berbew | 1531227e7c24a0f4612971c0ba65562b21c81c69de4697f66d2cbb736d6d54e2

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2025 12:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1531227e7c24a0f4612971c0ba65562b21c81c69de4697f66d2cbb736d6d54e2N.exe
Size

96KB
MD5

4f7591b0f4a8d4bf90561b3c543057c0
SHA1

28d563ec0bbc8737c49d5aacc3cc6ee805bec8e1
SHA256

1531227e7c24a0f4612971c0ba65562b21c81c69de4697f66d2cbb736d6d54e2
SHA512

f8b3e41b29e0dafef52ad4dbcc9468469a32819421b8d9cddb12e90ce49631a21446a99b6dc4c2f03b8d129dd65669126cf58678e4ffa87cee31d2c0c702028d
SSDEEP

1536:i+5qb7LgOOnALRZ8r7Luac2Lj+7RZObZUUWaegPYAW:D5kgNnALYr/uUj+ClUUWaeF

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jnlkedai.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofmdio32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pccahbmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cklhcfle.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eicedn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epmmqheb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fpkibf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpbjkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cocjiehd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fpdcag32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jenmcggo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnmmboed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcoaglhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jniood32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kodnmkap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncchae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmjdm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enbjad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gemkelcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Glipgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bphgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnifekmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pffgom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmpolgoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hoobdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jocefm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnlkedai.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njjdho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aagkhd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fiodpl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gncchb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hipmfjee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jokkgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofhknodl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fneggdhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hemdlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgpfbjlo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoioli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaoaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klahfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oplfkeob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pffgom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnlecmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adfgdpmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckgohf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiglnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgibpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omnjojpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adkqoohc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfhndpol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipgbdbqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Joahqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Igdgglfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkgeainn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fihnomjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbelcblk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gnepna32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eejeiocj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljqhkckn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlgepanl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kjjbjd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Flpmagqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlepcdoa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipeeobbe.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
4056	Dbbffdlq.exe
1128	Emhkdmlg.exe
1556	Eofgpikj.exe
4644	Ebdcld32.exe
1580	Ekmhejao.exe
3068	Enkdaepb.exe
2008	Emmdom32.exe
1596	Ekodjiol.exe
336	Ennqfenp.exe
524	Eicedn32.exe
2452	Epmmqheb.exe
3576	Eejeiocj.exe
3604	Emanjldl.exe
2216	Enbjad32.exe
4136	Fihnomjp.exe
4004	Fneggdhg.exe
4220	Fijkdmhn.exe
1124	Fpdcag32.exe
4904	Ffnknafg.exe
3240	Flkdfh32.exe
2456	Fbelcblk.exe
224	Fiodpl32.exe
2180	Flmqlg32.exe
3580	Ffceip32.exe
1012	Fefedmil.exe
3920	Flpmagqi.exe
3088	Fpkibf32.exe
3596	Gfeaopqo.exe
4528	Gnqfcbnj.exe
2348	Gfhndpol.exe
5028	Gmafajfi.exe
3312	Gncchb32.exe
2152	Gemkelcd.exe
916	Gnepna32.exe
3564	Glipgf32.exe
2540	Gfodeohd.exe
4796	Gmimai32.exe
4464	Gojiiafp.exe
4872	Hipmfjee.exe
2276	Holfoqcm.exe
2812	Hlpfhe32.exe
2172	Hoobdp32.exe
3512	Hidgai32.exe
2864	Hlbcnd32.exe
2424	Hifcgion.exe
416	Hlepcdoa.exe
2220	Hemdlj32.exe
5060	Hlglidlo.exe
3032	Ibaeen32.exe
3560	Ipeeobbe.exe
2528	Ifomll32.exe
3952	Ipgbdbqb.exe
4636	Iedjmioj.exe
3960	Ilnbicff.exe
4612	Igdgglfl.exe
3820	Ilqoobdd.exe
1856	Ickglm32.exe
2916	Joahqn32.exe
4400	Jcmdaljn.exe
2488	Jiglnf32.exe
4112	Jocefm32.exe
2004	Jcoaglhk.exe
4816	Jenmcggo.exe
5112	Jlgepanl.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Onmfimga.exe	Ojajin32.exe
File created	C:\Windows\SysWOW64\Biafno32.dll	Chnlgjlb.exe
File created	C:\Windows\SysWOW64\Mdkgabfn.dll	Eejeiocj.exe
File opened for modification	C:\Windows\SysWOW64\Glipgf32.exe	Gnepna32.exe
File opened for modification	C:\Windows\SysWOW64\Ncnofeof.exe	Nfjola32.exe
File created	C:\Windows\SysWOW64\Bhgbbckh.dll	Ncchae32.exe
File created	C:\Windows\SysWOW64\Eieijp32.dll	Jcoaglhk.exe
File opened for modification	C:\Windows\SysWOW64\Adkqoohc.exe	Aonhghjl.exe
File created	C:\Windows\SysWOW64\Bnlhncgi.exe	Bhpofl32.exe
File created	C:\Windows\SysWOW64\Jpenfp32.exe	Jepjhg32.exe
File created	C:\Windows\SysWOW64\Aopemh32.exe	Agimkk32.exe
File created	C:\Windows\SysWOW64\Dbbffdlq.exe	1531227e7c24a0f4612971c0ba65562b21c81c69de4697f66d2cbb736d6d54e2N.exe
File created	C:\Windows\SysWOW64\Hipmfjee.exe	Gojiiafp.exe
File created	C:\Windows\SysWOW64\Igdgglfl.exe	Ilnbicff.exe
File opened for modification	C:\Windows\SysWOW64\Igdgglfl.exe	Ilnbicff.exe
File opened for modification	C:\Windows\SysWOW64\Hemdlj32.exe	Hlepcdoa.exe
File created	C:\Windows\SysWOW64\Fgeaiknl.dll	Kgiiiidd.exe
File created	C:\Windows\SysWOW64\Kpdjljdk.dll	Lmaamn32.exe
File created	C:\Windows\SysWOW64\Qjfmkk32.exe	Ppahmb32.exe
File created	C:\Windows\SysWOW64\Pccahbmn.exe	Pjkmomfn.exe
File created	C:\Windows\SysWOW64\Boldhf32.exe	Bkphhgfc.exe
File created	C:\Windows\SysWOW64\Cjafgpmo.dll	Fihnomjp.exe
File opened for modification	C:\Windows\SysWOW64\Gmafajfi.exe	Gfhndpol.exe
File created	C:\Windows\SysWOW64\Njjdho32.exe	Ncqlkemc.exe
File created	C:\Windows\SysWOW64\Oglbla32.dll	Oakbehfe.exe
File created	C:\Windows\SysWOW64\Pnmopk32.exe	Pffgom32.exe
File created	C:\Windows\SysWOW64\Agimkk32.exe	Adkqoohc.exe
File created	C:\Windows\SysWOW64\Lpcncmnn.dll	Iedjmioj.exe
File opened for modification	C:\Windows\SysWOW64\Mnhdgpii.exe	Mfqlfb32.exe
File created	C:\Windows\SysWOW64\Mfjnfknb.dll	Mfqlfb32.exe
File opened for modification	C:\Windows\SysWOW64\Ojhpimhp.exe	Ofmdio32.exe
File created	C:\Windows\SysWOW64\Flhkmbmp.dll	Oplfkeob.exe
File created	C:\Windows\SysWOW64\Adcjop32.exe	Aaenbd32.exe
File created	C:\Windows\SysWOW64\Ilmjim32.dll	Gncchb32.exe
File created	C:\Windows\SysWOW64\Bohgljdl.dll	Kodnmkap.exe
File created	C:\Windows\SysWOW64\Ljnlecmp.exe	Kjlopc32.exe
File created	C:\Windows\SysWOW64\Kkbfan32.dll	Nadleilm.exe
File created	C:\Windows\SysWOW64\Lnangaoa.exe	Lmaamn32.exe
File opened for modification	C:\Windows\SysWOW64\Nqbpojnp.exe	Ncnofeof.exe
File opened for modification	C:\Windows\SysWOW64\Gmimai32.exe	Gfodeohd.exe
File opened for modification	C:\Windows\SysWOW64\Jcmdaljn.exe	Joahqn32.exe
File created	C:\Windows\SysWOW64\Gaagdbfm.dll	Ocohmc32.exe
File opened for modification	C:\Windows\SysWOW64\Apmhiq32.exe	Aajhndkb.exe
File created	C:\Windows\SysWOW64\Lielhgaa.dll	Aonhghjl.exe
File created	C:\Windows\SysWOW64\Mfbjdgmg.dll	Dbbffdlq.exe
File opened for modification	C:\Windows\SysWOW64\Enbjad32.exe	Emanjldl.exe
File created	C:\Windows\SysWOW64\Jepjhg32.exe	Jgmjmjnb.exe
File created	C:\Windows\SysWOW64\Kodnmkap.exe	Kgiiiidd.exe
File created	C:\Windows\SysWOW64\Qpeahb32.exe	Qhjmdp32.exe
File created	C:\Windows\SysWOW64\Mfgomdnj.dll	Aaenbd32.exe
File created	C:\Windows\SysWOW64\Ankkea32.dll	Ennqfenp.exe
File created	C:\Windows\SysWOW64\Cfidbo32.dll	Ilnbicff.exe
File created	C:\Windows\SysWOW64\Jniood32.exe	Jgpfbjlo.exe
File created	C:\Windows\SysWOW64\Nmiadaea.dll	Ncnofeof.exe
File opened for modification	C:\Windows\SysWOW64\Koaagkcb.exe	Kgflcifg.exe
File opened for modification	C:\Windows\SysWOW64\Monjjgkb.exe	Mnmmboed.exe
File created	C:\Windows\SysWOW64\Apmhiq32.exe	Aajhndkb.exe
File opened for modification	C:\Windows\SysWOW64\Pplobcpp.exe	Pdenmbkk.exe
File created	C:\Windows\SysWOW64\Amnlme32.exe	Aokkahlo.exe
File opened for modification	C:\Windows\SysWOW64\Ahdpjn32.exe	Apmhiq32.exe
File opened for modification	C:\Windows\SysWOW64\Ekmhejao.exe	Ebdcld32.exe
File created	C:\Windows\SysWOW64\Ibingd32.dll	Fbelcblk.exe
File opened for modification	C:\Windows\SysWOW64\Hlepcdoa.exe	Hifcgion.exe
File opened for modification	C:\Windows\SysWOW64\Mfqlfb32.exe	Mjjkaabc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6392	6208	WerFault.exe	277

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lncjlq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojajin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opeiadfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akkffkhk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoioli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aokkahlo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlgepanl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jokkgl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caageq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Glipgf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpenfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofhknodl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnlhncgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Emanjldl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fefedmil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljqhkckn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncchae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojhpimhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qhjmdp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aajhndkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbelcblk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgdpni32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mokmdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqbpojnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngqagcag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coegoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gmafajfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Igdgglfl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnmmboed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmpolgoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adfgdpmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agimkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bphgeo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgeenfog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flkdfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnlkedai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gemkelcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilqoobdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcoaglhk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lnangaoa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjjkaabc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocjoadei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enbjad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ffnknafg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conanfli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmjdm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgpcliao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bahdob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpbjkn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkndie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hlbcnd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mqafhl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aonhghjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jiglnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocohmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjola32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojfcdnjc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjkmomfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjfmkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fneggdhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jenmcggo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opnbae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bajqda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epmmqheb.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ffceip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iedjmioj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jiglnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jleiba32.dll"	Jniood32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpfoag32.dll"	Caageq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eejeiocj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfjola32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oglbla32.dll"	Oakbehfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbfpagon.dll"	Amjbbfgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcknij32.dll"	Dkndie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dbbffdlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfbjdgmg.dll"	Dbbffdlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Emmdom32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fiodpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gncchb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjkmomfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jiglnf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jlgepanl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bahdob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkphhgfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Conanfli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdifpa32.dll"	Gfhndpol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpcncmnn.dll"	Iedjmioj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jcoaglhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekfkeh32.dll"	Kgflcifg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Koaagkcb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kjlopc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idaiki32.dll"	Pmpolgoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkmjlphl.dll"	Adfgdpmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Glipgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hipmfjee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmaamn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agdcpkll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bajqda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ekmhejao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jcmdaljn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdjljdk.dll"	Lmaamn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pccahbmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kjlopc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njjdho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nadleilm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amjbbfgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olaafabl.dll"	Conanfli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncqlkemc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocohmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amnlme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hikemehi.dll"	Bajqda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlkidpke.dll"	Ckebcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gfeaopqo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmafajfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpefcn32.dll"	Jcmdaljn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Figfoijn.dll"	Mokmdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	1531227e7c24a0f4612971c0ba65562b21c81c69de4697f66d2cbb736d6d54e2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncnofeof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oclkgccf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahdpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmkalh32.dll"	Fijkdmhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lciibdmj.dll"	Hlglidlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbqpfg32.dll"	Jepjhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edommp32.dll"	Enkdaepb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gemkelcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kodnmkap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljqhkckn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mqafhl32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5016 wrote to memory of 4056	5016	1531227e7c24a0f4612971c0ba65562b21c81c69de4697f66d2cbb736d6d54e2N.exe	83
PID 5016 wrote to memory of 4056	5016	1531227e7c24a0f4612971c0ba65562b21c81c69de4697f66d2cbb736d6d54e2N.exe	83
PID 5016 wrote to memory of 4056	5016	1531227e7c24a0f4612971c0ba65562b21c81c69de4697f66d2cbb736d6d54e2N.exe	83
PID 4056 wrote to memory of 1128	4056	Dbbffdlq.exe	84
PID 4056 wrote to memory of 1128	4056	Dbbffdlq.exe	84
PID 4056 wrote to memory of 1128	4056	Dbbffdlq.exe	84
PID 1128 wrote to memory of 1556	1128	Emhkdmlg.exe	85
PID 1128 wrote to memory of 1556	1128	Emhkdmlg.exe	85
PID 1128 wrote to memory of 1556	1128	Emhkdmlg.exe	85
PID 1556 wrote to memory of 4644	1556	Eofgpikj.exe	86
PID 1556 wrote to memory of 4644	1556	Eofgpikj.exe	86
PID 1556 wrote to memory of 4644	1556	Eofgpikj.exe	86
PID 4644 wrote to memory of 1580	4644	Ebdcld32.exe	87
PID 4644 wrote to memory of 1580	4644	Ebdcld32.exe	87
PID 4644 wrote to memory of 1580	4644	Ebdcld32.exe	87
PID 1580 wrote to memory of 3068	1580	Ekmhejao.exe	88
PID 1580 wrote to memory of 3068	1580	Ekmhejao.exe	88
PID 1580 wrote to memory of 3068	1580	Ekmhejao.exe	88
PID 3068 wrote to memory of 2008	3068	Enkdaepb.exe	89
PID 3068 wrote to memory of 2008	3068	Enkdaepb.exe	89
PID 3068 wrote to memory of 2008	3068	Enkdaepb.exe	89
PID 2008 wrote to memory of 1596	2008	Emmdom32.exe	90
PID 2008 wrote to memory of 1596	2008	Emmdom32.exe	90
PID 2008 wrote to memory of 1596	2008	Emmdom32.exe	90
PID 1596 wrote to memory of 336	1596	Ekodjiol.exe	91
PID 1596 wrote to memory of 336	1596	Ekodjiol.exe	91
PID 1596 wrote to memory of 336	1596	Ekodjiol.exe	91
PID 336 wrote to memory of 524	336	Ennqfenp.exe	92
PID 336 wrote to memory of 524	336	Ennqfenp.exe	92
PID 336 wrote to memory of 524	336	Ennqfenp.exe	92
PID 524 wrote to memory of 2452	524	Eicedn32.exe	93
PID 524 wrote to memory of 2452	524	Eicedn32.exe	93
PID 524 wrote to memory of 2452	524	Eicedn32.exe	93
PID 2452 wrote to memory of 3576	2452	Epmmqheb.exe	94
PID 2452 wrote to memory of 3576	2452	Epmmqheb.exe	94
PID 2452 wrote to memory of 3576	2452	Epmmqheb.exe	94
PID 3576 wrote to memory of 3604	3576	Eejeiocj.exe	95
PID 3576 wrote to memory of 3604	3576	Eejeiocj.exe	95
PID 3576 wrote to memory of 3604	3576	Eejeiocj.exe	95
PID 3604 wrote to memory of 2216	3604	Emanjldl.exe	96
PID 3604 wrote to memory of 2216	3604	Emanjldl.exe	96
PID 3604 wrote to memory of 2216	3604	Emanjldl.exe	96
PID 2216 wrote to memory of 4136	2216	Enbjad32.exe	97
PID 2216 wrote to memory of 4136	2216	Enbjad32.exe	97
PID 2216 wrote to memory of 4136	2216	Enbjad32.exe	97
PID 4136 wrote to memory of 4004	4136	Fihnomjp.exe	98
PID 4136 wrote to memory of 4004	4136	Fihnomjp.exe	98
PID 4136 wrote to memory of 4004	4136	Fihnomjp.exe	98
PID 4004 wrote to memory of 4220	4004	Fneggdhg.exe	99
PID 4004 wrote to memory of 4220	4004	Fneggdhg.exe	99
PID 4004 wrote to memory of 4220	4004	Fneggdhg.exe	99
PID 4220 wrote to memory of 1124	4220	Fijkdmhn.exe	100
PID 4220 wrote to memory of 1124	4220	Fijkdmhn.exe	100
PID 4220 wrote to memory of 1124	4220	Fijkdmhn.exe	100
PID 1124 wrote to memory of 4904	1124	Fpdcag32.exe	101
PID 1124 wrote to memory of 4904	1124	Fpdcag32.exe	101
PID 1124 wrote to memory of 4904	1124	Fpdcag32.exe	101
PID 4904 wrote to memory of 3240	4904	Ffnknafg.exe	102
PID 4904 wrote to memory of 3240	4904	Ffnknafg.exe	102
PID 4904 wrote to memory of 3240	4904	Ffnknafg.exe	102
PID 3240 wrote to memory of 2456	3240	Flkdfh32.exe	103
PID 3240 wrote to memory of 2456	3240	Flkdfh32.exe	103
PID 3240 wrote to memory of 2456	3240	Flkdfh32.exe	103
PID 2456 wrote to memory of 224	2456	Fbelcblk.exe	104

C:\Users\Admin\AppData\Local\Temp\1531227e7c24a0f4612971c0ba65562b21c81c69de4697f66d2cbb736d6d54e2N.exe
"C:\Users\Admin\AppData\Local\Temp\1531227e7c24a0f4612971c0ba65562b21c81c69de4697f66d2cbb736d6d54e2N.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Windows\SysWOW64\Dbbffdlq.exe
  C:\Windows\system32\Dbbffdlq.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4056
- - C:\Windows\SysWOW64\Emhkdmlg.exe
    C:\Windows\system32\Emhkdmlg.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1128
  - - C:\Windows\SysWOW64\Eofgpikj.exe
      C:\Windows\system32\Eofgpikj.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1556
    - - C:\Windows\SysWOW64\Ebdcld32.exe
        
        C:\Windows\system32\Ebdcld32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4644
      - C:\Windows\SysWOW64\Ekmhejao.exe
        
        C:\Windows\system32\Ekmhejao.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\SysWOW64\Enkdaepb.exe
        
        C:\Windows\system32\Enkdaepb.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\SysWOW64\Emmdom32.exe
        
        C:\Windows\system32\Emmdom32.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\Ekodjiol.exe
        
        C:\Windows\system32\Ekodjiol.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\SysWOW64\Ennqfenp.exe
        
        C:\Windows\system32\Ennqfenp.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:336
        
        C:\Windows\SysWOW64\Eicedn32.exe
        
        C:\Windows\system32\Eicedn32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:524
        
        C:\Windows\SysWOW64\Epmmqheb.exe
        
        C:\Windows\system32\Epmmqheb.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\SysWOW64\Eejeiocj.exe
        
        C:\Windows\system32\Eejeiocj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\SysWOW64\Emanjldl.exe
        
        C:\Windows\system32\Emanjldl.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3604
        
        C:\Windows\SysWOW64\Enbjad32.exe
        
        C:\Windows\system32\Enbjad32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SysWOW64\Fihnomjp.exe
        
        C:\Windows\system32\Fihnomjp.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4136
        
        C:\Windows\SysWOW64\Fneggdhg.exe
        
        C:\Windows\system32\Fneggdhg.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4004
        
        C:\Windows\SysWOW64\Fijkdmhn.exe
        
        C:\Windows\system32\Fijkdmhn.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4220
        
        C:\Windows\SysWOW64\Fpdcag32.exe
        
        C:\Windows\system32\Fpdcag32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1124
        
        C:\Windows\SysWOW64\Ffnknafg.exe
        
        C:\Windows\system32\Ffnknafg.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\SysWOW64\Flkdfh32.exe
        
        C:\Windows\system32\Flkdfh32.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3240
        
        C:\Windows\SysWOW64\Fbelcblk.exe
        
        C:\Windows\system32\Fbelcblk.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\SysWOW64\Fiodpl32.exe
        
        C:\Windows\system32\Fiodpl32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Flmqlg32.exe
        
        C:\Windows\system32\Flmqlg32.exe
        24⤵
        Executes dropped EXE
        
        PID:2180
        
        C:\Windows\SysWOW64\Ffceip32.exe
        
        C:\Windows\system32\Ffceip32.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3580
        
        C:\Windows\SysWOW64\Fefedmil.exe
        
        C:\Windows\system32\Fefedmil.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1012
        
        C:\Windows\SysWOW64\Flpmagqi.exe
        
        C:\Windows\system32\Flpmagqi.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3920
        
        C:\Windows\SysWOW64\Fpkibf32.exe
        
        C:\Windows\system32\Fpkibf32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3088
        
        C:\Windows\SysWOW64\Gfeaopqo.exe
        
        C:\Windows\system32\Gfeaopqo.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3596
        
        C:\Windows\SysWOW64\Gnqfcbnj.exe
        
        C:\Windows\system32\Gnqfcbnj.exe
        30⤵
        Executes dropped EXE
        
        PID:4528
        
        C:\Windows\SysWOW64\Gfhndpol.exe
        
        C:\Windows\system32\Gfhndpol.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2348
        
        C:\Windows\SysWOW64\Gmafajfi.exe
        
        C:\Windows\system32\Gmafajfi.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5028
        
        C:\Windows\SysWOW64\Gncchb32.exe
        
        C:\Windows\system32\Gncchb32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\Gemkelcd.exe
        
        C:\Windows\system32\Gemkelcd.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2152
        
        C:\Windows\SysWOW64\Gnepna32.exe
        
        C:\Windows\system32\Gnepna32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:916
        
        C:\Windows\SysWOW64\Glipgf32.exe
        
        C:\Windows\system32\Glipgf32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3564
        
        C:\Windows\SysWOW64\Gfodeohd.exe
        
        C:\Windows\system32\Gfodeohd.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2540
        
        C:\Windows\SysWOW64\Gmimai32.exe
        
        C:\Windows\system32\Gmimai32.exe
        38⤵
        Executes dropped EXE
        
        PID:4796
        
        C:\Windows\SysWOW64\Gojiiafp.exe
        
        C:\Windows\system32\Gojiiafp.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4464
        
        C:\Windows\SysWOW64\Hipmfjee.exe
        
        C:\Windows\system32\Hipmfjee.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\Holfoqcm.exe
        
        C:\Windows\system32\Holfoqcm.exe
        41⤵
        Executes dropped EXE
        
        PID:2276
        
        C:\Windows\SysWOW64\Hlpfhe32.exe
        
        C:\Windows\system32\Hlpfhe32.exe
        42⤵
        Executes dropped EXE
        
        PID:2812
        
        C:\Windows\SysWOW64\Hoobdp32.exe
        
        C:\Windows\system32\Hoobdp32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2172
        
        C:\Windows\SysWOW64\Hidgai32.exe
        
        C:\Windows\system32\Hidgai32.exe
        44⤵
        Executes dropped EXE
        
        PID:3512
        
        C:\Windows\SysWOW64\Hlbcnd32.exe
        
        C:\Windows\system32\Hlbcnd32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2864
        
        C:\Windows\SysWOW64\Hifcgion.exe
        
        C:\Windows\system32\Hifcgion.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2424
        
        C:\Windows\SysWOW64\Hlepcdoa.exe
        
        C:\Windows\system32\Hlepcdoa.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:416
        
        C:\Windows\SysWOW64\Hemdlj32.exe
        
        C:\Windows\system32\Hemdlj32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2220
        
        C:\Windows\SysWOW64\Hlglidlo.exe
        
        C:\Windows\system32\Hlglidlo.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5060
        
        C:\Windows\SysWOW64\Ibaeen32.exe
        
        C:\Windows\system32\Ibaeen32.exe
        50⤵
        Executes dropped EXE
        
        PID:3032
        
        C:\Windows\SysWOW64\Ipeeobbe.exe
        
        C:\Windows\system32\Ipeeobbe.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3560
        
        C:\Windows\SysWOW64\Ifomll32.exe
        
        C:\Windows\system32\Ifomll32.exe
        52⤵
        Executes dropped EXE
        
        PID:2528
        
        C:\Windows\SysWOW64\Ipgbdbqb.exe
        
        C:\Windows\system32\Ipgbdbqb.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3952
        
        C:\Windows\SysWOW64\Iedjmioj.exe
        
        C:\Windows\system32\Iedjmioj.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4636
        
        C:\Windows\SysWOW64\Ilnbicff.exe
        
        C:\Windows\system32\Ilnbicff.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3960
        
        C:\Windows\SysWOW64\Igdgglfl.exe
        
        C:\Windows\system32\Igdgglfl.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4612
        
        C:\Windows\SysWOW64\Ilqoobdd.exe
        
        C:\Windows\system32\Ilqoobdd.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3820
        
        C:\Windows\SysWOW64\Ickglm32.exe
        
        C:\Windows\system32\Ickglm32.exe
        58⤵
        Executes dropped EXE
        
        PID:1856
        
        C:\Windows\SysWOW64\Joahqn32.exe
        
        C:\Windows\system32\Joahqn32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2916
        
        C:\Windows\SysWOW64\Jcmdaljn.exe
        
        C:\Windows\system32\Jcmdaljn.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Jiglnf32.exe
        
        C:\Windows\system32\Jiglnf32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2488
        
        C:\Windows\SysWOW64\Jocefm32.exe
        
        C:\Windows\system32\Jocefm32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4112
        
        C:\Windows\SysWOW64\Jcoaglhk.exe
        
        C:\Windows\system32\Jcoaglhk.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\Jenmcggo.exe
        
        C:\Windows\system32\Jenmcggo.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4816
        
        C:\Windows\SysWOW64\Jlgepanl.exe
        
        C:\Windows\system32\Jlgepanl.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Jgmjmjnb.exe
        
        C:\Windows\system32\Jgmjmjnb.exe
        66⤵
        Drops file in System32 directory
        
        PID:5000
        
        C:\Windows\SysWOW64\Jepjhg32.exe
        
        C:\Windows\system32\Jepjhg32.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Jpenfp32.exe
        
        C:\Windows\system32\Jpenfp32.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:1684
        
        C:\Windows\SysWOW64\Jgpfbjlo.exe
        
        C:\Windows\system32\Jgpfbjlo.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:436
        
        C:\Windows\SysWOW64\Jniood32.exe
        
        C:\Windows\system32\Jniood32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Jokkgl32.exe
        
        C:\Windows\system32\Jokkgl32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1508
        
        C:\Windows\SysWOW64\Jnlkedai.exe
        
        C:\Windows\system32\Jnlkedai.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2700
        
        C:\Windows\SysWOW64\Kgdpni32.exe
        
        C:\Windows\system32\Kgdpni32.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:2852
        
        C:\Windows\SysWOW64\Klahfp32.exe
        
        C:\Windows\system32\Klahfp32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1656
        
        C:\Windows\SysWOW64\Kgflcifg.exe
        
        C:\Windows\system32\Kgflcifg.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1212
        
        C:\Windows\SysWOW64\Koaagkcb.exe
        
        C:\Windows\system32\Koaagkcb.exe
        76⤵
        Modifies registry class
        
        PID:4104
        
        C:\Windows\SysWOW64\Kgiiiidd.exe
        
        C:\Windows\system32\Kgiiiidd.exe
        77⤵
        Drops file in System32 directory
        
        PID:2880
        
        C:\Windows\SysWOW64\Kodnmkap.exe
        
        C:\Windows\system32\Kodnmkap.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3208
        
        C:\Windows\SysWOW64\Kjjbjd32.exe
        
        C:\Windows\system32\Kjjbjd32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1472
        
        C:\Windows\SysWOW64\Kjlopc32.exe
        
        C:\Windows\system32\Kjlopc32.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Ljnlecmp.exe
        
        C:\Windows\system32\Ljnlecmp.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3080
        
        C:\Windows\SysWOW64\Ljqhkckn.exe
        
        C:\Windows\system32\Ljqhkckn.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:764
        
        C:\Windows\SysWOW64\Lgdidgjg.exe
        
        C:\Windows\system32\Lgdidgjg.exe
        83⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\Lmaamn32.exe
        
        C:\Windows\system32\Lmaamn32.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1104
        
        C:\Windows\SysWOW64\Lnangaoa.exe
        
        C:\Windows\system32\Lnangaoa.exe
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:1572
        
        C:\Windows\SysWOW64\Lgibpf32.exe
        
        C:\Windows\system32\Lgibpf32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2576
        
        C:\Windows\SysWOW64\Lncjlq32.exe
        
        C:\Windows\system32\Lncjlq32.exe
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:1320
        
        C:\Windows\SysWOW64\Mqafhl32.exe
        
        C:\Windows\system32\Mqafhl32.exe
        88⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1560
        
        C:\Windows\SysWOW64\Mjjkaabc.exe
        
        C:\Windows\system32\Mjjkaabc.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3476
        
        C:\Windows\SysWOW64\Mfqlfb32.exe
        
        C:\Windows\system32\Mfqlfb32.exe
        90⤵
        Drops file in System32 directory
        
        PID:3668
        
        C:\Windows\SysWOW64\Mnhdgpii.exe
        
        C:\Windows\system32\Mnhdgpii.exe
        91⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\Mokmdh32.exe
        
        C:\Windows\system32\Mokmdh32.exe
        92⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3308
        
        C:\Windows\SysWOW64\Mnmmboed.exe
        
        C:\Windows\system32\Mnmmboed.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4412
        
        C:\Windows\SysWOW64\Monjjgkb.exe
        
        C:\Windows\system32\Monjjgkb.exe
        94⤵
        
        PID:228
        
        C:\Windows\SysWOW64\Mfhbga32.exe
        
        C:\Windows\system32\Mfhbga32.exe
        95⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\Nqmfdj32.exe
        
        C:\Windows\system32\Nqmfdj32.exe
        96⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\Nfjola32.exe
        
        C:\Windows\system32\Nfjola32.exe
        97⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Ncnofeof.exe
        
        C:\Windows\system32\Ncnofeof.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5096
        
        C:\Windows\SysWOW64\Nqbpojnp.exe
        
        C:\Windows\system32\Nqbpojnp.exe
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:3616
        
        C:\Windows\SysWOW64\Ncqlkemc.exe
        
        C:\Windows\system32\Ncqlkemc.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4936
        
        C:\Windows\SysWOW64\Njjdho32.exe
        
        C:\Windows\system32\Njjdho32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4632
        
        C:\Windows\SysWOW64\Nadleilm.exe
        
        C:\Windows\system32\Nadleilm.exe
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Ncchae32.exe
        
        C:\Windows\system32\Ncchae32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3680
        
        C:\Windows\SysWOW64\Nnhmnn32.exe
        
        C:\Windows\system32\Nnhmnn32.exe
        104⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\Ngqagcag.exe
        
        C:\Windows\system32\Ngqagcag.exe
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Windows\SysWOW64\Omnjojpo.exe
        
        C:\Windows\system32\Omnjojpo.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3700
        
        C:\Windows\SysWOW64\Oplfkeob.exe
        
        C:\Windows\system32\Oplfkeob.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1952
        
        C:\Windows\SysWOW64\Ogcnmc32.exe
        
        C:\Windows\system32\Ogcnmc32.exe
        108⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\Ojajin32.exe
        
        C:\Windows\system32\Ojajin32.exe
        109⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3036
        
        C:\Windows\SysWOW64\Onmfimga.exe
        
        C:\Windows\system32\Onmfimga.exe
        110⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\Oakbehfe.exe
        
        C:\Windows\system32\Oakbehfe.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:852
        
        C:\Windows\SysWOW64\Opnbae32.exe
        
        C:\Windows\system32\Opnbae32.exe
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:1956
        
        C:\Windows\SysWOW64\Ocjoadei.exe
        
        C:\Windows\system32\Ocjoadei.exe
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:4084
        
        C:\Windows\SysWOW64\Ofhknodl.exe
        
        C:\Windows\system32\Ofhknodl.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3724
        
        C:\Windows\SysWOW64\Oanokhdb.exe
        
        C:\Windows\system32\Oanokhdb.exe
        115⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\Oclkgccf.exe
        
        C:\Windows\system32\Oclkgccf.exe
        116⤵
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\Ojfcdnjc.exe
        
        C:\Windows\system32\Ojfcdnjc.exe
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:5148
        
        C:\Windows\SysWOW64\Oaplqh32.exe
        
        C:\Windows\system32\Oaplqh32.exe
        118⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\Ocohmc32.exe
        
        C:\Windows\system32\Ocohmc32.exe
        119⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Ofmdio32.exe
        
        C:\Windows\system32\Ofmdio32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5324
        
        C:\Windows\SysWOW64\Ojhpimhp.exe
        
        C:\Windows\system32\Ojhpimhp.exe
        121⤵
        System Location Discovery: System Language Discovery
        
        PID:5368
        
        C:\Windows\SysWOW64\Opeiadfg.exe
        
        C:\Windows\system32\Opeiadfg.exe
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:5412
        
        C:\Windows\SysWOW64\Pjkmomfn.exe
        
        C:\Windows\system32\Pjkmomfn.exe
        123⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5456
        
        C:\Windows\SysWOW64\Pccahbmn.exe
        
        C:\Windows\system32\Pccahbmn.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5500
        
        C:\Windows\SysWOW64\Pjmjdm32.exe
        
        C:\Windows\system32\Pjmjdm32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5548
        
        C:\Windows\SysWOW64\Pnifekmd.exe
        
        C:\Windows\system32\Pnifekmd.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5592
        
        C:\Windows\SysWOW64\Pdenmbkk.exe
        
        C:\Windows\system32\Pdenmbkk.exe
        127⤵
        Drops file in System32 directory
        
        PID:5636
        
        C:\Windows\SysWOW64\Pplobcpp.exe
        
        C:\Windows\system32\Pplobcpp.exe
        128⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Pffgom32.exe
        
        C:\Windows\system32\Pffgom32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5724
        
        C:\Windows\SysWOW64\Pnmopk32.exe
        
        C:\Windows\system32\Pnmopk32.exe
        130⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\Pmpolgoi.exe
        
        C:\Windows\system32\Pmpolgoi.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Pfiddm32.exe
        
        C:\Windows\system32\Pfiddm32.exe
        132⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\Ppahmb32.exe
        
        C:\Windows\system32\Ppahmb32.exe
        133⤵
        Drops file in System32 directory
        
        PID:5900
        
        C:\Windows\SysWOW64\Qjfmkk32.exe
        
        C:\Windows\system32\Qjfmkk32.exe
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:5944
        
        C:\Windows\SysWOW64\Qhjmdp32.exe
        
        C:\Windows\system32\Qhjmdp32.exe
        135⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5988
        
        C:\Windows\SysWOW64\Qpeahb32.exe
        
        C:\Windows\system32\Qpeahb32.exe
        136⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\Qdaniq32.exe
        
        C:\Windows\system32\Qdaniq32.exe
        137⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\Ahmjjoig.exe
        
        C:\Windows\system32\Ahmjjoig.exe
        138⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\Akkffkhk.exe
        
        C:\Windows\system32\Akkffkhk.exe
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:5192
        
        C:\Windows\SysWOW64\Amjbbfgo.exe
        
        C:\Windows\system32\Amjbbfgo.exe
        140⤵
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Aaenbd32.exe
        
        C:\Windows\system32\Aaenbd32.exe
        141⤵
        Drops file in System32 directory
        
        PID:5348
        
        C:\Windows\SysWOW64\Adcjop32.exe
        
        C:\Windows\system32\Adcjop32.exe
        142⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\Afbgkl32.exe
        
        C:\Windows\system32\Afbgkl32.exe
        143⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\Aoioli32.exe
        
        C:\Windows\system32\Aoioli32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5616
        
        C:\Windows\SysWOW64\Aagkhd32.exe
        
        C:\Windows\system32\Aagkhd32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5760
        
        C:\Windows\SysWOW64\Apjkcadp.exe
        
        C:\Windows\system32\Apjkcadp.exe
        146⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\Adfgdpmi.exe
        
        C:\Windows\system32\Adfgdpmi.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Agdcpkll.exe
        
        C:\Windows\system32\Agdcpkll.exe
        148⤵
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Akpoaj32.exe
        
        C:\Windows\system32\Akpoaj32.exe
        149⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\Aokkahlo.exe
        
        C:\Windows\system32\Aokkahlo.exe
        150⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5200
        
        C:\Windows\SysWOW64\Amnlme32.exe
        
        C:\Windows\system32\Amnlme32.exe
        151⤵
        Modifies registry class
        
        PID:5312
        
        C:\Windows\SysWOW64\Aajhndkb.exe
        
        C:\Windows\system32\Aajhndkb.exe
        152⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5444
        
        C:\Windows\SysWOW64\Apmhiq32.exe
        
        C:\Windows\system32\Apmhiq32.exe
        153⤵
        Drops file in System32 directory
        
        PID:5604
        
        C:\Windows\SysWOW64\Ahdpjn32.exe
        
        C:\Windows\system32\Ahdpjn32.exe
        154⤵
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Aggpfkjj.exe
        
        C:\Windows\system32\Aggpfkjj.exe
        155⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\Aonhghjl.exe
        
        C:\Windows\system32\Aonhghjl.exe
        156⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5188
        
        C:\Windows\SysWOW64\Adkqoohc.exe
        
        C:\Windows\system32\Adkqoohc.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5360
        
        C:\Windows\SysWOW64\Agimkk32.exe
        
        C:\Windows\system32\Agimkk32.exe
        158⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5600
        
        C:\Windows\SysWOW64\Aopemh32.exe
        
        C:\Windows\system32\Aopemh32.exe
        159⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\Aaoaic32.exe
        
        C:\Windows\system32\Aaoaic32.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5160
        
        C:\Windows\SysWOW64\Bgkiaj32.exe
        
        C:\Windows\system32\Bgkiaj32.exe
        161⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Bkgeainn.exe
        
        C:\Windows\system32\Bkgeainn.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5528
        
        C:\Windows\SysWOW64\Bmhocd32.exe
        
        C:\Windows\system32\Bmhocd32.exe
        163⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Bgpcliao.exe
        
        C:\Windows\system32\Bgpcliao.exe
        164⤵
        System Location Discovery: System Language Discovery
        
        PID:5432
        
        C:\Windows\SysWOW64\Bphgeo32.exe
        
        C:\Windows\system32\Bphgeo32.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5796
        
        C:\Windows\SysWOW64\Bhpofl32.exe
        
        C:\Windows\system32\Bhpofl32.exe
        166⤵
        Drops file in System32 directory
        
        PID:6156
        
        C:\Windows\SysWOW64\Bnlhncgi.exe
        
        C:\Windows\system32\Bnlhncgi.exe
        167⤵
        System Location Discovery: System Language Discovery
        
        PID:6200
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        168⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6244
        
        C:\Windows\SysWOW64\Bkphhgfc.exe
        
        C:\Windows\system32\Bkphhgfc.exe
        169⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6288
        
        C:\Windows\SysWOW64\Boldhf32.exe
        
        C:\Windows\system32\Boldhf32.exe
        170⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\Bajqda32.exe
        
        C:\Windows\system32\Bajqda32.exe
        171⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6376
        
        C:\Windows\SysWOW64\Conanfli.exe
        
        C:\Windows\system32\Conanfli.exe
        172⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6420
        
        C:\Windows\SysWOW64\Cponen32.exe
        
        C:\Windows\system32\Cponen32.exe
        173⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        174⤵
        Modifies registry class
        
        PID:6508
        
        C:\Windows\SysWOW64\Cncnob32.exe
        
        C:\Windows\system32\Cncnob32.exe
        175⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\Cpbjkn32.exe
        
        C:\Windows\system32\Cpbjkn32.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6600
        
        C:\Windows\SysWOW64\Chiblk32.exe
        
        C:\Windows\system32\Chiblk32.exe
        177⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\Ckgohf32.exe
        
        C:\Windows\system32\Ckgohf32.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6688
        
        C:\Windows\SysWOW64\Cocjiehd.exe
        
        C:\Windows\system32\Cocjiehd.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6728
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        180⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6796
        
        C:\Windows\SysWOW64\Cpdgqmnb.exe
        
        C:\Windows\system32\Cpdgqmnb.exe
        181⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\Coegoe32.exe
        
        C:\Windows\system32\Coegoe32.exe
        182⤵
        System Location Discovery: System Language Discovery
        
        PID:6896
        
        C:\Windows\SysWOW64\Cacckp32.exe
        
        C:\Windows\system32\Cacckp32.exe
        183⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\Chnlgjlb.exe
        
        C:\Windows\system32\Chnlgjlb.exe
        184⤵
        Drops file in System32 directory
        
        PID:6988
        
        C:\Windows\SysWOW64\Cklhcfle.exe
        
        C:\Windows\system32\Cklhcfle.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7036
        
        C:\Windows\SysWOW64\Dddllkbf.exe
        
        C:\Windows\system32\Dddllkbf.exe
        186⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\Dkndie32.exe
        
        C:\Windows\system32\Dkndie32.exe
        187⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7124
        
        C:\Windows\SysWOW64\Dgeenfog.exe
        
        C:\Windows\system32\Dgeenfog.exe
        188⤵
        System Location Discovery: System Language Discovery
        
        PID:5508
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        189⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6208 -s 408
        190⤵
        Program crash
        
        PID:6392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6208 -ip 6208
1⤵
PID:6296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aggpfkjj.exe

Filesize
96KB

MD5
8afa63703e477f83610034db13253100

SHA1
3a81e40a847c42b4f279d4d8b3558f88747088d6

SHA256
fafdc81671aa682ddc0928e195bf4ce02be7e23617c64e3dc415e3e97775b011

SHA512
d15f7d30546258eb6110facd97887821aadd96a95ec02949e633315f7b72ae030ec00f2115205fdf1bd845ca4eb262d2799147617083068e26658deab53f19af

Download Submit
C:\Windows\SysWOW64\Aopemh32.exe

Filesize
96KB

MD5
f87a8d4f54bb0bf76e748f3c68fa1eb5

SHA1
41b0b53f7dfb3fb8259ff7e73c15ec6aeb7412ac

SHA256
34b0d6b9f1b27ec3948453d1c3fc1898cf3bc306801c031a94febc6c34b5461a

SHA512
0b52745845e61835683a532ac48b76854ce01a1ab98588dfe46edba2add5caa9cb68db067e01c30b0e6464424d86ba21b078b6e94b4b52b205223e184c19d0b4

Download Submit
C:\Windows\SysWOW64\Bahdob32.exe

Filesize
96KB

MD5
342b858e1e6058edb538b9f063dfc047

SHA1
24c9aa1e64cc5df679b7bef90e20f20aa475a43d

SHA256
aef4e87bd48636d6c2ee4c6174a58774b851afeae831a27ef5ba92d662bf85ed

SHA512
613bb22ba573b6347fe163b06c367aac2efb6507a6187791a7cc41cf06049c0ea0279a80ae738aba8ba54e7accb97916f2e870b4a261e2fecad0df743335c340

Download Submit
C:\Windows\SysWOW64\Bajqda32.exe

Filesize
96KB

MD5
4130fb3e2e5da71362824c790ff15f22

SHA1
c6f9284ffe4d8a6502445f59af50bb7a4aff25dc

SHA256
fb8468943219674358c47a73901c6adb9f77338bf6ef62cd473f579cf979177c

SHA512
837b276ab63b2c35c86e497a0276973015c5c08e13563cde22d77a7c7c87d27e65783fb9f1aa7cb098c1d19838b358909bfef9290496b710da356ccccdb88a95

Download Submit
C:\Windows\SysWOW64\Bkgeainn.exe

Filesize
96KB

MD5
e16351c7c6ac518614ba550a7d80f91f

SHA1
8815bd72477ec60f7f5eaf424ed7890202218427

SHA256
3e06043d71c01e2d9087e90519f87a5add5ccd55c3de46c7d1cc6c964e58c1d6

SHA512
87dc8a9dc9033230e7c6e8106f98023fb3f4bbb52874178e4013834d42147ffd2ab1c4061ae14244e06307ad84d0060b348dfebc1c739e5835563cb93a755fde

Download Submit
C:\Windows\SysWOW64\Caageq32.exe

Filesize
96KB

MD5
81e95230f7bf185a4f3ec8908b3db5cc

SHA1
86e97a281d64bda3ee3959f1561138927ec3aa90

SHA256
c1fc0ccb8a0a5acbea6aa995731890703cbc0186c17fe34824d79a27fabe17de

SHA512
e7418f62364fff34980edca5ba9718d6b3af6e2931ec60d412241296264c88868fe38b9851261cb3f94ec0e63428b9c96fcf14953104cc8d3b337aebe8e846a3

Download Submit
C:\Windows\SysWOW64\Cpbjkn32.exe

Filesize
96KB

MD5
f9e8d707f90907af896281de1ce760f8

SHA1
e1f41fe347ba48b2c51c790c0a1c14503d906606

SHA256
1856a9ab886bed1e1b0916b0f854817c6b5fa3c9559bf7991ea2322678034377

SHA512
32c784a50c05688fec8f5d6859b769dd6048b35ada12de646f71c21a46f908a6d349258cc1346f223143bee7a02f5f1a74ac6076fbc0ca357d95c23401577d30

Download Submit
C:\Windows\SysWOW64\Cponen32.exe

Filesize
96KB

MD5
5b599f44ef064df98905af327b8bd704

SHA1
31f2be153885a21f8acb48b0621e3b0afe9354a3

SHA256
412a70681702049ba1a7a2cd3d77e7aae199048bba04c9152a89d055ac638e14

SHA512
4b233f4e092414ae732fb537bc52638580f9dff2f207db9a46bfa50536ff67c0125a493b750fe47f3d7144d1c8812f67985115d05a8fb6f3c99f83b8efa736c8

Download Submit
C:\Windows\SysWOW64\Dbbffdlq.exe

Filesize
96KB

MD5
953e683bc4200a286ec460a3a29b6152

SHA1
667e3f4a9da02162440609c77ce49358dc45167b

SHA256
4e842a424fd9f0abb77085d66a49dea96c9226011ca7b80eac41b58d236b3368

SHA512
1473c976af918d01b1a1400b34383461dee497c65c68e9865d3af19e94170df51216729464c4eb574fbad229b36c52b68a78f12e8370241cb05cea6aaab1dae5

Download Submit
C:\Windows\SysWOW64\Dddllkbf.exe

Filesize
96KB

MD5
f7786bd98d6720c816eb56334f692d0d

SHA1
ef5f03080b7dee54b2ae6e1f49fb067bc8155628

SHA256
87c996659e18b207088b2e4d77814c352901ea5e248528da68755353e01581b2

SHA512
a475b24d676395b2f18074d82b9a2a12c24d9b6031a55c4a8576ef3b25de1f6e739e5eedd8a5215983f1767b00baf3e6a16f7330c58ffa950e5782303c2b4ee1

Download Submit
C:\Windows\SysWOW64\Dkqaoe32.exe

Filesize
96KB

MD5
1b7e4425fa07c11ff3ee25ddb284c8d4

SHA1
b4d81976d3e8b31fd70c0de36e946df2dad37209

SHA256
dfd8496567c18a03744bad304f57de2fdf2a3d75b501dc5f8de0caec1f5ae960

SHA512
becb172a4495fbe03263229879eab90b4283505c504993738b446006ddd554a2a86dcb90d898547631a7df1c2d27271e00867328876925bf0aa80617f9e189db

Download Submit
C:\Windows\SysWOW64\Ebdcld32.exe

Filesize
96KB

MD5
1e5c34f1d3a875ed62cb402f86ef8ed8

SHA1
be1efcf8268a05965c9048d8d0749108656e1981

SHA256
5dd37287aab69453f648b90240e95bd62eedcf2ccfae4acde4e8ee5678543752

SHA512
37aa04a573bb01cb54dd803078858ba172a64ff8df3b7dced7a0839b6efa726612f4a47388686b4043b6dd7ba9330f96ef97f4ecc9bf81c70b1aecc74b8ca260

Download Submit
C:\Windows\SysWOW64\Eejeiocj.exe

Filesize
96KB

MD5
ea5ed7376b506dfa931297e0f945177a

SHA1
7a9461fcf73403bab6e8b03dd5f4acae2e5be750

SHA256
151b45582d3269d62137ea63362fd6e5cae4d7eeefe1ba75671a6c39856934b1

SHA512
aeee3c3170d07fb6fae641382f9c11298ada6476598b27dfaf5a08ab2688ddf3022bc78d408fa5442d354a8a809fa9fb30ffa04caf3bc4561408037a8c2a73cb

Download Submit
C:\Windows\SysWOW64\Eicedn32.exe

Filesize
96KB

MD5
e4d5ca56e3f928c635dee357078c1633

SHA1
d174d106a197fa3a41096cb7992d96036fbc33ce

SHA256
2b8233c18750a88f0ae77e3eedbf8d00fd45ae3872b47acb8cd12754cc1fcf05

SHA512
d72ed6ad119df78202b371e1970d1fe125c7966b352900eb9e87cda82829c9ff442419eb6c2953f7276726c16af5fa27d2fae8595f46a7066d16ce83dfda5cf2

Download Submit
C:\Windows\SysWOW64\Ekmhejao.exe

Filesize
96KB

MD5
0de421fda088fbc2756a23628dbb659d

SHA1
eb24a1da505261f0ffc6d2b75af77305d477b713

SHA256
1d2b6eadfb0e7fec46c3b98669bfde4556a3fd18dbe52169b14b9ca4a0d9b8b5

SHA512
8f5fbb278baccabeadfdb24c6ce404f2d5e7a588b54c735c37d5c19cef02d8f2ad589c118d1366215a597630a08623d49bc23509a6e710de7fe1e3977bf3ac41

Download Submit
C:\Windows\SysWOW64\Ekodjiol.exe

Filesize
96KB

MD5
6e2dd4f37042f5312565fcd63cef42e2

SHA1
0b4dce64b82d5bd4746d0197d6122bb9801bfd09

SHA256
a8f4ab05e6d7f8962a1b7ba248a99a365ef4983ee37e88a891f525a2f9e4d532

SHA512
de4d71cac68253c0b9bf5bb1ccd786f7f62b58cdfff9f1fb82a3eff99db93c9ec976b9382d63893f91588dad33b07345d93adf0881615a29fcee688965b8794f

Download Submit
C:\Windows\SysWOW64\Emanjldl.exe

Filesize
96KB

MD5
fca70f64737809ce009c455b8b1d4ec3

SHA1
a2df0b79a2ae79fe21b2801b86c5a2717a1a2a19

SHA256
3ca00e27f005cd3dce943d8998b46262a89fac8817bed14e057a7904dd001ce9

SHA512
f849aa4b774325f779d2a1406c9e849449ca30c9f7622ff1752dcd2386afc8def6b394c14dea84e588b16ee9045c3843e6d464dd14b8e2aba5654164976c26e6

Download Submit
C:\Windows\SysWOW64\Emhkdmlg.exe

Filesize
96KB

MD5
c5c5faa9462d0d44cd184a32e69ac873

SHA1
33d24883b34f3c359fff4cbdeb1ac2b13c2126f9

SHA256
6ae7b8030a845ef61cc3796081e95fbe71abb4034b7f0bd0907bb77325276c50

SHA512
698b1fb2116515958d5aa94f7f442b0dda4e904b033f036bf96e19612e423126e5d2046638d9dd5bc5b2b884f6f2939a9141f7048527533fe983cc30cae3b6bc

Download Submit
C:\Windows\SysWOW64\Emmdom32.exe

Filesize
96KB

MD5
ec22928df5e244aacb8ce1f699e1c7bf

SHA1
2f31654804218da4db25eced5ff605af9bf22b22

SHA256
a3e9d86e541651d65ead2ead9fa41434cb5caa9dc7cdd71fd2fc30387c2a1953

SHA512
9d1097653ac97ba422f2e2d9494484b183b6d0ce3123e9b1c38af278d0902b3bfec2125732ffec00d7bdb8c6d876d5dcebb1100da2fa2f6423ee87e28b2a7578

Download Submit
C:\Windows\SysWOW64\Enbjad32.exe

Filesize
96KB

MD5
2c570f213757a456c99ef82e5a15d1df

SHA1
c59d1be1aef34f25688ba06dd5e0b06cdcb65d45

SHA256
15acae1da15d1b237af10a25778d7e567e3840b71f42bef350501f11accadaa8

SHA512
36d38ce7dcacf2d0f8e499b35fb34043ff75e44ae39dc72593ff94974c821d4e1f0ded4f9ff13f4e4161113b45d5dbca07d2e8b731a8c1bb6fc0e75bd26975fe

Download Submit
C:\Windows\SysWOW64\Enkdaepb.exe

Filesize
96KB

MD5
72cfdd86c16ad1b37121681c0e46e37c

SHA1
d4959af846a8d227c27d5e90ef9de9602ed19f0e

SHA256
484a75ebebd47892d81073d6fba899733691f90600c601b606a0cfbde4febe4a

SHA512
bc966bf1a9e11c5cd5fa58de3ac300119c97c31bf9aaf9686843be2b03962b83bc7aba057b9c3346cbc02f40686c827aa074d8b9a38578e16bc771939d2bd324

Download Submit
C:\Windows\SysWOW64\Ennqfenp.exe

Filesize
96KB

MD5
ff58485cacb23ec297837c287cf60e3c

SHA1
5f5265db07b2c1bfaa65182d6e62391392976646

SHA256
b41d5e96fabafafb6abd925406d115b6f5c3a2c89fbc862134032ed0e99ef108

SHA512
21d084b2cec339381844ca0b6eb152732e17719b9d40199d9b384e7a6fa05a56c0d0721211e18fe07bf7f4a32944457338b8e767e2a4cd164e5475adf91a21a1

Download Submit
C:\Windows\SysWOW64\Eofgpikj.exe

Filesize
96KB

MD5
10992123f3caecc543a093a6cc61bc05

SHA1
6ff7ee21432a471fb6d32d068510e71b023987ba

SHA256
d844cb7e232e12a95bec98a29e65d51d4d3004227a4858c226ac868660c49206

SHA512
3cce29e01b37b457e65caed88679e5ab5b18150bdc3061ebb375cfd955d9401c401070a8ed89e3686628a8b09cae1ec7287673b31794764677cbdf550d414d4b

Download Submit
C:\Windows\SysWOW64\Epmmqheb.exe

Filesize
96KB

MD5
25754f019df168676364fe05c77fb966

SHA1
894f8dc1edd74f4ff5919481d540fcb789e85948

SHA256
789165196c2639a74c726eb14dff24aa712a42dd9c2b3ba66b8af84d1a8cca51

SHA512
cb1412e7f5bcaaba226b419522c3d351e3885af1403c27623a2027c29ade5083499fd29ebcb18164ef0866802a8a3cd82c9f85f09cdb0a48176e41367b44a87e

Download Submit
C:\Windows\SysWOW64\Fbelcblk.exe

Filesize
96KB

MD5
a53d9f1c88712ddc1e8adfbbe7464dc1

SHA1
c8b53526d6b1810fe10f7f149a5758413392a800

SHA256
46d067a80181ad50afbf365142a2918a96dea4c90a53d5d45c218cf3135ba44b

SHA512
13fdc62cc79afb6976967b057a8e54b7a18229870d1aef555b5615ce8647cd98c4f95152696425b46dddab325bb9f350c56d5beca173c64565f5ad39a548eadf

Download Submit
C:\Windows\SysWOW64\Fefedmil.exe

Filesize
96KB

MD5
65cf77a93a75ec6ae08324a68de29336

SHA1
6894e55a009d786c47a5489db2c4910b58560e82

SHA256
3ca30f30e1f78ceddfee0d51852149279e9f2548ea37a081612cc1bab423a668

SHA512
5abca2fa0156aa751b043c9db2a4e54127e38cd3abb94276405aabfca2b15e9ad532c40c9ba7399394e165a5168524ee43ad4041a079d26ae2f0ffd498e8d5e8

Download Submit
C:\Windows\SysWOW64\Ffceip32.exe

Filesize
96KB

MD5
1863b091a6d09cfa9ecb54bcdec55cfa

SHA1
91cb7d55a7b7a76ef4546301633abb954b6106c2

SHA256
fe682f5cf38444e7245e854c47781ae275466a0bd012ee3a5ae0f8a642d68499

SHA512
bfad34d528a9e497e0c1ed265c57a9525da4eaf31f586d31f33b8ba156b9f3fc2b37beda11b9334659def6164f9bdd01d6f8e0c24741fa47a2bf8c198254d69c

Download Submit
C:\Windows\SysWOW64\Ffnknafg.exe

Filesize
96KB

MD5
75120161b8314ab0ea8be40c22356273

SHA1
a32518f63dbca4ca6fb10c02671a422632becefa

SHA256
1f5f966b5a80147d26387549eab3e9e1cdf5404ee6d8982dd6608e8ca75129a5

SHA512
3e4fb581ed41e3403d4b2e6b481ffcb708459f8883c9305ca63f93f24625f9ef8a2cee427d2f791c6f6ae9d2bc334b0f127fa8814267b179103a6be4ef82462d

Download Submit
C:\Windows\SysWOW64\Fihnomjp.exe

Filesize
96KB

MD5
80818613a9af6955243f41a95ad69cb6

SHA1
f90e0396d7a76547af415caf37788f7a48408789

SHA256
4dd10d15943a23888f34a8352bb5ab1053406d56135e73ab992ab88ab6105af4

SHA512
fc8a58f1f5dc0125f167f57e5bb6693ea485b412b65c06d2a0e66f40245e6941687eec1c92876892f8aac665652d645cc8e030f46280140d9496d3ba95be6927

Download Submit
C:\Windows\SysWOW64\Fijkdmhn.exe

Filesize
96KB

MD5
eaf790cc4a5115995ea46ce835c7872b

SHA1
edd2d1fe814cfef71accc2f01f90b82bb5d3e90f

SHA256
505cc8c755c40c39b27d2e6dd70774bcab0d34c727c558a3e546a668ac495ab6

SHA512
9cbf1b0526e5e1647ca8c8562680c4f7ce7a295f6d1d758f4064e1d0949793909f7e8ad6a33f5322d3e537ff5a27499c31cd0ab54e707d901e7410d48172adc4

Download Submit
C:\Windows\SysWOW64\Fiodpl32.exe

Filesize
96KB

MD5
9e6de7ab12cf36bd476ccb702239df6a

SHA1
c8a6ec92b493fb764f3a8d61cd3bd5e2ead678ac

SHA256
6a2136d3c6fbb0e8b2efe7e19348a5c0d72ffa5019ba27831691be8e647a8326

SHA512
7e2fd0a7c1c8e161b0833410eb5984e3267ae91c4055adf5827e19de7eaa3795eb1febb7fbc6c4a4a018909601dd80d5abbfed00a87ba5494938aaef79116e6e

Download Submit
C:\Windows\SysWOW64\Flkdfh32.exe

Filesize
96KB

MD5
60677165acaeeef4bead126569d44d22

SHA1
e2203d94b6f0be3c522863defbe9fe48aca9028a

SHA256
e5405f9ea9e10babc42f9c40aa3b057438c1c592f55188560403a4c334ba7def

SHA512
86b7173a3f361792570c00ac00c94cd400636e5ef7644c1d19db526051548d44771e0ed8e2a578ac4dc7ce6e03bc6ed3bb04adf155cf8841d9112c5afa9074d9

Download Submit
C:\Windows\SysWOW64\Flmqlg32.exe

Filesize
96KB

MD5
dbdcd78669b495bffb8ae85ceb5a3f65

SHA1
ca3d11959b55946e4996da5a7d2b34c0e8698d88

SHA256
a5b188b45c898d8ed37795a378ea490d40808888dc75dda1bc7878bc8820f6d4

SHA512
f3dfa407bdbbaddbe4ef84314618095f580d13d9849a8b248eebef4050e5400b2962dfadf512bb857041fa4da5ec93b6f881784bcd141970889755ae37bafeac

Download Submit
C:\Windows\SysWOW64\Flpmagqi.exe

Filesize
96KB

MD5
e323df1365fc83308e5e539148ee57f0

SHA1
f157cfe67f851817a58af67cc6992372dfa3612a

SHA256
accef96f9fa41ecee1ddc330488fe653699500e0642202a8dae69954bf5f7069

SHA512
245428c2840c6cbe469f677067e13c1510340061b50b94beca15abd66b50cc8e1befca47a1166074e660141331b7b5beeb10951803d16e309a35a820c8b3a1cf

Download Submit
C:\Windows\SysWOW64\Fneggdhg.exe

Filesize
96KB

MD5
996ee73781b5941ace5e2fffd3272912

SHA1
4473df5c2a0117263976a4ae8cc79a2c37493a5a

SHA256
2ec8b978d1588c69959a0398b65021605beb7a17d8f8002a6d5fc6618c5520af

SHA512
a4c6c4eb2fe7c8e059a4799f442b6930387ec5c60440b25ac1fb22de371f77aaac7d17bfc926552e329f1965e12c14cdd660ee986cea6bf589bb765b93a9bbaa

Download Submit
C:\Windows\SysWOW64\Fpdcag32.exe

Filesize
96KB

MD5
8718077b39423ca91df3ffb377168892

SHA1
e3ed5162fd9649b3c3a96804056376b79e283813

SHA256
f15c714e46d68bcef9c7cac4da63a2b6a02316c0a67bbfa0994b89b2d60bfa04

SHA512
8f2688c043d81a69ee5a3f8ab69c639a2a30170d9468fce69b3b6d3af0670ffccf3bd27bbe707b603f8b0bd3f62b18d3ef22bfa1768b0d949fe35d3f89824049

Download Submit
C:\Windows\SysWOW64\Fpkibf32.exe

Filesize
96KB

MD5
7c3dace086360943d8ecd1bf76ff026c

SHA1
32f98f8aac21765bd229511e2db27a389525df19

SHA256
80a69c23c544e50a7449a4d52b29d1aefe342077adfcaab00c2a32435efaf8f0

SHA512
fd739d1d560e9cc22915ea06c244e0ba6d046fba27a1b05d1a48352161a591a20e1d1d549d3e5c812ebde9e5953691d669fb7929974795ba04b31415bddde002

Download Submit
C:\Windows\SysWOW64\Gemkelcd.exe

Filesize
96KB

MD5
81e10eb01fa986dc96d76b32c908c5b9

SHA1
4009b4829ccaf7c5d642b4dcad6dca4a330d566e

SHA256
211ea7be67a835328469f3e1ebcd5825d2686644266e9a6b63ad993d89018d7a

SHA512
d2b4a88c7a3e24184e3bceb5a7041a94e76a2f296819f9be4ce10a2d595f19f2269c114687fa4b51ccd20c16c4e1e375530c24c5abe2eab05c937cde86c9b40f

Download Submit
C:\Windows\SysWOW64\Gfeaopqo.exe

Filesize
96KB

MD5
4838535ae1cd24d1d459f8d1f7b4ae14

SHA1
ee81ead2c5f6571224f2d97ae1820b93bec6733b

SHA256
8e14fb7bb996c9fd26a6a15c3e89f004c3dd820fb710cc8f71cc41947a2b1987

SHA512
8cb1a76871666b4f507fc90b2325f21e718b95ebba88370849b858a477769ba143cfbac444604b4560bcf744c37bab88a8b7a5c769d761c311b87200810f94bf

Download Submit
C:\Windows\SysWOW64\Gfhndpol.exe

Filesize
96KB

MD5
66f7a4d56c07e6cdc186588e7d0afa11

SHA1
3030eeef1cb821a5eeaa91d26517e9d8e2a785f1

SHA256
a887680426dbef480806822f2a54729e71acd88944dedca92da4819336d92641

SHA512
002cfcc2b6c8d0a2d5c5e7fa2cbc92914c40ade76c9d28b5b1856d876d0d3083f790ce8fd4b058c9f4755e3370c290da293992fa96f0eb78f98a436dc82c3393

Download Submit
C:\Windows\SysWOW64\Gmafajfi.exe

Filesize
96KB

MD5
8b0fbdb24309554813f0a0a41cb2a89f

SHA1
05bab8b04d0883c862142e8757456f7faa1af5e4

SHA256
321b76e8c242abb2d929b1e9f7bce50133d7d4f48d540febb689179a89f3c775

SHA512
c999bbb81fa477361f0d248c4b93608abacc5a2732a69dd5d5e605eeef3b6ee055eda8e878ccefd69a982cc93c84fe41dacf00bb125798687f6690c2ff8e5b0b

Download Submit
C:\Windows\SysWOW64\Gncchb32.exe

Filesize
96KB

MD5
0b445a1823c4164c7d7a26035f8809f0

SHA1
8bc59e699082c122b5875fa6b6b438f7877533ef

SHA256
9caaa043fbb21a538e13964ec06c1ad5f54076f5fa543a3d12b35ec73ef79356

SHA512
e77a35e0ac3aa32225b008bcd1a5d3acbcc16c61a6a32770b6415df7f6f6d50bc85c8274aac4abd80c478c1cb39400f8cb3b4b40d176b36422d1b7b331297a2e

Download Submit
C:\Windows\SysWOW64\Gnqfcbnj.exe

Filesize
96KB

MD5
506ce531717aaedaabc3b35e1a694981

SHA1
163bcd22c114e593d6079683daf62b10d7e3d5e6

SHA256
d0f0d9eca8b56e05e1897a34c3be5fd03f6f4a2ecb5e86fd8bb1285001aa8794

SHA512
837ffdd6a14cbee492f899fffeaf797b498b698cf99430b7db53b8fcd0a3abbe3241ddcdbc2e441e7c78abc98336028e16f5426b94fa31e518d631cdacde971b

Download Submit
C:\Windows\SysWOW64\Hidgai32.exe

Filesize
96KB

MD5
410f947b4efca213286aa41c1eda2413

SHA1
8e31cc8ab2fe436d46a60342b3326a4b008434b6

SHA256
d9fb5e93012bec91aae96584faf5f7826d9900e13cca326bcfed2eaba409eecd

SHA512
903f29257b9d2d2d2182d48a38fe14809b890e4cf90ee5cebe8363bc7996774ba252e5183600e9ab6ce32e4d1ae6744457704586699b24da0bdf78440ab34109

Download Submit
C:\Windows\SysWOW64\Ilnbicff.exe

Filesize
96KB

MD5
9b9625de61b4fa023dd2f9688a274521

SHA1
39671471a4989b1267000d2d68d88c5414fd684c

SHA256
383802ef78a3635af3c8bef876f96abf98168a0ff64219d63c287901ef60015a

SHA512
a6fd4a52c89fe78b14a4c393ea9e453fd6d1f2c02c7f291b75a5d9ceb7438446df7a0c485b80bf93f284b43b05bdf2117b758a693d350925c3f54f29768bfcf4

Download Submit
C:\Windows\SysWOW64\Ipgbdbqb.exe

Filesize
96KB

MD5
26463a9221a6bc20f08c529a15b8feb9

SHA1
bc5dc6dc5e268ff730b184b1e2f6f784f1e3fabf

SHA256
98ef7b4091ae42a10d28333759ab379e1365a1145ce7d7b40d93dbd37a8ba8a0

SHA512
90aa50327e1a9123ff4e3ac4f52b7a86bbc236417b19d474dc79d2267ab6210751d0ac158df393e806c4716d6c479fcff835aaac22cd61f087f2fd846095cd1e

Download Submit
C:\Windows\SysWOW64\Jokkgl32.exe

Filesize
96KB

MD5
f8a92337f7e414e44f07407c8763dd66

SHA1
cffdb9e13549632ea353cb75dfe816620d59abe8

SHA256
58dc42086d887fe6fc9ed25bb912dbed9e69d917c2a7e76b861925b69c6e14d9

SHA512
73c0c2fd7710703b823fe35ccf156f4f4eed90540ff83790ba242ef8e127c0bde12c8eaf5a88881d0d78e0baf2dc4446665438d394b8ffca6b65e49485130e28

Download Submit
C:\Windows\SysWOW64\Kgflcifg.exe

Filesize
96KB

MD5
be6db69c52827e8a25f39c38a0848e9a

SHA1
36b3c8514091a871a1fc022bd205d4a42cf22c4d

SHA256
2aec1f4c109324ab8a36145c5269d11e11079ab03ca2c1a74f7dca092a9f1f6f

SHA512
c1e7d7b4430a8b9576d446589ce2eaa314a367b66cc8ae01689ab060a67515af871e0023d78e25e22244f8d0eec4b0ca0583d0bea4e159b2b42dcd6c0d541ccf

Download Submit
C:\Windows\SysWOW64\Kjjbjd32.exe

Filesize
96KB

MD5
cc4a63f042ec79555680c5a3622c8e52

SHA1
6cc41386ace094917daab127cef2f9f3f294b475

SHA256
d1f9707715c3217e1f8b9ceca8ba7a294df1aba3b7f96720b819078f3a65d2bc

SHA512
4474e433ce6214ecf338a1dbf2538c7134bf41ab1355348c6e095e2b1bfcd0b5f6b7cb08c10679e5d0caae0682125e1383a65e42eed9fced06c4db46c5713286

Download Submit
C:\Windows\SysWOW64\Koaagkcb.exe

Filesize
96KB

MD5
b41a54d1de3a81e9cf780de97bf86de4

SHA1
cb5082e5bce7a85dafe1cc769389ad3d7e074f24

SHA256
e6f45064cdc3cd8cb07062bfc32732d65fa8d0ebb7d939796200febd122fd591

SHA512
eda7b0371b0797bf59a0ab310ead49fc280c88ff3c1be11cf798471d1f25613bde96a913e83415e651aa95803cc400b218508925a4abbea585b70b185298aff5

Download Submit
C:\Windows\SysWOW64\Lncjlq32.exe

Filesize
96KB

MD5
3709d3ae5accb3bc45bdf305bbb561c7

SHA1
619351c71f00fea5d4d3a847788f6d13117bd23d

SHA256
462098b48477a25a025882d20ae80ff43b8a0be20c47b981f6136a9d608674dd

SHA512
13719c943ab33fe6d047040e7a6fb8b94edde7a1726a1f5a9b9d0e3b82d54653d77ba4d465b1e06eaf6c40591228a5e9006bc0e2611abfd0ad80fb69933ecb0b

Download Submit
C:\Windows\SysWOW64\Mnmmboed.exe

Filesize
96KB

MD5
25073dbaab72348caad41823384505b0

SHA1
ad406ed08102636e4d9101f10804cac982dc2b6b

SHA256
542cea4894f9b69fa22a856597bbd62468a9a6dcbcad3623199bf5d4bfac8113

SHA512
2a4f7bd7b8ce9c19b0acd163c6cdb0b20039e8d17011e3782f96051b88c45c8592abf85d52220a5682f70d3db94564b73c1ad3a208f4132c9346f15a03c842c2

Download Submit
C:\Windows\SysWOW64\Ncnofeof.exe

Filesize
96KB

MD5
6a91132702255d171cd21941e7cfe6ff

SHA1
702dc52a26ab71cb0cf9305ee33f48d3596fa408

SHA256
5c2fc56f5101b44fe2765f799a3a1076eefda88bb3808ae415c26839687f4616

SHA512
039593619557ce5633d1e804f5886f70050016fc8e357aec9142a8b5b7c7f491fea97a63532f7d35d45876d6714d444bc24fd94b736edca6331e8b3b6d390890

Download Submit
C:\Windows\SysWOW64\Nnhmnn32.exe

Filesize
96KB

MD5
f5e366432e237fc41c1eec643e4afad5

SHA1
166fdd1aef9d0d5fa0be3dcf4999827e725cf3d5

SHA256
519d9ccc413b4bfb2b43f19f56622310bd88faff3c4c581bd5def2b18c799266

SHA512
5d9f694fdec6ac61fb2bdbc38e815f3db6536940ea6966b5b0ee435c3113882e929579778a37171aa3136433341e5cb12a59553091354d7afe013adf89052ada

Download Submit
C:\Windows\SysWOW64\Pffgom32.exe

Filesize
96KB

MD5
7b1b98ded7889550ac50762084ec9191

SHA1
a1534df4a083726ce49ecfb0057e0230b2599260

SHA256
f29c000057c7b6ab0f0df5821bf015964d69aef76cd9adf9ac947b3afd3954e9

SHA512
a6947f72724ebe79b94b11245bd911bb005853882a3ca3856b5bbc51560a8478997b7197a25ba0913c26412a208a061803d324774cb0a2eac8103d89c61cfdae

Download Submit
C:\Windows\SysWOW64\Pfiddm32.exe

Filesize
96KB

MD5
d04c8c11344b34b0853ccfd18d59cd50

SHA1
1d4fe9c4abd04f9090ea729635c7c16278f23d50

SHA256
649cd5ccbd2780087b0908713be097002294871426634a76d30d1963753d4313

SHA512
a0ecfe582505e31e5bafba2319a1d729dce695eb67156567734f045f82835d134fdcb52db00b83fc3b9236182065dda00db84a6356294b87caecc894d1679ad6

Download Submit
C:\Windows\SysWOW64\Qjfmkk32.exe

Filesize
96KB

MD5
b76c6bf742f7bd4a3cea1f14f691137a

SHA1
550b8038ce7c3d1bfa43dd006b8cbd8597ef21fc

SHA256
ea49ae4d4a90832c1bab7b66ce4476c01455b7547947da712eab249abae8040b

SHA512
defd8ae2b4831abbe967020056fc2e4b4a850c069622f5a35efa05b007fd8fcc7c3129f13e529960667746fd908b7b64cbd029f0a125d4205eb8e978f6202112

Download Submit
memory/224-181-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/336-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/416-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/436-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/524-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/764-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/916-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1012-205-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1104-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1124-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1128-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1128-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1212-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1320-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1472-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1508-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1556-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1556-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1572-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1596-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1656-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1684-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1856-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2004-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2008-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2008-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2152-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2172-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2180-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2216-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2220-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2240-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2276-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2348-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2424-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2452-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2456-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2488-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2528-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2540-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2576-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2700-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2788-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2812-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2852-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2864-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2880-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2916-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3032-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3068-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3068-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3080-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3088-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3208-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3240-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3312-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3512-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3556-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3560-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3564-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3576-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3580-197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3596-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3604-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3820-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3920-214-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3952-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3960-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4004-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4056-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4056-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4104-519-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4112-435-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4136-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4220-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4400-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4464-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4528-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4612-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4636-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4644-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4644-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4796-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4816-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4872-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4904-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5000-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5016-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5016-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5016-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/5028-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5056-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5060-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5112-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6004-1380-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6552-1341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads