berbew | d233d01b8f87084ad53a16794b317b04f5ea899d7202cf820429de791722f66e

Analysis

max time kernel
92s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2024, 08:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d233d01b8f87084ad53a16794b317b04f5ea899d7202cf820429de791722f66e.exe
Size

64KB
MD5

a1a28a4604c1ff1a6dc8cf5600c1735a
SHA1

3811102d9cf45480685feb4f4036552793607e9b
SHA256

d233d01b8f87084ad53a16794b317b04f5ea899d7202cf820429de791722f66e
SHA512

8e17ccb89aacae7e0e62631d1706322d1b8b79b68f1dce0ebb21125dfaf01aa472c2834654f5fe6869ecc2c29171d0443a85f8492e3e2d4efb0aa737bdb573f0
SSDEEP

1536:6jkPRqcDrBfyunAHVPGyzNPlwM8CHgBqw72LFrDWB2:6Mr9ysA7NPlwM8CHgBFYF2B2

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klgqcqkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmkfhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmppcbjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfhdlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmiciaaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klimip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpqiemge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgddhf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncianepl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oncofm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kebbafoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jblpek32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfankifm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nngokoej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oneklm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpppnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpgfooop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmbfpp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldjhpl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ligqhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kemhff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llgjjnlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldoaklml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdpmpdbd.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
4516	Jlnnmb32.exe
2108	Jbhfjljd.exe
1672	Jfcbjk32.exe
4332	Jmmjgejj.exe
2464	Jplfcpin.exe
1808	Jfeopj32.exe
3392	Jidklf32.exe
2692	Jlbgha32.exe
4576	Jblpek32.exe
552	Jifhaenk.exe
2944	Jpppnp32.exe
1596	Kemhff32.exe
2864	Klgqcqkl.exe
1364	Kbaipkbi.exe
4032	Klimip32.exe
4964	Kebbafoj.exe
3420	Kpgfooop.exe
5104	Kfankifm.exe
3916	Kmkfhc32.exe
4252	Kdeoemeg.exe
2228	Kfckahdj.exe
1092	Kibgmdcn.exe
4980	Klqcioba.exe
4372	Lffhfh32.exe
4956	Liddbc32.exe
1908	Lmppcbjd.exe
2616	Llcpoo32.exe
1460	Ldjhpl32.exe
1648	Ldjhpl32.exe
2572	Lbmhlihl.exe
5008	Lfhdlh32.exe
316	Lekehdgp.exe
3904	Ligqhc32.exe
4432	Lmbmibhb.exe
4216	Lpqiemge.exe
2192	Ldleel32.exe
1736	Lfkaag32.exe
3636	Lenamdem.exe
1704	Liimncmf.exe
3436	Lmdina32.exe
3412	Llgjjnlj.exe
4076	Lpcfkm32.exe
3092	Ldoaklml.exe
3656	Lbabgh32.exe
2404	Likjcbkc.exe
440	Lmgfda32.exe
3848	Ldanqkki.exe
4496	Lmiciaaj.exe
4236	Mgagbf32.exe
3408	Mgddhf32.exe
980	Mplhql32.exe
2276	Miemjaci.exe
4724	Mmbfpp32.exe
1300	Menjdbgj.exe
4892	Mlhbal32.exe
1040	Ncbknfed.exe
3464	Nngokoej.exe
848	Ngpccdlj.exe
4104	Nnjlpo32.exe
4976	Ndcdmikd.exe
2732	Ngbpidjh.exe
3456	Nnlhfn32.exe
456	Npjebj32.exe
944	Ncianepl.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ippohl32.dll	Jmmjgejj.exe
File created	C:\Windows\SysWOW64\Djkahqga.dll	Kbaipkbi.exe
File created	C:\Windows\SysWOW64\Eiecmmbf.dll	Lfhdlh32.exe
File created	C:\Windows\SysWOW64\Eohipl32.dll	Nnlhfn32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Kebbafoj.exe	Klimip32.exe
File created	C:\Windows\SysWOW64\Likjcbkc.exe	Lbabgh32.exe
File created	C:\Windows\SysWOW64\Jjhijoaa.dll	Likjcbkc.exe
File opened for modification	C:\Windows\SysWOW64\Opdghh32.exe	Oneklm32.exe
File created	C:\Windows\SysWOW64\Oqhacgdh.exe	Onjegled.exe
File opened for modification	C:\Windows\SysWOW64\Oqhacgdh.exe	Onjegled.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Jfeopj32.exe	Jplfcpin.exe
File created	C:\Windows\SysWOW64\Gebgohck.dll	Liddbc32.exe
File opened for modification	C:\Windows\SysWOW64\Jlineehd.dll	Ldjhpl32.exe
File created	C:\Windows\SysWOW64\Ndcdmikd.exe	Nnjlpo32.exe
File opened for modification	C:\Windows\SysWOW64\Qgqeappe.exe	Qceiaa32.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Acpcoaap.dll	Onjegled.exe
File opened for modification	C:\Windows\SysWOW64\Qfcfml32.exe	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Ajkaii32.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Gdkkfn32.dll	Ldanqkki.exe
File opened for modification	C:\Windows\SysWOW64\Pfaigm32.exe	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Eiojlkkj.dll	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Bpdkcl32.dll	Kmkfhc32.exe
File created	C:\Windows\SysWOW64\Booogccm.dll	Ocpgod32.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Kibgmdcn.exe	Kfckahdj.exe
File opened for modification	C:\Windows\SysWOW64\Ocnjidkf.exe	Olcbmj32.exe
File created	C:\Windows\SysWOW64\Ampkof32.exe	Anmjcieo.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Dgdelcpg.dll	Jbhfjljd.exe
File opened for modification	C:\Windows\SysWOW64\Liimncmf.exe	Lenamdem.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Pkmlea32.dll	Qffbbldm.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Kibgmdcn.exe	Kfckahdj.exe
File created	C:\Windows\SysWOW64\Nhgaocmg.dll	Kfckahdj.exe
File created	C:\Windows\SysWOW64\Lffhfh32.exe	Klqcioba.exe
File created	C:\Windows\SysWOW64\Amhpcomb.dll	Llgjjnlj.exe
File opened for modification	C:\Windows\SysWOW64\Ocdqjceo.exe	Oqfdnhfk.exe
File created	C:\Windows\SysWOW64\Ldamee32.dll	Ofeilobp.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Klgqcqkl.exe	Kemhff32.exe
File created	C:\Windows\SysWOW64\Oahicipe.dll	Aglemn32.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Canidb32.dll	Kfankifm.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Pqmjog32.exe	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Qgqeappe.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Jblpek32.exe	Jlbgha32.exe
File created	C:\Windows\SysWOW64\Pflplnlg.exe	Pcncpbmd.exe
File opened for modification	C:\Windows\SysWOW64\Pncgmkmj.exe	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Bchomn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6884	6736	WerFault.exe	274

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfankifm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmppcbjd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jplfcpin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlbgha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpppnp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncbknfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfeopj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lffhfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmgfda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbabgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndcdmikd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d233d01b8f87084ad53a16794b317b04f5ea899d7202cf820429de791722f66e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jidklf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnqbanmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpccdlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnlhfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdeoemeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klqcioba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmbfpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpcfkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kibgmdcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpqiemge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llgjjnlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmmjgejj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lffhfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djkahqga.dll"	Kbaipkbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kibgmdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liddbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hddeok32.dll"	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmhofmq.dll"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfaklh32.dll"	Kemhff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfankifm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jphopllo.dll"	Ldoaklml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiecmmbf.dll"	Lfhdlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfajji32.dll"	Lfkaag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jlbgha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfankifm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbmhlihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifoihl32.dll"	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdeoemeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdjinlko.dll"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lbmhlihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lfhdlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ligqhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojhkmkj.dll"	Lmbmibhb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llgjjnlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klqcioba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lfkaag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbaipkbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhaoapj.dll"	Lpqiemge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nniadn32.dll"	Lmiciaaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjcbnbmg.dll"	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papbpdoi.dll"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jlnnmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anmcpemd.dll"	Jifhaenk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jifhaenk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kibgmdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 916 wrote to memory of 4516	916	d233d01b8f87084ad53a16794b317b04f5ea899d7202cf820429de791722f66e.exe	82
PID 916 wrote to memory of 4516	916	d233d01b8f87084ad53a16794b317b04f5ea899d7202cf820429de791722f66e.exe	82
PID 916 wrote to memory of 4516	916	d233d01b8f87084ad53a16794b317b04f5ea899d7202cf820429de791722f66e.exe	82
PID 4516 wrote to memory of 2108	4516	Jlnnmb32.exe	83
PID 4516 wrote to memory of 2108	4516	Jlnnmb32.exe	83
PID 4516 wrote to memory of 2108	4516	Jlnnmb32.exe	83
PID 2108 wrote to memory of 1672	2108	Jbhfjljd.exe	84
PID 2108 wrote to memory of 1672	2108	Jbhfjljd.exe	84
PID 2108 wrote to memory of 1672	2108	Jbhfjljd.exe	84
PID 1672 wrote to memory of 4332	1672	Jfcbjk32.exe	85
PID 1672 wrote to memory of 4332	1672	Jfcbjk32.exe	85
PID 1672 wrote to memory of 4332	1672	Jfcbjk32.exe	85
PID 4332 wrote to memory of 2464	4332	Jmmjgejj.exe	86
PID 4332 wrote to memory of 2464	4332	Jmmjgejj.exe	86
PID 4332 wrote to memory of 2464	4332	Jmmjgejj.exe	86
PID 2464 wrote to memory of 1808	2464	Jplfcpin.exe	87
PID 2464 wrote to memory of 1808	2464	Jplfcpin.exe	87
PID 2464 wrote to memory of 1808	2464	Jplfcpin.exe	87
PID 1808 wrote to memory of 3392	1808	Jfeopj32.exe	88
PID 1808 wrote to memory of 3392	1808	Jfeopj32.exe	88
PID 1808 wrote to memory of 3392	1808	Jfeopj32.exe	88
PID 3392 wrote to memory of 2692	3392	Jidklf32.exe	89
PID 3392 wrote to memory of 2692	3392	Jidklf32.exe	89
PID 3392 wrote to memory of 2692	3392	Jidklf32.exe	89
PID 2692 wrote to memory of 4576	2692	Jlbgha32.exe	90
PID 2692 wrote to memory of 4576	2692	Jlbgha32.exe	90
PID 2692 wrote to memory of 4576	2692	Jlbgha32.exe	90
PID 4576 wrote to memory of 552	4576	Jblpek32.exe	91
PID 4576 wrote to memory of 552	4576	Jblpek32.exe	91
PID 4576 wrote to memory of 552	4576	Jblpek32.exe	91
PID 552 wrote to memory of 2944	552	Jifhaenk.exe	92
PID 552 wrote to memory of 2944	552	Jifhaenk.exe	92
PID 552 wrote to memory of 2944	552	Jifhaenk.exe	92
PID 2944 wrote to memory of 1596	2944	Jpppnp32.exe	93
PID 2944 wrote to memory of 1596	2944	Jpppnp32.exe	93
PID 2944 wrote to memory of 1596	2944	Jpppnp32.exe	93
PID 1596 wrote to memory of 2864	1596	Kemhff32.exe	94
PID 1596 wrote to memory of 2864	1596	Kemhff32.exe	94
PID 1596 wrote to memory of 2864	1596	Kemhff32.exe	94
PID 2864 wrote to memory of 1364	2864	Klgqcqkl.exe	95
PID 2864 wrote to memory of 1364	2864	Klgqcqkl.exe	95
PID 2864 wrote to memory of 1364	2864	Klgqcqkl.exe	95
PID 1364 wrote to memory of 4032	1364	Kbaipkbi.exe	96
PID 1364 wrote to memory of 4032	1364	Kbaipkbi.exe	96
PID 1364 wrote to memory of 4032	1364	Kbaipkbi.exe	96
PID 4032 wrote to memory of 4964	4032	Klimip32.exe	97
PID 4032 wrote to memory of 4964	4032	Klimip32.exe	97
PID 4032 wrote to memory of 4964	4032	Klimip32.exe	97
PID 4964 wrote to memory of 3420	4964	Kebbafoj.exe	98
PID 4964 wrote to memory of 3420	4964	Kebbafoj.exe	98
PID 4964 wrote to memory of 3420	4964	Kebbafoj.exe	98
PID 3420 wrote to memory of 5104	3420	Kpgfooop.exe	99
PID 3420 wrote to memory of 5104	3420	Kpgfooop.exe	99
PID 3420 wrote to memory of 5104	3420	Kpgfooop.exe	99
PID 5104 wrote to memory of 3916	5104	Kfankifm.exe	100
PID 5104 wrote to memory of 3916	5104	Kfankifm.exe	100
PID 5104 wrote to memory of 3916	5104	Kfankifm.exe	100
PID 3916 wrote to memory of 4252	3916	Kmkfhc32.exe	101
PID 3916 wrote to memory of 4252	3916	Kmkfhc32.exe	101
PID 3916 wrote to memory of 4252	3916	Kmkfhc32.exe	101
PID 4252 wrote to memory of 2228	4252	Kdeoemeg.exe	102
PID 4252 wrote to memory of 2228	4252	Kdeoemeg.exe	102
PID 4252 wrote to memory of 2228	4252	Kdeoemeg.exe	102
PID 2228 wrote to memory of 1092	2228	Kfckahdj.exe	103

C:\Users\Admin\AppData\Local\Temp\d233d01b8f87084ad53a16794b317b04f5ea899d7202cf820429de791722f66e.exe
"C:\Users\Admin\AppData\Local\Temp\d233d01b8f87084ad53a16794b317b04f5ea899d7202cf820429de791722f66e.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:916
- C:\Windows\SysWOW64\Jlnnmb32.exe
  C:\Windows\system32\Jlnnmb32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4516
- - C:\Windows\SysWOW64\Jbhfjljd.exe
    C:\Windows\system32\Jbhfjljd.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2108
  - - C:\Windows\SysWOW64\Jfcbjk32.exe
      C:\Windows\system32\Jfcbjk32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1672
    - - C:\Windows\SysWOW64\Jmmjgejj.exe
        
        C:\Windows\system32\Jmmjgejj.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4332
      - C:\Windows\SysWOW64\Jplfcpin.exe
        
        C:\Windows\system32\Jplfcpin.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\SysWOW64\Jfeopj32.exe
        
        C:\Windows\system32\Jfeopj32.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3392
        
        C:\Windows\SysWOW64\Jlbgha32.exe
        
        C:\Windows\system32\Jlbgha32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\SysWOW64\Jblpek32.exe
        
        C:\Windows\system32\Jblpek32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\SysWOW64\Jifhaenk.exe
        
        C:\Windows\system32\Jifhaenk.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        C:\Windows\SysWOW64\Jpppnp32.exe
        
        C:\Windows\system32\Jpppnp32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\SysWOW64\Kemhff32.exe
        
        C:\Windows\system32\Kemhff32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1364
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Windows\SysWOW64\Kebbafoj.exe
        
        C:\Windows\system32\Kebbafoj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3420
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3916
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4252
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1092
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4980
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1908
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        28⤵
        Executes dropped EXE
        
        PID:2616
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1460
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        30⤵
        Executes dropped EXE
        
        PID:1648
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2572
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        33⤵
        Executes dropped EXE
        
        PID:316
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3904
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4432
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4216
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        37⤵
        Executes dropped EXE
        
        PID:2192
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1736
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3636
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        40⤵
        Executes dropped EXE
        
        PID:1704
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        41⤵
        Executes dropped EXE
        
        PID:3436
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3412
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4076
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3092
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3656
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2404
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:440
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3848
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        50⤵
        Executes dropped EXE
        
        PID:4236
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3408
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        52⤵
        Executes dropped EXE
        
        PID:980
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        53⤵
        Executes dropped EXE
        
        PID:2276
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4724
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        55⤵
        Executes dropped EXE
        
        PID:1300
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        56⤵
        Executes dropped EXE
        
        PID:4892
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1040
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3464
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:848
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4104
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4976
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        62⤵
        Executes dropped EXE
        
        PID:2732
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3456
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:456
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:944
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        66⤵
        
        PID:220
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        67⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        68⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        70⤵
        Modifies registry class
        
        PID:2832
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:4108
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        72⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        73⤵
        Drops file in System32 directory
        
        PID:1000
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2860
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2456
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4600
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        77⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        78⤵
        Drops file in System32 directory
        
        PID:3256
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3908
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4504
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        81⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        82⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        83⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3876
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1900
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        86⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3884
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        87⤵
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        88⤵
        Drops file in System32 directory
        
        PID:5068
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        89⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        90⤵
        Modifies registry class
        
        PID:2948
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2436
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5112
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        95⤵
        Modifies registry class
        
        PID:4036
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        96⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:640
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4932
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        98⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        99⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1872
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3620
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2424
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        102⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3640
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        103⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:4400
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        105⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4864
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        107⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5160
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5208
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        109⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        110⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5360
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        113⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5452
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        114⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        115⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5632
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:5680
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5752
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        120⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5876
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        121⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        122⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:6020
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        125⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        126⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5156
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5240
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        128⤵
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        129⤵
        System Location Discovery: System Language Discovery
        
        PID:5412
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        131⤵
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        132⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5652
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        133⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        134⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5860
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        135⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        136⤵
        System Location Discovery: System Language Discovery
        
        PID:6012
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6076
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        138⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        139⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        140⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5568
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        143⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        144⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        145⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        146⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        147⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5648
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        149⤵
        Modifies registry class
        
        PID:5872
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6100
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5428
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        152⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5988
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5504
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6056
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5700
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        157⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        158⤵
        System Location Discovery: System Language Discovery
        
        PID:5624
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        159⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6164
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        160⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6212
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        161⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6304
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        163⤵
        Drops file in System32 directory
        
        PID:6348
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        164⤵
        Drops file in System32 directory
        
        PID:6392
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        165⤵
        
        PID:6436
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        166⤵
        Drops file in System32 directory
        
        PID:6480
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6524
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        168⤵
        System Location Discovery: System Language Discovery
        
        PID:6568
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        169⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        170⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6656
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6700
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        172⤵
        
        PID:6744
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6788
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        174⤵
        Drops file in System32 directory
        
        PID:6832
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        175⤵
        Modifies registry class
        
        PID:6876
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        176⤵
        
        PID:6920
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        177⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6972
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        178⤵
        Drops file in System32 directory
        
        PID:7016
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        179⤵
        Drops file in System32 directory
        
        PID:7060
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        180⤵
        System Location Discovery: System Language Discovery
        
        PID:7104
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7148
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        182⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6176
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        183⤵
        
        PID:6252
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        184⤵
        System Location Discovery: System Language Discovery
        
        PID:6344
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        185⤵
        Modifies registry class
        
        PID:6408
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        186⤵
        Drops file in System32 directory
        
        PID:6468
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6540
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        188⤵
        Modifies registry class
        
        PID:6604
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        189⤵
        Modifies registry class
        
        PID:6668
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        190⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6736 -s 216
        191⤵
        Program crash
        
        PID:6884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6736 -ip 6736
1⤵
PID:6840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
64KB

MD5
0b5da8db017a8ad4747d10565a1f9d62

SHA1
5f496d066282c20913d219270b350ce1999a73f7

SHA256
650ba069830bcfd05f3e4b05a016bf9aae556ed1ef7fd467536efeb1343d917a

SHA512
9660a56ecbaf51553b453cf080e8b98540337d2787a0b400e89bbf8e4700803b08ef46223ad8d6e680dc1efe98845b9e6652330b520ebd762359fddf8a6742b6

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
64KB

MD5
8559896c96654f7bd01fbf5d19704362

SHA1
8fefec51b172be2f053cf6a693b77aa4dd7d2051

SHA256
f4fede16c185cabf6f9cb68e1a34348460beda1d101f8884fe7f8053272fd860

SHA512
878e24c46ab79bef99353d15654d72903683ae51b90be5edb3d885793818d99e6ac2c1ae156df4f744c206002f3fbd6ba68c7cb1f7add0364b4b06ddc1945bf1

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
64KB

MD5
870233b1bdabfb4984896bda3e99a264

SHA1
0355468648867e0c8a65ba1d2aea9d47fe60cf76

SHA256
2610712b97eb5291c189751a23bb263080040416f36573fd1ea3a449a86514df

SHA512
4327551ee060ded95ffdf784788adc2e019dfd37d848625a4ef1b40138df8b5766d918fbc10e46e772b48780e2a982f9288f9e90b17634725bca9847c80f4c83

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
64KB

MD5
68d54bef142b8a799687374461a42a65

SHA1
6ef05c1cb5c440ca467536e2b17f1e0beabe1d28

SHA256
4649bf7a78c64f07cd0c8560a2ee6f9fb8f2acdcc914b9b8544d23831576e988

SHA512
2b89066db219149980cca446c21d79e887f60acee7a60f32063eab27d3663d814ccb2c47a057103af6d67f6146f13db1b2b789bae9ad43915f11f0ac294a324f

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
64KB

MD5
d6d2893d1b07b70136aa17b0532c715a

SHA1
2a88b8c8d365d0df38f2f01cedf019816c13d55d

SHA256
6e2a0f07f4fd67d980dc5206d4caa731402681f6674732bc599bb4529032dabe

SHA512
afdfc865626a1582502b63cdb985f1ea1ee4f57e595a42166a9419372830b4097ba470590b1a826c5e27f28dd413cd00d95584d307df9d2da443e849cba375f0

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
64KB

MD5
e7f5ef3720d62de8ce3eee012974f41a

SHA1
9e13eb84c1d96a576bd03e92a73e0b754e5eb355

SHA256
4f829a70236a3f97b19a06126f8374705c2fb0a194a94034d6a1cbff93089371

SHA512
1fcdc2c94fd365699878122d3e596e389347823c6adf6cc047c6c3d4fd77a4c9e944ca19d6387d1510a8546e2ad93ad61c6e401f8c6f2503ea2ddd54a5e63fa3

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
64KB

MD5
59134024e97ab1b5fc45b6cd7d761f34

SHA1
595fbf833369a7a50759332dce5760cff27d58d0

SHA256
3d60f3a3f854d9b10d5570383bfa41c124cbaf3200def65efe752856b92bb366

SHA512
8ff127d4730e97d8b6c2f1032d4c6501c9a4309ca997b69e9b459f9c122f76df4e9722b7924510868457972d213a0741e390333fbb93429c6acce424d4e88623

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
64KB

MD5
55fc6ef25f6da1c1cc134e6033461774

SHA1
89183b8ab16b2db0a115f62fc875fcb70358cc69

SHA256
ca3f5c1bf7ff4aee9ec8f6b71466f6fe15639c080d50149794499f8c77cf57b9

SHA512
5ba0112639318829a1db7b6776134a7a4cd0ebd021e74aeb21e73c094cd735d82c37c3cfbbdab40cf0d485fc35ff09d3c3be50c679aee3bd32f24d7e7b6baa54

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
64KB

MD5
de34ae3cc875114df62f9fff2b66f479

SHA1
9c4cfd235b2633da281512478f9b6f6fcbbd98ad

SHA256
2dcd56456b06794de996e07463e2fddea126741e730daea6993b3a0fe355eddf

SHA512
8394cab1f40bf07424e5ade8009a8e0eaf7ff66bf6ff36f2ba7a9b0ba917f2f63f40b0b59c552b2db2cccbd6453d89d9a2393c61f32fe9cf1fcf9dfe423001f9

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
64KB

MD5
d40d1409580181252d71882018e7056d

SHA1
9fecac6103be52ee3ae3bbedb642ac4572b7b18c

SHA256
decb5e08c8580e8fb368b9991470d057a0e3dd704a17694c477dc847adb3bcb2

SHA512
4a6bbdeecc6ab25ed474a443f9103c94037a58ee017542c4c9c6b347a8a7d2d6bc56746d9886b4a3e208fd0ff26ef44ea1462ffd52f2fe0dc8f8c039dad68d4d

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
64KB

MD5
b66ade14ee637adacea635ec183cb34b

SHA1
6937ecb89f8d2afd200259f005ffb2e0de04cd19

SHA256
e8e89b7e9c36a4604b32baf6521172f1c93d6dcff1349b3474667343dea41ffa

SHA512
461e938af35d0105e6e12499e2b47e0dfa8dcc50da3035868db29de629a82509f5d22462bcf9c14a4a62b6eb9d79ac7ee0e338388cfcb5e753084562b041d262

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
64KB

MD5
eb18f3b5426f5c8e28dd64d688bd0659

SHA1
557a53d7c778e9a548911e2af5b19a065c443e4c

SHA256
eb27f5e56cffb6b51dbf8842b86b7ade68248e16ad5b7a013bf4bd3944d4020c

SHA512
8402df7197e808e86ab743cc8d6b7cf51a8fd381c062753c840ad31581db67d4528e512f11766bc34b01e10cbefdfa884fc02586adb42e22ed8df88691dba2bd

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
64KB

MD5
c0c22f02d224096f4131a22a65380e65

SHA1
c12e3540e03f74135c311a1ccfabb1f82294c379

SHA256
1f98f044010c22d7328ba165bb0ccb897caeeafa2c303a9a1243c98a4f848a32

SHA512
1c9fc62f5f186feb30a6c6cde7b984a535eb59835f0cac83e8231d565d107fc86e6a809e1bee01132980b4e4ac5cf7dcaba78c135ab4ad3f895ecc3db837608b

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
64KB

MD5
084d9449b45065aef04c9d0686bc7a32

SHA1
26cd42679f621947674b9822c26c6518a88e911e

SHA256
ed30a327b8939ad5ed21d30c6acf79074a7b7f9dbf0da649581716484396c7b9

SHA512
8a1cf9eb580f09054de6e8862a8e186516d0db044cb0467f3a061b039f9a957bdc3ac15e013c72f7287e7dbfd4ed197a71101c51b4c4f27a89c36c7991ccf156

Download Submit
C:\Windows\SysWOW64\Jbhfjljd.exe

Filesize
64KB

MD5
0263f00dca45c6dd2f52f6fc288dcf6f

SHA1
3bb4a0ffd34593ccfe0184f7e8aacf620f2fbb29

SHA256
5bfbae486d417a2c222c4fdee5b1435821bd18e69d4bfe8f6852fcc74c58fc11

SHA512
46e7a0ec052848010f8ffb1e8d450d4a9b45061ca56310ecf8827927d4b8fcd12420a1dd810b8759cd7fff3e2524e2ab8efd0e16206873a579a16b13e463dfc2

Download Submit
C:\Windows\SysWOW64\Jblpek32.exe

Filesize
64KB

MD5
290b797ca2ab13875c6a350418cb3305

SHA1
1f94495308d3ab7fac4c19b9665e334f08324a90

SHA256
9005dc62c16232f251e28a6cae82971c13e68d8dadfc93637079eb32dcafc82e

SHA512
89dcaf43156ca038f96788471952239c18f1a114cd533a249e309fbeb4f903bf35b89ff96cb7d8516f3cfb2c31aa2c820498150c23ae195521212f8c2b553a91

Download Submit
C:\Windows\SysWOW64\Jfcbjk32.exe

Filesize
64KB

MD5
fe9d1a11a034ca1d0f9ed538d0af8f9d

SHA1
edb0d3653a422225587fa4c2cd742da3d41ce3ea

SHA256
0244fd057b79db028c2a437810173d76ade43d1acbf2e15d7dbc3aebb1be272d

SHA512
0363912a090b154a444f2ebb529564f10b38ba876b1de23b9c8222cc3c172b486f95ee941b11bd2e291628b8982c3d34cf118cecd2119a1ece211da138658a5a

Download Submit
C:\Windows\SysWOW64\Jfeopj32.exe

Filesize
64KB

MD5
107403ae2a6a08a8f84e8a07ab781183

SHA1
e09feb020b29cd30bbe8409278ec6adbe852d68f

SHA256
5c7d5fdd81f5c21d0d71a92793428718fef53e7eb2df2004815dd2c8fe76c21b

SHA512
76f5a483713818a3ab18dbe1002ded40bf8e61fac9e56f2c1e305dc6544e9f38164408dec8ae73707bd13f1beaa7ff9292825063a6692ce95287a6b488aba0ef

Download Submit
C:\Windows\SysWOW64\Jidklf32.exe

Filesize
64KB

MD5
8a0c7e1129ee4b26ce39b798aa437582

SHA1
ed6e365ffd6f13d64b6da87868c442996b18c324

SHA256
06d19cef6ec6a3b553d89240888512a3366363926b11cc64a995c5c14960dd59

SHA512
d286ce8af1c731300de9f46ab487a4c143387c3e502b76188b1b0d835228179566df45415f7b0c18e9d4702285ccce1c65d4d0286da9253bcbeed4cea67c45fe

Download Submit
C:\Windows\SysWOW64\Jifhaenk.exe

Filesize
64KB

MD5
1466c39586bea31587c0bf5242e9d526

SHA1
d238986bc990b1298b77e8b496582ccbfb3d1b42

SHA256
f0cc771ab67b5a8e808980a5cb704e4ff0a2b254eb367d00055b8b7c59115f00

SHA512
b012272d998bb0cd79929379a98bc1b4e3d84f959cd1477f7a091699eb04d5d770fb7e603866e342ec66b8615f0f197f1899a342bee4e99df2ef86f9ceb30aef

Download Submit
C:\Windows\SysWOW64\Jlbgha32.exe

Filesize
64KB

MD5
d1e18b1a8169ff334e54574ea2a833eb

SHA1
27e0d1209f43e3c757999553e7de13050368f3c0

SHA256
4595e2e0fb52d62a93467b6cebae6b299bf7f1d2dd3047aceb1051559d9e737b

SHA512
79a0cd871d8d4eb6c4ec562f266dbdcbc1df67514405fd7d19051af998320df7086749587ee25a62bee7e324cfb39180a0b52c4fd8079ad0a1408003a6da5eef

Download Submit
C:\Windows\SysWOW64\Jlineehd.dll

Filesize
6KB

MD5
fec29c3d3e081db16783496c1826991f

SHA1
b0842d5be3ccdded0615e47b323f54331e519944

SHA256
7852199aab36caf6f594d9e2bfb50277b42d90e4305bf47f9d1f10aa6e26b612

SHA512
40842a1bd2dd70997ad22c6bd9b1ffd12bc0276ddbc1bf7f2d2766f7881384afb85afc9adb56c29462a98d9b2731851d42256fd2bc4174408420f8a3f346f081

Download Submit
C:\Windows\SysWOW64\Jlnnmb32.exe

Filesize
64KB

MD5
6c232e0846392cee5df704c89cc450f7

SHA1
cafeafc1394d2a3efaa4d90351bd85f56f757db9

SHA256
71ffcc7e74a74d0ddabbb2446ee95938580614d258340c8be98a116be60f10f7

SHA512
c4c6480fa2b2b8421e9a5e151bd6ec3595fc0165a13504f6850f73b89154199239f66fd7f67eca84d1b700bf596afbf9a07c71fc6f2885e8143e322e65e4874b

Download Submit
C:\Windows\SysWOW64\Jmmjgejj.exe

Filesize
64KB

MD5
cbcb23a9005e20a753c9f863f7c2827c

SHA1
f63dde4c42591dc5dbeae28bca6f9ad10bf9094b

SHA256
948b02652be58bd389e8a3b40b214b174a09a0c722ce3183391c17ad084d711c

SHA512
d71fe71f53d39238b8db8a0b369804143396df473c7250e43a188244667bb539a98c8acc6c68ba9a79320c995d1ef21df439c044fd686da959830570e67ada96

Download Submit
C:\Windows\SysWOW64\Jplfcpin.exe

Filesize
64KB

MD5
7dc4d6468319f7f472611b3eb58fcb91

SHA1
f297fc0a9ba4488485510616d18c97a37bf4cc28

SHA256
7812a44b8553f812c5143ff0388175efb502d1a54606457c96c72669ea38b3c7

SHA512
e013ce5a115a6c2b7bc988d4c9616a5b6b94b07ae9179352482adb4526b9d98e4897bb24d6ef86660b33b5f7a6f81369d23b21098bdde3ebc1d37dc8b052c008

Download Submit
C:\Windows\SysWOW64\Jpppnp32.exe

Filesize
64KB

MD5
ad0f82bde9fa5317ea1d789b7bea8251

SHA1
6637888cf3f0bd1c2508afa159ddee041526a420

SHA256
a200c231cdaaebcb780479fe999d9744ed28bb46bbcef672f550be81fe914646

SHA512
86d56d541dee4f00c552aad5badede6b7874af47e07d47c3f83cc68cc546583cf28661422a389dc9567f854a41b72ef165e3493e90cb23d97fa3f606ebc510f2

Download Submit
C:\Windows\SysWOW64\Kbaipkbi.exe

Filesize
64KB

MD5
0282706475ee75251e4605ce973f5f02

SHA1
88936c996c246e9b5e8deb03b2d927da2fb976df

SHA256
f4b0caee069d9ca20ca2abf950be3cd289fd232990d279ac2295750f8fb5e317

SHA512
85dcaa9820936afc00c1e441d7b983aad2127595188d89f93c632be73d394af11018d0b2432d8a92abc1ebdc1b2d06f278a046a4bfa091ea7117bf7ba592995c

Download Submit
C:\Windows\SysWOW64\Kdeoemeg.exe

Filesize
64KB

MD5
60e10b1100b1639df3d1085cb578e2b6

SHA1
470ff613791fe21173087471c2c3ea61436f5cc3

SHA256
6a56fae8d236514563049cf89a71a7f20137a3d006678ac4b3b599bd7d3bbb4a

SHA512
e6a72c3c012211a948850d3bc61db98732e61738367f59165d67a910274d4dc6e5232c700c0e3723e8e1c824c5e00e0e00e4daf042441e8f2d78e025ac845238

Download Submit
C:\Windows\SysWOW64\Kebbafoj.exe

Filesize
64KB

MD5
e734c826dae8cbeef19189839a19f510

SHA1
f010d5647bf68a30ef10f710b9acd26569c319c8

SHA256
8da97983add3a47952a1627c9b01076ee933af5b2ccfefd5b9dd14bd2784cb9a

SHA512
35f44fdde457787d60e08ae52db01eb5b3392b8415d12f8017761982a32ef4786a92a2f033618059cbfebb9046c20b123ca0da4d5abf5915375116cdabe78cff

Download Submit
C:\Windows\SysWOW64\Kemhff32.exe

Filesize
64KB

MD5
e3e43f9c7e4632e9c33d07b21ad51c88

SHA1
3cdde420bec0ebf4c02ebf62a3601b2da234776a

SHA256
65d6dc454be64fe6ec35b9a867875165604445db9bc92449108fbc3d8e78293f

SHA512
6e3a4f4056c1c28eb92222fba3f0e2162816260ae60fcff59cf9fcd0285aa64773300dbd9e079681e7f4034e3eea09be74b6d804914f56532d648403c9fc6c03

Download Submit
C:\Windows\SysWOW64\Kfankifm.exe

Filesize
64KB

MD5
c35a6baee71db68be97203df6d151b1f

SHA1
2cb6f422be20d65081c4976ea1723c1d57700b20

SHA256
65940534edcff35ace095b277239778014231ec5cb4472eb4cceb3217cb3a9b9

SHA512
071262cefcbf398922e791dccc2c0fb62169eb9911399f7cb977e4da828b994461ac9d18ff62679d13036c18f50b716cee186c03374a20753dc8e55cb3dd64f0

Download Submit
C:\Windows\SysWOW64\Kfckahdj.exe

Filesize
64KB

MD5
ccbed90de6fb172984ce2c4669e61753

SHA1
0f627288dc5aeadc55eeecd8ee52f54ea0f24935

SHA256
9c9aee267f3a847a823b477a163826ec955c11f3389ba1b40c538c4a1c653b64

SHA512
93c862f3ca519be961cdcf2de9dbc284060bbb4565fa2f2dea5090958d3068286bfb2323fc9814acb59b869b71060f77d985fdf5d64a481793de80c11cb4093b

Download Submit
C:\Windows\SysWOW64\Kibgmdcn.exe

Filesize
64KB

MD5
2ff24c45968a1fee2cd2aed996a859f5

SHA1
e4e18849a2565a6e27de8914e6c8f2b93ec20112

SHA256
b484acdf3681fd8459898c299e8da11b562a9e2a09797d8d27d5778251dbce27

SHA512
4f0805461d1ec78d0347f37032d3b482d6e3085d2616344daa0e6905dbe0ef6d4e91e3370952380295896badff790142019e3375b5f0ec0283806a448c63c84d

Download Submit
C:\Windows\SysWOW64\Klgqcqkl.exe

Filesize
64KB

MD5
c40c10968751d4c55f4351a981fb6b7a

SHA1
3e956cc14cf3df533c2491c56cce0afd4750d4bd

SHA256
d30e79a2368dd584a1d440fc8e95aef07b4b21a9e881327be03a778cd2a4e63c

SHA512
4467b6547d543f58a6db018e8bcc44eabae91b45202d0ba02c80d1a6d1f13a858544b70c4e125d33a050f253c5887a79a580f1aa23ed5dc5abba16fdaef04d13

Download Submit
C:\Windows\SysWOW64\Klimip32.exe

Filesize
64KB

MD5
58d2b139732bf616fd916c4572d471aa

SHA1
58b41c0451819faed6db185df7d41dbfbbb17815

SHA256
c652a44726279508b727e026adb051629ed1044c83b836670f1ff47d85fc7a85

SHA512
ea02586c0829dd771b406025ad12b5189dd8bbab2aa22c60216876e740a8a32919fbadbe83185767f8c2073a02f0baec58d6fd7c8a3b26709c3776f7e03ff973

Download Submit
C:\Windows\SysWOW64\Klqcioba.exe

Filesize
64KB

MD5
534a6a6f0932b199ba5b2f19e67e798a

SHA1
dd70f606f4507024afac364f38d1cc84f66c87e2

SHA256
aaa783eda0d30fec9307aab15577a086c34d2dc6c222dbb95d4cd01774ac354d

SHA512
444fd2cbeaf0bf1317a0df56a4ff6c2f0779d5330fbc0e38df3f5f6e82977950fbf7423495a1f5aa31b143f7857f79cc76ddd130e6f7443bdb356e9003445ab3

Download Submit
C:\Windows\SysWOW64\Kmkfhc32.exe

Filesize
64KB

MD5
4fc5915aa2524b9be54be687d687073b

SHA1
5e4728dc9759ddb5b293a1d1798890301791ec70

SHA256
b1cabcd998614b0bcd6549fc84d16d27c6955a7321ff7155ab5bda92591b23d6

SHA512
1035624c6ceb1e91bf009d000091685e03aaa5256919295f5dfc6882f95f5e08f5ecc566f20cd44d6729ef9f0429114d219360e062e0c9a3866c5c84c7b65609

Download Submit
C:\Windows\SysWOW64\Kpgfooop.exe

Filesize
64KB

MD5
72bfaef8113b7fc8b5865808b84b0a36

SHA1
8fb0ab48ed07798d2714d9838502f1e4880823d7

SHA256
9a036ce7d9adcc0b80182e2384f0706be58ca5f909a6863a9b0b7600ce532690

SHA512
8a68361b2570517378c5b0000ba4033c183955790279a60f57118a6bc1216b27366197599f0d157eb7d2d2d64ce0eac57f2c9d14b404625d448153a7d7ed6ce8

Download Submit
C:\Windows\SysWOW64\Lbmhlihl.exe

Filesize
64KB

MD5
864bca0615086a47700ab529fe010ed1

SHA1
a5e7f63f8efaa123886c29b91b2168de4cccc484

SHA256
9ceafc6d9fa87ec321e796de6190d47c4760e877ac01e84f949602cac969def0

SHA512
47d5e542fa603ab8d53d67bdaa9e462af4ae3262fff04ec045013bc410afb9f59f079d9141e857e8cdcfa33849f61a00e5004671a7df4d310ee05610b21b06d7

Download Submit
C:\Windows\SysWOW64\Ldjhpl32.exe

Filesize
64KB

MD5
8c7167c1bdbcc64344321427d7e23469

SHA1
2d8b468be25e578703ced5887fb7b876d3f91338

SHA256
c032f5f6fbef81eafcbd08871769e0eac7f4325246f7575684623405234ef6b2

SHA512
2466aeda47298ad6c918b54808fccf450439021c2cdece4cf0a97d66cd785b2833e9c4afd7b91263e8d65182dd713a637351985336e4dd1edfcb657bb3fbf3a6

Download Submit
C:\Windows\SysWOW64\Lekehdgp.exe

Filesize
64KB

MD5
4f37d7aea9598e728ed38c6cef382b70

SHA1
05bbcf9bf674f9da2ee2e594b45d37dc44818461

SHA256
c5764c2f80db89ee151d365bfe78d44cb37ac852ecc308e5ec60c59fac5ccfda

SHA512
da7aee4d85f86ddf41eb22da839bc5e375b99956c7b598163b791c0a363ed17e9a333fccc3f29c0682b2e62f8f5643f7b3daffef728e14fbecb55eea789b2ed5

Download Submit
C:\Windows\SysWOW64\Lffhfh32.exe

Filesize
64KB

MD5
5636641522478af1e690aa6590036044

SHA1
4b5e265e89c130529db529a36cab787b7c98ffd3

SHA256
b7683bdc03a88dc5b186c442319ddccf10fcc66a99b0347502244845b03ef33d

SHA512
6c753ffa1fd0c480da427f4124c6dfc137e65a41b254e784c0d12fac6cc6f495f49d818560fc931df238576c86b893bbcced4f1b0210dd453f62118144f7726a

Download Submit
C:\Windows\SysWOW64\Lfhdlh32.exe

Filesize
64KB

MD5
49748064716072b7cac214acbc47754f

SHA1
7816ef5d971cbce1ccc587c4c13e30b409729250

SHA256
463091f31b917bbc362f8d0d023f0de651639c4d245ebbcd70b8cb85e9433773

SHA512
e4476796afc55d9d5c9e0b6438ac54366991d8bfad985a3415ca82c64b80e78185f369796220dbd5c283cc4d2c1d368f2606371507d7d20932a4115d737920a1

Download Submit
C:\Windows\SysWOW64\Liddbc32.exe

Filesize
64KB

MD5
f20ea9a60ef519c28db6bce1c9df809d

SHA1
0fb84d5febedd1e3c66050dd97784c64c7324532

SHA256
9acd6aadea141bb07128ae85fa8405c2f4f312b4578506550772ef2c6416f7d8

SHA512
79274bb2b0f500e62613f0aba6f2e2ae20e34f1f017f52b79ad84ba4dc88d22da2c980f4e8e8fa3ab40598c3b0f9c1d4a1820d9826ab4563cedc2fb6ac40734c

Download Submit
C:\Windows\SysWOW64\Llcpoo32.exe

Filesize
64KB

MD5
fbb7c4d6a6dd9aff86033e7d94aaf8f6

SHA1
c31e4cf973b57c994683ee64d0a29f09a57208ff

SHA256
e406b7e63a67521f4c034b00b742f80e5e8c7b8d4da7b66e1066240e0c04709e

SHA512
57f4de203cbc3667ae7b49b84c6879a85f0ef6a43097906dbda63fff2afbb22336b4e79666063f86bf20c79832af8cb1400344e8a8cd537b2ada3e8f596d4b5e

Download Submit
C:\Windows\SysWOW64\Lmppcbjd.exe

Filesize
64KB

MD5
6b1958942c3d3cb8ac1ed82f4fecf40c

SHA1
a75fc46bd6cdf1ebb6cbdb7ca36f5f97d13afb31

SHA256
0b851c681a6c3cc32279feed6e007e2e65c34c622dbb719b9eb0a6681287b968

SHA512
e63c772a866f8cb3e02c3a2de0afd755aca2a8b5b25914a788747ffd277dd11fc089baad9593af484ce79547c10bb5a63bcb7e70b18227ecf1af513ed1be8bb2

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
64KB

MD5
afbba512bd95026fd4af164287c8b453

SHA1
2fc1f11e6ab21e5a5f93dca7c2229d88783f054f

SHA256
ab94774fd949778411698fd2767344438080bbdec4f41f79b86edf96d3408ce1

SHA512
8ebeeb2225e20e42516c7a943818a3bdddf2107d8350208088b1afed83cbb472a411818163c7e9992698f7e305edf70b5827447d4104666fe4d15ad054af6edb

Download Submit
C:\Windows\SysWOW64\Mgagbf32.exe

Filesize
64KB

MD5
08b06754848ca2b3efade63f90886bdf

SHA1
6c42e960b1544679277adb15c403db27b3e094c2

SHA256
494162c72119255135bf1bdbace73d279920399c296364a55d691b5e9452a895

SHA512
4a930e622b4d64696b5e710c12bca1c5d762c4ec9ac68eb603140e0b0bce4df058bf6b86e8d5092d6a0d195490af4a3d8fe9ad384f6505d11deefffca83b7fd1

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
64KB

MD5
7b79eb1a3bf9a8e39cbe10ed1d195b49

SHA1
0a5fd85abdd9ad02f6b2d3c3fe6effb19259cdb2

SHA256
4d9cd89a9252c2c2eecb2a82bf735b635eedc4e4ad13338e4a8dad2606ae80b5

SHA512
6eb747f8305184c8a8a4383dd3f8131ec28ac7c802dcac1409663bc1e280c30b0da7918d84b27894d28218b64d5a59d8a2782c75b3bfa93129a9efeb5399a060

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
64KB

MD5
7e4bd82b6e66446ac451375aae3b32dd

SHA1
4ceb3f5a049519ab456490b93129a18f6c54dd6c

SHA256
74c701ebd767e888b618480e91d491ec21dd1c152d6cf184e2f58b5f8d7f64ae

SHA512
ababeefd877ec00c13d1acfb63f1613ede2d6f3ebc747f09ad4c5068d71d827d6cc1ed8c2cd7c7995c3016bb61d2cb32f0ddfa0a0d1f5218e05a26650a9489d9

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
64KB

MD5
99117ad128344dc65646a491a09a477a

SHA1
cd54e9622291dfc7299f8a2974e7d1e4c6f73ffd

SHA256
64b6eae0bd9cd10659618a7081384cc0ad5916a111d94230884aec25e8e5dd55

SHA512
3ed4a9ec9046f473bfed94eacf15c604a130cbeaa37ce74ef9912ee02a4de9961aa679f401caf06fed6e21804aadd57813c5831b1e185d342fa33a01db1d12d8

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
64KB

MD5
67563ed2f44d17e2cc2e7736e8db1dac

SHA1
c0c949a62104366f356f269f616d8a216cd71b80

SHA256
606840531c25efc135e6de2bdda1c820d148f0ab1b9242808749bac325bfe6c8

SHA512
5348efa0a5d612d6ceae629c649c6ba64a69156eb771444bd87856c1dc9fbfb4017d4420ea6d9b06320cd2a0ec3f8a08b728523580a12b674adae9f09f64aec7

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
64KB

MD5
fe5af16454b3a2f7fa1d71ddd44d7e6b

SHA1
5afaeec9fdb42ce545e3fee063c57e50176a9a21

SHA256
8f7c797ea06aa2601ed5a89e3959cc42da34a33f802c383e7e651d64658c9c4a

SHA512
67db182551773c1a825199bc3003c7ad680b091e4687a78b97379f220b30b1cfc04d75098d73c502b5ba364e86a18261974a1a391bc2d3e3cedf7deaaf3104e6

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
64KB

MD5
e87311985be90299f8bca722e6e25c28

SHA1
3609919495bf9a53c22cb3bf87f02998f17d6b46

SHA256
86c7dc410ad7f64c9d4ab9e2d501d67cb1a292b18a825cd5a521a3b6421204f4

SHA512
f08bbfa82780920a666a6d85c335d4130fa574d87280e00bef680f4ec3d914d3843382a438cefc12b393f700d74996bfd254337775eb84b4e1cc3c3bb2a46210

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
64KB

MD5
ab3e1e6d76dc5fdb5f6a23a8b28e8896

SHA1
8c7e6ea481337d316a9ca32247bb37f224bb4d36

SHA256
a4ba46cdd122435ccaae27d0c06dbb8684c5b9fa85995477e32255b4bed61f2e

SHA512
503257583eee96932d5a6d72c12fc8d3f038a58666bedfecd9ff3abb7dcfefb6f8a2ab70b29ecb7af69c6d000bf509898156d36ec588556d2bf0aef3b3e74fa3

Download Submit
memory/316-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/440-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/440-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/552-171-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/552-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/848-439-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/916-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/916-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/916-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/980-392-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/980-459-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1040-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1092-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1092-190-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1300-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1364-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1364-211-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1460-246-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1596-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1596-100-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1648-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1672-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1672-107-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1704-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1736-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1808-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1808-134-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1908-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1908-230-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2108-98-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2108-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2192-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2228-180-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2228-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2276-398-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2404-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2404-417-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2464-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2464-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2572-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2616-239-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2692-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2692-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2732-460-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2864-197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2864-108-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2944-179-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2944-90-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3092-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3392-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3392-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3408-452-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3408-386-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3412-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3420-238-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3420-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3436-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3464-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3636-319-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3656-350-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3656-410-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3848-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3848-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3904-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3916-162-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3916-252-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4032-126-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4032-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4076-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4104-446-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4216-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4236-380-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4236-445-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4252-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4252-172-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4332-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4332-116-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4372-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4432-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4496-438-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4496-374-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4516-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4516-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4576-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4576-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4724-404-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4892-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4956-222-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4964-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4964-226-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4976-453-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4980-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4980-198-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5008-271-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5104-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5104-154-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads