dd3288d81e6feab3f4ada4fb2259.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\SysWOW64\Dkahilkl.exe
  C:\Windows\system32\Dkahilkl.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1460
- - C:\Windows\SysWOW64\Dheibpje.exe
    C:\Windows\system32\Dheibpje.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:664
  - - C:\Windows\SysWOW64\Dkceokii.exe
      C:\Windows\system32\Dkceokii.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4136
    - - C:\Windows\SysWOW64\Digehphc.exe
        
        C:\Windows\system32\Digehphc.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1048
      - C:\Windows\SysWOW64\Dflfac32.exe
        
        C:\Windows\system32\Dflfac32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3372
        
        C:\Windows\SysWOW64\Dmennnni.exe
        
        C:\Windows\system32\Dmennnni.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\SysWOW64\Deqcbpld.exe
        
        C:\Windows\system32\Deqcbpld.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Windows\SysWOW64\Enigke32.exe
        
        C:\Windows\system32\Enigke32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3784
        
        C:\Windows\SysWOW64\Eecphp32.exe
        
        C:\Windows\system32\Eecphp32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1176
        
        C:\Windows\SysWOW64\Efblbbqd.exe
        
        C:\Windows\system32\Efblbbqd.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\SysWOW64\Efeihb32.exe
        
        C:\Windows\system32\Efeihb32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4104
        
        C:\Windows\SysWOW64\Ekaapi32.exe
        
        C:\Windows\system32\Ekaapi32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\SysWOW64\Eejeiocj.exe
        
        C:\Windows\system32\Eejeiocj.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\SysWOW64\Emanjldl.exe
        
        C:\Windows\system32\Emanjldl.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:688
        
        C:\Windows\SysWOW64\Fihnomjp.exe
        
        C:\Windows\system32\Fihnomjp.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\SysWOW64\Fneggdhg.exe
        
        C:\Windows\system32\Fneggdhg.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:548
        
        C:\Windows\SysWOW64\Fijkdmhn.exe
        
        C:\Windows\system32\Fijkdmhn.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4664
        
        C:\Windows\SysWOW64\Fpdcag32.exe
        
        C:\Windows\system32\Fpdcag32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\Fbbpmb32.exe
        
        C:\Windows\system32\Fbbpmb32.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\Fmhdkknd.exe
        
        C:\Windows\system32\Fmhdkknd.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4284
        
        C:\Windows\SysWOW64\Ffqhcq32.exe
        
        C:\Windows\system32\Ffqhcq32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\SysWOW64\Fiodpl32.exe
        
        C:\Windows\system32\Fiodpl32.exe
        23⤵
        Executes dropped EXE
        
        PID:4556
        
        C:\Windows\SysWOW64\Fmkqpkla.exe
        
        C:\Windows\system32\Fmkqpkla.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3880
        
        C:\Windows\SysWOW64\Gncchb32.exe
        
        C:\Windows\system32\Gncchb32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1716
        
        C:\Windows\SysWOW64\Gmdcfidg.exe
        
        C:\Windows\system32\Gmdcfidg.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3804
        
        C:\Windows\SysWOW64\Gikdkj32.exe
        
        C:\Windows\system32\Gikdkj32.exe
        27⤵
        Executes dropped EXE
        
        PID:2796
        
        C:\Windows\SysWOW64\Gpgind32.exe
        
        C:\Windows\system32\Gpgind32.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2460
        
        C:\Windows\SysWOW64\Hipmfjee.exe
        
        C:\Windows\system32\Hipmfjee.exe
        29⤵
        Executes dropped EXE
        
        PID:4272
        
        C:\Windows\SysWOW64\Holfoqcm.exe
        
        C:\Windows\system32\Holfoqcm.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3732
        
        C:\Windows\SysWOW64\Hibjli32.exe
        
        C:\Windows\system32\Hibjli32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3704
        
        C:\Windows\SysWOW64\Hlpfhe32.exe
        
        C:\Windows\system32\Hlpfhe32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2656
        
        C:\Windows\SysWOW64\Hidgai32.exe
        
        C:\Windows\system32\Hidgai32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:536
        
        C:\Windows\SysWOW64\Hpnoncim.exe
        
        C:\Windows\system32\Hpnoncim.exe
        34⤵
        Executes dropped EXE
        
        PID:4280
        
        C:\Windows\SysWOW64\Hekgfj32.exe
        
        C:\Windows\system32\Hekgfj32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2200
        
        C:\Windows\SysWOW64\Hlepcdoa.exe
        
        C:\Windows\system32\Hlepcdoa.exe
        36⤵
        Executes dropped EXE
        
        PID:3252
        
        C:\Windows\SysWOW64\Hoclopne.exe
        
        C:\Windows\system32\Hoclopne.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Hiipmhmk.exe
        
        C:\Windows\system32\Hiipmhmk.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4704
        
        C:\Windows\SysWOW64\Hlglidlo.exe
        
        C:\Windows\system32\Hlglidlo.exe
        39⤵
        Executes dropped EXE
        
        PID:3700
        
        C:\Windows\SysWOW64\Ibaeen32.exe
        
        C:\Windows\system32\Ibaeen32.exe
        40⤵
        Executes dropped EXE
        
        PID:3860
        
        C:\Windows\SysWOW64\Iepaaico.exe
        
        C:\Windows\system32\Iepaaico.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3528
        
        C:\Windows\SysWOW64\Imgicgca.exe
        
        C:\Windows\system32\Imgicgca.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Windows\SysWOW64\Ipeeobbe.exe
        
        C:\Windows\system32\Ipeeobbe.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:996
        
        C:\Windows\SysWOW64\Ifomll32.exe
        
        C:\Windows\system32\Ifomll32.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2412
        
        C:\Windows\SysWOW64\Imiehfao.exe
        
        C:\Windows\system32\Imiehfao.exe
        45⤵
        Executes dropped EXE
        
        PID:3796
        
        C:\Windows\SysWOW64\Ipgbdbqb.exe
        
        C:\Windows\system32\Ipgbdbqb.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3636
        
        C:\Windows\SysWOW64\Iedjmioj.exe
        
        C:\Windows\system32\Iedjmioj.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3684
        
        C:\Windows\SysWOW64\Ilnbicff.exe
        
        C:\Windows\system32\Ilnbicff.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1416
        
        C:\Windows\SysWOW64\Iomoenej.exe
        
        C:\Windows\system32\Iomoenej.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1936
        
        C:\Windows\SysWOW64\Iefgbh32.exe
        
        C:\Windows\system32\Iefgbh32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4200
        
        C:\Windows\SysWOW64\Ilqoobdd.exe
        
        C:\Windows\system32\Ilqoobdd.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3324
        
        C:\Windows\SysWOW64\Igfclkdj.exe
        
        C:\Windows\system32\Igfclkdj.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4088
        
        C:\Windows\SysWOW64\Ipoheakj.exe
        
        C:\Windows\system32\Ipoheakj.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4024
        
        C:\Windows\SysWOW64\Jghpbk32.exe
        
        C:\Windows\system32\Jghpbk32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1368
        
        C:\Windows\SysWOW64\Jmbhoeid.exe
        
        C:\Windows\system32\Jmbhoeid.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Windows\SysWOW64\Jpaekqhh.exe
        
        C:\Windows\system32\Jpaekqhh.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4408
        
        C:\Windows\SysWOW64\Jcoaglhk.exe
        
        C:\Windows\system32\Jcoaglhk.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Jenmcggo.exe
        
        C:\Windows\system32\Jenmcggo.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3336
        
        C:\Windows\SysWOW64\Jpcapp32.exe
        
        C:\Windows\system32\Jpcapp32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Windows\SysWOW64\Jepjhg32.exe
        
        C:\Windows\system32\Jepjhg32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2284
        
        C:\Windows\SysWOW64\Jngbjd32.exe
        
        C:\Windows\system32\Jngbjd32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4464
        
        C:\Windows\SysWOW64\Jpenfp32.exe
        
        C:\Windows\system32\Jpenfp32.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3616
        
        C:\Windows\SysWOW64\Jgpfbjlo.exe
        
        C:\Windows\system32\Jgpfbjlo.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\Jphkkpbp.exe
        
        C:\Windows\system32\Jphkkpbp.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3200
        
        C:\Windows\SysWOW64\Jokkgl32.exe
        
        C:\Windows\system32\Jokkgl32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1112
        
        C:\Windows\SysWOW64\Jnlkedai.exe
        
        C:\Windows\system32\Jnlkedai.exe
        66⤵
        Drops file in System32 directory
        
        PID:4412
        
        C:\Windows\SysWOW64\Komhll32.exe
        
        C:\Windows\system32\Komhll32.exe
        67⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\Kgdpni32.exe
        
        C:\Windows\system32\Kgdpni32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4824
        
        C:\Windows\SysWOW64\Knnhjcog.exe
        
        C:\Windows\system32\Knnhjcog.exe
        69⤵
        Drops file in System32 directory
        
        PID:1812
        
        C:\Windows\SysWOW64\Klahfp32.exe
        
        C:\Windows\system32\Klahfp32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Kgflcifg.exe
        
        C:\Windows\system32\Kgflcifg.exe
        71⤵
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Knqepc32.exe
        
        C:\Windows\system32\Knqepc32.exe
        72⤵
        Drops file in System32 directory
        
        PID:4980
        
        C:\Windows\SysWOW64\Klcekpdo.exe
        
        C:\Windows\system32\Klcekpdo.exe
        73⤵
        
        PID:992
        
        C:\Windows\SysWOW64\Kflide32.exe
        
        C:\Windows\system32\Kflide32.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:1132
        
        C:\Windows\SysWOW64\Klfaapbl.exe
        
        C:\Windows\system32\Klfaapbl.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\Kodnmkap.exe
        
        C:\Windows\system32\Kodnmkap.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3580
        
        C:\Windows\SysWOW64\Kgkfnh32.exe
        
        C:\Windows\system32\Kgkfnh32.exe
        77⤵
        Drops file in System32 directory
        
        PID:3988
        
        C:\Windows\SysWOW64\Klhnfo32.exe
        
        C:\Windows\system32\Klhnfo32.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:3436
        
        C:\Windows\SysWOW64\Kofkbk32.exe
        
        C:\Windows\system32\Kofkbk32.exe
        79⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\Kfpcoefj.exe
        
        C:\Windows\system32\Kfpcoefj.exe
        80⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\Lljklo32.exe
        
        C:\Windows\system32\Lljklo32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Lcdciiec.exe
        
        C:\Windows\system32\Lcdciiec.exe
        82⤵
        Modifies registry class
        
        PID:4916
        
        C:\Windows\SysWOW64\Lfbped32.exe
        
        C:\Windows\system32\Lfbped32.exe
        83⤵
        Drops file in System32 directory
        
        PID:5052
        
        C:\Windows\SysWOW64\Lfeljd32.exe
        
        C:\Windows\system32\Lfeljd32.exe
        84⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\Ljqhkckn.exe
        
        C:\Windows\system32\Ljqhkckn.exe
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:5160
        
        C:\Windows\SysWOW64\Llodgnja.exe
        
        C:\Windows\system32\Llodgnja.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5240
        
        C:\Windows\SysWOW64\Lfgipd32.exe
        
        C:\Windows\system32\Lfgipd32.exe
        87⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Lckiihok.exe
        
        C:\Windows\system32\Lckiihok.exe
        88⤵
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Lfjfecno.exe
        
        C:\Windows\system32\Lfjfecno.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5432
        
        C:\Windows\SysWOW64\Lmdnbn32.exe
        
        C:\Windows\system32\Lmdnbn32.exe
        90⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Mmfkhmdi.exe
        
        C:\Windows\system32\Mmfkhmdi.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:5536
        
        C:\Windows\SysWOW64\Modgdicm.exe
        
        C:\Windows\system32\Modgdicm.exe
        92⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\Mcpcdg32.exe
        
        C:\Windows\system32\Mcpcdg32.exe
        93⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5620
        
        C:\Windows\SysWOW64\Mjjkaabc.exe
        
        C:\Windows\system32\Mjjkaabc.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5664
        
        C:\Windows\SysWOW64\Mnegbp32.exe
        
        C:\Windows\system32\Mnegbp32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5708
        
        C:\Windows\SysWOW64\Mogcihaj.exe
        
        C:\Windows\system32\Mogcihaj.exe
        96⤵
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Mfqlfb32.exe
        
        C:\Windows\system32\Mfqlfb32.exe
        97⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\Mjlhgaqp.exe
        
        C:\Windows\system32\Mjlhgaqp.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Mmkdcm32.exe
        
        C:\Windows\system32\Mmkdcm32.exe
        99⤵
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Moipoh32.exe
        
        C:\Windows\system32\Moipoh32.exe
        100⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Mgphpe32.exe
        
        C:\Windows\system32\Mgphpe32.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5976
        
        C:\Windows\SysWOW64\Mjodla32.exe
        
        C:\Windows\system32\Mjodla32.exe
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:6020
        
        C:\Windows\SysWOW64\Mnjqmpgg.exe
        
        C:\Windows\system32\Mnjqmpgg.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6072
        
        C:\Windows\SysWOW64\Mcgiefen.exe
        
        C:\Windows\system32\Mcgiefen.exe
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:6116
        
        C:\Windows\SysWOW64\Mjaabq32.exe
        
        C:\Windows\system32\Mjaabq32.exe
        105⤵
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Mnmmboed.exe
        
        C:\Windows\system32\Mnmmboed.exe
        106⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Monjjgkb.exe
        
        C:\Windows\system32\Monjjgkb.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Mgeakekd.exe
        
        C:\Windows\system32\Mgeakekd.exe
        108⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\Nggnadib.exe
        
        C:\Windows\system32\Nggnadib.exe
        109⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\Njfkmphe.exe
        
        C:\Windows\system32\Njfkmphe.exe
        110⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Ngjkfd32.exe
        
        C:\Windows\system32\Ngjkfd32.exe
        111⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\Nflkbanj.exe
        
        C:\Windows\system32\Nflkbanj.exe
        112⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\Nncccnol.exe
        
        C:\Windows\system32\Nncccnol.exe
        113⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\Nglhld32.exe
        
        C:\Windows\system32\Nglhld32.exe
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:5876
        
        C:\Windows\SysWOW64\Ngndaccj.exe
        
        C:\Windows\system32\Ngndaccj.exe
        115⤵
        System Location Discovery: System Language Discovery
        
        PID:5924
        
        C:\Windows\SysWOW64\Nfaemp32.exe
        
        C:\Windows\system32\Nfaemp32.exe
        116⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\Nagiji32.exe
        
        C:\Windows\system32\Nagiji32.exe
        117⤵
        Drops file in System32 directory
        
        PID:6060
        
        C:\Windows\SysWOW64\Nceefd32.exe
        
        C:\Windows\system32\Nceefd32.exe
        118⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\Ngqagcag.exe
        
        C:\Windows\system32\Ngqagcag.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5136
        
        C:\Windows\SysWOW64\Omnjojpo.exe
        
        C:\Windows\system32\Omnjojpo.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5424
        
        C:\Windows\SysWOW64\Oplfkeob.exe
        
        C:\Windows\system32\Oplfkeob.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5548
        
        C:\Windows\SysWOW64\Ocgbld32.exe
        
        C:\Windows\system32\Ocgbld32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5632
        
        C:\Windows\SysWOW64\Ogcnmc32.exe
        
        C:\Windows\system32\Ogcnmc32.exe
        123⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\Ojajin32.exe
        
        C:\Windows\system32\Ojajin32.exe
        124⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\Oakbehfe.exe
        
        C:\Windows\system32\Oakbehfe.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Opnbae32.exe
        
        C:\Windows\system32\Opnbae32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6048
        
        C:\Windows\SysWOW64\Ogekbb32.exe
        
        C:\Windows\system32\Ogekbb32.exe
        127⤵
        System Location Discovery: System Language Discovery
        
        PID:5172
        
        C:\Windows\SysWOW64\Ofhknodl.exe
        
        C:\Windows\system32\Ofhknodl.exe
        128⤵
        System Location Discovery: System Language Discovery
        
        PID:5440
        
        C:\Windows\SysWOW64\Ojdgnn32.exe
        
        C:\Windows\system32\Ojdgnn32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Ombcji32.exe
        
        C:\Windows\system32\Ombcji32.exe
        130⤵
        System Location Discovery: System Language Discovery
        
        PID:5728
        
        C:\Windows\SysWOW64\Oanokhdb.exe
        
        C:\Windows\system32\Oanokhdb.exe
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:5972
        
        C:\Windows\SysWOW64\Oclkgccf.exe
        
        C:\Windows\system32\Oclkgccf.exe
        132⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\Ofkgcobj.exe
        
        C:\Windows\system32\Ofkgcobj.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5312
        
        C:\Windows\SysWOW64\Ojfcdnjc.exe
        
        C:\Windows\system32\Ojfcdnjc.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5716
        
        C:\Windows\SysWOW64\Opclldhj.exe
        
        C:\Windows\system32\Opclldhj.exe
        135⤵
        Drops file in System32 directory
        
        PID:5940
        
        C:\Windows\SysWOW64\Ofmdio32.exe
        
        C:\Windows\system32\Ofmdio32.exe
        136⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Omgmeigd.exe
        
        C:\Windows\system32\Omgmeigd.exe
        137⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\Opeiadfg.exe
        
        C:\Windows\system32\Opeiadfg.exe
        138⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Ohlqcagj.exe
        
        C:\Windows\system32\Ohlqcagj.exe
        139⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\Pjkmomfn.exe
        
        C:\Windows\system32\Pjkmomfn.exe
        140⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\Pmiikh32.exe
        
        C:\Windows\system32\Pmiikh32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6152
        
        C:\Windows\SysWOW64\Ppgegd32.exe
        
        C:\Windows\system32\Ppgegd32.exe
        142⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6196
        
        C:\Windows\SysWOW64\Phonha32.exe
        
        C:\Windows\system32\Phonha32.exe
        143⤵
        System Location Discovery: System Language Discovery
        
        PID:6236
        
        C:\Windows\SysWOW64\Pnifekmd.exe
        
        C:\Windows\system32\Pnifekmd.exe
        144⤵
        Modifies registry class
        
        PID:6288
        
        C:\Windows\SysWOW64\Pagbaglh.exe
        
        C:\Windows\system32\Pagbaglh.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6332
        
        C:\Windows\SysWOW64\Phajna32.exe
        
        C:\Windows\system32\Phajna32.exe
        146⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\Pfdjinjo.exe
        
        C:\Windows\system32\Pfdjinjo.exe
        147⤵
        Drops file in System32 directory
        
        PID:6416
        
        C:\Windows\SysWOW64\Pmnbfhal.exe
        
        C:\Windows\system32\Pmnbfhal.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6460
        
        C:\Windows\SysWOW64\Pplobcpp.exe
        
        C:\Windows\system32\Pplobcpp.exe
        149⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\Phcgcqab.exe
        
        C:\Windows\system32\Phcgcqab.exe
        150⤵
        System Location Discovery: System Language Discovery
        
        PID:6548
        
        C:\Windows\SysWOW64\Pffgom32.exe
        
        C:\Windows\system32\Pffgom32.exe
        151⤵
        System Location Discovery: System Language Discovery
        
        PID:6588
        
        C:\Windows\SysWOW64\Palklf32.exe
        
        C:\Windows\system32\Palklf32.exe
        152⤵
        Modifies registry class
        
        PID:6628
        
        C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        153⤵
        System Location Discovery: System Language Discovery
        
        PID:6672
        
        C:\Windows\SysWOW64\Pmblagmf.exe
        
        C:\Windows\system32\Pmblagmf.exe
        154⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6716
        
        C:\Windows\SysWOW64\Ppahmb32.exe
        
        C:\Windows\system32\Ppahmb32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6756
        
        C:\Windows\SysWOW64\Qmeigg32.exe
        
        C:\Windows\system32\Qmeigg32.exe
        156⤵
        Modifies registry class
        
        PID:6812
        
        C:\Windows\SysWOW64\Qpcecb32.exe
        
        C:\Windows\system32\Qpcecb32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6876
        
        C:\Windows\SysWOW64\Qjiipk32.exe
        
        C:\Windows\system32\Qjiipk32.exe
        158⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\Qodeajbg.exe
        
        C:\Windows\system32\Qodeajbg.exe
        159⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\Qacameaj.exe
        
        C:\Windows\system32\Qacameaj.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7004
        
        C:\Windows\SysWOW64\Ahmjjoig.exe
        
        C:\Windows\system32\Ahmjjoig.exe
        161⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7052
        
        C:\Windows\SysWOW64\Aogbfi32.exe
        
        C:\Windows\system32\Aogbfi32.exe
        162⤵
        Drops file in System32 directory
        
        PID:7096
        
        C:\Windows\SysWOW64\Aaenbd32.exe
        
        C:\Windows\system32\Aaenbd32.exe
        163⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\Ahofoogd.exe
        
        C:\Windows\system32\Ahofoogd.exe
        164⤵
        System Location Discovery: System Language Discovery
        
        PID:5884
        
        C:\Windows\SysWOW64\Aknbkjfh.exe
        
        C:\Windows\system32\Aknbkjfh.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6212
        
        C:\Windows\SysWOW64\Aoioli32.exe
        
        C:\Windows\system32\Aoioli32.exe
        166⤵
        Drops file in System32 directory
        
        PID:6276
        
        C:\Windows\SysWOW64\Apjkcadp.exe
        
        C:\Windows\system32\Apjkcadp.exe
        167⤵
        System Location Discovery: System Language Discovery
        
        PID:6344
        
        C:\Windows\SysWOW64\Ahaceo32.exe
        
        C:\Windows\system32\Ahaceo32.exe
        168⤵
        Drops file in System32 directory
        
        PID:6400
        
        C:\Windows\SysWOW64\Agdcpkll.exe
        
        C:\Windows\system32\Agdcpkll.exe
        169⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\Aokkahlo.exe
        
        C:\Windows\system32\Aokkahlo.exe
        170⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6536
        
        C:\Windows\SysWOW64\Aajhndkb.exe
        
        C:\Windows\system32\Aajhndkb.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6620
        
        C:\Windows\SysWOW64\Adhdjpjf.exe
        
        C:\Windows\system32\Adhdjpjf.exe
        172⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\Akblfj32.exe
        
        C:\Windows\system32\Akblfj32.exe
        173⤵
        System Location Discovery: System Language Discovery
        
        PID:3492
        
        C:\Windows\SysWOW64\Amqhbe32.exe
        
        C:\Windows\system32\Amqhbe32.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6796
        
        C:\Windows\SysWOW64\Apodoq32.exe
        
        C:\Windows\system32\Apodoq32.exe
        175⤵
        System Location Discovery: System Language Discovery
        
        PID:6884
        
        C:\Windows\SysWOW64\Agimkk32.exe
        
        C:\Windows\system32\Agimkk32.exe
        176⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6952
        
        C:\Windows\SysWOW64\Aopemh32.exe
        
        C:\Windows\system32\Aopemh32.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7012
        
        C:\Windows\SysWOW64\Aaoaic32.exe
        
        C:\Windows\system32\Aaoaic32.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7080
        
        C:\Windows\SysWOW64\Bdmmeo32.exe
        
        C:\Windows\system32\Bdmmeo32.exe
        179⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7148
        
        C:\Windows\SysWOW64\Bobabg32.exe
        
        C:\Windows\system32\Bobabg32.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6188
        
        C:\Windows\SysWOW64\Baannc32.exe
        
        C:\Windows\system32\Baannc32.exe
        181⤵
        Modifies registry class
        
        PID:6320
        
        C:\Windows\SysWOW64\Bhkfkmmg.exe
        
        C:\Windows\system32\Bhkfkmmg.exe
        182⤵
        Modifies registry class
        
        PID:6428
        
        C:\Windows\SysWOW64\Bkibgh32.exe
        
        C:\Windows\system32\Bkibgh32.exe
        183⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\Bhmbqm32.exe
        
        C:\Windows\system32\Bhmbqm32.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6640
        
        C:\Windows\SysWOW64\Bgpcliao.exe
        
        C:\Windows\system32\Bgpcliao.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6740
        
        C:\Windows\SysWOW64\Baegibae.exe
        
        C:\Windows\system32\Baegibae.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6860
        
        C:\Windows\SysWOW64\Bhpofl32.exe
        
        C:\Windows\system32\Bhpofl32.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6992
        
        C:\Windows\SysWOW64\Boihcf32.exe
        
        C:\Windows\system32\Boihcf32.exe
        188⤵
        Drops file in System32 directory
        
        PID:7104
        
        C:\Windows\SysWOW64\Bhblllfo.exe
        
        C:\Windows\system32\Bhblllfo.exe
        189⤵
        Modifies registry class
        
        PID:6180
        
        C:\Windows\SysWOW64\Boldhf32.exe
        
        C:\Windows\system32\Boldhf32.exe
        190⤵
        Drops file in System32 directory
        
        PID:6408
        
        C:\Windows\SysWOW64\Bnoddcef.exe
        
        C:\Windows\system32\Bnoddcef.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6568
        
        C:\Windows\SysWOW64\Cpmapodj.exe
        
        C:\Windows\system32\Cpmapodj.exe
        192⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6724
        
        C:\Windows\SysWOW64\Cdimqm32.exe
        
        C:\Windows\system32\Cdimqm32.exe
        193⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6940
        
        C:\Windows\SysWOW64\Ckbemgcp.exe
        
        C:\Windows\system32\Ckbemgcp.exe
        194⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7128
        
        C:\Windows\SysWOW64\Cponen32.exe
        
        C:\Windows\system32\Cponen32.exe
        195⤵
        Drops file in System32 directory
        
        PID:6404
        
        C:\Windows\SysWOW64\Chfegk32.exe
        
        C:\Windows\system32\Chfegk32.exe
        196⤵
        Modifies registry class
        
        PID:6604
        
        C:\Windows\SysWOW64\Coqncejg.exe
        
        C:\Windows\system32\Coqncejg.exe
        197⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6976
        
        C:\Windows\SysWOW64\Cpbjkn32.exe
        
        C:\Windows\system32\Cpbjkn32.exe
        198⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\Ckgohf32.exe
        
        C:\Windows\system32\Ckgohf32.exe
        199⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6872
        
        C:\Windows\SysWOW64\Cnfkdb32.exe
        
        C:\Windows\system32\Cnfkdb32.exe
        200⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6388
        
        C:\Windows\SysWOW64\Cdpcal32.exe
        
        C:\Windows\system32\Cdpcal32.exe
        201⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\Coegoe32.exe
        
        C:\Windows\system32\Coegoe32.exe
        202⤵
        
        PID:7132
        
        C:\Windows\SysWOW64\Cpfcfmlp.exe
        
        C:\Windows\system32\Cpfcfmlp.exe
        203⤵
        
        PID:7200
        
        C:\Windows\SysWOW64\Cklhcfle.exe
        
        C:\Windows\system32\Cklhcfle.exe
        204⤵
        
        PID:7240
        
        C:\Windows\SysWOW64\Cnjdpaki.exe
        
        C:\Windows\system32\Cnjdpaki.exe
        205⤵
        
        PID:7280
        
        C:\Windows\SysWOW64\Dhphmj32.exe
        
        C:\Windows\system32\Dhphmj32.exe
        206⤵
        
        PID:7328
        
        C:\Windows\SysWOW64\Dkndie32.exe
        
        C:\Windows\system32\Dkndie32.exe
        207⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7368
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        208⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7412
        
        C:\Windows\SysWOW64\Dpkmal32.exe
        
        C:\Windows\system32\Dpkmal32.exe
        209⤵
        
        PID:7456
        
        C:\Windows\SysWOW64\Dhbebj32.exe
        
        C:\Windows\system32\Dhbebj32.exe
        210⤵
        System Location Discovery: System Language Discovery
        
        PID:7496
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        211⤵
        
        PID:7536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7536 -s 220
        212⤵
        Program crash
        
        PID:7660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 7536 -ip 7536
1⤵
PID:7596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Agdcpkll.exe

Filesize
163KB

MD5
1200ec398791e467bacf75f44b1e4773

SHA1
793acca345ffbf1364be996f5789713b7c644d78

SHA256
aa96dfe8cfb634694e0b902e5d4187b8778e71b80786b8c05cbd2ce350bfab3d

SHA512
06a923bc33ae52f39a3c8caf68061ba6c99db307b56bde8774b17cfc24ffc2a6f76c71f59ea89a170ae03f3fe57fd87e95cce17a9b3443b5af6da664ca1924f0

Download Submit
C:\Windows\SysWOW64\Ahmjjoig.exe

Filesize
163KB

MD5
f3ae53d1cc95cd559d5823fab15a8f40

SHA1
d8ac98fb5d914f73ebbe0b601e30e35e890b039f

SHA256
7ce70b41fa0c98ba176cc3c671e8d94547b7cd6d8861d53f015e4adefb7d7e7d

SHA512
c3fd801d8d1fe5f7da59131ec8bdbaeb9e49df9e2e9af26e6ed813914e252adaa45e8dcbe60e339cbd10952c15e53a7d51a328525305274374f568d4ece71212

Download Submit
C:\Windows\SysWOW64\Aoioli32.exe

Filesize
163KB

MD5
ef4f1fcd3d3e83fe54435a429158b122

SHA1
e80a80ae449d70efc2fb73d6d20ca7c17c0ebd71

SHA256
698485210eedcddcad046b7984c44f4969318b07f98f6e6dce7fd65f17c8e4a0

SHA512
852a71f766ffd017ee2e38df4c02c8604d420f9f1b36b4f48406c5784fba0a552985140d9dffb78eb4a035cfcfcd2ad4dd12ca111ec1ed3b42a1fba809cb44f3

Download Submit
C:\Windows\SysWOW64\Apodoq32.exe

Filesize
163KB

MD5
82cf2dc415cb96a28ae9797ad2c86cb3

SHA1
6f858bfb4ca416059f5b346e8f9953f00730ec39

SHA256
b29cd53c542e21750ccddb0e3b8a7886f67efd73921b3325a3aa2049f1f84cf0

SHA512
0d5ca15335f74a99e20d3cf47c3015293002ae960d2bc678c9390a759915d28baf134c9d3974e14f0008f988552de8a64a301a7eec0a16fb47eb24f7c7eb1424

Download Submit
C:\Windows\SysWOW64\Baannc32.exe

Filesize
163KB

MD5
b031eb7b59e55342442a8c0252c22549

SHA1
875217ace81b115bdcad6eecbb0c59a62b5b0a70

SHA256
7c4f4fb6041649825b4f6726b8f7756d1c2db63737d194e2890802b13589b612

SHA512
9ab459bbdf938a9cd8530d314886efea41e10f0e53010c44764905dc988014160306e6fee87b53257fc0c89b0c00003586a22b9cffba54edfb1b5cb081cbcd6a

Download Submit
C:\Windows\SysWOW64\Bdmmeo32.exe

Filesize
163KB

MD5
c6193f43be0b0ab8280056c84282c823

SHA1
5d61f58cfec218fa0cb803ad8dba6697e1f5362f

SHA256
15d8d47fe0d9d6af52cee4bfc5a02f060921462e6472b67d0e909102e4d7f263

SHA512
954ad5e6ec15f49fffb38e6dc11a2b964e2086aca59471c9235d41970660f15e37d43cb5314c6fc23d762ed82c8cb405de3bcc63b65779a338bf3c0965eb148a

Download Submit
C:\Windows\SysWOW64\Bhblllfo.exe

Filesize
163KB

MD5
7123d5dc2ed7a426a3dee4aef77edafd

SHA1
bf45bc7128eebc4db6003cbefb46727bba3886c3

SHA256
ff2e7656f33a5df6f6ffc672bfd66d7568bbe2e6b95d85cdc66655b244d77d6e

SHA512
6c92ce3ef13b35c2c47cbe5c8bda7f24175b7504dfeb4b481a7ff344b75b75725ca10f77129bbfbfed2bf678342ef8c81a525b0ac01511991bd1a197c4d364c0

Download Submit
C:\Windows\SysWOW64\Bhmbqm32.exe

Filesize
163KB

MD5
4c9b127d619b07a24945101b642c7641

SHA1
754da98dd677ac37eeb799e85588aab18ac16866

SHA256
9cfd0ccdc20acc850a2d81a688d3c0db40508bfb2a4ef46078b10cd27daec33b

SHA512
64e93c18a8b5e9aedaacdc330dbb593fcf077ccd3e6023f65aa970fc4b651d96f590ea1163df208362e920b97a0f223a7534093e5dd6fc4092bbd59938969e35

Download Submit
C:\Windows\SysWOW64\Bhpofl32.exe

Filesize
163KB

MD5
3c1b36a48b6c9fa07ab92dae34c147de

SHA1
c9e23f1a61151a9ad8db2561c13e21a5125ae917

SHA256
8e10f8d00ee2ffa0c56fef5a0f23ab6e1e0e546f00943f65a7bbfd5e41a3246e

SHA512
dc494d3f9e06e7e922b8d70a62690faddd49733f334d40edfdcfbc0505578259ffa3f6d5ac1e43faef143d88a86217463276b52032450685440c258b380fecd1

Download Submit
C:\Windows\SysWOW64\Cdpcal32.exe

Filesize
163KB

MD5
236274ef5b533d06e100b09efe6c7b08

SHA1
2487049c88599cc3038b2c0aa12e41d32f4ed307

SHA256
f48b10a75e0082c76bdc25582a69f7948651d77e2c1bc851a26708ce4150ccab

SHA512
5bda55a90da58994db7024bf71c7287df2f72ff253c1adc5251f9c94ac0cc6224a51eb3a24061de7cdcaf691dd534735e2ca2c4b39638793140c77feffdedb60

Download Submit
C:\Windows\SysWOW64\Deqcbpld.exe

Filesize
163KB

MD5
60a7aee0b4736f13a3cd1da3531c228e

SHA1
2cf6bc3c27670bbb8a3f7a126240cd74d9f61d8f

SHA256
a13f8bbe3bf6479c6b5b2acd5bde585d9170d6a73f325f7a132ea031fd72eadd

SHA512
8448c1d523a1d94d0cc74163a638ca933c6af4078b651af8da029363582435b084b7af1924471ef57ab281529b53d1aa0a291b4519335189ec5a695426266e4c

Download Submit
C:\Windows\SysWOW64\Dflfac32.exe

Filesize
163KB

MD5
6195cb7a8a399fa5b46cc71021038448

SHA1
280cbb86c695348def43e4f81bfb91876d1fcee0

SHA256
7e7de424b95efefdf7620d264713f52a9497cfd49e1883a9dfd1a8e4ac4a278b

SHA512
b22d46291d0655c8ba57d61e93ca3fefabbe2bc9a6a4009ca8cc04e30370e99159781d1b1cda235d9832243976c324a88b1ad33126df6d5cc27111342cf20168

Download Submit
C:\Windows\SysWOW64\Dheibpje.exe

Filesize
163KB

MD5
0be387177a4d8c2259426262df286540

SHA1
ae8d23f67df7d7870b8adcfbf988920db316df6c

SHA256
30d4aae144b75f25eeadbdba6459f8a560ff80062692ec1ec5f5ae60fc6e7f43

SHA512
9bfb9116e0e5239b73e8d5e0bf829bb1665255859d710531fd3c3f22a4c0b316dcdf2e64040010996f7220e9a79cac70d2e5a872cfbfcc7b29a2ad7782571a9f

Download Submit
C:\Windows\SysWOW64\Digehphc.exe

Filesize
163KB

MD5
d7ec9061dbed58f6df48aad708ccb344

SHA1
221af845b966998459d2cd5068ab357d73fe4cbe

SHA256
1bb058b7ff58fdbdfa1efc9eaaaf96b9fa1329c44d8ac47e7b7f1ce45fedf965

SHA512
1389b2ae3749276088ce6053789e0b7f61cfceeb2b63a6c27b7466bd4a89fff8bfe82882413b9357a6aa3809e2fe4c23609e8177286cfb0501ba9cfa9f8d8790

Download Submit
C:\Windows\SysWOW64\Dkahilkl.exe

Filesize
163KB

MD5
6c09b6e99d992be406088d246604dfe1

SHA1
074fcc8aef3e4c9bf81a6e97784b401ef0e4f98e

SHA256
ac7db93694be2eb39a698ad1fff140ee5cf15a7a0d6a152fd7751082833df367

SHA512
1928d2ea45d8645114172b20960f735b7af6ceb351468dd8fd5c7e02cee95f975dec67802cff596517ebd5a1638419b3da3126c7ec930ceaa7a33b9d7d5e0435

Download Submit
C:\Windows\SysWOW64\Dkceokii.exe

Filesize
163KB

MD5
a6493556fa8711adc4aa72b2f8ca1e30

SHA1
760bc576d5567e9e945fbcaf7d3574448389e06c

SHA256
2ec45e0c0397d92366a0533c9a7a2320bed594ff806a32b73ff431e9049c0684

SHA512
83d2d8d1c87fc1d0e0618d178545f341f1c0129b79326ac5a22ba01fdeb322d3be981e13c929b776febd06fb6eb6b286cf0b9243f5caba1904d33847546da242

Download Submit
C:\Windows\SysWOW64\Dkndie32.exe

Filesize
163KB

MD5
0c33921a85a285a634b8df763532e5d4

SHA1
14570486ad884cadb33c4af99daaa20b69c8b076

SHA256
c5347f7283f12440e15c841ac644301c63b809d8a9ebde7fc8a26c21f1375021

SHA512
74a85af8f1b8a0b15d9d50b70b62cfb1e3ed1d8a9389a976a2ccbfb2ecc3b1f7aedc2791c0b31ceb93d78f4c9543e5971de3077510c1869195497e2e8a82d311

Download Submit
C:\Windows\SysWOW64\Dmennnni.exe

Filesize
163KB

MD5
21145d7f6f69a1332dfa1a2a0dbde299

SHA1
c017709d51638e52714340803f260eee98d7fcc9

SHA256
5d8284e32b27fcf697f0f2ea5879c65b05acead07655ecf73df69cde795075cd

SHA512
289ae22e0e5fff790352c3883ff16488868b13c85303cbb41cc9642f24d9ba4bfe1d171576bf1975f02a1a4e0217d05480cfa11975b22cd7fd0dda94bbafc0f8

Download Submit
C:\Windows\SysWOW64\Eecphp32.exe

Filesize
163KB

MD5
095d4217aff6b3705621f40804d13e20

SHA1
2273f15b754360c9655c074a3f771e8dd8c6ab24

SHA256
aa44832241fec2bbef4ebee7072439be6fc4bd3b45e1b669c9db6d90705ecb05

SHA512
f83f90348bcba171197bc302b6863abdbd27ffe2e1ab8efb2b201ced055c76541532249099d37ef7a46d7e3fda284820b520c73f4ddd5710e4c4797ada4da472

Download Submit
C:\Windows\SysWOW64\Eejeiocj.exe

Filesize
163KB

MD5
26c33b2da8854f017cab3adc3f93cfec

SHA1
b5a334b9937ce8eacdbb38cd23fb9c960bf745dd

SHA256
cc2e03229de36eceaf325cfa2a4e91ba10628946c84f31c742ea02f1fa7f8342

SHA512
5440d1d7ddfa08d0179a7f9b3ee32deb2ecd51e6973e83437646f7975d6e8a53aa14967d990e612bf01b3aaed826119a55d0186ed43e0daddaacad05a76a4ea4

Download Submit
C:\Windows\SysWOW64\Efblbbqd.exe

Filesize
163KB

MD5
cb2f2a289b1920c230ae822916cd8251

SHA1
536e088d20609ad96bc2dab74508eb3fe2871674

SHA256
419db6ef5a5a1bff57bca7c8e60c4e6722cfa70659e8d8ac4310d7bf00ac6c0e

SHA512
496f5dcca65ea3520bbef5557f797e90f01d8484a688aa708c543b6fae8c9ae5143cd2421099eb9d548af72fb91a04a0290a3b68227028bbdbdac67f86f7bfe6

Download Submit
C:\Windows\SysWOW64\Efeihb32.exe

Filesize
163KB

MD5
d570d0163e17f73d7cee281752de62c5

SHA1
79161b72d81974acf1e6c74036c954a437bb5c9c

SHA256
02b923185ac9535f7c56d3a166c7582abe28b62a0af2bc490e118d15b7f60e3d

SHA512
3d8cecccd8ea76714eee154758befc372af704a7a8e87efdebdb4611d2194d71fb53a781e4171b8b468eef2826365537dde624daac92e666196fc364b3a10ba1

Download Submit
C:\Windows\SysWOW64\Ekaapi32.exe

Filesize
163KB

MD5
91b4c9207992395a0dff5d8a67459b0c

SHA1
1b00310fd2bb8f9ebbb0637565902790b6698915

SHA256
8c15d45e6b0a769314fe79cf5c6936336724b15773899fe2c598983b727f7387

SHA512
e93e1b311d7497d0c24b6e4c6197f14d9b4c5cc9462b047c4b6ee96f444754e2bdd8c4d1e56f16bf0a321c4f327998e98df0e0385c779ef967490c6c6ac8f17e

Download Submit
C:\Windows\SysWOW64\Emanjldl.exe

Filesize
163KB

MD5
2dbd57ba7a3b1e62b0fb5799e1d5beb1

SHA1
8ee9e128ea5ff8aad8ecf9a05055ce4ea522f347

SHA256
f60bf79aeb28a7c8cf6aafed353a4f895169c0aa1846e90fd1473c18a9773852

SHA512
6a85e37ce0e523dd29f86172dc50c1bd78705e762ffe7c24ca021306be5d491f7630aa6bf6c7daa0d25b87d49173c02941a26878709489cd992c03db76b40a2c

Download Submit
C:\Windows\SysWOW64\Enigke32.exe

Filesize
163KB

MD5
6f3c43aaabcf978decf3c0cd1b6fda0a

SHA1
539bdf8078eaa02b52c2bb34771c70fad599f860

SHA256
187f03ea8b559d8bd338ab76223c3e32cc84a5b3d4f22c7e9fbd5c82558f8b06

SHA512
b3f78a110ed87967527273359e99483de2a94db44e8fdcbfa601abaaf827cfd539b8b27111b215a3c13d810775edea2f1ee47bd5907b13af4555b68200bbff61

Download Submit
C:\Windows\SysWOW64\Fbbpmb32.exe

Filesize
163KB

MD5
af07be5a15d8b4ae53787f2e80ac5c72

SHA1
3a42794b9354d558db28b0af1ac8cef2ac4d95c6

SHA256
490591e4eaefe6e88850454e6b8e1eb9bdf78441fff4d28ccad7ec5bcfb148e3

SHA512
0f8e9446fc01f77a38d4f6294410802f7b4f23293cc0f1cb4e877ba9c5cd1544f646b30a46c0d7d20d5bcfb380c93532be98f82294c8d18c4e96545d37acc992

Download Submit
C:\Windows\SysWOW64\Ffqhcq32.exe

Filesize
163KB

MD5
b54cc5969a50a2cf8bf06d3c0c5f3eb7

SHA1
14521ae0314cea929342735ced6c4e9ccc8fbeaa

SHA256
471f565fd797eb9d81ca6c08b0836a1363d819fe43e4d27eef160c8938670f8c

SHA512
2a50b6be167971a4f332d6a2948a76f198d82a945b11d6cdf898db9236e3c0c0dc1cb2040f6abb723f9364d6243e3fffee0426b4e1ed49d1ae05de63f2403f76

Download Submit
C:\Windows\SysWOW64\Fihnomjp.exe

Filesize
163KB

MD5
ed7cb490b6e6194d591879e6203b572c

SHA1
eec73228c75c6d0eb1a72a5837e31849d4e7925d

SHA256
6d9bb4d921a174c5dc0774edfca5b74d4c4b6a901ee25e2773fbbb508fb3e987

SHA512
df63219032711efc5c18edfd2a1ae68bf95aaba7c35bb7d711082da3a1d60c774521e4c94680c280d6be7931d53569933fb0068dbc985ff95d312c223698d8dd

Download Submit
C:\Windows\SysWOW64\Fijkdmhn.exe

Filesize
163KB

MD5
17b114f7ea0b7c5822e069f50ad55c91

SHA1
3dcf195a0c842f888bd66f5177a0d436fc880b2a

SHA256
e60a6a2d47c98572a12d818a4d766fe8ab4b83b8dfea49eef025a19dbbb62584

SHA512
45aaa36f409e2e7802f70a0f45162840c9f90741118d239a26b9708415b135424b64633552a7c0443782de8fd9d369d2e5e699f82c36e34482c453f29ff9b093

Download Submit
C:\Windows\SysWOW64\Fiodpl32.exe

Filesize
163KB

MD5
e6cfeab856764c17b505726762b39227

SHA1
2ecea70df5babd56d70e9e7c157b2b79ff99da43

SHA256
c330f0ee2f53f9ba8d51dd4b59e94ca89ea71748b66eee0b9eb0556b8b25bc41

SHA512
b154ce3df4eb6b1eda717b43b19c0b6191ee307d49a1ac64aa329ad8d08b3c5015a3c60ec03de81f249232842d7ddc342cd03b4efc2b8aebac00bdf55029d67c

Download Submit
C:\Windows\SysWOW64\Fmhdkknd.exe

Filesize
163KB

MD5
de0ea12e926416c9eddcc5878a9289ff

SHA1
1eedaad260293a29fd26f99f99998073211c492c

SHA256
6fe31b8f85e90e5503d61411a065c025a3ad2339c3fc5b8fa29ca88776d7ca38

SHA512
da615f98f20a6f13a5a9d11f2e10b33e3fc3b70cb7eb39b5f62742ea17d701602c3b22c5c3f6f078b621cb0917aeaacd2cf7717f8048b5d9bbd185c7f3887bf5

Download Submit
C:\Windows\SysWOW64\Fmkqpkla.exe

Filesize
163KB

MD5
1676fefd99226efbd349d6f99dae2280

SHA1
3fcf39247d5d7bf7b5fa89a49f1c2ee27375e196

SHA256
8c770f10fb13fd0ad78f578bf094c059dae79554597967bd912d3cf527ff8806

SHA512
71f8f0005a4fb7ac1a90da5e802f4c93d96cfb3621597343ef4f8a188e357d47a6878fcdda3633e171b5d8ca6bce784413ba11224fae1a69b34e4d8a1c151215

Download Submit
C:\Windows\SysWOW64\Fneggdhg.exe

Filesize
163KB

MD5
96b6c5148c823394ee603c4fc203e0cd

SHA1
2b52c3d0573dd22475871a6bc53a94a50a2a3b1c

SHA256
42e8e4e960ab6ae3c3c976b84acc1d6f85f7493d130f55113747c776132ff459

SHA512
8fdcf4bed0ac84a6f43c776aeb847f05fb6b1df9c9dc9a5f7a8b053bc859f7cf0722b095eabdf265b3680b6bc5b2a2f4c36f6fa4238dd24d43d53c8075e189e8

Download Submit
C:\Windows\SysWOW64\Fpdcag32.exe

Filesize
163KB

MD5
b404ef0e762d70c749a81d92bb924c44

SHA1
592543aac419b3603e898fc48046133c061b37f9

SHA256
6fc95af64239e99294aed1c17723d7e530d56d4e06c27baafd0503d2ea1ea224

SHA512
283a97bae425bcecd089fe95f085cf2a0eff9c120d72d99223063a330312a44b41f08279543ebe0fa456da9463a8d8ab7bb966c3dce40f4f1df0b144a0c3f3d2

Download Submit
C:\Windows\SysWOW64\Gikdkj32.exe

Filesize
163KB

MD5
0553b9e6bc4e32eaa517234f35c7bc8c

SHA1
703edf51e73346a853de4a41e0df0a5d0d5302c6

SHA256
936b631b470d90abc4025d2b541ee80582be266d10e4b66f305e9e082ec8a206

SHA512
17770496cee7fd337c7334b250e1a1376c97e1bd9159d644aed0f797c74b7695ce1a2d5485112c1bd7e6cc54badb7903cdde64a6841583e7be3762aa6e79cf85

Download Submit
C:\Windows\SysWOW64\Gmdcfidg.exe

Filesize
163KB

MD5
f1e39a484da54e1a11e2c96c0b7317c9

SHA1
c9d22ac3f625c0622cabfd4bb5021ceeccc1c897

SHA256
103640b717d5f53fc4a94f9758979571131cc35bc11eb0146db44692d01b1846

SHA512
a43fec7c6cc74e854f7448fd69b54a7b033b131d7aa50e8c17f8c05f24d1d94f0e4989a63a94ddd8d8cda75c976bb51b7668b5b24539997a333102698da881ee

Download Submit
C:\Windows\SysWOW64\Gncchb32.exe

Filesize
163KB

MD5
5843141aefbc858ed0b07168c64c2e10

SHA1
4954af73a5165bf017b035705fa79a3325feed76

SHA256
14d36c25d9456d0866c6ac36ac1cdb88de37087f84be4dea62ec2738d31ebafd

SHA512
cff321836e1227e3c34b2cd427a1fc9e22d4721394376cdb0e8391e707e7c5f7f4b0ad71c626c5238adc3799d290a7c122ec49457e74dc84fdfeae5beeda0fa2

Download Submit
C:\Windows\SysWOW64\Gpgind32.exe

Filesize
163KB

MD5
d522654e385dee35166c161d1f57f05e

SHA1
231eba2c5e2f1605579ac8d3003660c5747dcf5e

SHA256
60948d5dc04683010abb0e7a927325f4774fdf2ed0d4205b999e9bccb335b31a

SHA512
8eb8433b248066fc8a37c0edd1e9c8d3240c85687a018249fafc37fd3e83637c640bbee19d08f680fdb3ff280671c8240d56fc16c0fcd28d65fe733146b465ad

Download Submit
C:\Windows\SysWOW64\Hibjli32.exe

Filesize
163KB

MD5
1391ea0b849f0b5f0341f7f7b4eaef24

SHA1
1b8bc7f863d21e0070713a5297610a1ac624945a

SHA256
41b2ae4398683c8e7b81ddefefa7313598f3e98d0cfedda60a7830b960905455

SHA512
2d7d9aa8850f09f9c4119f33220dd37fe1a00319df1e0e2fce5a0ff93c82a77cdb9fb0fd8cf387d2c6b8591fe70b2745569b9c9dd6e9a842bcdde667b85d51e8

Download Submit
C:\Windows\SysWOW64\Hidgai32.exe

Filesize
163KB

MD5
decec6c4691a4ad69fa68c463144c6a5

SHA1
19a4577b9c8f06dd6f2eff0bb3b92b8dfbace57d

SHA256
356dda5d8b0efed9638dae182b0691c8f3d128e053618e96d63c61b97205d7ac

SHA512
5aeb1bfadb39e96850185d6aa123f059f3ba3304fee092ebb8fef721bd83e75d671dd8024db2cd5bba5db241b1115a18d859d228195cbdc29b197bc276bc57ae

Download Submit
C:\Windows\SysWOW64\Hipmfjee.exe

Filesize
163KB

MD5
b179c910c9ee60c7bdbe4cbaee41c77b

SHA1
bf60aa51dc99fe8f4067a58031796c9d2f8e2cab

SHA256
1cdf59c68b8585e0ab8019f62cf8edad47392cef4bfb81307a6110f50c419b02

SHA512
4655b945b21080207bacdd35986254b9a79023b2a208fafa6522d82b886a23a89f873f4547bff8f65039a26f955ea2ff963811c3765972b55ac5230fded2b2a0

Download Submit
C:\Windows\SysWOW64\Hlpfhe32.exe

Filesize
163KB

MD5
2de0de660554db338079dec6e5d5462d

SHA1
b5a39ce23a9f8f32f9915d703c6dc8977aa879c3

SHA256
cafda427c513c2a93b8f2706f982458e6d8fd6a80ca059bda65853c06eb36630

SHA512
788da4ad63deb5d96b0fa28ca6c19b8a025506b40c798d88a35dff54c864803cbd9ab4e81684117054f9e74f6d86d07f532a2b48b4287c1a76cf26da1ff9f7e5

Download Submit
C:\Windows\SysWOW64\Holfoqcm.exe

Filesize
163KB

MD5
6d3ac4083d9aba34fe4961a6c440bc52

SHA1
4dd07f06a32c22c978731af40045b970578bb190

SHA256
10666ebcf96cd942df6935a44b77b3d00ec606a7c68d1f39db65b45270f69bb6

SHA512
aae0b9abe0b867da6dff3f319b4f960ad3c6462ab857b058d79b8a2f12c0eb0bc9f774da77177cde531f51b3e61d0dfa32c36b9c6ec75075ea1a8a7163d6c748

Download Submit
C:\Windows\SysWOW64\Ibaeen32.exe

Filesize
163KB

MD5
8e2429ce19db7d7e200f98f5a3fc1f8a

SHA1
301ce57b63c5f5b7a903eed40f3d2449ff314639

SHA256
5e9ff6e64a7c3a11011ebec6427df741981f80342f067791c59ddfd106e1a4d2

SHA512
4c36eb76ccf36ef3820eb9d876b36fecb2a85080cbdb86a87ac95694cd1f40a3a0ea492580cc66249bde903eeff183a087398649eda360f099b5dcb8d0417ca6

Download Submit
C:\Windows\SysWOW64\Jngbjd32.exe

Filesize
163KB

MD5
c644ffca5643570811d6a7137eaf02a3

SHA1
0c77462fafa2c54b76c76f15458fc5a20392a5d5

SHA256
3323d125fbeef8a7997cacf2ddf5cbfda45b09289ab09135f993cb0150326850

SHA512
40e649daa537fc297b0762580e856a6e3bd6a7c54bd14fe4f3248cf25a500b7f37b795d37603054e88d5dc4411faf382a2a0be9dac9606bc32dfb0b5bcea789b

Download Submit
C:\Windows\SysWOW64\Klcekpdo.exe

Filesize
163KB

MD5
a2ce0d69d97633f038e708be75ef2bd1

SHA1
0c7ab6eb27a7b547940eb7c5a4b9637df52cf957

SHA256
435f015109a4a5f7c8447c4001e18ca320be3b966164054a08eb28b3a104c513

SHA512
82d9da32722dc21b925f522bff63d64efbdb24c34bc9a12e82a490cdbe2d7151949be21a89c71d7ddbf008ed135e4459e2e5b36630354b9cc9aca037e6396b23

Download Submit
C:\Windows\SysWOW64\Mjlhgaqp.exe

Filesize
163KB

MD5
3f4ae44770b1940addfd2c542cac73d1

SHA1
f5c4051d936d4dbf0c2158ae68571b0a6be1ec5e

SHA256
418e229451b1e792d92cc5a567c039856cf82ec747e198a6748f6802337a5be1

SHA512
0561e360cc4eb7248f3a0a55991359382395f6e59abd9c86b91e04112f942d7fecc1715f46f859c25787cb707e9efa4719b4db32dde1076b746d48f1d95ec988

Download Submit
C:\Windows\SysWOW64\Mnegbp32.exe

Filesize
163KB

MD5
a722e0bbc55bfa7a06977029de7fa5d8

SHA1
1dc9c5a2c577b62bf6f1ffc9198a56b3fb0c35fb

SHA256
cfe7a38b322e36a4788dcc5594d57c943c2ff057e9257fdabf98bd61628afb7b

SHA512
b50179aae2dc6cb88169bb16b3c449da013c81b4021ba65bcc8399a599972f3cdf7159d8a0ebdea4aa55cbbbc2983e565163d43b250355b50d757c5e9bcafb4a

Download Submit
C:\Windows\SysWOW64\Mnjqmpgg.exe

Filesize
163KB

MD5
d08b0ecd17e67e9a34ceeae15eff039a

SHA1
3f78adfe3d86bc95ed527c62eff245df5510998a

SHA256
957703d9d206e19467633905df33907ce96b2f997a9833afa8c84788e7221e74

SHA512
13b267cf1886dcfaeb7c05fb4133e8c8d1d8c4dda343c84ec3b19b7b04ea02e8d67f68370dafae382865a15bd23736ee94036ae4a515e22d5e84359b8e8d5b61

Download Submit
C:\Windows\SysWOW64\Nagiji32.exe

Filesize
163KB

MD5
463a39976a31bde50e2fdb60804d5cb2

SHA1
ff1cda6d9370c2cd33b3b9a2e08fc5e0a244e73a

SHA256
2f8f0fe612fb055e9830cf5fac6da1fa28492fb9c7f50fc95532ae3d7e75186b

SHA512
eac684a60a0af407f67896e3c19ca2484a72bdabe60f3122ee153ba0f3a88b9d5a7880c445d6f844516e1e7c9a129c58e758cb4057e61045a67465ce9176dc02

Download Submit
C:\Windows\SysWOW64\Nggnadib.exe

Filesize
163KB

MD5
e258ef6573662a3ad54370d289952a05

SHA1
28034b5007fdcd88a6fa088fbc991771b8f605c5

SHA256
10d018f300ebae279e016d08ca4620ba23ba6de83660286e8fe78f1bd41b0619

SHA512
dbfcd6c28a0cd581f3dd9de92deabb9419ac0a1059d5484e8a9e7b7b248145e16ffa76faac8e83e74e2ace137a693d4ce6ac0f0192330dbb142c5214918673e2

Download Submit
C:\Windows\SysWOW64\Ngjkfd32.exe

Filesize
163KB

MD5
aa30ef71d47fdc9f1661d83ab5af7db0

SHA1
5433a6dc6e1c8f03be34845b9f150a5802da9f80

SHA256
6a333b6b4cce7166260c713c93215c68338310bee31ce06ead68c5337938ba28

SHA512
359e009eac9505fce59aa2d610c53620f750453dec5ed8f9dd455707ce719703c8ef07a44af767179dd14c25f92b0ec5357285ead8ad7307b90c6944d6bfe386

Download Submit
C:\Windows\SysWOW64\Nglhld32.exe

Filesize
163KB

MD5
599794f81b1b0178f3d5dfba964178c9

SHA1
fe2943096c1db84ec14ae3aa718c90238fc00f6a

SHA256
75a74aec0c02a643a190a640c35e6af955f2aa23185e8d46a6cddd303807c4ff

SHA512
a1faa4eb821ff3619cf47c12c62bbc0870ef89477b0faa1e369abbae331bc259d33385ad00ef33228d9350580a8aec08f1cab07a4479883b3edcaea15761c66a

Download Submit
C:\Windows\SysWOW64\Ojfcdnjc.exe

Filesize
163KB

MD5
711c92b3bf08c1447fe7c3092039d8b1

SHA1
06dad854b695f202c353a1712bf8645a8a143594

SHA256
2a5a76a79db093fb3e7ffee412e997399eeaa8647d10dee402cdb3f6c16e6d8c

SHA512
91d42dbd194d4b01b65e1136183419f6e603eb3eab26483367629e795220000b1bc1780e3ead4446a5186259db2f9609ea6ae3ba3650179051b1730fc39339e7

Download Submit
C:\Windows\SysWOW64\Omnjojpo.exe

Filesize
163KB

MD5
a2f3d0692f2d361a84741971a1c7eab2

SHA1
7ec6c99b0ba9cf9de1093bd77cb2bf6c60cc3db9

SHA256
ea8ed45ccbdc322af503300a145827146bcc6d45998b2919b884af0edac253c4

SHA512
f173ddfd2bf36162eff21fcd71c10a637d2b0cb9c679f299b1b880f89d7ee36b52245cd7c6f45d83324129ebd286eb16b44cb6017d728c80b04a5ca91b8a2840

Download Submit
C:\Windows\SysWOW64\Pffgom32.exe

Filesize
163KB

MD5
6923dfd67434ccb4d6c70f9f80089a59

SHA1
217a77eb6f5402ab1d1f298fef4ad0e839755217

SHA256
e486d3a3a2e62d82032f374fe808832d0b9d6bfb9e04d0f20659e78fd62908b1

SHA512
4cece493317fcfc8b9f0ad14135907ea1019e5ec413448598852551729435fc4fd1bad4429bcec5cc28fffe439a3078c0363ed1ee139694a9fc310790fed6839

Download Submit
C:\Windows\SysWOW64\Phfcipoo.exe

Filesize
163KB

MD5
776336a0ba3e0d1be9f3408f9b0974d3

SHA1
02f7be5e1496c3c0fdda38c98a3e23ec75a83338

SHA256
b32fcd6a275ad1ed478f30999fa249678f2893de4d382c387c4f74ebb87050a4

SHA512
afe10b26ff10be630d6369f74f11c8e08e0c1435abfe7b2dd3b99dffd711fefcfc8664e690c1217a01e8d10e9c3ac8019f1826a3c52b24185cbee166bc6efc4a

Download Submit
memory/536-255-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/548-128-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/664-17-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/664-557-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/688-113-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/992-495-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/996-316-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1048-570-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1048-33-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1112-447-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1132-501-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1176-603-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1176-72-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1368-382-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1388-97-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1416-346-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1460-550-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1460-8-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1524-121-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1540-411-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1592-477-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1644-150-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1716-192-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1812-476-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1936-352-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1972-81-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2008-507-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2036-157-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2124-544-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2200-268-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2232-583-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2232-49-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2284-417-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2300-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/2300-537-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2300-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2376-538-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2412-322-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2460-217-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2548-435-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2656-248-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2776-310-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2796-209-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3200-441-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3252-274-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3260-590-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3260-56-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3324-369-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3336-405-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3372-40-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3372-576-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3436-525-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3528-304-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3556-564-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3580-513-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3616-434-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3636-334-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3684-340-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3700-292-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3732-232-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3756-536-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3784-64-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3784-596-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3796-328-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3804-200-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3860-298-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3880-185-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3988-519-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4024-376-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4088-370-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4104-89-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4136-563-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4136-25-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4200-358-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4272-225-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4280-262-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4284-160-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4408-393-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4412-453-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4420-483-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4464-423-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4528-174-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4536-280-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4556-181-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4664-141-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4696-105-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4704-286-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4824-465-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4828-459-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4916-555-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4980-489-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5056-404-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5240-577-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5328-584-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5432-598-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5484-604-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/6088-1565-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/6116-1622-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/6400-1492-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/6796-1482-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/6924-1514-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads