berbew | 7ae7ce39291290215866f09ac37a2e92c95d586b1c56d32c393b2009acd255fe

Analysis

max time kernel
93s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 03:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ae7ce39291290215866f09ac37a2e92c95d586b1c56d32c393b2009acd255fe.exe
Size

92KB
MD5

80c953f291671ceb29b02dd9c1a3ffd1
SHA1

ed542ded365ea819b8d9be3c283c3be762f6e464
SHA256

7ae7ce39291290215866f09ac37a2e92c95d586b1c56d32c393b2009acd255fe
SHA512

0d9d002e8d040e579f04bcd9744396ce42985ca1db3460040e58f0015f087775f936f57cf55f29e27bea87a509eb2dac41d4c9fe22cbe20947a22a442ef06920
SSDEEP

1536:WbR31h6knPzkzPhArjGoljoU8KamRoCdG7oGnvsZWsOLnKQrUoR24HsUu:WbpdrkzZArljramRo2G7QIsZ6THsP

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phonha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpdgqmnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cogddd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddligq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gpelhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncchae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	7ae7ce39291290215866f09ac37a2e92c95d586b1c56d32c393b2009acd255fe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gehbjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klhnfo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oplfkeob.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogekbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmiikh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Akblfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cljobphg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hidgai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpanan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmimai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lljklo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akblfj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pagbaglh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfiddm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckjknfnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dbkqfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnfpinmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfiplog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqpcjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgkiaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgnffj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpdgqmnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Enbjad32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpbpbecj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jcfggkac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnjqmpgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Emjgim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieidhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnjgfb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klhnfo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdjgha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnoddcef.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onkidm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfmmplad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eifaim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpqldc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcnfohmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjlopc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mmfkhmdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnmopk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iohejo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iplkpa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcfggkac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mfqlfb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojajin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oabhfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdhkcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jjpode32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Komhll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ljeafb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqbpojnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnqfcbnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gifkpknp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iikmbh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lobjni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgifbhid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddgibkpc.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2376	Cljobphg.exe
4852	Cnkkjh32.exe
4616	Dmlkhofd.exe
1712	Dfdpad32.exe
3880	Dmohno32.exe
4928	Dbkqfe32.exe
744	Dmadco32.exe
3588	Dbnmke32.exe
4092	Ddligq32.exe
3924	Dkfadkgf.exe
3740	Dbpjaeoc.exe
2816	Dkhnjk32.exe
3652	Dfnbgc32.exe
1580	Ekkkoj32.exe
888	Ebdcld32.exe
1748	Emjgim32.exe
4652	Eoideh32.exe
4764	Eiahnnph.exe
3048	Ennqfenp.exe
2628	Emoadlfo.exe
2180	Enpmld32.exe
1392	Eifaim32.exe
2696	Enbjad32.exe
5072	Felbnn32.exe
748	Fbpchb32.exe
4088	Fijkdmhn.exe
1708	Fligqhga.exe
1140	Fbbpmb32.exe
3248	Fmhdkknd.exe
3000	Ffqhcq32.exe
1468	Flmqlg32.exe
4384	Fbgihaji.exe
1032	Fmmmfj32.exe
2956	Fbjena32.exe
1660	Gehbjm32.exe
2328	Glbjggof.exe
824	Gnqfcbnj.exe
1808	Gifkpknp.exe
3236	Gncchb32.exe
648	Gbnoiqdq.exe
1892	Gmdcfidg.exe
1984	Gpbpbecj.exe
4544	Gikdkj32.exe
452	Gpelhd32.exe
2640	Gmimai32.exe
220	Gojiiafp.exe
5040	Hipmfjee.exe
4464	Hpiecd32.exe
3420	Holfoqcm.exe
1012	Hlpfhe32.exe
2160	Hffken32.exe
912	Hidgai32.exe
2752	Hblkjo32.exe
2196	Hpqldc32.exe
1132	Hfjdqmng.exe
4200	Hmdlmg32.exe
1688	Hpchib32.exe
4000	Iikmbh32.exe
428	Iohejo32.exe
2940	Iebngial.exe
1560	Imiehfao.exe
4156	Ipgbdbqb.exe
1388	Igajal32.exe
4832	Imkbnf32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jljbeali.exe	Jepjhg32.exe
File created	C:\Windows\SysWOW64\Pmpockdl.dll	Aphnnafb.exe
File opened for modification	C:\Windows\SysWOW64\Dahmfpap.exe	Dkndie32.exe
File opened for modification	C:\Windows\SysWOW64\Felbnn32.exe	Enbjad32.exe
File created	C:\Windows\SysWOW64\Hblkjo32.exe	Hidgai32.exe
File created	C:\Windows\SysWOW64\Imiehfao.exe	Iebngial.exe
File opened for modification	C:\Windows\SysWOW64\Ombcji32.exe	Ofhknodl.exe
File opened for modification	C:\Windows\SysWOW64\Bgkiaj32.exe	Akblfj32.exe
File created	C:\Windows\SysWOW64\Ffiipfmi.dll	Eifaim32.exe
File created	C:\Windows\SysWOW64\Nnfpinmi.exe	Nglhld32.exe
File opened for modification	C:\Windows\SysWOW64\Ngqagcag.exe	Nfaemp32.exe
File created	C:\Windows\SysWOW64\Mcgiefen.exe	Mnjqmpgg.exe
File opened for modification	C:\Windows\SysWOW64\Nfaemp32.exe	Ncchae32.exe
File opened for modification	C:\Windows\SysWOW64\Panhbfep.exe	Pfiddm32.exe
File created	C:\Windows\SysWOW64\Aphnnafb.exe	Qfmmplad.exe
File created	C:\Windows\SysWOW64\Kdebopdl.dll	Aagkhd32.exe
File created	C:\Windows\SysWOW64\Gmdcfidg.exe	Gbnoiqdq.exe
File created	C:\Windows\SysWOW64\Hpiecd32.exe	Hipmfjee.exe
File created	C:\Windows\SysWOW64\Gkoafbld.dll	Lqmmmmph.exe
File created	C:\Windows\SysWOW64\Eklikcef.dll	Gpbpbecj.exe
File created	C:\Windows\SysWOW64\Qcbhah32.dll	Cnkkjh32.exe
File created	C:\Windows\SysWOW64\Emoadlfo.exe	Ennqfenp.exe
File opened for modification	C:\Windows\SysWOW64\Gncchb32.exe	Gifkpknp.exe
File created	C:\Windows\SysWOW64\Ifomef32.dll	Ogekbb32.exe
File opened for modification	C:\Windows\SysWOW64\Cgifbhid.exe	Chfegk32.exe
File created	C:\Windows\SysWOW64\Dgfpihkg.dll	Opclldhj.exe
File opened for modification	C:\Windows\SysWOW64\Cljobphg.exe	7ae7ce39291290215866f09ac37a2e92c95d586b1c56d32c393b2009acd255fe.exe
File opened for modification	C:\Windows\SysWOW64\Lomqcjie.exe	Lnldla32.exe
File opened for modification	C:\Windows\SysWOW64\Nopfpgip.exe	Nmbjcljl.exe
File created	C:\Windows\SysWOW64\Kldbpfio.dll	Emoadlfo.exe
File created	C:\Windows\SysWOW64\Ckbaokim.dll	Hipmfjee.exe
File created	C:\Windows\SysWOW64\Jiglnf32.exe	Jcmdaljn.exe
File opened for modification	C:\Windows\SysWOW64\Pagbaglh.exe	Pjmjdm32.exe
File opened for modification	C:\Windows\SysWOW64\Pjpfjl32.exe	Pagbaglh.exe
File opened for modification	C:\Windows\SysWOW64\Bknlbhhe.exe	Baegibae.exe
File created	C:\Windows\SysWOW64\Ldjcfk32.dll	Koaagkcb.exe
File created	C:\Windows\SysWOW64\Kjjbjd32.exe	Kcpjnjii.exe
File created	C:\Windows\SysWOW64\Kofkbk32.exe	Klhnfo32.exe
File created	C:\Windows\SysWOW64\Kfcfimfi.dll	Pjpfjl32.exe
File created	C:\Windows\SysWOW64\Dbpjaeoc.exe	Dkfadkgf.exe
File created	C:\Windows\SysWOW64\Gpcpel32.dll	Jjpode32.exe
File created	C:\Windows\SysWOW64\Njgigo32.dll	Komhll32.exe
File opened for modification	C:\Windows\SysWOW64\Jmeede32.exe	Jgkmgk32.exe
File opened for modification	C:\Windows\SysWOW64\Lljklo32.exe	Kjlopc32.exe
File opened for modification	C:\Windows\SysWOW64\Nqpcjj32.exe	Nnafno32.exe
File created	C:\Windows\SysWOW64\Njhgbp32.exe	Ngjkfd32.exe
File created	C:\Windows\SysWOW64\Dempqa32.dll	Nfaemp32.exe
File opened for modification	C:\Windows\SysWOW64\Dbkqfe32.exe	Dmohno32.exe
File created	C:\Windows\SysWOW64\Glbjggof.exe	Gehbjm32.exe
File created	C:\Windows\SysWOW64\Pmhkafda.dll	Imiehfao.exe
File created	C:\Windows\SysWOW64\Oghghb32.exe	Ombcji32.exe
File opened for modification	C:\Windows\SysWOW64\Pmiikh32.exe	Pnfiplog.exe
File created	C:\Windows\SysWOW64\Fdahdiml.dll	Igajal32.exe
File created	C:\Windows\SysWOW64\Hhblffgn.dll	Panhbfep.exe
File created	C:\Windows\SysWOW64\Hpchib32.exe	Hmdlmg32.exe
File created	C:\Windows\SysWOW64\Nglhld32.exe	Ncqlkemc.exe
File created	C:\Windows\SysWOW64\Qobhkjdi.exe	Qfkqjmdg.exe
File created	C:\Windows\SysWOW64\Dbkqfe32.exe	Dmohno32.exe
File created	C:\Windows\SysWOW64\Eiahnnph.exe	Eoideh32.exe
File created	C:\Windows\SysWOW64\Klhnfo32.exe	Kjjbjd32.exe
File created	C:\Windows\SysWOW64\Flmqlg32.exe	Ffqhcq32.exe
File created	C:\Windows\SysWOW64\Pbegml32.dll	Hblkjo32.exe
File created	C:\Windows\SysWOW64\Phonha32.exe	Ppgegd32.exe
File created	C:\Windows\SysWOW64\Mqdcnl32.exe	Mnegbp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7096	6548	WerFault.exe	282

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojfcdnjc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgifbhid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjknfnh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ipgbdbqb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klhnfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lomqcjie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcifkf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkfadkgf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmeede32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lnldla32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Panhbfep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojajin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opclldhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogjdmbil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fijkdmhn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lljklo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljeafb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqpcjj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmohno32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cammjakm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gikdkj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Imnocf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aphnnafb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bajqda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ondljl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cogddd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Emoadlfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kcidmkpq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koodbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcnfohmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jepjhg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpanan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjaabq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oplfkeob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfdpad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Glbjggof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gbnoiqdq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Imkbnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ombcji32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjpfjl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akblfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chfegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqbpojnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omdppiif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmiikh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkkjh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gmdcfidg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilcldb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcmdaljn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kcpjnjii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncqlkemc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncchae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cggimh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7ae7ce39291290215866f09ac37a2e92c95d586b1c56d32c393b2009acd255fe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddligq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hblkjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kcmmhj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bobabg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fligqhga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Modgdicm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnegbp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnjqmpgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kofkbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nopfpgip.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Opclldhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Enbjad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lnldla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmpockdl.dll"	Aphnnafb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqnbqh32.dll"	Baegibae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipjijkpg.dll"	Dkndie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jphkkpbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jocefm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jphkkpbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjokon32.dll"	Mnegbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ofkgcobj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keiifian.dll"	Qfkqjmdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cljobphg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Enpmld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffiipfmi.dll"	Eifaim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbhfhgch.dll"	Kjjbjd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Phonha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhblffgn.dll"	Panhbfep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfnbgc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lflbkcll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fbbpmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fbpchb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Glbjggof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Koodbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kofkbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqpcjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ongbqjjf.dll"	Dmadco32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hfjdqmng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgpoihnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lfgipd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnjqmpgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njhgbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qobhkjdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgnffj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fijkdmhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkbfan32.dll"	Nnfpinmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kcbfcigf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iohejo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Caojpaij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cljobphg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnegbp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Baegibae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iojmqe32.dll"	7ae7ce39291290215866f09ac37a2e92c95d586b1c56d32c393b2009acd255fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kcidmkpq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ofhknodl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnpofk32.dll"	Cogddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Enbjad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmkmlmnl.dll"	Gnqfcbnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jcmdaljn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphihiif.dll"	Ofkgcobj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmnbfhal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Enpmld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibcbfe32.dll"	Jphkkpbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Filclgic.dll"	Gpelhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jiglnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Koaagkcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Akblfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nobkpkdh.dll"	Dkfadkgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmkdjo32.dll"	Nopfpgip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ofkgcobj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bknlbhhe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfdpad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmadco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdaklmfn.dll"	Fijkdmhn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3972 wrote to memory of 2376	3972	7ae7ce39291290215866f09ac37a2e92c95d586b1c56d32c393b2009acd255fe.exe	83
PID 3972 wrote to memory of 2376	3972	7ae7ce39291290215866f09ac37a2e92c95d586b1c56d32c393b2009acd255fe.exe	83
PID 3972 wrote to memory of 2376	3972	7ae7ce39291290215866f09ac37a2e92c95d586b1c56d32c393b2009acd255fe.exe	83
PID 2376 wrote to memory of 4852	2376	Cljobphg.exe	84
PID 2376 wrote to memory of 4852	2376	Cljobphg.exe	84
PID 2376 wrote to memory of 4852	2376	Cljobphg.exe	84
PID 4852 wrote to memory of 4616	4852	Cnkkjh32.exe	85
PID 4852 wrote to memory of 4616	4852	Cnkkjh32.exe	85
PID 4852 wrote to memory of 4616	4852	Cnkkjh32.exe	85
PID 4616 wrote to memory of 1712	4616	Dmlkhofd.exe	86
PID 4616 wrote to memory of 1712	4616	Dmlkhofd.exe	86
PID 4616 wrote to memory of 1712	4616	Dmlkhofd.exe	86
PID 1712 wrote to memory of 3880	1712	Dfdpad32.exe	87
PID 1712 wrote to memory of 3880	1712	Dfdpad32.exe	87
PID 1712 wrote to memory of 3880	1712	Dfdpad32.exe	87
PID 3880 wrote to memory of 4928	3880	Dmohno32.exe	88
PID 3880 wrote to memory of 4928	3880	Dmohno32.exe	88
PID 3880 wrote to memory of 4928	3880	Dmohno32.exe	88
PID 4928 wrote to memory of 744	4928	Dbkqfe32.exe	89
PID 4928 wrote to memory of 744	4928	Dbkqfe32.exe	89
PID 4928 wrote to memory of 744	4928	Dbkqfe32.exe	89
PID 744 wrote to memory of 3588	744	Dmadco32.exe	90
PID 744 wrote to memory of 3588	744	Dmadco32.exe	90
PID 744 wrote to memory of 3588	744	Dmadco32.exe	90
PID 3588 wrote to memory of 4092	3588	Dbnmke32.exe	91
PID 3588 wrote to memory of 4092	3588	Dbnmke32.exe	91
PID 3588 wrote to memory of 4092	3588	Dbnmke32.exe	91
PID 4092 wrote to memory of 3924	4092	Ddligq32.exe	93
PID 4092 wrote to memory of 3924	4092	Ddligq32.exe	93
PID 4092 wrote to memory of 3924	4092	Ddligq32.exe	93
PID 3924 wrote to memory of 3740	3924	Dkfadkgf.exe	94
PID 3924 wrote to memory of 3740	3924	Dkfadkgf.exe	94
PID 3924 wrote to memory of 3740	3924	Dkfadkgf.exe	94
PID 3740 wrote to memory of 2816	3740	Dbpjaeoc.exe	95
PID 3740 wrote to memory of 2816	3740	Dbpjaeoc.exe	95
PID 3740 wrote to memory of 2816	3740	Dbpjaeoc.exe	95
PID 2816 wrote to memory of 3652	2816	Dkhnjk32.exe	96
PID 2816 wrote to memory of 3652	2816	Dkhnjk32.exe	96
PID 2816 wrote to memory of 3652	2816	Dkhnjk32.exe	96
PID 3652 wrote to memory of 1580	3652	Dfnbgc32.exe	98
PID 3652 wrote to memory of 1580	3652	Dfnbgc32.exe	98
PID 3652 wrote to memory of 1580	3652	Dfnbgc32.exe	98
PID 1580 wrote to memory of 888	1580	Ekkkoj32.exe	99
PID 1580 wrote to memory of 888	1580	Ekkkoj32.exe	99
PID 1580 wrote to memory of 888	1580	Ekkkoj32.exe	99
PID 888 wrote to memory of 1748	888	Ebdcld32.exe	100
PID 888 wrote to memory of 1748	888	Ebdcld32.exe	100
PID 888 wrote to memory of 1748	888	Ebdcld32.exe	100
PID 1748 wrote to memory of 4652	1748	Emjgim32.exe	101
PID 1748 wrote to memory of 4652	1748	Emjgim32.exe	101
PID 1748 wrote to memory of 4652	1748	Emjgim32.exe	101
PID 4652 wrote to memory of 4764	4652	Eoideh32.exe	102
PID 4652 wrote to memory of 4764	4652	Eoideh32.exe	102
PID 4652 wrote to memory of 4764	4652	Eoideh32.exe	102
PID 4764 wrote to memory of 3048	4764	Eiahnnph.exe	103
PID 4764 wrote to memory of 3048	4764	Eiahnnph.exe	103
PID 4764 wrote to memory of 3048	4764	Eiahnnph.exe	103
PID 3048 wrote to memory of 2628	3048	Ennqfenp.exe	104
PID 3048 wrote to memory of 2628	3048	Ennqfenp.exe	104
PID 3048 wrote to memory of 2628	3048	Ennqfenp.exe	104
PID 2628 wrote to memory of 2180	2628	Emoadlfo.exe	106
PID 2628 wrote to memory of 2180	2628	Emoadlfo.exe	106
PID 2628 wrote to memory of 2180	2628	Emoadlfo.exe	106
PID 2180 wrote to memory of 1392	2180	Enpmld32.exe	107

C:\Users\Admin\AppData\Local\Temp\7ae7ce39291290215866f09ac37a2e92c95d586b1c56d32c393b2009acd255fe.exe
"C:\Users\Admin\AppData\Local\Temp\7ae7ce39291290215866f09ac37a2e92c95d586b1c56d32c393b2009acd255fe.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3972
- C:\Windows\SysWOW64\Cljobphg.exe
  C:\Windows\system32\Cljobphg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Windows\SysWOW64\Cnkkjh32.exe
    C:\Windows\system32\Cnkkjh32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4852
  - - C:\Windows\SysWOW64\Dmlkhofd.exe
      C:\Windows\system32\Dmlkhofd.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4616
    - - C:\Windows\SysWOW64\Dfdpad32.exe
        
        C:\Windows\system32\Dfdpad32.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1712
      - C:\Windows\SysWOW64\Dmohno32.exe
        
        C:\Windows\system32\Dmohno32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3880
        
        C:\Windows\SysWOW64\Dbkqfe32.exe
        
        C:\Windows\system32\Dbkqfe32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\SysWOW64\Dmadco32.exe
        
        C:\Windows\system32\Dmadco32.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:744
        
        C:\Windows\SysWOW64\Dbnmke32.exe
        
        C:\Windows\system32\Dbnmke32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\SysWOW64\Ddligq32.exe
        
        C:\Windows\system32\Ddligq32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\SysWOW64\Dkfadkgf.exe
        
        C:\Windows\system32\Dkfadkgf.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3924
        
        C:\Windows\SysWOW64\Dbpjaeoc.exe
        
        C:\Windows\system32\Dbpjaeoc.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3740
        
        C:\Windows\SysWOW64\Dkhnjk32.exe
        
        C:\Windows\system32\Dkhnjk32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\Dfnbgc32.exe
        
        C:\Windows\system32\Dfnbgc32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Windows\SysWOW64\Ekkkoj32.exe
        
        C:\Windows\system32\Ekkkoj32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\SysWOW64\Ebdcld32.exe
        
        C:\Windows\system32\Ebdcld32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:888
        
        C:\Windows\SysWOW64\Emjgim32.exe
        
        C:\Windows\system32\Emjgim32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\SysWOW64\Eoideh32.exe
        
        C:\Windows\system32\Eoideh32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\SysWOW64\Eiahnnph.exe
        
        C:\Windows\system32\Eiahnnph.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4764
        
        C:\Windows\SysWOW64\Ennqfenp.exe
        
        C:\Windows\system32\Ennqfenp.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\Emoadlfo.exe
        
        C:\Windows\system32\Emoadlfo.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\Enpmld32.exe
        
        C:\Windows\system32\Enpmld32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\Eifaim32.exe
        
        C:\Windows\system32\Eifaim32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1392
        
        C:\Windows\SysWOW64\Enbjad32.exe
        
        C:\Windows\system32\Enbjad32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\Felbnn32.exe
        
        C:\Windows\system32\Felbnn32.exe
        25⤵
        Executes dropped EXE
        
        PID:5072
        
        C:\Windows\SysWOW64\Fbpchb32.exe
        
        C:\Windows\system32\Fbpchb32.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:748
        
        C:\Windows\SysWOW64\Fijkdmhn.exe
        
        C:\Windows\system32\Fijkdmhn.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4088
        
        C:\Windows\SysWOW64\Fligqhga.exe
        
        C:\Windows\system32\Fligqhga.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1708
        
        C:\Windows\SysWOW64\Fbbpmb32.exe
        
        C:\Windows\system32\Fbbpmb32.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1140
        
        C:\Windows\SysWOW64\Fmhdkknd.exe
        
        C:\Windows\system32\Fmhdkknd.exe
        30⤵
        Executes dropped EXE
        
        PID:3248
        
        C:\Windows\SysWOW64\Ffqhcq32.exe
        
        C:\Windows\system32\Ffqhcq32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3000
        
        C:\Windows\SysWOW64\Flmqlg32.exe
        
        C:\Windows\system32\Flmqlg32.exe
        32⤵
        Executes dropped EXE
        
        PID:1468
        
        C:\Windows\SysWOW64\Fbgihaji.exe
        
        C:\Windows\system32\Fbgihaji.exe
        33⤵
        Executes dropped EXE
        
        PID:4384
        
        C:\Windows\SysWOW64\Fmmmfj32.exe
        
        C:\Windows\system32\Fmmmfj32.exe
        34⤵
        Executes dropped EXE
        
        PID:1032
        
        C:\Windows\SysWOW64\Fbjena32.exe
        
        C:\Windows\system32\Fbjena32.exe
        35⤵
        Executes dropped EXE
        
        PID:2956
        
        C:\Windows\SysWOW64\Gehbjm32.exe
        
        C:\Windows\system32\Gehbjm32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1660
        
        C:\Windows\SysWOW64\Glbjggof.exe
        
        C:\Windows\system32\Glbjggof.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2328
        
        C:\Windows\SysWOW64\Gnqfcbnj.exe
        
        C:\Windows\system32\Gnqfcbnj.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:824
        
        C:\Windows\SysWOW64\Gifkpknp.exe
        
        C:\Windows\system32\Gifkpknp.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1808
        
        C:\Windows\SysWOW64\Gncchb32.exe
        
        C:\Windows\system32\Gncchb32.exe
        40⤵
        Executes dropped EXE
        
        PID:3236
        
        C:\Windows\SysWOW64\Gbnoiqdq.exe
        
        C:\Windows\system32\Gbnoiqdq.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:648
        
        C:\Windows\SysWOW64\Gmdcfidg.exe
        
        C:\Windows\system32\Gmdcfidg.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1892
        
        C:\Windows\SysWOW64\Gpbpbecj.exe
        
        C:\Windows\system32\Gpbpbecj.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1984
        
        C:\Windows\SysWOW64\Gikdkj32.exe
        
        C:\Windows\system32\Gikdkj32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4544
        
        C:\Windows\SysWOW64\Gpelhd32.exe
        
        C:\Windows\system32\Gpelhd32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:452
        
        C:\Windows\SysWOW64\Gmimai32.exe
        
        C:\Windows\system32\Gmimai32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2640
        
        C:\Windows\SysWOW64\Gojiiafp.exe
        
        C:\Windows\system32\Gojiiafp.exe
        47⤵
        Executes dropped EXE
        
        PID:220
        
        C:\Windows\SysWOW64\Hipmfjee.exe
        
        C:\Windows\system32\Hipmfjee.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5040
        
        C:\Windows\SysWOW64\Hpiecd32.exe
        
        C:\Windows\system32\Hpiecd32.exe
        49⤵
        Executes dropped EXE
        
        PID:4464
        
        C:\Windows\SysWOW64\Holfoqcm.exe
        
        C:\Windows\system32\Holfoqcm.exe
        50⤵
        Executes dropped EXE
        
        PID:3420
        
        C:\Windows\SysWOW64\Hlpfhe32.exe
        
        C:\Windows\system32\Hlpfhe32.exe
        51⤵
        Executes dropped EXE
        
        PID:1012
        
        C:\Windows\SysWOW64\Hffken32.exe
        
        C:\Windows\system32\Hffken32.exe
        52⤵
        Executes dropped EXE
        
        PID:2160
        
        C:\Windows\SysWOW64\Hidgai32.exe
        
        C:\Windows\system32\Hidgai32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:912
        
        C:\Windows\SysWOW64\Hblkjo32.exe
        
        C:\Windows\system32\Hblkjo32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2752
        
        C:\Windows\SysWOW64\Hpqldc32.exe
        
        C:\Windows\system32\Hpqldc32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2196
        
        C:\Windows\SysWOW64\Hfjdqmng.exe
        
        C:\Windows\system32\Hfjdqmng.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1132
        
        C:\Windows\SysWOW64\Hmdlmg32.exe
        
        C:\Windows\system32\Hmdlmg32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4200
        
        C:\Windows\SysWOW64\Hpchib32.exe
        
        C:\Windows\system32\Hpchib32.exe
        58⤵
        Executes dropped EXE
        
        PID:1688
        
        C:\Windows\SysWOW64\Iikmbh32.exe
        
        C:\Windows\system32\Iikmbh32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4000
        
        C:\Windows\SysWOW64\Iohejo32.exe
        
        C:\Windows\system32\Iohejo32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:428
        
        C:\Windows\SysWOW64\Iebngial.exe
        
        C:\Windows\system32\Iebngial.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2940
        
        C:\Windows\SysWOW64\Imiehfao.exe
        
        C:\Windows\system32\Imiehfao.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1560
        
        C:\Windows\SysWOW64\Ipgbdbqb.exe
        
        C:\Windows\system32\Ipgbdbqb.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4156
        
        C:\Windows\SysWOW64\Igajal32.exe
        
        C:\Windows\system32\Igajal32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1388
        
        C:\Windows\SysWOW64\Imkbnf32.exe
        
        C:\Windows\system32\Imkbnf32.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4832
        
        C:\Windows\SysWOW64\Imnocf32.exe
        
        C:\Windows\system32\Imnocf32.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:1872
        
        C:\Windows\SysWOW64\Iplkpa32.exe
        
        C:\Windows\system32\Iplkpa32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4204
        
        C:\Windows\SysWOW64\Ieidhh32.exe
        
        C:\Windows\system32\Ieidhh32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3292
        
        C:\Windows\SysWOW64\Ilcldb32.exe
        
        C:\Windows\system32\Ilcldb32.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:1116
        
        C:\Windows\SysWOW64\Jcmdaljn.exe
        
        C:\Windows\system32\Jcmdaljn.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4752
        
        C:\Windows\SysWOW64\Jiglnf32.exe
        
        C:\Windows\system32\Jiglnf32.exe
        71⤵
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Jocefm32.exe
        
        C:\Windows\system32\Jocefm32.exe
        72⤵
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\Jgkmgk32.exe
        
        C:\Windows\system32\Jgkmgk32.exe
        73⤵
        Drops file in System32 directory
        
        PID:4264
        
        C:\Windows\SysWOW64\Jmeede32.exe
        
        C:\Windows\system32\Jmeede32.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:4292
        
        C:\Windows\SysWOW64\Jofalmmp.exe
        
        C:\Windows\system32\Jofalmmp.exe
        75⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\Jepjhg32.exe
        
        C:\Windows\system32\Jepjhg32.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3644
        
        C:\Windows\SysWOW64\Jljbeali.exe
        
        C:\Windows\system32\Jljbeali.exe
        77⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\Jcdjbk32.exe
        
        C:\Windows\system32\Jcdjbk32.exe
        78⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\Jebfng32.exe
        
        C:\Windows\system32\Jebfng32.exe
        79⤵
        
        PID:856
        
        C:\Windows\SysWOW64\Jphkkpbp.exe
        
        C:\Windows\system32\Jphkkpbp.exe
        80⤵
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\Jcfggkac.exe
        
        C:\Windows\system32\Jcfggkac.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2476
        
        C:\Windows\SysWOW64\Jjpode32.exe
        
        C:\Windows\system32\Jjpode32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1328
        
        C:\Windows\SysWOW64\Komhll32.exe
        
        C:\Windows\system32\Komhll32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2224
        
        C:\Windows\SysWOW64\Kcidmkpq.exe
        
        C:\Windows\system32\Kcidmkpq.exe
        84⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Koodbl32.exe
        
        C:\Windows\system32\Koodbl32.exe
        85⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4904
        
        C:\Windows\SysWOW64\Kgflcifg.exe
        
        C:\Windows\system32\Kgflcifg.exe
        86⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\Koaagkcb.exe
        
        C:\Windows\system32\Koaagkcb.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\Kcmmhj32.exe
        
        C:\Windows\system32\Kcmmhj32.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:5136
        
        C:\Windows\SysWOW64\Kpanan32.exe
        
        C:\Windows\system32\Kpanan32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5200
        
        C:\Windows\SysWOW64\Kcpjnjii.exe
        
        C:\Windows\system32\Kcpjnjii.exe
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5244
        
        C:\Windows\SysWOW64\Kjjbjd32.exe
        
        C:\Windows\system32\Kjjbjd32.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Klhnfo32.exe
        
        C:\Windows\system32\Klhnfo32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5332
        
        C:\Windows\SysWOW64\Kofkbk32.exe
        
        C:\Windows\system32\Kofkbk32.exe
        93⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Kcbfcigf.exe
        
        C:\Windows\system32\Kcbfcigf.exe
        94⤵
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Kjlopc32.exe
        
        C:\Windows\system32\Kjlopc32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5464
        
        C:\Windows\SysWOW64\Lljklo32.exe
        
        C:\Windows\system32\Lljklo32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5508
        
        C:\Windows\SysWOW64\Lgpoihnl.exe
        
        C:\Windows\system32\Lgpoihnl.exe
        97⤵
        Modifies registry class
        
        PID:5552
        
        C:\Windows\SysWOW64\Lnjgfb32.exe
        
        C:\Windows\system32\Lnjgfb32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5596
        
        C:\Windows\SysWOW64\Llmhaold.exe
        
        C:\Windows\system32\Llmhaold.exe
        99⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Lokdnjkg.exe
        
        C:\Windows\system32\Lokdnjkg.exe
        100⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Lnldla32.exe
        
        C:\Windows\system32\Lnldla32.exe
        101⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\Lomqcjie.exe
        
        C:\Windows\system32\Lomqcjie.exe
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:5772
        
        C:\Windows\SysWOW64\Lfgipd32.exe
        
        C:\Windows\system32\Lfgipd32.exe
        103⤵
        Modifies registry class
        
        PID:5820
        
        C:\Windows\SysWOW64\Lnoaaaad.exe
        
        C:\Windows\system32\Lnoaaaad.exe
        104⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Lqmmmmph.exe
        
        C:\Windows\system32\Lqmmmmph.exe
        105⤵
        Drops file in System32 directory
        
        PID:5904
        
        C:\Windows\SysWOW64\Lopmii32.exe
        
        C:\Windows\system32\Lopmii32.exe
        106⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\Lfjfecno.exe
        
        C:\Windows\system32\Lfjfecno.exe
        107⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\Ljeafb32.exe
        
        C:\Windows\system32\Ljeafb32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6036
        
        C:\Windows\SysWOW64\Lobjni32.exe
        
        C:\Windows\system32\Lobjni32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6080
        
        C:\Windows\SysWOW64\Lcnfohmi.exe
        
        C:\Windows\system32\Lcnfohmi.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6124
        
        C:\Windows\SysWOW64\Lflbkcll.exe
        
        C:\Windows\system32\Lflbkcll.exe
        111⤵
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Mmfkhmdi.exe
        
        C:\Windows\system32\Mmfkhmdi.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5232
        
        C:\Windows\SysWOW64\Modgdicm.exe
        
        C:\Windows\system32\Modgdicm.exe
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:5308
        
        C:\Windows\SysWOW64\Mnegbp32.exe
        
        C:\Windows\system32\Mnegbp32.exe
        114⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Mqdcnl32.exe
        
        C:\Windows\system32\Mqdcnl32.exe
        115⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\Mfqlfb32.exe
        
        C:\Windows\system32\Mfqlfb32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5516
        
        C:\Windows\SysWOW64\Moipoh32.exe
        
        C:\Windows\system32\Moipoh32.exe
        117⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Mnjqmpgg.exe
        
        C:\Windows\system32\Mnjqmpgg.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5648
        
        C:\Windows\SysWOW64\Mcgiefen.exe
        
        C:\Windows\system32\Mcgiefen.exe
        119⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\Mjaabq32.exe
        
        C:\Windows\system32\Mjaabq32.exe
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:5792
        
        C:\Windows\SysWOW64\Mcifkf32.exe
        
        C:\Windows\system32\Mcifkf32.exe
        121⤵
        System Location Discovery: System Language Discovery
        
        PID:5852
        
        C:\Windows\SysWOW64\Nmbjcljl.exe
        
        C:\Windows\system32\Nmbjcljl.exe
        122⤵
        Drops file in System32 directory
        
        PID:5944
        
        C:\Windows\SysWOW64\Nopfpgip.exe
        
        C:\Windows\system32\Nopfpgip.exe
        123⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5984
        
        C:\Windows\SysWOW64\Nnafno32.exe
        
        C:\Windows\system32\Nnafno32.exe
        124⤵
        Drops file in System32 directory
        
        PID:6068
        
        C:\Windows\SysWOW64\Nqpcjj32.exe
        
        C:\Windows\system32\Nqpcjj32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6136
        
        C:\Windows\SysWOW64\Ngjkfd32.exe
        
        C:\Windows\system32\Ngjkfd32.exe
        126⤵
        Drops file in System32 directory
        
        PID:5220
        
        C:\Windows\SysWOW64\Njhgbp32.exe
        
        C:\Windows\system32\Njhgbp32.exe
        127⤵
        Modifies registry class
        
        PID:5340
        
        C:\Windows\SysWOW64\Nqbpojnp.exe
        
        C:\Windows\system32\Nqbpojnp.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5444
        
        C:\Windows\SysWOW64\Ncqlkemc.exe
        
        C:\Windows\system32\Ncqlkemc.exe
        129⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5584
        
        C:\Windows\SysWOW64\Nglhld32.exe
        
        C:\Windows\system32\Nglhld32.exe
        130⤵
        Drops file in System32 directory
        
        PID:5668
        
        C:\Windows\SysWOW64\Nnfpinmi.exe
        
        C:\Windows\system32\Nnfpinmi.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5764
        
        C:\Windows\SysWOW64\Ncchae32.exe
        
        C:\Windows\system32\Ncchae32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5924
        
        C:\Windows\SysWOW64\Nfaemp32.exe
        
        C:\Windows\system32\Nfaemp32.exe
        133⤵
        Drops file in System32 directory
        
        PID:6004
        
        C:\Windows\SysWOW64\Ngqagcag.exe
        
        C:\Windows\system32\Ngqagcag.exe
        134⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\Onkidm32.exe
        
        C:\Windows\system32\Onkidm32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5280
        
        C:\Windows\SysWOW64\Oplfkeob.exe
        
        C:\Windows\system32\Oplfkeob.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5404
        
        C:\Windows\SysWOW64\Ojajin32.exe
        
        C:\Windows\system32\Ojajin32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5624
        
        C:\Windows\SysWOW64\Ogekbb32.exe
        
        C:\Windows\system32\Ogekbb32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5760
        
        C:\Windows\SysWOW64\Ofhknodl.exe
        
        C:\Windows\system32\Ofhknodl.exe
        139⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Ombcji32.exe
        
        C:\Windows\system32\Ombcji32.exe
        140⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5132
        
        C:\Windows\SysWOW64\Oghghb32.exe
        
        C:\Windows\system32\Oghghb32.exe
        141⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Ofkgcobj.exe
        
        C:\Windows\system32\Ofkgcobj.exe
        142⤵
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Ojfcdnjc.exe
        
        C:\Windows\system32\Ojfcdnjc.exe
        143⤵
        System Location Discovery: System Language Discovery
        
        PID:5832
        
        C:\Windows\SysWOW64\Omdppiif.exe
        
        C:\Windows\system32\Omdppiif.exe
        144⤵
        System Location Discovery: System Language Discovery
        
        PID:5360
        
        C:\Windows\SysWOW64\Opclldhj.exe
        
        C:\Windows\system32\Opclldhj.exe
        145⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5964
        
        C:\Windows\SysWOW64\Ogjdmbil.exe
        
        C:\Windows\system32\Ogjdmbil.exe
        146⤵
        System Location Discovery: System Language Discovery
        
        PID:5636
        
        C:\Windows\SysWOW64\Ondljl32.exe
        
        C:\Windows\system32\Ondljl32.exe
        147⤵
        System Location Discovery: System Language Discovery
        
        PID:5228
        
        C:\Windows\SysWOW64\Oabhfg32.exe
        
        C:\Windows\system32\Oabhfg32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6160
        
        C:\Windows\SysWOW64\Ohlqcagj.exe
        
        C:\Windows\system32\Ohlqcagj.exe
        149⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\Pnfiplog.exe
        
        C:\Windows\system32\Pnfiplog.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6248
        
        C:\Windows\SysWOW64\Pmiikh32.exe
        
        C:\Windows\system32\Pmiikh32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6288
        
        C:\Windows\SysWOW64\Ppgegd32.exe
        
        C:\Windows\system32\Ppgegd32.exe
        152⤵
        Drops file in System32 directory
        
        PID:6336
        
        C:\Windows\SysWOW64\Phonha32.exe
        
        C:\Windows\system32\Phonha32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6376
        
        C:\Windows\SysWOW64\Pjmjdm32.exe
        
        C:\Windows\system32\Pjmjdm32.exe
        154⤵
        Drops file in System32 directory
        
        PID:6420
        
        C:\Windows\SysWOW64\Pagbaglh.exe
        
        C:\Windows\system32\Pagbaglh.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6464
        
        C:\Windows\SysWOW64\Pjpfjl32.exe
        
        C:\Windows\system32\Pjpfjl32.exe
        156⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6508
        
        C:\Windows\SysWOW64\Pmnbfhal.exe
        
        C:\Windows\system32\Pmnbfhal.exe
        157⤵
        Modifies registry class
        
        PID:6552
        
        C:\Windows\SysWOW64\Pplobcpp.exe
        
        C:\Windows\system32\Pplobcpp.exe
        158⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\Pdhkcb32.exe
        
        C:\Windows\system32\Pdhkcb32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6648
        
        C:\Windows\SysWOW64\Pffgom32.exe
        
        C:\Windows\system32\Pffgom32.exe
        160⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\Pnmopk32.exe
        
        C:\Windows\system32\Pnmopk32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6748
        
        C:\Windows\SysWOW64\Ppolhcnm.exe
        
        C:\Windows\system32\Ppolhcnm.exe
        162⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\Pdjgha32.exe
        
        C:\Windows\system32\Pdjgha32.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6844
        
        C:\Windows\SysWOW64\Pfiddm32.exe
        
        C:\Windows\system32\Pfiddm32.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6892
        
        C:\Windows\SysWOW64\Panhbfep.exe
        
        C:\Windows\system32\Panhbfep.exe
        165⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6940
        
        C:\Windows\SysWOW64\Qfkqjmdg.exe
        
        C:\Windows\system32\Qfkqjmdg.exe
        166⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6984
        
        C:\Windows\SysWOW64\Qobhkjdi.exe
        
        C:\Windows\system32\Qobhkjdi.exe
        167⤵
        Modifies registry class
        
        PID:7032
        
        C:\Windows\SysWOW64\Qfmmplad.exe
        
        C:\Windows\system32\Qfmmplad.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7080
        
        C:\Windows\SysWOW64\Aphnnafb.exe
        
        C:\Windows\system32\Aphnnafb.exe
        169⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7124
        
        C:\Windows\SysWOW64\Aagkhd32.exe
        
        C:\Windows\system32\Aagkhd32.exe
        170⤵
        Drops file in System32 directory
        
        PID:5316
        
        C:\Windows\SysWOW64\Amnlme32.exe
        
        C:\Windows\system32\Amnlme32.exe
        171⤵
        
        PID:6212
        
        C:\Windows\SysWOW64\Akblfj32.exe
        
        C:\Windows\system32\Akblfj32.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6284
        
        C:\Windows\SysWOW64\Bgkiaj32.exe
        
        C:\Windows\system32\Bgkiaj32.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6344
        
        C:\Windows\SysWOW64\Bobabg32.exe
        
        C:\Windows\system32\Bobabg32.exe
        174⤵
        System Location Discovery: System Language Discovery
        
        PID:6408
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1324
        
        C:\Windows\SysWOW64\Baegibae.exe
        
        C:\Windows\system32\Baegibae.exe
        176⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Bknlbhhe.exe
        
        C:\Windows\system32\Bknlbhhe.exe
        177⤵
        Modifies registry class
        
        PID:6536
        
        C:\Windows\SysWOW64\Bnoddcef.exe
        
        C:\Windows\system32\Bnoddcef.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6584
        
        C:\Windows\SysWOW64\Bajqda32.exe
        
        C:\Windows\system32\Bajqda32.exe
        179⤵
        System Location Discovery: System Language Discovery
        
        PID:6684
        
        C:\Windows\SysWOW64\Cggimh32.exe
        
        C:\Windows\system32\Cggimh32.exe
        180⤵
        System Location Discovery: System Language Discovery
        
        PID:6756
        
        C:\Windows\SysWOW64\Cammjakm.exe
        
        C:\Windows\system32\Cammjakm.exe
        181⤵
        System Location Discovery: System Language Discovery
        
        PID:6832
        
        C:\Windows\SysWOW64\Chfegk32.exe
        
        C:\Windows\system32\Chfegk32.exe
        182⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6908
        
        C:\Windows\SysWOW64\Cgifbhid.exe
        
        C:\Windows\system32\Cgifbhid.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6972
        
        C:\Windows\SysWOW64\Caojpaij.exe
        
        C:\Windows\system32\Caojpaij.exe
        184⤵
        Modifies registry class
        
        PID:6896
        
        C:\Windows\SysWOW64\Cpdgqmnb.exe
        
        C:\Windows\system32\Cpdgqmnb.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7068
        
        C:\Windows\SysWOW64\Ckjknfnh.exe
        
        C:\Windows\system32\Ckjknfnh.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:7136
        
        C:\Windows\SysWOW64\Cogddd32.exe
        
        C:\Windows\system32\Cogddd32.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6188
        
        C:\Windows\SysWOW64\Dkndie32.exe
        
        C:\Windows\system32\Dkndie32.exe
        188⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6268
        
        C:\Windows\SysWOW64\Dahmfpap.exe
        
        C:\Windows\system32\Dahmfpap.exe
        189⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6460
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        191⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6548 -s 412
        192⤵
        Program crash
        
        PID:7096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 6548 -ip 6548
1⤵
PID:6904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Baegibae.exe

Filesize
92KB

MD5
b0a56edb281fa10597526fb5e18dc38b

SHA1
fd777637b9a9760c78ae545d5cd3a0dc9f228407

SHA256
713a31d2b39c133a968894a7a2af368485a5d359248ee4d2a043cbbeac1aa30a

SHA512
37b00820ee6e9a2fe289971812a278667bcdfa8b957b29f6119abcefe15346cfcbffb830eeae7328af2554fcbf3ab4cff95a78175feb3986d3bc9b520b2bdc82

Download Submit
C:\Windows\SysWOW64\Bgkiaj32.exe

Filesize
92KB

MD5
95089c3767e24ecbef3f1feed0a3b23e

SHA1
04f7b710944b892d69dde9a0f5c3451d868368a4

SHA256
a78155297c8e8aa075f626a6888adbf400c7e1a44e9ee06d9c5e0596058eba2b

SHA512
d2366485cfbdb3377f322adf0e2b87f05d2c201ef8e97bcb9f03dd4f39533685ca3f712485436a0b79841d995d43e7c27e5db8c7453009e505a7dffc0c7aa05f

Download Submit
C:\Windows\SysWOW64\Cggimh32.exe

Filesize
92KB

MD5
ab4d140587bf8b9f70e4d01ba87e8b9e

SHA1
617e2c81e65a959902807b1fd476227e9e95c272

SHA256
ceb9f0cb423c5e3dc52da7098d4b09b9cf5029c0ab47744670b205d7e5f9f316

SHA512
1087a2acb52f59102e5afddecf83f669b2837afd08afb9984412885859aac884b4d90dae2da095da38e177cbd25a33e572ec1e249279d8bde23a4309d5b9f6c4

Download Submit
C:\Windows\SysWOW64\Cljobphg.exe

Filesize
92KB

MD5
fbc83a033f1cda30797bf17cc11053b5

SHA1
6b0ca8f30582ba0824a85887db37e4b70cb07be1

SHA256
ef47224447fa25b0f9aa0c1af48640e00f99fd05b5143a9be418f47b20746626

SHA512
02e0566efa2d3b4aa36fe15ebb6390ea66d96d5c6f37cce21d3a5f463f5f2b51aff979b5c6cb7dc1f4d7558f449ae46939fee541399dd3a1844206ac52eddf89

Download Submit
C:\Windows\SysWOW64\Cnkkjh32.exe

Filesize
92KB

MD5
92b00ce20e1315734f5e5eab6fc0de34

SHA1
7d5e43e43d2b4d7da10fd71d755ab903fca2bdba

SHA256
09dca8c31f3b2e5910017f017c52edbcaeff5945521b5a27488fc927e759dabc

SHA512
15d2df7f537fac3ff848e7ec850c1ee485b9e8a5fadf560796af1ea0a15b3c03c4b548d0b8a448d15ec21289b962f3b71729bec41296d61587605d3fadea79fc

Download Submit
C:\Windows\SysWOW64\Cogddd32.exe

Filesize
92KB

MD5
c759383a4846a637bc50db95564a9a83

SHA1
d38c674a3a7c34d8b8e3b25f6d560c840a70502f

SHA256
f0095a63ffa2b5833e4316a41f87dbc78d272a4ebaca9c3ccbecc3a4493b9ac4

SHA512
8dd37c7fe99fb113073a52e79ddd30d5f690f56796e4d04718bfb85042cdd39a38e85dc7dc71b98771694a1491332c567317556473b532b7eb93eb6a49391968

Download Submit
C:\Windows\SysWOW64\Dbkqfe32.exe

Filesize
92KB

MD5
bd048d112ad890f1407ac7dcf130320d

SHA1
989cb96a5b68186e1287a46e182304fc58823529

SHA256
f4e990be31a5da6dff731738ee66203a0d1c687cd60f9fdbd771b24ea7cf979f

SHA512
1efa6eeb5092c337c0dd204030e86a6cb3f58661d0c367bc24706399497ed02ef1dd38a65a4f9a20937a90b2b59106769758eb1b068be52261510a655b3bcb10

Download Submit
C:\Windows\SysWOW64\Dbnmke32.exe

Filesize
92KB

MD5
8daef264d6cc82fc9ebf6f429d895208

SHA1
323a2548699ba2a75d7d1a94679893f6a8950aef

SHA256
7f2f2ee634a588f46b900a3e4b5f3991a5e726cdf99d32ee5ab75f9cc8c0aa6d

SHA512
0249819d9e93d780320ac6851f3ed5e3001bc9c728a4a86804ca4c01ef1476e8270d9558257ece01a5a2adc642cc6cef70c31224a3390682cf050462dedb8514

Download Submit
C:\Windows\SysWOW64\Dbpjaeoc.exe

Filesize
92KB

MD5
d595e1f528de11213ae8b4e7d99da47a

SHA1
0303dc7685a0ec937dac9caa7fde3e33a51c7ac2

SHA256
95472f7559132110c1107d5f954d866922dc1aba537a8c48439f1a922acf44e7

SHA512
99b58ea90450e4e8f6cddb1d1ee638ffb4d766cc65b9bfc80a59eda7cf3ffa4662eaf6d58bdd4335104d0f8bb31fc16d2459ea30ca6ecb8c86a06a68f1447654

Download Submit
C:\Windows\SysWOW64\Ddligq32.exe

Filesize
92KB

MD5
675d9dfffe0f33dd4f9bde1200ac6cab

SHA1
e0b7d29b3e09af2e645cb7dbca16415062bd4a69

SHA256
2c0c1a370cce9cde54050460c29163827937a96484d172984cf58c8350b9535e

SHA512
5db020c25da219f4e09e9df78169b753d3d862d9d5eaa06949ccd61cf29ea70ffc66d524a28edf25c41332f0a1416bb2457232ae2627a476a8545d08dacab72f

Download Submit
C:\Windows\SysWOW64\Dfdpad32.exe

Filesize
92KB

MD5
3ab0b0c89088ae3863f26f30352fe586

SHA1
d84f4e5d33ebd09442c277d0cf270cdac6997fe6

SHA256
079a9fc64ece9290b295cf7d71076c7de63f24fd8ec79febe488c4c31fe27726

SHA512
a82b29173c0498dffd2d87c3308121b4a28817784deb3162dd18193364626c37fdade2e983c6fc8eb5f0f6c48d7873da3d8cd791d2edb4b29849021d88fe03cc

Download Submit
C:\Windows\SysWOW64\Dfnbgc32.exe

Filesize
92KB

MD5
df608f6dbdeccab31b579129f3e17efc

SHA1
c481b373ea48ee9762301e1b226fbb2499b33b99

SHA256
5cb3f2696c96a57511b3b000963fd2d61021c742df01e0a475260871e9d7cf8d

SHA512
ffcb4d0ad2ecb97ca51871c8a45490300c2ed885674618386de64aa0dd1ba9c2237d3e05f3b05b5392622da827d400c219694b4611afff6677de4ebaa49c1ae3

Download Submit
C:\Windows\SysWOW64\Dkfadkgf.exe

Filesize
92KB

MD5
4018f9b48a40bc791646263d31e15645

SHA1
47a21344ed071e4bda6b8e66fe49b20a8c34978b

SHA256
3414c2e2c1baf11ad1c87cd815c34235ad526909ff83ab8ba67f1f4eb2d51b85

SHA512
1773516de3e33038d428416ad52e210e3199133508ba949743f2b627803d52dbcd95cadfeb33d8d115a35610b40234627b264664959d35374302cc71c04d14dc

Download Submit
C:\Windows\SysWOW64\Dkhnjk32.exe

Filesize
92KB

MD5
11a973fbbbff5e53af455bdc1a4e5d08

SHA1
c6ff45a19d8362a6631735c1e58aea6e9d93d3d1

SHA256
4f93386bd56d94d8d442d10ce57e0571c23cf57f36e195638cb22888a2561611

SHA512
6f94dd1c55cb8e68186a6df82fa46d01d19ce264c1983d425c1f5ef6988e5b268e124d709b870667f35b8eb8118a1e444639dcb75c1ec11a2989a6ccbc95cbd5

Download Submit
C:\Windows\SysWOW64\Dmadco32.exe

Filesize
92KB

MD5
6fc56193063e981fddc1d03492ed05c4

SHA1
1f598b8967ad70cf289e818edc4898ae7b971e1c

SHA256
bf9981700439c31e4ceca1d8e6ee419857aeacb720d50742df81c4a199693188

SHA512
dd29594a4b37ec5d4815f1ec34e85484ae8b5e620edae738338b3bb96352640a80508decf062bf73818c786105e7bd38885f68842b7ba021bf42b33a0a429fb8

Download Submit
C:\Windows\SysWOW64\Dmlkhofd.exe

Filesize
92KB

MD5
9674048e14bf53885a05e83170296e60

SHA1
713ba545d987267123a38e3edaddf0d0ca48bdae

SHA256
7e44c1ebe6a41b70e498de6f4f54941dfbb3665491d44531628e088d8a4c54a4

SHA512
e4b52241542dc47b502bad85c8644dcc2a198beca9aa1d1743253820b0a792fafc2d148daa48cb6aae62a100ca49f33f89772247ff95f01a69ffa5ba0d0a74c2

Download Submit
C:\Windows\SysWOW64\Dmohno32.exe

Filesize
92KB

MD5
756ee9e3a91ed0d731641fc8c38658b8

SHA1
ba2a45e4ad1552780f186201583e0f2b3fbc7730

SHA256
4ef51a87b82ab0caa3070810dbbc350546a76b5e6a519e6dae0c376666accf49

SHA512
51892acff7bb5dfff895ebef769f6be6549214ee9fb4ee9b8beaa4cc8bf0ebb8d47221f11ac3f6a3b50644e4ee9485c326a7a8a675bfa8f347e3cb404e455902

Download Submit
C:\Windows\SysWOW64\Ebdcld32.exe

Filesize
92KB

MD5
745dd512aacfaff9027a2f081bbc63cc

SHA1
13bd72b6c7c837c0c8083d4136fd2fcd1a15f4b0

SHA256
50b58fe3d39bd7979db4b6b227f55fa68a6a2e4a271b6e8f4b9daf495823f4af

SHA512
9e5a866740b38cef125050bbb93d27f0837011b22d22b89e2b772d7e528e640f1ff1d0707d86a447baf0709e37067cf95a7e6198812e0009bb07a737531f6c0e

Download Submit
C:\Windows\SysWOW64\Eiahnnph.exe

Filesize
92KB

MD5
3973b11df1e388e66b8323a8a6dbbe52

SHA1
9fc631b5d64d094a05051e1dfe860f7eba19eaac

SHA256
44cb3415ddcef4ce1796e784a7c76b0d5062674a6ba17c0ab2ee93b2ff25acaf

SHA512
10c82861567861689aa760784683aa39c00c7dc16ad710c2b0af8c0027601fb84611ccfa5db01d178a57df651556962911e189d48eed548ce6e8ab8459291815

Download Submit
C:\Windows\SysWOW64\Eifaim32.exe

Filesize
92KB

MD5
f806efc7ba1cf6d4a71b83b7b78fee8e

SHA1
61c4db2e78427736baecf2930482f892a37ebd1f

SHA256
df834c3ced1af5e39bc021b21450d450aa34fd2c6dec484cb08a87c5c6594e23

SHA512
7bb663bb6b02f880afa823f5eb1f0c7d5cb396fee21ea3f338e8aeae757ad6eddf7a732ee774f2abd3704cd32ef1540e731263af6a570d6f8cef1dc7976300d3

Download Submit
C:\Windows\SysWOW64\Ekkkoj32.exe

Filesize
92KB

MD5
5fc04b2fb5efae01f3746d9e36820d77

SHA1
3b680c4c9abb923019f33d6cbed697e9486c2fad

SHA256
2d117be3f51bf2c4d3acf8b54e92e29dd3041f0313b6582c50148574a53895c6

SHA512
f0c98320947d4acb9dfb2d018925e1ce466bccd8f8ea80c27659c2a4ee9e3ec0da5a9dc7ccb125bcf18af6ba3e4e85ad2acfc70e31fa293e08e2c8aee7a17ffa

Download Submit
C:\Windows\SysWOW64\Emjgim32.exe

Filesize
92KB

MD5
50391746a75a890e9a0276c4ca4605e4

SHA1
7672a9edec9c5165d1968674d17a16247f35abab

SHA256
eee24f9f4801e9dc0a3f964b6e073e8ca5b33ddf703195d8355d29c15cf89e6e

SHA512
15aa329c442516a9fd8ce24b5560d38295b08de1a8557a9b97c054ec8f93f680d4029df9145d0d1f40d81b47a8a1dc1d31c58b95335632637ae2c7c683282dc4

Download Submit
C:\Windows\SysWOW64\Emoadlfo.exe

Filesize
92KB

MD5
58bef3e77a74d0ef77659c5b492f4554

SHA1
42265dec357166755a90d0b37b9d046ffa1a0097

SHA256
18b79f5c47d624267a73b739270266c463903cff56daeb92b15dd8532f24c496

SHA512
d693aa62a029f3486d84f5ac3f84fb7e975c7362c4215c1f59812d00b270a2279c8e5c7b7abb97c819f96260da9d8b24d8295b0d3b5d4f4cf48cd94ef6254727

Download Submit
C:\Windows\SysWOW64\Enbjad32.exe

Filesize
92KB

MD5
473ffc27e55330449caca811011414df

SHA1
0f58d51356379a988a218208183a58b5cede6315

SHA256
f38c2b2a8df69e8e365f304a536279d49a4f8f936a441db5f975e238e6c49529

SHA512
07ccc4ab42ac562088f56f27d9ec55985c02ffe351da56df3066981357a1ad0aee47338ac32514d6d39d5819aa4965095d19f0ab15fe2f997e6a475e718e4d6b

Download Submit
C:\Windows\SysWOW64\Ennqfenp.exe

Filesize
92KB

MD5
a81edcd3c9ef0c96f16f2cdb93d1f33d

SHA1
8b36a8f08b95fec736a03851a34613e439fbf28a

SHA256
268d15980966140b3640cc8af12223740f2e19932a081c2e85872afbb062964c

SHA512
85e8f2c7ef505a6851d745ce8653813b22b01979898babeba6d023c23ee923f60d3011ab94b06ac2acbf630cc07c73d9e7ee814dcbc26ba6bd0856b32f9d8633

Download Submit
C:\Windows\SysWOW64\Enpmld32.exe

Filesize
92KB

MD5
043a5105d7d2ca6166a48f6999b16d8c

SHA1
21276c370d533b514d679de9f8e9ef048795477e

SHA256
b7b9cc52af763eeceeb2d6de202336c423322ba727979365217d17c9ac41c97d

SHA512
dead837c88730b327f92e7eb0086bbe52cab72ab7f9bc05ef563db6479d4e2c845d32f92897f4800f3fc2b0410199b4ab31e2c612a03a3c5838ba0f3f0629a21

Download Submit
C:\Windows\SysWOW64\Eoideh32.exe

Filesize
92KB

MD5
d8aec44279198d86c4c27232ccaea10e

SHA1
f1fac1c015919d387af6af3221449a57fcce09cb

SHA256
bb699a781eb90bcda9ea4a8339bdb9c9d0ce527dd0d06cd085a6ddb0549a99ae

SHA512
d70aac42e610d9a6d030f34c0ef29f0f4497f43e5d946daab7f2e1f9b437c23acad560d9f15afa4b64fd84e98a17320770dbab70d418928694a5546012a461d3

Download Submit
C:\Windows\SysWOW64\Fbbpmb32.exe

Filesize
92KB

MD5
4a6b48dc365fdaca768f02d768302f58

SHA1
b6ec79fe114eed4caf7cfe61f38dbfee061a12b6

SHA256
d33837989968868d9ef0138b123ef893887678697fd08c7b7affd97478005800

SHA512
7e4b3444f0a24ffe9897a7a5aca076417a554484fbc28ec6e79d9580fb018fb15ebe7ced00262c175c38e976d192f466481e64109c1acefae4364f919f87270f

Download Submit
C:\Windows\SysWOW64\Fbgihaji.exe

Filesize
92KB

MD5
7f63e8d714e24f431443fd8d3b988857

SHA1
7a57e9a7c90317ae2c691ea8e74113942ef6e741

SHA256
6afba5ff20c7784da126b7f3e891032e3103a98575ddc80c39782982c92551ec

SHA512
1aa0af84853f2e708154bbc89e643832b656e51695db881a88726753796521fe9830b0e2e7a891b2fdfd609e33b52b04a14f1d01d5190c6c0d5590641ab8b297

Download Submit
C:\Windows\SysWOW64\Fbpchb32.exe

Filesize
92KB

MD5
725b44bf7912e223d163994e67f20726

SHA1
c36939ef57e28a9f262890e92cf94d89b37cd568

SHA256
bb23edf3fbc3b595f0a6574c40fa8756de3576b6f4747ecaa426f249936081dd

SHA512
84e24a4f78fbbeef06847416db1b432d6eba3f9e002f399c0e23da08d0f240c04c061f7e1c412e7575bfc516493fb8fd95156728c68f42810483d91240abf6a5

Download Submit
C:\Windows\SysWOW64\Felbnn32.exe

Filesize
92KB

MD5
da0e8b8d77cf9cb9e076cbf92ee4abd1

SHA1
b522dfec276b635aae69b7ce28be3f9716b5f8e2

SHA256
f23b9a1fde6217afd5e672f81d404dcff84d4a0779d96a40fc1e9aa91dcf3b2f

SHA512
b3322a73b35df23125722755bc4172d0a5e82faf5601724448eedb6834324067d35216a698c5c060f8c3a3164ccd8053c6df059216c2ff1e116f83b6eba499a4

Download Submit
C:\Windows\SysWOW64\Ffqhcq32.exe

Filesize
92KB

MD5
9b889f76ce5144c4706b92a7f50224b8

SHA1
7d5103373ce7967a7d42f07aa37a214c64cb8e54

SHA256
ef49fed1fb1fb5be7aea21a46f2a54534762e5365d5664d50308b292ebaec2c1

SHA512
550fe4a69d04c97b85360a546818103ab875f55a835f29a2b2990126ad89d1340d73fc15d75034e5b2991bbb58207cb65c568fb5082875712e60035cc61b5667

Download Submit
C:\Windows\SysWOW64\Fijkdmhn.exe

Filesize
92KB

MD5
81678c576a91fa9e1b06fd0072834cc7

SHA1
2e5b88b6e4780c86632a245f0c429dda4b94def6

SHA256
453556b90085f92c9ffe5d3b9590984d24bcad7a821645a0d3fa60370f5d3d65

SHA512
312cf7a353618a5c66f71a8c786d89aef391cf9de77a718bf88cc7f4e2c57a9743108e11245b81fae5deca4f0cb01d6220abd6a76447071736b4223172db43db

Download Submit
C:\Windows\SysWOW64\Fimgpahk.dll

Filesize
7KB

MD5
201e3ede77be72db3e2669530ca49f36

SHA1
65cfb566b9aa8324d9e96c959c8a5eb1d139b4d2

SHA256
4ad4988e513edcaa82146029aa62931ec4280f3687090ae2239dba5e43518c69

SHA512
a3039e0a8169c090528262c4b43f554995d65914f9bdfaa38137f74d99dcdc2a844d4b52a06aa7f8403484d5044dd5d462541cc756643d873254a26910474b82

Download Submit
C:\Windows\SysWOW64\Fligqhga.exe

Filesize
92KB

MD5
114eeaa561a9ee4f2d3aeadf728c784d

SHA1
da71ed32c7bf8359af7af78cbc3021bd381be297

SHA256
bc64abd0dd98c02b1e5ac36cad9ba7a5c9cf6f0e4fdedc76866b82c6e855d559

SHA512
69eb08488717c9a82cbb2606fe7420880a3996d59721d88bbf97df161d8474e89cba7777a247157ea3a18579bd1098594840c2d63176bcd14ced175403a43df9

Download Submit
C:\Windows\SysWOW64\Flmqlg32.exe

Filesize
92KB

MD5
c6e64c3fb49717ead6fdebb8971e7457

SHA1
79b8a5b788fc79537b34a655416d38d2e049750e

SHA256
3d782c9c10d64f30745038c46bd437c894319b3c34cd7fcf0c237adc7f075a83

SHA512
9c01b6e648cb80f362539da2e051d2c1e1f8b9908fa253460d82ddc6b752cd4966b468db67909e6a1f11e5b5ad76be307376333a185086f9b117819f062ce9e9

Download Submit
C:\Windows\SysWOW64\Fmhdkknd.exe

Filesize
92KB

MD5
0018c921073c42c1ee20d2fafb2903d6

SHA1
be3200e1fa8cf943de6541407779dcac7a28b4fa

SHA256
41913731ecde6d5f4150601e68f99bf5099c9861ceca654871cf4095f877e481

SHA512
903d6f20783f2c51f7fbe921984cce251d472124b297309855487334f1680de00cbf81bf5fcd79f0fc01c6204354e12371eee5bc958b75a8f2f659feb7583f40

Download Submit
C:\Windows\SysWOW64\Glbjggof.exe

Filesize
92KB

MD5
736129b0fc0d9bbff083ad0d0629f8da

SHA1
c4f00bb875b93e54fb85cd1d20511f495c6fa84a

SHA256
a72b61dfd5aafd73afc8895de4d79d8367b51df956aaaae2efc1e582f14616cc

SHA512
172baf2ebcd0b1dd339c792be21ab9c1e6a477486cb61faf13b7b5db031cffeb6acd556b21c94f9bf3e162a60f58bee6552da2f237752543483f89691225a7bd

Download Submit
C:\Windows\SysWOW64\Holfoqcm.exe

Filesize
92KB

MD5
8ffd433c7f8fc779049f151671a6aa9a

SHA1
9bc82c6aeb4288e32994de6be9fda173279e6d80

SHA256
b0a198f5bb4dd7e01644a3e1c328eb6d8e7006c15d377a70e0c9e5ab3884d96e

SHA512
46ea3f247895ea054bcfdd7ecca26146b453afac4012142a74c09e60de9fbcb5fead1ab13955e15b30efaa7210c70540bc330a07ffff28ec690b7c0b3d0b9cbf

Download Submit
C:\Windows\SysWOW64\Imkbnf32.exe

Filesize
92KB

MD5
74b7e101ed577f369f858813c98aa15f

SHA1
5b029353a873262f6b46b466a48a66a8ea91aefe

SHA256
2acf1c257e0116f1b136865f2fd0b0afc852ab31dacf7da2359b3cc73cd2df85

SHA512
709dc5118e4a8d63bafb1b5bcfdebc07ff9eb86acbc80aad332abe232fccb30861f4b508e66b23ebfb27d168c654b979abe9a2293b55776c4fc17066b3294372

Download Submit
C:\Windows\SysWOW64\Lnjgfb32.exe

Filesize
92KB

MD5
b32a22fb760cddb9da06812cae32a1a3

SHA1
cccf59dae073705baebebf8c275b317814124f86

SHA256
a331793e879b61e8f702d92b2b277b99c6cfd95f632c10fbeaf318d3062ade56

SHA512
b5355fb17f3bf62e49d2aca52b2dc5f6c882ef225eba536035a8d165329ebc391216e1cb84a106287abcf11d4197c11d3dfbb1fb8310c86a4783ebd6a31d655d

Download Submit
C:\Windows\SysWOW64\Mcgiefen.exe

Filesize
92KB

MD5
493e1f95f1dcb7d315c519a64adaa34c

SHA1
460399c5aeb2b4b897a112bcc68f344112797679

SHA256
f9eff33e219c63c187adab8ac5a40624a211c4fb3721c21681f34b8432fb069e

SHA512
b96fc86944abbe499ff721a131ad624d0c995a0fa936408bb4505dd83253180918d5e46d8ed86dfe9aa445afc92022fd195608933aaf559ec5dee2f93fcc6d23

Download Submit
C:\Windows\SysWOW64\Ncqlkemc.exe

Filesize
92KB

MD5
7e320e37fad91ef328be9877aaa48c8c

SHA1
e557f7706f2a1a506b554ca098602e181c807af7

SHA256
532cac4e8fa2deaf10cbf8db0b95e3d72563ef2cd798a82a6d62dc76f2e55537

SHA512
0c84629f063d98aa8b3d697744b5941e87d0c7e212f5930d6e6f5e0d0bc83e43330767944a13186afa01dc97a20fdaf2e822c5530439abf1fd5b5b4f56b52e67

Download Submit
C:\Windows\SysWOW64\Nfaemp32.exe

Filesize
92KB

MD5
7dd204ff78404ad5f1c8c9bd2acf0661

SHA1
e7cfb2059be6e740452feda9586ea0b58710e96c

SHA256
c9a0d2bb7430fac9f8b2b357a15386e4f26aedca80bdd1955d9c19407dc84ac0

SHA512
078374dd0dd81f54d3acf50ff14ce03ca6a23d6e5eb4948eb586f575295f517c1eaf1c98207afc0d98e71d957979f372fa33e386f30da56c7f5f3f32d3c34c45

Download Submit
C:\Windows\SysWOW64\Nmbjcljl.exe

Filesize
92KB

MD5
078b76eeae565c72eceae5b4c76422eb

SHA1
027b271ba7d629166dbbe42af2191ba765eb318a

SHA256
23e4ceaaa480e0253bd44bc2e20405becb6bd08f5171e8aca18351d0965cf438

SHA512
bbb33a15b585630d6f55ff03bcc93763c88d8798d1ff265c932ddacc196f953aad42774fb3dc2c58b3da548b52634712d002a988881e07c1aa6410526825dc89

Download Submit
C:\Windows\SysWOW64\Ofhknodl.exe

Filesize
92KB

MD5
76cdb5de06149f373872d50cee710b61

SHA1
c195962316757398ad58f928b32fb254fbc9cc46

SHA256
72c41218127a98f653a3231449f5c406080cd12e186a82a3fc5abf0a723308f0

SHA512
c9b22d30515210e07a85c78d72fa81bc98b36c1e6329343ddaf96d790a2e1b26249b02b5d08fefd814835b63d2e60185913501b03b54b3b52ff706027f4e7c23

Download Submit
C:\Windows\SysWOW64\Oghghb32.exe

Filesize
92KB

MD5
eaf70c211460d201dd93c22a67c241c6

SHA1
86579c7d456992fc812f2f6272e0c68d5c3e8935

SHA256
f60d0b44246d4d7de0a197b5e32406ded9e95d973535ca04a2fce8cd69d4e4fb

SHA512
fce429f825b5b68575809f15a8fb2fb47076397aabe16a70afb607822f157afee3703a650eb0d56187d38962b11cd51b18b63639ba8f6f0b44d0623e05c20d24

Download Submit
C:\Windows\SysWOW64\Oplfkeob.exe

Filesize
92KB

MD5
489a04ecd74431313ca8e791435a6b29

SHA1
13b357ea7bd79cd89b83ea8b8d0efe9e9f60cd4b

SHA256
6bf88c5684f04c976114b89dc9650d3ed5c25531857cc1c5b1ae09804915137c

SHA512
4bd6e03ee0aa37fc171fc7ab88cb340790ce5dfc95a76f37e109c5771360549f97e9ff82488d91effd14999ba67c375a22932ccc9ef92e7c0adfc6c8183cb35c

Download Submit
C:\Windows\SysWOW64\Pagbaglh.exe

Filesize
92KB

MD5
696aa5b33a0eb225048dd7a0828fb16a

SHA1
e432b2afedeaf6b2117d271dd3a63cbb6348b7f3

SHA256
ea609c6da56ac9a8dc1effe43cbaba7fb096550c876ae5bca72e87c3407cb94c

SHA512
a589eb10a9bd2d2bf22b9103c82827ea847657f58f16347b14106dbfcdf6e91cb289fe0a17e779c8707bb73ee0da252421b3a929546d6ddf47154a596ec31c77

Download Submit
C:\Windows\SysWOW64\Pfiddm32.exe

Filesize
92KB

MD5
e993397bdcc1dc483f7d3250596cc02f

SHA1
45d62c4a961e64497a1aa979fade022bdd286e0e

SHA256
bafd5b584db8d6990baecf747b6a491b0c201188c6350d70d4dfd22566809509

SHA512
a5ad1020a0cb50423aa087a9138fa7c5fc5976b9dc90f95568988320f71c1779f98a7dbe67dda14ce49d5194c8c4104b9d9f31f36aa6e4ee54ee26ff88d4d7a8

Download Submit
C:\Windows\SysWOW64\Qfmmplad.exe

Filesize
92KB

MD5
5babc431c8359cf1ad44284a2cf1b080

SHA1
c86ef065c56ab65b7a87c51765c38ea2c3e78de7

SHA256
7f779ea9c4a255f446b952d8c8b203c6ec868c93f86b4cdf2f63562fac3baad2

SHA512
142e1be14f4ebef9d6bb7df36c2d7f74eeebabffc541e8e81064deabd91b4f36a6079d08a2f6669c3fabdd42238a9a13d8c3d8fc2d97004d600d58c1579c30d8

Download Submit
memory/220-340-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/428-418-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/452-328-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/648-304-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/744-55-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/744-593-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/748-200-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/824-286-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/856-532-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/888-119-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/912-376-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1012-364-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1032-262-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1116-472-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1132-394-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1140-224-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1328-552-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1388-442-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1392-175-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1468-247-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1560-434-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1580-112-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1660-274-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1688-406-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1708-216-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1712-572-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1712-31-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1748-128-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1808-292-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1872-458-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1892-314-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1920-566-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1984-316-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2160-374-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2180-167-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2196-388-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2224-559-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2304-580-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2328-284-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2376-8-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2376-551-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2476-545-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2628-159-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2640-334-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2696-189-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2752-382-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2816-95-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2940-424-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2956-268-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2972-494-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3000-240-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3004-538-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3048-152-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3236-298-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3248-231-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3292-466-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3420-358-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3588-64-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3644-514-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3652-104-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3740-87-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3880-39-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3880-579-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3924-80-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3972-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3972-544-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4000-412-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4088-207-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4092-71-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4156-436-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4200-400-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4204-460-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4232-524-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4264-496-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4292-502-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4312-526-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4376-508-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4384-255-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4464-352-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4488-587-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4544-322-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4616-565-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4616-24-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4652-136-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4752-478-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4764-143-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4832-448-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4852-558-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4852-15-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4904-573-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4928-586-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4928-47-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5008-484-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5040-346-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5072-191-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5136-594-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads