berbew | 84b77e1744c0d9e545f46a6cbe354ff02c37d6b850283d0dc82b169a3c726679

Analysis

max time kernel
94s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 00:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84b77e1744c0d9e545f46a6cbe354ff02c37d6b850283d0dc82b169a3c726679.exe
Size

96KB
MD5

7dc00811c9fef735fc7eff24be63eaa8
SHA1

35d03e15b9754d778464d916fc5bae52644aca0f
SHA256

84b77e1744c0d9e545f46a6cbe354ff02c37d6b850283d0dc82b169a3c726679
SHA512

e75a6fafb42f822ba71a2bb3620e6a5097e0b463588839cf8fed293838b975ffcc16776dec1023febaf6229abb121bf712881b2d77a5ba8e813a77a2f98f3267
SSDEEP

3072:IjG/SqlhrSrCISDMnKLsrte+sHrtG9MW3+3l2X:zS+hnYKQrwttGDuMX

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngdmod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njefqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfcbjk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfmepi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmijbcpl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lenamdem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npcoakfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Npcoakfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajanck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbhfjljd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kboljk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kplpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lpcfkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdehlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmmjgejj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Odkjng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jcgbco32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jblpek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lenamdem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpnhfhf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jfeopj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jlbgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jcioiood.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kefkme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lllcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgimcebb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpijnqkp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcllonma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kmdqgd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcfkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lljfpnjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ojllan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcgbco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jcllonma.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbaipkbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ofcmfodb.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3908	Jpijnqkp.exe
4492	Jbhfjljd.exe
1420	Jfcbjk32.exe
5028	Jmmjgejj.exe
3216	Jlpkba32.exe
456	Jcgbco32.exe
3576	Jfeopj32.exe
4932	Jidklf32.exe
3412	Jlbgha32.exe
4416	Jcioiood.exe
1712	Jblpek32.exe
5016	Jifhaenk.exe
4084	Jlednamo.exe
2816	Jcllonma.exe
3492	Kboljk32.exe
4468	Kmdqgd32.exe
4496	Kpbmco32.exe
4712	Kbaipkbi.exe
828	Kfmepi32.exe
464	Kikame32.exe
2284	Klimip32.exe
716	Kdqejn32.exe
1264	Kfoafi32.exe
4872	Kmijbcpl.exe
2896	Kpgfooop.exe
2528	Kdcbom32.exe
1172	Kfankifm.exe
3500	Kipkhdeq.exe
4988	Klngdpdd.exe
4976	Kbhoqj32.exe
1724	Kefkme32.exe
3080	Kibgmdcn.exe
4536	Kplpjn32.exe
1784	Lbjlfi32.exe
2116	Leihbeib.exe
4284	Liddbc32.exe
3496	Lpnlpnih.exe
3580	Ldjhpl32.exe
768	Lbmhlihl.exe
4324	Lekehdgp.exe
4884	Lmbmibhb.exe
4076	Llemdo32.exe
2356	Lpqiemge.exe
2668	Ldleel32.exe
4820	Lboeaifi.exe
4624	Lenamdem.exe
116	Lmdina32.exe
4032	Lpcfkm32.exe
5064	Ldoaklml.exe
2916	Lgmngglp.exe
4444	Lepncd32.exe
2388	Likjcbkc.exe
4724	Lljfpnjg.exe
4564	Lbdolh32.exe
5024	Lebkhc32.exe
2764	Lmiciaaj.exe
1480	Lllcen32.exe
4400	Mdckfk32.exe
2272	Mgagbf32.exe
4956	Medgncoe.exe
3808	Mmlpoqpg.exe
3652	Mdehlk32.exe
4464	Mchhggno.exe
4036	Mgddhf32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nfgmjqop.exe	Ngdmod32.exe
File created	C:\Windows\SysWOW64\Jfpbkoql.dll	Oqhacgdh.exe
File opened for modification	C:\Windows\SysWOW64\Jcioiood.exe	Jlbgha32.exe
File created	C:\Windows\SysWOW64\Ffhoqj32.dll	Kfoafi32.exe
File opened for modification	C:\Windows\SysWOW64\Lpnlpnih.exe	Liddbc32.exe
File opened for modification	C:\Windows\SysWOW64\Miemjaci.exe	Meiaib32.exe
File created	C:\Windows\SysWOW64\Lplhdc32.dll	Mgimcebb.exe
File opened for modification	C:\Windows\SysWOW64\Mnebeogl.exe	Menjdbgj.exe
File created	C:\Windows\SysWOW64\Hmmblqfc.dll	Pcppfaka.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Ogpmjb32.exe	Odapnf32.exe
File created	C:\Windows\SysWOW64\Fjegoh32.dll	Npmagine.exe
File opened for modification	C:\Windows\SysWOW64\Ocpgod32.exe	Opakbi32.exe
File opened for modification	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Aqncedbp.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Kbaipkbi.exe	Kpbmco32.exe
File created	C:\Windows\SysWOW64\Mdhdajea.exe	Mlampmdo.exe
File created	C:\Windows\SysWOW64\Fjbnapki.dll	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Aglemn32.exe
File opened for modification	C:\Windows\SysWOW64\Kmdqgd32.exe	Kboljk32.exe
File opened for modification	C:\Windows\SysWOW64\Nilcjp32.exe	Ncbknfed.exe
File opened for modification	C:\Windows\SysWOW64\Ndfqbhia.exe	Nloiakho.exe
File opened for modification	C:\Windows\SysWOW64\Ofeilobp.exe	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Jmmmebhb.dll	Aeiofcji.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Bdkfmkdc.dll	Kplpjn32.exe
File opened for modification	C:\Windows\SysWOW64\Ldleel32.exe	Lpqiemge.exe
File created	C:\Windows\SysWOW64\Ndhmhh32.exe	Npmagine.exe
File created	C:\Windows\SysWOW64\Olkhmi32.exe	Ojllan32.exe
File created	C:\Windows\SysWOW64\Jilkmnni.dll	Ojoign32.exe
File created	C:\Windows\SysWOW64\Pdfjifjo.exe	Pqknig32.exe
File opened for modification	C:\Windows\SysWOW64\Lekehdgp.exe	Lbmhlihl.exe
File created	C:\Windows\SysWOW64\Mcmabg32.exe	Mpoefk32.exe
File created	C:\Windows\SysWOW64\Ngdmod32.exe	Ndfqbhia.exe
File created	C:\Windows\SysWOW64\Qeobam32.dll	Qqijje32.exe
File created	C:\Windows\SysWOW64\Aqppkd32.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Aeniabfd.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Kkbljp32.dll	Pqmjog32.exe
File created	C:\Windows\SysWOW64\Baacma32.dll	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Jifhaenk.exe	Jblpek32.exe
File created	C:\Windows\SysWOW64\Nebdoa32.exe	Ncdgcf32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjlpo32.exe	Nebdoa32.exe
File opened for modification	C:\Windows\SysWOW64\Neeqea32.exe	Ngbpidjh.exe
File opened for modification	C:\Windows\SysWOW64\Olcbmj32.exe	Nnqbanmo.exe
File created	C:\Windows\SysWOW64\Ldamee32.dll	Ofeilobp.exe
File opened for modification	C:\Windows\SysWOW64\Kmijbcpl.exe	Kfoafi32.exe
File created	C:\Windows\SysWOW64\Gnbinq32.dll	Kbhoqj32.exe
File opened for modification	C:\Windows\SysWOW64\Medgncoe.exe	Mgagbf32.exe
File opened for modification	C:\Windows\SysWOW64\Mcpnhfhf.exe	Mdmnlj32.exe
File created	C:\Windows\SysWOW64\Pfjcgn32.exe	Pggbkagp.exe
File opened for modification	C:\Windows\SysWOW64\Jidklf32.exe	Jfeopj32.exe
File opened for modification	C:\Windows\SysWOW64\Olkhmi32.exe	Ojllan32.exe
File created	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Mnjgghdi.dll	Aeniabfd.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Jlgbon32.dll	Leihbeib.exe
File opened for modification	C:\Windows\SysWOW64\Lmbmibhb.exe	Lekehdgp.exe
File created	C:\Windows\SysWOW64\Gijlad32.dll	Mibpda32.exe
File created	C:\Windows\SysWOW64\Popodg32.dll	Pdifoehl.exe
File created	C:\Windows\SysWOW64\Feibedlp.dll	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Qgqeappe.exe	Qqfmde32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7004	6852	WerFault.exe	284

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfoafi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgagbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdqejn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llemdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmlpoqpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgddhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncdgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klngdpdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmdina32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbhoqj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdckfk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbaipkbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npcoakfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldjhpl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbmhlihl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Likjcbkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnqbanmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpijnqkp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjlfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcioiood.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcgbco32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmbmibhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldleel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdmnlj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npmagine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlpkba32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kipkhdeq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kikame32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iihqganf.dll"	Lenamdem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdehlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naekcf32.dll"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdkfmkdc.dll"	Kplpjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lbdolh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jholncde.dll"	Meiaib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoecnk32.dll"	Kmdqgd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lljfpnjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkbljp32.dll"	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	84b77e1744c0d9e545f46a6cbe354ff02c37d6b850283d0dc82b169a3c726679.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbnkjc32.dll"	Kfmepi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kfoafi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghngib32.dll"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jcioiood.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogibpb32.dll"	Likjcbkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmgladp.dll"	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngbpidjh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oomibind.dll"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pemfincl.dll"	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glgmkm32.dll"	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhaoapj.dll"	Lpqiemge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mgddhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blleba32.dll"	Mmlpoqpg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Klimip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lbmhlihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lmdina32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnneknob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jcioiood.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oendmdab.dll"	Jcllonma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffhoqj32.dll"	Kfoafi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Odapnf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilkmnni.dll"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jmmjgejj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kmdqgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kdqejn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lpcfkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nfgmjqop.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 916 wrote to memory of 3908	916	84b77e1744c0d9e545f46a6cbe354ff02c37d6b850283d0dc82b169a3c726679.exe	82
PID 916 wrote to memory of 3908	916	84b77e1744c0d9e545f46a6cbe354ff02c37d6b850283d0dc82b169a3c726679.exe	82
PID 916 wrote to memory of 3908	916	84b77e1744c0d9e545f46a6cbe354ff02c37d6b850283d0dc82b169a3c726679.exe	82
PID 3908 wrote to memory of 4492	3908	Jpijnqkp.exe	83
PID 3908 wrote to memory of 4492	3908	Jpijnqkp.exe	83
PID 3908 wrote to memory of 4492	3908	Jpijnqkp.exe	83
PID 4492 wrote to memory of 1420	4492	Jbhfjljd.exe	84
PID 4492 wrote to memory of 1420	4492	Jbhfjljd.exe	84
PID 4492 wrote to memory of 1420	4492	Jbhfjljd.exe	84
PID 1420 wrote to memory of 5028	1420	Jfcbjk32.exe	85
PID 1420 wrote to memory of 5028	1420	Jfcbjk32.exe	85
PID 1420 wrote to memory of 5028	1420	Jfcbjk32.exe	85
PID 5028 wrote to memory of 3216	5028	Jmmjgejj.exe	86
PID 5028 wrote to memory of 3216	5028	Jmmjgejj.exe	86
PID 5028 wrote to memory of 3216	5028	Jmmjgejj.exe	86
PID 3216 wrote to memory of 456	3216	Jlpkba32.exe	87
PID 3216 wrote to memory of 456	3216	Jlpkba32.exe	87
PID 3216 wrote to memory of 456	3216	Jlpkba32.exe	87
PID 456 wrote to memory of 3576	456	Jcgbco32.exe	88
PID 456 wrote to memory of 3576	456	Jcgbco32.exe	88
PID 456 wrote to memory of 3576	456	Jcgbco32.exe	88
PID 3576 wrote to memory of 4932	3576	Jfeopj32.exe	89
PID 3576 wrote to memory of 4932	3576	Jfeopj32.exe	89
PID 3576 wrote to memory of 4932	3576	Jfeopj32.exe	89
PID 4932 wrote to memory of 3412	4932	Jidklf32.exe	90
PID 4932 wrote to memory of 3412	4932	Jidklf32.exe	90
PID 4932 wrote to memory of 3412	4932	Jidklf32.exe	90
PID 3412 wrote to memory of 4416	3412	Jlbgha32.exe	91
PID 3412 wrote to memory of 4416	3412	Jlbgha32.exe	91
PID 3412 wrote to memory of 4416	3412	Jlbgha32.exe	91
PID 4416 wrote to memory of 1712	4416	Jcioiood.exe	92
PID 4416 wrote to memory of 1712	4416	Jcioiood.exe	92
PID 4416 wrote to memory of 1712	4416	Jcioiood.exe	92
PID 1712 wrote to memory of 5016	1712	Jblpek32.exe	93
PID 1712 wrote to memory of 5016	1712	Jblpek32.exe	93
PID 1712 wrote to memory of 5016	1712	Jblpek32.exe	93
PID 5016 wrote to memory of 4084	5016	Jifhaenk.exe	94
PID 5016 wrote to memory of 4084	5016	Jifhaenk.exe	94
PID 5016 wrote to memory of 4084	5016	Jifhaenk.exe	94
PID 4084 wrote to memory of 2816	4084	Jlednamo.exe	95
PID 4084 wrote to memory of 2816	4084	Jlednamo.exe	95
PID 4084 wrote to memory of 2816	4084	Jlednamo.exe	95
PID 2816 wrote to memory of 3492	2816	Jcllonma.exe	96
PID 2816 wrote to memory of 3492	2816	Jcllonma.exe	96
PID 2816 wrote to memory of 3492	2816	Jcllonma.exe	96
PID 3492 wrote to memory of 4468	3492	Kboljk32.exe	97
PID 3492 wrote to memory of 4468	3492	Kboljk32.exe	97
PID 3492 wrote to memory of 4468	3492	Kboljk32.exe	97
PID 4468 wrote to memory of 4496	4468	Kmdqgd32.exe	98
PID 4468 wrote to memory of 4496	4468	Kmdqgd32.exe	98
PID 4468 wrote to memory of 4496	4468	Kmdqgd32.exe	98
PID 4496 wrote to memory of 4712	4496	Kpbmco32.exe	99
PID 4496 wrote to memory of 4712	4496	Kpbmco32.exe	99
PID 4496 wrote to memory of 4712	4496	Kpbmco32.exe	99
PID 4712 wrote to memory of 828	4712	Kbaipkbi.exe	100
PID 4712 wrote to memory of 828	4712	Kbaipkbi.exe	100
PID 4712 wrote to memory of 828	4712	Kbaipkbi.exe	100
PID 828 wrote to memory of 464	828	Kfmepi32.exe	101
PID 828 wrote to memory of 464	828	Kfmepi32.exe	101
PID 828 wrote to memory of 464	828	Kfmepi32.exe	101
PID 464 wrote to memory of 2284	464	Kikame32.exe	102
PID 464 wrote to memory of 2284	464	Kikame32.exe	102
PID 464 wrote to memory of 2284	464	Kikame32.exe	102
PID 2284 wrote to memory of 716	2284	Klimip32.exe	103

C:\Users\Admin\AppData\Local\Temp\2457068771\zmstage.exe
C:\Users\Admin\AppData\Local\Temp\2457068771\zmstage.exe
1⤵
PID:4036

C:\Users\Admin\AppData\Local\Temp\84b77e1744c0d9e545f46a6cbe354ff02c37d6b850283d0dc82b169a3c726679.exe
"C:\Users\Admin\AppData\Local\Temp\84b77e1744c0d9e545f46a6cbe354ff02c37d6b850283d0dc82b169a3c726679.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:916
- C:\Windows\SysWOW64\Jpijnqkp.exe
  C:\Windows\system32\Jpijnqkp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3908
- - C:\Windows\SysWOW64\Jbhfjljd.exe
    C:\Windows\system32\Jbhfjljd.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4492
  - - C:\Windows\SysWOW64\Jfcbjk32.exe
      C:\Windows\system32\Jfcbjk32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1420
    - - C:\Windows\SysWOW64\Jmmjgejj.exe
        
        C:\Windows\system32\Jmmjgejj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5028
      - C:\Windows\SysWOW64\Jlpkba32.exe
        
        C:\Windows\system32\Jlpkba32.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3216
        
        C:\Windows\SysWOW64\Jcgbco32.exe
        
        C:\Windows\system32\Jcgbco32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\SysWOW64\Jfeopj32.exe
        
        C:\Windows\system32\Jfeopj32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Windows\SysWOW64\Jlbgha32.exe
        
        C:\Windows\system32\Jlbgha32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3412
        
        C:\Windows\SysWOW64\Jcioiood.exe
        
        C:\Windows\system32\Jcioiood.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Windows\SysWOW64\Jblpek32.exe
        
        C:\Windows\system32\Jblpek32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\SysWOW64\Jifhaenk.exe
        
        C:\Windows\system32\Jifhaenk.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\SysWOW64\Jlednamo.exe
        
        C:\Windows\system32\Jlednamo.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Windows\SysWOW64\Jcllonma.exe
        
        C:\Windows\system32\Jcllonma.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3492
        
        C:\Windows\SysWOW64\Kmdqgd32.exe
        
        C:\Windows\system32\Kmdqgd32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\SysWOW64\Kpbmco32.exe
        
        C:\Windows\system32\Kpbmco32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4496
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4712
        
        C:\Windows\SysWOW64\Kfmepi32.exe
        
        C:\Windows\system32\Kfmepi32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:828
        
        C:\Windows\SysWOW64\Kikame32.exe
        
        C:\Windows\system32\Kikame32.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:716
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1264
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4872
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        26⤵
        Executes dropped EXE
        
        PID:2896
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        27⤵
        Executes dropped EXE
        
        PID:2528
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        28⤵
        Executes dropped EXE
        
        PID:1172
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3500
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4988
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4976
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1724
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        33⤵
        Executes dropped EXE
        
        PID:3080
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1784
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2116
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4284
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        38⤵
        Executes dropped EXE
        
        PID:3496
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3580
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:768
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4324
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4884
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4076
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        46⤵
        Executes dropped EXE
        
        PID:4820
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4624
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:116
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4032
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        50⤵
        Executes dropped EXE
        
        PID:5064
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        51⤵
        Executes dropped EXE
        
        PID:2916
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        52⤵
        Executes dropped EXE
        
        PID:4444
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2388
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4724
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        56⤵
        Executes dropped EXE
        
        PID:5024
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        57⤵
        Executes dropped EXE
        
        PID:2764
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1480
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4400
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2272
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        61⤵
        Executes dropped EXE
        
        PID:4956
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3808
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3652
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        64⤵
        Executes dropped EXE
        
        PID:4464
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4036
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        66⤵
        Drops file in System32 directory
        
        PID:2884
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        67⤵
        Drops file in System32 directory
        
        PID:2732
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        68⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        70⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        71⤵
        Drops file in System32 directory
        
        PID:2292
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        72⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5048
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        74⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        75⤵
        
        PID:936
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        76⤵
        
        PID:540
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1464
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1320
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        79⤵
        Drops file in System32 directory
        
        PID:4936
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        80⤵
        
        PID:624
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1296
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        82⤵
        Drops file in System32 directory
        
        PID:4352
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        83⤵
        Modifies registry class
        
        PID:1984
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4460
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        86⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        87⤵
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        88⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3288
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1268
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        91⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2276
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4912
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        94⤵
        Modifies registry class
        
        PID:8
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        95⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3528
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        96⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4340
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        97⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4204
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:4940
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:452
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        101⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2132
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3536
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        103⤵
        Modifies registry class
        
        PID:1844
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3008
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        105⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        106⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:848
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        108⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:5172
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        110⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5264
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        112⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        113⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        114⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        115⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5484
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5528
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        118⤵
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:5660
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5696
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        122⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:5800
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        124⤵
        Drops file in System32 directory
        
        PID:5844
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5888
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5932
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        127⤵
        Drops file in System32 directory
        
        PID:5976
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        128⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        129⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        130⤵
        Drops file in System32 directory
        
        PID:6108
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5124
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        132⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        133⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        134⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5336
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        135⤵
        System Location Discovery: System Language Discovery
        
        PID:5404
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        136⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5468
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5540
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5612
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        139⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        141⤵
        Drops file in System32 directory
        
        PID:5828
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        142⤵
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        143⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5956
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        144⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        145⤵
        System Location Discovery: System Language Discovery
        
        PID:6096
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        146⤵
        Modifies registry class
        
        PID:2608
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5200
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        148⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5300
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        150⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        151⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5624
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        152⤵
        System Location Discovery: System Language Discovery
        
        PID:5740
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        153⤵
        System Location Discovery: System Language Discovery
        
        PID:5836
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5940
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        155⤵
        Modifies registry class
        
        PID:6088
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        156⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        157⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        158⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        159⤵
        Drops file in System32 directory
        
        PID:5716
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        160⤵
        System Location Discovery: System Language Discovery
        
        PID:5900
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        162⤵
        Drops file in System32 directory
        
        PID:5368
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5596
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        164⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5868
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        165⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        166⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5524
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5928
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        168⤵
        Drops file in System32 directory
        
        PID:5492
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        169⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5168
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        170⤵
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        171⤵
        System Location Discovery: System Language Discovery
        
        PID:6152
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6196
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        173⤵
        Drops file in System32 directory
        
        PID:6240
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        174⤵
        Drops file in System32 directory
        
        PID:6284
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        175⤵
        Drops file in System32 directory
        
        PID:6332
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        176⤵
        Modifies registry class
        
        PID:6376
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6420
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        178⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6464
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        179⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6508
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        180⤵
        Modifies registry class
        
        PID:6552
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        181⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6596
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6640
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        183⤵
        System Location Discovery: System Language Discovery
        
        PID:6676
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6728
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        185⤵
        Drops file in System32 directory
        
        PID:6772
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        186⤵
        Modifies registry class
        
        PID:6816
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        187⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        188⤵
        
        PID:6904
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        189⤵
        Modifies registry class
        
        PID:6944
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        190⤵
        Drops file in System32 directory
        
        PID:6996
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        191⤵
        
        PID:7040
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        192⤵
        System Location Discovery: System Language Discovery
        
        PID:7084
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        193⤵
        Modifies registry class
        
        PID:7128
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        194⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6100
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        195⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6212
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        196⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        197⤵
        System Location Discovery: System Language Discovery
        
        PID:6348
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        198⤵
        System Location Discovery: System Language Discovery
        
        PID:6416
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        199⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6504
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        200⤵
        System Location Discovery: System Language Discovery
        
        PID:6580
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        201⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6648
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        202⤵
        Drops file in System32 directory
        
        PID:6720
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        203⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6784
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        204⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6852 -s 416
        205⤵
        Program crash
        
        PID:7004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 6852 -ip 6852
1⤵
PID:6956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
96KB

MD5
18388bfc9521b839c69d079188a4fa13

SHA1
0225de65ff5d00cdc501a23ee257db355c73497f

SHA256
304266863bc8392d17ff07302d12a7b8a8e5250376d1a85eaedd1d602b1f81be

SHA512
2711e7cfc4585fbfb73bdcb5c2484b46f1a5fb827033095a01cbe22cd4a697c336fc24d0b462f739576d92a6a6a28efc6f33a9862f5bbdbca1b5f139ca955be6

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
96KB

MD5
0a45d14f0f9f43b60223004a4b7d9b44

SHA1
c70c9f279c5e95b7e6d3a49642a90740c085ea44

SHA256
32a048611be156a3fca726d4ff64580cfd2a3001ded8efee1e29ce038e42dabe

SHA512
a6d7e3bbb154fdfe1764df3a8fb3dfa96b3fbc62d7ce87cba8e41d6bd99127b476b9f1a065d035ae7948376d84f95e39a018d33c733fbbe4604f8a744441b29c

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
96KB

MD5
419c7bb8bd8678a83c8a1248b38e338f

SHA1
9c7f4607ef806fa5b0bae93c61cb4e2bd007444f

SHA256
808a38cc29b54fe1e405a83c6d1b19f9a65e93879a21d5d88f2a549c8e7d3c62

SHA512
b8dc1d56ec43751b01f8f7fd0cec48f649a3953ee88985cf7e91ab207733ed26f2b0ef03d6f16662effeebf30e16667105e3d932ab4ed58b0ff99aca831d8fbd

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
96KB

MD5
29f644665619e1bf112c56a187183ff6

SHA1
9f2367ea0b5ac5fb524cb955c8b25b192b2881c2

SHA256
e400409f24c4ef013bb276f69c89cf2b7718e497c0b126e7fb4c005ffce80f50

SHA512
aa037c861b9fce631e08dd9d1172a0e1820d377f3ec0a02a62e999ae29d5d3750c0c3b14cfe04069603fe04b187df26f201fe169580fbe68abdfbe83e6c35b11

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
96KB

MD5
adab0d1ab60454d5a005949db265fb44

SHA1
b3416cd959efe910cac57278bf8613f94fcb8dd5

SHA256
a1b7a2aea1c258870454df785ce71f9fa67e2861958feabc389635b0133c845d

SHA512
3c6db274bc6e79051268020d95adfd8cd91ff202a7359922ffa76886fea78cbff59974d4bb901ed63e768cc23965f0004d98132aa4eb0f564619dfe1da308cff

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
96KB

MD5
4af6f06a04962bcf92a118ab3af950a3

SHA1
06862073c5bc1e5bb4365f81b2af1be14370c412

SHA256
4b1fd512b644356ad41f91518f37972b21dfbfb9b3d71911a9c4df0f3f385a76

SHA512
df472f827df4f35a0762faf4cf714f83f657e06120cf520d57576bea561414840c5dea03d40b55e58ba7892c0defda3d7dc4d464b632b683ecb506521246ad98

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
96KB

MD5
cd46a15e3d261699eca181cd5fcb1bfd

SHA1
6af28f0871abf6259c37b72d0551882a6d495012

SHA256
928191bcbadd87fa210c3d9b29fb7e17769293364878564b3e8783041a0bf9a5

SHA512
700b56cb5a0d35c7ce79c26cf10b493110050e50186243629eac9d3d17ca9dc8b8f34578ee2f5e5b1ff7437b9a5c3af567a4af25bb9898a9ff47b8d54c8f57e8

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
96KB

MD5
721346123402d841713b48113bd3aafa

SHA1
c68230f9a47609495b6a8cdaeb9b28af13019d75

SHA256
6dc7c9f3f81f0f25e0695c203c7b4969ce48f7b76e8e444a0c033b718c39e68a

SHA512
ff24a8c527f4f8ab0ffb35b5cb41f89cb90f9fd10ae19eee64736002d301b2864143753a9751801d3a599bc48927c3325915d7002b85c57c5bfc4dc8effee5ba

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
96KB

MD5
c7bec0f50cd2f5def82ac9f916e96985

SHA1
edbb8bf625158534e9d8100908c5a99c95bc5de1

SHA256
394247f36f12807b3efb6c964debbbb4e30c8f4b67b090b6feac2b19590972c0

SHA512
ad248116b08d101adc522265c95058b0eca7d70d8a889cc358e184c3af8d175577bad3b7ba68375066f29be299e62398500b8877718ea00f83f3bf5a0bea256c

Download Submit
C:\Windows\SysWOW64\Jbhfjljd.exe

Filesize
96KB

MD5
c353215a54837b05b658688f4e01dfca

SHA1
826adcdc90b4fa70d05c018d5b49f04ab6cb2c93

SHA256
2b291884a850b8b8c2997264c7a501c2a8264b238cbd58d0d86cceba6c433987

SHA512
9d524ec7cd6ebf763ca94f40d0055a93ef8b9eabe4dd4427f10e5c27533563651acde1a2a95ccb02a6917630d190661d0bc5687600195f7d8f8da689279fca61

Download Submit
C:\Windows\SysWOW64\Jblpek32.exe

Filesize
96KB

MD5
2ad6bb802380af6e169ec864006874a9

SHA1
8f6b310bfe50f00eb1a5ddde3b0f5a8e8a95a6ef

SHA256
8f0d9b185e338a51166f29bb76ad4576f9d83d1796ef2d9764e62fd2ea94167c

SHA512
6016e88e615306f32277ffa10585c00c98f78ae673724010f1a4fa955702e035bbff4c2dd9b972500ec26fba7d5b9988a1dcd9f9b19e59ef7312efdd4cf587fd

Download Submit
C:\Windows\SysWOW64\Jcgbco32.exe

Filesize
96KB

MD5
0c905c6d4a0f7af689310693a74fb33c

SHA1
9fcc3878821e32f8bd8fbbfac7cd2b9348625767

SHA256
b3c15994fe204f4e037f6c18ae6c73b996e70c1d34c4e0abbeeae97f95509b2f

SHA512
2f6aa2fde7b28c79751ed999eeeca1a097d8e97002c79004a6821dd43aa821cd16f251d59877057692a62489f1c6a29e29b412b85f67b2a85d585b4f0b467147

Download Submit
C:\Windows\SysWOW64\Jcioiood.exe

Filesize
96KB

MD5
2972a1a182083ef2aaf9bbb17f1fb352

SHA1
dcf738f5df53e696c25c42aae8a22d4dea054661

SHA256
0979d1030f7d986396f6aa7ffb5cb889f089d21fb4c1acd37c08e07646e1518c

SHA512
a29f6646ed293c2180af007a2aee2b1803af8d65cf53db845f9c9ba079e10225da1a95731e7f8f69cfcfc737d408e9e2125ce88430a898d4152d214b0e3d4e3e

Download Submit
C:\Windows\SysWOW64\Jcllonma.exe

Filesize
96KB

MD5
d0e5291fb09c17f7f187780fe073727f

SHA1
a0cbf77257766d4686cf9c027a6c0d2d01f94c0d

SHA256
233c7674f8a3a7d55a33559e9736673095b65975ae2aa77879f47588f07d3953

SHA512
365f4f00f6c38923f62215a76d6dc3cad3a97197d4f2c90d7998a7b741ccf38657624aaea4006406fc00c5e76f2e0c924995e3d1933f43ecfb845dae84911aef

Download Submit
C:\Windows\SysWOW64\Jfcbjk32.exe

Filesize
96KB

MD5
1f68331dca8e491aee317fac0fd38642

SHA1
ab178cf2d217ecd39608dbb03f36a142a514526b

SHA256
bb2a28152864dbe381836750ec182cd7f69451e612023dd7af05aa71db2c11c9

SHA512
69e47ce4c7790b7944b51def187918f76ed90554ff2fd95496b05c0c86621bc1f0c37d3e27caded85e356367ed44239a5fbdb7f47128d4587daa2f7f4ca0aca0

Download Submit
C:\Windows\SysWOW64\Jfeopj32.exe

Filesize
96KB

MD5
ff48b663c3a196ea90bc6ac404539427

SHA1
4c962edaeb55893806cadd6cc1c548e56a6f3dc6

SHA256
96469c920a01a9cf5722b04491e298141b1458a4766c9bd78b8780bf9455fd9b

SHA512
8eafac02c3ebd56867fea9b8008cd548d6536097f25a35e0b2ee816af4bbb3c393c0e7701630d65c8835f2891a757a7e4889f33a54db7d5403e69b5d16f8ddeb

Download Submit
C:\Windows\SysWOW64\Jidklf32.exe

Filesize
96KB

MD5
2976c89336c544cd88356eabfb2e8eb7

SHA1
abd575d2156189e1271bd9a2c43c9c52ec869a06

SHA256
698d6412ca03c2251f48769397679105d3a53e5f08f8da7203a6d3515150c0b7

SHA512
7e800933cdf5d7a2364c6858ea3a2b586db5527efbce7b555766e5ab70e8bcbfde88af486e9d64642631ecb5abe5310284ccb5c276fa62524e9f4f58ef595eff

Download Submit
C:\Windows\SysWOW64\Jifhaenk.exe

Filesize
96KB

MD5
6699b6d48888806c8ff034911089b29c

SHA1
c4d459947135ed6fa38e71b98c053537e914d522

SHA256
b974e1d9e06cd1f04e8a5ac065c40b5aed131a9aa0e516d45f006a4e2bcf1194

SHA512
b2f2addcb60e3f58cb2602bfded6681d328ecf1097b594462e2a0cbd285e3515a7bb83a4c7cfbd139914c5396b820c87a0feab8507b4287da31a7fc29f9fb77c

Download Submit
C:\Windows\SysWOW64\Jjbedgde.dll

Filesize
7KB

MD5
3341e07dc9508f195ac3123c6e17a50e

SHA1
89a7d904c99a0fdd1d869c73feb3822da856719a

SHA256
cddbea63f6619542040e73f6042fa34557f17605ec25f6195a1df9b0c85ff8a9

SHA512
cabeea00847817701d88a6ab24dabcdfad73e463d5b5679ebd401294d9f763c89242679e45b62e1e23003c48edf43e8f495b6b2fc0859bf25dbdfa50accb9ad4

Download Submit
C:\Windows\SysWOW64\Jlbgha32.exe

Filesize
96KB

MD5
9a13148d79ffa4cbb025765061f1f9bb

SHA1
a54ef3e279912ac0ad76fae36108ffa2fd369e5d

SHA256
c6e7ae933d1d8ce5535eb3860db333a2db61a90770273725414e80a1453a8533

SHA512
f2ce52c8df44dd7ed3deea3365bec3df6304898db2ebd5e9b582e19e89840eb74aff01962d2861eb707b2eafd164825c6e86d4bbeb011f980f5c88c1b6203711

Download Submit
C:\Windows\SysWOW64\Jlednamo.exe

Filesize
96KB

MD5
a349f95f3d20e71bccae02cba779a0b1

SHA1
73a495459930d0ed8fb6aa0c2a2a18e7ccb26f00

SHA256
50e94e47e6ce4277cc2caa9825a9d40fe83102f3b8ed047b407d1bbad9c98662

SHA512
d38c346f7d161ddf05e3e14090265f1480964956c6196cd6c8e934ff42d3d9e7b1b8ef5adc3451b76f7ae5378c0633cc7d7ba51b4b6b52f6f66ecd4d472a0e16

Download Submit
C:\Windows\SysWOW64\Jlpkba32.exe

Filesize
96KB

MD5
eb9ef807221f85319ca5b66561057a84

SHA1
81e639bac2bafe7f8b71e9d13ec7736b1192df1e

SHA256
28188fea3e73d129d5efd45c2ff12df48dcf69cb742e5605f13576ca81e3a0cb

SHA512
355f3d0f0a6ecc8c0f267165afdc47bd8cd9c39c3a8bd2c7731dd00010e211847319f2daa239a0b1f4f9a01737fcdf78f1f27b863f6051507d67650aac08b434

Download Submit
C:\Windows\SysWOW64\Jmmjgejj.exe

Filesize
96KB

MD5
73c14209eec16e23b19a13d093425eda

SHA1
3c78e4aea0b7fe956a2a517f41804ef82a62bf06

SHA256
450359e0567ddd191c6f04e221b7f27f75f4674cd6b84e80da50e8e4ad495fcf

SHA512
21150266e4a40aeff7ed876103e12602c339a91467e080a2c8bcb8f3891cc5d2c6e26178f90844716e664c165e3400d626394e239b98ea8dfe289b71e4dbd8e7

Download Submit
C:\Windows\SysWOW64\Jpijnqkp.exe

Filesize
96KB

MD5
67e221262bd3c7907715114aabdfb59e

SHA1
b6b199728fbf2e8f2ee79ec947561992e032433d

SHA256
e1a7c85bf1e7eb1d3703b9b8c15d257491196f9e5d240b8a29893b32aec9fdfe

SHA512
b7fcc48b4349a434226b0e33428a0c9301708706b6db8ee5c6f5e0d75fcec97537b9f8df6bddcd324b159ea079209ff8aa740d165521d70dda192f521ca3ac7e

Download Submit
C:\Windows\SysWOW64\Kbaipkbi.exe

Filesize
96KB

MD5
dbcc4cfb43bc6b0948d49d87f3043830

SHA1
ecb1c2dd897a804b0937d3f626f14955ca01058e

SHA256
24944064f2f9df41f5071975d118f8df20c921047fe6efc94fd4a38d3a5561f1

SHA512
4db698fdc999c958e7631d3129813c26314adf9d08fa736c39deada82bc750f401a4dcce38f3c1142251bcb8a1220c24138cbed6a8cccaa4f3001ab72e8d76de

Download Submit
C:\Windows\SysWOW64\Kbhoqj32.exe

Filesize
96KB

MD5
48893e831322740475881a9c06d50e9d

SHA1
a69af179f065bfb93d4fa43386a47aad07add0b5

SHA256
d2dc6a1ebe72790e6d9ee3f5c41dfb74bc6ce775b75b56306fc3ec0d9a3df4ba

SHA512
e3342640ced1d0bc0d7a58ebef4bd5f2f98b8254eb4aa42a31a7196fcd5f04499a569ecc03a66bb817eb18a7e4d57cfe3d9791a387f01b80e7e58209e65cdc84

Download Submit
C:\Windows\SysWOW64\Kboljk32.exe

Filesize
96KB

MD5
36bed73e636c0733da7559f53133402c

SHA1
e50edc6e49d957821d02cc8656371acee2d5aa0a

SHA256
ca08aaae998e6fed09b4adde4dd2a4ce55fa58f5dd2c02766a7511b6aa16826d

SHA512
0c10bfdeec64cca4a2a5e5aa0ea49837d4a4126745f58fc9ba77ed0ccb3b462d036215319de825be9f100b968073c7c778db4fded1ebf218b0341dcd1587b4a7

Download Submit
C:\Windows\SysWOW64\Kdcbom32.exe

Filesize
96KB

MD5
69098461c77fff6fd641e7fb0ae69057

SHA1
f04dac658bdc2b69ba1aee3ea9e31620d8eba590

SHA256
8af6f6c15340c19c5a926d525287bc87c1f6a46d7a54e78a1af739cbea8802e3

SHA512
84a667aad8a916cec674a0e1eba999a6f3c4d77ed72e1c1b99bac102fdd6505dd9a784f06e1e5386dd04464539f5d703e8c5ff3280e9749aabf5c2c58e922edf

Download Submit
C:\Windows\SysWOW64\Kdqejn32.exe

Filesize
96KB

MD5
f38389adeb819884d60f83116abfb9a2

SHA1
e694a57df6a525fe66e167993831871a849703f8

SHA256
13718d14cc980650d83a75b367e23a440c24f5441ac92c48f0bafc6659cab957

SHA512
9e4825280d49c058218e0adc541f4e6def9afc8f5339b7dcac1d0b83ef4056d7d09bf6f3fc53393300e575ec23460f577d5ca9f1d04441de19809052c2b990b8

Download Submit
C:\Windows\SysWOW64\Kefkme32.exe

Filesize
96KB

MD5
12a1f524879bb27701d366d070a41a81

SHA1
6054e40d6adf81af133d0751e78846448f4e9a23

SHA256
8ee1593d88035cb48e63d4cc97600a183c36765353859dbd396f8212cf968cbb

SHA512
18c2398ac69da9db9612f01ac73a7ee098563f09818fe7633e9cf50e351d4ef7c5a2009961980f99fac695beb3e7d7bd5280749dce6f5101f0eb933d911f4948

Download Submit
C:\Windows\SysWOW64\Kefkme32.exe

Filesize
96KB

MD5
d124c120ebd2e62da63ce26a4b367d63

SHA1
43367c8033dcc198e6e51e751f2a1f814b20d4f7

SHA256
5c09d97b3b2dfdf70471bc64a9a1dfa0990c7ff846082235ca9bc567a5dc0968

SHA512
4c381cac0f4184a8b9dcd98982d9bb01bd2b8fc5e14d519f2cd7052d2b6196be7cec1c8a802301447f2d9e604cddfb95dc077924db85c219a63fbb01aef7fd42

Download Submit
C:\Windows\SysWOW64\Kfankifm.exe

Filesize
96KB

MD5
a67c95d87d8a4b70d86189d864c6edbf

SHA1
d9eb7f49a3ada7cfcaa0085b4832e801a04ac8c0

SHA256
48b01f0ac8beae0936894ccbd7c80a535add190e0679c00eee7444097ae9a4ed

SHA512
aba57bc13c5a3e63c14844332e17e02af2d204b1d0791ce309dc0ad07244e2a90920c64781a5c977d0209093fd271184fbb97dd7bac43e247fbdb41d76feea0b

Download Submit
C:\Windows\SysWOW64\Kfmepi32.exe

Filesize
96KB

MD5
500118de729b4b38f2546d0f486c1161

SHA1
37ab122f7aed977cd8f921c6f2fc7b4abd96320a

SHA256
2853a16afe7a81ac35b18ee7d351408a54c3aeed89dc5016cc3802cb7a6d23f5

SHA512
d6f7c11107e0545f2c57762220bfb7da7da35bd63d1c76a80b01ab3f0e4c97e07d69b1eda907345bb439257a9a170953e0115176025ef76119a70e29842424f6

Download Submit
C:\Windows\SysWOW64\Kfmepi32.exe

Filesize
96KB

MD5
8e3240d294172746826556aeb97c2264

SHA1
2f661431239fb3889486f5bb65b5f278a192b0fe

SHA256
9b9e8c1ff012cec89fbd9e6b3365dbc5148526b94a2e30bd8dc3875c937cde96

SHA512
d37220a5497f372b2e595858100f03a3c3920d6a8afc5333ef94e44e41cb41dbf98c255b2cb3453fa0ec4d89598ab3af5de9223294475f39443dc28be7cff205

Download Submit
C:\Windows\SysWOW64\Kfoafi32.exe

Filesize
96KB

MD5
2c78cb7cf23de59c413a2931f8e77a10

SHA1
be8dcbd3c43a661221527e3fb687e08bf2acf416

SHA256
182950acd76c6e107faf7ea78809647f8bf5b35ffc9507bb2f8bf1018ed38e2c

SHA512
5ec695e75c7f2e26f6b99c5a880b6a29ed6c7ac360e0b7de8165de89999361b166a1f4890b95a4239324c2697e90e711c187068a60ad7e1fb05ffba120bcf4b2

Download Submit
C:\Windows\SysWOW64\Kfoafi32.exe

Filesize
96KB

MD5
c83efcb164750179c01c9dad8192ce8e

SHA1
1b15ed6875497d79c9e024b70dc46426eefeea39

SHA256
ec951b9201b070d7ce63cb1933b0f19d73e7e0d9bc62bdac5f82d86c3dc754c8

SHA512
07871ebd29153a7c9e3d03f091bd72dfecf666de27941992ab7644202de8af9f4db3fa06d3472a8ca201fbfdad570bf5a38cdc314850e9d2123d76e1014b31c7

Download Submit
C:\Windows\SysWOW64\Kibgmdcn.exe

Filesize
96KB

MD5
ebe2f851745e00d2924e8681c94bbfcd

SHA1
3ebedcd1e648aa11da01d7e0a8533d31072bd851

SHA256
980a07574a1ff7112915655e83380ab273dad9c8f418685f9025bfd3186403a4

SHA512
6284eb73cd4852862daf13d3fa669a7a28d39c72b8b1593f1d3dad3b2d246bb56e0a41b481e681f2f47cd6a6a83bb42f8b453d7356c86cf5a3d10036d7610165

Download Submit
C:\Windows\SysWOW64\Kikame32.exe

Filesize
96KB

MD5
bd7159f7817822177184b7dd180ae780

SHA1
1779280a7e2022e0e1a85f0e9653093348d71603

SHA256
70564b4a07e01e657d01f061d5f718b8454f24a09e97aa3ba7e49bd25ef17656

SHA512
437e785b8d1baa08c6d263221c872dfde3c8a49bbb6cdb00ea5da52e1ceb496e5e334bce1cb0c325ee87fbec784efb323afce137b52e60e6cb25873067d416d3

Download Submit
C:\Windows\SysWOW64\Kipkhdeq.exe

Filesize
96KB

MD5
503f62ab48ab472fdf6dc9b88b658471

SHA1
3a4ef0d703d9cc3cf831ae0e146842488c0d1478

SHA256
1cc34b4905eefa60e4e0534a448077ab98897e0053989bb2f025e0654d133517

SHA512
470c0f5e40bc8de2e2e373dcf0a0409810753af4e30da985a6cce1dcf38b6a8a1c51fc881f25d527dbb32534555cfeec37eff704c182cf165632a71f156a0eff

Download Submit
C:\Windows\SysWOW64\Klimip32.exe

Filesize
96KB

MD5
100b28f3b07ac76afa289eca8c40ad2a

SHA1
d65ef4fee05cfbeb658e1d0b5360a3bf19be3b32

SHA256
f2850096523bdaf587fac139fa76dc9982bbaeaa841df2dbeee56fde1e89b2c2

SHA512
0a5a8af5de22461a2f3c89a847d082c5ced08ee8b3c1ce0543f0fc34ba0f3c6d4daae7d84955ad3495b19dfbcc148cc190069ef14fa8d7ab804ae0465c2f32d6

Download Submit
C:\Windows\SysWOW64\Klngdpdd.exe

Filesize
96KB

MD5
a983495be73245c7c4eab933aaf1191f

SHA1
7463579931b5353d83e0c0cb5975ac1b8b65c2fb

SHA256
351ae6c16e05825504ee8450193c6366de0d4c1e41c08e20495a033ee87615d4

SHA512
fd285b81ea0a759a867caadf53af0cd6df3bbc4dc0902fd947d265de420e2d693c66600e306a6934dcc23c60f279adf7256bf8437c2ffa780b226076422ade10

Download Submit
C:\Windows\SysWOW64\Kmdqgd32.exe

Filesize
96KB

MD5
9633b855f5fb76ad47701f0bd6abccc4

SHA1
79ffcc744311e74e82547ffefa9c868889e2a397

SHA256
63f0249c60337c105dc20fda729a3b2d14267ec3339d3ab6c8b3631a057ce961

SHA512
a57d32c24279eb791f7953991993570883422c339ebb7e883f24d1b310908767df9ead0720d2a4f8668562abbea5a08462f52e9646429101e6277f82305c77b6

Download Submit
C:\Windows\SysWOW64\Kmijbcpl.exe

Filesize
96KB

MD5
fc102bf0cd6be31f6bde23c803b95222

SHA1
44b77c20d8f28986ca3dea3b01ae70db37a398b4

SHA256
9cc9a1e510b3d834e81ab3c3326e9f298262cce1f05bb4c10b7203fc87767115

SHA512
d80aea1eb7d54f8f74124644bba3f1f269dfa06e46623d87f9b118c0e34682652200aba04f1f2e83292e17c7e1af8617e2dd6146bd4d69fa57da327701bab0f9

Download Submit
C:\Windows\SysWOW64\Kpbmco32.exe

Filesize
96KB

MD5
bc80c849f457794da1d19c087872f9f2

SHA1
5bcf9b2e0a5c6c08ff0ce0c8537d53a96c7baf7a

SHA256
3569bf8546a3ef8e6d016e1440759252261274cd3e81ebfe2c31cf73c293ffd5

SHA512
e75c068adbd42f7d88d783dfe3b2fa2ac5af87d025613bd7a53476824c9bfa4328682020f39b603b0c546726a30e28b81bbbe0c9574d58800f772d4fe23cdcf4

Download Submit
C:\Windows\SysWOW64\Kpgfooop.exe

Filesize
96KB

MD5
8212c32be790647ab26dc62f00385aca

SHA1
491554210240bfde928b2b41a96a228e6dc6da18

SHA256
ebe9ef6d956368bdb1aae720ff3006d54a2e0173b195ce072258aefee0039b0d

SHA512
ad3ee70c1c0d80dae38235ff720d420b0e37e952842a131f65c6e86878f0cfaf732b5a7a00bfdfa19a39333403a091442b5741d5cc8c8ec984824ccaa738dbc4

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
96KB

MD5
7d09fa6d05f48eeff263e6ebe3cf43d8

SHA1
79869f87f5135f85f066cd7bcbffeeefb7526818

SHA256
0180f644313cd95f298962cdf8d6b89c249c1066d2b6a5efea95519eb0c712cb

SHA512
ad922cdb63008f3bc35ed7e9d69e3e7688a2b5e2aef108361ce0cde0f67598482e47343fff303cfa1c09588ebb70a7669d4b39b3a64a5cadc556d5bbbdf6e7e8

Download Submit
C:\Windows\SysWOW64\Liddbc32.exe

Filesize
96KB

MD5
052440d1e7b03b1b2cf9c8b13f3e78e4

SHA1
75b1ea60e530b570229ac8fd52de22ed72bdadfc

SHA256
0dff2c089e229f403e75cc3bcad87d520a15ffdca03fa22f1cd0a28d83517b56

SHA512
ed029013d1184898f88230ce43f7a445ae75d2984a27f2ea19fd39d5c06309f9eb6914506256eb0a4abf14e2d0f778075574f77bda74b11e45e577a1ecdbefac

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
96KB

MD5
139f1b29063c817b5c22e885aef97770

SHA1
f01ae7885c90e39c66c1b7d0c2336d80cb01f38a

SHA256
715092420966c5899062ad3ab4e82e15ca6078e6eb3f5c19d930d0c3fff384ef

SHA512
caf5e64938300934a9b428ff39eae6196e933fe1d5d583a2b7e1da62f28d567239cd54ad2105242cf55f999636570bc59e28778ee3cbd8282296f9d048affa27

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
96KB

MD5
bc3d76fb5275671c4e8c4058b5578723

SHA1
6404f1d53d8e0d35a970a2d7c7e7b1f205f0ad30

SHA256
f4b47df8ab48e9148c52df8993c4737866d17d91d668912d05b055c1d435fe89

SHA512
650314df3df0269dccfc854a97bb0817212959c5cc6cc1b924340744aed8bae31e701c90fc3f291ce0392957da926dff25d517ba660bed535f771ca459a11f56

Download Submit
C:\Windows\SysWOW64\Mpoefk32.exe

Filesize
96KB

MD5
c1b29618d448a6e37338d856725dbb13

SHA1
28b903fea90148c892ce6900d4db255f5db7d51c

SHA256
fd17f273e29397db5e3b3c5317ddb43071295835664e15128b8676da4adb8d1d

SHA512
a08b0180aa29b6bc526f71678056de1db7544d83c40b1b65b934f2679cf175df69498cf281d928598ecb59d469c8f6e350a038fd94f4c99b73b1b3968801324f

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
96KB

MD5
deddd820ae56c43d1be9e9480a60f790

SHA1
afb0e0659a6332ca92732f81a8dee79b47d462b3

SHA256
463100d167ae07a612cc4f32cd4bd4b39d4b36de5a5963d69982914ef5a0cd9e

SHA512
1e2722f9c871499f879cce0cd48fc2203b796c709ec39244c15a07dfc56ee177096f3131e15dc4c450c5db2b80b1fbb9bfca9ce8f911f4d3030549bc725debb5

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
96KB

MD5
067bea856135c00b8034f1df6a33ba4d

SHA1
912ffff7e998ed4ab927081d37229a77f4dd0d95

SHA256
3b34cd21420690e95a5c5dc2dc1b4ce5346acbfd7463b02134ff0320daad2967

SHA512
ac0c6aff2d521060b4a320071428247e47d5bf900d99211a880a8e65a8a423ee9abccc123692bbd4ad1db327d8cc832ecfb335711a85c33505670f4acc6b35b6

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
96KB

MD5
cf82f22b1db77c7bb86f46e44d02a120

SHA1
a410d2f2d8a03b3db8008a5ad562631e2b9f13f3

SHA256
b17c11c24db91258fa653853043f831e74b71f5b954608ba9e8b0ac27ef57cb2

SHA512
af7c2e6b0988b484aa69b5a4d3156bcc8549a3939fcfca8b5894b84067fe93783cb875b98d20782c4220190e61f692fc70757ea5997988a4d5d9c44d838151cc

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
96KB

MD5
49f629df7dc781a296703a73154d0a4c

SHA1
ee5952263c4ba1fae00c32639449fa858c840cce

SHA256
208604db7971bb5d2bc1e985a54ced475cda070fc3d09f57bfbf0287e670e449

SHA512
3cde569c85b1cadfdfadf263abbc3451e7a54344348066f500e0a6384d58e9c21bfbaac8699cc0a0b8d64040ff7904f909ea6caf7e0f2d9ae0159dd0dd9f9d27

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
96KB

MD5
455e98ec93c2eaa952d1e191cb9530d2

SHA1
18c5462fffb25b3a8d0242f66956222b485fe61a

SHA256
a164735f35f90f01a0f909fb3df9dc73188c4812d08678103963e91b440262ae

SHA512
c175537feb5f594a5e88d6948505d7b61dce2b6587b52255b1bceea14927b527c026ddcd3bac7227f439fb5fef6ca998e9cba269df8cb3af81c57e8e5035e140

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
96KB

MD5
ac5b23cc94ed7b942719349e3772f843

SHA1
54396c993b422632b8de306977e746bea549a78f

SHA256
33fb737dca89b963f529a8f2e148abd4a61b0a960c2877436d612ccbb3750638

SHA512
4b527032adecc2727409cb1599d0680bf849fe22f3c74cc6db84d5fe8ae6168160f117f9e000721f86ae5dfbff693f3fafbc4deec8468b0bea97075de2dfec20

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
96KB

MD5
3aa5c5e525c8f5dcb5815caf317764af

SHA1
7ae2b452c7e6c1945ea8fdf71516621d8f9f3b41

SHA256
f63026eca626dd922384933005c9e9f196559aaa60a40b15ddf1973a722a53dc

SHA512
cdf6481620d2b5228af852ab16badd45d321de713c90dffa776e5a0cfd6ac44b2a3d106e88dab250ddbc2ddd128b2617bda0151b1c809977926221fd50b50082

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
96KB

MD5
1789cc3ae82438887c0db86115f900c5

SHA1
6bc8fbaff6e9175bad03cc402b4251fdecab9b37

SHA256
9dbe39ed958550391170c7cc1de18029dc9997f8d0d9cd927f7dddef1d75b190

SHA512
823db30c9868bd637429ac38d9fac7a0ee53d9dd9034c87b982161a41873aa439c7fac9808f9e9de7f00b5852732b2884c1ce44828ace5b397c2e133f72b437e

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
96KB

MD5
fc95131160b356657eced247f5a948d6

SHA1
c137d464d474c8ae68ad3ca395d6652a21e4dc35

SHA256
ccfcc0f5939240ed5df0cc1b799372264789a47b9f6cb4536def2755a7b5f9de

SHA512
1f041ffe59d1dd72f14caf476fd9927f6d83896e41220cfb2f64fa839a9e1a9094ca3119c960ab4f21ae94892c8324c071bbe417c094135ada2c26e024ff73d8

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
96KB

MD5
1f9c767352ccb2d45c027520f1e6041f

SHA1
072fa94bb0cd677e30e1eead2e21150aee6a8ec7

SHA256
85be20c5668d59af90c93fe1e9a3c892c99f2d41153e3331fd2b28df5783c13f

SHA512
d90b934b0acbe9cf2eeb4a0159f51d2862447c6bc33c0def6b4799b8002c19f20255f608e1d7f3ddfd5e98c3056e34cd9db5014c9eed964baa6244fb94b24495

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
96KB

MD5
95956d1ce33c50cfe9644c1835de03b6

SHA1
b8bc310a2af9b61cf59fb41bc07ca96440055ffb

SHA256
4c739c4f1257e3eefc14c842efe7ad005db8f6a0d200dbdf89a749d7c9e3109f

SHA512
1ca0fd0151db378681e830476727edb9752fcba14b51ce811582d01de99e36208d4a85cc61cdd3d0e3cbfa1743d4fca245259058fa7ee7521ccd9d10052c1205

Download Submit
memory/116-346-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/456-47-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/456-581-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/464-159-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/540-509-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/624-533-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/716-175-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/768-298-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/828-151-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/916-539-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/916-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/936-503-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1172-216-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1264-183-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1296-540-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1320-521-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1420-23-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1420-560-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1464-515-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1480-406-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1712-87-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1724-247-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1784-268-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1984-554-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2096-575-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2116-274-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2272-418-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2284-167-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2292-479-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2356-322-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2388-376-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2528-207-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2624-589-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2668-328-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2732-455-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2764-400-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2816-111-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2884-454-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2896-199-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2916-364-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2948-561-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3080-255-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3216-574-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3216-39-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3412-71-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3492-119-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3496-286-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3500-223-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3576-588-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3576-55-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3580-292-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3612-485-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3652-441-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3668-467-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3700-473-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3808-430-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3908-7-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3908-546-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4032-352-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4036-448-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4076-316-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4084-103-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4284-280-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4324-304-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4352-547-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4400-412-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4416-79-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4444-370-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4460-568-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4464-447-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4468-127-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4476-497-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4492-15-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4492-553-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4496-135-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4536-262-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4548-582-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4564-388-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4624-340-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4712-143-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4724-382-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4820-334-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4872-191-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4884-310-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4932-63-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4936-527-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4956-424-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4976-239-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4988-231-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5016-95-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5024-394-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5028-567-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5028-31-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5048-491-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5052-465-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5064-358-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads