berbew | 8df62b86aa7d947bad07ac68f777f5562acf05fa4b12c820b74e860f5dc04290

Analysis

max time kernel
115s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18/10/2024, 11:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8df62b86aa7d947bad07ac68f777f5562acf05fa4b12c820b74e860f5dc04290N.exe
Size

45KB
MD5

42a56bfe3aff21e6039988c84134fdc0
SHA1

d1ced2804b30f84a75bede25b93a682cda27ee81
SHA256

8df62b86aa7d947bad07ac68f777f5562acf05fa4b12c820b74e860f5dc04290
SHA512

d72082c1c20425a8c44294d72e18711803cd9f7210adfc64d34834ed53062f65c28cae34b03b9b3cb7a025730c00d54ab494acad806cd45478660e852ef6c3fa
SSDEEP

768:tbTGC3MxFpji/RWHpyekciD8di4H0J/1H5w:EC87Ww2b8dPH0DS

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pffgom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Flfkkhid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fpkibf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Geaepk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jljbeali.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjpode32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgbefe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojfcdnjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amqhbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpanan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kngkqbgl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjgfb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Modgdicm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apodoq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfjdqmng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jebfng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mogcihaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qacameaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bddcenpi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhclmp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emhkdmlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcidmkpq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpcjgnhb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pagbaglh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aajhndkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaoaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fneggdhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipoheakj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jenmcggo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgmjmjnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojhpimhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eiahnnph.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfhndpol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdciiec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnfiplog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adhdjpjf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jljbeali.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogcnmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qhjmdp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afpjel32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Flmqlg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dahmfpap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chqogq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkfadkgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnaaib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cocjiehd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fefedmil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nadleilm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aphnnafb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckjknfnh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	8df62b86aa7d947bad07ac68f777f5562acf05fa4b12c820b74e860f5dc04290N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fngcmcfe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfeaopqo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imiehfao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnmmboed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Panhbfep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgbpaipl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmojkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jgmjmjnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljceqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lqojclne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngjkfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nglhld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgifbhid.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
4636	Chnbbqpn.exe
2956	Cohkokgj.exe
1020	Cfbcke32.exe
3160	Chqogq32.exe
4608	Dnmhpg32.exe
824	Dhclmp32.exe
1888	Dkahilkl.exe
2532	Dfglfdkb.exe
2776	Dmadco32.exe
4992	Dnbakghm.exe
1388	Digehphc.exe
2124	Dkfadkgf.exe
2736	Ddnfmqng.exe
1844	Dmennnni.exe
4756	Dfnbgc32.exe
700	Emhkdmlg.exe
2380	Enigke32.exe
3144	Eiokinbk.exe
4708	Enkdaepb.exe
4104	Eiahnnph.exe
1752	Eokqkh32.exe
1392	Efeihb32.exe
2192	Emoadlfo.exe
1680	Eblimcdf.exe
1860	Efgemb32.exe
3328	Emanjldl.exe
2400	Enbjad32.exe
4264	Felbnn32.exe
3912	Flfkkhid.exe
1468	Fneggdhg.exe
5020	Fijkdmhn.exe
4376	Fngcmcfe.exe
4516	Ffnknafg.exe
3044	Fealin32.exe
3880	Flkdfh32.exe
1676	Fbelcblk.exe
4360	Fiodpl32.exe
4000	Flmqlg32.exe
2600	Fbgihaji.exe
2936	Fefedmil.exe
3212	Fpkibf32.exe
1400	Fnnjmbpm.exe
3388	Gfeaopqo.exe
316	Gmojkj32.exe
212	Gpnfge32.exe
372	Gfhndpol.exe
3480	Gmafajfi.exe
4036	Gldglf32.exe
2508	Gfjkjo32.exe
2280	Gihgfk32.exe
3188	Glgcbf32.exe
2348	Gbalopbn.exe
3408	Geohklaa.exe
1188	Gmfplibd.exe
4932	Gbchdp32.exe
4292	Geaepk32.exe
3832	Gmimai32.exe
4624	Gojiiafp.exe
4928	Hmkigh32.exe
2804	Hefnkkkj.exe
1500	Hffken32.exe
3740	Hlbcnd32.exe
3892	Hblkjo32.exe
2336	Hfjdqmng.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Geaepk32.exe	Gbchdp32.exe
File created	C:\Windows\SysWOW64\Ljceqb32.exe	Lgdidgjg.exe
File opened for modification	C:\Windows\SysWOW64\Pffgom32.exe	Paiogf32.exe
File opened for modification	C:\Windows\SysWOW64\Qjiipk32.exe	Qhjmdp32.exe
File created	C:\Windows\SysWOW64\Nokpod32.dll	Ickglm32.exe
File created	C:\Windows\SysWOW64\Jebfng32.exe	Jljbeali.exe
File opened for modification	C:\Windows\SysWOW64\Koodbl32.exe	Klahfp32.exe
File created	C:\Windows\SysWOW64\Ngjkfd32.exe	Npbceggm.exe
File created	C:\Windows\SysWOW64\Ifomef32.dll	Opnbae32.exe
File opened for modification	C:\Windows\SysWOW64\Aphnnafb.exe	Afpjel32.exe
File created	C:\Windows\SysWOW64\Aablof32.dll	Kpoalo32.exe
File created	C:\Windows\SysWOW64\Mnhdgpii.exe	Mogcihaj.exe
File created	C:\Windows\SysWOW64\Qhjmdp32.exe	Qaqegecm.exe
File opened for modification	C:\Windows\SysWOW64\Qpeahb32.exe	Qacameaj.exe
File opened for modification	C:\Windows\SysWOW64\Jgmjmjnb.exe	Jenmcggo.exe
File created	C:\Windows\SysWOW64\Jljbeali.exe	Jgmjmjnb.exe
File created	C:\Windows\SysWOW64\Dckajh32.dll	Mnegbp32.exe
File created	C:\Windows\SysWOW64\Jgqjbf32.dll	Mnhdgpii.exe
File opened for modification	C:\Windows\SysWOW64\Pfandnla.exe	Paeelgnj.exe
File opened for modification	C:\Windows\SysWOW64\Bhhiemoj.exe	Aaoaic32.exe
File created	C:\Windows\SysWOW64\Ldklgegb.dll	Fiodpl32.exe
File created	C:\Windows\SysWOW64\Mgbefe32.exe	Mqimikfj.exe
File created	C:\Windows\SysWOW64\Qpeahb32.exe	Qacameaj.exe
File created	C:\Windows\SysWOW64\Bmijpchc.dll	Amnlme32.exe
File opened for modification	C:\Windows\SysWOW64\Fneggdhg.exe	Flfkkhid.exe
File opened for modification	C:\Windows\SysWOW64\Hefnkkkj.exe	Hmkigh32.exe
File opened for modification	C:\Windows\SysWOW64\Hblkjo32.exe	Hlbcnd32.exe
File created	C:\Windows\SysWOW64\Iidphgcn.exe	Ickglm32.exe
File created	C:\Windows\SysWOW64\Eehmok32.dll	Qaqegecm.exe
File created	C:\Windows\SysWOW64\Flmqlg32.exe	Fiodpl32.exe
File created	C:\Windows\SysWOW64\Gfhndpol.exe	Gpnfge32.exe
File created	C:\Windows\SysWOW64\Fkngke32.dll	Jekqmhia.exe
File opened for modification	C:\Windows\SysWOW64\Klahfp32.exe	Kcidmkpq.exe
File created	C:\Windows\SysWOW64\Kcbfcigf.exe	Kpcjgnhb.exe
File opened for modification	C:\Windows\SysWOW64\Mnhdgpii.exe	Mogcihaj.exe
File created	C:\Windows\SysWOW64\Oghghb32.exe	Opqofe32.exe
File created	C:\Windows\SysWOW64\Nhhlki32.dll	Qhjmdp32.exe
File created	C:\Windows\SysWOW64\Chdialdl.exe	Bajqda32.exe
File created	C:\Windows\SysWOW64\Dnbakghm.exe	Dmadco32.exe
File created	C:\Windows\SysWOW64\Efgemb32.exe	Eblimcdf.exe
File opened for modification	C:\Windows\SysWOW64\Hfjdqmng.exe	Hblkjo32.exe
File opened for modification	C:\Windows\SysWOW64\Jniood32.exe	Jebfng32.exe
File created	C:\Windows\SysWOW64\Bgagea32.dll	Nglhld32.exe
File opened for modification	C:\Windows\SysWOW64\Opnbae32.exe	Ogcnmc32.exe
File created	C:\Windows\SysWOW64\Kfbdfl32.dll	Eiahnnph.exe
File created	C:\Windows\SysWOW64\Mogcihaj.exe	Mnegbp32.exe
File created	C:\Windows\SysWOW64\Dahmfpap.exe	Dkndie32.exe
File created	C:\Windows\SysWOW64\Didmdo32.dll	Iipfmggc.exe
File created	C:\Windows\SysWOW64\Cajdjn32.dll	Knqepc32.exe
File created	C:\Windows\SysWOW64\Pmikmcgp.dll	Ofhknodl.exe
File opened for modification	C:\Windows\SysWOW64\Amlogfel.exe	Afbgkl32.exe
File created	C:\Windows\SysWOW64\Ndnljbeg.dll	Lgdidgjg.exe
File created	C:\Windows\SysWOW64\Mkfoeejd.dll	Ojfcdnjc.exe
File created	C:\Windows\SysWOW64\Ieoigp32.dll	Adhdjpjf.exe
File created	C:\Windows\SysWOW64\Pghien32.dll	Cdmfllhn.exe
File created	C:\Windows\SysWOW64\Mcdibc32.dll	Cocjiehd.exe
File created	C:\Windows\SysWOW64\Dmennnni.exe	Ddnfmqng.exe
File opened for modification	C:\Windows\SysWOW64\Fefedmil.exe	Fbgihaji.exe
File opened for modification	C:\Windows\SysWOW64\Dkahilkl.exe	Dhclmp32.exe
File created	C:\Windows\SysWOW64\Mfhbga32.exe	Mnmmboed.exe
File created	C:\Windows\SysWOW64\Phlepppi.dll	Akdilipp.exe
File created	C:\Windows\SysWOW64\Hicpnnio.dll	Dkfadkgf.exe
File created	C:\Windows\SysWOW64\Lejgpb32.dll	Gbalopbn.exe
File created	C:\Windows\SysWOW64\Ojenek32.dll	Opqofe32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6172	7040	WerFault.exe	276

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cohkokgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gldglf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gihgfk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hffken32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjgeedch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnmmboed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocjiehd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chkobkod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddgibkpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eokqkh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Knqepc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pagbaglh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afpjel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hlbcnd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klahfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kngkqbgl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lckiihok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afbgkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amnlme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbcke32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkahilkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enigke32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ipjoja32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfnfjehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lqojclne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgbpaipl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngjkfd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofhknodl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdagpnbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkqaoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eiahnnph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gfjkjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jgbchj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Modgdicm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njhgbp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqbpojnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfkqjmdg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgnffj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chdialdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmennnni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbelcblk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gpnfge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jocefm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojhpimhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Palklf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adfgdpmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caageq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amqhbe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Emoadlfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flmqlg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gmafajfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kcidmkpq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgdidgjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nadleilm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngqagcag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opnbae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Digehphc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hblkjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfeljd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mqimikfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhclmp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eblimcdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fngcmcfe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gmimai32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enigke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Almoijfo.dll"	Kfnfjehl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afpjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amlogfel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbgihaji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fefedmil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpanan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Moipoh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oghghb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfglfdkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfjkjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbchdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbklgfdh.dll"	Iepaaico.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jgbchj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klahfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebggoi32.dll"	Bklomh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chdialdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlohlk32.dll"	Aaoaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gikgni32.dll"	Bgnffj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Flfkkhid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eodolnaf.dll"	Fneggdhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klqcmdnk.dll"	Hffken32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Modgdicm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogcnmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adcjop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bddcenpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfjdqmng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pagbaglh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pffgom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igafkb32.dll"	Pmpolgoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chkobkod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpaagldf.dll"	Fngcmcfe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ffnknafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iepaaico.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofhknodl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdenmbkk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lngqkhda.dll"	Pffgom32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgnffj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmadco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enbjad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fimhbfpl.dll"	Ffnknafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnhdgpii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqbpojnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pagbaglh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icinkkcp.dll"	Dhclmp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddnfmqng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chflphjh.dll"	Ipjoja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hemikcpm.dll"	Kcbfcigf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmojkj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Koodbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcleff32.dll"	Ngjkfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhgbbckh.dll"	Nadleilm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qfkqjmdg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Flmqlg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gojiiafp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Panhbfep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnaaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iikikigb.dll"	8df62b86aa7d947bad07ac68f777f5562acf05fa4b12c820b74e860f5dc04290N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiaafn32.dll"	Gihgfk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jocefm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amqhbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbblcj32.dll"	Emoadlfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgnddp32.dll"	Cgifbhid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojhpimhp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 4636	5052	8df62b86aa7d947bad07ac68f777f5562acf05fa4b12c820b74e860f5dc04290N.exe	84
PID 5052 wrote to memory of 4636	5052	8df62b86aa7d947bad07ac68f777f5562acf05fa4b12c820b74e860f5dc04290N.exe	84
PID 5052 wrote to memory of 4636	5052	8df62b86aa7d947bad07ac68f777f5562acf05fa4b12c820b74e860f5dc04290N.exe	84
PID 4636 wrote to memory of 2956	4636	Chnbbqpn.exe	85
PID 4636 wrote to memory of 2956	4636	Chnbbqpn.exe	85
PID 4636 wrote to memory of 2956	4636	Chnbbqpn.exe	85
PID 2956 wrote to memory of 1020	2956	Cohkokgj.exe	86
PID 2956 wrote to memory of 1020	2956	Cohkokgj.exe	86
PID 2956 wrote to memory of 1020	2956	Cohkokgj.exe	86
PID 1020 wrote to memory of 3160	1020	Cfbcke32.exe	87
PID 1020 wrote to memory of 3160	1020	Cfbcke32.exe	87
PID 1020 wrote to memory of 3160	1020	Cfbcke32.exe	87
PID 3160 wrote to memory of 4608	3160	Chqogq32.exe	88
PID 3160 wrote to memory of 4608	3160	Chqogq32.exe	88
PID 3160 wrote to memory of 4608	3160	Chqogq32.exe	88
PID 4608 wrote to memory of 824	4608	Dnmhpg32.exe	89
PID 4608 wrote to memory of 824	4608	Dnmhpg32.exe	89
PID 4608 wrote to memory of 824	4608	Dnmhpg32.exe	89
PID 824 wrote to memory of 1888	824	Dhclmp32.exe	90
PID 824 wrote to memory of 1888	824	Dhclmp32.exe	90
PID 824 wrote to memory of 1888	824	Dhclmp32.exe	90
PID 1888 wrote to memory of 2532	1888	Dkahilkl.exe	91
PID 1888 wrote to memory of 2532	1888	Dkahilkl.exe	91
PID 1888 wrote to memory of 2532	1888	Dkahilkl.exe	91
PID 2532 wrote to memory of 2776	2532	Dfglfdkb.exe	92
PID 2532 wrote to memory of 2776	2532	Dfglfdkb.exe	92
PID 2532 wrote to memory of 2776	2532	Dfglfdkb.exe	92
PID 2776 wrote to memory of 4992	2776	Dmadco32.exe	93
PID 2776 wrote to memory of 4992	2776	Dmadco32.exe	93
PID 2776 wrote to memory of 4992	2776	Dmadco32.exe	93
PID 4992 wrote to memory of 1388	4992	Dnbakghm.exe	94
PID 4992 wrote to memory of 1388	4992	Dnbakghm.exe	94
PID 4992 wrote to memory of 1388	4992	Dnbakghm.exe	94
PID 1388 wrote to memory of 2124	1388	Digehphc.exe	95
PID 1388 wrote to memory of 2124	1388	Digehphc.exe	95
PID 1388 wrote to memory of 2124	1388	Digehphc.exe	95
PID 2124 wrote to memory of 2736	2124	Dkfadkgf.exe	96
PID 2124 wrote to memory of 2736	2124	Dkfadkgf.exe	96
PID 2124 wrote to memory of 2736	2124	Dkfadkgf.exe	96
PID 2736 wrote to memory of 1844	2736	Ddnfmqng.exe	97
PID 2736 wrote to memory of 1844	2736	Ddnfmqng.exe	97
PID 2736 wrote to memory of 1844	2736	Ddnfmqng.exe	97
PID 1844 wrote to memory of 4756	1844	Dmennnni.exe	99
PID 1844 wrote to memory of 4756	1844	Dmennnni.exe	99
PID 1844 wrote to memory of 4756	1844	Dmennnni.exe	99
PID 4756 wrote to memory of 700	4756	Dfnbgc32.exe	100
PID 4756 wrote to memory of 700	4756	Dfnbgc32.exe	100
PID 4756 wrote to memory of 700	4756	Dfnbgc32.exe	100
PID 700 wrote to memory of 2380	700	Emhkdmlg.exe	101
PID 700 wrote to memory of 2380	700	Emhkdmlg.exe	101
PID 700 wrote to memory of 2380	700	Emhkdmlg.exe	101
PID 2380 wrote to memory of 3144	2380	Enigke32.exe	102
PID 2380 wrote to memory of 3144	2380	Enigke32.exe	102
PID 2380 wrote to memory of 3144	2380	Enigke32.exe	102
PID 3144 wrote to memory of 4708	3144	Eiokinbk.exe	104
PID 3144 wrote to memory of 4708	3144	Eiokinbk.exe	104
PID 3144 wrote to memory of 4708	3144	Eiokinbk.exe	104
PID 4708 wrote to memory of 4104	4708	Enkdaepb.exe	105
PID 4708 wrote to memory of 4104	4708	Enkdaepb.exe	105
PID 4708 wrote to memory of 4104	4708	Enkdaepb.exe	105
PID 4104 wrote to memory of 1752	4104	Eiahnnph.exe	106
PID 4104 wrote to memory of 1752	4104	Eiahnnph.exe	106
PID 4104 wrote to memory of 1752	4104	Eiahnnph.exe	106
PID 1752 wrote to memory of 1392	1752	Eokqkh32.exe	107

C:\Users\Admin\AppData\Local\Temp\8df62b86aa7d947bad07ac68f777f5562acf05fa4b12c820b74e860f5dc04290N.exe
"C:\Users\Admin\AppData\Local\Temp\8df62b86aa7d947bad07ac68f777f5562acf05fa4b12c820b74e860f5dc04290N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Windows\SysWOW64\Chnbbqpn.exe
  C:\Windows\system32\Chnbbqpn.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4636
- - C:\Windows\SysWOW64\Cohkokgj.exe
    C:\Windows\system32\Cohkokgj.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2956
  - - C:\Windows\SysWOW64\Cfbcke32.exe
      C:\Windows\system32\Cfbcke32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1020
    - - C:\Windows\SysWOW64\Chqogq32.exe
        
        C:\Windows\system32\Chqogq32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3160
      - C:\Windows\SysWOW64\Dnmhpg32.exe
        
        C:\Windows\system32\Dnmhpg32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Windows\SysWOW64\Dhclmp32.exe
        
        C:\Windows\system32\Dhclmp32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:824
        
        C:\Windows\SysWOW64\Dkahilkl.exe
        
        C:\Windows\system32\Dkahilkl.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\SysWOW64\Dfglfdkb.exe
        
        C:\Windows\system32\Dfglfdkb.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\SysWOW64\Dmadco32.exe
        
        C:\Windows\system32\Dmadco32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\SysWOW64\Dnbakghm.exe
        
        C:\Windows\system32\Dnbakghm.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\SysWOW64\Digehphc.exe
        
        C:\Windows\system32\Digehphc.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\SysWOW64\Dkfadkgf.exe
        
        C:\Windows\system32\Dkfadkgf.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\SysWOW64\Ddnfmqng.exe
        
        C:\Windows\system32\Ddnfmqng.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\SysWOW64\Dmennnni.exe
        
        C:\Windows\system32\Dmennnni.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\SysWOW64\Dfnbgc32.exe
        
        C:\Windows\system32\Dfnbgc32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4756
        
        C:\Windows\SysWOW64\Emhkdmlg.exe
        
        C:\Windows\system32\Emhkdmlg.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:700
        
        C:\Windows\SysWOW64\Enigke32.exe
        
        C:\Windows\system32\Enigke32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\SysWOW64\Eiokinbk.exe
        
        C:\Windows\system32\Eiokinbk.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3144
        
        C:\Windows\SysWOW64\Enkdaepb.exe
        
        C:\Windows\system32\Enkdaepb.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\SysWOW64\Eiahnnph.exe
        
        C:\Windows\system32\Eiahnnph.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4104
        
        C:\Windows\SysWOW64\Eokqkh32.exe
        
        C:\Windows\system32\Eokqkh32.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\SysWOW64\Efeihb32.exe
        
        C:\Windows\system32\Efeihb32.exe
        23⤵
        Executes dropped EXE
        
        PID:1392
        
        C:\Windows\SysWOW64\Emoadlfo.exe
        
        C:\Windows\system32\Emoadlfo.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2192
        
        C:\Windows\SysWOW64\Eblimcdf.exe
        
        C:\Windows\system32\Eblimcdf.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1680
        
        C:\Windows\SysWOW64\Efgemb32.exe
        
        C:\Windows\system32\Efgemb32.exe
        26⤵
        Executes dropped EXE
        
        PID:1860
        
        C:\Windows\SysWOW64\Emanjldl.exe
        
        C:\Windows\system32\Emanjldl.exe
        27⤵
        Executes dropped EXE
        
        PID:3328
        
        C:\Windows\SysWOW64\Enbjad32.exe
        
        C:\Windows\system32\Enbjad32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2400
        
        C:\Windows\SysWOW64\Felbnn32.exe
        
        C:\Windows\system32\Felbnn32.exe
        29⤵
        Executes dropped EXE
        
        PID:4264
        
        C:\Windows\SysWOW64\Flfkkhid.exe
        
        C:\Windows\system32\Flfkkhid.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3912
        
        C:\Windows\SysWOW64\Fneggdhg.exe
        
        C:\Windows\system32\Fneggdhg.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Fijkdmhn.exe
        
        C:\Windows\system32\Fijkdmhn.exe
        32⤵
        Executes dropped EXE
        
        PID:5020
        
        C:\Windows\SysWOW64\Fngcmcfe.exe
        
        C:\Windows\system32\Fngcmcfe.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\Ffnknafg.exe
        
        C:\Windows\system32\Ffnknafg.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\Fealin32.exe
        
        C:\Windows\system32\Fealin32.exe
        35⤵
        Executes dropped EXE
        
        PID:3044
        
        C:\Windows\SysWOW64\Flkdfh32.exe
        
        C:\Windows\system32\Flkdfh32.exe
        36⤵
        Executes dropped EXE
        
        PID:3880
        
        C:\Windows\SysWOW64\Fbelcblk.exe
        
        C:\Windows\system32\Fbelcblk.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1676
        
        C:\Windows\SysWOW64\Fiodpl32.exe
        
        C:\Windows\system32\Fiodpl32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4360
        
        C:\Windows\SysWOW64\Flmqlg32.exe
        
        C:\Windows\system32\Flmqlg32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4000
        
        C:\Windows\SysWOW64\Fbgihaji.exe
        
        C:\Windows\system32\Fbgihaji.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Fefedmil.exe
        
        C:\Windows\system32\Fefedmil.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\Fpkibf32.exe
        
        C:\Windows\system32\Fpkibf32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3212
        
        C:\Windows\SysWOW64\Fnnjmbpm.exe
        
        C:\Windows\system32\Fnnjmbpm.exe
        43⤵
        Executes dropped EXE
        
        PID:1400
        
        C:\Windows\SysWOW64\Gfeaopqo.exe
        
        C:\Windows\system32\Gfeaopqo.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3388
        
        C:\Windows\SysWOW64\Gmojkj32.exe
        
        C:\Windows\system32\Gmojkj32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:316
        
        C:\Windows\SysWOW64\Gpnfge32.exe
        
        C:\Windows\system32\Gpnfge32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:212
        
        C:\Windows\SysWOW64\Gfhndpol.exe
        
        C:\Windows\system32\Gfhndpol.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:372
        
        C:\Windows\SysWOW64\Gmafajfi.exe
        
        C:\Windows\system32\Gmafajfi.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3480
        
        C:\Windows\SysWOW64\Gldglf32.exe
        
        C:\Windows\system32\Gldglf32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4036
        
        C:\Windows\SysWOW64\Gfjkjo32.exe
        
        C:\Windows\system32\Gfjkjo32.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\Gihgfk32.exe
        
        C:\Windows\system32\Gihgfk32.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2280
        
        C:\Windows\SysWOW64\Glgcbf32.exe
        
        C:\Windows\system32\Glgcbf32.exe
        52⤵
        Executes dropped EXE
        
        PID:3188
        
        C:\Windows\SysWOW64\Gbalopbn.exe
        
        C:\Windows\system32\Gbalopbn.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2348
        
        C:\Windows\SysWOW64\Geohklaa.exe
        
        C:\Windows\system32\Geohklaa.exe
        54⤵
        Executes dropped EXE
        
        PID:3408
        
        C:\Windows\SysWOW64\Gmfplibd.exe
        
        C:\Windows\system32\Gmfplibd.exe
        55⤵
        Executes dropped EXE
        
        PID:1188
        
        C:\Windows\SysWOW64\Gbchdp32.exe
        
        C:\Windows\system32\Gbchdp32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4932
        
        C:\Windows\SysWOW64\Geaepk32.exe
        
        C:\Windows\system32\Geaepk32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4292
        
        C:\Windows\SysWOW64\Gmimai32.exe
        
        C:\Windows\system32\Gmimai32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3832
        
        C:\Windows\SysWOW64\Gojiiafp.exe
        
        C:\Windows\system32\Gojiiafp.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4624
        
        C:\Windows\SysWOW64\Hmkigh32.exe
        
        C:\Windows\system32\Hmkigh32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4928
        
        C:\Windows\SysWOW64\Hefnkkkj.exe
        
        C:\Windows\system32\Hefnkkkj.exe
        61⤵
        Executes dropped EXE
        
        PID:2804
        
        C:\Windows\SysWOW64\Hffken32.exe
        
        C:\Windows\system32\Hffken32.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1500
        
        C:\Windows\SysWOW64\Hlbcnd32.exe
        
        C:\Windows\system32\Hlbcnd32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3740
        
        C:\Windows\SysWOW64\Hblkjo32.exe
        
        C:\Windows\system32\Hblkjo32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3892
        
        C:\Windows\SysWOW64\Hfjdqmng.exe
        
        C:\Windows\system32\Hfjdqmng.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2336
        
        C:\Windows\SysWOW64\Iepaaico.exe
        
        C:\Windows\system32\Iepaaico.exe
        66⤵
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\Iohejo32.exe
        
        C:\Windows\system32\Iohejo32.exe
        67⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\Imiehfao.exe
        
        C:\Windows\system32\Imiehfao.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2904
        
        C:\Windows\SysWOW64\Iipfmggc.exe
        
        C:\Windows\system32\Iipfmggc.exe
        69⤵
        Drops file in System32 directory
        
        PID:3076
        
        C:\Windows\SysWOW64\Ipjoja32.exe
        
        C:\Windows\system32\Ipjoja32.exe
        70⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1132
        
        C:\Windows\SysWOW64\Imnocf32.exe
        
        C:\Windows\system32\Imnocf32.exe
        71⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\Ickglm32.exe
        
        C:\Windows\system32\Ickglm32.exe
        72⤵
        Drops file in System32 directory
        
        PID:4352
        
        C:\Windows\SysWOW64\Iidphgcn.exe
        
        C:\Windows\system32\Iidphgcn.exe
        73⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\Ipoheakj.exe
        
        C:\Windows\system32\Ipoheakj.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:776
        
        C:\Windows\SysWOW64\Jekqmhia.exe
        
        C:\Windows\system32\Jekqmhia.exe
        75⤵
        Drops file in System32 directory
        
        PID:1908
        
        C:\Windows\SysWOW64\Jocefm32.exe
        
        C:\Windows\system32\Jocefm32.exe
        76⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Jenmcggo.exe
        
        C:\Windows\system32\Jenmcggo.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1092
        
        C:\Windows\SysWOW64\Jgmjmjnb.exe
        
        C:\Windows\system32\Jgmjmjnb.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2000
        
        C:\Windows\SysWOW64\Jljbeali.exe
        
        C:\Windows\system32\Jljbeali.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1140
        
        C:\Windows\SysWOW64\Jebfng32.exe
        
        C:\Windows\system32\Jebfng32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4412
        
        C:\Windows\SysWOW64\Jniood32.exe
        
        C:\Windows\system32\Jniood32.exe
        81⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\Jgbchj32.exe
        
        C:\Windows\system32\Jgbchj32.exe
        82⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Jjpode32.exe
        
        C:\Windows\system32\Jjpode32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4604
        
        C:\Windows\SysWOW64\Kcidmkpq.exe
        
        C:\Windows\system32\Kcidmkpq.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3428
        
        C:\Windows\SysWOW64\Klahfp32.exe
        
        C:\Windows\system32\Klahfp32.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Koodbl32.exe
        
        C:\Windows\system32\Koodbl32.exe
        86⤵
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\Keimof32.exe
        
        C:\Windows\system32\Keimof32.exe
        87⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\Knqepc32.exe
        
        C:\Windows\system32\Knqepc32.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3652
        
        C:\Windows\SysWOW64\Kpoalo32.exe
        
        C:\Windows\system32\Kpoalo32.exe
        89⤵
        Drops file in System32 directory
        
        PID:4900
        
        C:\Windows\SysWOW64\Kjgeedch.exe
        
        C:\Windows\system32\Kjgeedch.exe
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:4116
        
        C:\Windows\SysWOW64\Kpanan32.exe
        
        C:\Windows\system32\Kpanan32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3868
        
        C:\Windows\SysWOW64\Kfnfjehl.exe
        
        C:\Windows\system32\Kfnfjehl.exe
        92⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:772
        
        C:\Windows\SysWOW64\Kpcjgnhb.exe
        
        C:\Windows\system32\Kpcjgnhb.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5160
        
        C:\Windows\SysWOW64\Kcbfcigf.exe
        
        C:\Windows\system32\Kcbfcigf.exe
        94⤵
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Kngkqbgl.exe
        
        C:\Windows\system32\Kngkqbgl.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5248
        
        C:\Windows\SysWOW64\Lcdciiec.exe
        
        C:\Windows\system32\Lcdciiec.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5292
        
        C:\Windows\SysWOW64\Lnjgfb32.exe
        
        C:\Windows\system32\Lnjgfb32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5336
        
        C:\Windows\SysWOW64\Lfeljd32.exe
        
        C:\Windows\system32\Lfeljd32.exe
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:5380
        
        C:\Windows\SysWOW64\Lqkqhm32.exe
        
        C:\Windows\system32\Lqkqhm32.exe
        99⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\Lgdidgjg.exe
        
        C:\Windows\system32\Lgdidgjg.exe
        100⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5468
        
        C:\Windows\SysWOW64\Ljceqb32.exe
        
        C:\Windows\system32\Ljceqb32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5512
        
        C:\Windows\SysWOW64\Lckiihok.exe
        
        C:\Windows\system32\Lckiihok.exe
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:5556
        
        C:\Windows\SysWOW64\Lfjfecno.exe
        
        C:\Windows\system32\Lfjfecno.exe
        103⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\Lqojclne.exe
        
        C:\Windows\system32\Lqojclne.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5644
        
        C:\Windows\SysWOW64\Lflbkcll.exe
        
        C:\Windows\system32\Lflbkcll.exe
        105⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\Modgdicm.exe
        
        C:\Windows\system32\Modgdicm.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5732
        
        C:\Windows\SysWOW64\Mfnoqc32.exe
        
        C:\Windows\system32\Mfnoqc32.exe
        107⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\Mnegbp32.exe
        
        C:\Windows\system32\Mnegbp32.exe
        108⤵
        Drops file in System32 directory
        
        PID:5816
        
        C:\Windows\SysWOW64\Mogcihaj.exe
        
        C:\Windows\system32\Mogcihaj.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5860
        
        C:\Windows\SysWOW64\Mnhdgpii.exe
        
        C:\Windows\system32\Mnhdgpii.exe
        110⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Moipoh32.exe
        
        C:\Windows\system32\Moipoh32.exe
        111⤵
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\Mqimikfj.exe
        
        C:\Windows\system32\Mqimikfj.exe
        112⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5988
        
        C:\Windows\SysWOW64\Mgbefe32.exe
        
        C:\Windows\system32\Mgbefe32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6032
        
        C:\Windows\SysWOW64\Mnmmboed.exe
        
        C:\Windows\system32\Mnmmboed.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6076
        
        C:\Windows\SysWOW64\Mfhbga32.exe
        
        C:\Windows\system32\Mfhbga32.exe
        115⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\Njfkmphe.exe
        
        C:\Windows\system32\Njfkmphe.exe
        116⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\Npbceggm.exe
        
        C:\Windows\system32\Npbceggm.exe
        117⤵
        Drops file in System32 directory
        
        PID:5224
        
        C:\Windows\SysWOW64\Ngjkfd32.exe
        
        C:\Windows\system32\Ngjkfd32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Njhgbp32.exe
        
        C:\Windows\system32\Njhgbp32.exe
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:5364
        
        C:\Windows\SysWOW64\Nqbpojnp.exe
        
        C:\Windows\system32\Nqbpojnp.exe
        120⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Nglhld32.exe
        
        C:\Windows\system32\Nglhld32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5496
        
        C:\Windows\SysWOW64\Nadleilm.exe
        
        C:\Windows\system32\Nadleilm.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Nnhmnn32.exe
        
        C:\Windows\system32\Nnhmnn32.exe
        123⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Ngqagcag.exe
        
        C:\Windows\system32\Ngqagcag.exe
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:5696
        
        C:\Windows\SysWOW64\Ogcnmc32.exe
        
        C:\Windows\system32\Ogcnmc32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5780
        
        C:\Windows\SysWOW64\Opnbae32.exe
        
        C:\Windows\system32\Opnbae32.exe
        126⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5848
        
        C:\Windows\SysWOW64\Ofhknodl.exe
        
        C:\Windows\system32\Ofhknodl.exe
        127⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Opqofe32.exe
        
        C:\Windows\system32\Opqofe32.exe
        128⤵
        Drops file in System32 directory
        
        PID:5984
        
        C:\Windows\SysWOW64\Oghghb32.exe
        
        C:\Windows\system32\Oghghb32.exe
        129⤵
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Ojfcdnjc.exe
        
        C:\Windows\system32\Ojfcdnjc.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6116
        
        C:\Windows\SysWOW64\Ojhpimhp.exe
        
        C:\Windows\system32\Ojhpimhp.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Oabhfg32.exe
        
        C:\Windows\system32\Oabhfg32.exe
        132⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\Pnfiplog.exe
        
        C:\Windows\system32\Pnfiplog.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5420
        
        C:\Windows\SysWOW64\Paeelgnj.exe
        
        C:\Windows\system32\Paeelgnj.exe
        134⤵
        Drops file in System32 directory
        
        PID:5520
        
        C:\Windows\SysWOW64\Pfandnla.exe
        
        C:\Windows\system32\Pfandnla.exe
        135⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\Pagbaglh.exe
        
        C:\Windows\system32\Pagbaglh.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Pdenmbkk.exe
        
        C:\Windows\system32\Pdenmbkk.exe
        137⤵
        Modifies registry class
        
        PID:5836
        
        C:\Windows\SysWOW64\Paiogf32.exe
        
        C:\Windows\system32\Paiogf32.exe
        138⤵
        Drops file in System32 directory
        
        PID:5952
        
        C:\Windows\SysWOW64\Pffgom32.exe
        
        C:\Windows\system32\Pffgom32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Pmpolgoi.exe
        
        C:\Windows\system32\Pmpolgoi.exe
        140⤵
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Palklf32.exe
        
        C:\Windows\system32\Palklf32.exe
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:5332
        
        C:\Windows\SysWOW64\Pjdpelnc.exe
        
        C:\Windows\system32\Pjdpelnc.exe
        142⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\Panhbfep.exe
        
        C:\Windows\system32\Panhbfep.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5676
        
        C:\Windows\SysWOW64\Qhhpop32.exe
        
        C:\Windows\system32\Qhhpop32.exe
        144⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\Qfkqjmdg.exe
        
        C:\Windows\system32\Qfkqjmdg.exe
        145⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Qaqegecm.exe
        
        C:\Windows\system32\Qaqegecm.exe
        146⤵
        Drops file in System32 directory
        
        PID:5172
        
        C:\Windows\SysWOW64\Qhjmdp32.exe
        
        C:\Windows\system32\Qhjmdp32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5436
        
        C:\Windows\SysWOW64\Qjiipk32.exe
        
        C:\Windows\system32\Qjiipk32.exe
        148⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\Qacameaj.exe
        
        C:\Windows\system32\Qacameaj.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6000
        
        C:\Windows\SysWOW64\Qpeahb32.exe
        
        C:\Windows\system32\Qpeahb32.exe
        150⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\Afpjel32.exe
        
        C:\Windows\system32\Afpjel32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Aphnnafb.exe
        
        C:\Windows\system32\Aphnnafb.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5244
        
        C:\Windows\SysWOW64\Adcjop32.exe
        
        C:\Windows\system32\Adcjop32.exe
        153⤵
        Modifies registry class
        
        PID:5976
        
        C:\Windows\SysWOW64\Afbgkl32.exe
        
        C:\Windows\system32\Afbgkl32.exe
        154⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5712
        
        C:\Windows\SysWOW64\Amlogfel.exe
        
        C:\Windows\system32\Amlogfel.exe
        155⤵
        Modifies registry class
        
        PID:5456
        
        C:\Windows\SysWOW64\Adfgdpmi.exe
        
        C:\Windows\system32\Adfgdpmi.exe
        156⤵
        System Location Discovery: System Language Discovery
        
        PID:6160
        
        C:\Windows\SysWOW64\Amnlme32.exe
        
        C:\Windows\system32\Amnlme32.exe
        157⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6204
        
        C:\Windows\SysWOW64\Aajhndkb.exe
        
        C:\Windows\system32\Aajhndkb.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6248
        
        C:\Windows\SysWOW64\Adhdjpjf.exe
        
        C:\Windows\system32\Adhdjpjf.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6292
        
        C:\Windows\SysWOW64\Amqhbe32.exe
        
        C:\Windows\system32\Amqhbe32.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6336
        
        C:\Windows\SysWOW64\Apodoq32.exe
        
        C:\Windows\system32\Apodoq32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6372
        
        C:\Windows\SysWOW64\Akdilipp.exe
        
        C:\Windows\system32\Akdilipp.exe
        162⤵
        Drops file in System32 directory
        
        PID:6424
        
        C:\Windows\SysWOW64\Aaoaic32.exe
        
        C:\Windows\system32\Aaoaic32.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6468
        
        C:\Windows\SysWOW64\Bhhiemoj.exe
        
        C:\Windows\system32\Bhhiemoj.exe
        164⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        165⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6556
        
        C:\Windows\SysWOW64\Bmhocd32.exe
        
        C:\Windows\system32\Bmhocd32.exe
        166⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\Bdagpnbk.exe
        
        C:\Windows\system32\Bdagpnbk.exe
        167⤵
        System Location Discovery: System Language Discovery
        
        PID:6644
        
        C:\Windows\SysWOW64\Bklomh32.exe
        
        C:\Windows\system32\Bklomh32.exe
        168⤵
        Modifies registry class
        
        PID:6684
        
        C:\Windows\SysWOW64\Bmjkic32.exe
        
        C:\Windows\system32\Bmjkic32.exe
        169⤵
        
        PID:6728
        
        C:\Windows\SysWOW64\Bddcenpi.exe
        
        C:\Windows\system32\Bddcenpi.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6772
        
        C:\Windows\SysWOW64\Bgbpaipl.exe
        
        C:\Windows\system32\Bgbpaipl.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6816
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        172⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\Bhblllfo.exe
        
        C:\Windows\system32\Bhblllfo.exe
        173⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\Boldhf32.exe
        
        C:\Windows\system32\Boldhf32.exe
        174⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\Bajqda32.exe
        
        C:\Windows\system32\Bajqda32.exe
        175⤵
        Drops file in System32 directory
        
        PID:7000
        
        C:\Windows\SysWOW64\Chdialdl.exe
        
        C:\Windows\system32\Chdialdl.exe
        176⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7044
        
        C:\Windows\SysWOW64\Cnaaib32.exe
        
        C:\Windows\system32\Cnaaib32.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7088
        
        C:\Windows\SysWOW64\Cponen32.exe
        
        C:\Windows\system32\Cponen32.exe
        178⤵
        
        PID:7132
        
        C:\Windows\SysWOW64\Cgifbhid.exe
        
        C:\Windows\system32\Cgifbhid.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6152
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        180⤵
        Drops file in System32 directory
        
        PID:6224
        
        C:\Windows\SysWOW64\Cocjiehd.exe
        
        C:\Windows\system32\Cocjiehd.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6300
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        182⤵
        System Location Discovery: System Language Discovery
        
        PID:6364
        
        C:\Windows\SysWOW64\Chkobkod.exe
        
        C:\Windows\system32\Chkobkod.exe
        183⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6436
        
        C:\Windows\SysWOW64\Ckjknfnh.exe
        
        C:\Windows\system32\Ckjknfnh.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6504
        
        C:\Windows\SysWOW64\Cpfcfmlp.exe
        
        C:\Windows\system32\Cpfcfmlp.exe
        185⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\Cogddd32.exe
        
        C:\Windows\system32\Cogddd32.exe
        186⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\Dpiplm32.exe
        
        C:\Windows\system32\Dpiplm32.exe
        187⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\Dkndie32.exe
        
        C:\Windows\system32\Dkndie32.exe
        188⤵
        Drops file in System32 directory
        
        PID:6804
        
        C:\Windows\SysWOW64\Dahmfpap.exe
        
        C:\Windows\system32\Dahmfpap.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6900
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        190⤵
        System Location Discovery: System Language Discovery
        
        PID:6976
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        191⤵
        System Location Discovery: System Language Discovery
        
        PID:7040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7040 -s 408
        192⤵
        Program crash
        
        PID:6172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 7040 -ip 7040
1⤵
PID:7148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adhdjpjf.exe

Filesize
45KB

MD5
c3eebc77f6fee33a19b37ba49dec39d0

SHA1
7f81837f35bf576b8fa3dd447d95fe92734abeed

SHA256
35d8a5e930be3c88f7223bfdecfd5fca3b7cdd3b818b39300ad770368871f7c8

SHA512
70188c2ce015861c7c25de01ed460974349c8179859973a65d989ba3818b777b406efb1489770e9292f4c04e6505a5a3f1c8cc903cb1a0acb4fe511d3404c31b

Download Submit
C:\Windows\SysWOW64\Afpjel32.exe

Filesize
45KB

MD5
61a68afd7d0ab5671e29ef88d5618600

SHA1
2c86a3caf00736b476f4c621cd73693f4c80310e

SHA256
48f5796a59142d7c434587e44f1c65dea19acc6bc44724fe7d440c4068875156

SHA512
84fe88982c46c88075ff8b2b9627e9568c00b2739b143540cd85d85ddd282ba7e87ab99c6177def1c51219df6cd9dd7ee5effb943fc5bf05a40120fd8e79267b

Download Submit
C:\Windows\SysWOW64\Amnlme32.exe

Filesize
45KB

MD5
84f2d7f34dd7d5e93603f3534a1f5ed3

SHA1
879a45045e5512dd0f97e654fdeebf479b5d6b76

SHA256
975f84fdb1b83dec8ea0d260174171f444e6755f621c2ca25e029badd77a2f38

SHA512
2cd82f22f8f350cd62543602f34630e8da1e3fef3c798618930aa61f123a2dab7036d7cb4ac4d9a0acba43bf827601608a8f0d7bbe784880209ad53067fc9868

Download Submit
C:\Windows\SysWOW64\Bahdob32.exe

Filesize
45KB

MD5
982a355f31958ea8c86a9b61dec39e92

SHA1
11c1d6e60ee69ab30b3ceaa28d87ae51c4e70d25

SHA256
dc58a551771321240e505a78c05e464ab64d27d50b2b0352e35010a4179c30e5

SHA512
8d5eb9d346983b826ffd226fa24782807fbf73e2e6397c5244ccec2e26d78769a19f0bea0e1665b0888540520e226ef3dcf242f71b79fb29d0dea2df761460c3

Download Submit
C:\Windows\SysWOW64\Cdmfllhn.exe

Filesize
45KB

MD5
ff43167e4a6b21594194d90daac1ac4d

SHA1
a6a24a839981d9c3a910b6fb20186a4f9b5bc90e

SHA256
68b07225aa5fbee900b6c134d19845294ec57d087817c816fd44a96d58583c68

SHA512
b37547dae93eb11b140cf903edb43f04177f79c16f214c03b69fbc7ea666854b75374ab700a651bba1ce3f1cf65a3646f23fc5f8554753d5bdd3e6287dc11499

Download Submit
C:\Windows\SysWOW64\Cfbcke32.exe

Filesize
45KB

MD5
b70a6e2d8a075a216aebe36e8f6f5d5b

SHA1
78b326c045db1445bad738d7d59edf16062edc00

SHA256
f4f99a31bdecc29b097e7ac850ecd28d05ce17b8e5041b1bd2df73e9e38fc499

SHA512
416a9409a56cbb256526b5cb828160256b45e976faf97085781c594583c99b883bd97f60d0ade1d0fed795a876d9213f55b2c81d83e577b7a6f8d93410b3dcad

Download Submit
C:\Windows\SysWOW64\Chnbbqpn.exe

Filesize
45KB

MD5
ef99537c13f0aaed390d6ae62e4716d9

SHA1
2577a82d0543ce2eab0a9ab5da6c217510aab065

SHA256
ab3b98d11b2465e5441211c4b873bcb44689a681cc8b8c9d3bcb831a3c863121

SHA512
4c5a70e258985e157f4ca513ea0d44b92883a08cd7d4fe73236b61258441a17a4a46dc7c8629e45fd4694b3f9a9fa936653434c993c12e5327de592e80ec3084

Download Submit
C:\Windows\SysWOW64\Chqogq32.exe

Filesize
45KB

MD5
32fb2013e7a797e5db1d14db88af0966

SHA1
b54a41e84ad849302a57c7bc0f3d6e3aae7c0251

SHA256
28fadcda9645e7d13390007e3c17c00f630ba28738e2ad52bef7693ae771509f

SHA512
255a5a08cff908e0c8146779a4fc6239c54b475e1a249de0a68cdc1a20bbf5b5daf04db5a9858d524b95b26cbfefcea41931792a76ca13c8f16e41d5843065cc

Download Submit
C:\Windows\SysWOW64\Cnaaib32.exe

Filesize
45KB

MD5
371af64ab11adc522286b24df5bbd77f

SHA1
44836e42c63355700d991d51280162f48c225762

SHA256
9f26b59a39228e2d44d02f7402aee9ed1e5aa6131c96ff619e07ee7552aaa03e

SHA512
1557d5bb0ce6f08e140183cec2519eab55ab8e6894354eafdf58c080c1d9d172a991c7387a97f5f25cc538909bbf60d6519daf4f214a068d971100c8c749d0cd

Download Submit
C:\Windows\SysWOW64\Cohkokgj.exe

Filesize
45KB

MD5
f197489b366a42e3058f5b0fa926b6d9

SHA1
4189340b2015806e69922624091ed6690e33bf5b

SHA256
b9328195e9ec9a5222a214318ce93e4c25a96290c5ff5f9f58859f64fabeae96

SHA512
726603ec1180ebb701119a509811d28953e46c74672f982ecac70a8e71655c6a7c6d8f96764054b3e0a7eff879e4c9f15742181690a26b7af251814b106f3e2a

Download Submit
C:\Windows\SysWOW64\Cpfcfmlp.exe

Filesize
45KB

MD5
b13f61c49d150473d1de8e7208fd2e10

SHA1
754d6b5c1224639c53b6e58c020d1b34e3114774

SHA256
180d68b4c109cad987fd4d9a78ab9387c8f6db6b93b24f4163704fee5608048d

SHA512
bfbae9d87b648bc649728ec0cd0acd77e972f949cfe07be8507204bc89c051617473ff78a928c627768d3ed1ba9753ed9b3532b61719cf60a9cfd29712a6bc7f

Download Submit
C:\Windows\SysWOW64\Ddnfmqng.exe

Filesize
45KB

MD5
f63c589c342c4b566a560618f1b9cab8

SHA1
d9cd8a9f8eb270c710c5489ff7d738531c7fb379

SHA256
9b089a58f26514068c05452c9fe374c95d59b98371a7579f6127dbceffff9a9e

SHA512
fc4d2fb73d4a72afb9f03d2e8d805c89fae64e89a2fa120ef974d91589aa14d753ab7391cd097c39eff8bef28def2d28906ffb72d031a2edb9ed97c3ce5251ae

Download Submit
C:\Windows\SysWOW64\Dfglfdkb.exe

Filesize
45KB

MD5
4bd7f644b39ece3f33781b9bc17749ad

SHA1
e2a3b785e29290e1758c31821c80d50e5e0d6527

SHA256
cd88bd391ba08c7b2261d212402ce8020847209c421cf4c16feeb9b0a5e0aa7b

SHA512
115ba577ceb7a914524d5d837793c8dfa01fe5cafdd9c810f95a847eeef0e5319e9b203642e06db7d281eb3280c365ee20c776fddc240d632767e1329b385c01

Download Submit
C:\Windows\SysWOW64\Dfnbgc32.exe

Filesize
45KB

MD5
f308d890232d9f0cc3d366ad879e7e9c

SHA1
85bc0496e2a94cd743a934cd4cc2b1362fca4a51

SHA256
f1830e86f07e68e36f6d6bf4b6ca0eee2c9693f71a12fe0156ffa6823e664e80

SHA512
3a5301d50ab5d77dbfa251c42a3ec97e649889fa30cea48f203a19e3137f01898d51ba6f2358a7b202dd17aa40de4bbb692dd94277116e6296acc0b5fd0b7541

Download Submit
C:\Windows\SysWOW64\Dhclmp32.exe

Filesize
45KB

MD5
cd141b3a8ce3fc63023673c3d49684a5

SHA1
30933134fa4af333bc471e2bf43e881d40917740

SHA256
3fb21e40b8eb15d7201d71171150a487150f0537947dcaa455210ec5c1a4bf5f

SHA512
0dbce158c3cb05a904d7e36926d39184d5ec3eff863ae4aee1260176e0811ccbe0e63b1ba3e27bb1c3b31f295d0f6b969a1ac10de856fad2f3d8b391f3fd85ae

Download Submit
C:\Windows\SysWOW64\Digehphc.exe

Filesize
45KB

MD5
36e1201ca8daed9e8b42728ec70eb60d

SHA1
f82244ffea61f71a855b81b21b403f3dc044c5f2

SHA256
db8641dc6f1121002cd497513b9bc96babe568425b5118635e5e301280e1cff9

SHA512
a4693a2e98b3447a144974e8e101ee3f80f17528962b94919c6b78368015838a8d4afb612ad75d8758d4436a2945b7936afe913b94fdfd1ce4b97e59f96f7c5b

Download Submit
C:\Windows\SysWOW64\Dkahilkl.exe

Filesize
45KB

MD5
f2e02e845ccd5f9664bef9325f2f01c8

SHA1
8704d8034ca93677f0fc7d491b0a288996a8d361

SHA256
691fb90e082c630102819a558b4cc4895fc323705a6fc1b891a88017e2e7ba1f

SHA512
32e06b5421104961656afc8acf85e04b327811fa8ec6e8bb12b81e4c201781396afd1dc007b88df1382afdc389efcb8104cf5271f69fc40ba24bca4b8200e3d4

Download Submit
C:\Windows\SysWOW64\Dkfadkgf.exe

Filesize
45KB

MD5
cd967f04448ff216080f98c7855d5074

SHA1
ae98bfa5070ab07f845cc933e0e370f35f33df91

SHA256
bf03490d347d28b8e31962db4ef771d9c9528ea5cf91177816ebddeaebdf1ea4

SHA512
c13f8f3db08c285f0f335f7316e18723122e9d3aeb651e5d334f135a5c03ca29406f816448354388b4e0d6485f109891cef5ce149a95a9259171742e9c668d54

Download Submit
C:\Windows\SysWOW64\Dmadco32.exe

Filesize
45KB

MD5
65bf0080b50ffbacbf7fd9fbcdce2cf8

SHA1
9eb46055140b1cd6b27a4945e24ef75b5e9d48a8

SHA256
3a95718b07eed2158a7f07bae6b04fcf373e8cd8e72e2001bc4c7300024a191f

SHA512
5b12e9e776137082d4faffb93a9ac5416d6edd7f014c4dbce1f16537a7940001abbe964f11283fd4acf8c508d582b6da664ffcebdade2336205368f89c81fb09

Download Submit
C:\Windows\SysWOW64\Dmennnni.exe

Filesize
45KB

MD5
d96a3454ae0047b4a38ffc2ee26ca680

SHA1
ee3d6c7fa5089746a0dc3a5a877a899343f3fba0

SHA256
3407ce6a82d1ee5d3bee45d5a0f5ea078c27dcc0c865244b64e085372ce84a3d

SHA512
63b100d05deca3b1399bae4eccc49c08c8f73dbcd2d73507facdd47b7f8849d184e53fe6a25fd2c223398d1111d4da459c035caff7d494d2ba87e0abcaccd523

Download Submit
C:\Windows\SysWOW64\Dnbakghm.exe

Filesize
45KB

MD5
ec9693927121b4814efb9d0311b5453c

SHA1
0a55dc2d096b9329f42a96876d0f5442a603252b

SHA256
613caf6c55cb9e78fad36d20d9f8b2aa7dd59a9c655b61f311511e7f4e234092

SHA512
8481419ccec02b24a28a37cba5996b8b3963b855d73e480898276e25d2974d69bf7c414a6118b1b6b8864e45af42219b770fb94c51463fac122edbdc99aa66a8

Download Submit
C:\Windows\SysWOW64\Dnmhpg32.exe

Filesize
45KB

MD5
1748ca39dd0cb86ac622289bcdb01102

SHA1
e2fc7739e171023c45064cccd534a21a9503b7f6

SHA256
24fb233e8383a5942de596bbbb540a6f48756b041a241672f54882bae8883721

SHA512
f3cc1e6365178bfb420b08855c2b2d33139576c5ab0e32560169a347d2df3a669321aafc2abb9b54e1b8845d46a53ad2be3a16322009d0037f33568c71442ff3

Download Submit
C:\Windows\SysWOW64\Dpiplm32.exe

Filesize
45KB

MD5
c45493789c6ae1ad19c3f0d5a74c4383

SHA1
0ae72387939ac93f17b6333b8c7f29caa89ec65c

SHA256
5ca1251f49c8b39f8d6d4b813bc16592793fe9e88850cf76aa4f9ef726cac9c7

SHA512
17fb8894b1662c3c96694c267a149ec40e790493c4cb8e0e42652d6b1a77b5d472afd150429ba7bc40b9fb3a898f0c018dd2fee45df65b469adc72f5d9c7a62b

Download Submit
C:\Windows\SysWOW64\Eblimcdf.exe

Filesize
45KB

MD5
45540d7bf6f9adf551af7a0bfc32ff54

SHA1
366760805ac5d99ed4e9d431813e4a83af7de4bb

SHA256
99c0494924816d8c4519eb87b6d8dd8e8395eb19bd554890aa8959bb54973eff

SHA512
30f403a17a8415d6d9a6f574b6d261855b32602e9475ddc897e909d3370d39373ca97c415af8fa763eb9bd8077aea9bbcc1db74ed736669eb10c89d89d4cf2bc

Download Submit
C:\Windows\SysWOW64\Efeihb32.exe

Filesize
45KB

MD5
88862d3db17b4ab9f6304385c7297ae9

SHA1
b4c6d815bc4a5c5329a4b13ffd5cac63ba4f7492

SHA256
aea94b1078c84b6ca0a169bb6a8a300f3f55d62b8051e58fea22ab68e72ae362

SHA512
2fb764dd07c92f4ebefa7fab5a0b0606cf8544bc85d50400692b513b6b22e23629237de10fb227b28e0315fdcea3e1620fc057aac0b9b8488e56f56648c7d230

Download Submit
C:\Windows\SysWOW64\Efgemb32.exe

Filesize
45KB

MD5
c450d37ce2471a771fcf30eb04b82284

SHA1
adf1807bd0f8364283eec10178fb53aa765c0be0

SHA256
e329610df9ecc71f3f5755653e9c56d7d2fc5b6fa3b27425db323873854fc8a3

SHA512
8f9e1c3e367c5a173989693b5b3a27633bc2fa804199f0cf013adacd412eb5d2546e9335e2e4305471ad50f989e8991693777b617fbe5257a108ec3d0bf960f7

Download Submit
C:\Windows\SysWOW64\Eiahnnph.exe

Filesize
45KB

MD5
a2f1bf595b1a12b3e7c7878ef2f7f54e

SHA1
d708cb5ca4882eb1f2c63e288e0a07a094c56795

SHA256
60336359ec0cf77061424df9f74bb0be86121aafb7ae914ecec57aeaeec11de2

SHA512
45d9874f0edf47743ef2ad58c30ec70cc5f98cc3ceb79d0248bd73e274e4d9f0c96fb4e61a1a589ff2dd81a73527163b6159000342ee01c0e3b15dfa2eec3d5a

Download Submit
C:\Windows\SysWOW64\Eiokinbk.exe

Filesize
45KB

MD5
8168a90340b0c081369eab432a840595

SHA1
4e124c5ff7613288d5504553f768cff0c1d2769b

SHA256
4a471b02194e3c8ea4408b6623bcbf95ec78270e61ee8d5facec84486fe84196

SHA512
a806bada1582004cd54ee8b732df0db77763db1a515d4dbc74f3bbdde3e335c1152565e5e476cec0c5e2cc31c896fbcbb30afa273e1e7640742665688b688490

Download Submit
C:\Windows\SysWOW64\Emanjldl.exe

Filesize
45KB

MD5
50b5ce73d2b5075d55470af215ef98a7

SHA1
0983472d0b64e4260a5387dec09e89ab4f2c055b

SHA256
8c3c5d2997f2cc8b1b5537620467b5227733ad94664ae578dd249401e2187e15

SHA512
7e9cb9c9e9264e3e5a9cbc67734fe52c99223a4e35b3943ff0e7b60dcd3e0029fd3a509646954d3292092548eb24345ca170d2aff85f241b4af4d9bf1f79876a

Download Submit
C:\Windows\SysWOW64\Emhkdmlg.exe

Filesize
45KB

MD5
9908bca7f3a5c6f46f9df36898ebd763

SHA1
8663297d5752ca3f523c1029df9894d0c054423d

SHA256
5de13e6bfea39f741ac202fc4132410b769a0b84b045504e27b2a2128dde8999

SHA512
8eba698f6f3bf006e083065cd90564bd98e46a3fdb28029e5a076accdae2f992e3e553346bd8b63333aaf7a920622dc2530ae560788dd5cbe7d61dc29f7b9763

Download Submit
C:\Windows\SysWOW64\Emoadlfo.exe

Filesize
45KB

MD5
49e8c6368df3b099f57386016f4bfea2

SHA1
acd2cb08ac03668fbcaf915862fb2e35732a56a3

SHA256
7e607a4afec54cfc18733bd87f26b16a7e739a4e3c92114b89049a19908ede09

SHA512
13180c2d9967b63f67ddad89c425a05ea86f738b1efba08c1fbbdcc41103a952f459d3e8bf6d9d7d9e4f777e84f778ce11deaf4fac1f6b901a13af36cc7e0d7d

Download Submit
C:\Windows\SysWOW64\Enbjad32.exe

Filesize
45KB

MD5
a01bf28fed1b866b45e759ef4e847c55

SHA1
d15783b6e744d214099a6f53b8796a0f424f11eb

SHA256
690c5af4b5610889ca99012b13c5c801ea4d512e65a1cf702849b3311ecf3850

SHA512
949c0b4d257f875e73f67f1b9a8fad1b2d84cdf483b6d94e3506057e5356b6718a86db56e604395488932740145dd8779c9a93953b94bd2cd22c313dccd5c6b2

Download Submit
C:\Windows\SysWOW64\Enigke32.exe

Filesize
45KB

MD5
de9a71c876b4e43c9f834af70e989a91

SHA1
c0daeca8ba2c90db1d2df8345dbf0a67c80a3797

SHA256
9a9430d57dc1ba6835f3c7d4a8f8e2ade2eb2a5d97cce499d7a89e184e22c89b

SHA512
4b15fc33babd0ec027b9a6b9d90a484be39f4ab072f8e673d26b4db113288ce4656dbf648d1256fad66f46c445312760ac6a49991e0c346f54fd19dceac8176d

Download Submit
C:\Windows\SysWOW64\Enkdaepb.exe

Filesize
45KB

MD5
4f003017dcd04698abf6113a2824f4ba

SHA1
ab4111b9d78fc207cbd7ef53a6e17541e077c5c2

SHA256
dc39b16b4de8ee497bfdffd3c9c74732ed5ec01196fc0f59a14a7b8d560dd866

SHA512
302075170c2ef77bddeb20d7d68b03b0eff3c062922a56f795e1ca0ae7b19faa9cdf7a0a6679a66a253d4e65fe058e0bc6e62815e4f98179ffa1147226a0733f

Download Submit
C:\Windows\SysWOW64\Eokqkh32.exe

Filesize
45KB

MD5
4f505bb26f38632c07b123437a56e8d4

SHA1
c014e10a7ef972a4f68c3a7c49a17ecdf23d39df

SHA256
9f4b6803903d85e7dd6bf5d8062ad05cba34d165dbed7fbfae4feae6be032ad3

SHA512
424b7186f429c8a2d2fe4f156ae479c204ff8a72c7b6cf8ecc42344cd9ffced4277e5da9781fbc660d76a20395f73d00941cb7185dfd7003212112256bff40c9

Download Submit
C:\Windows\SysWOW64\Felbnn32.exe

Filesize
45KB

MD5
6098fb0edf241170d5ef45457731ef3a

SHA1
e72c0d991d449ad4222a1a890bdd9d3a9c6f13a4

SHA256
b6a8f423c3e5e90858972e9fcd5bbfb594baf03b9f949c185634914fe6eb9d5c

SHA512
3386af5033475ee40c575a810fdd3209d308078df62f1b28fc259fc71ddcc45a9a70ba28e58b06ecba4a927447399fd6f5fa76345b423d061c5883fdc2a41c04

Download Submit
C:\Windows\SysWOW64\Fijkdmhn.exe

Filesize
45KB

MD5
87b8496639ea82507aa9d8ff8a82db34

SHA1
fc0da042611c319961f6418c75c486abf18804dd

SHA256
4967418485b854ffeb65f4f89b51cd465637c6799d14fbda442de0f0437532bf

SHA512
a2525d1997bdbf22db2732de89ac7a738e277964c94113f735597a37f34196a095935b991a96246654b7820f879c5d726759388fa6b0828107aef1145a23e8e5

Download Submit
C:\Windows\SysWOW64\Flfkkhid.exe

Filesize
45KB

MD5
ce45a7092211a9da328aab37fffd6cf2

SHA1
c7cfb8e1e6167097409d75c2fd3451623a211c75

SHA256
3597c15c5d57075a3aaac945b606a8273f5935fcbcb459477e729521e48ca5e2

SHA512
ffae5a53321784e10f57d09dde3995c02d50c328fbae1a791dedae6f10a1a930068dfb151e4cdde8d1bfcf464f1c14fd02b0f513264a600712342ce69c53d922

Download Submit
C:\Windows\SysWOW64\Flkdfh32.exe

Filesize
45KB

MD5
b8266427f79afd45c05aa9898b366b15

SHA1
ed042de9def81dc82e77ccaa163cfc1ceca454bc

SHA256
d6eede7ed4e7443962b3e0993cae551635951565a4f99c414c6cc6af2db3ec27

SHA512
ac09c51b0b53606aca890f9f246db8f339218b6143be3339f0822d531b7112ea5263a47e2d673b4ed423ef3f2fcd94f7b740f3e7d1ecda65fdd0aaebb174864d

Download Submit
C:\Windows\SysWOW64\Fneggdhg.exe

Filesize
45KB

MD5
bf1c706885f8e22f07005a94ab6d5293

SHA1
cb60ee8e6751050e900aaf276fc5e3cc45611987

SHA256
18cfd752c820016f45f19b6c45a6d66391fbda5806023d4ec9c12365da09351e

SHA512
2ac9e05703fab678434eeade046591fe2578d2b95552490f14c6406225a1c555ce9665caceb1c8b858fe39729d381eb9e193d08c0e7bd90461dbee52eb666cc6

Download Submit
C:\Windows\SysWOW64\Fngcmcfe.exe

Filesize
45KB

MD5
6a2ede5cf08002dd0e7bdc44958258d4

SHA1
a9d1e06a7a2ffc4086be7138b20fe9b7bebf463c

SHA256
05002315c7ce9bc738d83d2355fdd61d545253bd694cfd22cade7b539848d593

SHA512
bd46d143fbc4c8135c98ac1260f9b423c55332b2f41b469458662216ec5314f1e6d65134a3266ae019e7cf62313e89e4a8f4d1a58eceaa7a1123a37b70a9c603

Download Submit
C:\Windows\SysWOW64\Gmojkj32.exe

Filesize
45KB

MD5
3b85840ad6b767d51a6428fefc3ad81f

SHA1
45225995b4e5c5fe493cfc5de859b256988872ce

SHA256
86993b454eba27244b44c5cd31e72ae1b8b9b3827fa701e75f84a0369546cb34

SHA512
0f00f558742d43eb4cbada435766c06bc3128107e3589b1be023e7159a1067d87495066d938c317c34bcf1ca7582b75afdb1a0b30f912451f7c1d8b3631ff6a1

Download Submit
C:\Windows\SysWOW64\Hffken32.exe

Filesize
45KB

MD5
e015dcc6d6396d1a02a013235e63b152

SHA1
56e192dd016852e514ce52f171e152803aafe5ec

SHA256
5e37383a57e5f67f399e8463c6ea3e2c2fd693bdd6f5cfb7c6ff49f930b7b40b

SHA512
bf3f1290a4067439e0262d8ad48146d8bdb8fc2da7fcde6070aa09130fc042b03c187da25a546367bae75d0937fd62f7b35ca82fae6d1f22e0429e2e979a86bd

Download Submit
C:\Windows\SysWOW64\Jenmcggo.exe

Filesize
45KB

MD5
79733976433ec67aaf0665f94012211d

SHA1
9a57aff4009943b19a9a7b0115910e944979c98c

SHA256
fde8d0da00e377a214933a552c2df6e2e8820197d185ab4637b98f42f576c180

SHA512
f33c4c15bed5cdc6e005fa5832f1029465e46a2c11d285342554ef6148387e9055aafb98fab685ca1efb398b200b244eb56bffdf2bc0dd2a1e79649c0d249fea

Download Submit
C:\Windows\SysWOW64\Jgbchj32.exe

Filesize
45KB

MD5
8735582bddaae7b825dbd02fc928381f

SHA1
5b46f2702591b1f9225ad8a670dac59ff759bc64

SHA256
1f351de63da93b156fc83086f194b36cba277f1f040db6fe39b79e3c1af3f1a3

SHA512
8b5d7e732b3ff0d1be9220cd354c8e194d1d0303d161aaeb28e3d6f70d75dda55fbbdc0bd5b034686e793e12f7548275fb8b7a23c9a6db3386ab9374bfbbc637

Download Submit
C:\Windows\SysWOW64\Kngkqbgl.exe

Filesize
45KB

MD5
959a8cfefd7b7275961e11bdc6668b81

SHA1
584aa993b8185b7e435f97977e230e91fe9b82f9

SHA256
d1247344ebd2c79d3e7b6e778abe04eef6263538150d7aa6580548b8a2a16972

SHA512
d742d2cba6ceaf00726673c6beecb03e3930edce9803cd30dc471a30a608dc78f029bc2dc344a430766818b97e288c1fbc6885f5dce542db0bce94b8834af64c

Download Submit
C:\Windows\SysWOW64\Kpanan32.exe

Filesize
45KB

MD5
10b52e49dcbe32796b28f175ea22b4d0

SHA1
fe74b058fdc7398b0ea59c8c0714316b28f29911

SHA256
5088c3e1f8c21ef099f78efd29e9f340ffc4027d2e48c2288b23d12c3edbd014

SHA512
a4a7bfa57ac35bc44dc23b48314e9efc9cd1acc266ef2c50eb5256d335ccc9a97bb68d180496620bdb4705db8e8ecc3422cfc4aad1a28c7f7e60ebb799c5018b

Download Submit
C:\Windows\SysWOW64\Ljceqb32.exe

Filesize
45KB

MD5
1fb9ff2a3b042b2a92337050f5e422c1

SHA1
55a4bb397644ae2db4c66a5205fe128fae1d3bd8

SHA256
fe00133ebaa9e1f2adaf20dfee2f248063b715f01beabebd3828a086cf0ac225

SHA512
2ce80194570adacc6f0eff84ee73b64ab95e8fee4d78115199883b4fadd2307baa89b51da3b90ede3c58eec5384ddbffe6c8a6b3ed696366482bdedf69241724

Download Submit
C:\Windows\SysWOW64\Lqojclne.exe

Filesize
45KB

MD5
1ed2adba23e3ed06f665547fb95d66db

SHA1
60996c2180abb63c71f3ae6cc683d74164eae69d

SHA256
461f80f50868f608eb91de4cfcb8d2a4d5dc6261a921393e77933faff0aa58d2

SHA512
1998786440fc08151b7bcd4cd16fc0abcc87f14d09b3ffb48d1109567ba524ca9f8a9a89093252dbd21afd75e42e8ed95f14f876cb2602b9c34c7f5ce48e1a88

Download Submit
C:\Windows\SysWOW64\Mfnoqc32.exe

Filesize
45KB

MD5
70a6da7bf4c6469e051f14c7b24487c0

SHA1
54f936bc7c83b3e821d95aae1602c186d7c676f2

SHA256
66fcd05b71b8bc1b2eba72059be377a6a60a94f5f66b773b75e6a9a1dcb1cddf

SHA512
3abda97f8004226ae048369577840f48ef89d8bf1c5aea469bfdaca04e6af2f090c4ae53f1b48dd3b12d7bcbef4cedb3d37dfd5a11d2e1d24b3d9a8b2e401ac7

Download Submit
C:\Windows\SysWOW64\Mogcihaj.exe

Filesize
45KB

MD5
7d09b50dcf74edcf8c038767aa5a5ce2

SHA1
2061ef57579a7d80c2e5c4ecf53a8cda010d8873

SHA256
d7bd3886ac0503b7e6970db5cb1a75d5baf2dc2111323508bcab84eb94b029dd

SHA512
fe9b0634398cd1ba6e61bd33e7bde58dbf41a529f178f863539057fd6f75552c93dc4cbec7023c42164254a735cb7a321c425b6de878442c345a940cfbe72a3f

Download Submit
C:\Windows\SysWOW64\Mqimikfj.exe

Filesize
45KB

MD5
89236010731ce6efb140a96595060840

SHA1
0b7e7337fef7690b64f22330dd7aa8f60ea1fad4

SHA256
47a15cbcf7e848781e92b0e2b489cee57454db962063949243f013a9ef52f32b

SHA512
4210d79a39c43423689fec3e0ab1546a95fac754e53254949de2418a5178ff8cb50e70eb4dcdfd89a2a9bd22c53256bc2ef49753e48dc4a1910a5f293f026ce0

Download Submit
C:\Windows\SysWOW64\Ofhknodl.exe

Filesize
45KB

MD5
bf84c369cd0b4119b9b50bd0b431de86

SHA1
8b0d9906522bf9dfb04a3460842040769a5f84e4

SHA256
6f9c9b77995697446e1efc37dcf23ab80fce0b79647e0938fe36a0985449da91

SHA512
fb8fb52709a79d72368131b1c9befb7f965de828faa43d5a792fd56424d25a5efd5fc508176f6a1d9172b425fecca89ce26503ac59be360e5cc511edcd60c581

Download Submit
C:\Windows\SysWOW64\Ogcnmc32.exe

Filesize
45KB

MD5
cbfa8bb33b64dde04321e02f49a1dc8b

SHA1
31614e21fb51ca71940ce95de08c0cfc91515ffb

SHA256
c1e9c9628dfc4f69108957528b13076ba890f96d2eeba43f40574c63a2edf2eb

SHA512
29368226a23e271e02ae5a9fea7df8ac672f943b13c042e508a55c86dff0f5c0d463b29b0c22755bbcc7998d7d053989110b8f9ab3f115cc3ac1253d17b116c2

Download Submit
C:\Windows\SysWOW64\Ojhpimhp.exe

Filesize
45KB

MD5
4ba96b4bdee86a30a62b970f02837afd

SHA1
377f680816694f2a90d92eb0230027d82ae198b5

SHA256
0c7b274e544978341654d7c9167af974d27e1a6684c79a777df258138f91bfef

SHA512
d2d26863d8c3f31ea158225239a6b5a14fab7dd438b4e62c1a0e38d7dabd353ffaa8404a35c9a8875b190dd60d174d5bdbba2439bafff144cd940f42e13cc914

Download Submit
C:\Windows\SysWOW64\Paiogf32.exe

Filesize
45KB

MD5
7c447440bf546e0b608afb3008656823

SHA1
60cccd767e4e78dcb6ea645427aa54497c8a661b

SHA256
84cab1f57a0aba8d9c228b3c8d27c9afba9d3ac203903c5e17c43d2ca4851574

SHA512
8b06fec974fc515a604a502affb0d6d0f294d503a6e54219aed9be7f184b9f555447594846a807082c4da0d859b52558db9732d7a55ed31b4b1a53b728e036e7

Download Submit
C:\Windows\SysWOW64\Pjdpelnc.exe

Filesize
45KB

MD5
ca9f8f098af57e350ae29c1fc429559b

SHA1
ff1b29f20bd55f76a639262876b39d737ffc671f

SHA256
5164cb3801433b48f669a5542df48ff078eb3fb4539999d85fb561d0de3b06e7

SHA512
cd7d7b060430c84fd1baa5ea64510af990aaabd4e39891e5f7aa698a131e155c8bacc0d0f1a68b81dd1fb9516a5a653c4e1048e97efa494220f53d80e0b45673

Download Submit
C:\Windows\SysWOW64\Pnfiplog.exe

Filesize
45KB

MD5
c4b2aa1e8607f542c23a404d5ad9a8b1

SHA1
0d6418fb32ecdad4535d38ec84e14b2c03cd1258

SHA256
63ba0adc7ab43c8c66efa82b36d2de6c58ae4dd3c1499dcc228f983d79f22d1f

SHA512
69555435402278261ab517672f7e78f43cab60f581bd8568313f92f88e251564f6f3202c6668b5dddc78f55424eb10b093990e23df19adfe344e1b04db59db50

Download Submit
C:\Windows\SysWOW64\Qaqegecm.exe

Filesize
45KB

MD5
17052c11af673f84daa24cfa8b471b3f

SHA1
27960bef35f9122ca70ba8fff9953a99baeaee30

SHA256
68375a464f7bbeebf896dec05fe57ebf0abbd75959b71b59b63d971e997ae52c

SHA512
49b8d520080f911e702a220143ae0e56b316b9425d16e2297a404937be228fab35f20d364b7deec1a5feec5176a6586ebfb0e1de895793633eb25b43f6b0b928

Download Submit
memory/212-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/316-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/372-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/700-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/776-502-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/824-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/824-586-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1020-565-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1020-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1092-520-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1124-545-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1132-478-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1140-532-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1188-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1388-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1392-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1400-320-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1468-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1500-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1508-496-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1676-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1680-196-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1752-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1844-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1860-205-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1888-593-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1888-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1908-508-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2000-526-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2124-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2192-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2280-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2336-448-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2348-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2380-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2400-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2508-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2532-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2600-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2736-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2776-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2804-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2904-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2908-552-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2936-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2956-558-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2956-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2988-573-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3044-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3048-580-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3076-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3144-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3160-572-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3160-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3188-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3212-314-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3248-591-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3328-208-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3388-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3408-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3428-566-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3480-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3548-484-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3652-594-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3740-440-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3832-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3880-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3892-442-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3912-236-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4000-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4036-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4104-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4256-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4264-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4292-403-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4352-490-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4360-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4376-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4412-538-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4416-514-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4516-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4604-559-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4608-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4608-579-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4624-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4636-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4636-551-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4708-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4756-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4928-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4932-398-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4992-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5020-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5052-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5052-544-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5068-454-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5372-1395-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5856-1407-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5952-1418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6584-1328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6736-1325-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads