berbew | adbeef9fc3b02f1d3e7fbdfc8dac525430641858cef491d28a07e211afb05e15

Analysis

max time kernel
94s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 02:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adbeef9fc3b02f1d3e7fbdfc8dac525430641858cef491d28a07e211afb05e15.exe
Size

72KB
MD5

0f9a1988d13c9c4530791c5ff81ac023
SHA1

f4139a24ffdc34dcb8fdad1d585f287aaa36d831
SHA256

adbeef9fc3b02f1d3e7fbdfc8dac525430641858cef491d28a07e211afb05e15
SHA512

da12e86bc21d624a60becdb6d71422cf5c38204fa3fab41bdde77e321cd7de69e428de0e3c15e454c162a6667f6b0a5f071ff6408c8d8f3b591c480b4a06aec3
SSDEEP

768:ONEaPyHnWFGfYPRHv0F/ca43Mn03CvDiC81JmiaISH90SGLhjQ/6DAv8Q5:iPKWsov0F0HMn03U43and0SGLhj06q

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfbped32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nadleilm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onapdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfandnla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnkbkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdmdnadc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hblkjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kjjbjd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chdialdl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmgelf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdagpnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qmgelf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpdgqmnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dpkmal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hlnjbedi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imkbnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iomoenej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfnoqc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfohgqlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppahmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qdaniq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmcain32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hoeieolb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjgaoqm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofmdio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfdjinjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckbemgcp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cammjakm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enigke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iefgbh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfdjinjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdoacabq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmjkic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipgbdbqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Igajal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lggejg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nfjola32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnplfj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aphnnafb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Geohklaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lqhdbm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpqldc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kofkbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqmfdj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npepkf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogcnmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgifbhid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkkjh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbnmke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjjbjd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mqdcnl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmfcok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnfpinmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfcabp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Omnjojpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eiokinbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jofalmmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdfpkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogcnmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahdpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jleijb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oplfkeob.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qobhkjdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckgohf32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3508	Cnkkjh32.exe
4596	Chqogq32.exe
4636	Dnmhpg32.exe
2956	Ddgplado.exe
3044	Domdjj32.exe
4132	Dfglfdkb.exe
2232	Dheibpje.exe
3644	Dbnmke32.exe
4804	Digehphc.exe
3844	Dmcain32.exe
3064	Dbpjaeoc.exe
4848	Dijbno32.exe
4232	Dngjff32.exe
3740	Dfnbgc32.exe
2308	Eiloco32.exe
1288	Enigke32.exe
3988	Eiokinbk.exe
4312	Enkdaepb.exe
772	Eiahnnph.exe
1748	Ennqfenp.exe
4652	Ekaapi32.exe
804	Eejeiocj.exe
4956	Ekdnei32.exe
5056	Felbnn32.exe
336	Fflohaij.exe
2316	Fngcmcfe.exe
4256	Fimhjl32.exe
2792	Flmqlg32.exe
4080	Fefedmil.exe
1900	Fpkibf32.exe
2196	Gehbjm32.exe
3076	Glbjggof.exe
2864	Gejopl32.exe
3548	Gbnoiqdq.exe
3992	Gihgfk32.exe
3528	Geohklaa.exe
3876	Goglcahb.exe
4292	Gfodeohd.exe
1148	Gbeejp32.exe
5052	Hipmfjee.exe
2212	Hlnjbedi.exe
4516	Hibjli32.exe
1976	Hplbickp.exe
2940	Hehkajig.exe
3436	Hmpcbhji.exe
1888	Hblkjo32.exe
3980	Hifcgion.exe
3836	Hpqldc32.exe
2324	Hoclopne.exe
1892	Hiipmhmk.exe
1608	Hoeieolb.exe
4628	Ibaeen32.exe
4120	Imgicgca.exe
4416	Ibcaknbi.exe
4824	Iebngial.exe
3144	Illfdc32.exe
2284	Ipgbdbqb.exe
948	Igajal32.exe
3408	Imkbnf32.exe
3012	Iomoenej.exe
2008	Iefgbh32.exe
1920	Imnocf32.exe
1860	Ioolkncg.exe
3396	Igfclkdj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dheibpje.exe	Dfglfdkb.exe
File opened for modification	C:\Windows\SysWOW64\Goglcahb.exe	Geohklaa.exe
File created	C:\Windows\SysWOW64\Pccopc32.dll	Hoclopne.exe
File opened for modification	C:\Windows\SysWOW64\Nfaemp32.exe	Npgmpf32.exe
File created	C:\Windows\SysWOW64\Opnbae32.exe	Oakbehfe.exe
File created	C:\Windows\SysWOW64\Dnmhpg32.exe	Chqogq32.exe
File created	C:\Windows\SysWOW64\Ldjcfk32.dll	Kjeiodek.exe
File opened for modification	C:\Windows\SysWOW64\Dheibpje.exe	Dfglfdkb.exe
File created	C:\Windows\SysWOW64\Ddpapmqq.dll	Digehphc.exe
File opened for modification	C:\Windows\SysWOW64\Glbjggof.exe	Gehbjm32.exe
File created	C:\Windows\SysWOW64\Kgnbdh32.exe	Kofkbk32.exe
File created	C:\Windows\SysWOW64\Lbandhne.dll	Qpeahb32.exe
File created	C:\Windows\SysWOW64\Ngidlo32.dll	Lggejg32.exe
File created	C:\Windows\SysWOW64\Mfeeabda.exe	Mokmdh32.exe
File opened for modification	C:\Windows\SysWOW64\Nmbjcljl.exe	Mfhbga32.exe
File created	C:\Windows\SysWOW64\Nfohgqlg.exe	Npepkf32.exe
File created	C:\Windows\SysWOW64\Kibohd32.dll	Oclkgccf.exe
File opened for modification	C:\Windows\SysWOW64\Imnocf32.exe	Iefgbh32.exe
File created	C:\Windows\SysWOW64\Cnocia32.dll	Mmmqhl32.exe
File created	C:\Windows\SysWOW64\Ghndhd32.dll	Mfhbga32.exe
File created	C:\Windows\SysWOW64\Qfmmplad.exe	Qdoacabq.exe
File created	C:\Windows\SysWOW64\Dfnbgc32.exe	Dngjff32.exe
File created	C:\Windows\SysWOW64\Fnadil32.dll	Enkdaepb.exe
File created	C:\Windows\SysWOW64\Ennqfenp.exe	Eiahnnph.exe
File created	C:\Windows\SysWOW64\Ekdnei32.exe	Eejeiocj.exe
File opened for modification	C:\Windows\SysWOW64\Lgibpf32.exe	Ljeafb32.exe
File created	C:\Windows\SysWOW64\Ahdpjn32.exe	Aajhndkb.exe
File created	C:\Windows\SysWOW64\Jinboekc.exe	Jpenfp32.exe
File created	C:\Windows\SysWOW64\Imnbiq32.dll	Mqdcnl32.exe
File created	C:\Windows\SysWOW64\Qnbidcgp.dll	Bkgeainn.exe
File opened for modification	C:\Windows\SysWOW64\Cammjakm.exe	Conanfli.exe
File opened for modification	C:\Windows\SysWOW64\Gehbjm32.exe	Fpkibf32.exe
File opened for modification	C:\Windows\SysWOW64\Kcmmhj32.exe	Kjeiodek.exe
File created	C:\Windows\SysWOW64\Jhpicj32.dll	Nfcabp32.exe
File created	C:\Windows\SysWOW64\Ilgonc32.dll	Pfdjinjo.exe
File created	C:\Windows\SysWOW64\Ofkhal32.dll	Bhkfkmmg.exe
File opened for modification	C:\Windows\SysWOW64\Dbnmke32.exe	Dheibpje.exe
File created	C:\Windows\SysWOW64\Nfaemp32.exe	Npgmpf32.exe
File opened for modification	C:\Windows\SysWOW64\Kjeiodek.exe	Koodbl32.exe
File opened for modification	C:\Windows\SysWOW64\Nfjola32.exe	Nqmfdj32.exe
File created	C:\Windows\SysWOW64\Cklgfgfg.dll	Boldhf32.exe
File created	C:\Windows\SysWOW64\Cdimqm32.exe	Bajqda32.exe
File created	C:\Windows\SysWOW64\Ddgplado.exe	Dnmhpg32.exe
File created	C:\Windows\SysWOW64\Hmpcbhji.exe	Hehkajig.exe
File created	C:\Windows\SysWOW64\Omnjojpo.exe	Nfcabp32.exe
File opened for modification	C:\Windows\SysWOW64\Oakbehfe.exe	Ogcnmc32.exe
File opened for modification	C:\Windows\SysWOW64\Chqogq32.exe	Cnkkjh32.exe
File created	C:\Windows\SysWOW64\Iebngial.exe	Ibcaknbi.exe
File opened for modification	C:\Windows\SysWOW64\Ppahmb32.exe	Pnplfj32.exe
File created	C:\Windows\SysWOW64\Kbjodaqj.dll	Fefedmil.exe
File created	C:\Windows\SysWOW64\Pqknpl32.dll	Hlnjbedi.exe
File opened for modification	C:\Windows\SysWOW64\Llodgnja.exe	Lgbloglj.exe
File opened for modification	C:\Windows\SysWOW64\Boldhf32.exe	Bdfpkm32.exe
File opened for modification	C:\Windows\SysWOW64\Coqncejg.exe	Cgifbhid.exe
File opened for modification	C:\Windows\SysWOW64\Chiblk32.exe	Coqncejg.exe
File opened for modification	C:\Windows\SysWOW64\Domdjj32.exe	Ddgplado.exe
File opened for modification	C:\Windows\SysWOW64\Ibaeen32.exe	Hoeieolb.exe
File opened for modification	C:\Windows\SysWOW64\Jleijb32.exe	Joahqn32.exe
File opened for modification	C:\Windows\SysWOW64\Digehphc.exe	Dbnmke32.exe
File opened for modification	C:\Windows\SysWOW64\Enigke32.exe	Eiloco32.exe
File created	C:\Windows\SysWOW64\Oaabap32.dll	Imgicgca.exe
File created	C:\Windows\SysWOW64\Ebmenh32.dll	Dbpjaeoc.exe
File created	C:\Windows\SysWOW64\Ekaapi32.exe	Ennqfenp.exe
File created	C:\Windows\SysWOW64\Jongga32.dll	Gehbjm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7116	6876	WerFault.exe	284

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmjkic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgifbhid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chkobkod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hlnjbedi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfhbga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfcabp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoioli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdimqm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ennqfenp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oakbehfe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnkbkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amjbbfgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iebngial.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfbped32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llodgnja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogcnmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dngjff32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekaapi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flmqlg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fpkibf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfiplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckgohf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdagpnbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfohgqlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aogbfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agdcpkll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkibgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfnoqc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oclkgccf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onapdl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omgmeigd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chqogq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnmhpg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ioolkncg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpfgmnfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfmmplad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coqncejg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkqaoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jleijb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opnbae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ondljl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkkjh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gbnoiqdq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iomoenej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdfpkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqmfdj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogekbb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmdnadc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dafppp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Illfdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ipgbdbqb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mqafhl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mokmdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Digehphc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lggejg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgbpaipl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckbemgcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Igajal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljceqb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgnlkfal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmbjcljl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adbeef9fc3b02f1d3e7fbdfc8dac525430641858cef491d28a07e211afb05e15.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddgplado.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Domdjj32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jiiicf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lqhdbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okehmlqi.dll"	Mmpmnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckkpjkai.dll"	Npgmpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Phcgcqab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbandhne.dll"	Qpeahb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aajhndkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqmiic32.dll"	Ibaeen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhhmleng.dll"	Ondljl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keiifian.dll"	Qfkqjmdg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ibcaknbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Illfdc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgloefco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Opnbae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nklinjmj.dll"	Dbnmke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jinboekc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgloefco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bdagpnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcmdgodo.dll"	Chkobkod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ibaeen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgbpaipl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgphpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgbloglj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nfohgqlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blqhpg32.dll"	Omnjojpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehhjm32.dll"	Ppolhcnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oingap32.dll"	Afpjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kjjbjd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hojncj32.dll"	Ekdnei32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hlnjbedi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Koodbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kcmmhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdimqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cpdgqmnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dafppp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfglfdkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhblffgn.dll"	Pdmdnadc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Amjbbfgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebggoi32.dll"	Bdagpnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Glbjggof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ioolkncg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hilpobpd.dll"	Monjjgkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckjinf32.dll"	Gejopl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Omnjojpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdmdnadc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbegml32.dll"	Hifcgion.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mmpmnl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oclkgccf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmjkic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dngjff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgnlkfal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gihgfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lfbped32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qimkic32.dll"	Nfjola32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Npepkf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Agdcpkll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifaciolc.dll"	Enigke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dicdcemd.dll"	Nqpcjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cammjakm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgphpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aagkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilgonc32.dll"	Pfdjinjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlllhigk.dll"	Lgibpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iebngial.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 3508	2156	adbeef9fc3b02f1d3e7fbdfc8dac525430641858cef491d28a07e211afb05e15.exe	83
PID 2156 wrote to memory of 3508	2156	adbeef9fc3b02f1d3e7fbdfc8dac525430641858cef491d28a07e211afb05e15.exe	83
PID 2156 wrote to memory of 3508	2156	adbeef9fc3b02f1d3e7fbdfc8dac525430641858cef491d28a07e211afb05e15.exe	83
PID 3508 wrote to memory of 4596	3508	Cnkkjh32.exe	84
PID 3508 wrote to memory of 4596	3508	Cnkkjh32.exe	84
PID 3508 wrote to memory of 4596	3508	Cnkkjh32.exe	84
PID 4596 wrote to memory of 4636	4596	Chqogq32.exe	85
PID 4596 wrote to memory of 4636	4596	Chqogq32.exe	85
PID 4596 wrote to memory of 4636	4596	Chqogq32.exe	85
PID 4636 wrote to memory of 2956	4636	Dnmhpg32.exe	86
PID 4636 wrote to memory of 2956	4636	Dnmhpg32.exe	86
PID 4636 wrote to memory of 2956	4636	Dnmhpg32.exe	86
PID 2956 wrote to memory of 3044	2956	Ddgplado.exe	87
PID 2956 wrote to memory of 3044	2956	Ddgplado.exe	87
PID 2956 wrote to memory of 3044	2956	Ddgplado.exe	87
PID 3044 wrote to memory of 4132	3044	Domdjj32.exe	88
PID 3044 wrote to memory of 4132	3044	Domdjj32.exe	88
PID 3044 wrote to memory of 4132	3044	Domdjj32.exe	88
PID 4132 wrote to memory of 2232	4132	Dfglfdkb.exe	89
PID 4132 wrote to memory of 2232	4132	Dfglfdkb.exe	89
PID 4132 wrote to memory of 2232	4132	Dfglfdkb.exe	89
PID 2232 wrote to memory of 3644	2232	Dheibpje.exe	90
PID 2232 wrote to memory of 3644	2232	Dheibpje.exe	90
PID 2232 wrote to memory of 3644	2232	Dheibpje.exe	90
PID 3644 wrote to memory of 4804	3644	Dbnmke32.exe	91
PID 3644 wrote to memory of 4804	3644	Dbnmke32.exe	91
PID 3644 wrote to memory of 4804	3644	Dbnmke32.exe	91
PID 4804 wrote to memory of 3844	4804	Digehphc.exe	92
PID 4804 wrote to memory of 3844	4804	Digehphc.exe	92
PID 4804 wrote to memory of 3844	4804	Digehphc.exe	92
PID 3844 wrote to memory of 3064	3844	Dmcain32.exe	93
PID 3844 wrote to memory of 3064	3844	Dmcain32.exe	93
PID 3844 wrote to memory of 3064	3844	Dmcain32.exe	93
PID 3064 wrote to memory of 4848	3064	Dbpjaeoc.exe	94
PID 3064 wrote to memory of 4848	3064	Dbpjaeoc.exe	94
PID 3064 wrote to memory of 4848	3064	Dbpjaeoc.exe	94
PID 4848 wrote to memory of 4232	4848	Dijbno32.exe	95
PID 4848 wrote to memory of 4232	4848	Dijbno32.exe	95
PID 4848 wrote to memory of 4232	4848	Dijbno32.exe	95
PID 4232 wrote to memory of 3740	4232	Dngjff32.exe	96
PID 4232 wrote to memory of 3740	4232	Dngjff32.exe	96
PID 4232 wrote to memory of 3740	4232	Dngjff32.exe	96
PID 3740 wrote to memory of 2308	3740	Dfnbgc32.exe	97
PID 3740 wrote to memory of 2308	3740	Dfnbgc32.exe	97
PID 3740 wrote to memory of 2308	3740	Dfnbgc32.exe	97
PID 2308 wrote to memory of 1288	2308	Eiloco32.exe	98
PID 2308 wrote to memory of 1288	2308	Eiloco32.exe	98
PID 2308 wrote to memory of 1288	2308	Eiloco32.exe	98
PID 1288 wrote to memory of 3988	1288	Enigke32.exe	99
PID 1288 wrote to memory of 3988	1288	Enigke32.exe	99
PID 1288 wrote to memory of 3988	1288	Enigke32.exe	99
PID 3988 wrote to memory of 4312	3988	Eiokinbk.exe	100
PID 3988 wrote to memory of 4312	3988	Eiokinbk.exe	100
PID 3988 wrote to memory of 4312	3988	Eiokinbk.exe	100
PID 4312 wrote to memory of 772	4312	Enkdaepb.exe	101
PID 4312 wrote to memory of 772	4312	Enkdaepb.exe	101
PID 4312 wrote to memory of 772	4312	Enkdaepb.exe	101
PID 772 wrote to memory of 1748	772	Eiahnnph.exe	102
PID 772 wrote to memory of 1748	772	Eiahnnph.exe	102
PID 772 wrote to memory of 1748	772	Eiahnnph.exe	102
PID 1748 wrote to memory of 4652	1748	Ennqfenp.exe	103
PID 1748 wrote to memory of 4652	1748	Ennqfenp.exe	103
PID 1748 wrote to memory of 4652	1748	Ennqfenp.exe	103
PID 4652 wrote to memory of 804	4652	Ekaapi32.exe	104

C:\Users\Admin\AppData\Local\Temp\adbeef9fc3b02f1d3e7fbdfc8dac525430641858cef491d28a07e211afb05e15.exe
"C:\Users\Admin\AppData\Local\Temp\adbeef9fc3b02f1d3e7fbdfc8dac525430641858cef491d28a07e211afb05e15.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\SysWOW64\Cnkkjh32.exe
  C:\Windows\system32\Cnkkjh32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3508
- - C:\Windows\SysWOW64\Chqogq32.exe
    C:\Windows\system32\Chqogq32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4596
  - - C:\Windows\SysWOW64\Dnmhpg32.exe
      C:\Windows\system32\Dnmhpg32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4636
    - - C:\Windows\SysWOW64\Ddgplado.exe
        
        C:\Windows\system32\Ddgplado.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2956
      - C:\Windows\SysWOW64\Domdjj32.exe
        
        C:\Windows\system32\Domdjj32.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\SysWOW64\Dfglfdkb.exe
        
        C:\Windows\system32\Dfglfdkb.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4132
        
        C:\Windows\SysWOW64\Dheibpje.exe
        
        C:\Windows\system32\Dheibpje.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\SysWOW64\Dbnmke32.exe
        
        C:\Windows\system32\Dbnmke32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3644
        
        C:\Windows\SysWOW64\Digehphc.exe
        
        C:\Windows\system32\Digehphc.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\SysWOW64\Dmcain32.exe
        
        C:\Windows\system32\Dmcain32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3844
        
        C:\Windows\SysWOW64\Dbpjaeoc.exe
        
        C:\Windows\system32\Dbpjaeoc.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SysWOW64\Dijbno32.exe
        
        C:\Windows\system32\Dijbno32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\SysWOW64\Dngjff32.exe
        
        C:\Windows\system32\Dngjff32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4232
        
        C:\Windows\SysWOW64\Dfnbgc32.exe
        
        C:\Windows\system32\Dfnbgc32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3740
        
        C:\Windows\SysWOW64\Eiloco32.exe
        
        C:\Windows\system32\Eiloco32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\SysWOW64\Enigke32.exe
        
        C:\Windows\system32\Enigke32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Windows\SysWOW64\Eiokinbk.exe
        
        C:\Windows\system32\Eiokinbk.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3988
        
        C:\Windows\SysWOW64\Enkdaepb.exe
        
        C:\Windows\system32\Enkdaepb.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Windows\SysWOW64\Eiahnnph.exe
        
        C:\Windows\system32\Eiahnnph.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Windows\SysWOW64\Ennqfenp.exe
        
        C:\Windows\system32\Ennqfenp.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\SysWOW64\Ekaapi32.exe
        
        C:\Windows\system32\Ekaapi32.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\SysWOW64\Eejeiocj.exe
        
        C:\Windows\system32\Eejeiocj.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:804
        
        C:\Windows\SysWOW64\Ekdnei32.exe
        
        C:\Windows\system32\Ekdnei32.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\Felbnn32.exe
        
        C:\Windows\system32\Felbnn32.exe
        25⤵
        Executes dropped EXE
        
        PID:5056
        
        C:\Windows\SysWOW64\Fflohaij.exe
        
        C:\Windows\system32\Fflohaij.exe
        26⤵
        Executes dropped EXE
        
        PID:336
        
        C:\Windows\SysWOW64\Fngcmcfe.exe
        
        C:\Windows\system32\Fngcmcfe.exe
        27⤵
        Executes dropped EXE
        
        PID:2316
        
        C:\Windows\SysWOW64\Fimhjl32.exe
        
        C:\Windows\system32\Fimhjl32.exe
        28⤵
        Executes dropped EXE
        
        PID:4256
        
        C:\Windows\SysWOW64\Flmqlg32.exe
        
        C:\Windows\system32\Flmqlg32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Windows\SysWOW64\Fefedmil.exe
        
        C:\Windows\system32\Fefedmil.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4080
        
        C:\Windows\SysWOW64\Fpkibf32.exe
        
        C:\Windows\system32\Fpkibf32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1900
        
        C:\Windows\SysWOW64\Gehbjm32.exe
        
        C:\Windows\system32\Gehbjm32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2196
        
        C:\Windows\SysWOW64\Glbjggof.exe
        
        C:\Windows\system32\Glbjggof.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3076
        
        C:\Windows\SysWOW64\Gejopl32.exe
        
        C:\Windows\system32\Gejopl32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2864
        
        C:\Windows\SysWOW64\Gbnoiqdq.exe
        
        C:\Windows\system32\Gbnoiqdq.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3548
        
        C:\Windows\SysWOW64\Gihgfk32.exe
        
        C:\Windows\system32\Gihgfk32.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3992
        
        C:\Windows\SysWOW64\Geohklaa.exe
        
        C:\Windows\system32\Geohklaa.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3528
        
        C:\Windows\SysWOW64\Goglcahb.exe
        
        C:\Windows\system32\Goglcahb.exe
        38⤵
        Executes dropped EXE
        
        PID:3876
        
        C:\Windows\SysWOW64\Gfodeohd.exe
        
        C:\Windows\system32\Gfodeohd.exe
        39⤵
        Executes dropped EXE
        
        PID:4292
        
        C:\Windows\SysWOW64\Gbeejp32.exe
        
        C:\Windows\system32\Gbeejp32.exe
        40⤵
        Executes dropped EXE
        
        PID:1148
        
        C:\Windows\SysWOW64\Hipmfjee.exe
        
        C:\Windows\system32\Hipmfjee.exe
        41⤵
        Executes dropped EXE
        
        PID:5052
        
        C:\Windows\SysWOW64\Hlnjbedi.exe
        
        C:\Windows\system32\Hlnjbedi.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2212
        
        C:\Windows\SysWOW64\Hibjli32.exe
        
        C:\Windows\system32\Hibjli32.exe
        43⤵
        Executes dropped EXE
        
        PID:4516
        
        C:\Windows\SysWOW64\Hplbickp.exe
        
        C:\Windows\system32\Hplbickp.exe
        44⤵
        Executes dropped EXE
        
        PID:1976
        
        C:\Windows\SysWOW64\Hehkajig.exe
        
        C:\Windows\system32\Hehkajig.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2940
        
        C:\Windows\SysWOW64\Hmpcbhji.exe
        
        C:\Windows\system32\Hmpcbhji.exe
        46⤵
        Executes dropped EXE
        
        PID:3436
        
        C:\Windows\SysWOW64\Hblkjo32.exe
        
        C:\Windows\system32\Hblkjo32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1888
        
        C:\Windows\SysWOW64\Hifcgion.exe
        
        C:\Windows\system32\Hifcgion.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3980
        
        C:\Windows\SysWOW64\Hpqldc32.exe
        
        C:\Windows\system32\Hpqldc32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3836
        
        C:\Windows\SysWOW64\Hoclopne.exe
        
        C:\Windows\system32\Hoclopne.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2324
        
        C:\Windows\SysWOW64\Hiipmhmk.exe
        
        C:\Windows\system32\Hiipmhmk.exe
        51⤵
        Executes dropped EXE
        
        PID:1892
        
        C:\Windows\SysWOW64\Hoeieolb.exe
        
        C:\Windows\system32\Hoeieolb.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1608
        
        C:\Windows\SysWOW64\Ibaeen32.exe
        
        C:\Windows\system32\Ibaeen32.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4628
        
        C:\Windows\SysWOW64\Imgicgca.exe
        
        C:\Windows\system32\Imgicgca.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4120
        
        C:\Windows\SysWOW64\Ibcaknbi.exe
        
        C:\Windows\system32\Ibcaknbi.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Iebngial.exe
        
        C:\Windows\system32\Iebngial.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4824
        
        C:\Windows\SysWOW64\Illfdc32.exe
        
        C:\Windows\system32\Illfdc32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3144
        
        C:\Windows\SysWOW64\Ipgbdbqb.exe
        
        C:\Windows\system32\Ipgbdbqb.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2284
        
        C:\Windows\SysWOW64\Igajal32.exe
        
        C:\Windows\system32\Igajal32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:948
        
        C:\Windows\SysWOW64\Imkbnf32.exe
        
        C:\Windows\system32\Imkbnf32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3408
        
        C:\Windows\SysWOW64\Iomoenej.exe
        
        C:\Windows\system32\Iomoenej.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3012
        
        C:\Windows\SysWOW64\Iefgbh32.exe
        
        C:\Windows\system32\Iefgbh32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2008
        
        C:\Windows\SysWOW64\Imnocf32.exe
        
        C:\Windows\system32\Imnocf32.exe
        63⤵
        Executes dropped EXE
        
        PID:1920
        
        C:\Windows\SysWOW64\Ioolkncg.exe
        
        C:\Windows\system32\Ioolkncg.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1860
        
        C:\Windows\SysWOW64\Igfclkdj.exe
        
        C:\Windows\system32\Igfclkdj.exe
        65⤵
        Executes dropped EXE
        
        PID:3396
        
        C:\Windows\SysWOW64\Joahqn32.exe
        
        C:\Windows\system32\Joahqn32.exe
        66⤵
        Drops file in System32 directory
        
        PID:1648
        
        C:\Windows\SysWOW64\Jleijb32.exe
        
        C:\Windows\system32\Jleijb32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4792
        
        C:\Windows\SysWOW64\Jiiicf32.exe
        
        C:\Windows\system32\Jiiicf32.exe
        68⤵
        Modifies registry class
        
        PID:3724
        
        C:\Windows\SysWOW64\Jofalmmp.exe
        
        C:\Windows\system32\Jofalmmp.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4384
        
        C:\Windows\SysWOW64\Jpenfp32.exe
        
        C:\Windows\system32\Jpenfp32.exe
        70⤵
        Drops file in System32 directory
        
        PID:896
        
        C:\Windows\SysWOW64\Jinboekc.exe
        
        C:\Windows\system32\Jinboekc.exe
        71⤵
        Modifies registry class
        
        PID:3100
        
        C:\Windows\SysWOW64\Jedccfqg.exe
        
        C:\Windows\system32\Jedccfqg.exe
        72⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\Kpjgaoqm.exe
        
        C:\Windows\system32\Kpjgaoqm.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3660
        
        C:\Windows\SysWOW64\Koodbl32.exe
        
        C:\Windows\system32\Koodbl32.exe
        74⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3868
        
        C:\Windows\SysWOW64\Kjeiodek.exe
        
        C:\Windows\system32\Kjeiodek.exe
        75⤵
        Drops file in System32 directory
        
        PID:4884
        
        C:\Windows\SysWOW64\Kcmmhj32.exe
        
        C:\Windows\system32\Kcmmhj32.exe
        76⤵
        Modifies registry class
        
        PID:3728
        
        C:\Windows\SysWOW64\Kodnmkap.exe
        
        C:\Windows\system32\Kodnmkap.exe
        77⤵
        
        PID:684
        
        C:\Windows\SysWOW64\Kjjbjd32.exe
        
        C:\Windows\system32\Kjjbjd32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:844
        
        C:\Windows\SysWOW64\Kofkbk32.exe
        
        C:\Windows\system32\Kofkbk32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4204
        
        C:\Windows\SysWOW64\Kgnbdh32.exe
        
        C:\Windows\system32\Kgnbdh32.exe
        80⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\Lpfgmnfp.exe
        
        C:\Windows\system32\Lpfgmnfp.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:3924
        
        C:\Windows\SysWOW64\Lfbped32.exe
        
        C:\Windows\system32\Lfbped32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1220
        
        C:\Windows\SysWOW64\Lqhdbm32.exe
        
        C:\Windows\system32\Lqhdbm32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4012
        
        C:\Windows\SysWOW64\Lgbloglj.exe
        
        C:\Windows\system32\Lgbloglj.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2280
        
        C:\Windows\SysWOW64\Llodgnja.exe
        
        C:\Windows\system32\Llodgnja.exe
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Windows\SysWOW64\Ljceqb32.exe
        
        C:\Windows\system32\Ljceqb32.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:4512
        
        C:\Windows\SysWOW64\Lqmmmmph.exe
        
        C:\Windows\system32\Lqmmmmph.exe
        87⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\Lggejg32.exe
        
        C:\Windows\system32\Lggejg32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1328
        
        C:\Windows\SysWOW64\Ljeafb32.exe
        
        C:\Windows\system32\Ljeafb32.exe
        89⤵
        Drops file in System32 directory
        
        PID:4176
        
        C:\Windows\SysWOW64\Lgibpf32.exe
        
        C:\Windows\system32\Lgibpf32.exe
        90⤵
        Modifies registry class
        
        PID:4324
        
        C:\Windows\SysWOW64\Mqafhl32.exe
        
        C:\Windows\system32\Mqafhl32.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:4396
        
        C:\Windows\SysWOW64\Mgloefco.exe
        
        C:\Windows\system32\Mgloefco.exe
        92⤵
        Modifies registry class
        
        PID:2760
        
        C:\Windows\SysWOW64\Mfnoqc32.exe
        
        C:\Windows\system32\Mfnoqc32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3128
        
        C:\Windows\SysWOW64\Mqdcnl32.exe
        
        C:\Windows\system32\Mqdcnl32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4544
        
        C:\Windows\SysWOW64\Mgnlkfal.exe
        
        C:\Windows\system32\Mgnlkfal.exe
        95⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4704
        
        C:\Windows\SysWOW64\Mjlhgaqp.exe
        
        C:\Windows\system32\Mjlhgaqp.exe
        96⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\Mmkdcm32.exe
        
        C:\Windows\system32\Mmkdcm32.exe
        97⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\Mgphpe32.exe
        
        C:\Windows\system32\Mgphpe32.exe
        98⤵
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\Mmmqhl32.exe
        
        C:\Windows\system32\Mmmqhl32.exe
        99⤵
        Drops file in System32 directory
        
        PID:4964
        
        C:\Windows\SysWOW64\Mokmdh32.exe
        
        C:\Windows\system32\Mokmdh32.exe
        100⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1636
        
        C:\Windows\SysWOW64\Mfeeabda.exe
        
        C:\Windows\system32\Mfeeabda.exe
        101⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\Mmpmnl32.exe
        
        C:\Windows\system32\Mmpmnl32.exe
        102⤵
        Modifies registry class
        
        PID:4708
        
        C:\Windows\SysWOW64\Monjjgkb.exe
        
        C:\Windows\system32\Monjjgkb.exe
        103⤵
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Mfhbga32.exe
        
        C:\Windows\system32\Mfhbga32.exe
        104⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3080
        
        C:\Windows\SysWOW64\Nmbjcljl.exe
        
        C:\Windows\system32\Nmbjcljl.exe
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:4864
        
        C:\Windows\SysWOW64\Nqmfdj32.exe
        
        C:\Windows\system32\Nqmfdj32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1108
        
        C:\Windows\SysWOW64\Nfjola32.exe
        
        C:\Windows\system32\Nfjola32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\Nmdgikhi.exe
        
        C:\Windows\system32\Nmdgikhi.exe
        108⤵
        
        PID:748
        
        C:\Windows\SysWOW64\Nqpcjj32.exe
        
        C:\Windows\system32\Nqpcjj32.exe
        109⤵
        Modifies registry class
        
        PID:3616
        
        C:\Windows\SysWOW64\Ngjkfd32.exe
        
        C:\Windows\system32\Ngjkfd32.exe
        110⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\Nmfcok32.exe
        
        C:\Windows\system32\Nmfcok32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1840
        
        C:\Windows\SysWOW64\Npepkf32.exe
        
        C:\Windows\system32\Npepkf32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:700
        
        C:\Windows\SysWOW64\Nfohgqlg.exe
        
        C:\Windows\system32\Nfohgqlg.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3692
        
        C:\Windows\SysWOW64\Nnfpinmi.exe
        
        C:\Windows\system32\Nnfpinmi.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:212
        
        C:\Windows\SysWOW64\Nadleilm.exe
        
        C:\Windows\system32\Nadleilm.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4464
        
        C:\Windows\SysWOW64\Npgmpf32.exe
        
        C:\Windows\system32\Npgmpf32.exe
        116⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Nfaemp32.exe
        
        C:\Windows\system32\Nfaemp32.exe
        117⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\Ngqagcag.exe
        
        C:\Windows\system32\Ngqagcag.exe
        118⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\Nfcabp32.exe
        
        C:\Windows\system32\Nfcabp32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5272
        
        C:\Windows\SysWOW64\Omnjojpo.exe
        
        C:\Windows\system32\Omnjojpo.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Oplfkeob.exe
        
        C:\Windows\system32\Oplfkeob.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5360
        
        C:\Windows\SysWOW64\Ogcnmc32.exe
        
        C:\Windows\system32\Ogcnmc32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5408
        
        C:\Windows\SysWOW64\Oakbehfe.exe
        
        C:\Windows\system32\Oakbehfe.exe
        123⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5452
        
        C:\Windows\SysWOW64\Opnbae32.exe
        
        C:\Windows\system32\Opnbae32.exe
        124⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Ogekbb32.exe
        
        C:\Windows\system32\Ogekbb32.exe
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:5576
        
        C:\Windows\SysWOW64\Oclkgccf.exe
        
        C:\Windows\system32\Oclkgccf.exe
        126⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Onapdl32.exe
        
        C:\Windows\system32\Onapdl32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5672
        
        C:\Windows\SysWOW64\Opclldhj.exe
        
        C:\Windows\system32\Opclldhj.exe
        128⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\Ofmdio32.exe
        
        C:\Windows\system32\Ofmdio32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5764
        
        C:\Windows\SysWOW64\Ondljl32.exe
        
        C:\Windows\system32\Ondljl32.exe
        130⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5808
        
        C:\Windows\SysWOW64\Omgmeigd.exe
        
        C:\Windows\system32\Omgmeigd.exe
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:5852
        
        C:\Windows\SysWOW64\Pfoann32.exe
        
        C:\Windows\system32\Pfoann32.exe
        132⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\Pnfiplog.exe
        
        C:\Windows\system32\Pnfiplog.exe
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:5940
        
        C:\Windows\SysWOW64\Ppgegd32.exe
        
        C:\Windows\system32\Ppgegd32.exe
        134⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Pfandnla.exe
        
        C:\Windows\system32\Pfandnla.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6028
        
        C:\Windows\SysWOW64\Pagbaglh.exe
        
        C:\Windows\system32\Pagbaglh.exe
        136⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Pfdjinjo.exe
        
        C:\Windows\system32\Pfdjinjo.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6116
        
        C:\Windows\SysWOW64\Pnkbkk32.exe
        
        C:\Windows\system32\Pnkbkk32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3188
        
        C:\Windows\SysWOW64\Phcgcqab.exe
        
        C:\Windows\system32\Phcgcqab.exe
        139⤵
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Pnmopk32.exe
        
        C:\Windows\system32\Pnmopk32.exe
        140⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\Ppolhcnm.exe
        
        C:\Windows\system32\Ppolhcnm.exe
        141⤵
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        142⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\Pnplfj32.exe
        
        C:\Windows\system32\Pnplfj32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5496
        
        C:\Windows\SysWOW64\Ppahmb32.exe
        
        C:\Windows\system32\Ppahmb32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5620
        
        C:\Windows\SysWOW64\Pdmdnadc.exe
        
        C:\Windows\system32\Pdmdnadc.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5692
        
        C:\Windows\SysWOW64\Qfkqjmdg.exe
        
        C:\Windows\system32\Qfkqjmdg.exe
        146⤵
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Qobhkjdi.exe
        
        C:\Windows\system32\Qobhkjdi.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5864
        
        C:\Windows\SysWOW64\Qpcecb32.exe
        
        C:\Windows\system32\Qpcecb32.exe
        148⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\Qdoacabq.exe
        
        C:\Windows\system32\Qdoacabq.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6044
        
        C:\Windows\SysWOW64\Qfmmplad.exe
        
        C:\Windows\system32\Qfmmplad.exe
        150⤵
        System Location Discovery: System Language Discovery
        
        PID:5128
        
        C:\Windows\SysWOW64\Qmgelf32.exe
        
        C:\Windows\system32\Qmgelf32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5260
        
        C:\Windows\SysWOW64\Qpeahb32.exe
        
        C:\Windows\system32\Qpeahb32.exe
        152⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Qdaniq32.exe
        
        C:\Windows\system32\Qdaniq32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5664
        
        C:\Windows\SysWOW64\Afpjel32.exe
        
        C:\Windows\system32\Afpjel32.exe
        154⤵
        Modifies registry class
        
        PID:5860
        
        C:\Windows\SysWOW64\Aogbfi32.exe
        
        C:\Windows\system32\Aogbfi32.exe
        155⤵
        System Location Discovery: System Language Discovery
        
        PID:5996
        
        C:\Windows\SysWOW64\Amjbbfgo.exe
        
        C:\Windows\system32\Amjbbfgo.exe
        156⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5156
        
        C:\Windows\SysWOW64\Aphnnafb.exe
        
        C:\Windows\system32\Aphnnafb.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5400
        
        C:\Windows\SysWOW64\Adcjop32.exe
        
        C:\Windows\system32\Adcjop32.exe
        158⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\Afbgkl32.exe
        
        C:\Windows\system32\Afbgkl32.exe
        159⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Aoioli32.exe
        
        C:\Windows\system32\Aoioli32.exe
        160⤵
        System Location Discovery: System Language Discovery
        
        PID:5404
        
        C:\Windows\SysWOW64\Aagkhd32.exe
        
        C:\Windows\system32\Aagkhd32.exe
        161⤵
        Modifies registry class
        
        PID:6128
        
        C:\Windows\SysWOW64\Adfgdpmi.exe
        
        C:\Windows\system32\Adfgdpmi.exe
        162⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\Agdcpkll.exe
        
        C:\Windows\system32\Agdcpkll.exe
        163⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Aajhndkb.exe
        
        C:\Windows\system32\Aajhndkb.exe
        164⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6168
        
        C:\Windows\SysWOW64\Ahdpjn32.exe
        
        C:\Windows\system32\Ahdpjn32.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6212
        
        C:\Windows\SysWOW64\Aaldccip.exe
        
        C:\Windows\system32\Aaldccip.exe
        166⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\Aopemh32.exe
        
        C:\Windows\system32\Aopemh32.exe
        167⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\Bkgeainn.exe
        
        C:\Windows\system32\Bkgeainn.exe
        168⤵
        Drops file in System32 directory
        
        PID:6348
        
        C:\Windows\SysWOW64\Bmeandma.exe
        
        C:\Windows\system32\Bmeandma.exe
        169⤵
        
        PID:6392
        
        C:\Windows\SysWOW64\Bhkfkmmg.exe
        
        C:\Windows\system32\Bhkfkmmg.exe
        170⤵
        Drops file in System32 directory
        
        PID:6436
        
        C:\Windows\SysWOW64\Bkibgh32.exe
        
        C:\Windows\system32\Bkibgh32.exe
        171⤵
        System Location Discovery: System Language Discovery
        
        PID:6484
        
        C:\Windows\SysWOW64\Bacjdbch.exe
        
        C:\Windows\system32\Bacjdbch.exe
        172⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\Bdagpnbk.exe
        
        C:\Windows\system32\Bdagpnbk.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6576
        
        C:\Windows\SysWOW64\Bmjkic32.exe
        
        C:\Windows\system32\Bmjkic32.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6620
        
        C:\Windows\SysWOW64\Bgbpaipl.exe
        
        C:\Windows\system32\Bgbpaipl.exe
        175⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6664
        
        C:\Windows\SysWOW64\Bdfpkm32.exe
        
        C:\Windows\system32\Bdfpkm32.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6712
        
        C:\Windows\SysWOW64\Boldhf32.exe
        
        C:\Windows\system32\Boldhf32.exe
        177⤵
        Drops file in System32 directory
        
        PID:6760
        
        C:\Windows\SysWOW64\Bajqda32.exe
        
        C:\Windows\system32\Bajqda32.exe
        178⤵
        Drops file in System32 directory
        
        PID:6804
        
        C:\Windows\SysWOW64\Cdimqm32.exe
        
        C:\Windows\system32\Cdimqm32.exe
        179⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6848
        
        C:\Windows\SysWOW64\Chdialdl.exe
        
        C:\Windows\system32\Chdialdl.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6892
        
        C:\Windows\SysWOW64\Ckbemgcp.exe
        
        C:\Windows\system32\Ckbemgcp.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6936
        
        C:\Windows\SysWOW64\Conanfli.exe
        
        C:\Windows\system32\Conanfli.exe
        182⤵
        Drops file in System32 directory
        
        PID:6988
        
        C:\Windows\SysWOW64\Cammjakm.exe
        
        C:\Windows\system32\Cammjakm.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7044
        
        C:\Windows\SysWOW64\Cgifbhid.exe
        
        C:\Windows\system32\Cgifbhid.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7104
        
        C:\Windows\SysWOW64\Coqncejg.exe
        
        C:\Windows\system32\Coqncejg.exe
        185⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7148
        
        C:\Windows\SysWOW64\Chiblk32.exe
        
        C:\Windows\system32\Chiblk32.exe
        186⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\Ckgohf32.exe
        
        C:\Windows\system32\Ckgohf32.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6268
        
        C:\Windows\SysWOW64\Cpdgqmnb.exe
        
        C:\Windows\system32\Cpdgqmnb.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6336
        
        C:\Windows\SysWOW64\Chkobkod.exe
        
        C:\Windows\system32\Chkobkod.exe
        189⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6408
        
        C:\Windows\SysWOW64\Ckjknfnh.exe
        
        C:\Windows\system32\Ckjknfnh.exe
        190⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\Cpfcfmlp.exe
        
        C:\Windows\system32\Cpfcfmlp.exe
        191⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\Chnlgjlb.exe
        
        C:\Windows\system32\Chnlgjlb.exe
        192⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\Dafppp32.exe
        
        C:\Windows\system32\Dafppp32.exe
        193⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6708
        
        C:\Windows\SysWOW64\Dhphmj32.exe
        
        C:\Windows\system32\Dhphmj32.exe
        194⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\Dpkmal32.exe
        
        C:\Windows\system32\Dpkmal32.exe
        195⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6796
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        196⤵
        System Location Discovery: System Language Discovery
        
        PID:6876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6876 -s 212
        197⤵
        Program crash
        
        PID:7116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 6876 -ip 6876
1⤵
PID:6996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Angdnk32.dll

Filesize
7KB

MD5
5d0a5c68e0c1801c1205d7135bed7798

SHA1
8ebec0d7bd7017b8a1ece0bb79a6415e6a32d448

SHA256
394c5ab2456659c6d94b4f4d30811998eff8582e8612570f7d349b5399ad298c

SHA512
045b136ebbcf1ad4d695aa0d7614ab715f458f2b69d608e265e8576447e02bf804c5f7222442d7d21b4b42a50af7e66593ee8117a98011e391c783425b616aab

Download Submit
C:\Windows\SysWOW64\Aopemh32.exe

Filesize
72KB

MD5
3a139eaf72e2d44171e7bed138ad43a5

SHA1
183032f2bb8a16654b3967535b3cfc9e1322fde8

SHA256
6710f50ffdb64481ea254543e8c7afa25dee2a3defd5755f51f092e8f3bb70c0

SHA512
21efdf60e9a23740289f0563ebd24ca38b7df8199f761c02c3ef7719f0fd6048c99f212ba52c6e4851ba0d33f662ee0108e7d345551c7b74ba561e349ac115f4

Download Submit
C:\Windows\SysWOW64\Bacjdbch.exe

Filesize
72KB

MD5
8fe1997ed40faacf51d5de4d8169efca

SHA1
3a0fcf14b7fb839b9b19186a41969952d19c3a99

SHA256
babba54fe8003a7419bcc7ac1dfa359ac5152fc5f2367618ac76857d51027eac

SHA512
9e3dc72c7a0d4219580ab92a8ae97cb4322a91c2a0ef111599e55f3104f369aa46c77ec7b28c14e3826357700c41a7d9e84a3c994546fdd0c7dbbf8fd923d2ff

Download Submit
C:\Windows\SysWOW64\Bgbpaipl.exe

Filesize
72KB

MD5
20e3e37c4e9774dc551682a1dc492d46

SHA1
af9a6df91136269f25affc5efd4ce5417acb30a2

SHA256
611912443aab4cd4c626c3e026ba9f14ba75b6e37a6e8b50b80a502b41998db5

SHA512
396f85a335ee001fb92631d8e664076abcc7922350c97737b9475e08fa6ac2923f72f42f4ad1ded9c98ffa47918efdb8c6b84c96124fe76985501437c74666ae

Download Submit
C:\Windows\SysWOW64\Boldhf32.exe

Filesize
72KB

MD5
9eced21a09efb293f810442ad3a2caf3

SHA1
e9aae13709e03d95a067d9ae7adacbbdf5e4cb77

SHA256
7317b9c8e6d6b86caaa38bfb84326e48646677eb7f0ec14114029589269402d5

SHA512
06cdebb283ce970e7a33007e42e1182384120d7f1374298a197e02a5e54a2e26724d624d6ae882a0665fb6b3bb5eb6933fac766a5e11ff02d88278720ec2ec2d

Download Submit
C:\Windows\SysWOW64\Chiblk32.exe

Filesize
72KB

MD5
40b6440cd5accb392ef0ce624422db41

SHA1
f9be1a5afb668cd3293fa92d621ebdfe39829487

SHA256
6abfdf294579fd54065771222a24dc48053c74e3d53e144bce1b83b85d4b6782

SHA512
b7d20d601b1072179bed80dd413d900550d660875cd7c863866b351f7d42b37b1b1cfe408170e3ea8a47fa684160acae5a68a7ac684679a0b2896c6f4e7c44f9

Download Submit
C:\Windows\SysWOW64\Chqogq32.exe

Filesize
72KB

MD5
1afe4733e31b549125bcfe796b8313c6

SHA1
c3399478c232ae1779ebfc680fb226cef3f58146

SHA256
3f027cb6d45cb76d07d943ccc3ab19bfe9b839eacdbacb1c8bc3a11ee977a48d

SHA512
e12c80fe89414c20451c6a419e8b45dcca37946f4efeb4b75052541e3224c0ccc1848c280c2f4974679be200603ae4c72322dfa73860fc6227a385a2d9babe3b

Download Submit
C:\Windows\SysWOW64\Cnkkjh32.exe

Filesize
72KB

MD5
52f175f486a42a1f48164e508fb4a1ac

SHA1
4790a066c15edd9f82a3983a7bcfe620469ede24

SHA256
db1e57aa30c527884646f3b1b970dd13f7aeac0aebe115c355628f930c8bf25e

SHA512
0c32c4d14edca842d703108260aa6f74064ef5efbd9b077a15ff72ed1c15b6192bcb869c236c55345c3d385171bc9f56478829c69ba2f5a3849b98ef61604f04

Download Submit
C:\Windows\SysWOW64\Dbnmke32.exe

Filesize
72KB

MD5
0853e68f197a96c4161ed10e47037fa9

SHA1
2f306cc6d65e893c5abc060037e0e8567dad107f

SHA256
f14e970d6a7a8d79a34db332ea4f89962f59da7675d8e1a0fcb9e9b73d3cbb95

SHA512
4c2303a786a0665fb034ff08799b48629f180a81d940c79135798f1fc5f8767a5277e5e67ca0399aaafe1c1fb52b2712d5c409bf4ccbced0214d9dbd7fd04d4c

Download Submit
C:\Windows\SysWOW64\Dbpjaeoc.exe

Filesize
72KB

MD5
bf6b5d46cc1b9b9402fb8e241ed040ad

SHA1
c8df7b8332b185c59eedbe11ec9a4c5594b664b0

SHA256
f2af9394239d77f09ad8deea668eddcbc8f9977aa5aee3fc7c2f75f39962ab3b

SHA512
e85061eb8867ebcf8917602a70f938ba8f3300a1bc8b82cc9eb001d2531be9f097e3f4f0fb81e84bfa04d72901739840e1b2299ad2a1f4e6bb4482b16888fa4f

Download Submit
C:\Windows\SysWOW64\Ddgplado.exe

Filesize
72KB

MD5
53a7a701983609602db8087fd53e7240

SHA1
76c56bd846d52f115c0a0ebfb0499d203134dc8b

SHA256
7a4853cb0f6950ee4f454ba3797bd24c78ceb19ba7baf0c17647dea629e2b840

SHA512
94c066479e7ed730b9a25c34f65ec7af63fc1df081a51d3f56766cd3ac3fcdc34130f1bc32c4694c92e09245a11db6573c1146e790ee06ee104b98859dba4a8f

Download Submit
C:\Windows\SysWOW64\Dfglfdkb.exe

Filesize
72KB

MD5
b0e1be8548de34b0f374ce97ad674c0b

SHA1
c1b27ab6f6d108151bb396908f64a7b10bd22928

SHA256
9cfa42d4676d81c7578f9fc9e3c7423b681fee51652622f654e0f5c265e9b12f

SHA512
02925b89351adaa2a4a3b306658146c12af0f0aef0aea03c719e0b8431a2d8cce304a6a63109f7123cc4cfeb86a7001b80d06d8a28f51ff809b42bd066aa96b7

Download Submit
C:\Windows\SysWOW64\Dfnbgc32.exe

Filesize
72KB

MD5
833f38b9ce4f3710d7a58b1dcfe1b2d4

SHA1
7488a1feea1c9058146ebd2823dcf409f28deed9

SHA256
afcb5770235bc4b774c35c1b9d791338a6fcff0b896756a96b678b95acc7c3f9

SHA512
861f86ecf52218592d2ae4463a285a297201029be9bc0aae1d1e10052b49183c5a9cd2ac7f2fd40416059071167c4645ad52c6c5261c867bacfd562748ab9e91

Download Submit
C:\Windows\SysWOW64\Dheibpje.exe

Filesize
72KB

MD5
84d945a731e0b43e6193b816e85a8bc7

SHA1
8429fb86fcb539aea067b4f57a49b6a3c33a7376

SHA256
c6aab23b8e2025bab856f6294c9b9080b8982c8f37c8c567e06506bf179352ad

SHA512
0e3b0e7097678aad900abf180e15de7280c018e5a73f01ed49347eaeceaf0c80e2d223df6e68e23ea19aa3e24943602347a9c089a628eccd13c4d448f2408fd3

Download Submit
C:\Windows\SysWOW64\Dhphmj32.exe

Filesize
72KB

MD5
93708774369b1737d43cf54a0ec27f40

SHA1
1ab80896bcd2c644d209122e484f38fe1b91e8ae

SHA256
c6c3c9b2b25a67fd6c5420978100e7ea4d25725e8c56c6ab6c754ce1e55b73f9

SHA512
d86d20d5879b32ceff3ceac8d3eaa0e1f06d4e91e8d4b3c3d0e59b0dfe3d956721b00686a9d82c9a7e7cd0446760b2e5150a3d3dc867b527cff41d1c0e490152

Download Submit
C:\Windows\SysWOW64\Digehphc.exe

Filesize
72KB

MD5
3033909af7cd9e59a4870373e5b10ae4

SHA1
20f7718d74a38dc03179a6915808ef78519f590f

SHA256
d1f8953fa4a0c0ac4b94c6edbbb32f49cd6bf41bb002e569adb1d3d985dd8386

SHA512
386e26b1c9a7d6b51bb4567c209a382f34c307dead51bfde592d2bb02847160a5ae8b7239d73bafd30d65bf44abc90f376c685943d954144a54154d2a82294d9

Download Submit
C:\Windows\SysWOW64\Dijbno32.exe

Filesize
72KB

MD5
26ff27e0e6333d94f92a528b6de8c910

SHA1
0353bcba684d4cfaf1dd6d572b2bf7a399f5e8ea

SHA256
27fdc4ab059de870e10403cf01e5f609d5bfb2bcc81ccc88c671d5422f419b88

SHA512
56c0ff4e65d85a222bcd249624b8df46e4aee72187b166b1cf1bb8f7b33a0cd6179192207f9eedd527bf5ea51966f0adc344ad22268b30d679046b66811b93c1

Download Submit
C:\Windows\SysWOW64\Dmcain32.exe

Filesize
72KB

MD5
bd345a4882eec94066f5c52d88e11c0c

SHA1
e88cbf62a3108198699c67dc47d2ce5109f1ce2f

SHA256
d2374f53c1fe859a90bbace8e3a87e22f9c8f71650da7ec2313c7cf263328f36

SHA512
3423ebdba055eab402fb4c1974688821799184ac3a1da9f6eabecf4c31ee6577effceb135813fbf38716454c4ef0cbccf7ddc9606cefa75b1cc0e4894345e5be

Download Submit
C:\Windows\SysWOW64\Dngjff32.exe

Filesize
72KB

MD5
fff4dbf138056138fe8cb5c77254d110

SHA1
f7ee8436193b7a97bb50059cf614819cbb326efa

SHA256
bc6d5c3f05984e2797710923d93f31b5a057b259b2e21edde13b94c70599ce78

SHA512
959dea443fc45fc4ece175d7f6094137df7a52e1872f71d8bd05ae0f0f8d3303948cba7a2f5d76097df8dc7e109e8345134a80dbac35709e559926e1e555bcca

Download Submit
C:\Windows\SysWOW64\Dnmhpg32.exe

Filesize
72KB

MD5
e1fb004105d9bd0ca8eb58a9b4728a3b

SHA1
ad6712c7be10bd376ba64b0c79e2a985c8180ea7

SHA256
7564f81bfb1731c7f7c9ef6615366144ee01fb7b9f40de3fbe45ead26342d71c

SHA512
29357ed7fe690c4e5b0f7fd91c12b16ad7553fd02ae137b2ab10d9eae66abd4e5ca8dc7b53e64165bdba010b9701ad441ccf15fd01368048efb024cc73b5d320

Download Submit
C:\Windows\SysWOW64\Domdjj32.exe

Filesize
72KB

MD5
e60b429b1d667cc8a92721d28f8243f4

SHA1
2a5de84a5718f64bf2c3172543b167bb1b23877f

SHA256
2d2b0e3f9afc9aade33e0c8152bf74c04d1f3a209450f1e5e1755158ec5d4ddb

SHA512
f9c61af298602e29e21e74fc1b1de6ec6db56ccdf9bf0b781baff66b7dace6b98585b86ea5c338661a993c2f9ef424ab21de079e3199751fddce540d0b9ed220

Download Submit
C:\Windows\SysWOW64\Eejeiocj.exe

Filesize
72KB

MD5
ea2dab20a7ede30e9b021cd77509fc00

SHA1
75240d1943dabc848cf9c4244a2ade22031f3ddd

SHA256
4047a372ec3cee28e36e5ef5a6ade85b70bb210f56dcbfe669abbabfb15dc84f

SHA512
5cb80a4a84c2efb3c89c50656c5a0205208aff1d6df05fd98e646c5b0069c56a4dac602c0007a2b5f14c4cd00f35d7ca4cf77fd93435ba6f6023b1f9ff2b2690

Download Submit
C:\Windows\SysWOW64\Eiahnnph.exe

Filesize
72KB

MD5
cc16c90acc0264749550b47a3f244b84

SHA1
4fef6a47e649df27ac1860803c8fa29e4cc2756f

SHA256
703f05869a0e6a0a362ce7ed768d10d9eccd83347f7f2a63b9a516ece6ed0764

SHA512
252a7b66c8ffa1c03324202b1b68170f7520043a8dd3b308b686542c225d6b37d262e79cd8fa3fe5caacaad09ba8dd539d3639e408a3a6e4267847e2ca97cd09

Download Submit
C:\Windows\SysWOW64\Eiloco32.exe

Filesize
72KB

MD5
3655119b44b51f8c4926a5fb1dfcb449

SHA1
2698b0eebf3aab6f6582c1c8b0b18f3449174e50

SHA256
fe32e7211f75074f86f37a2cff70d3eb73d14cb969f9723d049cb73fa874de16

SHA512
6ab23272a4db9bcacb739f6beffcfb68fcf3d8ae746b195311e7d7e386eb9b39a198b714be8a4a890040a4ac1c4bf26ae506bb2dc1796fc716a0aafd15bd05d1

Download Submit
C:\Windows\SysWOW64\Eiokinbk.exe

Filesize
72KB

MD5
eea8e07783692287cc066ad90d481960

SHA1
2b8ee633ec5ea48e64efe14722b55f233b508503

SHA256
992a52489e867a3da9f4ea6fc579c890086c2208c6037ec7b4b7d2c33a5271c0

SHA512
62e5188376f8d766d609a263f51406d2f4a063f33266dbbce7220370a56dab7d7756f2938011c4782140d8dd00e4685b010978924fb1ec2226d5aae5e2126a23

Download Submit
C:\Windows\SysWOW64\Ekaapi32.exe

Filesize
72KB

MD5
df66fc1cc7383706bde5b7ebaebf738e

SHA1
75e6b081863e2755b06261ddc8ee9530b6af96e6

SHA256
0d802d223202ea80c04edd408ded1dae1032a1ad6d94d2fe8b9a5af1ec0d35c7

SHA512
b7457df0c3d1844265ddfa48c54193f9d966c0671b0a4cc2934baf77cce4aeb511cba89fec54fdb7df8cfe7bb63c8c18d7cf7372bf51c227d692b47f401edce3

Download Submit
C:\Windows\SysWOW64\Ekdnei32.exe

Filesize
72KB

MD5
a9a29e14f3c61648b80c3234ee4bfd96

SHA1
3ced0f23f491ceba817497840e85283a017278bd

SHA256
d177f1715aacb8b5feb1d9f43b7899ebd3e18132f4be56f455bb9fb72e7b78f1

SHA512
66514f3210b2fd9348645c2ccb35494d7abf123324e2df5e63d749b80b67d16163a91b1811d65a7171cfe65e8e3273d8cd5bd86b4ae4b8623852bd4e783ace02

Download Submit
C:\Windows\SysWOW64\Enigke32.exe

Filesize
72KB

MD5
227d88de4ee472d7847aea3053b82c2b

SHA1
f839a7185c01ddecb2dc7dea6576b42b337f83e9

SHA256
a47b109d2520a4cd5e78a187820d85b70eb685cdcb50265df43a1bac36a752b1

SHA512
4fc42b3551bdcaafbaffb41b49b59384e29864590b749347d0a485a66cc7be98679979c5ad14e0fc47f41fd05441cb64481b8c0458869549c698bc04dd567f67

Download Submit
C:\Windows\SysWOW64\Enkdaepb.exe

Filesize
72KB

MD5
d0b7c65a4f9ab040b6d056dce75e6aae

SHA1
3e50322baffd9013666c3a68f4f23cbd6fe78fd5

SHA256
e09090f37cd227ea56e97216602b8b7783fbefb7539577f8f2ba913a5992439d

SHA512
6fe1d35e8682cae9ae3056242c735f3198cd32c162a5f8829ae2808a41be9069379df2429eb689f4562d067d6a9e86a687d473ad82a7acca530e398b12643f7d

Download Submit
C:\Windows\SysWOW64\Ennqfenp.exe

Filesize
72KB

MD5
6c3f71c2021859fe9faae2daa4f1b2e1

SHA1
dbe8e968c8cba90c2826314e04415e5c0419717f

SHA256
0a61ac2b002782ee7f646fa64240136dbfe0e613856538102fcb35c7ee98ea6c

SHA512
9b3e135261cf9d8e9222c2ac8af49feafb83b06260144902572b7ef00a088a2f2452b7f9177f77c35b9c252fb1a19daea43ff3eb0d2d56d201851989e9531251

Download Submit
C:\Windows\SysWOW64\Fefedmil.exe

Filesize
72KB

MD5
a42d1c52cc8c68d8f62c08c0261c76f5

SHA1
d1f5dc79176709c2e46bc1b4ebe440c245981951

SHA256
824cac4d0318ec1fc531ec7c217f9c1400769e967058ce02cb8da37d3fd1a50b

SHA512
8fee07753da9bc6d217f009694b73fefdc60ecb2249f83d0820939db9868e912ac6958f5b12ecbb41fdbd0d92e7492ecd87bc10354192bff07b780f5a4017ce5

Download Submit
C:\Windows\SysWOW64\Felbnn32.exe

Filesize
72KB

MD5
acc93aab7cb18fb11e51ee9b8000b52f

SHA1
484c9fd1f51bb8911f1d6bae9aede4b7f25f48b1

SHA256
846d62811039a23be38957b36b9844a2f1e44161ecf26dd98f9a1a334cd4d9f4

SHA512
616cc79440fac0ea207869cc60edf3602e66d2c245dc9b1629719c13cccfd4d21c64ff977b6ddfd605e36559bc5fb710451af7acd7415cdfb6e3fec1af2674c9

Download Submit
C:\Windows\SysWOW64\Fflohaij.exe

Filesize
64KB

MD5
9cbb49f15a04f1d2c722110a6966489e

SHA1
9e4be26d1c4914a9f848e37e8d4a118b0c1580ad

SHA256
a590c0bced79ea1437de3e57e12628b77593e1d21a71f8280b0ee4c6b19cfc3a

SHA512
698211914b4a97ac802842bf5554bf9bed3441aabf3ed9eda81c222562e95076e9df0c7229183e29ad45079c5342dbc7c5f8880e7b1dcd854f96cc0f6dc4a47d

Download Submit
C:\Windows\SysWOW64\Fflohaij.exe

Filesize
72KB

MD5
7cf06e9aa5e2322e37c0212c9b37af38

SHA1
db75e9a99b1d19970fe660b0fde9694d758fe4c4

SHA256
826d2cc4a023bcf4718f2babac7c64a5305353681171efe78bc98bbff49f2123

SHA512
e281b113d63679632ec8bc5c37b7b9b830087dbacecf656a5904111bc49ec7763901895cc9db7985add4a22d024a7ecb51b4bd67064c419522cd01daaf1d7c52

Download Submit
C:\Windows\SysWOW64\Fimhjl32.exe

Filesize
72KB

MD5
468931adc78c1246f93dde363904a149

SHA1
357eebeb760a45174c04a3fd577ea99ea8d743b2

SHA256
1c34f52ae046d785e90dbb4c8eac98369a04f9276ed52ad9149a85ac9782c026

SHA512
10c63722eb2cee62b5c31907c57d9bfad044cff36bac73aa9852e4fc852f41207f52372306bd461ef8b38cb14888fe2ea7c6dd5e584013306e7c62712e5f116e

Download Submit
C:\Windows\SysWOW64\Flmqlg32.exe

Filesize
72KB

MD5
feb39809a8ed7c205717e8dbc3a8484a

SHA1
eb5416d74ed84af1889f6fc1c9c0f60689247f9d

SHA256
17683c9c31b4bb57470a73884315c62cd5ed272562f1ffdba21076324efb205a

SHA512
04bc844b03110b3cfe387d280d08d644404d0b411f41399cf95f59ff2e3be2abc4a3a6bf132e0c6ef2af4f98e97ee217be5449d98b4bc416ec4577e0bacaa3b2

Download Submit
C:\Windows\SysWOW64\Fngcmcfe.exe

Filesize
72KB

MD5
7ff103aab623428f83ee95cea0862e72

SHA1
a64c435d60b701bda8d45d7c74777e5d332851a5

SHA256
ea7e3caf70762b081657eb5d039d8763c28f338260296bc00ed590dc46f2027e

SHA512
082951f908dd8612a98d4165c8712193e36a331334c5fac31db924045d5676cf9d4a4be4b9dac039e2fe1433d1ac8e8f528ae4c95799eec4a98dfd982d865b47

Download Submit
C:\Windows\SysWOW64\Fpkibf32.exe

Filesize
72KB

MD5
71ad5148f0a69a67f6578c2b501100af

SHA1
20ce8020c87dfe189d90909da6497cf982befd07

SHA256
69b217a05833962fe0a1df86fd669ed80f6ff69f11892e1a0b650e8da0eede87

SHA512
0f869167ea12114bbb29086f581013173791636a6459e1efcb803bfcbc5f3b2e7e1825c866c89358ab2d9cd62a453c23c7f8948eeb88667f19d371e41392b03b

Download Submit
C:\Windows\SysWOW64\Gehbjm32.exe

Filesize
72KB

MD5
182a3c0477f68e79afa95b3dfa3f0d51

SHA1
3d1af1a60e0eb7e25166327dc39fb840a7b6a327

SHA256
1e689cbc5a2f845ed4c16b9ef5d799f2668723cc462cd25c2916ceb4e76b1198

SHA512
32a4a9bac60d68b61c8c411cdd49dca4e378111e86941932f94b21419ca09a90c5ad8a0ded2587e22c2909aadc906b009eae539ba213921830dc11877ef1cac9

Download Submit
C:\Windows\SysWOW64\Glbjggof.exe

Filesize
72KB

MD5
9a2bb633e04341f16973f3dfeb3ce245

SHA1
764a2c772aaf1267ee5553582841a25425e83ca6

SHA256
c0bd55720f0d9ede8040b216b60174f4d0fc33489631059caa3cbda7643c5337

SHA512
857845a425251f96ea7b830529360a3cbb1b551afe284bbc1eb03e07ddba387e809ffdad72f860e60d0c5acae6cacd46c7c48bbc9e697d4efd8d31a704dd7d74

Download Submit
C:\Windows\SysWOW64\Hblkjo32.exe

Filesize
72KB

MD5
5a6a9cad7cc2867ebe3f0166633cc801

SHA1
a49dbae52013896fc458c78cd15f6aad7f4fa25c

SHA256
1636aa9aa4344b3d84ada4bccff2ab5cadb00d6b97e44a1708f3d092f1876729

SHA512
a0c38f16045fda2da88c1138c79a62beef656ccc6f80edd51de3096dc16cbc1dcf640a266076e190506e52d80ed4668f8003532a73de04856cb5754def2d78e5

Download Submit
C:\Windows\SysWOW64\Ioolkncg.exe

Filesize
72KB

MD5
2ac71453487cb48250b860242e974f18

SHA1
3a96186fa023fefc1e4f9b6eed473fefe2d4f81f

SHA256
04ce6757b1858fd11d247c11a28cb7dc579b2606dbb290e2495c6cee0b5dce87

SHA512
164f663e0b666ad68ab15655a018849a1b4a47623b2ed06ba688f907cd1fa5c5bb6e2a8761f11d6dd2b8c2aac53e77c9903a53e19fc2a3150b73b7c58ef16c2f

Download Submit
C:\Windows\SysWOW64\Jedccfqg.exe

Filesize
72KB

MD5
932bdd9aed01a38a2e12365e6874fcb9

SHA1
c498425ae9cbf080660b25eab67ac81f28f72e45

SHA256
e9220c4c297819719a7b38c19eb9dbe03f2741e50c986b3132e55ef0e837231c

SHA512
49ec7e4586402b5b41bbe140cd8012fdca1f9c8547fb6ce4769e261f987858126a22020c8a4027cd84399ce9b15f7de6b7ffaadeac4b08952cf44c197a1baef8

Download Submit
C:\Windows\SysWOW64\Jpenfp32.exe

Filesize
72KB

MD5
7c39e26af472306ba75868868437af78

SHA1
cca3516b93502951089f08002c6c880c5e3d22fc

SHA256
f661a2137d40e3f499de686a817bd517c549407c5743da960b7cfe7295cab211

SHA512
04dd0ed8c2f77273eeb569b427cc28812f5fe009a29b57bcc364ec4671aa1ec3531c240f380bb43cb30912c9c623e3c455132c1023d283ca02087976b1221f09

Download Submit
C:\Windows\SysWOW64\Kodnmkap.exe

Filesize
72KB

MD5
6b29df101fef2d94b108f79078c361de

SHA1
dea8108391c59836b3fa7d78bb4bc0adf3ac4d87

SHA256
4f400e9a3d43f11acbf19fc54581c18c22d67dc750c36526805970a23713760b

SHA512
1c472c2d4f3b100866680ead2fb540dfa15163002c8810838c06369ffd1f5d6b7c49fb2531a906c22e1581a05250d7500ea51f06062d437a3a3a160dc6f4fe51

Download Submit
C:\Windows\SysWOW64\Lggejg32.exe

Filesize
72KB

MD5
50cbd049e8462015f5846558b294ae45

SHA1
d016fc42ef254612adceafb59889ffa55bbb5127

SHA256
2bda9d1b291b6a8eaeb73f956ceae10d38fe96e7e119bedac3f683e487389bfd

SHA512
26c6d3bff9eb874d711cba52b38c5e379d03322e0e344e97a1f0906f844a31af2e3322d3ff05e8887eb0ab79131b77fbb61d1022072f65b0524c7103773dbc92

Download Submit
C:\Windows\SysWOW64\Llodgnja.exe

Filesize
72KB

MD5
ba3f0c8711837a4a994083297077e3be

SHA1
7944d6abc885eb22e0288c9330dff44198e122ba

SHA256
9179eb3bf1870ef8cd1676cf30ea7ad2136d2e2589775fc0c5ab779a33f96db1

SHA512
7311d21c73266c115f2df9dd095d1a5e3279e1cbb661bbc656aa784f645034f1727b6bfc58e7b283e71ab8d68973685cd348fa3e1c0c31bb50e037a3544e348e

Download Submit
C:\Windows\SysWOW64\Lpfgmnfp.exe

Filesize
72KB

MD5
67a174ab7ffe8979e2cab272e91be7ce

SHA1
f4ef173a02cfd8eba03678fe040c0dbf72d0a412

SHA256
43b9bd4fc0d60248b17c40ec1cbea6016040159dab9bcd31fea3ae767076e12b

SHA512
5e4ae9feb91aa83224195378769e3065cb8f6eed825727bb7296ae83a6a5ac41e6836bc203e7c119230bf97a841f60e0eb4e2ef8b3a948117b825cfcfd74a7a4

Download Submit
C:\Windows\SysWOW64\Lqhdbm32.exe

Filesize
72KB

MD5
fbe0ffa00df2db6ad9acf39b0ee6a075

SHA1
18234e94fd192bd768ca3f5dce02db5b68d56ce0

SHA256
4dcf5ac817b480c13b5028e7b34a9258d416563f94bc8d2d7e95cad57dcf9785

SHA512
b9e3c9d1a16d73a10035708d583303084b919aab9820cfc76073b2452f9de47585b44c49501c6e1f760b64f2ebb67e9c4dc626897f418d7391211ef67afe95af

Download Submit
C:\Windows\SysWOW64\Mmmqhl32.exe

Filesize
72KB

MD5
470f0fc3e0d7dcd3145c3d8978f858e6

SHA1
bca50d00b89c025df0640dbb39c9d70f549a6c66

SHA256
e26c906d8f84e3abb005d48c35f521d899f08d9ec3a0d23be87ca55ce7c3e700

SHA512
8206a57c096de304aae1ee990ceca77ea1cd466ef4168c1ab6b9fa3d7c5231c8da612148412de63f132c4f98e693bacb0a99b8e87ca55ceeeaa14c3e55fd2ca9

Download Submit
C:\Windows\SysWOW64\Mqafhl32.exe

Filesize
72KB

MD5
15ba854b006ba90cb4e63456cf1d6da9

SHA1
4f53da1eb60a2a8f0a0e1d7b40bf6ab53b02b388

SHA256
75d67734f068692f677d6ec6983be28278d46935a868e7dd21f884beaa647139

SHA512
749584597e900ea5f5909773ab7b1d5cd81f6edf8107a94e263b92dd3a5114ec795d2b6a29f4ee0974fddbd6e53cb3fd79d6cf626a369bf0c6aa74704abe43f6

Download Submit
C:\Windows\SysWOW64\Mqdcnl32.exe

Filesize
72KB

MD5
f85a0e4689808b528a705a78890930b3

SHA1
4b06f942f667be34de43663ca7fad0d57c6df933

SHA256
ef9dd3cc867b9c844bf9eeb4ab77885b7972a8d380bd8ced4f1f2777bc5a8cd0

SHA512
5987e0dac30368d182fc8f4650233f1c70424071dc3acb937b4f9222e52ee90c379d9f023a849e02c461ab7ab3cb1cd20cab9e684ae84a8ed68a8c0c35b7dfc8

Download Submit
C:\Windows\SysWOW64\Nfjola32.exe

Filesize
72KB

MD5
670076cf82b221d79c61d97d6f2018ed

SHA1
7cb46fcf1616b301c7036326ba1f625a724b7308

SHA256
c45fb90a40acf3e3e1e3fd715e8e8ee9da534ad4e687cc8d7923f0d540ed2b69

SHA512
d0a0b7e06b487840e04ccae9a64afde3821d32faf2a3a0b0feb7351cd3acfb30ea917dea5a24e3308fe01210ca20d6a6e248696e3db2729c69a76ed701405252

Download Submit
C:\Windows\SysWOW64\Nmfcok32.exe

Filesize
72KB

MD5
64cb44901d269c1e597fafd948275004

SHA1
5af72dcb81ae450e1c9faca68664d0d4c3111adb

SHA256
afa26ddeb79e85751116d1a6193394fdaf9362824b8f34026590cf500e9d7d4f

SHA512
ce0f0d2f8099397548bb59869cc7ddd18b897615b004721b56b47e4e3ef074769fa107fb99ed66329a3f6375df1ac4b2eb1f0390a78bf3857c83d700fabda109

Download Submit
C:\Windows\SysWOW64\Oclkgccf.exe

Filesize
72KB

MD5
befcfcd1b5311e89b8370b80d6522aae

SHA1
2c02a7a5fa2fb4f264da5f5b3fe3c2be381f3592

SHA256
1e6a1079f909099c4927dd1cfa11a8614f1243505c34e6b114a95acd5a582a18

SHA512
8fda61584db7f89c1bc157bfdfae269e18596a5284fa33b30b720ce41b6ba06bb9556ea3b0cd63e685dfa33fa7f9f0da602969b520ad45f84bae1b80f2e8bfd8

Download Submit
C:\Windows\SysWOW64\Ogcnmc32.exe

Filesize
72KB

MD5
c530336a58e42e357eeb98a82b7cbc29

SHA1
c6a78d10e8424a00be733228768ebebe82752de1

SHA256
45fbebf9b4861a2d5db3bada3e50cde7fb0dabeee067da8520a05ff5274592ce

SHA512
cc4d6682f4156ae7e673fd3abf2e8390b1d71e104fe716dba1f2891c31db3192a269fc987ed1d3e2a70943b2ba0bd435ccfdd29106a3e90eade59d09cc97a0aa

Download Submit
C:\Windows\SysWOW64\Omgmeigd.exe

Filesize
72KB

MD5
6f9c0ee7e5a999e50ac06264c9e174d1

SHA1
91284a8f763d41f523e2d22c4f5a56fe41ff5975

SHA256
112865565414c0402d3e1ceca28fe87c5566ccfc42e2dbc273266a470318a20a

SHA512
77a8b03de1b4c3af8430abd9489f0fe3873c92db7ad5026d370a64a13c22f0a71d66e08aa46f87cf9d081549b06ac324d6090f440680a6a996c0fdfb8326f7ef

Download Submit
C:\Windows\SysWOW64\Pagbaglh.exe

Filesize
72KB

MD5
78fc5872b1db320b749eb68607f9bccc

SHA1
1e7ee580eed3e0ba7fd001f543608c1e1dfaba2c

SHA256
dbdb2ca432b4adbc5383a32aa4465f1bf1e2c807ac621a574047c762d366556b

SHA512
cb6f49eb66cf16a7332812468f7e1ce9264b9b2abfe5d1afdf1ceab6ecedae225a03f0a98298486fd0f4aee840df800579fb3d5bd848ee3f5a6aec307a8563ce

Download Submit
C:\Windows\SysWOW64\Pnplfj32.exe

Filesize
72KB

MD5
54f9e7d357ef015eee413725e7725eb8

SHA1
e5bcec9fd0572ffe3968b5a3e5583b87bec6f83f

SHA256
590f8f91dfc3cf1b7fc61551f5f90ca97e5c45a6354c93e10e92501667ed9d36

SHA512
8dbdd29474e95572999783a0c38f656afdb9ac1012138225b92760085562e725eee272dbf693aaab876e1021f8167a663d82ee6dafb02d00c3385a87d7063353

Download Submit
memory/336-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/684-520-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/772-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/804-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/844-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/896-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/948-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1148-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1220-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1288-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1328-594-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1432-538-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1608-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1648-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1748-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1860-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1888-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1892-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1900-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1920-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1976-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2008-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2156-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2156-544-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2196-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2212-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2232-593-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2232-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2280-566-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2284-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2308-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2316-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2324-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2792-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2864-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2908-587-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2924-573-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2940-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2956-572-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2956-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3012-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-579-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3064-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3076-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3100-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3144-404-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3396-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3408-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3436-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3508-551-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3508-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3528-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3548-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3644-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3660-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3724-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3728-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3740-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3836-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3844-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3868-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3876-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3924-545-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3980-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3988-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3992-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4012-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4080-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4120-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4132-586-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4132-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4204-532-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4232-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4256-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4292-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4312-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4384-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4416-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4512-580-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4516-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4596-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4596-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4624-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4628-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4636-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4636-565-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4652-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4792-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4804-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4824-398-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4848-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4884-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4956-183-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5052-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5056-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6212-1415-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6256-1414-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6796-1357-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6876-1356-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads