berbew | f543eed0c7371fcbd903fc56baf1e270d25bfb450517c0d04ad00bd0978156c4

Analysis

max time kernel
90s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2025, 12:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f543eed0c7371fcbd903fc56baf1e270d25bfb450517c0d04ad00bd0978156c4.exe
Size

1.2MB
MD5

acf87fdde06d8595286eeaa0a2b25013
SHA1

1f01499b2738d136f8f382a27e791d59206acf3d
SHA256

f543eed0c7371fcbd903fc56baf1e270d25bfb450517c0d04ad00bd0978156c4
SHA512

36996f31af3373854760995ca0e41d9437a972f8dafbae55729d9a13a7e8c61744648ed8ad1560e6607c10dea9d26875964f987f1ef31ffcee5f9c3967f92b41
SSDEEP

6144:gPSELE5ZC2npb+oB+Zz2HG8t0DoEWufVuvw0HBHY8rQ+6bPD3wPSk8ymLT:GJAbaz22cWfVaw0HBHY8r8ABw

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Joekag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mledmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mbdiknlb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjpjgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pbekii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amnebo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dckoia32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggepalof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khgbqkhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfiokmkc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbibfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ecgodpgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nckkfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojnfihmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oonlfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qiiflaoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Abcgjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjfogbjb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgdemb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dajbaika.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f543eed0c7371fcbd903fc56baf1e270d25bfb450517c0d04ad00bd0978156c4.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jihbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jahqiaeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfgklkoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojemig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ppdbgncl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aalmimfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddcebe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kamjda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lljdai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcclncbh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mledmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apjdikqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fkemfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpochfji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlofcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Momcpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojqcnhkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pciqnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkbgjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enjfli32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fklcgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lhqefjpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcdeeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbphglbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nmhijd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nofefp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nofefp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ookoaokf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojqcnhkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kplmliko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpgmhg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oonlfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Padnaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbekii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qclmck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddcebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkpjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nfqnbjfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bkkhbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkbgjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdgdeppb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gnohnffc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jhifomdj.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2720	Iehmmb32.exe
3292	Jlbejloe.exe
2576	Jblmgf32.exe
3908	Jekjcaef.exe
1472	Jhifomdj.exe
2532	Jocnlg32.exe
2064	Jaajhb32.exe
1084	Jihbip32.exe
4068	Jlgoek32.exe
4736	Joekag32.exe
2220	Jadgnb32.exe
3824	Jikoopij.exe
1692	Jlikkkhn.exe
1276	Johggfha.exe
3368	Jafdcbge.exe
3384	Jimldogg.exe
4144	Jllhpkfk.exe
4176	Jojdlfeo.exe
916	Jahqiaeb.exe
2140	Kiphjo32.exe
1396	Klndfj32.exe
1044	Kolabf32.exe
1388	Kakmna32.exe
2424	Kibeoo32.exe
3732	Kplmliko.exe
1816	Kamjda32.exe
320	Khgbqkhj.exe
2296	Koajmepf.exe
1708	Kapfiqoj.exe
4748	Kifojnol.exe
2944	Kpqggh32.exe
404	Kabcopmg.exe
976	Kiikpnmj.exe
3436	Klggli32.exe
3792	Kcapicdj.exe
2492	Lljdai32.exe
3848	Lcclncbh.exe
116	Lebijnak.exe
4876	Lhqefjpo.exe
2164	Lpgmhg32.exe
2184	Laiipofp.exe
2884	Ljpaqmgb.exe
4040	Llnnmhfe.exe
3988	Lchfib32.exe
2628	Legben32.exe
5072	Lhenai32.exe
4676	Loofnccf.exe
4512	Lfiokmkc.exe
5076	Lhgkgijg.exe
4108	Lpochfji.exe
1664	Mledmg32.exe
3716	Mcoljagj.exe
2188	Mfnhfm32.exe
1516	Mhldbh32.exe
1988	Mpclce32.exe
3640	Mbdiknlb.exe
5044	Mjlalkmd.exe
3472	Mpeiie32.exe
4664	Mcdeeq32.exe
676	Mfbaalbi.exe
4884	Mlljnf32.exe
2920	Mokfja32.exe
5156	Mbibfm32.exe
5196	Mjpjgj32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Lcclncbh.exe	Lljdai32.exe
File created	C:\Windows\SysWOW64\Qidpon32.dll	Njgqhicg.exe
File opened for modification	C:\Windows\SysWOW64\Ojnfihmo.exe	Obgohklm.exe
File created	C:\Windows\SysWOW64\Gdgdeppb.exe	Gnmlhf32.exe
File opened for modification	C:\Windows\SysWOW64\Jimldogg.exe	Jafdcbge.exe
File created	C:\Windows\SysWOW64\Pkbcikkp.dll	Lpochfji.exe
File created	C:\Windows\SysWOW64\Ebdoljdi.dll	Mbdiknlb.exe
File created	C:\Windows\SysWOW64\Ojqhdcii.dll	Mlofcf32.exe
File opened for modification	C:\Windows\SysWOW64\Njgqhicg.exe	Nbphglbe.exe
File created	C:\Windows\SysWOW64\Hejeak32.dll	Pmkofa32.exe
File created	C:\Windows\SysWOW64\Ncmkcc32.dll	Acccdj32.exe
File created	C:\Windows\SysWOW64\Aammfkln.dll	Cgiohbfi.exe
File opened for modification	C:\Windows\SysWOW64\Jaajhb32.exe	Jocnlg32.exe
File created	C:\Windows\SysWOW64\Nphnbpql.dll	Kpqggh32.exe
File created	C:\Windows\SysWOW64\Bpldbefn.dll	Ommceclc.exe
File opened for modification	C:\Windows\SysWOW64\Qfjjpf32.exe	Qclmck32.exe
File created	C:\Windows\SysWOW64\Qapnmopa.exe	Qiiflaoo.exe
File created	C:\Windows\SysWOW64\Aldclhie.dll	Bbdpad32.exe
File opened for modification	C:\Windows\SysWOW64\Dcphdqmj.exe	Daollh32.exe
File created	C:\Windows\SysWOW64\Icembg32.dll	Edoencdm.exe
File opened for modification	C:\Windows\SysWOW64\Kamjda32.exe	Kplmliko.exe
File opened for modification	C:\Windows\SysWOW64\Kapfiqoj.exe	Koajmepf.exe
File created	C:\Windows\SysWOW64\Eeclnmik.dll	Lcclncbh.exe
File created	C:\Windows\SysWOW64\Njgqhicg.exe	Nbphglbe.exe
File created	C:\Windows\SysWOW64\Emkbpmep.dll	Niojoeel.exe
File created	C:\Windows\SysWOW64\Agolng32.dll	Oifppdpd.exe
File created	C:\Windows\SysWOW64\Dhlbgmif.dll	Pbjddh32.exe
File created	C:\Windows\SysWOW64\Afappe32.exe	Acccdj32.exe
File created	C:\Windows\SysWOW64\Lkpemq32.dll	Jikoopij.exe
File created	C:\Windows\SysWOW64\Nofefp32.exe	Nmhijd32.exe
File created	C:\Windows\SysWOW64\Ljkdeeod.dll	Qclmck32.exe
File created	C:\Windows\SysWOW64\Amnebo32.exe	Ajohfcpj.exe
File created	C:\Windows\SysWOW64\Bejceb32.dll	Fbaahf32.exe
File created	C:\Windows\SysWOW64\Fklcgk32.exe	Fbdnne32.exe
File created	C:\Windows\SysWOW64\Bbjlpn32.dll	Gnmlhf32.exe
File created	C:\Windows\SysWOW64\Iehmmb32.exe	f543eed0c7371fcbd903fc56baf1e270d25bfb450517c0d04ad00bd0978156c4.exe
File created	C:\Windows\SysWOW64\Jaajhb32.exe	Jocnlg32.exe
File opened for modification	C:\Windows\SysWOW64\Mfnhfm32.exe	Mcoljagj.exe
File created	C:\Windows\SysWOW64\Mcdeeq32.exe	Mpeiie32.exe
File created	C:\Windows\SysWOW64\Oqmhqapg.exe	Oifppdpd.exe
File created	C:\Windows\SysWOW64\Eapjpi32.dll	Pplhhm32.exe
File created	C:\Windows\SysWOW64\Knaodd32.dll	Aadghn32.exe
File created	C:\Windows\SysWOW64\Bfmolc32.exe	Bdocph32.exe
File created	C:\Windows\SysWOW64\Obnehj32.exe	Oqmhqapg.exe
File created	C:\Windows\SysWOW64\Cbkfbcpb.exe	Cpljehpo.exe
File created	C:\Windows\SysWOW64\Dgihop32.exe	Dalofi32.exe
File created	C:\Windows\SysWOW64\Edoencdm.exe	Ejjaqk32.exe
File created	C:\Windows\SysWOW64\Dodfed32.dll	Eahobg32.exe
File opened for modification	C:\Windows\SysWOW64\Gbmadd32.exe	Gjficg32.exe
File created	C:\Windows\SysWOW64\Obgohklm.exe	Nqfbpb32.exe
File opened for modification	C:\Windows\SysWOW64\Ofgdcipq.exe	Oonlfo32.exe
File opened for modification	C:\Windows\SysWOW64\Aidehpea.exe	Abjmkf32.exe
File created	C:\Windows\SysWOW64\Mkddhfnh.dll	Bpjmph32.exe
File created	C:\Windows\SysWOW64\Kafkmp32.dll	Jihbip32.exe
File created	C:\Windows\SysWOW64\Nfihbk32.exe	Nckkfp32.exe
File created	C:\Windows\SysWOW64\Niojoeel.exe	Nfqnbjfi.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbpb32.exe	Niojoeel.exe
File created	C:\Windows\SysWOW64\Abcgjg32.exe	Apeknk32.exe
File created	C:\Windows\SysWOW64\Fkemfl32.exe	Fdkdibjp.exe
File created	C:\Windows\SysWOW64\Njogfipp.dll	Nofefp32.exe
File opened for modification	C:\Windows\SysWOW64\Bgdemb32.exe	Bpjmph32.exe
File created	C:\Windows\SysWOW64\Efehkimj.dll	Dajbaika.exe
File created	C:\Windows\SysWOW64\Iokifhcf.dll	Jocnlg32.exe
File created	C:\Windows\SysWOW64\Apeknk32.exe	Amfobp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5464	5580	WerFault.exe	292

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcphdqmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edoencdm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekljpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klndfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmdkcnie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eajlhg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ggepalof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jaajhb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpgmhg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljpaqmgb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhhdnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oonlfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjlcjf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abmjqe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqikob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlikkkhn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kolabf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqmojd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojhiogdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qclmck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajohfcpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkpjdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnalmh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iehmmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlbejloe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kakmna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kabcopmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgklkoc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfjjpf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abjmkf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jocnlg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbphglbe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Padnaq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biklho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgdemb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecikjoep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gjficg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llnnmhfe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojqcnhkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbkfbcpb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daollh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkemfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mledmg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abcgjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banjnm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdocph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbdpad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecdbop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kiphjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcoljagj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcdeeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amfobp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apjdikqd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jllhpkfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jahqiaeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfihbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Noblkqca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obqanjdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkbgjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcpakn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omfekbdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpjfgf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekngemhd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koajmepf.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daollh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qglobbdg.dll"	f543eed0c7371fcbd903fc56baf1e270d25bfb450517c0d04ad00bd0978156c4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Joekag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Abcgjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhcbhh32.dll"	Qcnjijoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Amnebo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojqhdcii.dll"	Mlofcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjphcf32.dll"	Ojnfihmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajdbac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dilcjbag.dll"	Babcil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dahkpm32.dll"	Iehmmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kiphjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qclmck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fbdnne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjliff32.dll"	Lhqefjpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efehkimj.dll"	Dajbaika.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jikoopij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lhenai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjlalkmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ppdbgncl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aidehpea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fdkdibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmdaih32.dll"	Kabcopmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfmpaf32.dll"	Obnehj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bpjmph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ggepalof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kifojnol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knnele32.dll"	Kiikpnmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lebijnak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhbacd32.dll"	Lepleocn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mlljnf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lchfib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dpjfgf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjlcjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chjjqebm.dll"	Ppikbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pbjddh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nailkcbb.dll"	Fdkdibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ppikbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfbhcl32.dll"	Dcphdqmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Johggfha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Amfobp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Abmjqe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bdcmkgmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eajlhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kibeoo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kplmliko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nofefp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jblmgf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcdeeq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oifppdpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjfogbjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiahpo32.dll"	Cdjblf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Edoencdm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jllhpkfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncpeaoih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjcbmgnb.dll"	Nfqnbjfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhjgbbnj.dll"	Afappe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imhcpepk.dll"	Ecikjoep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fofobm32.dll"	Fdpnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kldgkp32.dll"	Klggli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajhapb32.dll"	Nhegig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nfqnbjfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ommceclc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fllhjc32.dll"	Obqanjdb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 2720	2144	f543eed0c7371fcbd903fc56baf1e270d25bfb450517c0d04ad00bd0978156c4.exe	87
PID 2144 wrote to memory of 2720	2144	f543eed0c7371fcbd903fc56baf1e270d25bfb450517c0d04ad00bd0978156c4.exe	87
PID 2144 wrote to memory of 2720	2144	f543eed0c7371fcbd903fc56baf1e270d25bfb450517c0d04ad00bd0978156c4.exe	87
PID 2720 wrote to memory of 3292	2720	Iehmmb32.exe	88
PID 2720 wrote to memory of 3292	2720	Iehmmb32.exe	88
PID 2720 wrote to memory of 3292	2720	Iehmmb32.exe	88
PID 3292 wrote to memory of 2576	3292	Jlbejloe.exe	89
PID 3292 wrote to memory of 2576	3292	Jlbejloe.exe	89
PID 3292 wrote to memory of 2576	3292	Jlbejloe.exe	89
PID 2576 wrote to memory of 3908	2576	Jblmgf32.exe	90
PID 2576 wrote to memory of 3908	2576	Jblmgf32.exe	90
PID 2576 wrote to memory of 3908	2576	Jblmgf32.exe	90
PID 3908 wrote to memory of 1472	3908	Jekjcaef.exe	91
PID 3908 wrote to memory of 1472	3908	Jekjcaef.exe	91
PID 3908 wrote to memory of 1472	3908	Jekjcaef.exe	91
PID 1472 wrote to memory of 2532	1472	Jhifomdj.exe	92
PID 1472 wrote to memory of 2532	1472	Jhifomdj.exe	92
PID 1472 wrote to memory of 2532	1472	Jhifomdj.exe	92
PID 2532 wrote to memory of 2064	2532	Jocnlg32.exe	93
PID 2532 wrote to memory of 2064	2532	Jocnlg32.exe	93
PID 2532 wrote to memory of 2064	2532	Jocnlg32.exe	93
PID 2064 wrote to memory of 1084	2064	Jaajhb32.exe	94
PID 2064 wrote to memory of 1084	2064	Jaajhb32.exe	94
PID 2064 wrote to memory of 1084	2064	Jaajhb32.exe	94
PID 1084 wrote to memory of 4068	1084	Jihbip32.exe	95
PID 1084 wrote to memory of 4068	1084	Jihbip32.exe	95
PID 1084 wrote to memory of 4068	1084	Jihbip32.exe	95
PID 4068 wrote to memory of 4736	4068	Jlgoek32.exe	96
PID 4068 wrote to memory of 4736	4068	Jlgoek32.exe	96
PID 4068 wrote to memory of 4736	4068	Jlgoek32.exe	96
PID 4736 wrote to memory of 2220	4736	Joekag32.exe	97
PID 4736 wrote to memory of 2220	4736	Joekag32.exe	97
PID 4736 wrote to memory of 2220	4736	Joekag32.exe	97
PID 2220 wrote to memory of 3824	2220	Jadgnb32.exe	98
PID 2220 wrote to memory of 3824	2220	Jadgnb32.exe	98
PID 2220 wrote to memory of 3824	2220	Jadgnb32.exe	98
PID 3824 wrote to memory of 1692	3824	Jikoopij.exe	99
PID 3824 wrote to memory of 1692	3824	Jikoopij.exe	99
PID 3824 wrote to memory of 1692	3824	Jikoopij.exe	99
PID 1692 wrote to memory of 1276	1692	Jlikkkhn.exe	100
PID 1692 wrote to memory of 1276	1692	Jlikkkhn.exe	100
PID 1692 wrote to memory of 1276	1692	Jlikkkhn.exe	100
PID 1276 wrote to memory of 3368	1276	Johggfha.exe	101
PID 1276 wrote to memory of 3368	1276	Johggfha.exe	101
PID 1276 wrote to memory of 3368	1276	Johggfha.exe	101
PID 3368 wrote to memory of 3384	3368	Jafdcbge.exe	102
PID 3368 wrote to memory of 3384	3368	Jafdcbge.exe	102
PID 3368 wrote to memory of 3384	3368	Jafdcbge.exe	102
PID 3384 wrote to memory of 4144	3384	Jimldogg.exe	103
PID 3384 wrote to memory of 4144	3384	Jimldogg.exe	103
PID 3384 wrote to memory of 4144	3384	Jimldogg.exe	103
PID 4144 wrote to memory of 4176	4144	Jllhpkfk.exe	104
PID 4144 wrote to memory of 4176	4144	Jllhpkfk.exe	104
PID 4144 wrote to memory of 4176	4144	Jllhpkfk.exe	104
PID 4176 wrote to memory of 916	4176	Jojdlfeo.exe	105
PID 4176 wrote to memory of 916	4176	Jojdlfeo.exe	105
PID 4176 wrote to memory of 916	4176	Jojdlfeo.exe	105
PID 916 wrote to memory of 2140	916	Jahqiaeb.exe	106
PID 916 wrote to memory of 2140	916	Jahqiaeb.exe	106
PID 916 wrote to memory of 2140	916	Jahqiaeb.exe	106
PID 2140 wrote to memory of 1396	2140	Kiphjo32.exe	107
PID 2140 wrote to memory of 1396	2140	Kiphjo32.exe	107
PID 2140 wrote to memory of 1396	2140	Kiphjo32.exe	107
PID 1396 wrote to memory of 1044	1396	Klndfj32.exe	108

C:\Users\Admin\AppData\Local\Temp\f543eed0c7371fcbd903fc56baf1e270d25bfb450517c0d04ad00bd0978156c4.exe
"C:\Users\Admin\AppData\Local\Temp\f543eed0c7371fcbd903fc56baf1e270d25bfb450517c0d04ad00bd0978156c4.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Windows\SysWOW64\Iehmmb32.exe
  C:\Windows\system32\Iehmmb32.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\SysWOW64\Jlbejloe.exe
    C:\Windows\system32\Jlbejloe.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3292
  - - C:\Windows\SysWOW64\Jblmgf32.exe
      C:\Windows\system32\Jblmgf32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2576
    - - C:\Windows\SysWOW64\Jekjcaef.exe
        
        C:\Windows\system32\Jekjcaef.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3908
      - C:\Windows\SysWOW64\Jhifomdj.exe
        
        C:\Windows\system32\Jhifomdj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\SysWOW64\Jocnlg32.exe
        
        C:\Windows\system32\Jocnlg32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\SysWOW64\Jaajhb32.exe
        
        C:\Windows\system32\Jaajhb32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\SysWOW64\Jihbip32.exe
        
        C:\Windows\system32\Jihbip32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\SysWOW64\Jlgoek32.exe
        
        C:\Windows\system32\Jlgoek32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Windows\SysWOW64\Joekag32.exe
        
        C:\Windows\system32\Joekag32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Windows\SysWOW64\Jadgnb32.exe
        
        C:\Windows\system32\Jadgnb32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\SysWOW64\Jikoopij.exe
        
        C:\Windows\system32\Jikoopij.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3824
        
        C:\Windows\SysWOW64\Jlikkkhn.exe
        
        C:\Windows\system32\Jlikkkhn.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\SysWOW64\Johggfha.exe
        
        C:\Windows\system32\Johggfha.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1276
        
        C:\Windows\SysWOW64\Jafdcbge.exe
        
        C:\Windows\system32\Jafdcbge.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3368
        
        C:\Windows\SysWOW64\Jimldogg.exe
        
        C:\Windows\system32\Jimldogg.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3384
        
        C:\Windows\SysWOW64\Jllhpkfk.exe
        
        C:\Windows\system32\Jllhpkfk.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4144
        
        C:\Windows\SysWOW64\Jojdlfeo.exe
        
        C:\Windows\system32\Jojdlfeo.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4176
        
        C:\Windows\SysWOW64\Jahqiaeb.exe
        
        C:\Windows\system32\Jahqiaeb.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Windows\SysWOW64\Kiphjo32.exe
        
        C:\Windows\system32\Kiphjo32.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\SysWOW64\Klndfj32.exe
        
        C:\Windows\system32\Klndfj32.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\SysWOW64\Kolabf32.exe
        
        C:\Windows\system32\Kolabf32.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1044
        
        C:\Windows\SysWOW64\Kakmna32.exe
        
        C:\Windows\system32\Kakmna32.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1388
        
        C:\Windows\SysWOW64\Kibeoo32.exe
        
        C:\Windows\system32\Kibeoo32.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Kplmliko.exe
        
        C:\Windows\system32\Kplmliko.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3732
        
        C:\Windows\SysWOW64\Kamjda32.exe
        
        C:\Windows\system32\Kamjda32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1816
        
        C:\Windows\SysWOW64\Khgbqkhj.exe
        
        C:\Windows\system32\Khgbqkhj.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:320
        
        C:\Windows\SysWOW64\Koajmepf.exe
        
        C:\Windows\system32\Koajmepf.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2296
        
        C:\Windows\SysWOW64\Kapfiqoj.exe
        
        C:\Windows\system32\Kapfiqoj.exe
        30⤵
        Executes dropped EXE
        
        PID:1708
        
        C:\Windows\SysWOW64\Kifojnol.exe
        
        C:\Windows\system32\Kifojnol.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\Kpqggh32.exe
        
        C:\Windows\system32\Kpqggh32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2944
        
        C:\Windows\SysWOW64\Kabcopmg.exe
        
        C:\Windows\system32\Kabcopmg.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:404
        
        C:\Windows\SysWOW64\Kiikpnmj.exe
        
        C:\Windows\system32\Kiikpnmj.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:976
        
        C:\Windows\SysWOW64\Klggli32.exe
        
        C:\Windows\system32\Klggli32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3436
        
        C:\Windows\SysWOW64\Kcapicdj.exe
        
        C:\Windows\system32\Kcapicdj.exe
        36⤵
        Executes dropped EXE
        
        PID:3792
        
        C:\Windows\SysWOW64\Lepleocn.exe
        
        C:\Windows\system32\Lepleocn.exe
        37⤵
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\Lljdai32.exe
        
        C:\Windows\system32\Lljdai32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2492
        
        C:\Windows\SysWOW64\Lcclncbh.exe
        
        C:\Windows\system32\Lcclncbh.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3848
        
        C:\Windows\SysWOW64\Lebijnak.exe
        
        C:\Windows\system32\Lebijnak.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:116
        
        C:\Windows\SysWOW64\Lhqefjpo.exe
        
        C:\Windows\system32\Lhqefjpo.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Lpgmhg32.exe
        
        C:\Windows\system32\Lpgmhg32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Windows\SysWOW64\Laiipofp.exe
        
        C:\Windows\system32\Laiipofp.exe
        43⤵
        Executes dropped EXE
        
        PID:2184
        
        C:\Windows\SysWOW64\Ljpaqmgb.exe
        
        C:\Windows\system32\Ljpaqmgb.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2884
        
        C:\Windows\SysWOW64\Llnnmhfe.exe
        
        C:\Windows\system32\Llnnmhfe.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4040
        
        C:\Windows\SysWOW64\Lchfib32.exe
        
        C:\Windows\system32\Lchfib32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3988
        
        C:\Windows\SysWOW64\Legben32.exe
        
        C:\Windows\system32\Legben32.exe
        47⤵
        Executes dropped EXE
        
        PID:2628
        
        C:\Windows\SysWOW64\Lhenai32.exe
        
        C:\Windows\system32\Lhenai32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5072
        
        C:\Windows\SysWOW64\Loofnccf.exe
        
        C:\Windows\system32\Loofnccf.exe
        49⤵
        Executes dropped EXE
        
        PID:4676
        
        C:\Windows\SysWOW64\Lfiokmkc.exe
        
        C:\Windows\system32\Lfiokmkc.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4512
        
        C:\Windows\SysWOW64\Lhgkgijg.exe
        
        C:\Windows\system32\Lhgkgijg.exe
        51⤵
        Executes dropped EXE
        
        PID:5076
        
        C:\Windows\SysWOW64\Lpochfji.exe
        
        C:\Windows\system32\Lpochfji.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4108
        
        C:\Windows\SysWOW64\Mledmg32.exe
        
        C:\Windows\system32\Mledmg32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        C:\Windows\SysWOW64\Mcoljagj.exe
        
        C:\Windows\system32\Mcoljagj.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3716
        
        C:\Windows\SysWOW64\Mfnhfm32.exe
        
        C:\Windows\system32\Mfnhfm32.exe
        55⤵
        Executes dropped EXE
        
        PID:2188
        
        C:\Windows\SysWOW64\Mhldbh32.exe
        
        C:\Windows\system32\Mhldbh32.exe
        56⤵
        Executes dropped EXE
        
        PID:1516
        
        C:\Windows\SysWOW64\Mpclce32.exe
        
        C:\Windows\system32\Mpclce32.exe
        57⤵
        Executes dropped EXE
        
        PID:1988
        
        C:\Windows\SysWOW64\Mbdiknlb.exe
        
        C:\Windows\system32\Mbdiknlb.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3640
        
        C:\Windows\SysWOW64\Mjlalkmd.exe
        
        C:\Windows\system32\Mjlalkmd.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5044
        
        C:\Windows\SysWOW64\Mpeiie32.exe
        
        C:\Windows\system32\Mpeiie32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3472
        
        C:\Windows\SysWOW64\Mcdeeq32.exe
        
        C:\Windows\system32\Mcdeeq32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4664
        
        C:\Windows\SysWOW64\Mfbaalbi.exe
        
        C:\Windows\system32\Mfbaalbi.exe
        62⤵
        Executes dropped EXE
        
        PID:676
        
        C:\Windows\SysWOW64\Mlljnf32.exe
        
        C:\Windows\system32\Mlljnf32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4884
        
        C:\Windows\SysWOW64\Mokfja32.exe
        
        C:\Windows\system32\Mokfja32.exe
        64⤵
        Executes dropped EXE
        
        PID:2920
        
        C:\Windows\SysWOW64\Mbibfm32.exe
        
        C:\Windows\system32\Mbibfm32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5156
        
        C:\Windows\SysWOW64\Mjpjgj32.exe
        
        C:\Windows\system32\Mjpjgj32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5196
        
        C:\Windows\SysWOW64\Mlofcf32.exe
        
        C:\Windows\system32\Mlofcf32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Momcpa32.exe
        
        C:\Windows\system32\Momcpa32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5276
        
        C:\Windows\SysWOW64\Nfgklkoc.exe
        
        C:\Windows\system32\Nfgklkoc.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5316
        
        C:\Windows\SysWOW64\Nhegig32.exe
        
        C:\Windows\system32\Nhegig32.exe
        70⤵
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Nqmojd32.exe
        
        C:\Windows\system32\Nqmojd32.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:5396
        
        C:\Windows\SysWOW64\Nckkfp32.exe
        
        C:\Windows\system32\Nckkfp32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5436
        
        C:\Windows\SysWOW64\Nfihbk32.exe
        
        C:\Windows\system32\Nfihbk32.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:5476
        
        C:\Windows\SysWOW64\Nhhdnf32.exe
        
        C:\Windows\system32\Nhhdnf32.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:5516
        
        C:\Windows\SysWOW64\Noblkqca.exe
        
        C:\Windows\system32\Noblkqca.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:5556
        
        C:\Windows\SysWOW64\Nbphglbe.exe
        
        C:\Windows\system32\Nbphglbe.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5596
        
        C:\Windows\SysWOW64\Njgqhicg.exe
        
        C:\Windows\system32\Njgqhicg.exe
        77⤵
        Drops file in System32 directory
        
        PID:5636
        
        C:\Windows\SysWOW64\Nmfmde32.exe
        
        C:\Windows\system32\Nmfmde32.exe
        78⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\Ncpeaoih.exe
        
        C:\Windows\system32\Ncpeaoih.exe
        79⤵
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Njjmni32.exe
        
        C:\Windows\system32\Njjmni32.exe
        80⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Nmhijd32.exe
        
        C:\Windows\system32\Nmhijd32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5796
        
        C:\Windows\SysWOW64\Nofefp32.exe
        
        C:\Windows\system32\Nofefp32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5836
        
        C:\Windows\SysWOW64\Nfqnbjfi.exe
        
        C:\Windows\system32\Nfqnbjfi.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5880
        
        C:\Windows\SysWOW64\Niojoeel.exe
        
        C:\Windows\system32\Niojoeel.exe
        84⤵
        Drops file in System32 directory
        
        PID:5924
        
        C:\Windows\SysWOW64\Nqfbpb32.exe
        
        C:\Windows\system32\Nqfbpb32.exe
        85⤵
        Drops file in System32 directory
        
        PID:5968
        
        C:\Windows\SysWOW64\Obgohklm.exe
        
        C:\Windows\system32\Obgohklm.exe
        86⤵
        Drops file in System32 directory
        
        PID:6008
        
        C:\Windows\SysWOW64\Ojnfihmo.exe
        
        C:\Windows\system32\Ojnfihmo.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6048
        
        C:\Windows\SysWOW64\Ommceclc.exe
        
        C:\Windows\system32\Ommceclc.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6088
        
        C:\Windows\SysWOW64\Ookoaokf.exe
        
        C:\Windows\system32\Ookoaokf.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6128
        
        C:\Windows\SysWOW64\Ojqcnhkl.exe
        
        C:\Windows\system32\Ojqcnhkl.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4164
        
        C:\Windows\SysWOW64\Omopjcjp.exe
        
        C:\Windows\system32\Omopjcjp.exe
        91⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\Oonlfo32.exe
        
        C:\Windows\system32\Oonlfo32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2224
        
        C:\Windows\SysWOW64\Ofgdcipq.exe
        
        C:\Windows\system32\Ofgdcipq.exe
        93⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\Oifppdpd.exe
        
        C:\Windows\system32\Oifppdpd.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:764
        
        C:\Windows\SysWOW64\Oqmhqapg.exe
        
        C:\Windows\system32\Oqmhqapg.exe
        95⤵
        Drops file in System32 directory
        
        PID:2552
        
        C:\Windows\SysWOW64\Obnehj32.exe
        
        C:\Windows\system32\Obnehj32.exe
        96⤵
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\Ojemig32.exe
        
        C:\Windows\system32\Ojemig32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5152
        
        C:\Windows\SysWOW64\Oqoefand.exe
        
        C:\Windows\system32\Oqoefand.exe
        98⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\Obqanjdb.exe
        
        C:\Windows\system32\Obqanjdb.exe
        99⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Ojhiogdd.exe
        
        C:\Windows\system32\Ojhiogdd.exe
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:5380
        
        C:\Windows\SysWOW64\Omfekbdh.exe
        
        C:\Windows\system32\Omfekbdh.exe
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:5444
        
        C:\Windows\SysWOW64\Ppdbgncl.exe
        
        C:\Windows\system32\Ppdbgncl.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5508
        
        C:\Windows\SysWOW64\Pfojdh32.exe
        
        C:\Windows\system32\Pfojdh32.exe
        103⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Padnaq32.exe
        
        C:\Windows\system32\Padnaq32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5664
        
        C:\Windows\SysWOW64\Pbekii32.exe
        
        C:\Windows\system32\Pbekii32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5740
        
        C:\Windows\SysWOW64\Pjlcjf32.exe
        
        C:\Windows\system32\Pjlcjf32.exe
        106⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5820
        
        C:\Windows\SysWOW64\Pmkofa32.exe
        
        C:\Windows\system32\Pmkofa32.exe
        107⤵
        Drops file in System32 directory
        
        PID:5872
        
        C:\Windows\SysWOW64\Ppikbm32.exe
        
        C:\Windows\system32\Ppikbm32.exe
        108⤵
        Modifies registry class
        
        PID:3208
        
        C:\Windows\SysWOW64\Pfccogfc.exe
        
        C:\Windows\system32\Pfccogfc.exe
        109⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\Piapkbeg.exe
        
        C:\Windows\system32\Piapkbeg.exe
        110⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Pplhhm32.exe
        
        C:\Windows\system32\Pplhhm32.exe
        111⤵
        Drops file in System32 directory
        
        PID:6124
        
        C:\Windows\SysWOW64\Pbjddh32.exe
        
        C:\Windows\system32\Pbjddh32.exe
        112⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4936
        
        C:\Windows\SysWOW64\Pjaleemj.exe
        
        C:\Windows\system32\Pjaleemj.exe
        113⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\Pmphaaln.exe
        
        C:\Windows\system32\Pmphaaln.exe
        114⤵
        
        PID:228
        
        C:\Windows\SysWOW64\Pciqnk32.exe
        
        C:\Windows\system32\Pciqnk32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4472
        
        C:\Windows\SysWOW64\Pjcikejg.exe
        
        C:\Windows\system32\Pjcikejg.exe
        116⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\Pmbegqjk.exe
        
        C:\Windows\system32\Pmbegqjk.exe
        117⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\Qclmck32.exe
        
        C:\Windows\system32\Qclmck32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Qfjjpf32.exe
        
        C:\Windows\system32\Qfjjpf32.exe
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:5540
        
        C:\Windows\SysWOW64\Qiiflaoo.exe
        
        C:\Windows\system32\Qiiflaoo.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6184
        
        C:\Windows\SysWOW64\Qapnmopa.exe
        
        C:\Windows\system32\Qapnmopa.exe
        121⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\Qcnjijoe.exe
        
        C:\Windows\system32\Qcnjijoe.exe
        122⤵
        Modifies registry class
        
        PID:6264
        
        C:\Windows\SysWOW64\Qjhbfd32.exe
        
        C:\Windows\system32\Qjhbfd32.exe
        123⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\Amfobp32.exe
        
        C:\Windows\system32\Amfobp32.exe
        124⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6344
        
        C:\Windows\SysWOW64\Apeknk32.exe
        
        C:\Windows\system32\Apeknk32.exe
        125⤵
        Drops file in System32 directory
        
        PID:6380
        
        C:\Windows\SysWOW64\Abcgjg32.exe
        
        C:\Windows\system32\Abcgjg32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6424
        
        C:\Windows\SysWOW64\Aimogakj.exe
        
        C:\Windows\system32\Aimogakj.exe
        127⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\Aadghn32.exe
        
        C:\Windows\system32\Aadghn32.exe
        128⤵
        Drops file in System32 directory
        
        PID:6504
        
        C:\Windows\SysWOW64\Acccdj32.exe
        
        C:\Windows\system32\Acccdj32.exe
        129⤵
        Drops file in System32 directory
        
        PID:6544
        
        C:\Windows\SysWOW64\Afappe32.exe
        
        C:\Windows\system32\Afappe32.exe
        130⤵
        Modifies registry class
        
        PID:6584
        
        C:\Windows\SysWOW64\Aiplmq32.exe
        
        C:\Windows\system32\Aiplmq32.exe
        131⤵
        
        PID:6624
        
        C:\Windows\SysWOW64\Apjdikqd.exe
        
        C:\Windows\system32\Apjdikqd.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6664
        
        C:\Windows\SysWOW64\Abhqefpg.exe
        
        C:\Windows\system32\Abhqefpg.exe
        133⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\Ajohfcpj.exe
        
        C:\Windows\system32\Ajohfcpj.exe
        134⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6744
        
        C:\Windows\SysWOW64\Amnebo32.exe
        
        C:\Windows\system32\Amnebo32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6784
        
        C:\Windows\SysWOW64\Aplaoj32.exe
        
        C:\Windows\system32\Aplaoj32.exe
        136⤵
        
        PID:6824
        
        C:\Windows\SysWOW64\Abjmkf32.exe
        
        C:\Windows\system32\Abjmkf32.exe
        137⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6864
        
        C:\Windows\SysWOW64\Aidehpea.exe
        
        C:\Windows\system32\Aidehpea.exe
        138⤵
        Modifies registry class
        
        PID:6904
        
        C:\Windows\SysWOW64\Aalmimfd.exe
        
        C:\Windows\system32\Aalmimfd.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6944
        
        C:\Windows\SysWOW64\Abmjqe32.exe
        
        C:\Windows\system32\Abmjqe32.exe
        140⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6984
        
        C:\Windows\SysWOW64\Ajdbac32.exe
        
        C:\Windows\system32\Ajdbac32.exe
        141⤵
        Modifies registry class
        
        PID:7024
        
        C:\Windows\SysWOW64\Banjnm32.exe
        
        C:\Windows\system32\Banjnm32.exe
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:7064
        
        C:\Windows\SysWOW64\Bdlfjh32.exe
        
        C:\Windows\system32\Bdlfjh32.exe
        143⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\Bjfogbjb.exe
        
        C:\Windows\system32\Bjfogbjb.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7144
        
        C:\Windows\SysWOW64\Bmdkcnie.exe
        
        C:\Windows\system32\Bmdkcnie.exe
        145⤵
        System Location Discovery: System Language Discovery
        
        PID:5584
        
        C:\Windows\SysWOW64\Bdocph32.exe
        
        C:\Windows\system32\Bdocph32.exe
        146⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4140
        
        C:\Windows\SysWOW64\Bfmolc32.exe
        
        C:\Windows\system32\Bfmolc32.exe
        147⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\Biklho32.exe
        
        C:\Windows\system32\Biklho32.exe
        148⤵
        System Location Discovery: System Language Discovery
        
        PID:5908
        
        C:\Windows\SysWOW64\Babcil32.exe
        
        C:\Windows\system32\Babcil32.exe
        149⤵
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Bbdpad32.exe
        
        C:\Windows\system32\Bbdpad32.exe
        150⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\Windows\SysWOW64\Bkkhbb32.exe
        
        C:\Windows\system32\Bkkhbb32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1660
        
        C:\Windows\SysWOW64\Bmidnm32.exe
        
        C:\Windows\system32\Bmidnm32.exe
        152⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\Bdcmkgmm.exe
        
        C:\Windows\system32\Bdcmkgmm.exe
        153⤵
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Bfaigclq.exe
        
        C:\Windows\system32\Bfaigclq.exe
        154⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\Bmladm32.exe
        
        C:\Windows\system32\Bmladm32.exe
        155⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Bpjmph32.exe
        
        C:\Windows\system32\Bpjmph32.exe
        156⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5504
        
        C:\Windows\SysWOW64\Bgdemb32.exe
        
        C:\Windows\system32\Bgdemb32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6196
        
        C:\Windows\SysWOW64\Cibain32.exe
        
        C:\Windows\system32\Cibain32.exe
        158⤵
        
        PID:624
        
        C:\Windows\SysWOW64\Cpljehpo.exe
        
        C:\Windows\system32\Cpljehpo.exe
        159⤵
        Drops file in System32 directory
        
        PID:6296
        
        C:\Windows\SysWOW64\Cbkfbcpb.exe
        
        C:\Windows\system32\Cbkfbcpb.exe
        160⤵
        System Location Discovery: System Language Discovery
        
        PID:5408
        
        C:\Windows\SysWOW64\Ckbncapd.exe
        
        C:\Windows\system32\Ckbncapd.exe
        161⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\Cmpjoloh.exe
        
        C:\Windows\system32\Cmpjoloh.exe
        162⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\Cdjblf32.exe
        
        C:\Windows\system32\Cdjblf32.exe
        163⤵
        Modifies registry class
        
        PID:6516
        
        C:\Windows\SysWOW64\Cgiohbfi.exe
        
        C:\Windows\system32\Cgiohbfi.exe
        164⤵
        Drops file in System32 directory
        
        PID:6580
        
        C:\Windows\SysWOW64\Ddcebe32.exe
        
        C:\Windows\system32\Ddcebe32.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5768
        
        C:\Windows\SysWOW64\Dknnoofg.exe
        
        C:\Windows\system32\Dknnoofg.exe
        166⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\Dpjfgf32.exe
        
        C:\Windows\system32\Dpjfgf32.exe
        167⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6796
        
        C:\Windows\SysWOW64\Dkpjdo32.exe
        
        C:\Windows\system32\Dkpjdo32.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5648
        
        C:\Windows\SysWOW64\Dajbaika.exe
        
        C:\Windows\system32\Dajbaika.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6888
        
        C:\Windows\SysWOW64\Dckoia32.exe
        
        C:\Windows\system32\Dckoia32.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6928
        
        C:\Windows\SysWOW64\Dkbgjo32.exe
        
        C:\Windows\system32\Dkbgjo32.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6972
        
        C:\Windows\SysWOW64\Dalofi32.exe
        
        C:\Windows\system32\Dalofi32.exe
        172⤵
        Drops file in System32 directory
        
        PID:2900
        
        C:\Windows\SysWOW64\Dgihop32.exe
        
        C:\Windows\system32\Dgihop32.exe
        173⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\Daollh32.exe
        
        C:\Windows\system32\Daollh32.exe
        174⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7132
        
        C:\Windows\SysWOW64\Dcphdqmj.exe
        
        C:\Windows\system32\Dcphdqmj.exe
        175⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4556
        
        C:\Windows\SysWOW64\Ejjaqk32.exe
        
        C:\Windows\system32\Ejjaqk32.exe
        176⤵
        Drops file in System32 directory
        
        PID:5792
        
        C:\Windows\SysWOW64\Edoencdm.exe
        
        C:\Windows\system32\Edoencdm.exe
        177⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\Enhifi32.exe
        
        C:\Windows\system32\Enhifi32.exe
        178⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Ecdbop32.exe
        
        C:\Windows\system32\Ecdbop32.exe
        179⤵
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\Windows\SysWOW64\Ekljpm32.exe
        
        C:\Windows\system32\Ekljpm32.exe
        180⤵
        System Location Discovery: System Language Discovery
        
        PID:3372
        
        C:\Windows\SysWOW64\Enjfli32.exe
        
        C:\Windows\system32\Enjfli32.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1636
        
        C:\Windows\SysWOW64\Ecgodpgb.exe
        
        C:\Windows\system32\Ecgodpgb.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5048
        
        C:\Windows\SysWOW64\Ekngemhd.exe
        
        C:\Windows\system32\Ekngemhd.exe
        183⤵
        System Location Discovery: System Language Discovery
        
        PID:5524
        
        C:\Windows\SysWOW64\Eahobg32.exe
        
        C:\Windows\system32\Eahobg32.exe
        184⤵
        Drops file in System32 directory
        
        PID:1220
        
        C:\Windows\SysWOW64\Ecikjoep.exe
        
        C:\Windows\system32\Ecikjoep.exe
        185⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\Eajlhg32.exe
        
        C:\Windows\system32\Eajlhg32.exe
        186⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6368
        
        C:\Windows\SysWOW64\Fclhpo32.exe
        
        C:\Windows\system32\Fclhpo32.exe
        187⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\Fnalmh32.exe
        
        C:\Windows\system32\Fnalmh32.exe
        188⤵
        System Location Discovery: System Language Discovery
        
        PID:6632
        
        C:\Windows\SysWOW64\Fdkdibjp.exe
        
        C:\Windows\system32\Fdkdibjp.exe
        189⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\Fkemfl32.exe
        
        C:\Windows\system32\Fkemfl32.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5528
        
        C:\Windows\SysWOW64\Fcpakn32.exe
        
        C:\Windows\system32\Fcpakn32.exe
        191⤵
        System Location Discovery: System Language Discovery
        
        PID:1188
        
        C:\Windows\SysWOW64\Fbaahf32.exe
        
        C:\Windows\system32\Fbaahf32.exe
        192⤵
        Drops file in System32 directory
        
        PID:7020
        
        C:\Windows\SysWOW64\Fdpnda32.exe
        
        C:\Windows\system32\Fdpnda32.exe
        193⤵
        Modifies registry class
        
        PID:7100
        
        C:\Windows\SysWOW64\Fkjfakng.exe
        
        C:\Windows\system32\Fkjfakng.exe
        194⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Fbdnne32.exe
        
        C:\Windows\system32\Fbdnne32.exe
        195⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3252
        
        C:\Windows\SysWOW64\Fklcgk32.exe
        
        C:\Windows\system32\Fklcgk32.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4088
        
        C:\Windows\SysWOW64\Fqikob32.exe
        
        C:\Windows\system32\Fqikob32.exe
        197⤵
        System Location Discovery: System Language Discovery
        
        PID:5220
        
        C:\Windows\SysWOW64\Gnmlhf32.exe
        
        C:\Windows\system32\Gnmlhf32.exe
        198⤵
        Drops file in System32 directory
        
        PID:6180
        
        C:\Windows\SysWOW64\Gdgdeppb.exe
        
        C:\Windows\system32\Gdgdeppb.exe
        199⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2936
        
        C:\Windows\SysWOW64\Ggepalof.exe
        
        C:\Windows\system32\Ggepalof.exe
        200⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6456
        
        C:\Windows\SysWOW64\Gnohnffc.exe
        
        C:\Windows\system32\Gnohnffc.exe
        201⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2248
        
        C:\Windows\SysWOW64\Gggmgk32.exe
        
        C:\Windows\system32\Gggmgk32.exe
        202⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\Gjficg32.exe
        
        C:\Windows\system32\Gjficg32.exe
        203⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7116
        
        C:\Windows\SysWOW64\Gbmadd32.exe
        
        C:\Windows\system32\Gbmadd32.exe
        204⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5580 -s 412
        205⤵
        Program crash
        
        PID:5464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5580 -ip 5580
1⤵
PID:3360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dalofi32.exe

Filesize
1.2MB

MD5
9728da39810543545739bbaffe2c0840

SHA1
0a3518d9a0b4ba58b4ea34c9efc287e92182dff1

SHA256
2f31ade865330db2c42a17688413557651149482dac7d6a221e9c4d8e3636366

SHA512
c3afe54d0240d3c7e9e9b5756b8e412d1ca2c64c93abb89c828348dacbfc699ee3173819047c287b96aea21ebf6fd0c4473552e17f1e09e0f8acf8a78f24ea25

Download Submit
C:\Windows\SysWOW64\Dknnoofg.exe

Filesize
1.2MB

MD5
d3620c116dde918a474967f080406aec

SHA1
476bb82c961e59f05ab04f8a67cd36513d3fac49

SHA256
141bfa588b20bbe5c24ba16b9b475fce5fa4e5a7776f9c94ce903c749741454a

SHA512
6599ba28b3ce8eb0ab86bf4fec916081f12c2c62f821f8015e2a4314a1e7a8476414780cfe07f2fd339400829c73df979e6d19aea4743034ac131a610554d85b

Download Submit
C:\Windows\SysWOW64\Ecikjoep.exe

Filesize
1.2MB

MD5
590724404b37579e595d3f60d7a43954

SHA1
38181c05a17c5c5ba9edf78e35a39812d0f96807

SHA256
d6f282bbfc3750ec352a42459972b86cb3611c0d5f83a2be1aa784d45a52554a

SHA512
c057635da281814245e47d3919c24b48fed90ffae2dfd670f8b47e5c6c04e12c2616bffc1e1fb8bdb727ac6fde4c32d8526cae2964e06010a3029f29339b2d16

Download Submit
C:\Windows\SysWOW64\Ejjaqk32.exe

Filesize
1.2MB

MD5
931cdf91978b05a2c92841a1f1633c20

SHA1
e43505bedfc1a9728ffa89fd68b0bd633f74ba05

SHA256
45c0b6c245ac35179424536b10a888b26f6138d537d119b8aaf9c4d7ec227287

SHA512
4422b463dc6d4c08ef6489a4809a997c695c94659d9d536ca698504ea8f4c10044c62ae01fd706de05f05309910e6f7de48d9a1ba23631b28c5e0172cdae4b73

Download Submit
C:\Windows\SysWOW64\Fbdnne32.exe

Filesize
1.2MB

MD5
178bf0e8e6e41befa4c96d977c2cd4c0

SHA1
31cec76fdf7081b7e8f3acbfe20f393ee978da60

SHA256
3d1bda19a3aef9e21be767c067106b3b02dbbe376a735cdaa99595114632f701

SHA512
5f5ce6695b1faf4e636850c7fa617d518c96f32507dbcb3dca9dc2b13fa9f29e2560a656ec124fafe419b0954f292a41bee5be068107887cb67b905ffdce9a1e

Download Submit
C:\Windows\SysWOW64\Fclhpo32.exe

Filesize
1.2MB

MD5
0869f057ce3526a8cd9471845934eaee

SHA1
dc043c313326c3cab5682776e14a42f7ca97f906

SHA256
1595663dfddba5d0690950773508eec8ca56be2770daea61b097218739744460

SHA512
ad46dd90f3d3320b76e198827a514937a785c851e48319a8ad93d4a126603ddfd6f4ca23719202b1de29f86090b91e8f462010281c3810b8a2fcb4578ff1f43a

Download Submit
C:\Windows\SysWOW64\Fkemfl32.exe

Filesize
1.2MB

MD5
0315bd1e0672d89fd80cc6ee5ff48d8a

SHA1
d7f62e86d35efc571e9cbefdc8877c0022b1f219

SHA256
f88f6d24c9f3f70273b5dcbcfa019fb881ad1aa9536d9435362624ebdc3f1df1

SHA512
a4d51f8bf37bd2d0a5409c51f3150115156b21304a3c348a7e469d4f3016db6ccbf9027e32fe20b3948fd5216221f109463966d448b06b2a1216de27f3e13953

Download Submit
C:\Windows\SysWOW64\Fqikob32.exe

Filesize
1.2MB

MD5
89560d8b5c7bd9c2d617154cd698b5f6

SHA1
63af68ac044ea4ebefc708fd38b52b1a577d3432

SHA256
8c438dc9bb93a3c1e7a2027e7a06544f6934a25f000901f532484bf6cbbfac43

SHA512
42be5bd82338849a171c773748ecfd3cf9b375b71960abfbb6604b329c22a8e58e31eb3105e11d4e6e3378dc41be52ce1af8f85bc6b9163edff17bf86287d197

Download Submit
C:\Windows\SysWOW64\Gbmadd32.exe

Filesize
1.2MB

MD5
f0a1f053707ba144b9eec47a8c7ef28c

SHA1
0f0715c94b9930a0aa394c751810bbd555e95ae9

SHA256
1c671cc73e4cc3bff32107a80341074eb86e71dd51c2b4228463e334e0f0aba8

SHA512
187ef071afc50620e5d31456ade6c6e852f8c7b96d7b88689d9132607969bc0190a109199eec3e57676415927d1b89ad2833eb1c8e4c0c22eb1993a100361f61

Download Submit
C:\Windows\SysWOW64\Gnohnffc.exe

Filesize
1.2MB

MD5
12ebfc0d0410b8be3e9f67d8b4af48be

SHA1
b3522f63f778da464a6e5fa4c5e8dadc08cb3d26

SHA256
915e9703a7deab9fc61e82f083e95f8766a3bde13a0a8f039d4ac5c32f2a9624

SHA512
07c7f7b9ccf74f8bd1d4176e99b1fc1062dc997c66083689fcc27a887453370c218d4253442bf4a433e10564605d9dee2a9aeb00986bd4a2d4a0d70059e859b8

Download Submit
C:\Windows\SysWOW64\Hfibla32.dll

Filesize
7KB

MD5
0a1f1985b7156139976edfd242eae075

SHA1
a9a63c4c10113d471e474f602226a1b21aa94df7

SHA256
a3fac53bb935b28a6664677e80253f12c182fd631d298cf3049d1a4691a3c3a8

SHA512
0aa8771e430d455e5fa6e8118dff4d4911f2d3cd1c585448e5c1f67ed5a0b1e3186d3ebe1223af73e9d4fc0d767a23ae8333b91f7ba7079f016b5785be1d3128

Download Submit
C:\Windows\SysWOW64\Iehmmb32.exe

Filesize
1.2MB

MD5
cec0d94d562a6fb48a6f42f94f0a4dfc

SHA1
9c67395ac8e0cc72711bcde63da129bd50c3c76b

SHA256
80ef5f09dda7540bda3252e86977dc50ff13ef74a123e962dbb4847882b71486

SHA512
b055a0e2752d730eb1cf4bdfeb31a464831f646e9cdf873aa3ab057d35f572e82551c846dbbd6753f38e4c98571578a62813bb3bb0af82812fc707fd5477ed03

Download Submit
C:\Windows\SysWOW64\Jaajhb32.exe

Filesize
1.2MB

MD5
b6de28004da592d59a05ea5d1b33c3a2

SHA1
c7b3924c21c4fe1e301085496d77c66036bdbc59

SHA256
d44b51f4bdd6837b713974bea2676b63a2868d0bcec7ecadb385bb7cd12a1727

SHA512
0b922761260b4fffe1b141f396149335bc5e4e7132862d34de8634e11a0e93e5412ba9d0bd2822b86dfada828ad4d7bcb1b8403ef7286549bcc31ed9270e09d2

Download Submit
C:\Windows\SysWOW64\Jadgnb32.exe

Filesize
1.2MB

MD5
6c32c0e4997c9187530bf7257605b800

SHA1
8d3a495e819421b162d628a2befc252db5fea55c

SHA256
5f6e8dcd0441ec9db4435d64d19ddee6cd06f6cb733bea00a70ba053bb9248e2

SHA512
f0d1543c518ef5f71394c8225e67589b121e177332e40fe734e2e867227bf9b1e9c44c70bd10c3ee003c4f5a9c0a360df3ba97dbf6425a70ef82dd8108ffa9e7

Download Submit
C:\Windows\SysWOW64\Jafdcbge.exe

Filesize
1.2MB

MD5
c280ae7c2f2604b1962a15a62e3e63d0

SHA1
93efad9f5e579b4f4b66fe7dc2a7106318a528ef

SHA256
9ea1b2ed594b0a1135d7928da8f4be80f7d416759f021c1b38e43968940d5f17

SHA512
96ee3480ee2354a9b45e77825450c7a0f837a7c36c295e92579c68aa54635699b7b7e054a244cc276f9cf46b4087e4c29e7ab4f0bb43a03d845ec25d8b97e93a

Download Submit
C:\Windows\SysWOW64\Jahqiaeb.exe

Filesize
1.2MB

MD5
7c04bf89b8830ded2fe7e52812cda5f0

SHA1
e5b92d34d157a9b3d734c34c516b27e33b70af8a

SHA256
2961f0b22efb492144e09caf2d41244e8c6734e88d81f1c7bd2d4815538a0ac9

SHA512
e2a3470641fd031bff7d2cc8b636df2692ad62c95b362d76cbc4c8a9174df3e2b9db39daccb1a871db2346bb3035a0c43f2a69310ec58416ca05355e6e957c8f

Download Submit
C:\Windows\SysWOW64\Jblmgf32.exe

Filesize
1.2MB

MD5
00f9c0c9a0874fa0a174af92f4a8b877

SHA1
bcc535a47f1a7a71e9e01eeffdd8a362c025cd58

SHA256
5dfe1f45fb04b6f450bca713c0bc49bce6a2fc019d2c5d15d4dfb85b708ed323

SHA512
77ad1babf263b53a9d5867c781d80f82f276b6f45dd6eb0a2270a5d1ad461190cc88d4830a9465fb0d0cb2ddfe8a9061a6317874f9e4256cb0da109cd3276962

Download Submit
C:\Windows\SysWOW64\Jekjcaef.exe

Filesize
1.2MB

MD5
a31cee65ae1c061df30912ab81940c92

SHA1
5b4c1a3cd49cd592773c8cb3bf9cb3fd82ac2e84

SHA256
eed0a59d80baa9c4b406cf9fdef30ca53212e9c60fb44c5ac6e269b41baba4f2

SHA512
d41596400e3b33eee01712edd7f0151619ace82f6090044e876dff2c89888587f8921c8b0604e09f4361c81d1911bd8e901c8b7c963754734410f385323a07f5

Download Submit
C:\Windows\SysWOW64\Jhifomdj.exe

Filesize
1.2MB

MD5
6f8da985928b187103f9a5bbc305e573

SHA1
c7e0c12b517f154f8d97de6de2dda487ed448488

SHA256
289deb20ccb22585f933bb757e5a54c66f689ea10de61277da631a148a03ffd5

SHA512
5bd323c5f6c2b922ca46d42ff3e8348b97410e9e59a0d53ba039f8bb028c1113cd43628ed85b04ca500b4fcaa0a342d431807210409c892d55a6a13ce16741e2

Download Submit
C:\Windows\SysWOW64\Jihbip32.exe

Filesize
1.2MB

MD5
f4ad60459e826641f98573a45ba9fe6b

SHA1
64821a26e902d16baa2b1147a0da217c6cdd2ae2

SHA256
50213800bd8c0c44f2a56ec49c553fc788b6d45ba27c27ac8298266eef5e2cf5

SHA512
768413daccc7f161e974c8d287d78927b3184e47a56d448baf77150e56c60efaad3ea30be4a4a04b24b901bfa0e63add381273964ffe27b588aa7bfff2016cf7

Download Submit
C:\Windows\SysWOW64\Jikoopij.exe

Filesize
1.2MB

MD5
c081a9cf6812ec3e6641362b587f6693

SHA1
1a9161e4ad915bc6c1edd90cb4c4db39a8fe789a

SHA256
105729371d04e12e08956dd220f50b09ac9a78894b6aa14d7f8ee98e5c94cd5f

SHA512
52baa09148402de176c591037c19247b156751dab1c182966a167018ebd7464026089ff108f84c95f4802177321bcac9e18f23825cd09a4953fed333373cdfe9

Download Submit
C:\Windows\SysWOW64\Jimldogg.exe

Filesize
1.2MB

MD5
2a05f9d5f0538574b5009c87815c5ef6

SHA1
fee282adc0818bf1c8523e1606dfc3e7fed2ce34

SHA256
3c27f2c38531efbc012220ee48e974dc4382c3b154145bae008ca618ab9aead8

SHA512
214164934ebf6b4f4524717f85ebf708db59ebb61202d951d41b2248fb33ea62ca8afdd7a326e7b60f0e323148de252d2411d960876c1c04500d1a5ea422f88b

Download Submit
C:\Windows\SysWOW64\Jlbejloe.exe

Filesize
1.2MB

MD5
34462d04156c21e0265a47dd6afe29fd

SHA1
383c771d62e1d98d7560fa863cd8210c9d3dd345

SHA256
6b22ebd941952e3e3e85fe6f1874f567d4aea6b76c8a4b7a76703a8816bfcc18

SHA512
2abc878291ae12111b94cfecf54630cd2b158683cd3865610936c7aba21c7ebae934c293a735ef76b4130f06bc15a9b8bdc8057a278b9003199e062d51497401

Download Submit
C:\Windows\SysWOW64\Jlgoek32.exe

Filesize
1.2MB

MD5
3642243540a26c4927edc3dfd683db76

SHA1
4ea090a187ee089e7171aa2c7f1321abf8e545f8

SHA256
41219bd90181665c175d816fa5f93809b17f896dd500426647acf9396a8f007d

SHA512
59706d952c931f9d41be96e05e76d2cdd442e3bd0cfb5d179c381662fd977b209e7cc32d333bad61d591f4800befb86516c2823ba29bb69d960806f1d99fd038

Download Submit
C:\Windows\SysWOW64\Jlikkkhn.exe

Filesize
1.2MB

MD5
0062f7407555ce3ee5c9920eadeb2164

SHA1
8a9da78f7e6893de9cf7ee873b28234c0f3f97b8

SHA256
9f236805e7af7bf047a8e88af12c7a13f4cf16f374b2a8a61bbbe1ebb222ead6

SHA512
40fe86bcc060033c0b1cae8ebc96a1a9b7d6725febdc8d5493033e84eb05c9415db4a32ed02774b9ec310e361bde0a041145efae28a19c4579c3d78375993f33

Download Submit
C:\Windows\SysWOW64\Jllhpkfk.exe

Filesize
1.2MB

MD5
c15ae7c562732725870a5932554f8bbc

SHA1
a71e06702b274883591cefc4d4a7bb8e5537c991

SHA256
fe0202f3f0631ca7e2da4abf756393b10f722074ac185ae69d752a72031b416a

SHA512
5d0bf7a9811d8e8dfee236df6f35ac818877d292b2d9a13aff2bca18dd096532ef2c4b5c05de45a82e40b385744107f2f513ee96acf981f628b10fee23e508e5

Download Submit
C:\Windows\SysWOW64\Jocnlg32.exe

Filesize
1.2MB

MD5
7bf4962cbd1f96140c625ba0e8f37ea2

SHA1
08e4a1a019c6565b90bcd4244b2264eee9e35764

SHA256
f43c50ca348f126fff5e218f7435052a6a324b5c096b440f06833c0d0084f212

SHA512
ffe8f420f4580523b6bb02ef2fb0ab9dc9e54eb88da2922a91a21886e02275effc88a30b1b14a1ca70df112e93378db27ff11a2dced82f559e116a53c1e68982

Download Submit
C:\Windows\SysWOW64\Joekag32.exe

Filesize
1.2MB

MD5
40313b94f4f08f020972defb4cd98ad4

SHA1
7687f81924331483bcffc3f02a883e4dae759c0f

SHA256
38dd37b3ead94d3c4925bcf7c4c530ad468d5f40041f9ac63bb5a8985e7ec975

SHA512
691229d84f2083c73c64370c82f83717933b44930fc8a597a95f7ec1f60d9fa33359b8022465f1efec70fe3c485a41ce4a2de18ad776f65ac4693729940a9414

Download Submit
C:\Windows\SysWOW64\Johggfha.exe

Filesize
1.2MB

MD5
5d7812bfca4f6940bce561bc33e8da7e

SHA1
5273e4d3edfa6a920ccc1adafc8d94ead718952c

SHA256
b46e9b5805337e331e365cd874fa4c830bc9b5c4d0f5c6af59c0e65415ab3ea9

SHA512
407184487083a875dba9576f1173f7da95440bc10746ba9b49bb964d9b499402da8d9ce2b360d77af50fd2245a9a614da96754686d764de1869077d9794e62dd

Download Submit
C:\Windows\SysWOW64\Jojdlfeo.exe

Filesize
1.2MB

MD5
3164da3ac331ecb2927e87bd177e8f6b

SHA1
55e28c9f4680ca72ae43befdf17ea5e6f4217e22

SHA256
73bfed1c6aa2e8d3f20d0cd0ff7ac95d4167f3993125bffe7ebea0f2b9b71999

SHA512
428f10941c9af0a68292520a258c327473144f3718235920619d71e9e61d5fa922ed6888f59d3ef2fc05c485a75e78c7d9369f5811839a006725aaa3c994b97b

Download Submit
C:\Windows\SysWOW64\Kabcopmg.exe

Filesize
1.2MB

MD5
a48ef2cbfc9222e15280584b722d676e

SHA1
3e4a371860c25c18cca5d4746b471aa5f998414b

SHA256
9a9cca6547027ddb7c3fb7ece76644c895cae377eab1c7aab2df56ce9bd01f7f

SHA512
c8342938e0d2ad72f7abf18bacd7d4852391c754483b63caef2258f4a765ae691a486e12085ddb9448f6decf79101a4c6127c72349dbd378896a60b4185348ad

Download Submit
C:\Windows\SysWOW64\Kakmna32.exe

Filesize
1.2MB

MD5
39c6bdddc14a20002f2cf1252a0c5ea9

SHA1
27ae6e454917c3bfd76dd2779d2528b655313b5b

SHA256
cd209aedf97045afd0198ae0303117f82faf97701c24fe8c1f6c953dcc77974a

SHA512
1f95e6c79bd34eddae69b311283c5b6b6511b1eac32a15aa46981d7ec5566372959e2b56570f7fcd21475b89235500e54170d74299ec60ad4144331c724528d1

Download Submit
C:\Windows\SysWOW64\Kamjda32.exe

Filesize
1.2MB

MD5
08ad8ce9a6f9a06a6e86df1d66ea8c23

SHA1
e80719b30f3c2d601728b8b28e289698e02ff7c8

SHA256
b6b01afd0bbba23da3a3017797384aad18a1160e8e6255a3682b1387a9de8caa

SHA512
ad418c54f728f99d13e8021e3efa8e16ddeb98cd5a69474cc43d814143445c6ab942816f5b5547aa9a31a86ce704a8680178acc435e5c0bb040c9fbfe44487b3

Download Submit
C:\Windows\SysWOW64\Kapfiqoj.exe

Filesize
1.2MB

MD5
bc785f575065d8a144b1bef27d61b914

SHA1
06c5b63bb2145edd3c038c71d028317affd5b276

SHA256
351a13bfbe3659335417e71bcc42708d30520da1e3e9dac0d2ab847b1e5a25fb

SHA512
46d8561ff523d462d5ee56502aecfeb3509adbe510a633ecb2acc1615baeb37b3765f3bc39bcce9d87683c487793f55f2316a21ab0fecea5603dc4d273b1d6f6

Download Submit
C:\Windows\SysWOW64\Khgbqkhj.exe

Filesize
1.2MB

MD5
a51db6090712bc0920679e8954262906

SHA1
3beeed946716e1112cfbac98a81bbc43f1d94122

SHA256
ae0cf01208889b3fedbc2e70d79472c60844200a2ce908c62730bf5b8c36d8cf

SHA512
13c1c06545dd388d36a8b5b4e853efb10f3f8c0a616712f529196e53266939c87f2a10896af2696b18371cf986c8adc05a89ac62052fbece9419c8afd3e28ca6

Download Submit
C:\Windows\SysWOW64\Kibeoo32.exe

Filesize
1.2MB

MD5
cc87eeda13dc7d5897df249b4e6a8087

SHA1
1ff0c41c7ed86d4673650cf66adcccd26a3f89a5

SHA256
167d0ffe23308b5f3bfe3498d59774fbfbd7cc12bdc7fc65d6c7dedef249ae89

SHA512
c1b10668565cd66dfd85ef2d5022d3ae810d89ff0dfc8e9febd97ed5ab74c13d4b728e625b1409fec3e67c1aff2cb824bd34887a94b7b04a1c4b3fe9ede9ecae

Download Submit
C:\Windows\SysWOW64\Kifojnol.exe

Filesize
1.2MB

MD5
2624b2d5050429448a2cfd128c151329

SHA1
79c281f09f32297dfd30b35c6f3e247a1ea5075b

SHA256
71d9cb02ac8f9090333cc0dd22c3e380f6b8cfb33fdccc1e16448fd365ef0056

SHA512
901d340ce91b08cc752e5d27e92272afe310a801ab18bf78940ff419c345213707b609e1ff7a719a37a59790879a47563ee12411a10b266f6d2b59a85117778f

Download Submit
C:\Windows\SysWOW64\Kiphjo32.exe

Filesize
1.2MB

MD5
e0e89b11bf2e5e07d7b78215625292a7

SHA1
77787706984c2d76311f99fbd9fa4c7305e0f675

SHA256
71eee6781f83b14f219ee58fce8404733d7ea112864454a4f8d64c8802fc444b

SHA512
a5deaa505d5971b1ddb44c2830307e5c75f95b3172bc0461fabda8110c941d1559866150793a4bd7aa0bc3dedbe08b58a9b19a4f8ade3ce6d70c5c705ced3c84

Download Submit
C:\Windows\SysWOW64\Klndfj32.exe

Filesize
1.2MB

MD5
48076c0294d91aa5e825d5cea42b377b

SHA1
304d508d94179dae3fe56115dd3560c34e760003

SHA256
ada3bd20eb54055c551c80663ecfce9d47dcc40d37b3829bd367955801468104

SHA512
e7b76fc5dfc3c8d02585ffaf21f6be457c5b62b2c4c288de509634f42de1f02e081d5ee54e2d48d7504d2a7d1e424fdfde46bbecf5db756dd49f99116184378e

Download Submit
C:\Windows\SysWOW64\Koajmepf.exe

Filesize
1.2MB

MD5
ea3adcb366ac423b6da91787c350aa50

SHA1
e9bcdf0fa86539fb9dea8ddab8c92d1341d2eae7

SHA256
1e085a5c006e646e9c1d14a2ac26e590f0fb2696e4907a601766f24f447774b0

SHA512
7a996a4b57587c8edb6d390b025e25c5c3252898b225481e648d3b9c0781ba86cf065db8145ba3740b1c9cae9839dcb1147b5060a91ed360e39f108f245a6ce7

Download Submit
C:\Windows\SysWOW64\Kolabf32.exe

Filesize
1.2MB

MD5
4193f5f46ebc854336fb02874e302699

SHA1
4f0d2b2ed92c264a3fbd09602091f0f3147fbde4

SHA256
f977b3888e270eb167c8f65464001227a74aec82dc411b8b8396838d9be6d9e2

SHA512
b8445a13467a4e7e7eb373240bc7fe7325f5883cb3a1810524e66a57692e3d70a75faadc4f08a75912e70af8c50e14d15558f9d2e167989f571b4de04333911e

Download Submit
C:\Windows\SysWOW64\Kplmliko.exe

Filesize
1.2MB

MD5
58127da1b59cf2ae2c3a094468bc39b1

SHA1
17bd5f1c444067bb2db78239cea650f70e02d05d

SHA256
2cf67de89f03d67f170c45ea55a893f20367be66b7f61922cdb210572d5e9c78

SHA512
6234c7ae115fda1d0be2b8ff1a0cb4c7a2dd017c04fbf5ca84317e46d098041947fb36457f81522ddd4f945a1322f960900fccb75754eb2222d106a2dd28d996

Download Submit
C:\Windows\SysWOW64\Kpqggh32.exe

Filesize
1.2MB

MD5
09e74c67ff6f4ce9b23ad9819a5b0740

SHA1
5e4091591aed6edcd0d9cd344b43959aec50be1a

SHA256
9d8bb0d3348a2548dda6885173d7077cf3a58838884e99d1cc790a68058d8369

SHA512
fbbfad67e00320dbef4e25049f1c7ece1e5463008c4ebda563b06265d1f18d1dc9080cab04d3627e54cd20089dee803cc26f72e5469901384c723a7789c12358

Download Submit
memory/116-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/320-220-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/404-261-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/676-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/916-157-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/976-267-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1044-180-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1084-68-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1276-117-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1388-188-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1396-172-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1472-44-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1516-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1664-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1692-108-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1708-236-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1816-212-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1940-607-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1988-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2064-60-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2140-165-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2144-544-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2144-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2164-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2184-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2188-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2220-92-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2224-613-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2296-229-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2348-619-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2424-196-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2492-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2532-52-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2576-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2628-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2720-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2720-551-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2884-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2900-1342-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2920-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2944-253-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3292-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3292-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3368-124-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3372-1327-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3384-132-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3436-273-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3472-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3640-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3716-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3732-205-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3792-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3824-100-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3848-291-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3908-36-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3988-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4040-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4068-76-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4108-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4144-140-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4164-605-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4176-149-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4512-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4516-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4664-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4676-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4736-84-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4748-244-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4876-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4884-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5044-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5072-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5076-363-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5156-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5196-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5236-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5276-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5316-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5356-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5396-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5436-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5476-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5516-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5556-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5580-1281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5596-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5636-520-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5676-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5716-532-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5756-538-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5796-545-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5836-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5880-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5924-565-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5968-571-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6008-577-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6048-583-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6088-589-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6128-595-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads