berbew | db364e1fcbbfe6fda5592bcc47793b3e01423dc4ab998585a162ead17c1584eb

Analysis

max time kernel
93s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 19:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db364e1fcbbfe6fda5592bcc47793b3e01423dc4ab998585a162ead17c1584eb.exe
Size

80KB
MD5

feaab5efaf9f56d3f3e3311f673e67f6
SHA1

212a89ce3dda0dd9473286708f9cd8c15ef372f2
SHA256

db364e1fcbbfe6fda5592bcc47793b3e01423dc4ab998585a162ead17c1584eb
SHA512

8fc80cad1b78c13ab3bb14718b5668bf2cb70d8192ba83492d36b963b8f6a2b94beb4973e2de1474221a40d001f827dc0a8db5f25d704e4c639128dc006e236d
SSDEEP

1536:od/4sPA3bTAOdHmgpFpMMVLj2LWQS5DUHRbPa9b6i+sI8:lrTJMMVsBS5DSCopsI8

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmfcok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnfpinmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocohmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffqhcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gnqfcbnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbnoiqdq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiiicf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmfkhmdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Coqncejg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocjoadei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmpolgoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akdilipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hoclopne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iikmbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imkbnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Igfclkdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jepjhg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iibccgep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfmmplad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaenbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bknlbhhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	db364e1fcbbfe6fda5592bcc47793b3e01423dc4ab998585a162ead17c1584eb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jghpbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lflbkcll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnfpinmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddllkbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Paeelgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bajqda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gikdkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibfnqmpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jgbchj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcngpjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oplfkeob.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hipmfjee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iplkpa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npepkf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogekbb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfiplog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bacjdbch.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fealin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hifcgion.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nclbpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfaemp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aonhghjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljeafb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njhgbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfaemp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gejopl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hoeieolb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Igfclkdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kegpifod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljceqb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npiiffqe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpcecb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahofoogd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgqlcg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfcabp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Offnhpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdjgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbpchb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gflhoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlbcnd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbohpn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjgaoqm.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
4856	Fbpchb32.exe
4848	Fpdcag32.exe
3324	Fealin32.exe
4392	Fpgpgfmh.exe
4864	Ffqhcq32.exe
1596	Fpimlfke.exe
2464	Fmmmfj32.exe
416	Fnnjmbpm.exe
3032	Gidnkkpc.exe
4104	Gnqfcbnj.exe
2652	Gejopl32.exe
2528	Gldglf32.exe
3944	Gbnoiqdq.exe
2696	Gihgfk32.exe
4080	Gflhoo32.exe
3696	Gikdkj32.exe
3012	Gfodeohd.exe
2456	Gimqajgh.exe
224	Gojiiafp.exe
2180	Hipmfjee.exe
1492	Holfoqcm.exe
4156	Hibjli32.exe
4112	Hplbickp.exe
3940	Hffken32.exe
3624	Hidgai32.exe
2688	Hlbcnd32.exe
3420	Hifcgion.exe
1816	Hoclopne.exe
5000	Hbohpn32.exe
4932	Hlglidlo.exe
4084	Hoeieolb.exe
4356	Iikmbh32.exe
1560	Iebngial.exe
1360	Imiehfao.exe
2524	Ibfnqmpf.exe
536	Imkbnf32.exe
3040	Ipjoja32.exe
2864	Iibccgep.exe
3708	Iplkpa32.exe
908	Igfclkdj.exe
2548	Impliekg.exe
1964	Joahqn32.exe
3276	Jghpbk32.exe
660	Jiglnf32.exe
1412	Jleijb32.exe
3244	Jgkmgk32.exe
3448	Jiiicf32.exe
3820	Jepjhg32.exe
100	Jpenfp32.exe
3160	Jgpfbjlo.exe
4272	Jebfng32.exe
1048	Jphkkpbp.exe
440	Jgbchj32.exe
4868	Kpjgaoqm.exe
3088	Kegpifod.exe
4492	Klahfp32.exe
1096	Kckqbj32.exe
2644	Kjeiodek.exe
4600	Klcekpdo.exe
916	Koaagkcb.exe
1960	Kjgeedch.exe
4524	Klfaapbl.exe
2116	Kodnmkap.exe
4340	Kfnfjehl.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gnqfcbnj.exe	Gidnkkpc.exe
File created	C:\Windows\SysWOW64\Kbjpeo32.dll	Nmbjcljl.exe
File created	C:\Windows\SysWOW64\Nflnbh32.dll	Cpmapodj.exe
File opened for modification	C:\Windows\SysWOW64\Kfnfjehl.exe	Kodnmkap.exe
File created	C:\Windows\SysWOW64\Koaagkcb.exe	Klcekpdo.exe
File opened for modification	C:\Windows\SysWOW64\Nnfpinmi.exe	Nfohgqlg.exe
File created	C:\Windows\SysWOW64\Bkgeainn.exe	Bdmmeo32.exe
File created	C:\Windows\SysWOW64\Adnbpqkj.dll	Bacjdbch.exe
File created	C:\Windows\SysWOW64\Aaenbd32.exe	Qdaniq32.exe
File created	C:\Windows\SysWOW64\Ffqhcq32.exe	Fpgpgfmh.exe
File opened for modification	C:\Windows\SysWOW64\Hplbickp.exe	Hibjli32.exe
File created	C:\Windows\SysWOW64\Klqcmdnk.dll	Hidgai32.exe
File created	C:\Windows\SysWOW64\Ndnljbeg.dll	Lomqcjie.exe
File created	C:\Windows\SysWOW64\Fopjdidn.dll	Mqkiok32.exe
File opened for modification	C:\Windows\SysWOW64\Ocohmc32.exe	Oghghb32.exe
File created	C:\Windows\SysWOW64\Lmnbjama.dll	Pmpolgoi.exe
File created	C:\Windows\SysWOW64\Pnbddbhk.dll	Aajhndkb.exe
File created	C:\Windows\SysWOW64\Mgeakekd.exe	Mqkiok32.exe
File created	C:\Windows\SysWOW64\Pplobcpp.exe	Pmnbfhal.exe
File opened for modification	C:\Windows\SysWOW64\Chiblk32.exe	Caojpaij.exe
File created	C:\Windows\SysWOW64\Aolece32.dll	Fmmmfj32.exe
File created	C:\Windows\SysWOW64\Fogmlp32.dll	Hifcgion.exe
File created	C:\Windows\SysWOW64\Fhhfif32.dll	Jpenfp32.exe
File created	C:\Windows\SysWOW64\Nmfcok32.exe	Njhgbp32.exe
File created	C:\Windows\SysWOW64\Npepkf32.exe	Nmfcok32.exe
File created	C:\Windows\SysWOW64\Oghghb32.exe	Ogekbb32.exe
File created	C:\Windows\SysWOW64\Ocohmc32.exe	Oghghb32.exe
File created	C:\Windows\SysWOW64\Ibfnqmpf.exe	Imiehfao.exe
File created	C:\Windows\SysWOW64\Kfnfjehl.exe	Kodnmkap.exe
File created	C:\Windows\SysWOW64\Enjgeopm.dll	Npepkf32.exe
File created	C:\Windows\SysWOW64\Ehojko32.dll	Bknlbhhe.exe
File created	C:\Windows\SysWOW64\Domdocba.dll	Bnlhncgi.exe
File created	C:\Windows\SysWOW64\Hibjli32.exe	Holfoqcm.exe
File created	C:\Windows\SysWOW64\Lmaamn32.exe	Ljceqb32.exe
File opened for modification	C:\Windows\SysWOW64\Npiiffqe.exe	Nnhmnn32.exe
File created	C:\Windows\SysWOW64\Mqnbqh32.dll	Bphgeo32.exe
File opened for modification	C:\Windows\SysWOW64\Bajqda32.exe	Boldhf32.exe
File created	C:\Windows\SysWOW64\Gflhoo32.exe	Gihgfk32.exe
File opened for modification	C:\Windows\SysWOW64\Nmfcok32.exe	Njhgbp32.exe
File created	C:\Windows\SysWOW64\Hnflfgji.dll	Cponen32.exe
File opened for modification	C:\Windows\SysWOW64\Fpimlfke.exe	Ffqhcq32.exe
File created	C:\Windows\SysWOW64\Jghpbk32.exe	Joahqn32.exe
File created	C:\Windows\SysWOW64\Ljceqb32.exe	Lomqcjie.exe
File opened for modification	C:\Windows\SysWOW64\Paeelgnj.exe	Pnfiplog.exe
File created	C:\Windows\SysWOW64\Pmblagmf.exe	Pnplfj32.exe
File created	C:\Windows\SysWOW64\Cnfkdb32.exe	Ckgohf32.exe
File opened for modification	C:\Windows\SysWOW64\Fpgpgfmh.exe	Fealin32.exe
File created	C:\Windows\SysWOW64\Dahcld32.dll	Ipjoja32.exe
File created	C:\Windows\SysWOW64\Nkbjmj32.dll	Kckqbj32.exe
File opened for modification	C:\Windows\SysWOW64\Mqkiok32.exe	Mnmmboed.exe
File created	C:\Windows\SysWOW64\Dannpknl.dll	Nnfpinmi.exe
File created	C:\Windows\SysWOW64\Ondljl32.exe	Ofmdio32.exe
File opened for modification	C:\Windows\SysWOW64\Pdjgha32.exe	Pmpolgoi.exe
File created	C:\Windows\SysWOW64\Pcmdgodo.dll	Cgnomg32.exe
File opened for modification	C:\Windows\SysWOW64\Gidnkkpc.exe	Fnnjmbpm.exe
File opened for modification	C:\Windows\SysWOW64\Hibjli32.exe	Holfoqcm.exe
File created	C:\Windows\SysWOW64\Qfmmplad.exe	Qpcecb32.exe
File created	C:\Windows\SysWOW64\Ifaohg32.dll	Amcehdod.exe
File created	C:\Windows\SysWOW64\Paeelgnj.exe	Pnfiplog.exe
File created	C:\Windows\SysWOW64\Iophfi32.dll	Gojiiafp.exe
File created	C:\Windows\SysWOW64\Gddedlaq.dll	Kjlopc32.exe
File opened for modification	C:\Windows\SysWOW64\Bgnffj32.exe	Bmeandma.exe
File created	C:\Windows\SysWOW64\Chiblk32.exe	Caojpaij.exe
File created	C:\Windows\SysWOW64\Cgqlcg32.exe	Cdbpgl32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6904	6684	WerFault.exe	275

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gejopl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iebngial.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfohgqlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohlqcagj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgnffj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnmaea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hoclopne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hbohpn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jleijb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmfkhmdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gojiiafp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdagpnbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmnbfhal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amcehdod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjknfnh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdbpgl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ipjoja32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koaagkcb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljeafb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pagbaglh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmblagmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahofoogd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adkqoohc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caojpaij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hibjli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lqhdbm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmaamn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnjqmpgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhbebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaenbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhblllfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chiblk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnfkdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kodnmkap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgnbdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjola32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmdgikhi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfnfjehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apjkcadp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgpcliao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdpcal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npiiffqe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qobhkjdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Holfoqcm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hffken32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hoeieolb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lnldla32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibfnqmpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oplfkeob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ondljl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdenmbkk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aggpfkjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkgeainn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bacjdbch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fmmmfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kckqbj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljceqb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfjfecno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bahdob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iikmbh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjlopc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjjkaabc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahdpjn32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfcabp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlfpph32.dll"	Bmeandma.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhblllfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqopkcbn.dll"	db364e1fcbbfe6fda5592bcc47793b3e01423dc4ab998585a162ead17c1584eb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hifcgion.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aooold32.dll"	Lmaamn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjkaabc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmpolgoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddllkbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnmaea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fpgpgfmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kegpifod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iafphi32.dll"	Pnplfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Akdilipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmlmhc32.dll"	Caojpaij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnfkdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgnlkfal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cggkemhh.dll"	Qobhkjdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnaaib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgqlcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghndhd32.dll"	Mjcngpjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnfpinmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgplk32.dll"	Apjkcadp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Akdilipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjecbd32.dll"	Bgpcliao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhhfif32.dll"	Jpenfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cponen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gejopl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ffqhcq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iikmbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljceqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljeafb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmnbfhal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgaclkia.dll"	Hoclopne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jphkkpbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmbjcljl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndqojdee.dll"	Nfjola32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mqkiok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijilflah.dll"	Cdpcal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgnomg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbnoiqdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hplbickp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hoclopne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hebqnm32.dll"	Iikmbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbdmdpjg.dll"	Jgpfbjlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckkpjkai.dll"	Npgmpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aajhndkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekbmje32.dll"	Ahdpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cklgfgfg.dll"	Boldhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckebcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gabfbmnl.dll"	Mcelpggq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfaemp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofmdio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olaafabl.dll"	Cnaaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfnfjehl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oabhfg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qpcecb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfmmplad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cacckp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmpolgoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkhnbpne.dll"	Adkqoohc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmpdihki.dll"	Ffqhcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jebfng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efmnhl32.dll"	Ljeafb32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4040 wrote to memory of 4856	4040	db364e1fcbbfe6fda5592bcc47793b3e01423dc4ab998585a162ead17c1584eb.exe	83
PID 4040 wrote to memory of 4856	4040	db364e1fcbbfe6fda5592bcc47793b3e01423dc4ab998585a162ead17c1584eb.exe	83
PID 4040 wrote to memory of 4856	4040	db364e1fcbbfe6fda5592bcc47793b3e01423dc4ab998585a162ead17c1584eb.exe	83
PID 4856 wrote to memory of 4848	4856	Fbpchb32.exe	84
PID 4856 wrote to memory of 4848	4856	Fbpchb32.exe	84
PID 4856 wrote to memory of 4848	4856	Fbpchb32.exe	84
PID 4848 wrote to memory of 3324	4848	Fpdcag32.exe	85
PID 4848 wrote to memory of 3324	4848	Fpdcag32.exe	85
PID 4848 wrote to memory of 3324	4848	Fpdcag32.exe	85
PID 3324 wrote to memory of 4392	3324	Fealin32.exe	86
PID 3324 wrote to memory of 4392	3324	Fealin32.exe	86
PID 3324 wrote to memory of 4392	3324	Fealin32.exe	86
PID 4392 wrote to memory of 4864	4392	Fpgpgfmh.exe	87
PID 4392 wrote to memory of 4864	4392	Fpgpgfmh.exe	87
PID 4392 wrote to memory of 4864	4392	Fpgpgfmh.exe	87
PID 4864 wrote to memory of 1596	4864	Ffqhcq32.exe	89
PID 4864 wrote to memory of 1596	4864	Ffqhcq32.exe	89
PID 4864 wrote to memory of 1596	4864	Ffqhcq32.exe	89
PID 1596 wrote to memory of 2464	1596	Fpimlfke.exe	90
PID 1596 wrote to memory of 2464	1596	Fpimlfke.exe	90
PID 1596 wrote to memory of 2464	1596	Fpimlfke.exe	90
PID 2464 wrote to memory of 416	2464	Fmmmfj32.exe	91
PID 2464 wrote to memory of 416	2464	Fmmmfj32.exe	91
PID 2464 wrote to memory of 416	2464	Fmmmfj32.exe	91
PID 416 wrote to memory of 3032	416	Fnnjmbpm.exe	92
PID 416 wrote to memory of 3032	416	Fnnjmbpm.exe	92
PID 416 wrote to memory of 3032	416	Fnnjmbpm.exe	92
PID 3032 wrote to memory of 4104	3032	Gidnkkpc.exe	93
PID 3032 wrote to memory of 4104	3032	Gidnkkpc.exe	93
PID 3032 wrote to memory of 4104	3032	Gidnkkpc.exe	93
PID 4104 wrote to memory of 2652	4104	Gnqfcbnj.exe	94
PID 4104 wrote to memory of 2652	4104	Gnqfcbnj.exe	94
PID 4104 wrote to memory of 2652	4104	Gnqfcbnj.exe	94
PID 2652 wrote to memory of 2528	2652	Gejopl32.exe	96
PID 2652 wrote to memory of 2528	2652	Gejopl32.exe	96
PID 2652 wrote to memory of 2528	2652	Gejopl32.exe	96
PID 2528 wrote to memory of 3944	2528	Gldglf32.exe	97
PID 2528 wrote to memory of 3944	2528	Gldglf32.exe	97
PID 2528 wrote to memory of 3944	2528	Gldglf32.exe	97
PID 3944 wrote to memory of 2696	3944	Gbnoiqdq.exe	98
PID 3944 wrote to memory of 2696	3944	Gbnoiqdq.exe	98
PID 3944 wrote to memory of 2696	3944	Gbnoiqdq.exe	98
PID 2696 wrote to memory of 4080	2696	Gihgfk32.exe	99
PID 2696 wrote to memory of 4080	2696	Gihgfk32.exe	99
PID 2696 wrote to memory of 4080	2696	Gihgfk32.exe	99
PID 4080 wrote to memory of 3696	4080	Gflhoo32.exe	100
PID 4080 wrote to memory of 3696	4080	Gflhoo32.exe	100
PID 4080 wrote to memory of 3696	4080	Gflhoo32.exe	100
PID 3696 wrote to memory of 3012	3696	Gikdkj32.exe	101
PID 3696 wrote to memory of 3012	3696	Gikdkj32.exe	101
PID 3696 wrote to memory of 3012	3696	Gikdkj32.exe	101
PID 3012 wrote to memory of 2456	3012	Gfodeohd.exe	102
PID 3012 wrote to memory of 2456	3012	Gfodeohd.exe	102
PID 3012 wrote to memory of 2456	3012	Gfodeohd.exe	102
PID 2456 wrote to memory of 224	2456	Gimqajgh.exe	103
PID 2456 wrote to memory of 224	2456	Gimqajgh.exe	103
PID 2456 wrote to memory of 224	2456	Gimqajgh.exe	103
PID 224 wrote to memory of 2180	224	Gojiiafp.exe	104
PID 224 wrote to memory of 2180	224	Gojiiafp.exe	104
PID 224 wrote to memory of 2180	224	Gojiiafp.exe	104
PID 2180 wrote to memory of 1492	2180	Hipmfjee.exe	105
PID 2180 wrote to memory of 1492	2180	Hipmfjee.exe	105
PID 2180 wrote to memory of 1492	2180	Hipmfjee.exe	105
PID 1492 wrote to memory of 4156	1492	Holfoqcm.exe	106

C:\Users\Admin\AppData\Local\Temp\db364e1fcbbfe6fda5592bcc47793b3e01423dc4ab998585a162ead17c1584eb.exe
"C:\Users\Admin\AppData\Local\Temp\db364e1fcbbfe6fda5592bcc47793b3e01423dc4ab998585a162ead17c1584eb.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4040
- C:\Windows\SysWOW64\Fbpchb32.exe
  C:\Windows\system32\Fbpchb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4856
- - C:\Windows\SysWOW64\Fpdcag32.exe
    C:\Windows\system32\Fpdcag32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4848
  - - C:\Windows\SysWOW64\Fealin32.exe
      C:\Windows\system32\Fealin32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3324
    - - C:\Windows\SysWOW64\Fpgpgfmh.exe
        
        C:\Windows\system32\Fpgpgfmh.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4392
      - C:\Windows\SysWOW64\Ffqhcq32.exe
        
        C:\Windows\system32\Ffqhcq32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\SysWOW64\Fpimlfke.exe
        
        C:\Windows\system32\Fpimlfke.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\SysWOW64\Fmmmfj32.exe
        
        C:\Windows\system32\Fmmmfj32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\SysWOW64\Fnnjmbpm.exe
        
        C:\Windows\system32\Fnnjmbpm.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:416
        
        C:\Windows\SysWOW64\Gidnkkpc.exe
        
        C:\Windows\system32\Gidnkkpc.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\SysWOW64\Gnqfcbnj.exe
        
        C:\Windows\system32\Gnqfcbnj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4104
        
        C:\Windows\SysWOW64\Gejopl32.exe
        
        C:\Windows\system32\Gejopl32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SysWOW64\Gldglf32.exe
        
        C:\Windows\system32\Gldglf32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\Gbnoiqdq.exe
        
        C:\Windows\system32\Gbnoiqdq.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\SysWOW64\Gihgfk32.exe
        
        C:\Windows\system32\Gihgfk32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\SysWOW64\Gflhoo32.exe
        
        C:\Windows\system32\Gflhoo32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4080
        
        C:\Windows\SysWOW64\Gikdkj32.exe
        
        C:\Windows\system32\Gikdkj32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3696
        
        C:\Windows\SysWOW64\Gfodeohd.exe
        
        C:\Windows\system32\Gfodeohd.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\SysWOW64\Gimqajgh.exe
        
        C:\Windows\system32\Gimqajgh.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\SysWOW64\Gojiiafp.exe
        
        C:\Windows\system32\Gojiiafp.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:224
        
        C:\Windows\SysWOW64\Hipmfjee.exe
        
        C:\Windows\system32\Hipmfjee.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\Holfoqcm.exe
        
        C:\Windows\system32\Holfoqcm.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Windows\SysWOW64\Hibjli32.exe
        
        C:\Windows\system32\Hibjli32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4156
        
        C:\Windows\SysWOW64\Hplbickp.exe
        
        C:\Windows\system32\Hplbickp.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4112
        
        C:\Windows\SysWOW64\Hffken32.exe
        
        C:\Windows\system32\Hffken32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3940
        
        C:\Windows\SysWOW64\Hidgai32.exe
        
        C:\Windows\system32\Hidgai32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3624
        
        C:\Windows\SysWOW64\Hlbcnd32.exe
        
        C:\Windows\system32\Hlbcnd32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2688
        
        C:\Windows\SysWOW64\Hifcgion.exe
        
        C:\Windows\system32\Hifcgion.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3420
        
        C:\Windows\SysWOW64\Hoclopne.exe
        
        C:\Windows\system32\Hoclopne.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1816
        
        C:\Windows\SysWOW64\Hbohpn32.exe
        
        C:\Windows\system32\Hbohpn32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5000
        
        C:\Windows\SysWOW64\Hlglidlo.exe
        
        C:\Windows\system32\Hlglidlo.exe
        31⤵
        Executes dropped EXE
        
        PID:4932
        
        C:\Windows\SysWOW64\Hoeieolb.exe
        
        C:\Windows\system32\Hoeieolb.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4084
        
        C:\Windows\SysWOW64\Iikmbh32.exe
        
        C:\Windows\system32\Iikmbh32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Iebngial.exe
        
        C:\Windows\system32\Iebngial.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1560
        
        C:\Windows\SysWOW64\Imiehfao.exe
        
        C:\Windows\system32\Imiehfao.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1360
        
        C:\Windows\SysWOW64\Ibfnqmpf.exe
        
        C:\Windows\system32\Ibfnqmpf.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2524
        
        C:\Windows\SysWOW64\Imkbnf32.exe
        
        C:\Windows\system32\Imkbnf32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:536
        
        C:\Windows\SysWOW64\Ipjoja32.exe
        
        C:\Windows\system32\Ipjoja32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Windows\SysWOW64\Iibccgep.exe
        
        C:\Windows\system32\Iibccgep.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2864
        
        C:\Windows\SysWOW64\Iplkpa32.exe
        
        C:\Windows\system32\Iplkpa32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3708
        
        C:\Windows\SysWOW64\Igfclkdj.exe
        
        C:\Windows\system32\Igfclkdj.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:908
        
        C:\Windows\SysWOW64\Impliekg.exe
        
        C:\Windows\system32\Impliekg.exe
        42⤵
        Executes dropped EXE
        
        PID:2548
        
        C:\Windows\SysWOW64\Joahqn32.exe
        
        C:\Windows\system32\Joahqn32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1964
        
        C:\Windows\SysWOW64\Jghpbk32.exe
        
        C:\Windows\system32\Jghpbk32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3276
        
        C:\Windows\SysWOW64\Jiglnf32.exe
        
        C:\Windows\system32\Jiglnf32.exe
        45⤵
        Executes dropped EXE
        
        PID:660
        
        C:\Windows\SysWOW64\Jleijb32.exe
        
        C:\Windows\system32\Jleijb32.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1412
        
        C:\Windows\SysWOW64\Jgkmgk32.exe
        
        C:\Windows\system32\Jgkmgk32.exe
        47⤵
        Executes dropped EXE
        
        PID:3244
        
        C:\Windows\SysWOW64\Jiiicf32.exe
        
        C:\Windows\system32\Jiiicf32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3448
        
        C:\Windows\SysWOW64\Jepjhg32.exe
        
        C:\Windows\system32\Jepjhg32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3820
        
        C:\Windows\SysWOW64\Jpenfp32.exe
        
        C:\Windows\system32\Jpenfp32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:100
        
        C:\Windows\SysWOW64\Jgpfbjlo.exe
        
        C:\Windows\system32\Jgpfbjlo.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3160
        
        C:\Windows\SysWOW64\Jebfng32.exe
        
        C:\Windows\system32\Jebfng32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4272
        
        C:\Windows\SysWOW64\Jphkkpbp.exe
        
        C:\Windows\system32\Jphkkpbp.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1048
        
        C:\Windows\SysWOW64\Jgbchj32.exe
        
        C:\Windows\system32\Jgbchj32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:440
        
        C:\Windows\SysWOW64\Kpjgaoqm.exe
        
        C:\Windows\system32\Kpjgaoqm.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4868
        
        C:\Windows\SysWOW64\Kegpifod.exe
        
        C:\Windows\system32\Kegpifod.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3088
        
        C:\Windows\SysWOW64\Klahfp32.exe
        
        C:\Windows\system32\Klahfp32.exe
        57⤵
        Executes dropped EXE
        
        PID:4492
        
        C:\Windows\SysWOW64\Kckqbj32.exe
        
        C:\Windows\system32\Kckqbj32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1096
        
        C:\Windows\SysWOW64\Kjeiodek.exe
        
        C:\Windows\system32\Kjeiodek.exe
        59⤵
        Executes dropped EXE
        
        PID:2644
        
        C:\Windows\SysWOW64\Klcekpdo.exe
        
        C:\Windows\system32\Klcekpdo.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4600
        
        C:\Windows\SysWOW64\Koaagkcb.exe
        
        C:\Windows\system32\Koaagkcb.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:916
        
        C:\Windows\SysWOW64\Kjgeedch.exe
        
        C:\Windows\system32\Kjgeedch.exe
        62⤵
        Executes dropped EXE
        
        PID:1960
        
        C:\Windows\SysWOW64\Klfaapbl.exe
        
        C:\Windows\system32\Klfaapbl.exe
        63⤵
        Executes dropped EXE
        
        PID:4524
        
        C:\Windows\SysWOW64\Kodnmkap.exe
        
        C:\Windows\system32\Kodnmkap.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Windows\SysWOW64\Kfnfjehl.exe
        
        C:\Windows\system32\Kfnfjehl.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\Knenkbio.exe
        
        C:\Windows\system32\Knenkbio.exe
        66⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\Kgnbdh32.exe
        
        C:\Windows\system32\Kgnbdh32.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:3220
        
        C:\Windows\SysWOW64\Kjlopc32.exe
        
        C:\Windows\system32\Kjlopc32.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3692
        
        C:\Windows\SysWOW64\Lcdciiec.exe
        
        C:\Windows\system32\Lcdciiec.exe
        69⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\Lqhdbm32.exe
        
        C:\Windows\system32\Lqhdbm32.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:4220
        
        C:\Windows\SysWOW64\Lokdnjkg.exe
        
        C:\Windows\system32\Lokdnjkg.exe
        71⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\Lfeljd32.exe
        
        C:\Windows\system32\Lfeljd32.exe
        72⤵
        
        PID:116
        
        C:\Windows\SysWOW64\Lnldla32.exe
        
        C:\Windows\system32\Lnldla32.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:4052
        
        C:\Windows\SysWOW64\Lomqcjie.exe
        
        C:\Windows\system32\Lomqcjie.exe
        74⤵
        Drops file in System32 directory
        
        PID:2852
        
        C:\Windows\SysWOW64\Ljceqb32.exe
        
        C:\Windows\system32\Ljceqb32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\Lmaamn32.exe
        
        C:\Windows\system32\Lmaamn32.exe
        76⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4108
        
        C:\Windows\SysWOW64\Lfjfecno.exe
        
        C:\Windows\system32\Lfjfecno.exe
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:1572
        
        C:\Windows\SysWOW64\Ljeafb32.exe
        
        C:\Windows\system32\Ljeafb32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Lflbkcll.exe
        
        C:\Windows\system32\Lflbkcll.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:776
        
        C:\Windows\SysWOW64\Mmfkhmdi.exe
        
        C:\Windows\system32\Mmfkhmdi.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3980
        
        C:\Windows\SysWOW64\Mgloefco.exe
        
        C:\Windows\system32\Mgloefco.exe
        81⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\Mjjkaabc.exe
        
        C:\Windows\system32\Mjjkaabc.exe
        82⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1324
        
        C:\Windows\SysWOW64\Mgnlkfal.exe
        
        C:\Windows\system32\Mgnlkfal.exe
        83⤵
        Modifies registry class
        
        PID:1472
        
        C:\Windows\SysWOW64\Mmkdcm32.exe
        
        C:\Windows\system32\Mmkdcm32.exe
        84⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\Mcelpggq.exe
        
        C:\Windows\system32\Mcelpggq.exe
        85⤵
        Modifies registry class
        
        PID:3124
        
        C:\Windows\SysWOW64\Mnjqmpgg.exe
        
        C:\Windows\system32\Mnjqmpgg.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:540
        
        C:\Windows\SysWOW64\Mmmqhl32.exe
        
        C:\Windows\system32\Mmmqhl32.exe
        87⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\Mnmmboed.exe
        
        C:\Windows\system32\Mnmmboed.exe
        88⤵
        Drops file in System32 directory
        
        PID:4916
        
        C:\Windows\SysWOW64\Mqkiok32.exe
        
        C:\Windows\system32\Mqkiok32.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:512
        
        C:\Windows\SysWOW64\Mgeakekd.exe
        
        C:\Windows\system32\Mgeakekd.exe
        90⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\Mjcngpjh.exe
        
        C:\Windows\system32\Mjcngpjh.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3200
        
        C:\Windows\SysWOW64\Nmbjcljl.exe
        
        C:\Windows\system32\Nmbjcljl.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4880
        
        C:\Windows\SysWOW64\Nclbpf32.exe
        
        C:\Windows\system32\Nclbpf32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2388
        
        C:\Windows\SysWOW64\Nfjola32.exe
        
        C:\Windows\system32\Nfjola32.exe
        94⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3060
        
        C:\Windows\SysWOW64\Njfkmphe.exe
        
        C:\Windows\system32\Njfkmphe.exe
        95⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\Nmdgikhi.exe
        
        C:\Windows\system32\Nmdgikhi.exe
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:3832
        
        C:\Windows\SysWOW64\Ngjkfd32.exe
        
        C:\Windows\system32\Ngjkfd32.exe
        97⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\Njhgbp32.exe
        
        C:\Windows\system32\Njhgbp32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1196
        
        C:\Windows\SysWOW64\Nmfcok32.exe
        
        C:\Windows\system32\Nmfcok32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1976
        
        C:\Windows\SysWOW64\Npepkf32.exe
        
        C:\Windows\system32\Npepkf32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5140
        
        C:\Windows\SysWOW64\Nfohgqlg.exe
        
        C:\Windows\system32\Nfohgqlg.exe
        101⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5216
        
        C:\Windows\SysWOW64\Nnfpinmi.exe
        
        C:\Windows\system32\Nnfpinmi.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Npgmpf32.exe
        
        C:\Windows\system32\Npgmpf32.exe
        103⤵
        Modifies registry class
        
        PID:5312
        
        C:\Windows\SysWOW64\Nfaemp32.exe
        
        C:\Windows\system32\Nfaemp32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Nnhmnn32.exe
        
        C:\Windows\system32\Nnhmnn32.exe
        105⤵
        Drops file in System32 directory
        
        PID:5456
        
        C:\Windows\SysWOW64\Npiiffqe.exe
        
        C:\Windows\system32\Npiiffqe.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5500
        
        C:\Windows\SysWOW64\Nfcabp32.exe
        
        C:\Windows\system32\Nfcabp32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5552
        
        C:\Windows\SysWOW64\Onkidm32.exe
        
        C:\Windows\system32\Onkidm32.exe
        108⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\Oplfkeob.exe
        
        C:\Windows\system32\Oplfkeob.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5644
        
        C:\Windows\SysWOW64\Offnhpfo.exe
        
        C:\Windows\system32\Offnhpfo.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5696
        
        C:\Windows\SysWOW64\Onmfimga.exe
        
        C:\Windows\system32\Onmfimga.exe
        111⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Ocjoadei.exe
        
        C:\Windows\system32\Ocjoadei.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5796
        
        C:\Windows\SysWOW64\Ogekbb32.exe
        
        C:\Windows\system32\Ogekbb32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5844
        
        C:\Windows\SysWOW64\Oghghb32.exe
        
        C:\Windows\system32\Oghghb32.exe
        114⤵
        Drops file in System32 directory
        
        PID:5888
        
        C:\Windows\SysWOW64\Ocohmc32.exe
        
        C:\Windows\system32\Ocohmc32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5932
        
        C:\Windows\SysWOW64\Ofmdio32.exe
        
        C:\Windows\system32\Ofmdio32.exe
        116⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5976
        
        C:\Windows\SysWOW64\Ondljl32.exe
        
        C:\Windows\system32\Ondljl32.exe
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:6020
        
        C:\Windows\SysWOW64\Oabhfg32.exe
        
        C:\Windows\system32\Oabhfg32.exe
        118⤵
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Ohlqcagj.exe
        
        C:\Windows\system32\Ohlqcagj.exe
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:6108
        
        C:\Windows\SysWOW64\Pnfiplog.exe
        
        C:\Windows\system32\Pnfiplog.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5124
        
        C:\Windows\SysWOW64\Paeelgnj.exe
        
        C:\Windows\system32\Paeelgnj.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5228
        
        C:\Windows\SysWOW64\Phonha32.exe
        
        C:\Windows\system32\Phonha32.exe
        122⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Pagbaglh.exe
        
        C:\Windows\system32\Pagbaglh.exe
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:5400
        
        C:\Windows\SysWOW64\Pdenmbkk.exe
        
        C:\Windows\system32\Pdenmbkk.exe
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:5484
        
        C:\Windows\SysWOW64\Pmnbfhal.exe
        
        C:\Windows\system32\Pmnbfhal.exe
        125⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5592
        
        C:\Windows\SysWOW64\Pplobcpp.exe
        
        C:\Windows\system32\Pplobcpp.exe
        126⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\Pffgom32.exe
        
        C:\Windows\system32\Pffgom32.exe
        127⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\Pmpolgoi.exe
        
        C:\Windows\system32\Pmpolgoi.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5808
        
        C:\Windows\SysWOW64\Pdjgha32.exe
        
        C:\Windows\system32\Pdjgha32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5880
        
        C:\Windows\SysWOW64\Pnplfj32.exe
        
        C:\Windows\system32\Pnplfj32.exe
        130⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5956
        
        C:\Windows\SysWOW64\Pmblagmf.exe
        
        C:\Windows\system32\Pmblagmf.exe
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:6012
        
        C:\Windows\SysWOW64\Qjfmkk32.exe
        
        C:\Windows\system32\Qjfmkk32.exe
        132⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Qobhkjdi.exe
        
        C:\Windows\system32\Qobhkjdi.exe
        133⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Qpcecb32.exe
        
        C:\Windows\system32\Qpcecb32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Qfmmplad.exe
        
        C:\Windows\system32\Qfmmplad.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Qmgelf32.exe
        
        C:\Windows\system32\Qmgelf32.exe
        136⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\Qdaniq32.exe
        
        C:\Windows\system32\Qdaniq32.exe
        137⤵
        Drops file in System32 directory
        
        PID:5708
        
        C:\Windows\SysWOW64\Aaenbd32.exe
        
        C:\Windows\system32\Aaenbd32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5840
        
        C:\Windows\SysWOW64\Ahofoogd.exe
        
        C:\Windows\system32\Ahofoogd.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5944
        
        C:\Windows\SysWOW64\Aoioli32.exe
        
        C:\Windows\system32\Aoioli32.exe
        140⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\Apjkcadp.exe
        
        C:\Windows\system32\Apjkcadp.exe
        141⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6136
        
        C:\Windows\SysWOW64\Akpoaj32.exe
        
        C:\Windows\system32\Akpoaj32.exe
        142⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Aajhndkb.exe
        
        C:\Windows\system32\Aajhndkb.exe
        143⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\Ahdpjn32.exe
        
        C:\Windows\system32\Ahdpjn32.exe
        144⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5832
        
        C:\Windows\SysWOW64\Aggpfkjj.exe
        
        C:\Windows\system32\Aggpfkjj.exe
        145⤵
        System Location Discovery: System Language Discovery
        
        PID:5964
        
        C:\Windows\SysWOW64\Aonhghjl.exe
        
        C:\Windows\system32\Aonhghjl.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4380
        
        C:\Windows\SysWOW64\Adkqoohc.exe
        
        C:\Windows\system32\Adkqoohc.exe
        147⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Akdilipp.exe
        
        C:\Windows\system32\Akdilipp.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5732
        
        C:\Windows\SysWOW64\Amcehdod.exe
        
        C:\Windows\system32\Amcehdod.exe
        149⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6032
        
        C:\Windows\SysWOW64\Bdmmeo32.exe
        
        C:\Windows\system32\Bdmmeo32.exe
        150⤵
        Drops file in System32 directory
        
        PID:5368
        
        C:\Windows\SysWOW64\Bkgeainn.exe
        
        C:\Windows\system32\Bkgeainn.exe
        151⤵
        System Location Discovery: System Language Discovery
        
        PID:5940
        
        C:\Windows\SysWOW64\Bmeandma.exe
        
        C:\Windows\system32\Bmeandma.exe
        152⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5684
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        153⤵
        System Location Discovery: System Language Discovery
        
        PID:5320
        
        C:\Windows\SysWOW64\Bacjdbch.exe
        
        C:\Windows\system32\Bacjdbch.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5896
        
        C:\Windows\SysWOW64\Bdagpnbk.exe
        
        C:\Windows\system32\Bdagpnbk.exe
        155⤵
        System Location Discovery: System Language Discovery
        
        PID:6160
        
        C:\Windows\SysWOW64\Bgpcliao.exe
        
        C:\Windows\system32\Bgpcliao.exe
        156⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6204
        
        C:\Windows\SysWOW64\Bphgeo32.exe
        
        C:\Windows\system32\Bphgeo32.exe
        157⤵
        Drops file in System32 directory
        
        PID:6248
        
        C:\Windows\SysWOW64\Bknlbhhe.exe
        
        C:\Windows\system32\Bknlbhhe.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6292
        
        C:\Windows\SysWOW64\Bnlhncgi.exe
        
        C:\Windows\system32\Bnlhncgi.exe
        159⤵
        Drops file in System32 directory
        
        PID:6336
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        160⤵
        System Location Discovery: System Language Discovery
        
        PID:6380
        
        C:\Windows\SysWOW64\Bhblllfo.exe
        
        C:\Windows\system32\Bhblllfo.exe
        161⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6424
        
        C:\Windows\SysWOW64\Boldhf32.exe
        
        C:\Windows\system32\Boldhf32.exe
        162⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6464
        
        C:\Windows\SysWOW64\Bajqda32.exe
        
        C:\Windows\system32\Bajqda32.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6500
        
        C:\Windows\SysWOW64\Cpmapodj.exe
        
        C:\Windows\system32\Cpmapodj.exe
        164⤵
        Drops file in System32 directory
        
        PID:6568
        
        C:\Windows\SysWOW64\Cnaaib32.exe
        
        C:\Windows\system32\Cnaaib32.exe
        165⤵
        Modifies registry class
        
        PID:6624
        
        C:\Windows\SysWOW64\Cponen32.exe
        
        C:\Windows\system32\Cponen32.exe
        166⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6672
        
        C:\Windows\SysWOW64\Chfegk32.exe
        
        C:\Windows\system32\Chfegk32.exe
        167⤵
        
        PID:6728
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        168⤵
        Modifies registry class
        
        PID:6772
        
        C:\Windows\SysWOW64\Coqncejg.exe
        
        C:\Windows\system32\Coqncejg.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6808
        
        C:\Windows\SysWOW64\Caojpaij.exe
        
        C:\Windows\system32\Caojpaij.exe
        170⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6860
        
        C:\Windows\SysWOW64\Chiblk32.exe
        
        C:\Windows\system32\Chiblk32.exe
        171⤵
        System Location Discovery: System Language Discovery
        
        PID:6920
        
        C:\Windows\SysWOW64\Ckgohf32.exe
        
        C:\Windows\system32\Ckgohf32.exe
        172⤵
        Drops file in System32 directory
        
        PID:6976
        
        C:\Windows\SysWOW64\Cnfkdb32.exe
        
        C:\Windows\system32\Cnfkdb32.exe
        173⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7020
        
        C:\Windows\SysWOW64\Cdpcal32.exe
        
        C:\Windows\system32\Cdpcal32.exe
        174⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7072
        
        C:\Windows\SysWOW64\Cgnomg32.exe
        
        C:\Windows\system32\Cgnomg32.exe
        175⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7116
        
        C:\Windows\SysWOW64\Ckjknfnh.exe
        
        C:\Windows\system32\Ckjknfnh.exe
        176⤵
        System Location Discovery: System Language Discovery
        
        PID:7160
        
        C:\Windows\SysWOW64\Cnhgjaml.exe
        
        C:\Windows\system32\Cnhgjaml.exe
        177⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\Cacckp32.exe
        
        C:\Windows\system32\Cacckp32.exe
        178⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6260
        
        C:\Windows\SysWOW64\Cdbpgl32.exe
        
        C:\Windows\system32\Cdbpgl32.exe
        179⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6324
        
        C:\Windows\SysWOW64\Cgqlcg32.exe
        
        C:\Windows\system32\Cgqlcg32.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6400
        
        C:\Windows\SysWOW64\Cogddd32.exe
        
        C:\Windows\system32\Cogddd32.exe
        181⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\Dddllkbf.exe
        
        C:\Windows\system32\Dddllkbf.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3504
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        183⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6560
        
        C:\Windows\SysWOW64\Dhbebj32.exe
        
        C:\Windows\system32\Dhbebj32.exe
        184⤵
        System Location Discovery: System Language Discovery
        
        PID:6636
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        185⤵
        
        PID:6684
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6684 -s 400
        186⤵
        Program crash
        
        PID:6904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6684 -ip 6684
1⤵
PID:6788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ahofoogd.exe

Filesize
80KB

MD5
c001544f0f44bc7d46cf73b7fdf54fb5

SHA1
8b37ead0e294441f95d1b40a5fad4be9f3bd9fb7

SHA256
6706ca4d0330a448f6205217a753698c8f25ba98439b357a094ba599ce9b372b

SHA512
7d0ce4178e3e1131381d8ee3247b30c68de7521e21fb843f3657527521d437d91633e80f637b263a0e677dd58c262f5d80545ffd8dc6a6d548c94e80e8a83e75

Download Submit
C:\Windows\SysWOW64\Apjkcadp.exe

Filesize
80KB

MD5
46d1064331cf4d41d9bd5c926e4345eb

SHA1
28f690f64be25512e8ee25331081922bf46a898c

SHA256
5e9c21e66dfac41cdb8e63bc5009c87be224f34e9b1dc53771c1ea9e70d4b30d

SHA512
4fc04b65f6e7177b854e7c274339ebaf91fe7144210f2655159f2b0899bbecac8785a0bcbb591c24b91f05fddf8484103c01961680899642eeeac24dbef36f75

Download Submit
C:\Windows\SysWOW64\Bgpcliao.exe

Filesize
80KB

MD5
500c723a8ebe112d028ad46f3111b207

SHA1
e8fdfead88e6b83349d717ed49d580e19da1e4e6

SHA256
9760175de771ea560dfdcf1ae3acc0d2d4dbd228a2e36d3de79806f089dae8f6

SHA512
8e8cf11dc721b2098292dc6f89b4bb3fa352b898123f41c2ae42545b497f7cd59c97899e4e132faa44dc72b414c759ed9728d4f1bc4ea85e4cddd9900de580b0

Download Submit
C:\Windows\SysWOW64\Bnlhncgi.exe

Filesize
80KB

MD5
ae81a79d8bfbc3408235be6b145a482d

SHA1
50628a213b8322435018a42eb3b91a9e3db44003

SHA256
7bca9926fbebba426aca45e94ba6ce4923d65d440d050d69ffea950663ea5096

SHA512
0c0e3e166af1a5c837d6faaf855aaf70e5f1d0423b378319b913a28b498a09ac9dae3a2e8c23d454d5b5098ccc7585ed913d953b12e72ee0087752a4438e6ebf

Download Submit
C:\Windows\SysWOW64\Boldhf32.exe

Filesize
80KB

MD5
28a0dfca54d9bde74022764cce994f1e

SHA1
1d94b9e84b4aac12a699f1f0b084d36461c2de30

SHA256
1d8c4a328b00e23b6635bce0bf20cc9c00951fc5520a9735def34509e77ff0a4

SHA512
4c593e9287ac04ecacfc3bf32f30d678397939b0440f748354f688d04156dd0dd13a78894854a1c372b935b21c378556acc6e2dcece85e15fcdcc51cd87d88b6

Download Submit
C:\Windows\SysWOW64\Cdpcal32.exe

Filesize
80KB

MD5
b012676b5669c626d33f52673772f90b

SHA1
94eec191e257f333bd46c159d91e12588e166f6c

SHA256
772846a4221d1a04c14686fe3be1e5d982bca2b12f86cc6d5ff27f4fc7fbc538

SHA512
e284c0c076f831bf2bfb2a007f64e618257dda3f3f6bfce3d55bc4fb9e5f69b9e38a7a06538c8b0af9a3283c0cf7e7c686748280dc173aaac8e6a936027b04df

Download Submit
C:\Windows\SysWOW64\Chiblk32.exe

Filesize
80KB

MD5
9cc13d6b22d6f61ac20cbb4d3dff1e95

SHA1
bcdffd7441652409c7c9a814abb58ccf439d38e6

SHA256
d88c2b41dea24ab99a55594f9634977cffcffe1b67b02e824a42357a591779cd

SHA512
2a7c5c69c25c2031d49b1d4e9cf6cdc3065c0a74b97c633df84825cb4e92021e37b97c89174d4ba9ec090873853cf5b30d182874afe3cc544905623f5ecdc39b

Download Submit
C:\Windows\SysWOW64\Cnaaib32.exe

Filesize
80KB

MD5
4c73d7d71fb36b236cb6c39a6c31b82a

SHA1
22c5e279142dd06b319d25dcbaaa7df24a6c3ccf

SHA256
7d5eee38ccbdadb9b757c337cd3b526508eb8cb51fa3c16ae011916f1400c5b5

SHA512
599eae39795c020ae7bc76c6525988835880088f75cf62bbd55f49c19bb6baecfe4b8fbf358e7eb2fbaf6c078f247ffb36b4efcd20ac7b370bd7fa15c6e95928

Download Submit
C:\Windows\SysWOW64\Fbpchb32.exe

Filesize
80KB

MD5
db6071ac7c73163ac25eb6af26a7e517

SHA1
46a9a3c7c51fbdd2811d78447d205aa69a862e44

SHA256
b96327139865f07cfc10b9d67b1a60fc784ad926ac30695f73b92637b0dc5643

SHA512
6511ec7cb409efdf4f13dcacdcfea394fd1d3f5b0db617c28f1792393c37ada03dfd067e727be22c06131ccfa6455c181a6d1b3e64a937f8e4f0fcb6fd9dea65

Download Submit
C:\Windows\SysWOW64\Fealin32.exe

Filesize
80KB

MD5
316ed88ac0745502090bfef9b2526c1e

SHA1
5bb0a9bfc4565c74501ab68bc945afd445a034f6

SHA256
a6a7aebcd8621fa4fae8dd669a4e61d8f6bb192f3983dc1ba5072bd929dd0dfe

SHA512
54437baca9b85cd3e18a8a01344eefdaf719e6fe2c675e896ead601e8de8f8676c21a1f8a9dea3a781b4cea265a34afd14d5c4eaa289853c3b6faa59c1c55c3f

Download Submit
C:\Windows\SysWOW64\Ffqhcq32.exe

Filesize
80KB

MD5
7d78525256c00ffec25080d7615e6461

SHA1
bf322e68056200c2a6bc5ccc480e020c6109a9d2

SHA256
0396381d67540806991a11ea4e631ef446156ce6a1d0e10ec42d0b298fbab5a2

SHA512
f078fd987c4a17e2648e3a5a3c1a377e266863dee4b2822d1965e918118200c0c52a020c5703af107d2f611dc0d6936f6a755fd0a622846f7447f8aad77f501c

Download Submit
C:\Windows\SysWOW64\Fmmmfj32.exe

Filesize
80KB

MD5
e5f56c77340c576d4dda02baa8390d13

SHA1
d04fde70ad999a13fcef9254f86a7c5870765bd5

SHA256
c805183063ff25834e0c0c2b05e40038e127e1b21a47c5840166372924b2c1b1

SHA512
332c170b63d89ea13e88397100ace7f15f239f41bd7da9a48957155290ef2cee214136c5bba64577e9ce445f195b69f5df0e4b9057122cfbb46d5cab52f534a4

Download Submit
C:\Windows\SysWOW64\Fnnjmbpm.exe

Filesize
80KB

MD5
1ae319519ff25a766b4e029c890d5f43

SHA1
bc9e9082f831951c1547ad9ad396a76e6e95591a

SHA256
093067d39d6604110b2aaea6aeafbc763a7f9da56e6fe6220a57041b6817ff69

SHA512
986611f519dbc79e8400a6af0234d91756a61b904d9afc2f0f0563447d23d6dc9e4482427e707f8233b482c90eb72ccbd52e42d5e99af586a5a19c505df1bed2

Download Submit
C:\Windows\SysWOW64\Fpdcag32.exe

Filesize
80KB

MD5
0e32ad871877727420cb560e50034e49

SHA1
3ecc5894ea650ad4c57cbadfc8d5dc28580660e1

SHA256
33f0916b05910d85e4f1c2c60ec724f099b19aeff5ecebafb83c228437cc1fb7

SHA512
6263c1b332ff9fa653ae506c682b12821e9edbec158d668d322a15a3f7fd1e9b1b6fcb556186f8af7e1c1bc9a7a2c14ac0d81e80f035cb69d707c40ddb627167

Download Submit
C:\Windows\SysWOW64\Fpgpgfmh.exe

Filesize
80KB

MD5
75103789972359ddd60d7870da250418

SHA1
64f0a5e82173ce21df94a5db3465e4c8d6e21d66

SHA256
e02d6e96bd3a6d578456c8987550eb8ecc1b5b1688d3a6338f13d900f94a54d1

SHA512
9bef3296753aa8dfc1e8c5100d335ff3d488f11c4a2852c698154242a95cc38c09a60eaeb2be12f1c6d28eb627eb7bcdeb53f937a27a4053ba0ef7d5813df1d5

Download Submit
C:\Windows\SysWOW64\Fpimlfke.exe

Filesize
80KB

MD5
5ff0ad0f71813639a6a14120c6acc3dd

SHA1
1e0cb3139479b35be1875969b66aa33cb7a7bdc9

SHA256
a567eabfb56ce0909ed6803ea5eeacbacb870880696dfee974f228539bf0351d

SHA512
0f84918ebb1a28e1673901a1b0cb70ff16050046240e2d89915b3f819aac7acf960818cb3e8bb13f70527f552328f446a0d3ceebbb2d6922b789a9aaae4cb14a

Download Submit
C:\Windows\SysWOW64\Gbnoiqdq.exe

Filesize
80KB

MD5
974a269bbf8a5b53117d7e02d2a142cf

SHA1
b58dbd115d30edc99af3133b8b429580d95023ee

SHA256
aa786a403914bcb631d99a63dcae3a256b8768e86fd270a560c5c0d90059db81

SHA512
ff341f84879b64cf4563023df6225864b6fe82c0514277ca41a6579fcdc117c7793e718f32ea8848e02c0e0ab48c45de1dac02078fac447d1964238437f40692

Download Submit
C:\Windows\SysWOW64\Gejopl32.exe

Filesize
80KB

MD5
ce0e28498dd6c40a77ef13bdbf3282dc

SHA1
01f97dae5c667608f0a290d8817964748d823e59

SHA256
b231a83c393440bcad84cbc2ab313ad4e4e4e73034f0cac38788d4077276661a

SHA512
5b0c0be82b348276d0384283273274c521158f4b886a7ee08a2e2e44dd142399efc11af09e61d6106a553e3ea3baaf77f2cf7bf9b619498cf9477838c88c1041

Download Submit
C:\Windows\SysWOW64\Gflhoo32.exe

Filesize
80KB

MD5
e90a3ed3e48a09dfd2a7afb053d7425d

SHA1
44910ba9ab1e2ee91f20f004159145ec5b1df22c

SHA256
a29c38284abdae0b7b4dac732bc9773f2167711b1d79a4df639bb2d875523b27

SHA512
9fa39527aedb538639df95da22fcaa0e57e7cc74b71f8b4a5a756fdbaa61a6dd298150e14dd6084288a8d3660169669f33d54d8a4cdf5783ca16d46d26e22c6c

Download Submit
C:\Windows\SysWOW64\Gfodeohd.exe

Filesize
80KB

MD5
2adaaa7c6080af0cbc8a89b7db64321d

SHA1
df1e7f6369894a36fe4cd8c3468edb2cd4aca497

SHA256
9c74ef88c6920e7eca03ffd40a3deaece32b103bf5e05eca146ca318a22eb197

SHA512
d2ed41038e6c86602b7cc1739e9dab049b480a8e6de7916e7a0f592874539daa5d88f0a418cd45b5de94319547a7458ce80a504a014f9e030e02f4df00d82b0c

Download Submit
C:\Windows\SysWOW64\Gidnkkpc.exe

Filesize
80KB

MD5
ab696a001951f7a23bb2b2e3b2330eb1

SHA1
7a684c5523edfde23999317577270a0d7103231a

SHA256
7415c7b5dd2659ca972de82e8b9c31d196ae5a3ac8d5ede9f618895b89b07661

SHA512
1630460cdbe8b7fc84bf710165ee1b2a210efda9ad5101e3a650d889291e1a83233f59cad67dfdcf14196c4e8757fb367784eb6e7157497ed515fbc00c8a8c1f

Download Submit
C:\Windows\SysWOW64\Gihgfk32.exe

Filesize
80KB

MD5
5b16d61b0ebce834cc73c0f411b75d50

SHA1
8fb3f7185eb31b44dddf3aee504b44e95d4d760b

SHA256
a2b8ddaaf4521f4e52d2d7cfa0d31ada84fa2b9dc87d31f70ed79ce6685af86f

SHA512
28e9cd53bea91e1759e5aa400d2fe6737701589d89c071b3a6821f1fa45a569a1e08bd83a5d2f0b65d60f12c1702e3024adcf82491af8344dcb58815819d75e6

Download Submit
C:\Windows\SysWOW64\Gikdkj32.exe

Filesize
80KB

MD5
576db9fb6ee8a300fea82dfa3786719e

SHA1
51847b2d4f97e1d0a03d94e72390460ba8c44380

SHA256
01ac0e2e83d1c9d436ef98d54e32ed44c05ffb607f7163f856016f6cf0a52a1c

SHA512
d86ca63a475116c2c51f7032a87763fa2eb95314ec69de7cd8e271d9689d573cb260bd9001f447bde2661f748211f17fc3ac39a372a6ae9e2ee5095b4d1779f0

Download Submit
C:\Windows\SysWOW64\Gimqajgh.exe

Filesize
80KB

MD5
6b0a1b2d4707bf4cbbecc13eb2f25b5e

SHA1
0c5a0e4cd5d5e282c3ef74e0ef455398b209c7e9

SHA256
78c89726490b66083bb4d9a5e691056a466a725c603082ac355a6026f42f0cbc

SHA512
8902afb1a272d6c8008f7ea7645170322bb2d260bd8c60e3a0ccf0e8f65ce029d0e05021398e6e383126fe45c6732598205fe975504b8839bb8decce9cf34902

Download Submit
C:\Windows\SysWOW64\Gldglf32.exe

Filesize
80KB

MD5
caed4f9f21830407a52e6703f5be066f

SHA1
2cb3a651d7f3c6e2267ef23093f6f81b2fe52ab4

SHA256
c2ffe68163ad773fc0939a3ec3812d47c88d36b60cb83163740a25fc3b2298d8

SHA512
eee934b64ab47b42aadd671f041c0c09b024b9143ea922bee70c6aac157887d364f9897f0025267af1ee38e322d8bc6c0e66a65ea0ad68f196cd8883a1c53607

Download Submit
C:\Windows\SysWOW64\Gnqfcbnj.exe

Filesize
80KB

MD5
0d8119259cdb6c1f56f9386b7ba0ba22

SHA1
fd141255fcaf2f148a24e19021596e079a5f1432

SHA256
fc0ccdde2780dd095899bca24c8f3de410de3f02d70e3431f96b149a5d918a4b

SHA512
da508dacee9d2a6c244837ba6a401434247f828a665954a5757b7193b467dec8f8a702f32a8bf6e324bf86b8ad3e1be97399c7eb8d3c1e7b8f1be9937511b209

Download Submit
C:\Windows\SysWOW64\Gojiiafp.exe

Filesize
80KB

MD5
d405d6dc80073666b960231a6a88557b

SHA1
cefd9fe061ea20ff1a69e1dc5918102451b0180c

SHA256
7c1c0cdf899c586ebfe1743a525aa3ecbc7cf336bc0a4a318a90c92364b6e050

SHA512
8fec75d2263eff3ed8e7925d24475f774757641a3a4faf4d1edbe294da1c6df191e0c85d35d475ae4e48c5045b515a2b0e4a29966de3f9cf7f92312a90c3556c

Download Submit
C:\Windows\SysWOW64\Hbohpn32.exe

Filesize
80KB

MD5
ba267c00f233a9933370fe4e5f7d622e

SHA1
44ea9474de4a5bbcfc708257b5da4c20fbe7b5bf

SHA256
6473cd07f5200297fdaf50fe0e1436941ca2cedb923d3f934499d48a8c6d8ad2

SHA512
d37f7b95e5fb2689c9cd7b090c6506306ad3c1f943b5190d0df306bc77deae1ae27f93fbea4fbbab732a1e45793c1906898cf36d1b581bdb51266c5c8f4709a5

Download Submit
C:\Windows\SysWOW64\Hffken32.exe

Filesize
80KB

MD5
943bef76a7021d8de923662752c69a31

SHA1
9b532fc7721086520cecdd8de8b4a1072d6407b2

SHA256
d8aad0fe096fa4dc4f0a363c74e4419eba59a61ee2c67f0c0ae6c5c730b4f7ee

SHA512
46df0a7bcf4edc6fceeb6ebbcc29033198c0cc8214825a448843186613edd9f889653cbabafc06bfbfd2bcaa0cdcd5d7ce146221ea489dbb350fc8a3e0487656

Download Submit
C:\Windows\SysWOW64\Hibjli32.exe

Filesize
80KB

MD5
0b089b20b5e55e286fd73a1069a0dafe

SHA1
abdf44d495ae6035d2354f613e455ff25cc0c4b9

SHA256
86d35190624dc5125f27caccd51177ebfaba7c53dff4f8b3d79c407fc07916dd

SHA512
0462d5bb33917ebec042de5f29b1fdeb41f2ca03de552a129fa69038f916a75beedbf272fa9dca7ed30956d70de691d624725c06ccc020d2f8d24462d129055b

Download Submit
C:\Windows\SysWOW64\Hidgai32.exe

Filesize
80KB

MD5
b369fc1be05bbbdc1b96689af85eefe1

SHA1
3d555ab782542186568a26a6f42271c6fda3f817

SHA256
c8a9782af67e15665bf3439f445ae36d0deb9d90e35691da1b8cff2faadd6460

SHA512
87e3e4ddc407194138b68ab42ff29d8d2b81149a3a7cb304aef9173a8bf43203fa797961262855fe57c6cef8b45f483de4a523fbb2e9083b329b022803a5dbc2

Download Submit
C:\Windows\SysWOW64\Hifcgion.exe

Filesize
80KB

MD5
0ddef4a41051c777f29d0df7c652c216

SHA1
b37cb7a08d731e097621a0661c63557a1a248fce

SHA256
e696efb299b79c4857007a48ced8125adfbad8f66c4ae7f746a264fa70d47ccd

SHA512
ac5cdc393c4d299d58ed1aeffedf61fa8d938f3b7716424dd7562000072ec728b1b31aafb34a36800681868dcabed7555ed5f268f3fe8b153128f2fa6750b29f

Download Submit
C:\Windows\SysWOW64\Hipmfjee.exe

Filesize
80KB

MD5
9a785f53224c0ce3aa0f5277fc833d83

SHA1
a64078be4785ea5a3af8f7a0e962e56a830acfbe

SHA256
b21bc4e804eb458130e9cfd771f96ec54866417ad8f7da8ea360a19de4e62f58

SHA512
e9e28b4cc87f25d3f924b85dff2c13511e57827a0f8074c9a6761b9f67af9be32c368b2436b8ed3f970c82f31ae150877921e627032fed216d021d426770d9b1

Download Submit
C:\Windows\SysWOW64\Hlbcnd32.exe

Filesize
80KB

MD5
a5493bf687ea34f08cc03bb320eefb11

SHA1
7685bb639849779d93bb3d61a3f6f8a542c95ead

SHA256
86d6db8ca4c100e98f03dfca2a4a39f06c0ee704ef3c14b51934ca0c4c7f2e0d

SHA512
4efc3fdbf2fc687d3c8af6c712ba4b71f70af5d535d0fc672195bff96b9af93b854635b5e221b77ad9772bb8a1e67f21549d9c0bb9f578dc084401aa7c444001

Download Submit
C:\Windows\SysWOW64\Hlglidlo.exe

Filesize
80KB

MD5
a16e99d61d4ee914d2332777b5b9458c

SHA1
6138d5a5bb2470ccf13a37f9bd1945b742a8d8fb

SHA256
2df1b2b31fbe536e8615171fbc9bd055a9c5cb902756e47a753b3a80575dcac6

SHA512
c1ba25c3c73b6e30cc95776a061fc571b41c551706202151c2209217f5c5c9bcbce7e2c3ea1985290a0ed94dae266cdfe97561bd9e4a6e39f2ba0b1707ed82a3

Download Submit
C:\Windows\SysWOW64\Hoclopne.exe

Filesize
80KB

MD5
3342a7c22ac009950679edd975ea7eda

SHA1
d946b2b5ec5a48bf7a4c16682831a8e24325af15

SHA256
350a6b898673cad039b851bd931d3b331b20240ed146a1949a3c194629c6c90d

SHA512
9345267670ef8c0af2ed1962a1011063728ae3d0ca19c1847ddbadad6b01708f749cb42584e9f72b05c09cbb72fe666cc50a7612bb79393a2a0414880510891b

Download Submit
C:\Windows\SysWOW64\Hoeieolb.exe

Filesize
80KB

MD5
b547d72d8d69d6edeab74e9d3d1a71ad

SHA1
8182eb6faa532053e28aabd144d47c58bf4e2d7e

SHA256
9194437773cede6719cd6d16b2ce4e2ed40a67e0b8ad6fdde528a8589066c9e4

SHA512
cbedc141863b5636a6579977de0e96f6553d83f14d5fa115e16b51407d74c6ca68392d24fce576de029b76f287acc63bfcaa3b3bed6b5a4e01caaaad31d4ee0d

Download Submit
C:\Windows\SysWOW64\Holfoqcm.exe

Filesize
80KB

MD5
05f0bdcbca7ba00b696488bae6cd384a

SHA1
5e62c287731ecc91a65e8801264c312f0f3e6cb5

SHA256
7924434cd737b56cdb4442e0b07b0a662c43ff9b304f7a800f4e27ca7d2662d8

SHA512
ef44dd459df9562ba6e6e84e3e4504b75e0d174184ee11868d5a3d75a19d9927d7a45c98a1c38f448eab860c323a9081a6fae7ab39c795d799a79b446b463569

Download Submit
C:\Windows\SysWOW64\Hplbickp.exe

Filesize
80KB

MD5
93c5234cc7d9b5ba91c7f55a6244ce38

SHA1
da6769ab357dd561455561de6cb9f6c876b63e0b

SHA256
c786043ed1a113adcba318f4c2b8d80f52d510728ac142a50ccd1505cfa250b7

SHA512
b4371fa1595f535fc4e70e27617225e2212c70676a05d4264de42cbc1cba5c693f9fa15e3b199e60b24e277e5cba89c07733d675c4f286723c456ff478b8cf11

Download Submit
C:\Windows\SysWOW64\Iikmbh32.exe

Filesize
80KB

MD5
f3a44540616178bce540dc70e821864a

SHA1
34650e011d2143948be7e252b5a4b92ce250c3db

SHA256
4f38db8dde8b546f7248ca9acee55610de3f33d4d686c555de2169c9c4a60799

SHA512
e1742ee6430ff0785fe17f002eed300115d73f5dde614d45ae075376659f6353689302efd8356763cbf81f50aafe1664bf2bedb0b52a6c80181cd6eebc4a1ba1

Download Submit
C:\Windows\SysWOW64\Mmmqhl32.exe

Filesize
80KB

MD5
f4bef2523bd4e0873efe4df405fd0707

SHA1
5410962eeccfca31032373050b336de05ffff363

SHA256
afe96c4adc86896812e2fd9e1f9353700fe0473426003ad79f6ba2a5e2672a40

SHA512
09a4738cf9d516c17b600dca14ffe734f1be95203de801d521a1c969cac634dd5771381c4bcf43c26b8fdb89b114e23083dc9ccd88d9e906dbcd1497dc049263

Download Submit
C:\Windows\SysWOW64\Nnfpinmi.exe

Filesize
80KB

MD5
3e4077b05d9b3150a9b086149150f473

SHA1
a4bd63febcc9eaca6275b7d2711f1a5a71cf481c

SHA256
bcbc8c43a3fc798ff1c30129f7d19b9ad2c29952c8a359a37d0c3a07ae8855b1

SHA512
7ea364d8fe6f5958923f50a7445e25b9176408f1606c5b24c9c058e3a7fe6210f74e6d93f35617573cf6fe1967450d37739bac1dd4c96ba741ca81e2011bf89a

Download Submit
C:\Windows\SysWOW64\Oabhfg32.exe

Filesize
80KB

MD5
280e4cb4fde36de3170afc071cfbf13b

SHA1
e73b19398edae5ada58a0d535ca1d5fa765648ce

SHA256
b0885728dec71f1e7c35492585d30bd37a104eb67c58b6e8e46a72c8fce2b55c

SHA512
535515e199da1f34e7f5f63450a8de23c829a8e91f98cbd428d8c30f998fab43f6f8cc1da9718f0f3aad3db0dd8db739d89ce13d4aa29c48d2498d87a5dfc444

Download Submit
C:\Windows\SysWOW64\Oghghb32.exe

Filesize
80KB

MD5
9fb4cc0eaa835c7202fa244ef674828a

SHA1
2f31b701c52a86c321bc723158a234a16c456718

SHA256
d4d414d6ded12298ffc89ca45d3d4d87168f6d593e39529c22ad22a7da65e5e3

SHA512
b983221c91c4d34bcbf7ea1c98256fc425cb102c8d57f221d7ae4b7ea9171671f27f32cb68379d8f720851b4da4f389d2471b089e86faf3b2ac530b1ec996730

Download Submit
memory/100-359-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/116-491-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/224-152-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/416-64-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/440-383-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/536-281-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/540-581-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/660-333-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/776-533-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/908-305-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/916-425-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1048-377-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1096-407-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1156-455-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1324-553-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1360-269-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1412-335-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1472-560-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1492-168-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1560-263-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1568-513-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1572-521-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1596-48-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1596-587-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1796-588-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1816-224-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1956-567-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1960-431-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1964-317-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2044-485-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2116-443-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2180-161-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2240-527-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2456-145-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2464-594-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2464-56-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2524-275-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2528-97-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2548-311-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2644-413-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2652-88-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2688-208-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2696-112-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2852-503-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2864-293-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3012-137-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3024-473-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3032-72-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3040-287-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3088-395-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3124-574-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3160-365-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3220-466-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3244-341-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3276-327-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3324-566-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3324-24-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3420-216-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3448-347-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3624-205-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3692-467-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3696-128-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3708-299-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3820-353-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3940-197-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3944-105-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3980-540-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4040-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4040-539-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4040-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4052-497-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4080-125-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4084-248-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4104-80-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4108-515-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4112-184-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4156-176-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4220-483-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4272-371-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4312-550-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4340-453-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4356-256-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4392-37-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4392-573-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4492-401-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4524-437-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4600-424-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4848-559-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4848-16-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4856-8-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4856-552-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4864-580-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4864-40-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4868-389-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4932-246-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5000-233-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads