berbew | d89a3588929ff18e99268bd23bebdfb5bedbf9010707c5d11175e0bf03ab286e

Analysis

max time kernel
114s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 10:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Backdoor.Win32.Padodor.SK.exe
Size

72KB
MD5

61efc1759901f3fa0dbd30e0111fbd40
SHA1

7f6b7749faa432e03c546598bff80f909da777e2
SHA256

d89a3588929ff18e99268bd23bebdfb5bedbf9010707c5d11175e0bf03ab286e
SHA512

64e350b6fdb5c42da191921ec9d66758c04e0086bae3580dea409e7ebdcdbc2c5c24030dce2f4732cab1e96a646297eccb0faeb97ec83f377d980e7dc416ac4e
SSDEEP

1536:viC+RNoEVpAbeq8UFZ/ges4rr+gJ6GhuyKS:0uFu74rCg5kfS

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Efnbachd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fgdele32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pegekmed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cchgnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gacpej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dcfcoiak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mggedf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nikkiinl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgibjfil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Igjdkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lacgkqbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Enpaga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aonfeqoe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hncpklnd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdajqn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enpaga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogikad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qoimja32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnjmdnfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqkiij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pldjmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aihcmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iamkbfcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbcpbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aicjbiok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdflbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgibjfil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amflcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdcnpplf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mbofgohb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmgbgpnd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kodahgao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpphka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Docank32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kobechda.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpldao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfajogpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gjjgipbk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jadacemb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jkapgjpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kandiceg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Okbjlcee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhnjpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgacbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjjgipbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jplkjapg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oekoeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmkbhf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afenfnpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ihpnoaqo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iooofjdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkioof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdflbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aobopp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nefejiok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bekdnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dnbefcil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfgnop32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egdleg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpdclgbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnpejc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nefejiok.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oapcdjcm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjpbeefk.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
688	Oeqojnkl.exe
2312	Onicccam.exe
4148	Ofpldabo.exe
2740	Omjdak32.exe
3784	Obglib32.exe
4184	Oiqdflop.exe
2224	Ponmnc32.exe
2024	Pegekmed.exe
728	Plangg32.exe
2336	Pejbqmca.exe
2316	Pldjmg32.exe
3044	Pbnbja32.exe
3312	Pbpooq32.exe
2928	Pildaj32.exe
4892	Qoimja32.exe
800	Qioagj32.exe
4716	Qolipa32.exe
2252	Qeealk32.exe
2504	Alpjiepa.exe
3516	Aonfeqoe.exe
2728	Afenfnpg.exe
988	Aicjbiok.exe
180	Apmboc32.exe
1816	Aggklnnd.exe
2512	Amachhea.exe
3856	Aobopp32.exe
64	Abnkqoci.exe
1108	Aihcmi32.exe
2020	Aoelfp32.exe
4416	Aeodbjqj.exe
4124	Amflcg32.exe
1104	Bceaan32.exe
3000	Bpibkblj.exe
1112	Bonoln32.exe
1328	Bnoojfia.exe
2604	Bekdnh32.exe
1016	Bpphka32.exe
4036	Bemqdh32.exe
3788	Cpbeaq32.exe
388	Cfomigbg.exe
4072	Cpeafpbm.exe
2724	Cfajogpd.exe
1596	Cpgnlppj.exe
392	Cgafijgg.exe
540	Cjpbeefk.exe
4508	Cchgnk32.exe
3744	Cnmkkd32.exe
2980	Ccjdck32.exe
4000	Dnphqcko.exe
2936	Dqndmojb.exe
1684	Dghmii32.exe
3720	Dnbefcil.exe
1416	Docank32.exe
2692	Dgjioi32.exe
3024	Dmgbgpnd.exe
4088	Dcajdj32.exe
3528	Dmjomoka.exe
5044	Dccgii32.exe
2092	Dnikgbbd.exe
3400	Dcfcoiak.exe
1932	Emnhho32.exe
4164	Egdleg32.exe
2408	Efgladnl.exe
1976	Eooajjdm.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Pldjmg32.exe	Pejbqmca.exe
File created	C:\Windows\SysWOW64\Klncib32.dll	Aobopp32.exe
File created	C:\Windows\SysWOW64\Fckfafoc.exe	Fmandl32.exe
File created	C:\Windows\SysWOW64\Iojpbedc.dll	Kdajqn32.exe
File created	C:\Windows\SysWOW64\Kkamaanb.dll	Gpdclgbe.exe
File created	C:\Windows\SysWOW64\Iafebg32.exe	Hpgihdbp.exe
File created	C:\Windows\SysWOW64\Lgiich32.exe	Lhfiglpd.exe
File created	C:\Windows\SysWOW64\Nqmfojep.exe	Nbjfcm32.exe
File created	C:\Windows\SysWOW64\Pkplof32.dll	Aihcmi32.exe
File opened for modification	C:\Windows\SysWOW64\Dgjioi32.exe	Docank32.exe
File created	C:\Windows\SysWOW64\Dcajdj32.exe	Dmgbgpnd.exe
File opened for modification	C:\Windows\SysWOW64\Iamkbfcj.exe	Iooofjdf.exe
File created	C:\Windows\SysWOW64\Ooifdfhb.dll	Mkpepeek.exe
File created	C:\Windows\SysWOW64\Onicccam.exe	Oeqojnkl.exe
File created	C:\Windows\SysWOW64\Jknehf32.dll	Gacpej32.exe
File created	C:\Windows\SysWOW64\Gipdgc32.dll	Gnljjm32.exe
File created	C:\Windows\SysWOW64\Bigfff32.dll	Kgdphikd.exe
File created	C:\Windows\SysWOW64\Njpopa32.dll	Oapcdjcm.exe
File opened for modification	C:\Windows\SysWOW64\Jkmflj32.exe	Jhnjpo32.exe
File opened for modification	C:\Windows\SysWOW64\Oeqojnkl.exe	Backdoor.Win32.Padodor.SK.exe
File created	C:\Windows\SysWOW64\Cadjng32.dll	Aonfeqoe.exe
File created	C:\Windows\SysWOW64\Dnegeifb.dll	Aoelfp32.exe
File created	C:\Windows\SysWOW64\Ckajma32.dll	Aeodbjqj.exe
File opened for modification	C:\Windows\SysWOW64\Dnphqcko.exe	Ccjdck32.exe
File created	C:\Windows\SysWOW64\Gpdclgbe.exe	Gmfgpkca.exe
File created	C:\Windows\SysWOW64\Gfcecpel.exe	Gpimgf32.exe
File created	C:\Windows\SysWOW64\Egbfbp32.dll	Nbjfcm32.exe
File created	C:\Windows\SysWOW64\Eodjei32.exe	Enbnma32.exe
File created	C:\Windows\SysWOW64\Aalhoq32.dll	Epfgji32.exe
File created	C:\Windows\SysWOW64\Cmfmhd32.dll	Fckfafoc.exe
File created	C:\Windows\SysWOW64\Eldjon32.dll	Igmqql32.exe
File created	C:\Windows\SysWOW64\Lnenebli.exe	Lkfbigme.exe
File opened for modification	C:\Windows\SysWOW64\Nikkiinl.exe	Ndooij32.exe
File created	C:\Windows\SysWOW64\Cchgnk32.exe	Cjpbeefk.exe
File opened for modification	C:\Windows\SysWOW64\Ffeibb32.exe	Fqhpjk32.exe
File created	C:\Windows\SysWOW64\Aagdji32.dll	Fpmmkhhm.exe
File created	C:\Windows\SysWOW64\Iopjjnnh.dll	Obglib32.exe
File created	C:\Windows\SysWOW64\Jplkjapg.exe	Jaiknd32.exe
File created	C:\Windows\SysWOW64\Mholnjhj.exe	Mbecapqm.exe
File created	C:\Windows\SysWOW64\Iaofoffi.dll	Ponmnc32.exe
File created	C:\Windows\SysWOW64\Khhjob32.dll	Pejbqmca.exe
File created	C:\Windows\SysWOW64\Pejbqmca.exe	Plangg32.exe
File opened for modification	C:\Windows\SysWOW64\Enpaga32.exe	Efiifd32.exe
File created	C:\Windows\SysWOW64\Igjdkm32.exe	Iamkbfcj.exe
File opened for modification	C:\Windows\SysWOW64\Mholnjhj.exe	Mbecapqm.exe
File created	C:\Windows\SysWOW64\Nkigedmp.exe	Nikkiinl.exe
File created	C:\Windows\SysWOW64\Oopcdf32.dll	Ofpldabo.exe
File created	C:\Windows\SysWOW64\Cfajogpd.exe	Cpeafpbm.exe
File created	C:\Windows\SysWOW64\Knobfkmp.dll	Gcmbffmq.exe
File opened for modification	C:\Windows\SysWOW64\Hncpklnd.exe	Hjcjonjp.exe
File created	C:\Windows\SysWOW64\Lgpodgag.exe	Lacgkqbp.exe
File created	C:\Windows\SysWOW64\Lmchff32.dll	Lgpodgag.exe
File opened for modification	C:\Windows\SysWOW64\Nqmfojep.exe	Nbjfcm32.exe
File created	C:\Windows\SysWOW64\Hpimlpgk.dll	Dmgbgpnd.exe
File created	C:\Windows\SysWOW64\Cnicik32.dll	Gjgkcpdm.exe
File opened for modification	C:\Windows\SysWOW64\Iaibgf32.exe	Iojfkk32.exe
File opened for modification	C:\Windows\SysWOW64\Bonoln32.exe	Bpibkblj.exe
File created	C:\Windows\SysWOW64\Icdeopdg.dll	Dgjioi32.exe
File created	C:\Windows\SysWOW64\Dcfcoiak.exe	Dnikgbbd.exe
File created	C:\Windows\SysWOW64\Afenfnpg.exe	Aonfeqoe.exe
File created	C:\Windows\SysWOW64\Ccjdck32.exe	Cnmkkd32.exe
File created	C:\Windows\SysWOW64\Dgjioi32.exe	Docank32.exe
File opened for modification	C:\Windows\SysWOW64\Fngghpfd.exe	Ffpogcfa.exe
File created	C:\Windows\SysWOW64\Mkpepeek.exe	Mdflbk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7404	7308	WerFault.exe	289

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcfcoiak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gcmbffmq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iaphhe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obglib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pegekmed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnbefcil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ffpogcfa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcdpqg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ffibmang.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Imdlhgio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jaiknd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jdjdpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnoojfia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmkbhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lqanlnmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nipedh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqkiij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Igjdkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmfimfgl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkpepeek.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhdeijdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkgkpd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpeafpbm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqmfojep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbnbja32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoelfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpjgko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lanmpa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jdcnpplf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oabpjiaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Emnhho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enbnma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mknhjfgm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjomoka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iaibgf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkfbigme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbecapqm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bceaan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bekdnh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdflbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhfbni32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbjfcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofpldabo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjdck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ihegjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lnenebli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpphka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hpgihdbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oekoeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oiigkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pildaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeodbjqj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Docank32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dccgii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gjjgipbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ihpnoaqo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jkmflj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onicccam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcajdj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfomigbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lnpejc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lqcjankm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnikgbbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eghepgcl.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aoelfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bceaan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Imdlhgio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oniobdjc.dll"	Khhmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpkpig32.dll"	Kgmjgjal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnoojfia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gpdclgbe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cpgnlppj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjoinf32.dll"	Jmfimfgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpldao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mbjmlp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cchgnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dopqhejm.dll"	Jkmflj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdajqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbcpbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apcbhq32.dll"	Bpibkblj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gmjqkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpldao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkigedmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oapcdjcm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgjioi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elecphbo.dll"	Egdleg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fngghpfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fmoaolii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lnnhec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geebddaf.dll"	Nknaqc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Plangg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bpphka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omgdoi32.dll"	Iaibgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pplehglo.dll"	Oeqojnkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dnphqcko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgpodgag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ffibmang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ffibmang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gfqhnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lacgkqbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pejbqmca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dnikgbbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odaeqq32.dll"	Hpgihdbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpqgod32.dll"	Iamkbfcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jdqajq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jdcnpplf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapmjg32.dll"	Bekdnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oofajpik.dll"	Bemqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njpopa32.dll"	Oapcdjcm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pbnbja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Abnkqoci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ihpnoaqo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mknhjfgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeehkbog.dll"	Mggedf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqmfojep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Okbjlcee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bekdnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Docank32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jmfimfgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpjgko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkpepeek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pegekmed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ffpogcfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmchff32.dll"	Lgpodgag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nefejiok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdfehlb.dll"	Aggklnnd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Efgladnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Igmqql32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 688	2488	Backdoor.Win32.Padodor.SK.exe	89
PID 2488 wrote to memory of 688	2488	Backdoor.Win32.Padodor.SK.exe	89
PID 2488 wrote to memory of 688	2488	Backdoor.Win32.Padodor.SK.exe	89
PID 688 wrote to memory of 2312	688	Oeqojnkl.exe	90
PID 688 wrote to memory of 2312	688	Oeqojnkl.exe	90
PID 688 wrote to memory of 2312	688	Oeqojnkl.exe	90
PID 2312 wrote to memory of 4148	2312	Onicccam.exe	91
PID 2312 wrote to memory of 4148	2312	Onicccam.exe	91
PID 2312 wrote to memory of 4148	2312	Onicccam.exe	91
PID 4148 wrote to memory of 2740	4148	Ofpldabo.exe	92
PID 4148 wrote to memory of 2740	4148	Ofpldabo.exe	92
PID 4148 wrote to memory of 2740	4148	Ofpldabo.exe	92
PID 2740 wrote to memory of 3784	2740	Omjdak32.exe	93
PID 2740 wrote to memory of 3784	2740	Omjdak32.exe	93
PID 2740 wrote to memory of 3784	2740	Omjdak32.exe	93
PID 3784 wrote to memory of 4184	3784	Obglib32.exe	94
PID 3784 wrote to memory of 4184	3784	Obglib32.exe	94
PID 3784 wrote to memory of 4184	3784	Obglib32.exe	94
PID 4184 wrote to memory of 2224	4184	Oiqdflop.exe	95
PID 4184 wrote to memory of 2224	4184	Oiqdflop.exe	95
PID 4184 wrote to memory of 2224	4184	Oiqdflop.exe	95
PID 2224 wrote to memory of 2024	2224	Ponmnc32.exe	96
PID 2224 wrote to memory of 2024	2224	Ponmnc32.exe	96
PID 2224 wrote to memory of 2024	2224	Ponmnc32.exe	96
PID 2024 wrote to memory of 728	2024	Pegekmed.exe	97
PID 2024 wrote to memory of 728	2024	Pegekmed.exe	97
PID 2024 wrote to memory of 728	2024	Pegekmed.exe	97
PID 728 wrote to memory of 2336	728	Plangg32.exe	98
PID 728 wrote to memory of 2336	728	Plangg32.exe	98
PID 728 wrote to memory of 2336	728	Plangg32.exe	98
PID 2336 wrote to memory of 2316	2336	Pejbqmca.exe	99
PID 2336 wrote to memory of 2316	2336	Pejbqmca.exe	99
PID 2336 wrote to memory of 2316	2336	Pejbqmca.exe	99
PID 2316 wrote to memory of 3044	2316	Pldjmg32.exe	100
PID 2316 wrote to memory of 3044	2316	Pldjmg32.exe	100
PID 2316 wrote to memory of 3044	2316	Pldjmg32.exe	100
PID 3044 wrote to memory of 3312	3044	Pbnbja32.exe	101
PID 3044 wrote to memory of 3312	3044	Pbnbja32.exe	101
PID 3044 wrote to memory of 3312	3044	Pbnbja32.exe	101
PID 3312 wrote to memory of 2928	3312	Pbpooq32.exe	102
PID 3312 wrote to memory of 2928	3312	Pbpooq32.exe	102
PID 3312 wrote to memory of 2928	3312	Pbpooq32.exe	102
PID 2928 wrote to memory of 4892	2928	Pildaj32.exe	103
PID 2928 wrote to memory of 4892	2928	Pildaj32.exe	103
PID 2928 wrote to memory of 4892	2928	Pildaj32.exe	103
PID 4892 wrote to memory of 800	4892	Qoimja32.exe	104
PID 4892 wrote to memory of 800	4892	Qoimja32.exe	104
PID 4892 wrote to memory of 800	4892	Qoimja32.exe	104
PID 800 wrote to memory of 4716	800	Qioagj32.exe	105
PID 800 wrote to memory of 4716	800	Qioagj32.exe	105
PID 800 wrote to memory of 4716	800	Qioagj32.exe	105
PID 4716 wrote to memory of 2252	4716	Qolipa32.exe	106
PID 4716 wrote to memory of 2252	4716	Qolipa32.exe	106
PID 4716 wrote to memory of 2252	4716	Qolipa32.exe	106
PID 2252 wrote to memory of 2504	2252	Qeealk32.exe	107
PID 2252 wrote to memory of 2504	2252	Qeealk32.exe	107
PID 2252 wrote to memory of 2504	2252	Qeealk32.exe	107
PID 2504 wrote to memory of 3516	2504	Alpjiepa.exe	108
PID 2504 wrote to memory of 3516	2504	Alpjiepa.exe	108
PID 2504 wrote to memory of 3516	2504	Alpjiepa.exe	108
PID 3516 wrote to memory of 2728	3516	Aonfeqoe.exe	109
PID 3516 wrote to memory of 2728	3516	Aonfeqoe.exe	109
PID 3516 wrote to memory of 2728	3516	Aonfeqoe.exe	109
PID 2728 wrote to memory of 988	2728	Afenfnpg.exe	110

C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe
"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Windows\SysWOW64\Oeqojnkl.exe
  C:\Windows\system32\Oeqojnkl.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:688
- - C:\Windows\SysWOW64\Onicccam.exe
    C:\Windows\system32\Onicccam.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2312
  - - C:\Windows\SysWOW64\Ofpldabo.exe
      C:\Windows\system32\Ofpldabo.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4148
    - - C:\Windows\SysWOW64\Omjdak32.exe
        
        C:\Windows\system32\Omjdak32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2740
      - C:\Windows\SysWOW64\Obglib32.exe
        
        C:\Windows\system32\Obglib32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3784
        
        C:\Windows\SysWOW64\Oiqdflop.exe
        
        C:\Windows\system32\Oiqdflop.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4184
        
        C:\Windows\SysWOW64\Ponmnc32.exe
        
        C:\Windows\system32\Ponmnc32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\Pegekmed.exe
        
        C:\Windows\system32\Pegekmed.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\SysWOW64\Plangg32.exe
        
        C:\Windows\system32\Plangg32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:728
        
        C:\Windows\SysWOW64\Pejbqmca.exe
        
        C:\Windows\system32\Pejbqmca.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\SysWOW64\Pldjmg32.exe
        
        C:\Windows\system32\Pldjmg32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\Pbnbja32.exe
        
        C:\Windows\system32\Pbnbja32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\SysWOW64\Pbpooq32.exe
        
        C:\Windows\system32\Pbpooq32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3312
        
        C:\Windows\SysWOW64\Pildaj32.exe
        
        C:\Windows\system32\Pildaj32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\SysWOW64\Qoimja32.exe
        
        C:\Windows\system32\Qoimja32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Windows\SysWOW64\Qioagj32.exe
        
        C:\Windows\system32\Qioagj32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:800
        
        C:\Windows\SysWOW64\Qolipa32.exe
        
        C:\Windows\system32\Qolipa32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Windows\SysWOW64\Qeealk32.exe
        
        C:\Windows\system32\Qeealk32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Windows\SysWOW64\Alpjiepa.exe
        
        C:\Windows\system32\Alpjiepa.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\SysWOW64\Aonfeqoe.exe
        
        C:\Windows\system32\Aonfeqoe.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3516
        
        C:\Windows\SysWOW64\Afenfnpg.exe
        
        C:\Windows\system32\Afenfnpg.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\Aicjbiok.exe
        
        C:\Windows\system32\Aicjbiok.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:988
        
        C:\Windows\SysWOW64\Apmboc32.exe
        
        C:\Windows\system32\Apmboc32.exe
        24⤵
        Executes dropped EXE
        
        PID:180
        
        C:\Windows\SysWOW64\Aggklnnd.exe
        
        C:\Windows\system32\Aggklnnd.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1816
        
        C:\Windows\SysWOW64\Amachhea.exe
        
        C:\Windows\system32\Amachhea.exe
        26⤵
        Executes dropped EXE
        
        PID:2512
        
        C:\Windows\SysWOW64\Aobopp32.exe
        
        C:\Windows\system32\Aobopp32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3856
        
        C:\Windows\SysWOW64\Abnkqoci.exe
        
        C:\Windows\system32\Abnkqoci.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:64
        
        C:\Windows\SysWOW64\Aihcmi32.exe
        
        C:\Windows\system32\Aihcmi32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1108
        
        C:\Windows\SysWOW64\Aoelfp32.exe
        
        C:\Windows\system32\Aoelfp32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\Aeodbjqj.exe
        
        C:\Windows\system32\Aeodbjqj.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4416
        
        C:\Windows\SysWOW64\Amflcg32.exe
        
        C:\Windows\system32\Amflcg32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4124
        
        C:\Windows\SysWOW64\Bceaan32.exe
        
        C:\Windows\system32\Bceaan32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1104
        
        C:\Windows\SysWOW64\Bpibkblj.exe
        
        C:\Windows\system32\Bpibkblj.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Bonoln32.exe
        
        C:\Windows\system32\Bonoln32.exe
        35⤵
        Executes dropped EXE
        
        PID:1112
        
        C:\Windows\SysWOW64\Bnoojfia.exe
        
        C:\Windows\system32\Bnoojfia.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1328
        
        C:\Windows\SysWOW64\Bekdnh32.exe
        
        C:\Windows\system32\Bekdnh32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2604
        
        C:\Windows\SysWOW64\Bpphka32.exe
        
        C:\Windows\system32\Bpphka32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1016
        
        C:\Windows\SysWOW64\Bemqdh32.exe
        
        C:\Windows\system32\Bemqdh32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4036
        
        C:\Windows\SysWOW64\Cpbeaq32.exe
        
        C:\Windows\system32\Cpbeaq32.exe
        40⤵
        Executes dropped EXE
        
        PID:3788
        
        C:\Windows\SysWOW64\Cfomigbg.exe
        
        C:\Windows\system32\Cfomigbg.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:388
        
        C:\Windows\SysWOW64\Cpeafpbm.exe
        
        C:\Windows\system32\Cpeafpbm.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4072
        
        C:\Windows\SysWOW64\Cfajogpd.exe
        
        C:\Windows\system32\Cfajogpd.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2724
        
        C:\Windows\SysWOW64\Cpgnlppj.exe
        
        C:\Windows\system32\Cpgnlppj.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Cgafijgg.exe
        
        C:\Windows\system32\Cgafijgg.exe
        45⤵
        Executes dropped EXE
        
        PID:392
        
        C:\Windows\SysWOW64\Cjpbeefk.exe
        
        C:\Windows\system32\Cjpbeefk.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:540
        
        C:\Windows\SysWOW64\Cchgnk32.exe
        
        C:\Windows\system32\Cchgnk32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Cnmkkd32.exe
        
        C:\Windows\system32\Cnmkkd32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3744
        
        C:\Windows\SysWOW64\Ccjdck32.exe
        
        C:\Windows\system32\Ccjdck32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2980
        
        C:\Windows\SysWOW64\Dnphqcko.exe
        
        C:\Windows\system32\Dnphqcko.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4000
        
        C:\Windows\SysWOW64\Dqndmojb.exe
        
        C:\Windows\system32\Dqndmojb.exe
        51⤵
        Executes dropped EXE
        
        PID:2936
        
        C:\Windows\SysWOW64\Dghmii32.exe
        
        C:\Windows\system32\Dghmii32.exe
        52⤵
        Executes dropped EXE
        
        PID:1684
        
        C:\Windows\SysWOW64\Dnbefcil.exe
        
        C:\Windows\system32\Dnbefcil.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3720
        
        C:\Windows\SysWOW64\Docank32.exe
        
        C:\Windows\system32\Docank32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1416
        
        C:\Windows\SysWOW64\Dgjioi32.exe
        
        C:\Windows\system32\Dgjioi32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2692
        
        C:\Windows\SysWOW64\Dmgbgpnd.exe
        
        C:\Windows\system32\Dmgbgpnd.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3024
        
        C:\Windows\SysWOW64\Dcajdj32.exe
        
        C:\Windows\system32\Dcajdj32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4088
        
        C:\Windows\SysWOW64\Dmjomoka.exe
        
        C:\Windows\system32\Dmjomoka.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3528
        
        C:\Windows\SysWOW64\Dccgii32.exe
        
        C:\Windows\system32\Dccgii32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5044
        
        C:\Windows\SysWOW64\Dnikgbbd.exe
        
        C:\Windows\system32\Dnikgbbd.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\Dcfcoiak.exe
        
        C:\Windows\system32\Dcfcoiak.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3400
        
        C:\Windows\SysWOW64\Emnhho32.exe
        
        C:\Windows\system32\Emnhho32.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Windows\SysWOW64\Egdleg32.exe
        
        C:\Windows\system32\Egdleg32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4164
        
        C:\Windows\SysWOW64\Efgladnl.exe
        
        C:\Windows\system32\Efgladnl.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2408
        
        C:\Windows\SysWOW64\Eooajjdm.exe
        
        C:\Windows\system32\Eooajjdm.exe
        65⤵
        Executes dropped EXE
        
        PID:1976
        
        C:\Windows\SysWOW64\Efiifd32.exe
        
        C:\Windows\system32\Efiifd32.exe
        66⤵
        Drops file in System32 directory
        
        PID:1208
        
        C:\Windows\SysWOW64\Enpaga32.exe
        
        C:\Windows\system32\Enpaga32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4660
        
        C:\Windows\SysWOW64\Eghepgcl.exe
        
        C:\Windows\system32\Eghepgcl.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:2832
        
        C:\Windows\SysWOW64\Enbnma32.exe
        
        C:\Windows\system32\Enbnma32.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Windows\SysWOW64\Eodjei32.exe
        
        C:\Windows\system32\Eodjei32.exe
        70⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\Efnbachd.exe
        
        C:\Windows\system32\Efnbachd.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2268
        
        C:\Windows\SysWOW64\Epfgji32.exe
        
        C:\Windows\system32\Epfgji32.exe
        72⤵
        Drops file in System32 directory
        
        PID:4852
        
        C:\Windows\SysWOW64\Ffpogcfa.exe
        
        C:\Windows\system32\Ffpogcfa.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Fngghpfd.exe
        
        C:\Windows\system32\Fngghpfd.exe
        74⤵
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\Fcdpqg32.exe
        
        C:\Windows\system32\Fcdpqg32.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:5052
        
        C:\Windows\SysWOW64\Fjnhmalh.exe
        
        C:\Windows\system32\Fjnhmalh.exe
        76⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\Fqhpjk32.exe
        
        C:\Windows\system32\Fqhpjk32.exe
        77⤵
        Drops file in System32 directory
        
        PID:3076
        
        C:\Windows\SysWOW64\Ffeibb32.exe
        
        C:\Windows\system32\Ffeibb32.exe
        78⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\Fmoaolii.exe
        
        C:\Windows\system32\Fmoaolii.exe
        79⤵
        Modifies registry class
        
        PID:3380
        
        C:\Windows\SysWOW64\Fpmmkhhm.exe
        
        C:\Windows\system32\Fpmmkhhm.exe
        80⤵
        Drops file in System32 directory
        
        PID:2704
        
        C:\Windows\SysWOW64\Fgdele32.exe
        
        C:\Windows\system32\Fgdele32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5164
        
        C:\Windows\SysWOW64\Fmandl32.exe
        
        C:\Windows\system32\Fmandl32.exe
        82⤵
        Drops file in System32 directory
        
        PID:5224
        
        C:\Windows\SysWOW64\Fckfafoc.exe
        
        C:\Windows\system32\Fckfafoc.exe
        83⤵
        Drops file in System32 directory
        
        PID:5280
        
        C:\Windows\SysWOW64\Ffibmang.exe
        
        C:\Windows\system32\Ffibmang.exe
        84⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Faofjjnm.exe
        
        C:\Windows\system32\Faofjjnm.exe
        85⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\Gcmbffmq.exe
        
        C:\Windows\system32\Gcmbffmq.exe
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5492
        
        C:\Windows\SysWOW64\Gjgkcpdm.exe
        
        C:\Windows\system32\Gjgkcpdm.exe
        87⤵
        Drops file in System32 directory
        
        PID:5552
        
        C:\Windows\SysWOW64\Gmfgpkca.exe
        
        C:\Windows\system32\Gmfgpkca.exe
        88⤵
        Drops file in System32 directory
        
        PID:5608
        
        C:\Windows\SysWOW64\Gpdclgbe.exe
        
        C:\Windows\system32\Gpdclgbe.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5652
        
        C:\Windows\SysWOW64\Gjjgipbk.exe
        
        C:\Windows\system32\Gjjgipbk.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5700
        
        C:\Windows\SysWOW64\Gmhcekao.exe
        
        C:\Windows\system32\Gmhcekao.exe
        91⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\Gacpej32.exe
        
        C:\Windows\system32\Gacpej32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5792
        
        C:\Windows\SysWOW64\Gcblae32.exe
        
        C:\Windows\system32\Gcblae32.exe
        93⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\Gfqhnq32.exe
        
        C:\Windows\system32\Gfqhnq32.exe
        94⤵
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Gmjqkk32.exe
        
        C:\Windows\system32\Gmjqkk32.exe
        95⤵
        Modifies registry class
        
        PID:5940
        
        C:\Windows\SysWOW64\Gpimgf32.exe
        
        C:\Windows\system32\Gpimgf32.exe
        96⤵
        Drops file in System32 directory
        
        PID:5976
        
        C:\Windows\SysWOW64\Gfcecpel.exe
        
        C:\Windows\system32\Gfcecpel.exe
        97⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\Gnjmdnfo.exe
        
        C:\Windows\system32\Gnjmdnfo.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6072
        
        C:\Windows\SysWOW64\Gnljjm32.exe
        
        C:\Windows\system32\Gnljjm32.exe
        99⤵
        Drops file in System32 directory
        
        PID:6116
        
        C:\Windows\SysWOW64\Hfgnop32.exe
        
        C:\Windows\system32\Hfgnop32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5144
        
        C:\Windows\SysWOW64\Hjcjonjp.exe
        
        C:\Windows\system32\Hjcjonjp.exe
        101⤵
        Drops file in System32 directory
        
        PID:5248
        
        C:\Windows\SysWOW64\Hncpklnd.exe
        
        C:\Windows\system32\Hncpklnd.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5296
        
        C:\Windows\SysWOW64\Hfodooko.exe
        
        C:\Windows\system32\Hfodooko.exe
        103⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\Hpgihdbp.exe
        
        C:\Windows\system32\Hpgihdbp.exe
        104⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Iafebg32.exe
        
        C:\Windows\system32\Iafebg32.exe
        105⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Ihpnoaqo.exe
        
        C:\Windows\system32\Ihpnoaqo.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Iojfkk32.exe
        
        C:\Windows\system32\Iojfkk32.exe
        107⤵
        Drops file in System32 directory
        
        PID:5784
        
        C:\Windows\SysWOW64\Iaibgf32.exe
        
        C:\Windows\system32\Iaibgf32.exe
        108⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5868
        
        C:\Windows\SysWOW64\Ihbjdq32.exe
        
        C:\Windows\system32\Ihbjdq32.exe
        109⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Impcmg32.exe
        
        C:\Windows\system32\Impcmg32.exe
        110⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\Ihegjp32.exe
        
        C:\Windows\system32\Ihegjp32.exe
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:6084
        
        C:\Windows\SysWOW64\Iooofjdf.exe
        
        C:\Windows\system32\Iooofjdf.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5152
        
        C:\Windows\SysWOW64\Iamkbfcj.exe
        
        C:\Windows\system32\Iamkbfcj.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Igjdkm32.exe
        
        C:\Windows\system32\Igjdkm32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5460
        
        C:\Windows\SysWOW64\Imdlhgio.exe
        
        C:\Windows\system32\Imdlhgio.exe
        115⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Iaphhe32.exe
        
        C:\Windows\system32\Iaphhe32.exe
        116⤵
        System Location Discovery: System Language Discovery
        
        PID:5708
        
        C:\Windows\SysWOW64\Igmqql32.exe
        
        C:\Windows\system32\Igmqql32.exe
        117⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\Jmfimfgl.exe
        
        C:\Windows\system32\Jmfimfgl.exe
        118⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5964
        
        C:\Windows\SysWOW64\Jdqajq32.exe
        
        C:\Windows\system32\Jdqajq32.exe
        119⤵
        Modifies registry class
        
        PID:6080
        
        C:\Windows\SysWOW64\Jkjifk32.exe
        
        C:\Windows\system32\Jkjifk32.exe
        120⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Jadacemb.exe
        
        C:\Windows\system32\Jadacemb.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5464
        
        C:\Windows\SysWOW64\Jdcnpplf.exe
        
        C:\Windows\system32\Jdcnpplf.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Jhnjpo32.exe
        
        C:\Windows\system32\Jhnjpo32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5872
        
        C:\Windows\SysWOW64\Jkmflj32.exe
        
        C:\Windows\system32\Jkmflj32.exe
        124⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Jmkbhf32.exe
        
        C:\Windows\system32\Jmkbhf32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5316
        
        C:\Windows\SysWOW64\Jkocajap.exe
        
        C:\Windows\system32\Jkocajap.exe
        126⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\Jaiknd32.exe
        
        C:\Windows\system32\Jaiknd32.exe
        127⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6048
        
        C:\Windows\SysWOW64\Jplkjapg.exe
        
        C:\Windows\system32\Jplkjapg.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5428
        
        C:\Windows\SysWOW64\Jkapgjpm.exe
        
        C:\Windows\system32\Jkapgjpm.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5272
        
        C:\Windows\SysWOW64\Jmplceoa.exe
        
        C:\Windows\system32\Jmplceoa.exe
        130⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\Jdjdpo32.exe
        
        C:\Windows\system32\Jdjdpo32.exe
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:5216
        
        C:\Windows\SysWOW64\Jghplk32.exe
        
        C:\Windows\system32\Jghplk32.exe
        132⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\Kandiceg.exe
        
        C:\Windows\system32\Kandiceg.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6160
        
        C:\Windows\SysWOW64\Khhmfn32.exe
        
        C:\Windows\system32\Khhmfn32.exe
        134⤵
        Modifies registry class
        
        PID:6204
        
        C:\Windows\SysWOW64\Kobechda.exe
        
        C:\Windows\system32\Kobechda.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6244
        
        C:\Windows\SysWOW64\Kpcakp32.exe
        
        C:\Windows\system32\Kpcakp32.exe
        136⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\Kgmjgjal.exe
        
        C:\Windows\system32\Kgmjgjal.exe
        137⤵
        Modifies registry class
        
        PID:6332
        
        C:\Windows\SysWOW64\Kodahgao.exe
        
        C:\Windows\system32\Kodahgao.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6376
        
        C:\Windows\SysWOW64\Kabndc32.exe
        
        C:\Windows\system32\Kabndc32.exe
        139⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\Kdajqn32.exe
        
        C:\Windows\system32\Kdajqn32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6464
        
        C:\Windows\SysWOW64\Kgofmj32.exe
        
        C:\Windows\system32\Kgofmj32.exe
        141⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\Kofnng32.exe
        
        C:\Windows\system32\Kofnng32.exe
        142⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\Kgacbi32.exe
        
        C:\Windows\system32\Kgacbi32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6632
        
        C:\Windows\SysWOW64\Knlkocdd.exe
        
        C:\Windows\system32\Knlkocdd.exe
        144⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\Kpjgko32.exe
        
        C:\Windows\system32\Kpjgko32.exe
        145⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6720
        
        C:\Windows\SysWOW64\Kgdphikd.exe
        
        C:\Windows\system32\Kgdphikd.exe
        146⤵
        Drops file in System32 directory
        
        PID:6764
        
        C:\Windows\SysWOW64\Lnnhec32.exe
        
        C:\Windows\system32\Lnnhec32.exe
        147⤵
        Modifies registry class
        
        PID:6808
        
        C:\Windows\SysWOW64\Lpldao32.exe
        
        C:\Windows\system32\Lpldao32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6852
        
        C:\Windows\SysWOW64\Lkbhng32.exe
        
        C:\Windows\system32\Lkbhng32.exe
        149⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\Lnpejc32.exe
        
        C:\Windows\system32\Lnpejc32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6940
        
        C:\Windows\SysWOW64\Lhfiglpd.exe
        
        C:\Windows\system32\Lhfiglpd.exe
        151⤵
        Drops file in System32 directory
        
        PID:6984
        
        C:\Windows\SysWOW64\Lgiich32.exe
        
        C:\Windows\system32\Lgiich32.exe
        152⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\Lanmpa32.exe
        
        C:\Windows\system32\Lanmpa32.exe
        153⤵
        System Location Discovery: System Language Discovery
        
        PID:7076
        
        C:\Windows\SysWOW64\Lqanlnmp.exe
        
        C:\Windows\system32\Lqanlnmp.exe
        154⤵
        System Location Discovery: System Language Discovery
        
        PID:7120
        
        C:\Windows\SysWOW64\Lkfbigme.exe
        
        C:\Windows\system32\Lkfbigme.exe
        155⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6068
        
        C:\Windows\SysWOW64\Lnenebli.exe
        
        C:\Windows\system32\Lnenebli.exe
        156⤵
        System Location Discovery: System Language Discovery
        
        PID:6212
        
        C:\Windows\SysWOW64\Lqcjankm.exe
        
        C:\Windows\system32\Lqcjankm.exe
        157⤵
        System Location Discovery: System Language Discovery
        
        PID:6280
        
        C:\Windows\SysWOW64\Lkioof32.exe
        
        C:\Windows\system32\Lkioof32.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6352
        
        C:\Windows\SysWOW64\Lacgkqbp.exe
        
        C:\Windows\system32\Lacgkqbp.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6416
        
        C:\Windows\SysWOW64\Lgpodgag.exe
        
        C:\Windows\system32\Lgpodgag.exe
        160⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6524
        
        C:\Windows\SysWOW64\Moggeeai.exe
        
        C:\Windows\system32\Moggeeai.exe
        161⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\Mbecapqm.exe
        
        C:\Windows\system32\Mbecapqm.exe
        162⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6660
        
        C:\Windows\SysWOW64\Mholnjhj.exe
        
        C:\Windows\system32\Mholnjhj.exe
        163⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\Mknhjfgm.exe
        
        C:\Windows\system32\Mknhjfgm.exe
        164⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6788
        
        C:\Windows\SysWOW64\Mbgpfp32.exe
        
        C:\Windows\system32\Mbgpfp32.exe
        165⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\Mdflbk32.exe
        
        C:\Windows\system32\Mdflbk32.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6924
        
        C:\Windows\SysWOW64\Mkpepeek.exe
        
        C:\Windows\system32\Mkpepeek.exe
        167⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6980
        
        C:\Windows\SysWOW64\Mbjmlp32.exe
        
        C:\Windows\system32\Mbjmlp32.exe
        168⤵
        Modifies registry class
        
        PID:7052
        
        C:\Windows\SysWOW64\Mhdeijdd.exe
        
        C:\Windows\system32\Mhdeijdd.exe
        169⤵
        System Location Discovery: System Language Discovery
        
        PID:7116
        
        C:\Windows\SysWOW64\Mggedf32.exe
        
        C:\Windows\system32\Mggedf32.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6192
        
        C:\Windows\SysWOW64\Mbljaoje.exe
        
        C:\Windows\system32\Mbljaoje.exe
        171⤵
        
        PID:6296
        
        C:\Windows\SysWOW64\Mhfbni32.exe
        
        C:\Windows\system32\Mhfbni32.exe
        172⤵
        System Location Discovery: System Language Discovery
        
        PID:6396
        
        C:\Windows\SysWOW64\Mgibjfil.exe
        
        C:\Windows\system32\Mgibjfil.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6512
        
        C:\Windows\SysWOW64\Mbofgohb.exe
        
        C:\Windows\system32\Mbofgohb.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6640
        
        C:\Windows\SysWOW64\Mhiodi32.exe
        
        C:\Windows\system32\Mhiodi32.exe
        175⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\Nkgkpd32.exe
        
        C:\Windows\system32\Nkgkpd32.exe
        176⤵
        System Location Discovery: System Language Discovery
        
        PID:6828
        
        C:\Windows\SysWOW64\Nbacmo32.exe
        
        C:\Windows\system32\Nbacmo32.exe
        177⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\Ndooij32.exe
        
        C:\Windows\system32\Ndooij32.exe
        178⤵
        Drops file in System32 directory
        
        PID:7088
        
        C:\Windows\SysWOW64\Nikkiinl.exe
        
        C:\Windows\system32\Nikkiinl.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7160
        
        C:\Windows\SysWOW64\Nkigedmp.exe
        
        C:\Windows\system32\Nkigedmp.exe
        180⤵
        Modifies registry class
        
        PID:6372
        
        C:\Windows\SysWOW64\Nbcpbn32.exe
        
        C:\Windows\system32\Nbcpbn32.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6568
        
        C:\Windows\SysWOW64\Nqfpnkkg.exe
        
        C:\Windows\system32\Nqfpnkkg.exe
        182⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\Nqhmck32.exe
        
        C:\Windows\system32\Nqhmck32.exe
        183⤵
        
        PID:6908
        
        C:\Windows\SysWOW64\Nipedh32.exe
        
        C:\Windows\system32\Nipedh32.exe
        184⤵
        System Location Discovery: System Language Discovery
        
        PID:7068
        
        C:\Windows\SysWOW64\Nknaqc32.exe
        
        C:\Windows\system32\Nknaqc32.exe
        185⤵
        Modifies registry class
        
        PID:6316
        
        C:\Windows\SysWOW64\Nqkiij32.exe
        
        C:\Windows\system32\Nqkiij32.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6516
        
        C:\Windows\SysWOW64\Nefejiok.exe
        
        C:\Windows\system32\Nefejiok.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6840
        
        C:\Windows\SysWOW64\Nbjfcm32.exe
        
        C:\Windows\system32\Nbjfcm32.exe
        188⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7164
        
        C:\Windows\SysWOW64\Nqmfojep.exe
        
        C:\Windows\system32\Nqmfojep.exe
        189⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6576
        
        C:\Windows\SysWOW64\Okbjlcee.exe
        
        C:\Windows\system32\Okbjlcee.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7040
        
        C:\Windows\SysWOW64\Oapcdjcm.exe
        
        C:\Windows\system32\Oapcdjcm.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7036
        
        C:\Windows\SysWOW64\Oekoeh32.exe
        
        C:\Windows\system32\Oekoeh32.exe
        192⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6668
        
        C:\Windows\SysWOW64\Ogikad32.exe
        
        C:\Windows\system32\Ogikad32.exe
        193⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7176
        
        C:\Windows\SysWOW64\Oabpjiaj.exe
        
        C:\Windows\system32\Oabpjiaj.exe
        194⤵
        System Location Discovery: System Language Discovery
        
        PID:7220
        
        C:\Windows\SysWOW64\Oiigkg32.exe
        
        C:\Windows\system32\Oiigkg32.exe
        195⤵
        System Location Discovery: System Language Discovery
        
        PID:7256
        
        C:\Windows\SysWOW64\Opcpgaii.exe
        
        C:\Windows\system32\Opcpgaii.exe
        196⤵
        
        PID:7308
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7308 -s 412
        197⤵
        Program crash
        
        PID:7404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3988,i,5469445176230119590,7931734017267321834,262144 --variations-seed-version --mojo-platform-channel-handle=4296 /prefetch:8
1⤵
PID:5256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 7308 -ip 7308
1⤵
PID:7380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abnkqoci.exe

Filesize
72KB

MD5
4f21a16cfb2e63480fbd5f2c3cfa337f

SHA1
7f20edbcda46def99bef6da72943fe2c3ef4f263

SHA256
dc69d58a4edf129285a086d7e1b61ed21660f91f5f59fab7491b11e49ea9c1ce

SHA512
578e8df5f0cb6714e00a12e85e61e5f6913e4b5b2ff2040225e3da590ce4402a5611f49252ac0fb90ced6362123386ce4f6592ad821d37cbf2683c888b433fdc

Download Submit
C:\Windows\SysWOW64\Aeodbjqj.exe

Filesize
72KB

MD5
ce86c0d507bc7fbee19dff7f71847c70

SHA1
8589f387a5b384b9bf4c728eea7d6e4b8fcb5c38

SHA256
8132e572a5be466f7acc5ccd0213d52cdaf10de4721e8062c7cc34a203a00638

SHA512
cd1d1ee9af1a1aaa1dfee1d5e688cb64ae7011dde9857edba019e5bd2d0e567ec94036aa1e96681ddbe62714099be84362006e5bd80c36be976522f88b65bc9e

Download Submit
C:\Windows\SysWOW64\Afenfnpg.exe

Filesize
72KB

MD5
8a38f77175510a6b3720bc1e396ecfbd

SHA1
5f7efe17f6eb3fd6765556f3c96f406a42ba4903

SHA256
dc933f7352ef4ef52eb27fbfd2dd2d4ba88006d4f6b839d5f2623de620f792b4

SHA512
1d972f45f93d88c3537c0272f28ac875c29b5060189bc4068f32fec223b9a3481edbd5f393755cdfcc5259d6c5ce111194264ae5e9bf3c64f86df84fdd11513e

Download Submit
C:\Windows\SysWOW64\Aggklnnd.exe

Filesize
72KB

MD5
ea2327b14ac268c75ed3d1933cd948a5

SHA1
d7c2cac3350e1db8d8081a1ea14b7afba0a30870

SHA256
d451a0af8b9621a0bd399a02b84c68fff899811d2cde2198650351db601c03f7

SHA512
99844936ae47df3846d803ae1396441157004b757d430602508ae0c234a52b8d35ae7c807f0acd33fcbc998648e5dc1b80fb93515fdfdf453b164859c0d1bdd2

Download Submit
C:\Windows\SysWOW64\Aicjbiok.exe

Filesize
72KB

MD5
85c1a84b8d1ad07de699f4f8ddaeddc2

SHA1
7f322b3449d8c24de002d9651334760ea8017c9c

SHA256
0ead90bb08ebdf601d7151f5bef613bd5c4bc1213ed90b331723018774d9d691

SHA512
095fca75087d8c83cf110918677b3f5fe966d15e96df650b6cc792ea7b7856fbe660083479dd42825390eb5a03977190fa23304b188da8bdb5c70c3099d95904

Download Submit
C:\Windows\SysWOW64\Aihcmi32.exe

Filesize
72KB

MD5
4a467b9ab3f4731c06f2887a47738f9f

SHA1
51987eac9a4ad8bfec5d6b84c9c3dff18dc757e7

SHA256
bc631e22819519ac0a1f4f2ea65db844c9900de0ede14e25607fa6b057794f99

SHA512
6aed6bb68a4fab27dbaff399fbafd2d80f2269fb29b08991b5e9c88042239f43b6fbf1925dd46bf197064c0b47509860a579d8e9f1a335055aa0ed370b13fdb2

Download Submit
C:\Windows\SysWOW64\Alpjiepa.exe

Filesize
72KB

MD5
20fe2dfdfa7a4aae905a3f279be7737b

SHA1
27d8e6014f400503b67fa5a549eaa7b136edabb1

SHA256
6d65413d9e632a777dde3c192e247f44c7903277ca6e6dc987d2f5f67725afce

SHA512
33f6796ae21c1fbd1870f2a07092ac1a79aa5c5f509475db7b3e8a5ace040932f499fad8986327d1e32754970c78b65f6355d699330d16e15093754c4954ad3c

Download Submit
C:\Windows\SysWOW64\Amachhea.exe

Filesize
72KB

MD5
783c6204856ae324ec282843d95d9072

SHA1
730345c03371133d062d5f92292d03dcb77eab5e

SHA256
a82b415be35a9b87bddae575aebaa88fe0088f6c35164ef6bad4fc4241de50b7

SHA512
280aa4dda0a6b970ad504740ad98f5a68e5d32d5d42551865c28a119c36412b4ecef8efb6b2ded72cd400ce3b4225ba33f8cfa429613e407f8088051a3c23b64

Download Submit
C:\Windows\SysWOW64\Amflcg32.exe

Filesize
72KB

MD5
bbcba47a9dcf690d2bdaba4e855021c4

SHA1
74ecbe2ac7aaf1a676066098a9a02f33c64f4c88

SHA256
221f146c408bec33cbe9accee9df14a0694fa58498ef29855c1b970b444c8af2

SHA512
e71f4fbc71ef91dd159114f2753d42135d01acbe737333b07297b737f4e3b7ca615ba173e4a2134677f5db06b7c7cc99def5f4faf370a33fe1458a29626e2197

Download Submit
C:\Windows\SysWOW64\Aobopp32.exe

Filesize
72KB

MD5
1e44b0677c3b9056b1e601afe2ff48ee

SHA1
587a912c7266e153a6d6861beec870ed8762247a

SHA256
4a2ca610d7f9a353a00d08ee072e123e59149de2149d2d60684194a968de56ca

SHA512
77b7255f22f4797cc3ecadc848f9838f3339c33ead2d0680c9681e67e82dc6c15c02683090555506f9cf8d4c00a5546d611fe5df6645e3ec5ab37f7e40820ce5

Download Submit
C:\Windows\SysWOW64\Aoelfp32.exe

Filesize
72KB

MD5
5395d9868bf141719d9ae90f4caa770a

SHA1
720dc9659fff9f96666ca65d6ff278202f2cca7c

SHA256
f9383e2f96f6170375ac315a45387069610b87563c8f99e5fbaf6b0fbfd11a31

SHA512
5577b361f2b608d0c42416cd8d67dc18bba047141a637f4ceab6413c7b053ad93d816ae4090c1ece3c36820a6134234919dc22f928519d81408f37cb6a0aafa8

Download Submit
C:\Windows\SysWOW64\Aonfeqoe.exe

Filesize
72KB

MD5
abd89087d57b55c70a07bc4fd22af07b

SHA1
fc6970dcd3ace5d42c8928b7e99079cabef9feae

SHA256
1fafce47353ebecca9cf0387d4529062972241deff9af332b6920580404af738

SHA512
4296961c41c8c02dcc4bdeaf612bda6f5772c81d4471e6cf0ef7a64ddd68e2e4272637cfec1614478e2a243c4bd8f7c018c75aae593dcd25056b582be0882949

Download Submit
C:\Windows\SysWOW64\Apmboc32.exe

Filesize
72KB

MD5
82f3495121a617a17cc6b211aaf8a984

SHA1
956181ff7536fbaa6dcffabc0c863c2f83790ef1

SHA256
cb800cccb195f315f3d97b7825c4467f1c73fc36724be59971665583686c8189

SHA512
553df111ca164ed47a0ed0049bf25dd37a8fc14ce140e97f8c6b5cde5069235fddb2ae067cd19ace4bdd2ced8d8013783d95c840c17bc68e7ce427e28f009438

Download Submit
C:\Windows\SysWOW64\Bceaan32.exe

Filesize
72KB

MD5
61df2811024aeb3f9c5151a6f5186a9f

SHA1
45519cde9c5e55b93d6b4357f4a9e6f51ec7560e

SHA256
e17efa1e66e3440598bcc65a8ce759430c91c33cdec8af127dcd46b95f4a1f52

SHA512
19315d9522c9f3fb9c1146b3ecbfa15e37c18b6068ff863d22037397aeb6b6d84ae3cb6679d8ab600815b274b8e5768abffeefd82d80f7191a45b6fc463c9481

Download Submit
C:\Windows\SysWOW64\Bnoojfia.exe

Filesize
72KB

MD5
b3afb89c137e7f515a99ace60a5b7def

SHA1
921696e33f586b2bedec0b6f178413e152e8bf9d

SHA256
a33d64f9478d27536024189b4e12d77892f6d479bcdfca934b8a04f15591b40e

SHA512
3af442d09a5d5b1c2e35607b386fa64b8b5f793916e4995fb1a0cf637a0125fcd047a0a14ddb7f805d80fbf96a6df0cd23d700015d3a72d8aba79996b8b0cf5f

Download Submit
C:\Windows\SysWOW64\Cfajogpd.exe

Filesize
72KB

MD5
beda4bb31788d879931b3a6d9b0024ba

SHA1
d932ea6914fa6b13d001a99fffd783df2b15763b

SHA256
a5bead20465eb90ecac6ece54c340fb8d46db49a09674128c0c0d9571e31a0bf

SHA512
bded16dc53395be219654234dc6de735d50cce424723c5a81944d54ed3e875435481f4e8d350e29ee72f09c3a6b76611e2781f08f3b530ae88c7c3bcdf9a0c5d

Download Submit
C:\Windows\SysWOW64\Cnmkkd32.exe

Filesize
72KB

MD5
d1b00cbac33a78b5baaa2f9e95548242

SHA1
8304d89ec3d1bdbd46efa795c0df5dabddc8728b

SHA256
dd6b54d3173fb432049c11937ef966c25e3a69ced9d39c75652a1840104428f6

SHA512
216345ca1552ea458ef80bd71a1e5c48013a8e9b303a65e7280992d16d7a1b9305d92f4fefe8f7b3f4592805821b26164a4981deb545295cd09957114f1de419

Download Submit
C:\Windows\SysWOW64\Cpbeaq32.exe

Filesize
72KB

MD5
7d122735e363403dfeb5b11a59efa8dc

SHA1
81278c699e824c69a6c6c68699fb714b7e8b2952

SHA256
b0d0a9eeda114d9632fc134633fd33d1e166018d3c9460d9fc2e19fa78cadcf9

SHA512
d281fb98335073e4182de0c082528d72c14b0df4f4d813f17eb8fd778f7c666461dea6811331b2c1277402435482a3db9b2fba7cabffd068a3c28c48ba20674a

Download Submit
C:\Windows\SysWOW64\Eodjei32.exe

Filesize
72KB

MD5
f048f2316dbecdfc413ebb62488bef2c

SHA1
7e7873242cc3a692acbd286f258fa30026a68206

SHA256
4ba79251942a959c6ca50f6487353ae16725e2e005007a39aa66c73ca14fd279

SHA512
3c3c5bc7faabbafe2873233ae3c598dd37377c972e974deddcc2ea3da8c12fada48c6da123a7964c7677617b84a2c0c3fc0b8fedd54dcec49b726c99d8cf8fde

Download Submit
C:\Windows\SysWOW64\Fmoaolii.exe

Filesize
72KB

MD5
d361b43118a8ab44816910026b7aae8c

SHA1
1236d4d0333e9238cca002f0a96a6c9edd806eff

SHA256
5a78bee7c323c103a8cefcc0400923904dc3628c1228ed64161e308dc2b4d73a

SHA512
4586ec1f3eee5148f917f65b74baa8e4b0cf24f5ffa074e91194465cc1443a71dcb2913cc2a502020e379417599a2f094f9b30db8ca5200c033b62d65556c874

Download Submit
C:\Windows\SysWOW64\Gfqhnq32.exe

Filesize
72KB

MD5
478528574b0ee4220f7161b98e7e96e1

SHA1
799dbab13cdd9d82161163e14449707e4c5fcff3

SHA256
2269e1f66359b0523cbf272d8b38d3e9db8bd29005ca8466dc000adc2bb46b6b

SHA512
ed8f06cfeca498744a1f55ff7c3a8164635c961923d0ff5659f1b8854624820aac3865d379f169be199cb06451e5545c8376fa9a0ef152d68cacb9feca829c63

Download Submit
C:\Windows\SysWOW64\Gnjmdnfo.exe

Filesize
72KB

MD5
5864daef77dda9410fa4fc3f7ed649b0

SHA1
c640e8c213f0a062cdca2b43e50e0a5b9d435aba

SHA256
64739a846a3a7652010d6716fbc46a698776323af4cfca35bbf4367b222a3f92

SHA512
9da59ac01e72154b969b1f097d9331d35d6108b115fc4ad243241e3a9d5f99881eb9bf4aebc4c8a71f225ae0fce7eff414c1f9d9e1b3630870b4eb602be64b80

Download Submit
C:\Windows\SysWOW64\Hncpklnd.exe

Filesize
72KB

MD5
774bd187c8b91963ca9e156deb4708d3

SHA1
6636abf21064d348bd3784ac46a293b8483d9a32

SHA256
4fce1c8c1af9029f872eaf59c72bc58363b10991b89c2ce04bc503cece095fb3

SHA512
ca06ba63d8e60a0fc2cfb85612ee80c83f4657dbc0400e0957c9aa3d9b37fa1239956372799ddbaef8c509e7e50b0275ff049bc54d64a0ce78f28e0ef475f5dc

Download Submit
C:\Windows\SysWOW64\Igjdkm32.exe

Filesize
72KB

MD5
b6061e8ec82e571f4a4708ab9464cb8d

SHA1
cff46e5c99e315c00766fe96aeb4eb3c2ac860a5

SHA256
944a375a753df79a402e192879855fefa157e13676dbf376302971ac3e9634ff

SHA512
c2086b82ede218a22979f6abdb78981433accdf1459de675d342a97265125662156b857ca8e2c264dd1a07a19827574697b8592ab2a83c2664b82843fe607177

Download Submit
C:\Windows\SysWOW64\Ihegjp32.exe

Filesize
72KB

MD5
9cee77acd28290ac36c3878bf3458ca1

SHA1
4f66f5e575ceec7013e400e6cd73a9ce52a2b979

SHA256
25b6d8deb3d9b368e781c0008e60d5e376a3a18a374a5b36708cdd3d7b6b1e4a

SHA512
c4a3e1f80f622379460dee50187e7631c6a2229c53f127eb5e86d2af9ade8439a57b7b1a9f2261e1a141682b3f9409d4d720dedc159bc8bc3a0bd43e2d0842e2

Download Submit
C:\Windows\SysWOW64\Iojfkk32.exe

Filesize
72KB

MD5
ec79ff0d39ee65ae3bca16403e81a604

SHA1
659f813348d197e31363101c6f9e01a1a01c9ce5

SHA256
9f2cb527b779c1770eac2160554783ffe6063a055c5e0c619b10f8dd9b9f268f

SHA512
0ae6729c79d7eb59e29e7b35c53627027c1cf531c454be531b0a12e6f53013b3a3adac84884fb468f685a5d76e3b005a83e3ff653140aa42de6397236aa35638

Download Submit
C:\Windows\SysWOW64\Jalclnkd.dll

Filesize
7KB

MD5
619bfc6f15369897dbeb99999a190fe1

SHA1
fc7a28bff67bc1f1b0885f5cefb89009249c7e2c

SHA256
7516ef0556e3644b111126444d11e3dca814cd898f4627b811681ca881e73bda

SHA512
39aaf632fbf345d68dcadca4bcfb193a53903a12f735348c0fc33e4aaf570e51b8247b0a01be7b49c3d2915c137801f303fb218078e4e742211a9fb552014208

Download Submit
C:\Windows\SysWOW64\Jdjdpo32.exe

Filesize
72KB

MD5
bdf83c35fd9bbd207f6a3c053d9604db

SHA1
4a6937febaec2129766114e4e208353990bf7dfd

SHA256
18a7a29dd8fdbd105c728124025f9bf268a9d54b4e05c3084c812aca9e630c2a

SHA512
9e49bce03ee9a526cb4467185215235d3edbd98808a03ffe0796bc10521c90b96210940f670db220f9f5ba08a9203d1afa9ab178983068b9f3181cb0ae1a8959

Download Submit
C:\Windows\SysWOW64\Jdqajq32.exe

Filesize
72KB

MD5
b359b6bc82a0102927095b0bbef5ace3

SHA1
563777ace20bf3a2499d4b407c099c853a684b5f

SHA256
b68ad1cb849c48bad400c6518d56202e786481b0ba23d5df89e37bc118b85d1c

SHA512
ceba1a181f61b8458eec51c634471a352f547585bfe72acc7912306134254dfc16a2f120d5f12e6aa54dd089db4b6b69aec4a92142dafc04549ba4e9a02385c8

Download Submit
C:\Windows\SysWOW64\Jkapgjpm.exe

Filesize
72KB

MD5
083b01644e4d3b3776c6a6f6ed2cacc5

SHA1
22a763c93ca8bbf91d29760efe05d108ddc24746

SHA256
0e44cd65394b99a290e6ca8ec5b16dede20a971238dc8da71e5b5e7ac3bec9f0

SHA512
b840166f738e820262683df5043aea1bfe812096f4823fdc74952469ac553f24fe379ca513543fcb65aeedd973233aa6eada5fa60b4fafaf584b7eb1dcebb543

Download Submit
C:\Windows\SysWOW64\Jkmflj32.exe

Filesize
72KB

MD5
abb3057591a99bd1492690ad27d72308

SHA1
42d34bbf6df65f7e0d6d8f55308e97c61b3ba52c

SHA256
1e210dc096c2bc8e69beefa85c070dfbb375b269aad7bb5722aa8163475a35e0

SHA512
eb0bf2c8c54cbf5722e628d7f0ea4f80f498916bd773f23661cdc4357331884c516a98a74ef53b03933a1836f8c34d03ca3a73ada0f480230e3fc26367566168

Download Submit
C:\Windows\SysWOW64\Kgacbi32.exe

Filesize
72KB

MD5
d9a45d6e3bc2bc802561c688d236a56b

SHA1
afbbda28d651719550f1c69d684ab9da0a151d2c

SHA256
71454358295173cf8f9cb15b0ea5404c30ed147f2123af16a32f4a4c70ec4d20

SHA512
6fcb0d6463d4c4eef8d1a5cd6d0c191e75c7d7740bb012a3ace854bb596aea45cfccc82d1bfc71237602bcc5a60c05fe0574ddd1e50fe4590624f4589b5081ff

Download Submit
C:\Windows\SysWOW64\Kgdphikd.exe

Filesize
72KB

MD5
4f7011515d4584ce3a63fb059b0c9218

SHA1
95c395e63649e2a6b1949bc1e9d51c44405dd9eb

SHA256
f3a304e5beaeeab73480c6898b950637374f2a7f0214e188b6bfacadeee34688

SHA512
2ae2cdbd31a9bbb04e394f5f4a69d04b329e7963905a0f8f1a4a96f3fd9f48e642ba8e8acd55ae57112430d5407c3b12c0b2c41c9faab2bed0445be666f6c73f

Download Submit
C:\Windows\SysWOW64\Lanmpa32.exe

Filesize
72KB

MD5
b1fbf8ce8148f43094a17930dc1ed77f

SHA1
bb274607b6941b5f7eae9a0ce29263217dfb5745

SHA256
5c8cd203204b20ada21a216c1417c117b78ca90a7b52d0ea490c849b2ffb89ec

SHA512
c89fe02073ea68257e6f49a0b06adea9b6686a0b15e3e387039e8b01495bc7cafdde52b9d8356ad64c3fad13faf2fe5f3bce17a37ee5497d68fa6118f7c097e9

Download Submit
C:\Windows\SysWOW64\Lkbhng32.exe

Filesize
72KB

MD5
e875d7a4ee0b4184d23c83d8f4b64bc6

SHA1
21516a71b5739b0f3f157240d9f4201087e95978

SHA256
276567076d2eff4315f0c7aa78d763af57f092e618693267aa76839b612f0bcf

SHA512
85157d331cf14d96f871d4020a0d35fbb8aeeedbca5904acf1e35ceddaa81a9be688571e5af66752f0bf22227376f37fb0b699e49def87baa64a421f080ce497

Download Submit
C:\Windows\SysWOW64\Lkfbigme.exe

Filesize
72KB

MD5
b355020a54bbf684d7cee7f63d185fcf

SHA1
7c58f8f5dd63a456a73d5f3642dee9ebbdff696d

SHA256
4d8d8153782f361d4647cb4c0c249423186948a8d3e024e6a8c9afba5fd91c84

SHA512
41add1217542fe7ed5ee1c0434824344c4198d800f2f76a8a36856f36e21b5d7b856ee81ff0f948f1476c13729c96a96d6a7e21aa951427ceeb6a1702ae2ba23

Download Submit
C:\Windows\SysWOW64\Lkioof32.exe

Filesize
72KB

MD5
07ceff64f81fc7e29933f125a4361bce

SHA1
24af7902699e7235c8691a2aff6d6bbcdeeeb9b0

SHA256
ecbd14c417dd7e56fb3d471290b8238a121c03be135ec5fe6138755ed9b5b3df

SHA512
3a37023715754428992e148d379e9a590897f92bdd18a31a846a7f33d4045c815ba79f57a89ef0f6cedac5b541e4fa8647c4813144e02680b44ad5ee97f75fa0

Download Submit
C:\Windows\SysWOW64\Mbljaoje.exe

Filesize
72KB

MD5
b130dcde4ac41781b1d69e064c2b6ed3

SHA1
794f684058427905e101f5b36a46bc93252b84b8

SHA256
2710c1c18d676c078a89ee0781ee69da9b3e73930efd57cc2d5cad04c003e50d

SHA512
0909eeaae76666b1cd1819eafd1ce487a04fc954bca7c4a4ccedd078ab53aa52e3a658ea44cf7fb00197db0654d76cb77574348c630a08dbb436ca458bf63ef5

Download Submit
C:\Windows\SysWOW64\Mhiodi32.exe

Filesize
72KB

MD5
a9bf4258fa77720ee7de699daf72b0c8

SHA1
44e7ac6532dc6de144d7324ee891b1caaa746060

SHA256
c624eeeb3e7989c318e664937f68e11df415e701eaec3fd079c706b1d0ec9523

SHA512
97ef524cdd5ffbef1285a54902f696690750383bbfa0acefa86246a15183f722225dd5cf63a46225cd0f58344d4915ef97df2cb00b0b443c200bc9f0b12949e5

Download Submit
C:\Windows\SysWOW64\Mholnjhj.exe

Filesize
72KB

MD5
06ee8ce4f821db41ba42cbb10df1e125

SHA1
70ec86ae20c54265db4c8e5e78df7ee5c5b6fd24

SHA256
dea3c2e5cb25a9f44a531401055d244ce06204915a91bc68af869f0845de64f3

SHA512
ecd598a502c4f2c3e67b5a2716228bdfb0f10c016956eb39fe991562201be0df7b10d1c2b1a180461fcca39b20a19b3cc73b4040fc0a26ee73ef5aae02c530c5

Download Submit
C:\Windows\SysWOW64\Nbacmo32.exe

Filesize
72KB

MD5
fa507631a8b690071ab6309d2f92f616

SHA1
4d9f92c87fa330b6bb48eb624ae7b63efaf481e5

SHA256
3e1f5ff41517a17d8d21fd7504949462b586698cb2a72b0379a27d16b9d96e13

SHA512
5e1b9452915db56499bb00d379e63d576ebea7934d5319b756be4630aee2ab26b1064ad773c6c82a5d25680b769acf8818e3562b3b342941efbfbbb65de493f2

Download Submit
C:\Windows\SysWOW64\Nkigedmp.exe

Filesize
72KB

MD5
b0fa79b3f6ed7acd34c2523372560345

SHA1
d48054c770cf0096d459fc849758690125a53d3e

SHA256
87d18a970d207e46e2a261a293c06225b6bf899b1b9910771eab80212f3f100e

SHA512
25d72bd07a1068f7eee11dc9b444ed15d7404a2e5a1236a756eb90313720282405f542e8709a61c002b3ebed98604638bd96aeeccd73991e157c9643d7709db6

Download Submit
C:\Windows\SysWOW64\Nknaqc32.exe

Filesize
72KB

MD5
e7a72aa8d394c27e8d8f1c408e66e476

SHA1
c873cbdd81982ddb8d5d21601862596392180294

SHA256
50031909c42611194a2ae0073356f5dbf2798a906971ac6e930c5d27d91a0c3a

SHA512
c090b66f3dc1a4525479e2fec94fd53d36ce83fe2add2ec2e1b012c93f10d289d6ecfc62374138d59a9b57b8e352a9a9f465fab7e0749476ef5030ff04df0a5d

Download Submit
C:\Windows\SysWOW64\Nqfpnkkg.exe

Filesize
72KB

MD5
7bd55cd59b56168b6d67045a8b51eca3

SHA1
b4b2e0cb56ddcb1a8c3a97b567ec95e75dd4f0ff

SHA256
80d41a3d59c0eee0f65fe447e41e25f942808927f5be10615b716f1619295209

SHA512
3d278fd8e4b795f2511a7315805a302335aa0878b3228827b5e5fc4b9ff12ceb45b7d47874b42792dda4fec64899ec5f62410a6a5eac343d94ea8fa9639d1522

Download Submit
C:\Windows\SysWOW64\Nqhmck32.exe

Filesize
64KB

MD5
9cdbffe828e64378ed428be3a9b0bac8

SHA1
caac75d39729bf368e87fced06158cfe7bb2981f

SHA256
12b73b5f8bd7a0a67bcb6c5ead62f2e79febb040e989a45238a7bb75709fdd87

SHA512
366cb88dfc2d87bce463ba62c1e8a22da4c6e7fad8b8a65734b3e737f969c0b00fc35ec3fdcc2b30b7304f8ce5caecc4fa16cef0201040c6e7139088d5a3c3eb

Download Submit
C:\Windows\SysWOW64\Oabpjiaj.exe

Filesize
72KB

MD5
34c74de38480d8c12ab247e6fcf095b6

SHA1
fcc392ab2dbbb51c991e0979d29209f815a885da

SHA256
d93ea527c190c4565466ea68ac5c9f0690c9d4b3d10171af050c44400798e880

SHA512
572f374e06b84ba8f6057224abf7df98c4978e8ed26b48e16ea904afd83ca48abbc4ea6411d10100c6bbc1d3eac703ca47febb6746949cb622ade7dfaa17d5ae

Download Submit
C:\Windows\SysWOW64\Obglib32.exe

Filesize
72KB

MD5
41ef96a56aeef04357f31830e944737b

SHA1
b5943e80698fefa2f21440ce33ccc6638c0416ee

SHA256
32087d2fd511f4c39ec3469e7c0fdf828bc92bbc68f94c632775eb1cbe6e3d56

SHA512
f439367e5ba59a5c8c1ade2ea49878b3dfbb3bd35180982ceb16847a58070513bb59063554e667df3779d14a9c135769c9f221a830c5fcd7054e460811089b1e

Download Submit
C:\Windows\SysWOW64\Oeqojnkl.exe

Filesize
72KB

MD5
c6bd5433cc9ce8791d8bdac140f327e6

SHA1
bedbc57b3c9493667f4d09d9ea76ae86c2ab890b

SHA256
e9abde43ed9ca054a496850d9bdd52137c4694acbcc1735e20601f6be2b961d9

SHA512
99def3f75d254df644ab2cbca519dccd744f37cd993cdfc359fe616f8f349928b632b016e0002a1f63e862688e36bc9ee1c66862029beca5682f164636c8fa1c

Download Submit
C:\Windows\SysWOW64\Ofpldabo.exe

Filesize
72KB

MD5
c37fa7f55b588c27cfa0004da9b89446

SHA1
05a1bcd697a033833a03275128c38c87e0f78964

SHA256
b591241d4dfcdc0d480655cc12d08fd8f1b55f2f44a6a5523440663d118990ae

SHA512
3a8c183145a1a94b2537a72aea2440bcb247689f6098883e58b70616793ed34b9ae0f9ccda8a9eaedffc326b3ec191eefd81727d0f5941caf1abf76c02978809

Download Submit
C:\Windows\SysWOW64\Oiqdflop.exe

Filesize
72KB

MD5
c44b3be32ec106e540f6951828156916

SHA1
0fc3bddf9a1341aa525b7b2a7e9f8afb90fe0227

SHA256
cd4392fad9f3bed8b37fd55142f5468c9bf2cab70a0f7eee1f3cb29e814cec30

SHA512
d636257db5cfca91c841406d3755be78f1ebaa87529129c145185c6224a75d6321abe7813544b22f98d5831ec4f37c46b185916a58bd7f302fa3fb29c43b29c1

Download Submit
C:\Windows\SysWOW64\Okbjlcee.exe

Filesize
72KB

MD5
57ce67d94cce7596f78931369ce4489c

SHA1
6f764ff798206d6eef2324f77a761edcf6d0da71

SHA256
9066aa1333df55e3229a3ed8b94f581037d3eb4e725c95bf7600dc3fa5a2e459

SHA512
5f87bdd75b4809b35c181a90498d9689fe105ac87a639295d4a98b383617ed08ed33afae41a946433f8208e5df677e204e01516e0ee2253bf167587e827e0da2

Download Submit
C:\Windows\SysWOW64\Omjdak32.exe

Filesize
72KB

MD5
c484a9e508c674947c91840952ecea7e

SHA1
b0fc3fc5bb8007a65db19000a5612898c6f7de5d

SHA256
ff1b3ca96abba3f9ade840ae9c8df14f0319007cf4be1689f996433112ee2cac

SHA512
b5173b449850184440a3aa7de84d229451d8fc452e25a187146d5a01afaa81c9bfca9dd2a66c26383c171b8e07399b3189ba2fa97b945c47b0c7cc592d03a2c7

Download Submit
C:\Windows\SysWOW64\Onicccam.exe

Filesize
72KB

MD5
458fa0854d5f72c091b90f25d36e1778

SHA1
c0aa40d38b17898efc89aa86ba39bbdaeb2dc137

SHA256
1717fa06f7a7a3cce506c42e3c9d9d78dca2420af7e44a84f089ea8289690727

SHA512
fbcd081248d8eaa689a7990476a2cc8519d9c64bdb53fa000e8e3937efab97468e85955821929f69c6e70e87ac8011e2b553ee555761162169c38714eccf09ea

Download Submit
C:\Windows\SysWOW64\Opcpgaii.exe

Filesize
72KB

MD5
e845eb741f90b7420183b859720dce75

SHA1
7d6db48197aa912ce4bf1382e4479fce0d15eeb4

SHA256
ce5eadb2ec80327c189ed1c5d49c418853cafead27061a24a638c249f1f02b5e

SHA512
b677154799ff7bde38b286501c1cc6281edf32b9e92b0cfe7914daaae58592457142dfe5fd94de3cb5703be07b762961277b8212f7540e1fc17b67ff944847c9

Download Submit
C:\Windows\SysWOW64\Pbnbja32.exe

Filesize
72KB

MD5
b3eb76961a9b8a4f6da33807399cd894

SHA1
56509f0d363315bf2ea32c327b215e22a5c36223

SHA256
b51dc1282e18feb676df4f7a94f2c9932e538ca226269901004853c0c90f29d8

SHA512
e7c8dd530abb57065c19c9d4f2b621e39bdde1b42e4a592dfeee25f303892b0e115b888adc732e00073dad2bce30779b8b3181196f626be030fad49fa9b259c8

Download Submit
C:\Windows\SysWOW64\Pbpooq32.exe

Filesize
72KB

MD5
13c83bfbe667c30fd4c6e29956511767

SHA1
67c5515a10b9a647f49719a9eca7bcc131209446

SHA256
5e9b2a8da76cc8c0caf581cd9c903277d31795248478bdcb4a51e79374a43a5f

SHA512
307673ce82ea1dc29d6ffb78894b4212a7e1f6fc8f9d716274071630faa8f8559fc1ebe3debe651c49ce4dc63752ae5231ff1f8e0648f8a610af0c1048e5d1ef

Download Submit
C:\Windows\SysWOW64\Pegekmed.exe

Filesize
72KB

MD5
797e3e28a6c438207ad3e1234ff9ea23

SHA1
c7102d6857c5cfda8f6a614f0588418e26ef7231

SHA256
5a129abc25f8b46a19e4939ce362712933014b2593b1649a55aad8c505cd5e2a

SHA512
f9e379d8f0beca46ddd49bff90f5bad3692bdc747e3257f0215e3194fde0e1cc496bb43ddaceb514c707d90b0fb8484d518ee9a06322f34a6996efd8cfa0a9fe

Download Submit
C:\Windows\SysWOW64\Pejbqmca.exe

Filesize
72KB

MD5
d51b0935c36d590a8d7f7b84fac8cc09

SHA1
7f4ad3ceea9aec92c1d8b1ec395e021ddfcfb508

SHA256
0640ac04f01b1c98f6ae3a8e3222a6dcce17909539801fb138ef4460d5963116

SHA512
4af563082caac2a44429f72adf0794cfbca76b0061fbd79d7d636b6822b7bc0d6204e4214af93b1f4a3c772924823a927b48093f8e92c7d5e566fe6e777b24fb

Download Submit
C:\Windows\SysWOW64\Pildaj32.exe

Filesize
72KB

MD5
06087dfd5c5296bb81c535e5aec5e78d

SHA1
f674c41e499709b96628b0ba17a7ed731376bf8c

SHA256
4beccc1c65edce436a4da092bbf500c087499e04b6fdf73fd1fa0756044952a0

SHA512
5e169ff209bb716ea4933e29375544bba89a426aa76d92b625cccd21a150376398880bf7c12e55bb1a54c3761451773841f3d008c723015b2ba8e8e768c1cd52

Download Submit
C:\Windows\SysWOW64\Plangg32.exe

Filesize
72KB

MD5
966d618417c0b31adc1e324f2d82cbac

SHA1
5ebd46d92c44a7cded6bda450ec12ba059991572

SHA256
e0c0c2f2d358049aff925b7ac2e296c735b8ebed34181f1820307f15c756c3b0

SHA512
5759d23d955c5b4ff1c862535c92426a16f31a3793d910c5220141faa9278cf2f80dc71faf25cc06add68fa230f8b0a00c1212553e1bb55ec3a14e8666845134

Download Submit
C:\Windows\SysWOW64\Pldjmg32.exe

Filesize
72KB

MD5
e8564f547e28be724490f19948d4acdd

SHA1
3ea000751930cc9e8c3c9c3c4bf714584856a04b

SHA256
483d6bf94a7a2b8f92959dfc7192cace3d1378e6cc8aef9f1b531a5d3902bf17

SHA512
6343c5f10d5c7dcdbb7e8ae13268b3a41c41dcda7cc2de4190d0b02674ca27f2a68c835e66d3979dc829e50d36f1f13104055dabf25db3cb7b1728129d749550

Download Submit
C:\Windows\SysWOW64\Ponmnc32.exe

Filesize
72KB

MD5
9f6a31daea17f68bf5590ec0fd7525db

SHA1
2df04875965ecb7530504285ebf42a95de617a85

SHA256
1d1b46bdaa83b7630b06213035338ac84402ed7063f7c5e8c718ca82bbad553a

SHA512
ca0d55592a4f93c7b11156f9ec65467029f0e63af03aae16666ac43e019d92a097500f86a0bfa59e3dd7503396324f3dc1fb1c0cb093ee33576e259c4c611dab

Download Submit
C:\Windows\SysWOW64\Qeealk32.exe

Filesize
72KB

MD5
171b356d50883ace6494e3e7d01b0a29

SHA1
11d445c8aa44ad743476224e622733987e5f7213

SHA256
5152e227328af33bb098b414eb5aa9cd7485344722f40b7fae6716131bb2a38f

SHA512
49066587a08ba51d9f54d7ee3f40b985115f6f123d2a6a91cd6760ea955a97fe781bc3ac5f426e76c61400dc17234fc18c3661fbb276494084f7ce7eb8fe7d8f

Download Submit
C:\Windows\SysWOW64\Qioagj32.exe

Filesize
72KB

MD5
09355d419537191275802be1cf79ddf0

SHA1
d717a3ce4686871e409101fdcaf35638c1b1172c

SHA256
67b8804f76966d9e3ee9024e1c0c9fed2f92db969b6cbab8f3c7551e12b0d4e0

SHA512
6d8b2b4f3d5d7a1663eaf0f36d563e685e1fd0703f469f563a66945f20a20c6aa92f00cd89315bfb97d5a235417d351bfc4646f931cbcdfca94ac41b1cec17f3

Download Submit
C:\Windows\SysWOW64\Qoimja32.exe

Filesize
72KB

MD5
8560755ba49e1ae4d341b2424aa2d383

SHA1
0cf6cdb5d1ecf94c003a52de0618426d3961f931

SHA256
1ecea91a11c0c1d519c35d2ef1e836fa3fbe1c586ebbde280fa7fdaeaa958ea7

SHA512
4be672c14432fdebe6fe2d77bd408073f895390a2a0e7afc87ae7b00d97749727142e0126465bc3ec1c579858a04a87623e1412cc561bad215fe5b4f0407918b

Download Submit
C:\Windows\SysWOW64\Qolipa32.exe

Filesize
72KB

MD5
af85bacfba969226e79e696ef97a954d

SHA1
aea2c62cd7f66c1cf057ca0d9de7bcc5fc3ca940

SHA256
a80f669e0d6211eb0f48c5cec533b23e866e21cb525e7c527419b89f2da681d7

SHA512
4c4c653d061b3260578e43632811499ee291f6a2209cdae66a04dc77f2f15f129f0267c877b6b1cea7e43acadccf31879017387f990aed78a0094f96092bf949

Download Submit
memory/64-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/180-183-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/388-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/392-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/540-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/688-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/688-551-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/728-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/800-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/988-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1016-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1104-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1108-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1112-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1208-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1328-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1416-386-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1540-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1588-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1596-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1684-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1816-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1932-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1976-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2020-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2024-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2088-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2092-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2224-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2224-593-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2252-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2268-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2312-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2312-562-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2316-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2336-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2408-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2488-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2488-544-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2504-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2512-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2604-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2692-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2704-538-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2724-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2728-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2740-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2740-572-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2832-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2928-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2936-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2980-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3000-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3024-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3076-520-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3312-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3380-532-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3400-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3516-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3528-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3720-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3744-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3784-579-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3784-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3788-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3856-213-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4000-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4036-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4072-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4088-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4124-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4148-565-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4148-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4164-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4184-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4184-586-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4416-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4508-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4564-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4660-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4712-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4716-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4848-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4852-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4892-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5044-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5052-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5164-545-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5224-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5280-563-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5328-569-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5420-576-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5492-584-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5552-591-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5608-594-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6068-1424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6192-1397-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6212-1423-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6352-1420-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6528-1449-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads