berbew | 8195c887325dad44546361dd81f0574cbf9cdbf1b945d01c4fe1f4a98e7c5263

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/10/2024, 21:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8195c887325dad44546361dd81f0574cbf9cdbf1b945d01c4fe1f4a98e7c5263N.exe
Size

713KB
MD5

e1210a107df64b13a71f0c5ac0a911d0
SHA1

e69c900cc876b401c336d495286abd75e634ca12
SHA256

8195c887325dad44546361dd81f0574cbf9cdbf1b945d01c4fe1f4a98e7c5263
SHA512

987c89fabd2e6cf5aad13d65a70255b22d888b8f49f07c1aa7e078a267fd734376c98d530554b21f5300b2efd471c4698df94f17d1d4810833c223b6651a1a01
SSDEEP

12288:SdvMDVqvQ6IvYvc6IveDVqvQ6IvBaSHaMaZRBEYyqmaf2qwiHPKgRC4gvGZ+C8lK:SS5h3q5htaSHFaZRBEYyqmaf2qwiHPKA

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfoghakb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohiffh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Phnpagdp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahpifj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Paiaplin.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pidfdofi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhjlli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oaghki32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odgamdef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnfddp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boljgg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obmnna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boljgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	8195c887325dad44546361dd81f0574cbf9cdbf1b945d01c4fe1f4a98e7c5263N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odgamdef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjpaop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfioia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjobffl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adnpkjde.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkhhhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmfbpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnfqccna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlqmmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oaghki32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkjdndjo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjbndpmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjbndpmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohiffh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Paiaplin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qppkfhlc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apedah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnfddp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfoghakb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obmnna32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qppkfhlc.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 49 IoCs

pid	Process
2480	Nlqmmd32.exe
2356	Nbjeinje.exe
2704	Nmfbpk32.exe
2756	Nfoghakb.exe
2720	Oaghki32.exe
2728	Odgamdef.exe
2636	Obmnna32.exe
1156	Ohiffh32.exe
2884	Pofkha32.exe
2848	Phnpagdp.exe
2856	Pkoicb32.exe
1504	Paiaplin.exe
1064	Pidfdofi.exe
236	Qppkfhlc.exe
2180	Apedah32.exe
2220	Ahpifj32.exe
924	Aakjdo32.exe
1648	Adifpk32.exe
1864	Adlcfjgh.exe
2112	Agjobffl.exe
568	Adnpkjde.exe
2160	Bhjlli32.exe
1096	Bkhhhd32.exe
528	Bnfddp32.exe
1576	Bkjdndjo.exe
2336	Bdcifi32.exe
2836	Bjpaop32.exe
2664	Bnknoogp.exe
2776	Boljgg32.exe
2252	Bjbndpmd.exe
2284	Boogmgkl.exe
2588	Bfioia32.exe
2324	Bkegah32.exe
2940	Cbppnbhm.exe
320	Cenljmgq.exe
2900	Cocphf32.exe
556	Cnfqccna.exe
1748	Cgoelh32.exe
112	Cbdiia32.exe
2492	Cebeem32.exe
3036	Cgaaah32.exe
1720	Cnkjnb32.exe
1740	Cgcnghpl.exe
1412	Cnmfdb32.exe
1596	Cegoqlof.exe
2024	Cgfkmgnj.exe
1076	Cfhkhd32.exe
792	Danpemej.exe
2972	Dpapaj32.exe

Loads dropped DLL 64 IoCs

pid	Process
2208	8195c887325dad44546361dd81f0574cbf9cdbf1b945d01c4fe1f4a98e7c5263N.exe
2208	8195c887325dad44546361dd81f0574cbf9cdbf1b945d01c4fe1f4a98e7c5263N.exe
2480	Nlqmmd32.exe
2480	Nlqmmd32.exe
2356	Nbjeinje.exe
2356	Nbjeinje.exe
2704	Nmfbpk32.exe
2704	Nmfbpk32.exe
2756	Nfoghakb.exe
2756	Nfoghakb.exe
2720	Oaghki32.exe
2720	Oaghki32.exe
2728	Odgamdef.exe
2728	Odgamdef.exe
2636	Obmnna32.exe
2636	Obmnna32.exe
1156	Ohiffh32.exe
1156	Ohiffh32.exe
2884	Pofkha32.exe
2884	Pofkha32.exe
2848	Phnpagdp.exe
2848	Phnpagdp.exe
2856	Pkoicb32.exe
2856	Pkoicb32.exe
1504	Paiaplin.exe
1504	Paiaplin.exe
1064	Pidfdofi.exe
1064	Pidfdofi.exe
236	Qppkfhlc.exe
236	Qppkfhlc.exe
2180	Apedah32.exe
2180	Apedah32.exe
2220	Ahpifj32.exe
2220	Ahpifj32.exe
924	Aakjdo32.exe
924	Aakjdo32.exe
1648	Adifpk32.exe
1648	Adifpk32.exe
1864	Adlcfjgh.exe
1864	Adlcfjgh.exe
2112	Agjobffl.exe
2112	Agjobffl.exe
568	Adnpkjde.exe
568	Adnpkjde.exe
2160	Bhjlli32.exe
2160	Bhjlli32.exe
1096	Bkhhhd32.exe
1096	Bkhhhd32.exe
528	Bnfddp32.exe
528	Bnfddp32.exe
1576	Bkjdndjo.exe
1576	Bkjdndjo.exe
2336	Bdcifi32.exe
2336	Bdcifi32.exe
2836	Bjpaop32.exe
2836	Bjpaop32.exe
2664	Bnknoogp.exe
2664	Bnknoogp.exe
2776	Boljgg32.exe
2776	Boljgg32.exe
2252	Bjbndpmd.exe
2252	Bjbndpmd.exe
2284	Boogmgkl.exe
2284	Boogmgkl.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nbjeinje.exe	Nlqmmd32.exe
File created	C:\Windows\SysWOW64\Ckndebll.dll	Bjpaop32.exe
File created	C:\Windows\SysWOW64\Cgfkmgnj.exe	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Bjpaop32.exe	Bdcifi32.exe
File opened for modification	C:\Windows\SysWOW64\Bfioia32.exe	Boogmgkl.exe
File opened for modification	C:\Windows\SysWOW64\Cnmfdb32.exe	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Cpmahlfd.dll	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Fkdqjn32.dll	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Nfoghakb.exe	Nmfbpk32.exe
File created	C:\Windows\SysWOW64\Khdecggq.dll	Nmfbpk32.exe
File created	C:\Windows\SysWOW64\Omakjj32.dll	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\Cfhkhd32.exe	Cgfkmgnj.exe
File opened for modification	C:\Windows\SysWOW64\Nmfbpk32.exe	Nbjeinje.exe
File created	C:\Windows\SysWOW64\Oaghki32.exe	Nfoghakb.exe
File created	C:\Windows\SysWOW64\Kaaded32.dll	Paiaplin.exe
File created	C:\Windows\SysWOW64\Adlcfjgh.exe	Adifpk32.exe
File created	C:\Windows\SysWOW64\Bhjlli32.exe	Adnpkjde.exe
File created	C:\Windows\SysWOW64\Ibcihh32.dll	Bjbndpmd.exe
File created	C:\Windows\SysWOW64\Lkknbejg.dll	Bnfddp32.exe
File opened for modification	C:\Windows\SysWOW64\Bdcifi32.exe	Bkjdndjo.exe
File created	C:\Windows\SysWOW64\Nlqmmd32.exe	8195c887325dad44546361dd81f0574cbf9cdbf1b945d01c4fe1f4a98e7c5263N.exe
File opened for modification	C:\Windows\SysWOW64\Obmnna32.exe	Odgamdef.exe
File created	C:\Windows\SysWOW64\Pidfdofi.exe	Paiaplin.exe
File opened for modification	C:\Windows\SysWOW64\Ahpifj32.exe	Apedah32.exe
File created	C:\Windows\SysWOW64\Aglfmjon.dll	Agjobffl.exe
File opened for modification	C:\Windows\SysWOW64\Bkhhhd32.exe	Bhjlli32.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Danpemej.exe
File created	C:\Windows\SysWOW64\Mjpbcokk.dll	Oaghki32.exe
File created	C:\Windows\SysWOW64\Phnpagdp.exe	Pofkha32.exe
File created	C:\Windows\SysWOW64\Agjobffl.exe	Adlcfjgh.exe
File opened for modification	C:\Windows\SysWOW64\Agjobffl.exe	Adlcfjgh.exe
File created	C:\Windows\SysWOW64\Bfioia32.exe	Boogmgkl.exe
File opened for modification	C:\Windows\SysWOW64\Danpemej.exe	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Odgamdef.exe	Oaghki32.exe
File created	C:\Windows\SysWOW64\Oqlecd32.dll	Ohiffh32.exe
File created	C:\Windows\SysWOW64\Bbjclbek.dll	Ahpifj32.exe
File created	C:\Windows\SysWOW64\Hpqnnmcd.dll	Adnpkjde.exe
File opened for modification	C:\Windows\SysWOW64\Bjbndpmd.exe	Boljgg32.exe
File created	C:\Windows\SysWOW64\Fnpeed32.dll	Cocphf32.exe
File opened for modification	C:\Windows\SysWOW64\Apedah32.exe	Qppkfhlc.exe
File created	C:\Windows\SysWOW64\Ahpifj32.exe	Apedah32.exe
File created	C:\Windows\SysWOW64\Kmapmi32.dll	Bkhhhd32.exe
File created	C:\Windows\SysWOW64\Aaddfb32.dll	Cbppnbhm.exe
File created	C:\Windows\SysWOW64\Kaqnpc32.dll	Cebeem32.exe
File created	C:\Windows\SysWOW64\Cbehjc32.dll	Cfhkhd32.exe
File opened for modification	C:\Windows\SysWOW64\Phnpagdp.exe	Pofkha32.exe
File opened for modification	C:\Windows\SysWOW64\Adnpkjde.exe	Agjobffl.exe
File created	C:\Windows\SysWOW64\Bkjdndjo.exe	Bnfddp32.exe
File created	C:\Windows\SysWOW64\Cdpkangm.dll	Bdcifi32.exe
File created	C:\Windows\SysWOW64\Cgcnghpl.exe	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\Nloone32.dll	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Cnkjnb32.exe	Cgaaah32.exe
File opened for modification	C:\Windows\SysWOW64\Nfoghakb.exe	Nmfbpk32.exe
File created	C:\Windows\SysWOW64\Fkfnnoge.dll	Phnpagdp.exe
File opened for modification	C:\Windows\SysWOW64\Qppkfhlc.exe	Pidfdofi.exe
File created	C:\Windows\SysWOW64\Adifpk32.exe	Aakjdo32.exe
File opened for modification	C:\Windows\SysWOW64\Bnfddp32.exe	Bkhhhd32.exe
File created	C:\Windows\SysWOW64\Aqpmpahd.dll	Cenljmgq.exe
File opened for modification	C:\Windows\SysWOW64\Ohiffh32.exe	Obmnna32.exe
File opened for modification	C:\Windows\SysWOW64\Nlqmmd32.exe	8195c887325dad44546361dd81f0574cbf9cdbf1b945d01c4fe1f4a98e7c5263N.exe
File created	C:\Windows\SysWOW64\Bdcifi32.exe	Bkjdndjo.exe
File created	C:\Windows\SysWOW64\Boljgg32.exe	Bnknoogp.exe
File opened for modification	C:\Windows\SysWOW64\Boogmgkl.exe	Bjbndpmd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2488	2972	WerFault.exe	79

System Location Discovery: System Language Discovery 1 TTPs 50 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlqmmd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odgamdef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boogmgkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenljmgq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhkhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oaghki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phnpagdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkoicb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnknoogp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbndpmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocphf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnfqccna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfkmgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boljgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8195c887325dad44546361dd81f0574cbf9cdbf1b945d01c4fe1f4a98e7c5263N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obmnna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohiffh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pofkha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aakjdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjobffl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adnpkjde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pidfdofi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhjlli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdcifi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkegah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkjnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danpemej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbjeinje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qppkfhlc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkhhhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkjdndjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjpaop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdiia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegoqlof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmfbpk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apedah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahpifj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adifpk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfioia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paiaplin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnfddp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbppnbhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfoghakb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adlcfjgh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cebeem32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaqnpc32.dll"	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ohiffh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adifpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aglfmjon.dll"	Agjobffl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlqmmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmfbpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odgamdef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmfbpk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfoghakb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pidfdofi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahpifj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Obmnna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmapmi32.dll"	Bkhhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjbndpmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhjlli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdhe32.dll"	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfoghakb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pidfdofi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agjobffl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lloeec32.dll"	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbehjc32.dll"	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckndebll.dll"	Bjpaop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boljgg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjbndpmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbjeinje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqlecd32.dll"	Ohiffh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qppkfhlc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiqhbk32.dll"	Adifpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpqnnmcd.dll"	Adnpkjde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjpaop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnfqccna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oaghki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcamkjba.dll"	Bhjlli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Komjgdhc.dll"	Adlcfjgh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pofkha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmlfpfpl.dll"	Apedah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjclbek.dll"	Ahpifj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aakjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kongke32.dll"	8195c887325dad44546361dd81f0574cbf9cdbf1b945d01c4fe1f4a98e7c5263N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Phnpagdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boljgg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpbcokk.dll"	Oaghki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Paiaplin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apedah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaoplfhc.dll"	Bkjdndjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdcifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjpaop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	8195c887325dad44546361dd81f0574cbf9cdbf1b945d01c4fe1f4a98e7c5263N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apedah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkhhhd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2480	2208	8195c887325dad44546361dd81f0574cbf9cdbf1b945d01c4fe1f4a98e7c5263N.exe	31
PID 2208 wrote to memory of 2480	2208	8195c887325dad44546361dd81f0574cbf9cdbf1b945d01c4fe1f4a98e7c5263N.exe	31
PID 2208 wrote to memory of 2480	2208	8195c887325dad44546361dd81f0574cbf9cdbf1b945d01c4fe1f4a98e7c5263N.exe	31
PID 2208 wrote to memory of 2480	2208	8195c887325dad44546361dd81f0574cbf9cdbf1b945d01c4fe1f4a98e7c5263N.exe	31
PID 2480 wrote to memory of 2356	2480	Nlqmmd32.exe	32
PID 2480 wrote to memory of 2356	2480	Nlqmmd32.exe	32
PID 2480 wrote to memory of 2356	2480	Nlqmmd32.exe	32
PID 2480 wrote to memory of 2356	2480	Nlqmmd32.exe	32
PID 2356 wrote to memory of 2704	2356	Nbjeinje.exe	33
PID 2356 wrote to memory of 2704	2356	Nbjeinje.exe	33
PID 2356 wrote to memory of 2704	2356	Nbjeinje.exe	33
PID 2356 wrote to memory of 2704	2356	Nbjeinje.exe	33
PID 2704 wrote to memory of 2756	2704	Nmfbpk32.exe	34
PID 2704 wrote to memory of 2756	2704	Nmfbpk32.exe	34
PID 2704 wrote to memory of 2756	2704	Nmfbpk32.exe	34
PID 2704 wrote to memory of 2756	2704	Nmfbpk32.exe	34
PID 2756 wrote to memory of 2720	2756	Nfoghakb.exe	35
PID 2756 wrote to memory of 2720	2756	Nfoghakb.exe	35
PID 2756 wrote to memory of 2720	2756	Nfoghakb.exe	35
PID 2756 wrote to memory of 2720	2756	Nfoghakb.exe	35
PID 2720 wrote to memory of 2728	2720	Oaghki32.exe	36
PID 2720 wrote to memory of 2728	2720	Oaghki32.exe	36
PID 2720 wrote to memory of 2728	2720	Oaghki32.exe	36
PID 2720 wrote to memory of 2728	2720	Oaghki32.exe	36
PID 2728 wrote to memory of 2636	2728	Odgamdef.exe	37
PID 2728 wrote to memory of 2636	2728	Odgamdef.exe	37
PID 2728 wrote to memory of 2636	2728	Odgamdef.exe	37
PID 2728 wrote to memory of 2636	2728	Odgamdef.exe	37
PID 2636 wrote to memory of 1156	2636	Obmnna32.exe	38
PID 2636 wrote to memory of 1156	2636	Obmnna32.exe	38
PID 2636 wrote to memory of 1156	2636	Obmnna32.exe	38
PID 2636 wrote to memory of 1156	2636	Obmnna32.exe	38
PID 1156 wrote to memory of 2884	1156	Ohiffh32.exe	39
PID 1156 wrote to memory of 2884	1156	Ohiffh32.exe	39
PID 1156 wrote to memory of 2884	1156	Ohiffh32.exe	39
PID 1156 wrote to memory of 2884	1156	Ohiffh32.exe	39
PID 2884 wrote to memory of 2848	2884	Pofkha32.exe	40
PID 2884 wrote to memory of 2848	2884	Pofkha32.exe	40
PID 2884 wrote to memory of 2848	2884	Pofkha32.exe	40
PID 2884 wrote to memory of 2848	2884	Pofkha32.exe	40
PID 2848 wrote to memory of 2856	2848	Phnpagdp.exe	41
PID 2848 wrote to memory of 2856	2848	Phnpagdp.exe	41
PID 2848 wrote to memory of 2856	2848	Phnpagdp.exe	41
PID 2848 wrote to memory of 2856	2848	Phnpagdp.exe	41
PID 2856 wrote to memory of 1504	2856	Pkoicb32.exe	42
PID 2856 wrote to memory of 1504	2856	Pkoicb32.exe	42
PID 2856 wrote to memory of 1504	2856	Pkoicb32.exe	42
PID 2856 wrote to memory of 1504	2856	Pkoicb32.exe	42
PID 1504 wrote to memory of 1064	1504	Paiaplin.exe	43
PID 1504 wrote to memory of 1064	1504	Paiaplin.exe	43
PID 1504 wrote to memory of 1064	1504	Paiaplin.exe	43
PID 1504 wrote to memory of 1064	1504	Paiaplin.exe	43
PID 1064 wrote to memory of 236	1064	Pidfdofi.exe	44
PID 1064 wrote to memory of 236	1064	Pidfdofi.exe	44
PID 1064 wrote to memory of 236	1064	Pidfdofi.exe	44
PID 1064 wrote to memory of 236	1064	Pidfdofi.exe	44
PID 236 wrote to memory of 2180	236	Qppkfhlc.exe	45
PID 236 wrote to memory of 2180	236	Qppkfhlc.exe	45
PID 236 wrote to memory of 2180	236	Qppkfhlc.exe	45
PID 236 wrote to memory of 2180	236	Qppkfhlc.exe	45
PID 2180 wrote to memory of 2220	2180	Apedah32.exe	46
PID 2180 wrote to memory of 2220	2180	Apedah32.exe	46
PID 2180 wrote to memory of 2220	2180	Apedah32.exe	46
PID 2180 wrote to memory of 2220	2180	Apedah32.exe	46

C:\Users\Admin\AppData\Local\Temp\8195c887325dad44546361dd81f0574cbf9cdbf1b945d01c4fe1f4a98e7c5263N.exe
"C:\Users\Admin\AppData\Local\Temp\8195c887325dad44546361dd81f0574cbf9cdbf1b945d01c4fe1f4a98e7c5263N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\SysWOW64\Nlqmmd32.exe
  C:\Windows\system32\Nlqmmd32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Windows\SysWOW64\Nbjeinje.exe
    C:\Windows\system32\Nbjeinje.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2356
  - - C:\Windows\SysWOW64\Nmfbpk32.exe
      C:\Windows\system32\Nmfbpk32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Windows\SysWOW64\Nfoghakb.exe
        
        C:\Windows\system32\Nfoghakb.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2756
      - C:\Windows\SysWOW64\Oaghki32.exe
        
        C:\Windows\system32\Oaghki32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\SysWOW64\Odgamdef.exe
        
        C:\Windows\system32\Odgamdef.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\Obmnna32.exe
        
        C:\Windows\system32\Obmnna32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\Ohiffh32.exe
        
        C:\Windows\system32\Ohiffh32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1156
        
        C:\Windows\SysWOW64\Pofkha32.exe
        
        C:\Windows\system32\Pofkha32.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\Phnpagdp.exe
        
        C:\Windows\system32\Phnpagdp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\SysWOW64\Pkoicb32.exe
        
        C:\Windows\system32\Pkoicb32.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\SysWOW64\Paiaplin.exe
        
        C:\Windows\system32\Paiaplin.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\SysWOW64\Pidfdofi.exe
        
        C:\Windows\system32\Pidfdofi.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\SysWOW64\Qppkfhlc.exe
        
        C:\Windows\system32\Qppkfhlc.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:236
        
        C:\Windows\SysWOW64\Apedah32.exe
        
        C:\Windows\system32\Apedah32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\Ahpifj32.exe
        
        C:\Windows\system32\Ahpifj32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2220
        
        C:\Windows\SysWOW64\Aakjdo32.exe
        
        C:\Windows\system32\Aakjdo32.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:924
        
        C:\Windows\SysWOW64\Adifpk32.exe
        
        C:\Windows\system32\Adifpk32.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1648
        
        C:\Windows\SysWOW64\Adlcfjgh.exe
        
        C:\Windows\system32\Adlcfjgh.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Agjobffl.exe
        
        C:\Windows\system32\Agjobffl.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2112
        
        C:\Windows\SysWOW64\Adnpkjde.exe
        
        C:\Windows\system32\Adnpkjde.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:568
        
        C:\Windows\SysWOW64\Bhjlli32.exe
        
        C:\Windows\system32\Bhjlli32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2160
        
        C:\Windows\SysWOW64\Bkhhhd32.exe
        
        C:\Windows\system32\Bkhhhd32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1096
        
        C:\Windows\SysWOW64\Bnfddp32.exe
        
        C:\Windows\system32\Bnfddp32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:528
        
        C:\Windows\SysWOW64\Bkjdndjo.exe
        
        C:\Windows\system32\Bkjdndjo.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1576
        
        C:\Windows\SysWOW64\Bdcifi32.exe
        
        C:\Windows\system32\Bdcifi32.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2336
        
        C:\Windows\SysWOW64\Bjpaop32.exe
        
        C:\Windows\system32\Bjpaop32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2836
        
        C:\Windows\SysWOW64\Bnknoogp.exe
        
        C:\Windows\system32\Bnknoogp.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2664
        
        C:\Windows\SysWOW64\Boljgg32.exe
        
        C:\Windows\system32\Boljgg32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2776
        
        C:\Windows\SysWOW64\Bjbndpmd.exe
        
        C:\Windows\system32\Bjbndpmd.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Boogmgkl.exe
        
        C:\Windows\system32\Boogmgkl.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Bfioia32.exe
        
        C:\Windows\system32\Bfioia32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2588
        
        C:\Windows\SysWOW64\Bkegah32.exe
        
        C:\Windows\system32\Bkegah32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Cbppnbhm.exe
        
        C:\Windows\system32\Cbppnbhm.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Cenljmgq.exe
        
        C:\Windows\system32\Cenljmgq.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:320
        
        C:\Windows\SysWOW64\Cocphf32.exe
        
        C:\Windows\system32\Cocphf32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Cnfqccna.exe
        
        C:\Windows\system32\Cnfqccna.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:556
        
        C:\Windows\SysWOW64\Cgoelh32.exe
        
        C:\Windows\system32\Cgoelh32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\Cbdiia32.exe
        
        C:\Windows\system32\Cbdiia32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:112
        
        C:\Windows\SysWOW64\Cebeem32.exe
        
        C:\Windows\system32\Cebeem32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3036
        
        C:\Windows\SysWOW64\Cnkjnb32.exe
        
        C:\Windows\system32\Cnkjnb32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1740
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1412
        
        C:\Windows\SysWOW64\Cegoqlof.exe
        
        C:\Windows\system32\Cegoqlof.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1596
        
        C:\Windows\SysWOW64\Cgfkmgnj.exe
        
        C:\Windows\system32\Cgfkmgnj.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Windows\SysWOW64\Cfhkhd32.exe
        
        C:\Windows\system32\Cfhkhd32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1076
        
        C:\Windows\SysWOW64\Danpemej.exe
        
        C:\Windows\system32\Danpemej.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:792
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 144
        51⤵
        Program crash
        
        PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aakjdo32.exe

Filesize
713KB

MD5
2bac216f71f91cd320524916167b7208

SHA1
07cc61eb27a4f98f6f1ef2b10dae0dd2943f84e8

SHA256
2a05b556b69ff7c4d4f30472d0442ef9459d65e8f7266a4de130ddfad70efa66

SHA512
a0558f1951f31688d53976ea13539c99c3b7951f795256fd1d9788edeba7d1e51ad6fe460aca9bfd1668174764ffdbdb6d84c9d69f297b25ccc5c1b70dffa49d

Download Submit
C:\Windows\SysWOW64\Adifpk32.exe

Filesize
713KB

MD5
301736fa49acbe6bd14a638f1ebb5349

SHA1
c1d1da3680e4295e9e8a0ad63a422bf4da5557e8

SHA256
1c1b5cec47cf549b1c07973b6c9e493763beeb446543374f8352fdcee45c871d

SHA512
b012aa87596699b7493909cb7c8c86c80a6dbcfa896e18e4bff40d09f0564f59e74f62d0b0491f2422de591dfa192659712ee7f2c65425c080298cf956971883

Download Submit
C:\Windows\SysWOW64\Adlcfjgh.exe

Filesize
713KB

MD5
0b231a44bcdc99a71a55d618998f2214

SHA1
e76dd8417657ef7c051348f0c3fc86ae39aecd6c

SHA256
ecf2a44e74a3cbe6e17ec10ea2cb8a1c0caa1ab7c143659d276af6a4dda20e25

SHA512
26576848268fc743a0d3cdefb6ef0666c9dba84979ca875e8789089df583300d97a6518400ea59d6ad244a2ed959deb5b67aeede016a77a2f93b1e7c0793c631

Download Submit
C:\Windows\SysWOW64\Adnpkjde.exe

Filesize
713KB

MD5
1e06f1f2bdd990bae6427c4d6edf0733

SHA1
179919b6a7ff6da68d1e37c6b60ed33f2402eeb6

SHA256
f7735229b1949452283046635e5ca9657241cf7de04fd11ce37ce5f80214e269

SHA512
e14e5f7d8e3a5a18eab37edb8f1bbefd7c66bc16a8a38a2e42cf99acecb04505e0168fd5b179f97ed7ee5ae1b58ed924b125824e901747706c33b526c50ea370

Download Submit
C:\Windows\SysWOW64\Agjobffl.exe

Filesize
713KB

MD5
51e3b0b19eb36198bec4d5ef7512f223

SHA1
80d6f38b0e41771f6ccff8412a2e8873699f1831

SHA256
e2088f674a3f737300cc5e468f528bf32f13e87059cc84527681a6578800b155

SHA512
ebb2759927709adab8208bc69d5a283377d5800625f66be9b721a372cf1cb05c6444a4b7dcbdc2e022d799f45c99645da082f8f22e08babb8fcb01646e39e4c3

Download Submit
C:\Windows\SysWOW64\Bdcifi32.exe

Filesize
713KB

MD5
618f2f4bb04d2dbfa3d9a52715ac2508

SHA1
d0deb8883b2ca50a3f7637438811db0f8315ed6f

SHA256
be4a6c12df518dce327547cb661d5adee5a65e5b6c935dd333d3576105694e21

SHA512
3d580b64c257aff7dc794522fcf16374fdb1685ca2f4ae654528a35c1bbdedae6025a84d08660e4909fa23d4ef0ea0cbe8cf40956a3df53826be2db22f35229d

Download Submit
C:\Windows\SysWOW64\Bfioia32.exe

Filesize
713KB

MD5
4eee6f9fd0d1354df025d768c8e96b52

SHA1
38312d9140687848c006eb795014f0dcf4f66013

SHA256
fdce7674787da809e547278e162d965c09861d036b4d187e9d7678360ebcc186

SHA512
193059143fc9e3694980d9e0dbb783a1a34b61c9fbbbd0776f6c70c60927d5641cce4f87b536455af611968059f453e9e5799df0d58c2cb4483a1c474a80c23d

Download Submit
C:\Windows\SysWOW64\Bhjlli32.exe

Filesize
713KB

MD5
bce7e7559599a6d1d6fdd0f6ad1419a4

SHA1
894d063b3af1e1d7f1885b11dadacc5e1c05caec

SHA256
682ec92def8d81ec9954151a193a7aad766a1ad1911450c921dfbbad79b55f0b

SHA512
6531102fd2b56b1143586507cd1f07b77b6c5582378114e34c5f8424c302d7a006320f5f7a855be848d1243c7c5f36ca48b68d5635746fc48fa0caa7f42dd1ef

Download Submit
C:\Windows\SysWOW64\Bjbndpmd.exe

Filesize
713KB

MD5
65c69a5542f1137c194c9557ee3b9c09

SHA1
fd420ae81e66a87ead4cbbd9e0dc82db38e4d1b1

SHA256
63cd32a0f2e8c34ceef13816d381b2fdde67ab694830c7d85b085693b6a85809

SHA512
d3e4d1aa147b2dc9facc1e443b1f9ba738993e1f4574e216b2bdd32af116bedbcb3e63926273081c0ec55fc2c91ef33b7960e24530da38ff26d337bb57335a2b

Download Submit
C:\Windows\SysWOW64\Bjpaop32.exe

Filesize
713KB

MD5
e76ba9ad5e74536d0e75f1c8893383fc

SHA1
b9096823dbdd3a97f530d0d010d8af5b5613847b

SHA256
d0cf9cf3c47ef97685f38d7a287f7547e0708590fadc8d4b095bb60d5b479847

SHA512
9ec722a159d3a169c1ea15f3df530c016e0cec550b6085fbe829ea0246022d5a6df57d5aa18180d92a91af57f7802f77104e4365d3c3e94d767835134d5e5c21

Download Submit
C:\Windows\SysWOW64\Bkegah32.exe

Filesize
713KB

MD5
01b0fa3705ce9f22b3de8b04f7561894

SHA1
111ae35777cc5ddc6791d9487746fcb5919e3e24

SHA256
d8efc3d3690136daf93fd3be1950d68bb1b1d97ee7c16519063135e2429d4057

SHA512
8fab0e2bd38ab66231636ef6d38400c89e2f575239e8de3765c598cf81ef73cf4a295b044ab845e2e9d75d6a5a77f780b3b487b9c7312861d3953050d52ca801

Download Submit
C:\Windows\SysWOW64\Bkhhhd32.exe

Filesize
713KB

MD5
403d765f65958837319034c57d7a7e81

SHA1
5ecdda60e402ea4bc68179167e1a843440bd8234

SHA256
0f525e3ab640a6c6ad8728fafea10001219d32c59742bcfb123fc3011e2d95ca

SHA512
b5970d0cfb26c6354a86a1ef62e5d3ca768a712d63044d788ff3a5d8888243ce8de4b02c74dbdf38f6ba2da64553592a7f12b3d72718e9dc1714bc4e3a7d1af6

Download Submit
C:\Windows\SysWOW64\Bkjdndjo.exe

Filesize
713KB

MD5
b6eebd50ce5bdc9f9af61b529340eca0

SHA1
ae013998c99cc11fb742ad886325ec4ed9c1b591

SHA256
d69d4b82a0d70ff4cc08d6a2ca599dd0ccc1cc789706d88fd5b4756353ecbc14

SHA512
0f81d54e1cc36b9bfb385213a5cc955fa57cc9c9aca616403dbad60ade4d5ff16327a711d3258bb1dd311d10175a6a6c6aec69ae62a79d5dc0ecf13f174d3d5d

Download Submit
C:\Windows\SysWOW64\Bnfddp32.exe

Filesize
713KB

MD5
2a3153a1c61d6be910f29976073d750f

SHA1
edc29924c03fd5aebaafbfbf308be44b136ebdc0

SHA256
17fc5a8cc24516a14a2486a7acd781f7dc89c55c2d916c41bac3273bb47eda70

SHA512
a4c597d8a519b975b302b32c0cf3f6d8a998e448133127815d5b92628d52dbdf3a647efb49bdd8b6469a6a5cea819175bd76f70f8186b425ce3e1cec482bafb9

Download Submit
C:\Windows\SysWOW64\Bnknoogp.exe

Filesize
713KB

MD5
c7369489e04ea0511a9e150ac3ad113e

SHA1
002d29b3ecd3e821bfcd89cd6559315f758f6ff6

SHA256
d10cd3980fa7b2050052b3179a8bc3f0c2659a322e84ab92c180ffc9ce3fe805

SHA512
a3dd300fdb8c0195cde4ad108ecaeb72b3a5fbded3b8e64a701a1bd8c5954a6ae2fe72f23ef8705618e79b077aca28c11095301a8e8b297246c64aaad7e59fc3

Download Submit
C:\Windows\SysWOW64\Boljgg32.exe

Filesize
713KB

MD5
80a13de6a91beb9134d642e11123e6d6

SHA1
fdba48882309ecb68f3226c0cb5c3479cd206b3d

SHA256
01b124e061f84b832bb4cacba27169e35bd906bf973cbbf9856208b3f33a1ac3

SHA512
64eaea1b533a8014ec220b81fdbaa22f39980c582e327142979f27e8415071b6639c7025fca59545a7cd676e4121a305a3b782cd067ac70825d9295a60825c7d

Download Submit
C:\Windows\SysWOW64\Boogmgkl.exe

Filesize
713KB

MD5
370b058c8eece2bf45a7ceb820e8b75a

SHA1
fde9252d804e23cd258e3899b2ee46badb2f2262

SHA256
e686cbd4ba41e341f43277c0c184552e7aef943d3e6e408b3f1c16aeee85d8da

SHA512
71cf00bf1c6fdd3755bbdfe9e83a172d0524690fa45b443ee9ea5d7dd4e853e1c7807115459b97a073393285791542f93b9ed3828f595c02f3ca4f8584eaa35a

Download Submit
C:\Windows\SysWOW64\Cbdiia32.exe

Filesize
713KB

MD5
b8e78f83ea83bbf5f33f750b6ae91c4e

SHA1
8fe86e7b372a86b01b6c05ce8fcb034f226fec01

SHA256
90bfbc7dbed2253f7d46f5ab0ee837a328c50237f68b163bdf7311ff174d0c95

SHA512
e9b6349b35ec3d3ba9e2d127798cc3851e6562aa63e025da6b10add7ba9fc8b924f76e4edc0cb97ac88265e2800b962628ae7f096f20825c57f26dacba7a7212

Download Submit
C:\Windows\SysWOW64\Cbppnbhm.exe

Filesize
713KB

MD5
61674ac41f9fc089a1f5e99547c70cfd

SHA1
69aafeaff5be5c28c9fff65560699ec04b385c95

SHA256
8aecee78ce1ebeae7bf3f2c43931b3ecd74cea98514e865d0e80d99e0013f7e4

SHA512
24c42e0464b4e872a9d44bd3994a2e1471eff99afbae07fb40aabd640d1aef3cecad3f2e1e4e740dc710c37c7f4b18f8b0c859970644ce411e42c65168654747

Download Submit
C:\Windows\SysWOW64\Cebeem32.exe

Filesize
713KB

MD5
293d2d7710c8b26e4b07512d2e127d1c

SHA1
0a20f3409ffdbfe895a30eff41bcfb5ff551fb3c

SHA256
a0db8fe5988e0eb6816b0783dc0a12118b5143a718da4e5cfdbb3e627a394b09

SHA512
d4a9528a8d2b05a4e11a232c3a7e902926ade181e01c060b6d5890be6b528edafc152b7e6ce6930a3adf4ca724470ca857ad2d23184be7095b7fe7d486e06fcb

Download Submit
C:\Windows\SysWOW64\Cegoqlof.exe

Filesize
713KB

MD5
fef0b46a3f063c3ee7b19d8502e8a839

SHA1
f7f8c52138d6bb4d4cf314e88c27e3ba51b29696

SHA256
ce9aa05503cc5391bfb863470caa45215cc1fdf436c9330d40d85364e7d3eaae

SHA512
47d1115b90e249a3692c9cde6be596ce1b2f8919eb11f9389e3b101c33a4821d1539a7aa51dbccd6aa16f4023f93c9296d07e2ef20ea99e706b3cbe5aec82233

Download Submit
C:\Windows\SysWOW64\Cenljmgq.exe

Filesize
713KB

MD5
09b8433fa9a8d2fa25bb14939c777f72

SHA1
264e4741dff53b60f817fc38249cbdc95f2f5e58

SHA256
d42b6b7f8a39ea083bec30ea6993d9730f120be955073f5506aafd769746cbf2

SHA512
bc8541f0b4a508b2768ac9e54abf1599ebc2b1a4fe6ca9c798e4d94c11e96fd3ceefd95d0f3e3eccc52fcfd868a2a632a3956fc35753e22c271142cb4c12f91b

Download Submit
C:\Windows\SysWOW64\Cfhkhd32.exe

Filesize
713KB

MD5
25bc8bf5331d2e33d49f5d6f26b58f02

SHA1
ffc3b30ee8abeedf0f80329318a47e28a0dbac2f

SHA256
634c04122cc2ef7a9479fa9a679ab33e089a8704571168d22d36dacc5467d4a0

SHA512
49484b317b74efdce395d43a41beba9d4ec5ab45c0a682a2f4e948839a1fbb7665eab8aa9601579609e3d3c7d0295f951ee2f995aa8500f2a02dd00d769cbc47

Download Submit
C:\Windows\SysWOW64\Cgaaah32.exe

Filesize
713KB

MD5
cbdfcf791abee703065d447651bd898c

SHA1
a8cd515adf0170c1153739aab930b1edca5820d9

SHA256
397fc0d86f76f4c0c428b7d647d62bc712d54e1906eaf2abd5c81becdbe30bf4

SHA512
75fea9831f4eaea7038b8e043c54959c7896edd422000072e7b7ba79477937b2416f9778711031050e5de43aee815f41bf0e280d9fed8de4b70e52c8346f6363

Download Submit
C:\Windows\SysWOW64\Cgcnghpl.exe

Filesize
713KB

MD5
fd363d312c53c3268fe0bbaccf13025d

SHA1
39d81c8326ac37871a597fde8e8d3bcb18e53c4f

SHA256
25f15238f858e515fddce873b93c33c4ee1ec72999d00473d348eac0b8849a35

SHA512
d26a524d3d1463d56954b814d892ffe464f4b96b13f7d9613422db51c6b2135f9d3b826514d83f16a94130c08fd421b68259422b11d81d9a3d096f9666f1aeed

Download Submit
C:\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
713KB

MD5
130e6d7dfdbdf044ece17ce890aad096

SHA1
7510d524f8441f111dee1d8204a5d76d9bdccb86

SHA256
6eb3ece4cc833524619df3f99f1856e4e01f259f9dd6a75f46fd8b41939b66e7

SHA512
906cbd51e868cdf3e21768ff3c12db5b21bcbedf0788cdfba25f0b9961598290ce0fae24590825e16f37cd5a138c56ed1241adbf7f1693decfa89be8f1a46522

Download Submit
C:\Windows\SysWOW64\Cgoelh32.exe

Filesize
713KB

MD5
2d5e5abae01b23ccee1151dc4aa15b4f

SHA1
0cc1d2894928aafce1d76ea0dd5c36585459309c

SHA256
e992ecba080d7d9dab5bc5b875ff2aaaa18c5d6039c18fe22313a1dd1ce88cff

SHA512
991cd310fd3716276974fc1f4e15b9ad26996c598a5f241e494c4c6c6a1b916de50667971578c94e96a66ca1a8b5884bff4b941a4ccdea2b9e31ab93d1865ace

Download Submit
C:\Windows\SysWOW64\Cnfqccna.exe

Filesize
713KB

MD5
cc7bbf40a7535847c1a715456c17366e

SHA1
28a058dfa161918bd379c35198e7a91d3e4f0a98

SHA256
772956a5d11f2af37c787e04299a24cdb084dcdfee2f9341c5cacdb55e1a9a7d

SHA512
0ece6a02e7f5975a7c111281fc5f2460e9c76396ae5423449f4874c4c00101f8455700ac9a8ccb6983fe2f4c514bf412321213f6c0ede76f7eef0d718e12b165

Download Submit
C:\Windows\SysWOW64\Cnkjnb32.exe

Filesize
713KB

MD5
46c14dc867932fd0e1a04a86e8f5041d

SHA1
99f4f7bdfb6943b66196e44e7ad802646e55d78d

SHA256
7fb1bcd4a317621834f589a1a05c7053f4d5cddc43403c8e41904d0f8f5f17d7

SHA512
3567a614a4cca741a7b86bb307e02bdf4982c1973bc196060ad3fe12fa96e8e851684f8723ede5c3505bafcb3a836b325d5f3bf40dd9490e7074ba8c656dbd8e

Download Submit
C:\Windows\SysWOW64\Cnmfdb32.exe

Filesize
713KB

MD5
0c0ff6d16d00b71f8fd4bcaa0422c5d8

SHA1
32de63ebb78775ca3e407355fb0924cbec68e753

SHA256
8bc8d7ca81306e85a6388ad496bd95fb0fadfdfe0798b9aebc92dfb6bb0e2fa9

SHA512
cea83b16ba9efc7158cbb94e59439e49574caae2ddf1c2c93c4aa19ec068c82ce5372059a4d73d046d19c555f63d2708430f5bc597d3f4fc837509b6ffe91dd3

Download Submit
C:\Windows\SysWOW64\Cocphf32.exe

Filesize
713KB

MD5
310c007605e6812822cb9b44a7cacde5

SHA1
a09fb5a762746c0a2555a6168281672d20e55256

SHA256
1d62dee94489d34a4ca9ea5300e4f36c45827375efdf52a2c31f2d0ef15d4fac

SHA512
1f1a6f47647352229a36d321ae5ac0979e9c8997427e3608bcb43a7c1a2fc705df091a17a693d70426f7dec5505da7e3036a003be9487f7107dd957cf17e80f6

Download Submit
C:\Windows\SysWOW64\Danpemej.exe

Filesize
713KB

MD5
85a447ba3ad928187b8a8332f9a734e9

SHA1
39d61108260cb87bb13448999aa2e8b32c95c82e

SHA256
8f9c0390932591aba726db38368a01b271e5816d6eebb03cbd00c234eb20c98c

SHA512
153b623c50e17746b3c3eaedc8f7b943336af22f52793dc29b172c0a28f999cf19a58f290d36a5dc617cd4df90027ec4cc94f8ae6333ded3f952575788b3086a

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
713KB

MD5
382501abc2743465f63e8d402466feca

SHA1
83e3501e871baf08e32287c306f85fdd067b3ed3

SHA256
b5f6080bf4abb20f3329e7b5e54a3507fa31732c0d95d31a71be3102acad30ce

SHA512
debfd0b9c7eb45fa23c46cbdca9eb5274e0bc48e3235beccef06345a1aafaf7b2431f67335e8764cc596dcba48cdb7cc0a4c97e7c4300aad4e3e6791bc2e74a7

Download Submit
C:\Windows\SysWOW64\Nbjeinje.exe

Filesize
713KB

MD5
9d739e7f3ced930045a4f893d036e3a7

SHA1
0f3a83af9201b1f85538c6346fcef6ed9148204c

SHA256
645be2a4649a9345dea9df3bb5a0bd261e130e5e24b7e990c757825182cc28f4

SHA512
03977e94cb6df003f06ca118c2c52749a5148bd18210d1a41a5ac6f760063f3d1ec6b7b005b98003bfa3087822270bc9d524a131049dd1737e3c0984dab3a490

Download Submit
C:\Windows\SysWOW64\Ohiffh32.exe

Filesize
713KB

MD5
344a2329440cd522bc148ca7e6b8a535

SHA1
99b342748911d9992c0a06dadf87650f46085c63

SHA256
e4799a1fba0c8da3bca3acde94bee565809f33ed3679e1561203ea45a38aacf5

SHA512
0904a74e7aef25ad01cf4e721589acf7302f9181018bafe7b1c9e346da59e9177b4bf52edc66a8e58f9cbf784716e45f5e575592d79c11f05d2cce1c86f3c6ff

Download Submit
C:\Windows\SysWOW64\Paiaplin.exe

Filesize
713KB

MD5
f04c11739fa99622aad3d245bec1a172

SHA1
9d6a2d12d0ab00745b2d333c2be98c4e1ac7c71a

SHA256
020196bc4945caa8b76b58d33f3aa12eb4619b975c80cffe567776f1ceb2bac0

SHA512
6ec4d16863977dc8705625abe18baad7c87e1386e8dc6ac8292948444af0c3ace9ae9686a7a441e5bba4956e17607994ecce41ec101606f2760d5349dd713848

Download Submit
C:\Windows\SysWOW64\Pkoicb32.exe

Filesize
713KB

MD5
0e8ddb1ee498d92d0f10ed2a5e8d7b48

SHA1
5101ca445a1c3b521ba5367a676d2a03f260393d

SHA256
e264d8133bb9bdaaf5318477c958a3b0aafab2355944e8ad3155830c9d17997d

SHA512
7e7a5f6dd8c0a9417c82857b2ecf98346eee83808552050f2e3a782764842d65160780363e035f3540c687b1f7cd356a91535d553cf83a51cc90c46be884a84d

Download Submit
C:\Windows\SysWOW64\Qppkfhlc.exe

Filesize
713KB

MD5
14abcdff82abddce098f46f14277560c

SHA1
834e8625fa4d8e53c65a42ab1a4623ff2a9c7235

SHA256
64a4ffbfb8a492baf4e18376b3d5df53fbddbd3bd80f6bf505d8c7425b22b46e

SHA512
e4414ca186e621a30c19396b41b993a18d13c64063bd424e2196499cce400e0af92753e6f271f7d615c74698c0c25f081397751f77c5a7a2fd711c9dd836659a

Download Submit
\Windows\SysWOW64\Ahpifj32.exe

Filesize
713KB

MD5
2dca6093bcb59651251b7b994191b5b5

SHA1
5a086f4e4ac748a88b905954b4a8c3962c07d7c7

SHA256
828d0a2a0ee02b5df9f29be4c0d869bf28180f3528aa759b6bd10371614e1e55

SHA512
89d8e51eb319e43950f144b6db0da2c2b41f46d26314a5bb068e716371fe0b1415480bbf5422b9e2ab8f6b99eebef41ca105eb3b7977693044978302be2a245e

Download Submit
\Windows\SysWOW64\Apedah32.exe

Filesize
713KB

MD5
e9c9cb1f98b34f253356ff751f62dd08

SHA1
f51c7461a8abaf24d789f68f3967b7807c29ac76

SHA256
ca58a744b2159fa3a06a4e6c02d0c76b23187b063646fade0f93d983b36988de

SHA512
acc9ed3168a0f33829ca72005b689363cb7aa8fcaa702c7cdc4915ca09a3fe8bcfd8cff90bb0c86cc171053f5969d8d18c5b9bccc402f63170222dae7ecd1bea

Download Submit
\Windows\SysWOW64\Nfoghakb.exe

Filesize
713KB

MD5
ad773607f8d9aa1a804669522a19bc67

SHA1
24dba17d395bbb9a72dc5522daa9d4b6f53e6bf4

SHA256
46597c026e693bb27ce11c0478c00bae14fffc05f9fd017d50396ffead294927

SHA512
e431dad987939cca5a92dddc7a892822a44a7674c1119345f688979d68dc6028ae658ac816b5fbba0440743b1680da342cd58bfd6b8b63a742521e4b274b6486

Download Submit
\Windows\SysWOW64\Nlqmmd32.exe

Filesize
713KB

MD5
c4d930a0784ef2dcc94a1085d0689e78

SHA1
17a3f6322211a56a55fad2854851f96df8f2d5bd

SHA256
72ae8cf5e88f621bff7832dc25fb7b8b17096c90190ec81525148f6a0110bb83

SHA512
df8652e634e35ab28156ea8a4f1ce84bb9fd701978fb2cdd7eac918e343435aa5df0558e35c9ae4b765d8a0c6f8fc4a46467c7dcdbac13f2265b641372f79f04

Download Submit
\Windows\SysWOW64\Nmfbpk32.exe

Filesize
713KB

MD5
0423435fa20fc7a8eb3c1edd9aae57c3

SHA1
f8d8a12b4d9240a77be004aa7775507dd5b4c90b

SHA256
6288416ea696796d8592b866aee3bfa23c0bbd03ff658b76e0271e451d2801dc

SHA512
7893db4480679593313b648ce00002804613ac1ca04c677d41fb89f9b06924e996291378c0c70b012f05e733573e539283d1f99c49fcddfbaf3124314e5ffee7

Download Submit
\Windows\SysWOW64\Oaghki32.exe

Filesize
713KB

MD5
9c498beac574a9d54f89f4596da83ee9

SHA1
cbede9b531ad8e90f209db0957db819602d5fa74

SHA256
73cd39a48e3a257f754c05fbf5c502573831613c6ac6f5027cd2155fa4e32c35

SHA512
b6ad77adfa9b290e2fef3a7ae21506320d20b571a0a27718b89148f50874ee794d2f01c0f067b845c4f0b021538e505b3dd7a9f087f8f4c9153bd09179e3501f

Download Submit
\Windows\SysWOW64\Obmnna32.exe

Filesize
713KB

MD5
70d3797cb5a1b911c3faac6c3f856ed5

SHA1
b7da9f02642453db122f100ce8a98e06940f6e49

SHA256
9da55f8776a2f083d4b559e7f3593195edb4683c21ef043c815a9aae4a731ec4

SHA512
74df852b67a35ed9e148e74ab880f7df211c21be00782434c3ae6dca8def15a42e44904d7010611e246b2040925a4b4e3cf597ccbc2a9514acb354faefe9bb26

Download Submit
\Windows\SysWOW64\Odgamdef.exe

Filesize
713KB

MD5
94f19c20095907afd4e6c826cfc946f6

SHA1
a68fca5062df2e8cd094db20009881b46a903c40

SHA256
96fefd9ba5be449b417ce71ea0bd50a8f50facdedd78b68420e7d5821b6d09c8

SHA512
697c98b8751262d0617c94fc2fc972690c25ea6113a8d03d3f052612224ba1ef8aafe80bbfb3e0df3e6aad4fedd87f6276fd0bf470ac0acab42e6b9f9877a572

Download Submit
\Windows\SysWOW64\Phnpagdp.exe

Filesize
713KB

MD5
413a5f3fced2da4de0f9c242e3881c57

SHA1
8f2ec4d90d7eea63d4baace3a87ece112ee8d0b6

SHA256
dab20dd1c37fc699bff8d5800b8098a34314c2e3d05e8070b721b75b1fb16d2d

SHA512
92d6fc37abb1561eefcbda0cab5a3ad140691d7fe1c0e08cba9d1c1f9ba771d16955a01eca952f0c16214b6cc35b564e782efba397b6026e076f279e8b454053

Download Submit
\Windows\SysWOW64\Pidfdofi.exe

Filesize
713KB

MD5
59e2d928065961fbcb536903bb757d8a

SHA1
da696c2e17b642e2a29805629cd63eeaa78b7bd3

SHA256
66f7c006cbb4f6c4e6716dfe5a8532c4a01f94013fcba4e10ee932d5ebcc4b8f

SHA512
eb5736cfa4b9e5630af5d0f9a758deb9582ac76f4de868fa1cdcee0645995c0f49f7a8ddd91ce0a19ee063fa8da934dc5f272ac6492da22cc480b63acde19f01

Download Submit
\Windows\SysWOW64\Pofkha32.exe

Filesize
713KB

MD5
205ff85ebb93eb326b87c24e8dc4d499

SHA1
c1a36879108dd8cae6aba95727aa59df004d6f05

SHA256
a6dba577f37d48c4b230c5afdabc60dd3a7f8455e75ffff1b748671d08e3267f

SHA512
713ff5e713176de386ea3bbe913e568029de4d775a7f2d0718a5837003fbe4643be20fae2b73607707f8cb25a2b88fadff574c7f6c94d42d6e30a1ac9d0b5068

Download Submit
memory/112-475-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/112-469-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/236-204-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/236-210-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/236-197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/320-433-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/528-302-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/528-613-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/528-309-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/528-312-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/556-450-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/568-277-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/924-238-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/924-243-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/1064-183-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1064-195-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1096-301-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1156-114-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1156-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1156-122-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1504-176-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/1504-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1504-181-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/1504-487-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/1504-481-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1576-313-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1576-323-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/1576-322-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/1648-244-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1648-250-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1748-456-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1864-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2112-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2112-269-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2160-612-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2160-292-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2160-291-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2160-282-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2208-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2208-344-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2208-17-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2208-18-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2208-345-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2220-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2252-377-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2284-380-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2324-402-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2336-332-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2336-333-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2356-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2356-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2356-36-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2480-26-0x0000000001F40000-0x0000000001F73000-memory.dmp

Filesize
204KB

Download
memory/2480-19-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2480-27-0x0000000001F40000-0x0000000001F73000-memory.dmp

Filesize
204KB

Download
memory/2480-356-0x0000000001F40000-0x0000000001F73000-memory.dmp

Filesize
204KB

Download
memory/2492-476-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2492-486-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2588-391-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2636-102-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2636-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2664-355-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2664-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2704-51-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2704-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2704-378-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2704-379-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2720-84-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2720-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2720-401-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2720-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2720-85-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2728-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2728-87-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2728-413-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2728-94-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2756-69-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2756-70-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2756-386-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2756-390-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2756-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-367-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2776-368-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2776-361-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2836-343-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/2836-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2848-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2848-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2856-166-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2856-471-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2856-154-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2884-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2884-445-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-443-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2900-434-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-444-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2940-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2940-420-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads