berbew | dad5cffef1509ac58d9434539fadb17a95695d6c04f90662e2295653bff6402c

Analysis

max time kernel
120s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20250207-en
resource tags

arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
submitted
15-02-2025 23:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dad5cffef1509ac58d9434539fadb17a95695d6c04f90662e2295653bff6402cN.exe
Size

96KB
MD5

dfe2fc2c7f6499532d396d291e886240
SHA1

0fdce372a7455205cd5e13704191dab7314cee0b
SHA256

dad5cffef1509ac58d9434539fadb17a95695d6c04f90662e2295653bff6402c
SHA512

1dec30e4b28a6cdaf7497e59f04daaffad339ea1d900bec9f6125c7297e9fa9acb7359700a46fd275e620c3871daef92ef81192cb6dd47b260a8a6c7b0dcdbfe
SSDEEP

1536:V/ETopopx291xLVEXKtsyQYP2LgB7RZObZUUWaegPYAS:V/P91xJE6tsypUOClUUWaef

Score

10^/10

berbew bruteratel backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jeaikh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kepelfam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipkhdeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liddbc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lebkhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odkjng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jioaqfcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kimnbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbhoqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lboeaifi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jianff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jehokgge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlkagbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmbmibhb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlcifmbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imfdff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcbihpel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbjcolha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmpgldhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpjcdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jeaikh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlpkba32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfjhkjle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmncnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgddhf32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
backdoor bruteratel
Bruteratel family
bruteratel

Detect BruteRatel badger 1 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023d21-223.dat	family_bruteratel

Downloads MZ/PE file 1 IoCs

flow	pid	Process
46	6048	Process not Found

Executes dropped EXE 64 IoCs

pid	Process
2368	Ifllil32.exe
3196	Imfdff32.exe
1856	Icplcpgo.exe
1784	Ibcmom32.exe
4796	Jeaikh32.exe
1304	Jlkagbej.exe
2060	Jcbihpel.exe
2496	Jfaedkdp.exe
4216	Jioaqfcc.exe
4668	Jpijnqkp.exe
2516	Jfcbjk32.exe
944	Jianff32.exe
4396	Jlpkba32.exe
440	Jbjcolha.exe
2256	Jehokgge.exe
4504	Jmpgldhg.exe
3976	Jcioiood.exe
4440	Jfhlejnh.exe
2036	Jmbdbd32.exe
4524	Jpppnp32.exe
348	Kfjhkjle.exe
920	Kmdqgd32.exe
3504	Kdnidn32.exe
4884	Kepelfam.exe
3792	Kmfmmcbo.exe
2384	Kdqejn32.exe
3932	Kfoafi32.exe
3244	Kimnbd32.exe
1368	Kpgfooop.exe
3288	Kbfbkj32.exe
2624	Kipkhdeq.exe
3596	Kpjcdn32.exe
5048	Kbhoqj32.exe
2408	Kibgmdcn.exe
4020	Kmncnb32.exe
3140	Kplpjn32.exe
2980	Lbjlfi32.exe
3856	Liddbc32.exe
4500	Ldjhpl32.exe
1668	Lmbmibhb.exe
2220	Lpqiemge.exe
2868	Lboeaifi.exe
2480	Liimncmf.exe
2996	Llgjjnlj.exe
4224	Ldoaklml.exe
3588	Lbabgh32.exe
3268	Lmgfda32.exe
4672	Lpebpm32.exe
1996	Lbdolh32.exe
3728	Lebkhc32.exe
1988	Lingibiq.exe
3084	Lphoelqn.exe
5004	Mdckfk32.exe
2252	Mipcob32.exe
4252	Mmlpoqpg.exe
2564	Mpjlklok.exe
4136	Mchhggno.exe
5020	Mgddhf32.exe
4912	Mibpda32.exe
1756	Mplhql32.exe
3968	Mgfqmfde.exe
4064	Mlcifmbl.exe
4092	Migjoaaf.exe
4604	Mdmnlj32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Danecp32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Jmbdbd32.exe	Jfhlejnh.exe
File created	C:\Windows\SysWOW64\Qffbbldm.exe	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Mglncdoj.dll	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Ibcmom32.exe	Icplcpgo.exe
File created	C:\Windows\SysWOW64\Jjhijoaa.dll	Lbabgh32.exe
File opened for modification	C:\Windows\SysWOW64\Lbdolh32.exe	Lpebpm32.exe
File created	C:\Windows\SysWOW64\Mpjlklok.exe	Mmlpoqpg.exe
File created	C:\Windows\SysWOW64\Aadifclh.exe	Anfmjhmd.exe
File opened for modification	C:\Windows\SysWOW64\Ldjhpl32.exe	Liddbc32.exe
File opened for modification	C:\Windows\SysWOW64\Nepgjaeg.exe	Ndokbi32.exe
File created	C:\Windows\SysWOW64\Ndcdmikd.exe	Nlmllkja.exe
File opened for modification	C:\Windows\SysWOW64\Ndcdmikd.exe	Nlmllkja.exe
File created	C:\Windows\SysWOW64\Fjbnapki.dll	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Nffbangm.dll	Jbjcolha.exe
File opened for modification	C:\Windows\SysWOW64\Jpppnp32.exe	Jmbdbd32.exe
File created	C:\Windows\SysWOW64\Njnpppkn.exe	Ndaggimg.exe
File created	C:\Windows\SysWOW64\Ndfqbhia.exe	Nnlhfn32.exe
File opened for modification	C:\Windows\SysWOW64\Qjoankoi.exe	Qgqeappe.exe
File opened for modification	C:\Windows\SysWOW64\Aqncedbp.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Jpppnp32.exe	Jmbdbd32.exe
File created	C:\Windows\SysWOW64\Gjeieojj.dll	Lbdolh32.exe
File created	C:\Windows\SysWOW64\Pjcbbmif.exe	Pgefeajb.exe
File opened for modification	C:\Windows\SysWOW64\Amddjegd.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Ghkmacoj.dll	Jehokgge.exe
File created	C:\Windows\SysWOW64\Qgqeappe.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Liimncmf.exe	Lboeaifi.exe
File created	C:\Windows\SysWOW64\Nljofl32.exe	Nepgjaeg.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Jcbihpel.exe	Jlkagbej.exe
File created	C:\Windows\SysWOW64\Kdnidn32.exe	Kmdqgd32.exe
File created	C:\Windows\SysWOW64\Eikdngcl.dll	Kepelfam.exe
File opened for modification	C:\Windows\SysWOW64\Mgddhf32.exe	Mchhggno.exe
File opened for modification	C:\Windows\SysWOW64\Oqfdnhfk.exe	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Mbpfgbfp.dll	Anadoi32.exe
File created	C:\Windows\SysWOW64\Lingibiq.exe	Lebkhc32.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Jfaedkdp.exe	Jcbihpel.exe
File created	C:\Windows\SysWOW64\Mjddiqoc.dll	Jfcbjk32.exe
File created	C:\Windows\SysWOW64\Jfnbea32.dll	Kpgfooop.exe
File created	C:\Windows\SysWOW64\Lboeaifi.exe	Lpqiemge.exe
File created	C:\Windows\SysWOW64\Mchhggno.exe	Mpjlklok.exe
File created	C:\Windows\SysWOW64\Acnlgp32.exe	Amddjegd.exe
File opened for modification	C:\Windows\SysWOW64\Acnlgp32.exe	Amddjegd.exe
File opened for modification	C:\Windows\SysWOW64\Kimnbd32.exe	Kfoafi32.exe
File created	C:\Windows\SysWOW64\Jlineehd.dll	Liddbc32.exe
File created	C:\Windows\SysWOW64\Ampkof32.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Jfhlejnh.exe	Jcioiood.exe
File created	C:\Windows\SysWOW64\Liddbc32.exe	Lbjlfi32.exe
File created	C:\Windows\SysWOW64\Oaeokj32.dll	Lpqiemge.exe
File created	C:\Windows\SysWOW64\Ahioknai.dll	Ndaggimg.exe
File created	C:\Windows\SysWOW64\Pmoahijl.exe	Ofeilobp.exe
File created	C:\Windows\SysWOW64\Pqbdjfln.exe	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Feibedlp.dll	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Beihma32.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cjkjpgfi.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6300	7140	WerFault.exe	279

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbdolh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhbal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jehokgge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lboeaifi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgagbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckndeni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfoafi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpebpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfaedkdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjlfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdckfk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Migjoaaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcbihpel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbjcolha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpgfooop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpjcdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mipcob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kplpjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndaggimg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmlpoqpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnlhfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Imfdff32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlkagbej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlpkba32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kibgmdcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liddbc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbabgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
6288	MicrosoftEdgeUpdate.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidlk32.dll"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	dad5cffef1509ac58d9434539fadb17a95695d6c04f90662e2295653bff6402cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogifjcdp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kimnbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Allebf32.dll"	Ldjhpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjhijoaa.dll"	Lbabgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hflheb32.dll"	Llgjjnlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bagcnd32.dll"	Mgagbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfcbjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lafdhogo.dll"	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beapme32.dll"	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglncdoj.dll"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmncnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aomaga32.dll"	Lmgfda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hppdbdbc.dll"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbnaa32.dll"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbjcolha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbagnedl.dll"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djnkap32.dll"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmfmmcbo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgfqmfde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjeieojj.dll"	Lbdolh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibcmom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jcbihpel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldjhpl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lebkhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imfdff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlkhie32.dll"	Icplcpgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lbjlfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jcioiood.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpjcdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmgfda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mibpda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mplhql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogifjcdp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jlkagbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingapb32.dll"	Jmpgldhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfjhkjle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jocbigff.dll"	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2724 wrote to memory of 2368	2724	dad5cffef1509ac58d9434539fadb17a95695d6c04f90662e2295653bff6402cN.exe	87
PID 2724 wrote to memory of 2368	2724	dad5cffef1509ac58d9434539fadb17a95695d6c04f90662e2295653bff6402cN.exe	87
PID 2724 wrote to memory of 2368	2724	dad5cffef1509ac58d9434539fadb17a95695d6c04f90662e2295653bff6402cN.exe	87
PID 2368 wrote to memory of 3196	2368	Ifllil32.exe	88
PID 2368 wrote to memory of 3196	2368	Ifllil32.exe	88
PID 2368 wrote to memory of 3196	2368	Ifllil32.exe	88
PID 3196 wrote to memory of 1856	3196	Imfdff32.exe	89
PID 3196 wrote to memory of 1856	3196	Imfdff32.exe	89
PID 3196 wrote to memory of 1856	3196	Imfdff32.exe	89
PID 1856 wrote to memory of 1784	1856	Icplcpgo.exe	90
PID 1856 wrote to memory of 1784	1856	Icplcpgo.exe	90
PID 1856 wrote to memory of 1784	1856	Icplcpgo.exe	90
PID 1784 wrote to memory of 4796	1784	Ibcmom32.exe	91
PID 1784 wrote to memory of 4796	1784	Ibcmom32.exe	91
PID 1784 wrote to memory of 4796	1784	Ibcmom32.exe	91
PID 4796 wrote to memory of 1304	4796	Jeaikh32.exe	92
PID 4796 wrote to memory of 1304	4796	Jeaikh32.exe	92
PID 4796 wrote to memory of 1304	4796	Jeaikh32.exe	92
PID 1304 wrote to memory of 2060	1304	Jlkagbej.exe	93
PID 1304 wrote to memory of 2060	1304	Jlkagbej.exe	93
PID 1304 wrote to memory of 2060	1304	Jlkagbej.exe	93
PID 2060 wrote to memory of 2496	2060	Jcbihpel.exe	94
PID 2060 wrote to memory of 2496	2060	Jcbihpel.exe	94
PID 2060 wrote to memory of 2496	2060	Jcbihpel.exe	94
PID 2496 wrote to memory of 4216	2496	Jfaedkdp.exe	95
PID 2496 wrote to memory of 4216	2496	Jfaedkdp.exe	95
PID 2496 wrote to memory of 4216	2496	Jfaedkdp.exe	95
PID 4216 wrote to memory of 4668	4216	Jioaqfcc.exe	96
PID 4216 wrote to memory of 4668	4216	Jioaqfcc.exe	96
PID 4216 wrote to memory of 4668	4216	Jioaqfcc.exe	96
PID 4668 wrote to memory of 2516	4668	Jpijnqkp.exe	97
PID 4668 wrote to memory of 2516	4668	Jpijnqkp.exe	97
PID 4668 wrote to memory of 2516	4668	Jpijnqkp.exe	97
PID 2516 wrote to memory of 944	2516	Jfcbjk32.exe	98
PID 2516 wrote to memory of 944	2516	Jfcbjk32.exe	98
PID 2516 wrote to memory of 944	2516	Jfcbjk32.exe	98
PID 944 wrote to memory of 4396	944	Jianff32.exe	99
PID 944 wrote to memory of 4396	944	Jianff32.exe	99
PID 944 wrote to memory of 4396	944	Jianff32.exe	99
PID 4396 wrote to memory of 440	4396	Jlpkba32.exe	100
PID 4396 wrote to memory of 440	4396	Jlpkba32.exe	100
PID 4396 wrote to memory of 440	4396	Jlpkba32.exe	100
PID 440 wrote to memory of 2256	440	Jbjcolha.exe	101
PID 440 wrote to memory of 2256	440	Jbjcolha.exe	101
PID 440 wrote to memory of 2256	440	Jbjcolha.exe	101
PID 2256 wrote to memory of 4504	2256	Jehokgge.exe	102
PID 2256 wrote to memory of 4504	2256	Jehokgge.exe	102
PID 2256 wrote to memory of 4504	2256	Jehokgge.exe	102
PID 4504 wrote to memory of 3976	4504	Jmpgldhg.exe	103
PID 4504 wrote to memory of 3976	4504	Jmpgldhg.exe	103
PID 4504 wrote to memory of 3976	4504	Jmpgldhg.exe	103
PID 3976 wrote to memory of 4440	3976	Jcioiood.exe	104
PID 3976 wrote to memory of 4440	3976	Jcioiood.exe	104
PID 3976 wrote to memory of 4440	3976	Jcioiood.exe	104
PID 4440 wrote to memory of 2036	4440	Jfhlejnh.exe	105
PID 4440 wrote to memory of 2036	4440	Jfhlejnh.exe	105
PID 4440 wrote to memory of 2036	4440	Jfhlejnh.exe	105
PID 2036 wrote to memory of 4524	2036	Jmbdbd32.exe	107
PID 2036 wrote to memory of 4524	2036	Jmbdbd32.exe	107
PID 2036 wrote to memory of 4524	2036	Jmbdbd32.exe	107
PID 4524 wrote to memory of 348	4524	Jpppnp32.exe	108
PID 4524 wrote to memory of 348	4524	Jpppnp32.exe	108
PID 4524 wrote to memory of 348	4524	Jpppnp32.exe	108
PID 348 wrote to memory of 920	348	Kfjhkjle.exe	110

C:\Users\Admin\AppData\Local\Temp\dad5cffef1509ac58d9434539fadb17a95695d6c04f90662e2295653bff6402cN.exe
"C:\Users\Admin\AppData\Local\Temp\dad5cffef1509ac58d9434539fadb17a95695d6c04f90662e2295653bff6402cN.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Windows\SysWOW64\Ifllil32.exe
  C:\Windows\system32\Ifllil32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\SysWOW64\Imfdff32.exe
    C:\Windows\system32\Imfdff32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3196
  - - C:\Windows\SysWOW64\Icplcpgo.exe
      C:\Windows\system32\Icplcpgo.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1856
    - - C:\Windows\SysWOW64\Ibcmom32.exe
        
        C:\Windows\system32\Ibcmom32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1784
      - C:\Windows\SysWOW64\Jeaikh32.exe
        
        C:\Windows\system32\Jeaikh32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\SysWOW64\Jlkagbej.exe
        
        C:\Windows\system32\Jlkagbej.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1304
        
        C:\Windows\SysWOW64\Jcbihpel.exe
        
        C:\Windows\system32\Jcbihpel.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\SysWOW64\Jfaedkdp.exe
        
        C:\Windows\system32\Jfaedkdp.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\SysWOW64\Jioaqfcc.exe
        
        C:\Windows\system32\Jioaqfcc.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4216
        
        C:\Windows\SysWOW64\Jpijnqkp.exe
        
        C:\Windows\system32\Jpijnqkp.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4668
        
        C:\Windows\SysWOW64\Jfcbjk32.exe
        
        C:\Windows\system32\Jfcbjk32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\SysWOW64\Jianff32.exe
        
        C:\Windows\system32\Jianff32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:944
        
        C:\Windows\SysWOW64\Jlpkba32.exe
        
        C:\Windows\system32\Jlpkba32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4396
        
        C:\Windows\SysWOW64\Jbjcolha.exe
        
        C:\Windows\system32\Jbjcolha.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Windows\SysWOW64\Jehokgge.exe
        
        C:\Windows\system32\Jehokgge.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\SysWOW64\Jmpgldhg.exe
        
        C:\Windows\system32\Jmpgldhg.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Windows\SysWOW64\Jcioiood.exe
        
        C:\Windows\system32\Jcioiood.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3976
        
        C:\Windows\SysWOW64\Jfhlejnh.exe
        
        C:\Windows\system32\Jfhlejnh.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\Jpppnp32.exe
        
        C:\Windows\system32\Jpppnp32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\SysWOW64\Kfjhkjle.exe
        
        C:\Windows\system32\Kfjhkjle.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:348
        
        C:\Windows\SysWOW64\Kmdqgd32.exe
        
        C:\Windows\system32\Kmdqgd32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:920
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        24⤵
        Executes dropped EXE
        
        PID:3504
        
        C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4884
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3792
        
        C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        27⤵
        Executes dropped EXE
        
        PID:2384
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3932
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3244
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1368
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        31⤵
        Executes dropped EXE
        
        PID:3288
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2624
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3596
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5048
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2408
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4020
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3140
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2980
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3856
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1668
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2220
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        44⤵
        Executes dropped EXE
        
        PID:2480
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        46⤵
        Executes dropped EXE
        
        PID:4224
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3588
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3268
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4672
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1996
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3728
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        52⤵
        Executes dropped EXE
        
        PID:1988
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        53⤵
        Executes dropped EXE
        
        PID:3084
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5004
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        55⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3304
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2252
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4252
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2564
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4136
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5020
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3968
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4064
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4092
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        66⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:3840
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:224
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        69⤵
        Drops file in System32 directory
        
        PID:3496
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        70⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2812
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        72⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        73⤵
        Drops file in System32 directory
        
        PID:4388
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3276
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        75⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        77⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4360
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2088
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2372
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1068
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        82⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3464
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        83⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        84⤵
        
        PID:388
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        85⤵
        Modifies registry class
        
        PID:4572
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        86⤵
        Drops file in System32 directory
        
        PID:1256
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3956
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        88⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3716
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        89⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2736
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        91⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        92⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5236
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        94⤵
        Drops file in System32 directory
        
        PID:5280
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5324
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5368
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5408
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5456
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        99⤵
        Modifies registry class
        
        PID:5500
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5544
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        101⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        102⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5632
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5676
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        104⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        105⤵
        Modifies registry class
        
        PID:5764
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:5800
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        107⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:5940
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:5984
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        111⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        112⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6072
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6116
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        115⤵
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        116⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        117⤵
        Drops file in System32 directory
        
        PID:5364
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        118⤵
        Drops file in System32 directory
        
        PID:5420
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:5488
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:5564
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5624
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        122⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:5760
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        124⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5836
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        125⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5908
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        126⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        127⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6040
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        128⤵
        Drops file in System32 directory
        
        PID:6056
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5156
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        130⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:5392
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        132⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5508
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5620
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        134⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        135⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        136⤵
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        137⤵
        System Location Discovery: System Language Discovery
        
        PID:6060
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5132
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        139⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        140⤵
        System Location Discovery: System Language Discovery
        
        PID:5496
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        141⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        142⤵
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        143⤵
        System Location Discovery: System Language Discovery
        
        PID:5992
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6128
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        145⤵
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        146⤵
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5880
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5292
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        149⤵
        System Location Discovery: System Language Discovery
        
        PID:5748
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5200
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5596
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        152⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5476
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        153⤵
        Drops file in System32 directory
        
        PID:6136
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        154⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        155⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        156⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        157⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6292
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6336
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        159⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        160⤵
        System Location Discovery: System Language Discovery
        
        PID:6440
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6484
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6528
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        163⤵
        System Location Discovery: System Language Discovery
        
        PID:6572
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        164⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6616
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6660
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6704
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6748
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        168⤵
        Modifies registry class
        
        PID:6792
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        169⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6836
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        170⤵
        
        PID:6880
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        171⤵
        System Location Discovery: System Language Discovery
        
        PID:6928
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        172⤵
        System Location Discovery: System Language Discovery
        
        PID:6972
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        173⤵
        Drops file in System32 directory
        
        PID:7016
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7060
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        175⤵
        Modifies registry class
        
        PID:7104
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        176⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7148
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6168
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        178⤵
        
        PID:6232
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        179⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6312
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        180⤵
        
        PID:6392
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        181⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        182⤵
        Drops file in System32 directory
        
        PID:6520
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        183⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        184⤵
        Modifies registry class
        
        PID:6656
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6720
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6788
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        187⤵
        
        PID:6872
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        188⤵
        Drops file in System32 directory
        
        PID:6924
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6988
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        190⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7068
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        191⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7140 -s 412
        192⤵
        Program crash
        
        PID:6300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 7140 -ip 7140
1⤵
PID:6256

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NkU0QjAyMjktRTM3Qy00MkZFLThDOEQtNUM1M0FGMEJFMkY1fSIgdXNlcmlkPSJ7QTU2NjlBRUQtNEIyQy00NTgwLUE1OTctQTUwRDZFMUE4MUE3fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NkRGQ0Q3QUUtRjQzNC00Q0IwLUJFQUItMTA2NEQ4MUNCNjI2fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI4IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDcxNzgiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTY4MDM3MTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0OTE1NjkyMzUyIi8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:6288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
96KB

MD5
81dbfc3abe9ff11129e0d67b360a05fd

SHA1
be920232f5cf8f7f6dad1aeaa5d6c10dfb1997ec

SHA256
d631241d1343152f1881f4d4fae0f4d455068ae90e7e1bd5142fc05681a21b7a

SHA512
b505d8e0e0bf818a756daa68d8417680ebcaae1508a25d7dee6f20dcb64baac94b4f3e9cd58dad39706e0abed79dbf7ac60d232af324834c4a38c6756581b416

Download Submit
C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
96KB

MD5
177be6b534783d46e58a7d951a6cfdcd

SHA1
761b7c9a7474de00f04cc7d5c0581ad831dbeade

SHA256
3ce39e562f1669d0654b2bd710b1032134ac4ce8a219e9a403951428ab6ddce4

SHA512
06886b4924ed91b25f1b4acdcbde6eb9d2a227c6aefb0b7a9af24b119efc7079c88615f8a5651de9b91c2f6024cb1a30bec64b3f56e2066986d70540d84b3625

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
96KB

MD5
c4329c148ff18e213a2722dc9a3cb822

SHA1
369edecac2e8b2f60743e845cd24f28f5365713c

SHA256
f9faf793040c50443c6e1bb093e8878724cf057df477b77c67ab095a64dc4fa5

SHA512
efc6bceae56a8d68fa0b7b86b668f78adef4700b226bcc7b0c76469b3a820c1c117110aa4c118a69da22aaf4cb2463292086cddcaef0685f70f131ac79755afb

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
96KB

MD5
4302a82f0cd0e5f5ab809d8ee1a111b7

SHA1
09f89f86398bb6098fa70cfc11882ff65c4dbb6c

SHA256
bb0365626f3fc1d485509d0f5c805b03752396aa7c7eb3de4c15371d28c2a7ec

SHA512
e0058fc2b5bcdb880daa091caac2506a08c303f9470e1a0d811b1ebebd97b502cd28dc1beafc04a5f8d3f1c8ee01764daf17bbea37c550256a01c763d9cabaf6

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
96KB

MD5
5e3f99cb1cbd4631fbaf78bedb51199b

SHA1
8eabddd5fc4bf0b75426a03920266b20ea42c980

SHA256
db9cd3918e05a6f1679e400efaacee2129cf2a72fd429c99ea1e193aeb3127a0

SHA512
4c81688a736f6d48132be7cbade02cab02575dbaabe6c81c201e21cc2e0d3c462ec59ce8afb380ac3fd1d42a5d2b085f362cf36059c03773c565cd4b14eb25a0

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
96KB

MD5
ac3f6b3d59f51c140ac98f1ee3332a8a

SHA1
ca72472e4fb552e70cb7a5e3eb9cb03ed0ecbf7d

SHA256
9255f4f4bfd9e7c7e6c78be326d9fa92a025067e08e82e2f5814bb29c105a2a9

SHA512
f900844b45fbd691173a2c0059b6f576e2aec23e4b2eb9eb3f4743e5b75f6e5adb5926fdb1464f8d87c06aecef9bd6bf2b1701560cd777e69a22bc9d45fbf826

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
64KB

MD5
959c51a61263918e01002d96cf9a109e

SHA1
79c37f41a777ca7c639e2ba200840da28f4dcf1e

SHA256
6ea6a1a35f0dfa1320c5668435bd3ecc1dbce03a8c0df6065125dce072159ab7

SHA512
693dec217d60bd31f5a74038d7f7adccfd87e698806ece31812e2c56e814a304e2f71c3751aba3388b5a950ab7321dcbde6cf7145532faef912c40273721699b

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
96KB

MD5
1ae507ac8eab1075c984fe3d07707b05

SHA1
049ffdcd1275dc4e67837ad31fe8bdf01b987aa9

SHA256
6737f7e4a2fdd54a7b3266df9ed319c6667c60527396b256b0d0c53f3373138b

SHA512
961cd1ea32854f7497f94a3c3140b1ff0e6cb49b2dbae47d8359accb90c1ed6613c61ba77a8235b37bde592ac05b971a2fd4743d82cc75b5e5bf89b5e23318b6

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
96KB

MD5
0e8f58090cc659d915954d90cedb8e22

SHA1
8ee2c242a9c75b9868da32490c585800be1d7e30

SHA256
ddf6d3032e899cbd2a8f348b2893e4905aa008f4de30c8f3ff318a8d8a3dbb0a

SHA512
02557b2fd41607d568e571d1213134e561b4cd76c95edf05ed608a63084cf3158472e62648aa213d753ba50a138d3ab8b985b3bae016ac62520518aed03d0bc0

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
96KB

MD5
ed3052f353ca910a829cf07afaafeabc

SHA1
9ed66da9d5c9c9eb4bab815abcfdf0014401df1c

SHA256
7384bc96a479a41fda6b2e7d6b39088895cf3d48af05286987a08b9e864188d4

SHA512
8e4690620f9b5b4b99c483909bb0f950a61fe0ea53a96a7a393097873c5ac6aab2730c9f5fbb2055d07040dc0f6d0a6f300684e5a1c34c47ffcf8e88210a4d89

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
96KB

MD5
31a8d65316195dfdb706f6eb2a4bbbf2

SHA1
7c7b390c481f4ab9d686c35099d97bf28582ef72

SHA256
dca0382c5c2b1ede029a728f15a0ec9d870ecc1be370d4b10e1b416388ea1f0c

SHA512
08520795fcb40e0c32fc16fbb0ff9355ac6dec54805e80eac0be6a28d542678f7165a1127455b7fed52688708d6fec49a84224a5e6306578586549f6df2380f6

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
96KB

MD5
4ccc0414300e9bbd6234b9330d8307fd

SHA1
50c5ab6b1ca62484560f72d99acc507fb51ec502

SHA256
55f9d9e80d15829e594a7c92edf75fd80f901a2618ef2c811455246205d80571

SHA512
c6421ff2c134a7f14066ec86264218ece842e3acdee63ec576bd5cee6fb60a469fc630f8de0c6ac4236fc282d3cde16ebeacecf7fe8a9c1f6d233df1ee52a490

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
96KB

MD5
f52b098b45150d9c1281a455665a62ca

SHA1
a9f7118ec3dac81b8d3573f75ec58489aeb2f501

SHA256
e9e33d51c28015f0d0c84496061a819b14ce82e1eb54af0eac6f29c0361e117a

SHA512
4dd600225e48046c77e3950a4670375a8efb3ab3c135f694420191d81de297ee92484c0a651e0f20b5bafa1d86947ba724d090b7bd60ce6a0bde4be9b9935550

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
96KB

MD5
73aa406bf0d27e63167afa22cc13ae06

SHA1
91f4ac7128c9d3d1e6c609148061218b1d50002a

SHA256
3498a81ab132bffb4d01603a0daeba7a4838350838664186c1c9fb5f4d15a4b9

SHA512
add64d625a3caf7f5e9fc7944a8294070cb985ee1673ddf39babd098df70cae3b66c8b8c9785a44317feab5247db224771578bbb36bc00a9243088f7ffd5801a

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
96KB

MD5
f57bab072542c8d2f83709de0bde00b5

SHA1
47edbd50cf4570c7c2d991560aacff9db62604cf

SHA256
4794d2e8f3e118e5950acc8ae221cdb43c29a11d5082c4fcb8a583302246efed

SHA512
9c2cb68bc69b1c8f2cd770402550f906a8dd4a4067fc2db5c373cac7b03a29bb0501ee9bbd401d9cf4bddee6ad8c01c0e152dd7fb243f17c6c8751eb030dffe7

Download Submit
C:\Windows\SysWOW64\Ibcmom32.exe

Filesize
96KB

MD5
2b34d620b42d5cc4be176d31eeb34980

SHA1
8f16560ee6c9a90ddccfa1cdce9058940b24d603

SHA256
69cc39d11bc70f1a55e1c07b2f4750a35bdeedea2c1636ad734b576955198508

SHA512
61e3b1b7be10d5033ccf19c23e524bd8cba1b690e92ff0bb159d37eb928c3e1ef9281b36918954ae0215f99f253a6fe8280418de747a93912156ef80b8256297

Download Submit
C:\Windows\SysWOW64\Icplcpgo.exe

Filesize
96KB

MD5
4b1dafdbfe6b81d9e0c20309541c72f3

SHA1
dca6ef1fe74508104832611f42c11c06a737fcb8

SHA256
0f3618120943539708b4dbc256175b8e09f6f4ec5561b6b4f0fe9abda1d53907

SHA512
609b426584a5c0766cb8de81e465946b40ec1968e590e87c23586b2c56b18e3a0255f87e52c3bd5d7225c7a547aa26d162251aed554ce5616658de5743d0def1

Download Submit
C:\Windows\SysWOW64\Ifllil32.exe

Filesize
96KB

MD5
9abc8c3ee130fc5adbd267e100bc9543

SHA1
bddeb7d0df048abb6468826ee1f43449ad55978c

SHA256
8bd379cba6516752d22ef59a0a8c930a2cf0cf2d849cd2170d7e9ee1db504712

SHA512
4ddd784800fa926ae05892def5630e14668af71425d5df38f564ab45d8e82aee0f70a92954bf5c4859ddd5d22de9690509f772c96bced3bb3911de7235708c5a

Download Submit
C:\Windows\SysWOW64\Imfdff32.exe

Filesize
96KB

MD5
0308a20a4a5fcbf0f1c3edc77ca545f9

SHA1
b220e5845437f6b578e96ea2a6010a75b1c3d944

SHA256
1067f6565784543b85065ccde98ec583a92e10e9e20109879a3370dd04732b37

SHA512
fa5f8a9e52114e97e7f62cb4d2530a78d04cff10ecc003e36d3c5bacd4047cd9b6330d1c7321d36c5e41eadc90ee9fa5c05c8d1a997af76252444cf3f5973e74

Download Submit
C:\Windows\SysWOW64\Jbjcolha.exe

Filesize
96KB

MD5
54975f940eab7dc1e80815fb75ffaa53

SHA1
d316ede4d5d2057e89444478638015cc90c7f5c2

SHA256
1a3effe9685e216c63fe15d5aaa4da247bb5fccc5e9ac412c4046556a47831ba

SHA512
cec0b9d26d77fe2267b84fded5c711a5d2024a347d90ce543ac7c58f028d04634c46402fe54a79479e969adc4e87588982d31248203fa87031d4524853d13062

Download Submit
C:\Windows\SysWOW64\Jcbihpel.exe

Filesize
96KB

MD5
8a0a59e3d5598db44624f153a700c0b5

SHA1
a60f8994df8f0cfeafa861a8b09e1784941d4a47

SHA256
189fe3e9ff0fcf1a6feb990345e7648f7e97915bbc0121940798a7b432a7db95

SHA512
a8535d8174134dc5e41a6d3a907835d49d61cbec4f93fb324b6d944c20b0551b6e1abc242d7bb097255243fb8b1375a363bfecd0da5b2ee9dc6550697e180f91

Download Submit
C:\Windows\SysWOW64\Jcioiood.exe

Filesize
96KB

MD5
a823019a00083c62c700661c8cd3f346

SHA1
f75237c1658347d645d5521f68952762b4901cc3

SHA256
26d4b0306d5ee8134c7e4bcebcbb93685c981e51691c232e3b8461737dd2cdbd

SHA512
e18644999869ecc9b4e1baef3645b525de5042c7e58c61284f92c1c8de6ee29b60f968fbbcfd1a95ab4cbdb645d30f6c5ed420fff2bf30482b2cb16d710b0342

Download Submit
C:\Windows\SysWOW64\Jeaikh32.exe

Filesize
96KB

MD5
b31fd7e3efcb1887ade9f8d874b17f89

SHA1
5d7b0559d28770b00b49cc7c8201ed16ad140cdf

SHA256
44b4cb516716d259ad5d88d4cf754ad2600fd57c6e4f0d937521893408c11c51

SHA512
498dead8318be792fbadc2d304b5e3007e416d4c56d4d4e33a510b4217609b7c97d05660b0ec95503d5f44d3cb7ded14889772dd80552591001fb22af1290997

Download Submit
C:\Windows\SysWOW64\Jehokgge.exe

Filesize
96KB

MD5
fb3466a01eb77544545fc3aaecb0de05

SHA1
d661b5f779f4fd15891d59b9728fdf6a4bf268d6

SHA256
56a56b4fa7b284d07214d5d7d26601cc9805a2a1990d38a08549f3f697f178b8

SHA512
bcd1566bf4a750f9e29f0b625f57bc98e9bbbf5f0f80cb180aa1029f65f83c3ae511f517a9e8e20c72dd9278829362b060b7c0672e2daea944c072a5658a8c0e

Download Submit
C:\Windows\SysWOW64\Jfaedkdp.exe

Filesize
96KB

MD5
61b58c72f4a47d5ea1cc81ca3fd26feb

SHA1
1658744afd47c772c12ee07afcb6205638a5a119

SHA256
949c13d24e27f370fae964285275312070a456ed95acf5c7d7927a0e4696d17d

SHA512
3ca327e857f05977a11907f0863f7cfb73f8f4afb785c7a85113acd6297c6a69328fc9d3dafea4b3c3b3c496ddb9d061c8790e57481eb782669971565765d85e

Download Submit
C:\Windows\SysWOW64\Jfcbjk32.exe

Filesize
96KB

MD5
ee80bac180ab907683ab98b4db409ac9

SHA1
2a3d23a99856165e25cd0ccf4d06f893bd53e45a

SHA256
1bede1df217649bf794eeacd80ffe5d6d1e9b67b66aa5c85004c532545d42ece

SHA512
3fc0ee7eae0acf1e218f993ab0f6a5e68b49397b9ab86af59cf9a4a8db5ec718ade3dce20a39401d68befd8a2a2608a8681cd432cc97cfe36cdcd74e587ed191

Download Submit
C:\Windows\SysWOW64\Jfhlejnh.exe

Filesize
96KB

MD5
1d6258466bb1c0bc5707aeb224e5b77f

SHA1
c01b261c9f2e44ac251b7b10bf7fcabad4d0c151

SHA256
d42396e6a5a35605445831a3b1ad71e136bed97603c905920d777b8c33bf0954

SHA512
9a06ad8ea1aadceaefb3a5a005710a281c0f5cee1e7912b09643c0bd1eae4525b4b21fb4826907b16afcb32b790ff13df71bd160e022a7f816305e6b99db86fa

Download Submit
C:\Windows\SysWOW64\Jianff32.exe

Filesize
96KB

MD5
e061c55828308492440eeec4336ee103

SHA1
d3af69dc4bffa613212372dfe978ad0527785895

SHA256
70efe107fe43018057be907be76cf5b9a7f43dd943d958b6a42b8c9c492dcd59

SHA512
d8c01edeedc2f6216b8cb04cce8aa6c704e780caf19259bef2ecc9a783f63e9ea30635eb6882127501cae280f2824a50381743c4b3c44e726550e1e4ba2dfd29

Download Submit
C:\Windows\SysWOW64\Jioaqfcc.exe

Filesize
96KB

MD5
e4dd9563927fd60d232f3a7186c3daad

SHA1
b5c68208485087a6f80bb9b6796492b95fc2f339

SHA256
378618ecda8edbb01d8ebc909700be86319265a78e8ea08e94e58bbf73c873a5

SHA512
9769424675e5f24b7c512e8dc2c76e069eb323aad45332acaea25d45ed015352c88087c0ec401564de31852afdf6f69e98aab26d02c1501dee7110e3f6677527

Download Submit
C:\Windows\SysWOW64\Jlkagbej.exe

Filesize
96KB

MD5
6afab3679e2033ee73c9949e3c5b2908

SHA1
44d39eb162095336ce8841b14cd5556960922670

SHA256
7d60f497564fecb41da3b37d31b82ad2152529840ed949f52cf6339dd5b2d78e

SHA512
0f5fa2bb46188cc8ca0bf752c61f5cb1824e5d15d121d1dbeb41cb86e596e31bde0a88575fb2b430dfc02bbb15812b020524a5430821421ffbb7bc1e9ecf3d09

Download Submit
C:\Windows\SysWOW64\Jlpkba32.exe

Filesize
96KB

MD5
1ed1f67343b1a0038d1549c74148732a

SHA1
94fb71135fbb3517f44c22ab5b023717521a4b40

SHA256
eb53dbadf39943820a1145baf1dd7363fda201e0d74bb3373a2e78ec0aebafa7

SHA512
f13d30122d0c3cd1f886eaa2fc81fa33610b27dc5a5cf3004d74f5953f1be4800d8290573dfcebc31d6bbd998776b2c64a06fe93096bda9eb49b5d0f937f4e6d

Download Submit
C:\Windows\SysWOW64\Jmbdbd32.exe

Filesize
96KB

MD5
1b200dbfba32bd26ff21da3eee92c557

SHA1
5cfec1ad52f16f9bfc398c7faf2edd2f1d19a83b

SHA256
6616091968807822717dc8c04132f80006e4b8a7d185d2c2d58ea861c1f8e61b

SHA512
ecb17eebc9233249ed8a3b820e0cea07d847eabec6abe2d6f445f02a900304bf3e3a86af7b7337fb6b9f4e2ed2ef92975b8828b19fa58a87bff55424dfa5eed2

Download Submit
C:\Windows\SysWOW64\Jmpgldhg.exe

Filesize
96KB

MD5
7b37d452ba7e6e9422792b7cabe46cbe

SHA1
3ff2242a92f12c463d509cd517665079e0e786a0

SHA256
168a4e35b48dd18e879aa01284c892b5332d48d26ed2cb4c88efc652cb5a96d2

SHA512
3a22cad93e27dcf1725c4c036ac0c57edc89e238b7a91ed9472996b6b2b33edb2a1221a121848f671c37095f8e4d023fd6e5d3668e719fd6a8d2a7a0087e2f3d

Download Submit
C:\Windows\SysWOW64\Jpijnqkp.exe

Filesize
96KB

MD5
c0376dc2c9d65dad7c04b7be24e1930d

SHA1
e0ffb5a95f20aae0651bf56fa73a9f651c54043c

SHA256
b095b27c828ed031eb9d0faf14d74575d9442afba74c12d9e9ea057536c3d133

SHA512
1d6e0550d465a9cf5754b92abf12b75c5d0a1fb8333092de883faf141913541e08da087139c6f8cdb6b729f3ce9bbd7291227d513ed12a0cc6aab45007147f9d

Download Submit
C:\Windows\SysWOW64\Jpppnp32.exe

Filesize
96KB

MD5
fa58aee84451bf38bf8b1d5aafc687ef

SHA1
bc01a1c3a755ed720f0b9eac2b1ce3fea6e2b665

SHA256
d48509f2df69a333c9d2042cf73cbead5357a4517bd340a646abf3a984cf7337

SHA512
8dad6381c79beaf57f096e2cdc3a898cb0e6ff478d54a8d719c90325540cf64d2592abd383dd1592e8525904c8be6a36a41179b22a75bb5a75afdc1242be097f

Download Submit
C:\Windows\SysWOW64\Kbfbkj32.exe

Filesize
96KB

MD5
a6a1054725438afa1db2dfa06f3de523

SHA1
ab977224c35e107f2605b1d02ba323a5dd3fda95

SHA256
e65ad7b624323100649be7f772da90833ce58cc93c6b29672d41aadeef4e62c6

SHA512
2c261dbf2c438ebff140b86e19f7e261e16a5acc0cfc11db50369db86c33d4a0a0ded57717eeb024f4a6e8664c04874150a8837705f63b06ac7dcc6536cae8d8

Download Submit
C:\Windows\SysWOW64\Kdnidn32.exe

Filesize
96KB

MD5
2e3a706c8186c219f2708088b3f76983

SHA1
e1088bcbfb1e53aeaf931e2f11d34d0928d71c47

SHA256
3110af4971eac2e58c611f700c99b49f585926cafb9728ba58282d10bf174f64

SHA512
287b5abbba0ffc87907b76476d6a1aa61a76d6a7ca4ae2b8431ed9fe32e811c42ee27cea431ec8e885b6f9dbd0996c710abaf1cec866a5a3a7290c9bd8dbd3bd

Download Submit
C:\Windows\SysWOW64\Kdqejn32.exe

Filesize
96KB

MD5
7d37cee41577bab1d94593cd826d55ea

SHA1
41cb2e505b2dd320babc17dcec20b78c84c2f150

SHA256
83b29b0360b1b9cd57d7d2d82622b0f2e77a68154da40e1d26509f89f6afba6a

SHA512
f7dfd3bd3537c4de302f790c26e09f256fe3d2b9311ce5158eeb773a8a340bbbb932d83b2298b3afd36afd418738ec48baaa1b3e4dc0171c3986df3fdd6092a1

Download Submit
C:\Windows\SysWOW64\Kepelfam.exe

Filesize
96KB

MD5
570ea1a694233076256bb0f873cb610c

SHA1
8663a6d690e8feb118fb5699ae07038bc705f955

SHA256
6996876d48d68183dddbec8dc315c035de90ca258e89aeb7e3293f5955c4c7b3

SHA512
828108509302b2e1613b29c636489002b1160088c821d9db8fe806a7f48dbbead8750c58b7de23db8cad46e25e67634b759b958a4b8044c3819212a46b275ce2

Download Submit
C:\Windows\SysWOW64\Kfjhkjle.exe

Filesize
96KB

MD5
01f844994ea2789ddd42fc1447db41a6

SHA1
a53912aa58c737fdba21e7000c3d26976a3c1dca

SHA256
cee5a9200e2e8ffd35574cafb4fd242cfb6dc72c5a1667fbc9c2ec8170c20177

SHA512
a76e12a12bfaf84d2e48767887bf9811a9cb29d2a37239a89956cd26461a015e59c886dd9ce45e7532ce80e952daeb837466fde7f5a6a8780f580e39e5a527e8

Download Submit
C:\Windows\SysWOW64\Kfoafi32.exe

Filesize
96KB

MD5
a84c24da1411c9f2dbbf8e07e9291298

SHA1
277535c5c136c8b95733c6425774a547f365cf36

SHA256
1f11d6803c46c6005ce406e62983126d4abf0aa245329e3017e58c33e1f7014e

SHA512
50806957726638aa13c019a9227c2db9f5ab240bb0884138390262b5475769f5a3f924a0580ca0e43327be20e4b5f0130f6d66589ee844ce1d53e5e8fac6158b

Download Submit
C:\Windows\SysWOW64\Kimnbd32.exe

Filesize
96KB

MD5
f138fa579b72855aa1e607c579f279d9

SHA1
c0310af1c7d8f079c84c0b165f10d96eb81202c8

SHA256
9d2e4b809002cc5433bd876aa997eac783f95ab60db0855be6e0e309a5d3c15c

SHA512
f06890c07af2b0319b4600e26aa69527be3e5d521543d0b0d54fcedf360e0cf72a9678bbec11de85c7f0acc9974443972e14cb6ea80d3822e5fe0d3c06567fa7

Download Submit
C:\Windows\SysWOW64\Kipkhdeq.exe

Filesize
96KB

MD5
35c02bfbf990c406656eff583b5ae33f

SHA1
c0da0f71a221b29253991f8686dba5f9a34fbb10

SHA256
65938a08083e544a0ca1a0461ee08703a926843b33b624998a30e704f948eb2c

SHA512
722ff59c6cc06e4d10fe01e4d93ce43cb53c3a88687bed34cbf13cd971298842801950fd742e57d89606fb86c801d573ddfb53c37ab8cca6d601d9f96257b06f

Download Submit
C:\Windows\SysWOW64\Kmdqgd32.exe

Filesize
96KB

MD5
29d930d3963dea86fd1d1a588fb5138c

SHA1
001f635fb58911e143d68819ea201c6b98f91b26

SHA256
8ca4dd3ead149c5392a012ddcd660025774b37383446908a037b2d18457d93ec

SHA512
1c77b83d2b369a09a5866210cd49e0ccf6983183c1bbf84f44ea9b5dc147db8d674d3f48aa569f2f45ad93f50f94d206fc5f931e701cfe0875025ef2997e962b

Download Submit
C:\Windows\SysWOW64\Kmfmmcbo.exe

Filesize
96KB

MD5
dfa3c69aeac0026ae9f237a92f8c63a9

SHA1
a5f2f1f376b91f55595a43e659fc2285380a9582

SHA256
22a0e120d9fd8c33190387b1a49eb99c42cbd4cf8a31c25e8b5c8f78523069ce

SHA512
47777665c5d4fdac6875fce561b0cfb1a4e0efa1852435485fa2466bfca399e3029e0e007b2ac67148ca2c072af36ebdd23924273f2ef00c93042428a83aced9

Download Submit
C:\Windows\SysWOW64\Kpgfooop.exe

Filesize
96KB

MD5
c34e8dba9773953902084862526b11c1

SHA1
55526de02cd96319c9ee15c454b9f22bec841d57

SHA256
602a51e0677b8f2eb3e8537e3fe4b742eb929fcbf78789f4142d1095b54f3043

SHA512
0320fde385ebe2e5981625a44b0c12fef74f78ba027866b28bc977dd72910e726d419ac04db04a758880e5415ebf416eedaee1a389a4f20b4e1e4460053a9565

Download Submit
C:\Windows\SysWOW64\Kpjcdn32.exe

Filesize
96KB

MD5
cd5c10c6f9b59774e421219e17fcd823

SHA1
2bb62d4d302557cfe9c3b393d618d0ecfa35113e

SHA256
0e0d242b69ed17e09d1664d68399e511a93771385b4a5f9447317605dd2d6aee

SHA512
53d48401d1093938fea524f772969166d26390ea14d7c2fbfe340e747e38de705a42443e397f15da405d4b5a38198cc92419ac534e839f2e849e5df9a17a394e

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
96KB

MD5
630aefe2a905158e3c577105ee07839b

SHA1
b50696db57e12318a754f5cabed2053f5774561f

SHA256
fb95f434e9df1f7c74b0a2aaa9c14444dfbd59de59ac5ed492a531abc4b33543

SHA512
e824fb74d0639699f0df1fb411ff362881112204995f042d13f2b09ceadbf4b5a1524489beb05f40fb8b2aee3574a9adf965d490cc98a840ad522d8ebbfd20b8

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
96KB

MD5
70af6e85328305491a3510bd8dbe924c

SHA1
3ec176898b229c400cf9ff45818e2d7bb6fc421b

SHA256
f398ff89141ac4ed17e48531a4d6f194f6fba00e5a12698d617060ad09695691

SHA512
2a751d84155b1b7cfee5c396b6f9e6a88010e821789bf7469c7ca9c23f74df50312e2797bcf8a424b87ac28822994ba87814dd2c755bc57b000eba4c31544878

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
96KB

MD5
0816390f607ba94322a3e7bf8997f1d1

SHA1
cd7597e9864f96f6d10ab5440c60a65ce2278179

SHA256
c032ecfce7003dcd1339d579062f8552db20f3a32936dbc9c1f396e66abcde05

SHA512
b0c19304a8c83d0c35b7aa7dd51b1c2db2f15a4565fd0e33149292d0137704ae558d9ec8248285ef22ca29ea3b8efdb2212a3cb83159c4bb578f907842e9c33b

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
96KB

MD5
8f1d2717efdef8487cb91c2dbf0fee0e

SHA1
32f75bc81a5fd27371c4dbdd2c5167243d965117

SHA256
073e616b664b3e1a7e1f2aa6c91bed5ca54e813eca92788e2eef0071efc1eae8

SHA512
c41fec69b9af7677836275fda94bf4806dad1fcfc689847f5d28aa8a213d65faaad4ff704a6b25f0bf8c35df6f1f3c541c67d8b329f8052bff958fb9449cc2a1

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
96KB

MD5
cc81cae8015fad781689fb96724eb8b3

SHA1
97181b8012c95b4fc33bbb729b495178862a8e84

SHA256
b6f99c00f72aa1fe4e8c8106c85e9112da5edc269c395d8f12586b8818ebef60

SHA512
11b87f0dc0d8ee3395c4e089e81187daefd01753c052f58282def2c31260845e074472509464aa19817312a7492d94807b7bf7b94bea6de7ed6e820b9698fdd4

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
96KB

MD5
e74a3fef61da219ca5cc070ffc004918

SHA1
5032eff55800a190ff8b87b9f4637f8c240f3cc0

SHA256
16d8708bf1a46e958ad0a0be1fd47f703cc3a0b65d7cd6b5936692e6e88c580c

SHA512
a6e3fbc5eeeb972f1f82579521b2a343680f3eccd5050f4893fa58a080feea558d9339416fb8438582e27bc18521e344c66d4bdcc5df50fd8a0a8fd57429b5b6

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
96KB

MD5
b044c2a1073b6a7deb2e3e274488e3e0

SHA1
a5d6bd3aed687a16d10639021e778926b3e45309

SHA256
6fdf4c4408192bb459744f19e305b674f52e8dbe99f61c8957d8ffd819ac39f0

SHA512
71a1bae3ef89b75caee0f9a7bf70de017d5bb0f568245f61d0ea258aa2c61dff57ff427b03b190e7a23c54256d0bb4040836e2d8b79af4075e70905dd8fa24d0

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
96KB

MD5
c8f2cfd3091bd6db2124f87f2bdb4087

SHA1
efdaf1e4329405309824d380ec11df3e2aa71357

SHA256
7ef6359916698626d649bdd321405e74dba218c0b129bc1fadf5cf9887dd4419

SHA512
22f9596a00e0663d6cc5cb4cce2a2356a0e0841d5024d43334e875cfcb9a5a0a3bc20f12aabc8d622c1fe5e9ef7c2d5135db19508d643cadce9e6758e3b1e11e

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
96KB

MD5
6539678b6c840536522426e4d90a14a5

SHA1
30a8f3ba1616d6d155070846f0e04eb22853ff15

SHA256
0742db4a5ba7ee2110f80518e23903c154c1eae529f05af687929a397f29ddb5

SHA512
6305e86e47145a55f952bda8d961715eff81c41f557233d8b3b7ad95a87535e2ecd25b6c8a8718d494e426d6aa87a879b78abb8d7f42e09a4d3de47e3bd7c216

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
96KB

MD5
44c379842ca5063ca9e89726100d194a

SHA1
9303a1e021faac46345cb8d73a022ff02c54caeb

SHA256
c6f39641679c20074796df4eca23750f80e524f18c77643f3ba7a3ca329acbfd

SHA512
1f6d1e49878dbe47fe13521b31c61235f71faa954ee2f400e171a6a51aee5d552fe8d5d15f9d12f86e57be1474d1aea7cee938d4d24748c1b006c66676f5d9af

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
96KB

MD5
37ef3d61e6fb1b65600ebff0e1dba2ac

SHA1
48fc5a7db07d7482999e1e54f8ab23ad977dfa70

SHA256
726613f7b4a9a8b9fd4103d9d2acbf866de0afc0e202a640c035da57c11f3a37

SHA512
e8e06603068f97e0b386ab7e4951e6beddd6b3c277cf730d9ddd3675673545465bc2fc8a99a6e07c0f12cc8d84a2d5c3f1b4788b9083548815ea41c2054c7a6b

Download Submit
memory/224-462-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/348-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/388-562-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/440-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/920-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/944-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1068-541-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1256-576-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1304-582-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1304-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1368-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1668-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1756-426-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1784-568-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1784-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1856-561-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1856-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1988-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1996-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2032-555-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2036-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2060-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2060-589-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2088-528-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2220-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2252-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2256-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2368-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2368-547-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2372-535-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2384-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2408-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2452-510-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2480-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2496-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2516-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2520-486-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2564-406-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2624-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2724-534-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2724-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2724-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2812-480-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2868-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2980-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2996-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3084-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3140-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3196-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3196-554-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3244-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3268-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3276-498-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3288-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3304-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3448-474-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3464-548-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3496-468-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3504-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3588-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3596-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3608-504-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3728-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3792-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3840-456-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3856-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3932-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3956-583-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3968-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3976-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4000-516-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4020-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4064-438-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4092-444-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4136-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4216-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4224-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4252-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4360-522-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4388-492-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4396-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4440-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4500-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4504-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4524-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4572-569-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4604-450-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4668-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4672-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4796-575-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4796-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4884-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4912-420-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5004-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5020-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5048-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5132-1410-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5308-1409-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5508-1419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5824-1414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6060-1411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6336-1372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6572-1360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6660-1359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6720-1320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads