81a7f3b01e3f81e00ee4b65ed0192e8e835dfe403eb23cc8c0509c8a84e411fb

Analysis

max time kernel
135s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81a7f3b01e3f81e00ee4b65ed0192e8e835dfe403eb23cc8c0509c8a84e411fb.exe
Size

240KB
MD5

a883300742712dd84d76f32961017920
SHA1

7c2b148867efd0b6feb7e1e0ef8fc1d5c2f5db25
SHA256

81a7f3b01e3f81e00ee4b65ed0192e8e835dfe403eb23cc8c0509c8a84e411fb
SHA512

16fb751dbc78efe631e4abcc519f954f026bd8bb5d3aa1017218593055e043a32f243abf1503cdea470bef20018d24f6ff2c6611921a85bbff67e3425f4678de
SSDEEP

6144:QSEEkLGyZ6YugQdjGG1wsKm6eBgdQbkoKTBEA:QJE2GyXu1jGG1wsGeBgRTGA

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncbknfed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	81a7f3b01e3f81e00ee4b65ed0192e8e835dfe403eb23cc8c0509c8a84e411fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldoaklml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldoaklml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kefkme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncbknfed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphoelqn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kikame32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kipkhdeq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Icnpmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jefbfgig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mipcob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmdqgd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kimnbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hoiafcic.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlbgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbceejpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lboeaifi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipkhdeq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nfjjppmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojllan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hodgkc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iemppiab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe

Executes dropped EXE 64 IoCs

pid	Process
1888	Hbpgbo32.exe
2872	Hmfkoh32.exe
4740	Hodgkc32.exe
2740	Himldi32.exe
4540	Hofdacke.exe
3648	Hfqlnm32.exe
2472	Hioiji32.exe
1992	Hoiafcic.exe
4028	Iefioj32.exe
4388	Ipknlb32.exe
1448	Iehfdi32.exe
2944	Ipnjab32.exe
336	Iejcji32.exe
1316	Imakkfdg.exe
2952	Iemppiab.exe
1704	Imdgqfbd.exe
1216	Icnpmp32.exe
4340	Ieolehop.exe
3084	Icplcpgo.exe
4360	Jimekgff.exe
4412	Jpgmha32.exe
2356	Jfaedkdp.exe
2672	Jioaqfcc.exe
3308	Jmknaell.exe
1768	Jfcbjk32.exe
4832	Jefbfgig.exe
4276	Jplfcpin.exe
1728	Jfeopj32.exe
640	Jlbgha32.exe
4484	Jblpek32.exe
2428	Jifhaenk.exe
988	Jcllonma.exe
1516	Kemhff32.exe
4760	Kmdqgd32.exe
3400	Kdnidn32.exe
4912	Kfmepi32.exe
4396	Kikame32.exe
5000	Kpeiioac.exe
3380	Kbceejpf.exe
2648	Kimnbd32.exe
2200	Klljnp32.exe
2992	Kdcbom32.exe
2168	Kfankifm.exe
1656	Kipkhdeq.exe
2344	Kdeoemeg.exe
4304	Kefkme32.exe
1616	Kibgmdcn.exe
4684	Kdgljmcd.exe
2920	Lmppcbjd.exe
4128	Lpnlpnih.exe
1816	Lekehdgp.exe
4788	Lmbmibhb.exe
3100	Lboeaifi.exe
4600	Lmdina32.exe
3048	Ldoaklml.exe
4404	Likjcbkc.exe
4376	Lebkhc32.exe
3976	Lphoelqn.exe
1364	Mgagbf32.exe
4772	Mipcob32.exe
2204	Mmlpoqpg.exe
2796	Mdehlk32.exe
4792	Mgddhf32.exe
2268	Mmnldp32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Neeqea32.exe	Nphhmj32.exe
File created	C:\Windows\SysWOW64\Oflgep32.exe	Oponmilc.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Kemhff32.exe	Jcllonma.exe
File opened for modification	C:\Windows\SysWOW64\Nfgmjqop.exe	Ndfqbhia.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Hjakkfbf.dll	Iejcji32.exe
File created	C:\Windows\SysWOW64\Kdgljmcd.exe	Kibgmdcn.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Kikame32.exe	Kfmepi32.exe
File opened for modification	C:\Windows\SysWOW64\Klljnp32.exe	Kimnbd32.exe
File created	C:\Windows\SysWOW64\Kdcbom32.exe	Klljnp32.exe
File created	C:\Windows\SysWOW64\Jfpbkoql.dll	Oqhacgdh.exe
File opened for modification	C:\Windows\SysWOW64\Kdcbom32.exe	Klljnp32.exe
File created	C:\Windows\SysWOW64\Nlaegk32.exe	Nfgmjqop.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Ipknlb32.exe	Iefioj32.exe
File opened for modification	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Jefbfgig.exe	Jfcbjk32.exe
File created	C:\Windows\SysWOW64\Aceghl32.dll	Kikame32.exe
File created	C:\Windows\SysWOW64\Bkjpmk32.dll	Acqimo32.exe
File opened for modification	C:\Windows\SysWOW64\Iefioj32.exe	Hoiafcic.exe
File created	C:\Windows\SysWOW64\Abckpb32.dll	Jimekgff.exe
File created	C:\Windows\SysWOW64\Dgdelcpg.dll	Jmknaell.exe
File created	C:\Windows\SysWOW64\Mgddhf32.exe	Mdehlk32.exe
File created	C:\Windows\SysWOW64\Oncofm32.exe	Oflgep32.exe
File created	C:\Windows\SysWOW64\Chmhoe32.dll	Oneklm32.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Hioiji32.exe	Hfqlnm32.exe
File opened for modification	C:\Windows\SysWOW64\Imdgqfbd.exe	Iemppiab.exe
File opened for modification	C:\Windows\SysWOW64\Likjcbkc.exe	Ldoaklml.exe
File opened for modification	C:\Windows\SysWOW64\Odocigqg.exe	Opdghh32.exe
File created	C:\Windows\SysWOW64\Anmjcieo.exe	Qqijje32.exe
File created	C:\Windows\SysWOW64\Ipknlb32.exe	Iefioj32.exe
File created	C:\Windows\SysWOW64\Docjlc32.dll	Iefioj32.exe
File created	C:\Windows\SysWOW64\Bjjplc32.dll	Jcllonma.exe
File created	C:\Windows\SysWOW64\Pmdkch32.exe	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Hodgkc32.exe	Hmfkoh32.exe
File created	C:\Windows\SysWOW64\Mmnldp32.exe	Mgddhf32.exe
File created	C:\Windows\SysWOW64\Pnjknp32.dll	Ncbknfed.exe
File created	C:\Windows\SysWOW64\Qoqbfpfe.dll	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Gjdlbifk.dll	Jplfcpin.exe
File opened for modification	C:\Windows\SysWOW64\Kimnbd32.exe	Kbceejpf.exe
File created	C:\Windows\SysWOW64\Nkenegog.dll	Nepgjaeg.exe
File opened for modification	C:\Windows\SysWOW64\Ndfqbhia.exe	Neeqea32.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Bgpmhl32.dll	Iehfdi32.exe
File opened for modification	C:\Windows\SysWOW64\Jfaedkdp.exe	Jpgmha32.exe
File opened for modification	C:\Windows\SysWOW64\Kbceejpf.exe	Kpeiioac.exe
File created	C:\Windows\SysWOW64\Acpcoaap.dll	Ojoign32.exe
File created	C:\Windows\SysWOW64\Djnkap32.dll	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Hqdeld32.dll	Kimnbd32.exe
File created	C:\Windows\SysWOW64\Hflheb32.dll	Lmdina32.exe
File opened for modification	C:\Windows\SysWOW64\Pgnilpah.exe	Pdpmpdbd.exe
File opened for modification	C:\Windows\SysWOW64\Aeniabfd.exe	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Anfmjhmd.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Bfabnjjp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6204	2616	WerFault.exe	283

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jimekgff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmbmibhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nebdoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oncofm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iehfdi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Imdgqfbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kefkme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdehlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Himldi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jblpek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jifhaenk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhbal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdeoemeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kimnbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klljnp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jefbfgig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kibgmdcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ipnjab32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmdina32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlefklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdnidn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npfkgjdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mplhql32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nngokoej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icplcpgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mipcob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jplfcpin.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqbodd32.dll"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iihqganf.dll"	Lboeaifi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nniadn32.dll"	Lphoelqn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdnidn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnlden32.dll"	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlena32.dll"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Icnpmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bchdhnom.dll"	Mdmnlj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jcllonma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmphmhjc.dll"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djnkap32.dll"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iemppiab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ieolehop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hflheb32.dll"	Lmdina32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jfcbjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ippohl32.dll"	Jefbfgig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kibgmdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kfmepi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmdjdgk.dll"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iehfdi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpgmha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Likjcbkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjeieojj.dll"	Likjcbkc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lebkhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejfenk32.dll"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekgcil.dll"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Imdgqfbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjjplc32.dll"	Jcllonma.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Likjcbkc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nepgjaeg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hbpgbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhgaocmg.dll"	Kefkme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgppolie.dll"	Pnlaml32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1536 wrote to memory of 1888	1536	81a7f3b01e3f81e00ee4b65ed0192e8e835dfe403eb23cc8c0509c8a84e411fb.exe	84
PID 1536 wrote to memory of 1888	1536	81a7f3b01e3f81e00ee4b65ed0192e8e835dfe403eb23cc8c0509c8a84e411fb.exe	84
PID 1536 wrote to memory of 1888	1536	81a7f3b01e3f81e00ee4b65ed0192e8e835dfe403eb23cc8c0509c8a84e411fb.exe	84
PID 1888 wrote to memory of 2872	1888	Hbpgbo32.exe	85
PID 1888 wrote to memory of 2872	1888	Hbpgbo32.exe	85
PID 1888 wrote to memory of 2872	1888	Hbpgbo32.exe	85
PID 2872 wrote to memory of 4740	2872	Hmfkoh32.exe	86
PID 2872 wrote to memory of 4740	2872	Hmfkoh32.exe	86
PID 2872 wrote to memory of 4740	2872	Hmfkoh32.exe	86
PID 4740 wrote to memory of 2740	4740	Hodgkc32.exe	87
PID 4740 wrote to memory of 2740	4740	Hodgkc32.exe	87
PID 4740 wrote to memory of 2740	4740	Hodgkc32.exe	87
PID 2740 wrote to memory of 4540	2740	Himldi32.exe	88
PID 2740 wrote to memory of 4540	2740	Himldi32.exe	88
PID 2740 wrote to memory of 4540	2740	Himldi32.exe	88
PID 4540 wrote to memory of 3648	4540	Hofdacke.exe	90
PID 4540 wrote to memory of 3648	4540	Hofdacke.exe	90
PID 4540 wrote to memory of 3648	4540	Hofdacke.exe	90
PID 3648 wrote to memory of 2472	3648	Hfqlnm32.exe	91
PID 3648 wrote to memory of 2472	3648	Hfqlnm32.exe	91
PID 3648 wrote to memory of 2472	3648	Hfqlnm32.exe	91
PID 2472 wrote to memory of 1992	2472	Hioiji32.exe	92
PID 2472 wrote to memory of 1992	2472	Hioiji32.exe	92
PID 2472 wrote to memory of 1992	2472	Hioiji32.exe	92
PID 1992 wrote to memory of 4028	1992	Hoiafcic.exe	93
PID 1992 wrote to memory of 4028	1992	Hoiafcic.exe	93
PID 1992 wrote to memory of 4028	1992	Hoiafcic.exe	93
PID 4028 wrote to memory of 4388	4028	Iefioj32.exe	94
PID 4028 wrote to memory of 4388	4028	Iefioj32.exe	94
PID 4028 wrote to memory of 4388	4028	Iefioj32.exe	94
PID 4388 wrote to memory of 1448	4388	Ipknlb32.exe	95
PID 4388 wrote to memory of 1448	4388	Ipknlb32.exe	95
PID 4388 wrote to memory of 1448	4388	Ipknlb32.exe	95
PID 1448 wrote to memory of 2944	1448	Iehfdi32.exe	96
PID 1448 wrote to memory of 2944	1448	Iehfdi32.exe	96
PID 1448 wrote to memory of 2944	1448	Iehfdi32.exe	96
PID 2944 wrote to memory of 336	2944	Ipnjab32.exe	97
PID 2944 wrote to memory of 336	2944	Ipnjab32.exe	97
PID 2944 wrote to memory of 336	2944	Ipnjab32.exe	97
PID 336 wrote to memory of 1316	336	Iejcji32.exe	99
PID 336 wrote to memory of 1316	336	Iejcji32.exe	99
PID 336 wrote to memory of 1316	336	Iejcji32.exe	99
PID 1316 wrote to memory of 2952	1316	Imakkfdg.exe	100
PID 1316 wrote to memory of 2952	1316	Imakkfdg.exe	100
PID 1316 wrote to memory of 2952	1316	Imakkfdg.exe	100
PID 2952 wrote to memory of 1704	2952	Iemppiab.exe	101
PID 2952 wrote to memory of 1704	2952	Iemppiab.exe	101
PID 2952 wrote to memory of 1704	2952	Iemppiab.exe	101
PID 1704 wrote to memory of 1216	1704	Imdgqfbd.exe	102
PID 1704 wrote to memory of 1216	1704	Imdgqfbd.exe	102
PID 1704 wrote to memory of 1216	1704	Imdgqfbd.exe	102
PID 1216 wrote to memory of 4340	1216	Icnpmp32.exe	103
PID 1216 wrote to memory of 4340	1216	Icnpmp32.exe	103
PID 1216 wrote to memory of 4340	1216	Icnpmp32.exe	103
PID 4340 wrote to memory of 3084	4340	Ieolehop.exe	105
PID 4340 wrote to memory of 3084	4340	Ieolehop.exe	105
PID 4340 wrote to memory of 3084	4340	Ieolehop.exe	105
PID 3084 wrote to memory of 4360	3084	Icplcpgo.exe	106
PID 3084 wrote to memory of 4360	3084	Icplcpgo.exe	106
PID 3084 wrote to memory of 4360	3084	Icplcpgo.exe	106
PID 4360 wrote to memory of 4412	4360	Jimekgff.exe	107
PID 4360 wrote to memory of 4412	4360	Jimekgff.exe	107
PID 4360 wrote to memory of 4412	4360	Jimekgff.exe	107
PID 4412 wrote to memory of 2356	4412	Jpgmha32.exe	108

C:\Users\Admin\AppData\Local\Temp\81a7f3b01e3f81e00ee4b65ed0192e8e835dfe403eb23cc8c0509c8a84e411fb.exe
"C:\Users\Admin\AppData\Local\Temp\81a7f3b01e3f81e00ee4b65ed0192e8e835dfe403eb23cc8c0509c8a84e411fb.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Windows\SysWOW64\Hbpgbo32.exe
  C:\Windows\system32\Hbpgbo32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Windows\SysWOW64\Hmfkoh32.exe
    C:\Windows\system32\Hmfkoh32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Windows\SysWOW64\Hodgkc32.exe
      C:\Windows\system32\Hodgkc32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4740
    - - C:\Windows\SysWOW64\Himldi32.exe
        
        C:\Windows\system32\Himldi32.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2740
      - C:\Windows\SysWOW64\Hofdacke.exe
        
        C:\Windows\system32\Hofdacke.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\SysWOW64\Hfqlnm32.exe
        
        C:\Windows\system32\Hfqlnm32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3648
        
        C:\Windows\SysWOW64\Hioiji32.exe
        
        C:\Windows\system32\Hioiji32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Windows\SysWOW64\Hoiafcic.exe
        
        C:\Windows\system32\Hoiafcic.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\SysWOW64\Iefioj32.exe
        
        C:\Windows\system32\Iefioj32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Windows\SysWOW64\Ipknlb32.exe
        
        C:\Windows\system32\Ipknlb32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\Windows\SysWOW64\Iehfdi32.exe
        
        C:\Windows\system32\Iehfdi32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\Windows\SysWOW64\Ipnjab32.exe
        
        C:\Windows\system32\Ipnjab32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\SysWOW64\Iejcji32.exe
        
        C:\Windows\system32\Iejcji32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:336
        
        C:\Windows\SysWOW64\Imakkfdg.exe
        
        C:\Windows\system32\Imakkfdg.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1316
        
        C:\Windows\SysWOW64\Iemppiab.exe
        
        C:\Windows\system32\Iemppiab.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\SysWOW64\Imdgqfbd.exe
        
        C:\Windows\system32\Imdgqfbd.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\SysWOW64\Icnpmp32.exe
        
        C:\Windows\system32\Icnpmp32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1216
        
        C:\Windows\SysWOW64\Ieolehop.exe
        
        C:\Windows\system32\Ieolehop.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        C:\Windows\SysWOW64\Icplcpgo.exe
        
        C:\Windows\system32\Icplcpgo.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3084
        
        C:\Windows\SysWOW64\Jimekgff.exe
        
        C:\Windows\system32\Jimekgff.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\Windows\SysWOW64\Jpgmha32.exe
        
        C:\Windows\system32\Jpgmha32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\SysWOW64\Jfaedkdp.exe
        
        C:\Windows\system32\Jfaedkdp.exe
        23⤵
        Executes dropped EXE
        
        PID:2356
        
        C:\Windows\SysWOW64\Jioaqfcc.exe
        
        C:\Windows\system32\Jioaqfcc.exe
        24⤵
        Executes dropped EXE
        
        PID:2672
        
        C:\Windows\SysWOW64\Jmknaell.exe
        
        C:\Windows\system32\Jmknaell.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3308
        
        C:\Windows\SysWOW64\Jfcbjk32.exe
        
        C:\Windows\system32\Jfcbjk32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1768
        
        C:\Windows\SysWOW64\Jefbfgig.exe
        
        C:\Windows\system32\Jefbfgig.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4832
        
        C:\Windows\SysWOW64\Jplfcpin.exe
        
        C:\Windows\system32\Jplfcpin.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4276
        
        C:\Windows\SysWOW64\Jfeopj32.exe
        
        C:\Windows\system32\Jfeopj32.exe
        29⤵
        Executes dropped EXE
        
        PID:1728
        
        C:\Windows\SysWOW64\Jlbgha32.exe
        
        C:\Windows\system32\Jlbgha32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:640
        
        C:\Windows\SysWOW64\Jblpek32.exe
        
        C:\Windows\system32\Jblpek32.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4484
        
        C:\Windows\SysWOW64\Jifhaenk.exe
        
        C:\Windows\system32\Jifhaenk.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2428
        
        C:\Windows\SysWOW64\Jcllonma.exe
        
        C:\Windows\system32\Jcllonma.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:988
        
        C:\Windows\SysWOW64\Kemhff32.exe
        
        C:\Windows\system32\Kemhff32.exe
        34⤵
        Executes dropped EXE
        
        PID:1516
        
        C:\Windows\SysWOW64\Kmdqgd32.exe
        
        C:\Windows\system32\Kmdqgd32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4760
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3400
        
        C:\Windows\SysWOW64\Kfmepi32.exe
        
        C:\Windows\system32\Kfmepi32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Kikame32.exe
        
        C:\Windows\system32\Kikame32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4396
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5000
        
        C:\Windows\SysWOW64\Kbceejpf.exe
        
        C:\Windows\system32\Kbceejpf.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3380
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2648
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2200
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        43⤵
        Executes dropped EXE
        
        PID:2992
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        44⤵
        Executes dropped EXE
        
        PID:2168
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1656
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4304
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        49⤵
        Executes dropped EXE
        
        PID:4684
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        50⤵
        Executes dropped EXE
        
        PID:2920
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        51⤵
        Executes dropped EXE
        
        PID:4128
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        52⤵
        Executes dropped EXE
        
        PID:1816
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4788
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3100
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4600
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3048
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4404
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3976
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        60⤵
        Executes dropped EXE
        
        PID:1364
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4772
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        62⤵
        Executes dropped EXE
        
        PID:2204
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4792
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        65⤵
        Executes dropped EXE
        
        PID:2268
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:4892
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        67⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        68⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        69⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        70⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:2708
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4284
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        73⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        74⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3460
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:872
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:4456
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3872
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3684
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:4280
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        82⤵
        Drops file in System32 directory
        
        PID:2000
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4896
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        84⤵
        Drops file in System32 directory
        
        PID:5156
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:5244
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5288
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        88⤵
        Drops file in System32 directory
        
        PID:5332
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:5420
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5480
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        92⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5596
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5652
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:5760
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:5808
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:5876
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5924
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:5996
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        101⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6136
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        104⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5272
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5360
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        107⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        108⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        109⤵
        Modifies registry class
        
        PID:5608
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5700
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        111⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5884
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        113⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:6068
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1984
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        116⤵
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        117⤵
        Drops file in System32 directory
        
        PID:5368
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5488
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        119⤵
        Modifies registry class
        
        PID:5644
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        121⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        122⤵
        Drops file in System32 directory
        
        PID:6048
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5184
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        124⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        125⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5576
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5744
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6044
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        128⤵
        System Location Discovery: System Language Discovery
        
        PID:5256
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        129⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5944
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        131⤵
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        132⤵
        Modifies registry class
        
        PID:5908
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        133⤵
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5552
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        135⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6172
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        137⤵
        Drops file in System32 directory
        
        PID:6216
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        138⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6260
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        139⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        140⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        141⤵
        Drops file in System32 directory
        
        PID:6392
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6432
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        143⤵
        System Location Discovery: System Language Discovery
        
        PID:6472
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        144⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6560
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        146⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6648
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        148⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        149⤵
        System Location Discovery: System Language Discovery
        
        PID:6736
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        150⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        151⤵
        Modifies registry class
        
        PID:6812
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6864
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        153⤵
        Drops file in System32 directory
        
        PID:6908
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        154⤵
        Drops file in System32 directory
        
        PID:6952
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        155⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7040
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7084
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7132
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        159⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        160⤵
        Modifies registry class
        
        PID:6224
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        161⤵
        
        PID:6300
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        162⤵
        Drops file in System32 directory
        
        PID:6360
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        163⤵
        Modifies registry class
        
        PID:6428
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6504
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6572
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        166⤵
        Drops file in System32 directory
        
        PID:6636
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        167⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6704
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        168⤵
        Modifies registry class
        
        PID:6788
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6856
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        170⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        171⤵
        Modifies registry class
        
        PID:6988
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5696
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        173⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7128
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        174⤵
        
        PID:6212
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6316
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6464
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        177⤵
        Modifies registry class
        
        PID:6616
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        178⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6720
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6840
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6940
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        181⤵
        
        PID:7056
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        182⤵
        Drops file in System32 directory
        
        PID:7144
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        183⤵
        System Location Discovery: System Language Discovery
        
        PID:6272
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        184⤵
        Drops file in System32 directory
        
        PID:6528
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        185⤵
        System Location Discovery: System Language Discovery
        
        PID:6700
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        186⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2488
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        188⤵
        Drops file in System32 directory
        
        PID:6876
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        189⤵
        
        PID:7032
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6168
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        191⤵
        System Location Discovery: System Language Discovery
        
        PID:6488
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        192⤵
        Drops file in System32 directory
        
        PID:6768
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        193⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 420
        194⤵
        Program crash
        
        PID:6204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2616 -ip 2616
1⤵
PID:7020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
240KB

MD5
2952d955b192e40352fed4af4187bfc1

SHA1
d6fa73ce89976910672b4faafb0e21a79b0ba413

SHA256
aec9cfc31e6a5f6f1553d88d6658677febe66e3207a4879a99863f138475fcbf

SHA512
75bf2d82fac43184404d6750c6ae605bc9892a74cfeab8424a1d26dce645c976a769cda85978168b6e0b4c3a598e6968c1b3ecdf61feb64e21c1d2992cc69a58

Download Submit
C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
240KB

MD5
c56e68b2f9d4f912960771af2e801e1a

SHA1
046c84bff2d312a549f1a7ff790368b9071f9a2c

SHA256
51c5c7670f54e9f4412f18ed58ccef6b73fe958290626b9a18e2413c549c9286

SHA512
7fda911c83f92bae00904928707d3465e0b439a17747c3896c197d9a3bef3542ad7c7cd72390a8f721a1e8cbae5d36778c41f681c51ae17630f7395d32f86f7d

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
240KB

MD5
93f61269d35f9d17c1bc48f6197bc594

SHA1
1547f013b7a56edd059f8e53c5236e8464744f82

SHA256
ab56440412c8a289a5e38351aac25b12c0a97fe168bc7cef29544093a3d745cb

SHA512
a7e4ec970b377ab963dc125d6d6e561031ed2fd99e95def8f19b3107b1e354ab82d426e68b8b4a6219075fe49213d554425ae1d02a544864383db7cd46a4a0a7

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
240KB

MD5
edee7c2500be04675aa2e7c07bc2bf79

SHA1
351d333922300f96cbc33c7af253fb708630d7bb

SHA256
19abe5bbf9f6f26e6bd7942da2548e16c4a4652c93ed86baf72c3730627f9097

SHA512
41b91d7e7b0e65ec612332de08ea075cc96555078c52e8a233f05acf06aae931a849bfc3fdb9610731270fc68c7a1b5495cb32554fce1d2646874be137cc3405

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
240KB

MD5
5b589eb4fdadab4ee55199a601a82f49

SHA1
b48ea0b28e18aced3d17f14368f45cfc8bddf6de

SHA256
041765bdcdeafcea3b06de6a3aee35184efb86ed63eaf570cc4fb6767740b2e8

SHA512
3ed40f5e942b26e8ffcc85967b53f2624cbcd5cc4b39d6a8dac27e88a8673c041defb7bd8fe79628036b718c8ae5613bd5370766a4e3e5fba1302a97eb239984

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
240KB

MD5
4775c3e0495a14c8e64f297f55477f8c

SHA1
ba1fd5d0e3188e589cbd46f847f55d212809010b

SHA256
79e9d5d39f2339e8c14a18206d8b9ff3a4f83f49b2c3607016a3ca2a83773020

SHA512
a43a47884985ae56517d07bc894ee49e82c2554fb79cad7b21853db22cccf358e16a08beb87e3823a528f6b02b61321bbf201fe8d98be8066a5617190e1817e1

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
240KB

MD5
e88830561074985a8dfaa7cd07722128

SHA1
91ad7385e7f87343adb639e85bdabf6b85bface8

SHA256
2540d0ed37ff0479527c0ef6a94a1a98a3e969213d5e25ef73a178e2c41bea01

SHA512
0588799f8c6aea7bae693e3153ac240a102e567aa5f6a1490b421530f79816f28b302ce9ff60e61b6f1d2f84418281d7e670397ac21919763a2f9eeeed4866ce

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
240KB

MD5
42cbdf1912287f38ec49b9459067b74a

SHA1
e9ef96588ee1ffa65209d900665d9ef37af21c46

SHA256
195f49a3796516bf05e542e18f8e5299b4254cde02543082765d7a03159c2ad3

SHA512
ef5ffccfb29460a0036fc94e5d8fe1ba4ad8e4f6e6a67c9a2f32131ebaba11a096e0c18fffba1b17cbce9788632bb56f46026cfdf97ddb7f1a58805dae78f757

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
240KB

MD5
be2751328c3cb7a92ad28ce9fabf0fee

SHA1
b0d20819af08e444ab66c3b13ea81c80ec4af4a3

SHA256
481cb32a19a5bcee43babbec9b6a04e523366e2edce5e770c0b51905cf6389e6

SHA512
65b216e4b8a71422d2dd4db5dffd2eff4901e0615b7de37fbb1901d71c142929d571534ae1e26be76f10f2a13da0b77eb78c263964a019f45d75c8163c8200d3

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
240KB

MD5
58ccac943f76c84d4185b5ebd7f52375

SHA1
c2630c63e4b699ac3f3978951c165a93b87f67c8

SHA256
9e4501d8051de17c6d634fc7a659513979622e58e3938707ff7ee2dfae13db9e

SHA512
7855cb1947b6745d9541fe47daf16f81b5c9fcdbb8e8c62c8c80e7b82aa3cf7b63d74b54e88e2ba6028551ddbd549c59c5c143e2be1abc93b4f125bda18bfded

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
240KB

MD5
4499f863b821e1d0245f5a31108ed44c

SHA1
8e9d78a13a5df0fabf7055fa54a7b995eb72c7f6

SHA256
14f8486405aa4196c4ace06995e618883cadfddd35c44321d73778ecfc177e7e

SHA512
7bd94924894c6470f591682e9fc6a858dde8ef6d6591bfe69b9745b76bcfebe6f43f8f86564889439ba56296d5c8a8cb2bf8c88a381890cb5dfc4a32ce698a99

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
128KB

MD5
e95d5c11e9663acf658106ed4b9b8bb3

SHA1
b0be20d01feb0f66c07d569dcaaaaa567e1e9e12

SHA256
f2eb105e21725b57586f3960fa248943dbca8be2027dcbe923fe6148492d8663

SHA512
4493faaf6c7c24956ccdbc90977060ecb50d93f47beda4d4f1201904225b66e4d8011101aa76ee7e54715b29e61057121e2c1d7adb393589f9b0caadbf5a4180

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
128KB

MD5
55f11e06f35fd04888d627953976761d

SHA1
c7f1f5b5abb23cb80b0f9a613dbb0c4d79630d22

SHA256
9b625c2c8e5de914c5cf497d87894c338a9c7d1087797d6cdf4fcb5f3212ac2a

SHA512
00ab80f8c7036c601ae90e9fe476811320c8aca4eafaa50cbce69872325526dde915b4695cbca6dc029cbb07a73aad2c4c83753486d3594c9029f78487c5a3f1

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
240KB

MD5
47e8fef576f9d2a6cf84197d501e6116

SHA1
0cf645e0f2871e08bb0c7faf56bb87cf47a03b84

SHA256
72d9ea1e2d60d1b07421b87fe3d622b6d04a5dc18b84c1e60149f3ccf0fee22e

SHA512
44764871972c8084295f417b906d2944b036ee52910fb0644c8d6d893b5a6aa2fc3bd405f92c68cee3e8e6c01510c614195623b7725942cce604ad8d04d8d83b

Download Submit
C:\Windows\SysWOW64\Hbpgbo32.exe

Filesize
240KB

MD5
c2227c1ba3883a8a0fa5e188ff27ce30

SHA1
68341e15147c545a6871e88cc0702e259542961a

SHA256
f578e975261c9970788975cb0c0c7235a6173d9249967116cef0ac049214a681

SHA512
2ec7eeba4d6effae3698b2c8764d90a49a55b248d419981452e2e16d3282924b779bec8fd2fe1dbb03c50b00a5994a9ab25c3d9f7dad8534d0fad907e39788db

Download Submit
C:\Windows\SysWOW64\Hfqlnm32.exe

Filesize
240KB

MD5
c6e74270ded6775da73d3e0cb95f81d7

SHA1
f94739e57338d6a669da3841c2d3f01b35c527c4

SHA256
e7c750b63835d00ce612709cc24f793dce2366c1a8f68292a6a8c75a1bb48782

SHA512
aa9d9556d5581d6bce11572161799354c01cc8d9b40312417321553687b83d0512c2cc6bab7be558ad87411e06b22469caf2f1a379e5fd64686b696d5991d091

Download Submit
C:\Windows\SysWOW64\Himldi32.exe

Filesize
240KB

MD5
449d3c413974fe8898e61c628ae881d4

SHA1
577571bf6e135d3dc97cff929bd534973051aa9d

SHA256
2ea4424aa095075d1de5a5b42dff9fe89df6fcb2906d8073018360f6ed5ec4d7

SHA512
8b6bd299e3c55b02209d7e67a13991ae7b14996ee15381525c9acb75f229ebf05e877dda7d39a6e182b4d8025edc7ba3363c09052c18147400dd9ae9015788d9

Download Submit
C:\Windows\SysWOW64\Hioiji32.exe

Filesize
240KB

MD5
7a3c8e9522be3b1ab81efb3ac42b8dc5

SHA1
291c82eae24620448cc82c3c8c3a7afe42669ef2

SHA256
9e1bb5d101493ea90de2ea484d38e6527cce2e58885fc8a90c62af6c52b73557

SHA512
a880017e442d8cbf1abfaab665d0b32bce7ad6e0cb2eef46ddbcae4e280963ea46de385134e92ed85cccab6dddfef8c5baeae63f0f5869d8e95945f61f70c02c

Download Submit
C:\Windows\SysWOW64\Hmfkoh32.exe

Filesize
240KB

MD5
06de5e5b1a32ec1d4313a88682868cea

SHA1
94e9426b0504a9f0414ae5be778356e22f147cff

SHA256
cd3a7df9166500d5e944e8218c5ff0bbed4af9b4eff846a1dc5a8ef6a8c958db

SHA512
db98424c0aed6c3ec5bcbfff8c5d2424d082ae4d24757158ef5116774d9c2b35246f7aec99e745f0868aa377f3da61f8b7fdcaa328df1e60a9f5e45a2ad4bba4

Download Submit
C:\Windows\SysWOW64\Hodgkc32.exe

Filesize
240KB

MD5
468452f5369079f120256a3b765977fd

SHA1
d5c420f150d30e87384e26cb52b0e39eef0dae0b

SHA256
143e2f0f750787a4bdeeb7a696c4fd693147059e9be7a0daded782596a6d9a81

SHA512
6f83134861439fe3722324ffa7c025be86fdcccfe41ecde833689df66d012aa0f3a7e815f28f2dd6ecc76d586214c4735d33ba38da6a5fb734530c8476ca9f0b

Download Submit
C:\Windows\SysWOW64\Hofdacke.exe

Filesize
240KB

MD5
4b25db642ad57fa114608d3091e27ce4

SHA1
0bb4def0f790b207a0eb117812e923bafdda01fb

SHA256
a89de158910fa79955ce7893ecbd3f521dabc3cc820aab063020abd8c9b708c6

SHA512
35e44ad2da7f5b04aa95e8517bb2f3bdcf70977f6f90605c61c49dd8c44e17cc430e461628f9b5003a3e9fb7ebbb9e6f407dbbbf0ff0d6e9121b793f3c0a63d3

Download Submit
C:\Windows\SysWOW64\Hoiafcic.exe

Filesize
240KB

MD5
019921c243f8e7d4bd0dda7f2731c30a

SHA1
380d694660808d228ecf9c70153744775d5a37ab

SHA256
0eb15aff607ff7626b26867cf9c83f45eec0f4b1afdb2406ea407b434de97bfa

SHA512
58956df1dd157806fe2dc1c1a27661c68f0c58bf69003ca70fa81a85270b2e797f2716b864257f0f31ecbc047a8ebf1a414979486e46a53df8e65fb7cf9720b5

Download Submit
C:\Windows\SysWOW64\Icnpmp32.exe

Filesize
240KB

MD5
3f722066f0cff5a75eba87f1b3468d71

SHA1
215510e14653a5f358ff7ffd7fe28bfba4754c0b

SHA256
1d8b59104b32f176859b36c187304ac17160891015336dc891c88cb2998d368d

SHA512
2b5258a54d3dd9f2d95906fff0f6df2d183172fc3d273ed43cd84ebd04db0ca7e0ee75ed0b65b0bb1e96b0820113500936589d79927ea5bfc5ac943ac09c5895

Download Submit
C:\Windows\SysWOW64\Icplcpgo.exe

Filesize
240KB

MD5
08bb6db93fc97fdc4a0829d279bd79ee

SHA1
2787d5a9ca458670cb88c004ed769ce33200648d

SHA256
294e56b41be3685e40e11360f4a57a99a0ca8925713fac14afd0f4ec5b5f852b

SHA512
2ec5f89249ee424b74e2aac1b543c477f6a0b66d992ac9365753589dd472b4444ddbc05ff58080566e1492b3eddb4630880634850d61fcbe0c54e39ebc5346c8

Download Submit
C:\Windows\SysWOW64\Iefioj32.exe

Filesize
240KB

MD5
efa59256948585de18f2f0c0904bc488

SHA1
7f220171191119542b5e12a6eac55dd95b932dc2

SHA256
da228ab5b10532a0ac21e5e2610f5b80512187aa115e7203866063ba36b10f19

SHA512
91506b07de1f8d60c560ed380d45802a61d917d2f934df62f6e7fb4092b646c91be9f93cfbb449460a6a707d4677301904533b9b7320724cbd2a4d1751729c5b

Download Submit
C:\Windows\SysWOW64\Iehfdi32.exe

Filesize
240KB

MD5
4c30ff46e360ea90e5ef9e576234b037

SHA1
9a2ad4870c878253f1f2df3d17544e0b8508405d

SHA256
065f46c593b0a850c91399fb13a5266213f9f4a26261ab971dbfae12b8c82b37

SHA512
5169ddc61c3a5157bc85b7646242d59b7a23881323f899d6133f941f3278da56d058ee828ae8a236b8312c0da82c9fcdfd522b238efbec94a5e1766c5d6b1e6c

Download Submit
C:\Windows\SysWOW64\Iejcji32.exe

Filesize
240KB

MD5
1798fb7a41dd5a7b341e90982e0b7b10

SHA1
c4407605490558a11fccaee4f51d5307fe43b2de

SHA256
94c37e46d46063f63a053a7de62bc3867350619eaf6a5cca84efae16057ea882

SHA512
56dcc128e92a9773ba43bb5621557d55d86c4c082bcdc9bf7881e7462f6401f7d26106445cdc6fbd457b930c730617a0159692f874d20bf1cd34f4ba16732603

Download Submit
C:\Windows\SysWOW64\Iemppiab.exe

Filesize
240KB

MD5
a1e2d4f46c989790b7c5328672158936

SHA1
9658f8425bae4c40f8bdc19763687375c698df08

SHA256
5ebd8d9ef660af70183f0901ad2fcbb0e254f0b8302f7028f0342cddeb941d5b

SHA512
3fe1837fc7b33f1152b705a9d5787bca950117de18c00aea05d0941bbf766eb4bdb3ce6dfb62ecafa4e5635afffea0bc57d4b41dfca5eac46205ec9c18d6bf95

Download Submit
C:\Windows\SysWOW64\Ieolehop.exe

Filesize
240KB

MD5
7062deec943470cbf19b5eb1f628a631

SHA1
2a951eeb5df6991403736349a6e4098c9d4e6182

SHA256
24834889e4d3b8ac6fe878ef65d7e1a7f3a3a35791476cc54c7844ee9aa97cae

SHA512
745513ecf975d0b6b6ac41ec40063d5b9a658ffa7ba03f2858ba95c852935d5d4cb67f97c69367b66311e78cd07e97ca72ad582469bca7f67e822116d30a81a4

Download Submit
C:\Windows\SysWOW64\Imakkfdg.exe

Filesize
240KB

MD5
ca1c1597839d922586c206559ea9e7c6

SHA1
aff06e1e37bb2c985e3bf958f6981274ab70dc24

SHA256
ebaaca26daa90743af33352a77d32b6b83c5a7ef23e3fbe10b3b8195232a6762

SHA512
ad7dd397f482f2a49f8f32dddc8db4ff049a16fe2561bf5124376eb8e00e2ba309eb5d680dfb678cbcf9dbbce73d7c4e537f3ec2603883762cf6df990cda7c9a

Download Submit
C:\Windows\SysWOW64\Imdgqfbd.exe

Filesize
240KB

MD5
cc6fad23754042071d8e40614cfc03c8

SHA1
62247f1d6abe9bc6a2691f7eb73fcb038024db0b

SHA256
50f42c9603d59caf7b0719b431e30169b0e82d83349441678814a5c7b4aeccdf

SHA512
8416eed81d246ef8bb8efa342c8108d4f1528a9e7aa0a552fc9d17258b25825b927fd6fdaf053705b9e424247ded7601d63e085dbe39579fdfbc556c7372e301

Download Submit
C:\Windows\SysWOW64\Ipknlb32.exe

Filesize
240KB

MD5
f87589aeaa5ca823b0eae997c11aeccb

SHA1
b5761b252146a23f5783c7169a546f8efe8922d7

SHA256
bdffaaee09d7b404d20a1e5eb77b6e3dc25e1ff79693d8c59e6e0dfce3237a69

SHA512
7a9cc798bb4bf65a958db4b2511465ca0fd247c1659c2f7c7dc4e5c162985a6a87ba7036e8489fb41e358c3c233a95c9592989c010e9100c5fe1c7cbf4f228da

Download Submit
C:\Windows\SysWOW64\Ipnjab32.exe

Filesize
240KB

MD5
3839b2daa96746dd59629ec71abe2e25

SHA1
5e40a3fa1e340d974d1b26fd9919e4510f670aeb

SHA256
62ecee3d2ecf83d7622c18035c7626d64beda6be1c25f0a33fb0d8b52da8c55e

SHA512
073a9c636f26cf9bf550ed8a736d89c75224c18a5c823bb2f5167e5f082f1ccac7afca1f3ab9d7dc5f6539cdaa39305470c26f43b76af30d2ce86ca05407022d

Download Submit
C:\Windows\SysWOW64\Jblpek32.exe

Filesize
240KB

MD5
f6da91acedec89d235a05f76a7027c36

SHA1
6cec04b0aa57b4d8089cc5b387f4dce8191ae724

SHA256
c77ce686b442beb75f72c40387b7c906f359b2f5313ff79c05a95c37cc9710ac

SHA512
a34fe28be4236db49f65eb7982ce1d8ed70f2fa6b018f530678d0507d9d3b9d1373e7733e5ba0da0796058cd48bb5f5eb8770af72e082f42bb906b7b11fdc365

Download Submit
C:\Windows\SysWOW64\Jcllonma.exe

Filesize
240KB

MD5
68ed473c34def1dd529187584f680611

SHA1
c52658cbc86226fcb25154438d668437165e2e53

SHA256
e6f241a67cca55b466b17cc0e28efa1304f537b5250b19ff3dc29c72748a2a5b

SHA512
09bc2ff289a71d4956b093648904df0080d6f79d1dec5db86ccba9c366e6773e637154936f132fe204cac202e6c619d014d85485cd7cc810a75130603387c3cb

Download Submit
C:\Windows\SysWOW64\Jefbfgig.exe

Filesize
240KB

MD5
47bcdab1ecf0a2ee141545d039a50024

SHA1
747c367a89c3cc44146407fcdefeb4843e66c92f

SHA256
b5753e8934c00c96c139f5512d9eff55842e5f5bac87be06073bf8a6d5c57984

SHA512
c5407f5194d8cc519aa7902f39647f944706f261e125d1ddcc5a7eb8343107fd480ff33bc551e9a9691b07b4b31d17746dcdf86d9be8e0ed043c9c4c14882a53

Download Submit
C:\Windows\SysWOW64\Jfaedkdp.exe

Filesize
240KB

MD5
5ff12995840025baea67f8cb8f1f65c6

SHA1
8685f92badea8cb0cb8ea848417b16c298e54928

SHA256
5aefba0658764334cab05bd9dfdc827edb307e131c5c5ec28f25c1a352156197

SHA512
d209fae2f7dcf41771f9295c83b2d3a2c840a54d9ae69d31103e1069b42b3027ee33112f2772993ded861b450dc7a1be51c962ac0bec960c1fe4fc61fec54927

Download Submit
C:\Windows\SysWOW64\Jfcbjk32.exe

Filesize
240KB

MD5
721ccb5c3d053c8785c8c1ed0a9bbcb0

SHA1
520e72dfdbb000d0c0f254d74bf1c57fa9571ae5

SHA256
2194189577d5e5103f339093203e96a1d1f97977fc636f2b7450cb13dbbc3d7f

SHA512
cc1334946fdff35a8a75db296e148693d995bda749331168f3e7d8cb0b8bbd1f4c02af77e89d0f524aaa390db4974d26d60aad342f9b47fc70c56ae8f519dcb1

Download Submit
C:\Windows\SysWOW64\Jfeopj32.exe

Filesize
240KB

MD5
aa6233c2f3d89ac667c5584742dbba0f

SHA1
bcfc4afea3671d25346f095098dac51b30e45e54

SHA256
6d98f65111931b7ebcc77b9cb9def2f88e52cd31cd9cbff12346edfcbb611739

SHA512
4be764581285dc46f99cc9bc4c0c00ac15ec056546cabf18927ecc809e48d560cee238bc1e3f6781b19a149deb295a46d49b7dc01c25a73121eb59e9e330ff4b

Download Submit
C:\Windows\SysWOW64\Jifhaenk.exe

Filesize
240KB

MD5
0da1f91163697ce96740d34d0e07db28

SHA1
f64db5d35b1975702e999836b62ad18f83f03047

SHA256
822b702f046f9be26fa7e99ba132d2071e5ca1b9047319da5bf514df6e9e3f59

SHA512
035c1904917d99ede52e046db88611e1f75b6494788cf3f93a039aef4e6c03ba8c7348103056f418da0b306506a6496b3703d18793aa20a1c5794b83ba8d5e83

Download Submit
C:\Windows\SysWOW64\Jimekgff.exe

Filesize
240KB

MD5
ec8aad6cc783f2d0daffe6b4d63c5b3f

SHA1
1d8f303f334ebf8a0a65a6d68a27ca166b87ce49

SHA256
444e7c4519a30965a28ad8409e4aeb2d667ac58efe179fb26b8db46e5428f2d7

SHA512
1fb606722f666109a99a210dd3cc995e126846bc596dd66b4f13142a7f4d2cf000c6501cd1cf222bd0ce5fa771944842c64a292485d1b50df9de0e90ba3e1abd

Download Submit
C:\Windows\SysWOW64\Jioaqfcc.exe

Filesize
240KB

MD5
7d1299d543542621e73e20ea20b22266

SHA1
003d1eb2a2f3b3fcfd84a986958b7c5fe3b9a7b6

SHA256
73e946dcd5986f2763d2dde547f9276ece8bf9564b05333c65af32fe6b658636

SHA512
c4ef924f243a21df498adc9e2816d8766a7cc1f5ffc6e5f16677da98f3965495c2321793104776176a8c6c635368468db03c32da5427737f741d1830fb854a8b

Download Submit
C:\Windows\SysWOW64\Jlbgha32.exe

Filesize
240KB

MD5
0b5289a55b103a07fcbbc8eb0e57e2d4

SHA1
8de2bfddd7835ee1eca0860f5c14a50555c8e17a

SHA256
4194aa839942c3221daa972b914c0f7d18116c3ef71e29f99e7c64eace3b1a13

SHA512
4a7eb26dc016e3a1dfd10fad3e6140cea25c015e53a8428c9587b075bff588cb80c32c5e1a41d7fe5214ab8ce3ea5b0c50220687d838a42b45bf69611ae0acd6

Download Submit
C:\Windows\SysWOW64\Jmknaell.exe

Filesize
240KB

MD5
a1df1f3b62d7bae598936fbdcf5958bd

SHA1
2a908be117ef7f20e88efb4c1dfee16ed3116fec

SHA256
ceccfd7d8a4ed84c025c27cfa5dc5b30df3376e18ad70957fe859ea821170e3a

SHA512
73901fc53dc1a3e035390a5804d8435f9758a90539583b5a4210512279fbd650364cf0d9395e825e0ba8190548f43ab0ca9f03c558aaf0715589ad1404dd9ee9

Download Submit
C:\Windows\SysWOW64\Jpgmha32.exe

Filesize
240KB

MD5
9dca05bb49c7e1474702cfd3661bb120

SHA1
05f5bd4a522f3cb3274f89a2e2289dcff8634635

SHA256
659c11150c1578208d2b69e520d678799a6befa00ec809f53b701ec2645b866f

SHA512
338eea76b78e2cfc60c5641aac2aff6a5a75e8f6bbe4cd53a05100dda93ca351f49f84a5d1b25591019cc2838204d837f03fc4a45ad8359916ef55d1091e7278

Download Submit
C:\Windows\SysWOW64\Jplfcpin.exe

Filesize
240KB

MD5
37dd99b444ab71c530484184a2eeb45e

SHA1
f76cab00a48acca1af14a877c8e9f1ce4fd7d2be

SHA256
b23601c9318f073087563e07cdeb96d4722ad4524e52fa3eb292d6a34450fb62

SHA512
671d67d40cafb500114400322f4ad08640f75e9aa54be7ed6dff20dfe26d6ad91aa3785d810850bb60e588e41ecff838a39cb4c5ffc8b008973fe7ee92d4fad8

Download Submit
C:\Windows\SysWOW64\Kibgmdcn.exe

Filesize
240KB

MD5
332d722b2b6ea3c3dd485aa5287fae20

SHA1
f5a40d47f08e3da0d76b4328364fc68a1d695e64

SHA256
a4f8f6c61cac78999967a878a97a00f561d9e1b7cb8e130863a27fbcbb0fe6f7

SHA512
f3b84897dda3afea4e58da7c40faf14de8ead6858b8dd25c59065e2d1b8e18c3ff568b1b1e4af842532a1230cbc9ac249cefb02eb30bd2741c47e0856624a31b

Download Submit
C:\Windows\SysWOW64\Laffdj32.dll

Filesize
7KB

MD5
c1bd73ac0bffc1c5bdae0c4c134582e5

SHA1
056ab7b4008f03bbb7adaeafca15530a577b07b5

SHA256
16f5c2124f246a455692bbcd4929d2d3116a3c629024a068fafad5c90cbdccc4

SHA512
719dad91993a257cb3fcb6034bf59e493ddc14983e99c6acb57dba55022c2c27eb8723d809016b53ed76e31d63d828c17f3c7f87cfeccc819634595c88f0962d

Download Submit
C:\Windows\SysWOW64\Likjcbkc.exe

Filesize
240KB

MD5
eca164ae5d6cf58c532f7ed0e5921ac9

SHA1
7f1eb9203f066368a3aabd5c1cf52377c6c83913

SHA256
6ac6e14e3e4332d947273f13e7be568f9c8b32cc8d8c1cf473a11327f4f8fd9b

SHA512
01f748bc8e92263b3689f93334a3dfb9d8516b83c0c2ac10d9459500edfcdd38960deba15ea76dfeee51da193cd22daba73efdaec2340a4ebba873d0914d1626

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
240KB

MD5
731d48d91e5c44914856084948518a50

SHA1
cda4a178235b597e4c302340920c837dfce74a93

SHA256
4b47b9ac29a8f6299dc726b0a3565246a2dfc0b38cbae1a4f23a2a9ab7b1f406

SHA512
6517125fe3be42cc3dbf4ee833dee7498ab7bdbcc25259b7f285588b997825ded28c628c8ee0fbfac08b861866d4cb922278c4afd832b7ed48e06b19ad36a21e

Download Submit
C:\Windows\SysWOW64\Lpnlpnih.exe

Filesize
240KB

MD5
1d5bd17827209bdc1e719475f2cfbad1

SHA1
714f6cda2c60dcf3eb3dba2274fb29b1db1f1ec9

SHA256
9f0270ddd4eadfb0efb2fdf75ccb83c47ec8a52ab0828185f711c3c50f37bf8c

SHA512
af0ad28d86b98ee2792745ab9ab62c9deaababf29f06a7271c78ca55f336f8b9aafe5773b9e8bd7fd9e9991e40d710ff91852ea7c1ca820ea7879f31f5b24d10

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
240KB

MD5
382d32c3fcc163e7002b3f5be399855b

SHA1
3ecf80c7bb679e3b585d3e017ee513be224bc781

SHA256
96b1fd86a7aa3779d4e7c02c53f9f0fdd9174da90536cecea1e5101f92f12a83

SHA512
c652e53379cda422c08cae41a4127553a9ef44184995af7351d747dd74ba0973726aaf89d8d3ea2a1ad694cd0f5c8a2e7da61831bef6940ade8b791e746e0c89

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
240KB

MD5
428399f7a7530ee9c16b8046b1a81412

SHA1
dc1b6e85c6e7c008db9fa3946966ae8157015395

SHA256
964b044303d53f3a14032bda0899b596e4b2867b29bb36116ccd3a6ebdc14091

SHA512
db468131f0711faf2ba9af1bd10e82f465fb3077b1e04649ac6efd469f6add149af104b90ac49f95bcda48c1b27f4f03c09ad8bc5f146c1502ef5f0b67332a35

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
128KB

MD5
215280b98179692849a3dbdae5e66d31

SHA1
fd69ea14cba8666c38ae7162e5b7b9a0c6322f55

SHA256
9e6b23ba6ec9a8d96af6cd8839bad7bc9045c045c5622ff605869d8c707d293f

SHA512
919cc24a8e8a935797b2fe81d211f91347277a44f4ace1faf1c96222808a6ae7d7191f8a3ee7f02f2a7101f16f582a3a311b4f99364264495be774cc6c93ca63

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
240KB

MD5
aa9b593ca87579d41a269f1da0f81efb

SHA1
eceaf7f28f6cc5850009877ac72a9a5dac1d4246

SHA256
71c8c2a207709e6a305f405946c20b871cbedd265c76cb77908d76239b5ad87f

SHA512
12fca3d7a715ae42f23c4854b3aae5dc7c80db784c343fb93033bf56c0c355ea3e58b8302a8e5664c9a157fcb945067feb65928c51c485db72ba5f84df77d961

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
240KB

MD5
e2037ce4b50b7c3f12763cabf6f088f5

SHA1
174aabc8057cc33b8dfcbcc57578f775a0513441

SHA256
79a8b79d14f71bf2027af96ad88473b8fdb0ce0c78eb33316e730d0fbf7ae494

SHA512
b398459e9322f319c7d7ea23b6236cf78e0f2cfa1f48c09c53cc7caf5f8385ed6c2dda0e06055a0116af1d281659ff9cfa1811d443da0c67390d738585f852e1

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
240KB

MD5
30294131a2fcc10c654fcea935f75762

SHA1
0594a95f686a7cb47c629a2e110dc59fd42dea9d

SHA256
f6855e32ac905d9858758e69b514d38f1ea9566b98f3493d7119baac2e3528ff

SHA512
96982fd5749c158f93def70ac3ac4e77f10a93cf3986705f5cbe7b78f683a92eb7ebe31cd6d4f6ac9df2e4d278d4222ffb34840f1704d70479764fb3ddc7da2c

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
240KB

MD5
2563c7207a0b0f7ccc075450296afba3

SHA1
3a3193dbb961b158c55f7bd50423d14d19f7672b

SHA256
34edb576496be0f620072b8bd5ec29c89d1d0d55b0355878dadbb3db94e6ea82

SHA512
ea9bae4ebf64f75d517a91433e76ddacdb206043c763adc526eb55f651c6d87ab54957633c8dde90daa2f59a98c5f9b180d28b4e63368c9ce4087a087e91fc10

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
240KB

MD5
12704dcb8ea70297000de8949426d8b8

SHA1
0c6f289b283d92dd5484606a0f2cb45e1cde4e2d

SHA256
f0099befdd9e6f99f49b2dd504d154f0bcedb7cbfbb77552240ae3f3f165e27f

SHA512
2b5479c492f6ebd34bf4304d9f60eb455b5e0103e374fa17f84d840e7515b775ff000a03fcc9643a83830c899944269c98ce0f244bf8b2a6bea7dd628de87770

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
240KB

MD5
fe10f9ab9b2a993fef1bfdb3ec073d4e

SHA1
16b024f3ca939304d20c11efaf48fa9e23cc5527

SHA256
7e815dfad1aeef3074a5410d401eb9159da2084efaebef2335294949f1fa7d54

SHA512
b02be33530bd8d2ccedda837ac868806eb6a777e3a426856c01bc6b61021e29abe9307754197536cea39a7f15681adcc511437be11030f9fe9f2804b0c452eca

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
240KB

MD5
c82fa8af59c18e41eab9a35a963dd0c1

SHA1
5525e43ca2de892aaf8dd3f5a4a6a36565ab7a67

SHA256
4a44807ddaed486e34d09043b43d2db4dd55ebdeb194641e7f2ae016e67cf3a5

SHA512
9691c353a35d9d4b9e6cc44c509a69e2cfdcaaeb51e2db4aca49c485204885e2eb01edbe12784bc86bcc996a109b9d0d50dbaf601cf86f6a209407e64e27e5f3

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
240KB

MD5
a9ca1ef9b9172fb660f2261316c4270e

SHA1
b4695be8cad17e55b189cde3610a21809d68c694

SHA256
a66952bdc95a16a1713e904716559586fe53fec6406e9177e4ea4dca5eab5867

SHA512
f11c26467fe22eadb9abe712582e8840f36f976e2f42f03954cc3a5137dd913ad643dbbd42eb184c0bd9f73a3b0b3a3a217b2ac960636626969cacda35d85d86

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
240KB

MD5
0094734aed493976e7145269972de146

SHA1
f61c41b7acae38cb812ba2202d7caf09c692b79f

SHA256
cee13a8937d98af462b9d3dc62469217c760c899f93678aa4dfdad16e9b81fe2

SHA512
15e15f93d43c042814b4118d3a3e071894d275ba0a263eb8c2274a98ce713c6030114edbc808ba1b8be4c1352c034a8dbbe4699dbba6b42aec94c0fc54608a51

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
240KB

MD5
7397b86c7c9b58fedef9316b4bd0e6c1

SHA1
41c69d9e9cbab92500a023bd381378a77ee97a98

SHA256
0c812e3b70c2391be5d28278e71a8179af081dfdcd376733fd2c9b6148490bec

SHA512
cd38badb5ee581e3c4a6802e3e82b9d930094a007f1f76faee6d0b4e52989f7ea3c6c3f82be93d95f77b0131612957b89502335f6262ec2e6a01a9a5e8fb7530

Download Submit
memory/336-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/640-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/872-520-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/988-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1216-140-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1316-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1364-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1448-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1516-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1536-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1536-544-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1564-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1616-349-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1656-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1704-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1728-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1768-204-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1816-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1888-551-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1888-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1992-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2000-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2168-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2200-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2204-435-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2268-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2344-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2356-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2428-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2472-593-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2472-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2616-1324-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2648-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2672-188-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2708-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2740-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2740-572-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2796-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2872-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2872-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2920-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2944-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2952-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2992-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3048-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3084-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3100-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3180-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3308-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3380-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3384-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3400-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3460-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3544-476-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3648-586-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3648-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3684-538-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3872-532-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3976-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3988-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4028-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4128-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4276-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4280-545-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4284-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4292-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4304-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4340-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4360-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4376-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4388-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4396-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4404-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4412-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4456-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4484-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4508-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4540-579-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4540-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4600-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4684-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4740-565-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4740-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4760-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4772-428-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4788-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4792-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4832-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4892-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4896-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4912-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5000-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5156-566-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5200-573-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5244-580-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5288-587-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5332-594-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6304-1426-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6348-1424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6392-1425-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6432-1423-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6472-1422-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads