berbew | 434aa075d44963439bb2c5bdfa9a3549461aa6be8f3e22a1707d9415c1eab97c

Analysis

max time kernel
119s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 16:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

434aa075d44963439bb2c5bdfa9a3549461aa6be8f3e22a1707d9415c1eab97cN.exe
Size

187KB
MD5

824559e42651b638d00634de32cc5400
SHA1

1cfff874cb42a553bf5a35382ce89fd3c65fc13f
SHA256

434aa075d44963439bb2c5bdfa9a3549461aa6be8f3e22a1707d9415c1eab97c
SHA512

30e92c1926825a33bf77ccd62e2f4486ac6f6d8f92c258659195510ca6b7f7848d37759bc765a961406757b7c88db494a473d3e8d12e534a339b0adcccdfb3b5
SSDEEP

3072:zlSa4nmX4iJFOkktaBUfClil9ifUvVgtRQ2c+tlB5xpWJLM77OkeCK2+hDueH:zcbmNXktahlY1vV+tbFOLM77OLLt

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njfjnpgp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nenkqi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oippjl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pepcelel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apgagg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pepcelel.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoojnc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmeiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmpkqklh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nefdpjkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Plgolf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajpepm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aakjdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlnpgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oippjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odgamdef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Plgolf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppnnai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qgmpibam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhjjgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oekjjl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmmeon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qdlggg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajpepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aoojnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pafdjmkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgaebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odgamdef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdlggg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aakjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgllgedi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oekjjl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pidfdofi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Alihaioe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aficjnpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bkegah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	434aa075d44963439bb2c5bdfa9a3549461aa6be8f3e22a1707d9415c1eab97cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Opglafab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oibmpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oibmpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aebmjo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjobffl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bbbpenco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nhjjgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmmeon32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apgagg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpkqklh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caifjn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Clojhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegoqlof.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 50 IoCs

pid	Process
680	Nlnpgd32.exe
2772	Nefdpjkl.exe
2788	Nbjeinje.exe
2692	Njfjnpgp.exe
2776	Nhjjgd32.exe
1564	Nenkqi32.exe
2756	Opglafab.exe
2108	Oippjl32.exe
1908	Oibmpl32.exe
2000	Odgamdef.exe
1812	Opnbbe32.exe
2676	Oekjjl32.exe
2960	Plgolf32.exe
2684	Pepcelel.exe
2216	Pafdjmkq.exe
1132	Pmmeon32.exe
1604	Pidfdofi.exe
820	Ppnnai32.exe
2456	Qdlggg32.exe
2540	Qndkpmkm.exe
924	Qgmpibam.exe
2248	Alihaioe.exe
844	Aebmjo32.exe
1700	Apgagg32.exe
1352	Ajpepm32.exe
2532	Aakjdo32.exe
1392	Aoojnc32.exe
2872	Aficjnpm.exe
2748	Agjobffl.exe
2096	Bgllgedi.exe
2588	Bbbpenco.exe
2636	Bjmeiq32.exe
1200	Bgaebe32.exe
1648	Bmnnkl32.exe
2852	Bmpkqklh.exe
1816	Bcjcme32.exe
760	Bkegah32.exe
2276	Cfkloq32.exe
2268	Ciihklpj.exe
2160	Cbblda32.exe
2564	Cpfmmf32.exe
1896	Cbdiia32.exe
1472	Cnkjnb32.exe
2468	Caifjn32.exe
2840	Clojhf32.exe
2260	Cmpgpond.exe
876	Cegoqlof.exe
1576	Cfhkhd32.exe
2300	Dmbcen32.exe
2696	Dpapaj32.exe

Loads dropped DLL 64 IoCs

pid	Process
2512	434aa075d44963439bb2c5bdfa9a3549461aa6be8f3e22a1707d9415c1eab97cN.exe
2512	434aa075d44963439bb2c5bdfa9a3549461aa6be8f3e22a1707d9415c1eab97cN.exe
680	Nlnpgd32.exe
680	Nlnpgd32.exe
2772	Nefdpjkl.exe
2772	Nefdpjkl.exe
2788	Nbjeinje.exe
2788	Nbjeinje.exe
2692	Njfjnpgp.exe
2692	Njfjnpgp.exe
2776	Nhjjgd32.exe
2776	Nhjjgd32.exe
1564	Nenkqi32.exe
1564	Nenkqi32.exe
2756	Opglafab.exe
2756	Opglafab.exe
2108	Oippjl32.exe
2108	Oippjl32.exe
1908	Oibmpl32.exe
1908	Oibmpl32.exe
2000	Odgamdef.exe
2000	Odgamdef.exe
1812	Opnbbe32.exe
1812	Opnbbe32.exe
2676	Oekjjl32.exe
2676	Oekjjl32.exe
2960	Plgolf32.exe
2960	Plgolf32.exe
2684	Pepcelel.exe
2684	Pepcelel.exe
2216	Pafdjmkq.exe
2216	Pafdjmkq.exe
1132	Pmmeon32.exe
1132	Pmmeon32.exe
1604	Pidfdofi.exe
1604	Pidfdofi.exe
820	Ppnnai32.exe
820	Ppnnai32.exe
2456	Qdlggg32.exe
2456	Qdlggg32.exe
2540	Qndkpmkm.exe
2540	Qndkpmkm.exe
924	Qgmpibam.exe
924	Qgmpibam.exe
2248	Alihaioe.exe
2248	Alihaioe.exe
844	Aebmjo32.exe
844	Aebmjo32.exe
1700	Apgagg32.exe
1700	Apgagg32.exe
1352	Ajpepm32.exe
1352	Ajpepm32.exe
2532	Aakjdo32.exe
2532	Aakjdo32.exe
1392	Aoojnc32.exe
1392	Aoojnc32.exe
2872	Aficjnpm.exe
2872	Aficjnpm.exe
2748	Agjobffl.exe
2748	Agjobffl.exe
2096	Bgllgedi.exe
2096	Bgllgedi.exe
2588	Bbbpenco.exe
2588	Bbbpenco.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Aebmjo32.exe	Alihaioe.exe
File opened for modification	C:\Windows\SysWOW64\Bgllgedi.exe	Agjobffl.exe
File opened for modification	C:\Windows\SysWOW64\Cmpgpond.exe	Clojhf32.exe
File created	C:\Windows\SysWOW64\Oibmpl32.exe	Oippjl32.exe
File created	C:\Windows\SysWOW64\Dafqii32.dll	Odgamdef.exe
File opened for modification	C:\Windows\SysWOW64\Ppnnai32.exe	Pidfdofi.exe
File opened for modification	C:\Windows\SysWOW64\Bgaebe32.exe	Bjmeiq32.exe
File created	C:\Windows\SysWOW64\Oabhggjd.dll	Bjmeiq32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Hnoefj32.dll	Njfjnpgp.exe
File opened for modification	C:\Windows\SysWOW64\Odgamdef.exe	Oibmpl32.exe
File created	C:\Windows\SysWOW64\Incjbkig.dll	Aebmjo32.exe
File created	C:\Windows\SysWOW64\Bjmeiq32.exe	Bbbpenco.exe
File created	C:\Windows\SysWOW64\Godonkii.dll	Bgaebe32.exe
File opened for modification	C:\Windows\SysWOW64\Pmmeon32.exe	Pafdjmkq.exe
File created	C:\Windows\SysWOW64\Ciihklpj.exe	Cfkloq32.exe
File created	C:\Windows\SysWOW64\Pcaibd32.dll	Clojhf32.exe
File created	C:\Windows\SysWOW64\Nefdpjkl.exe	Nlnpgd32.exe
File opened for modification	C:\Windows\SysWOW64\Qdlggg32.exe	Ppnnai32.exe
File created	C:\Windows\SysWOW64\Alppmhnm.dll	Aoojnc32.exe
File opened for modification	C:\Windows\SysWOW64\Bmpkqklh.exe	Bmnnkl32.exe
File created	C:\Windows\SysWOW64\Nefamd32.dll	Cbblda32.exe
File created	C:\Windows\SysWOW64\Fhgpia32.dll	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Khpjqgjc.dll	Alihaioe.exe
File created	C:\Windows\SysWOW64\Aoojnc32.exe	Aakjdo32.exe
File opened for modification	C:\Windows\SysWOW64\Nefdpjkl.exe	Nlnpgd32.exe
File created	C:\Windows\SysWOW64\Nhjjgd32.exe	Njfjnpgp.exe
File created	C:\Windows\SysWOW64\Opnbbe32.exe	Odgamdef.exe
File opened for modification	C:\Windows\SysWOW64\Pidfdofi.exe	Pmmeon32.exe
File created	C:\Windows\SysWOW64\Jhbcjo32.dll	Ppnnai32.exe
File opened for modification	C:\Windows\SysWOW64\Qndkpmkm.exe	Qdlggg32.exe
File created	C:\Windows\SysWOW64\Hiablm32.dll	Bmpkqklh.exe
File created	C:\Windows\SysWOW64\Bkegah32.exe	Bcjcme32.exe
File created	C:\Windows\SysWOW64\Nloone32.dll	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Cfhkhd32.exe	Cegoqlof.exe
File opened for modification	C:\Windows\SysWOW64\Dmbcen32.exe	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Npbdcgjh.dll	Nbjeinje.exe
File created	C:\Windows\SysWOW64\Aficjnpm.exe	Aoojnc32.exe
File opened for modification	C:\Windows\SysWOW64\Nbjeinje.exe	Nefdpjkl.exe
File created	C:\Windows\SysWOW64\Onaiomjo.dll	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\Njfjnpgp.exe	Nbjeinje.exe
File created	C:\Windows\SysWOW64\Mgcchb32.dll	Nhjjgd32.exe
File created	C:\Windows\SysWOW64\Bnjdhe32.dll	Bcjcme32.exe
File created	C:\Windows\SysWOW64\Cfkloq32.exe	Bkegah32.exe
File created	C:\Windows\SysWOW64\Gjhmge32.dll	Cfkloq32.exe
File created	C:\Windows\SysWOW64\Liempneg.dll	Cbdiia32.exe
File created	C:\Windows\SysWOW64\Oghnkh32.dll	Bkegah32.exe
File created	C:\Windows\SysWOW64\Fkdqjn32.dll	Cegoqlof.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Pfqgfg32.dll	Qdlggg32.exe
File created	C:\Windows\SysWOW64\Ajpepm32.exe	Apgagg32.exe
File created	C:\Windows\SysWOW64\Bgaebe32.exe	Bjmeiq32.exe
File opened for modification	C:\Windows\SysWOW64\Clojhf32.exe	Caifjn32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File opened for modification	C:\Windows\SysWOW64\Plgolf32.exe	Oekjjl32.exe
File created	C:\Windows\SysWOW64\Nhiejpim.dll	Pidfdofi.exe
File created	C:\Windows\SysWOW64\Qdlggg32.exe	Ppnnai32.exe
File created	C:\Windows\SysWOW64\Dicdjqhf.dll	Qgmpibam.exe
File opened for modification	C:\Windows\SysWOW64\Ciihklpj.exe	Cfkloq32.exe
File opened for modification	C:\Windows\SysWOW64\Cbdiia32.exe	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Cpfmmf32.exe	Cbblda32.exe
File created	C:\Windows\SysWOW64\Kagflkia.dll	Nlnpgd32.exe
File created	C:\Windows\SysWOW64\Baepmlkg.dll	Oippjl32.exe
File opened for modification	C:\Windows\SysWOW64\Pepcelel.exe	Plgolf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2864	2696	WerFault.exe	80

System Location Discovery: System Language Discovery 1 TTPs 51 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oibmpl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oekjjl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aebmjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aficjnpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkegah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpgpond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Plgolf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajpepm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoojnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	434aa075d44963439bb2c5bdfa9a3549461aa6be8f3e22a1707d9415c1eab97cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmmeon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmeiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmnnkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjcme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pidfdofi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdlggg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apgagg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aakjdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbbpenco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlnpgd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppnnai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qndkpmkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdiia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegoqlof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pepcelel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pafdjmkq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbjeinje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njfjnpgp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oippjl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgmpibam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgaebe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nefdpjkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhjjgd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nenkqi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opglafab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odgamdef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opnbbe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alihaioe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjobffl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgllgedi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpkqklh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfkloq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciihklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbblda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkjnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caifjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clojhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhkhd32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nlnpgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npbdcgjh.dll"	Nbjeinje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pepcelel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Agjobffl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oabhggjd.dll"	Bjmeiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efeckm32.dll"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbjeinje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbjeinje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aakjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmpkqklh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdqjn32.dll"	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Opnbbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qdlggg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Apgagg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ednoihel.dll"	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njfjnpgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oibmpl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Odgamdef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oekjjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aakjdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgllgedi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgmdailj.dll"	Bbbpenco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fikbiheg.dll"	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oippjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Odgamdef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apqcdckf.dll"	Pepcelel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdaehcom.dll"	Apgagg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nefamd32.dll"	Cbblda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onaiomjo.dll"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njfjnpgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcchb32.dll"	Nhjjgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfiocpon.dll"	Nenkqi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oekjjl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aoojnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjclbek.dll"	Ajpepm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjmeiq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bcjcme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liempneg.dll"	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	434aa075d44963439bb2c5bdfa9a3549461aa6be8f3e22a1707d9415c1eab97cN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	434aa075d44963439bb2c5bdfa9a3549461aa6be8f3e22a1707d9415c1eab97cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Alihaioe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aficjnpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjmeignj.dll"	Agjobffl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaaded32.dll"	Pmmeon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibbklamb.dll"	Aakjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjhmge32.dll"	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnoefj32.dll"	Njfjnpgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Apgagg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alppmhnm.dll"	Aoojnc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nhjjgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cpfmmf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 680	2512	434aa075d44963439bb2c5bdfa9a3549461aa6be8f3e22a1707d9415c1eab97cN.exe	31
PID 2512 wrote to memory of 680	2512	434aa075d44963439bb2c5bdfa9a3549461aa6be8f3e22a1707d9415c1eab97cN.exe	31
PID 2512 wrote to memory of 680	2512	434aa075d44963439bb2c5bdfa9a3549461aa6be8f3e22a1707d9415c1eab97cN.exe	31
PID 2512 wrote to memory of 680	2512	434aa075d44963439bb2c5bdfa9a3549461aa6be8f3e22a1707d9415c1eab97cN.exe	31
PID 680 wrote to memory of 2772	680	Nlnpgd32.exe	32
PID 680 wrote to memory of 2772	680	Nlnpgd32.exe	32
PID 680 wrote to memory of 2772	680	Nlnpgd32.exe	32
PID 680 wrote to memory of 2772	680	Nlnpgd32.exe	32
PID 2772 wrote to memory of 2788	2772	Nefdpjkl.exe	33
PID 2772 wrote to memory of 2788	2772	Nefdpjkl.exe	33
PID 2772 wrote to memory of 2788	2772	Nefdpjkl.exe	33
PID 2772 wrote to memory of 2788	2772	Nefdpjkl.exe	33
PID 2788 wrote to memory of 2692	2788	Nbjeinje.exe	34
PID 2788 wrote to memory of 2692	2788	Nbjeinje.exe	34
PID 2788 wrote to memory of 2692	2788	Nbjeinje.exe	34
PID 2788 wrote to memory of 2692	2788	Nbjeinje.exe	34
PID 2692 wrote to memory of 2776	2692	Njfjnpgp.exe	35
PID 2692 wrote to memory of 2776	2692	Njfjnpgp.exe	35
PID 2692 wrote to memory of 2776	2692	Njfjnpgp.exe	35
PID 2692 wrote to memory of 2776	2692	Njfjnpgp.exe	35
PID 2776 wrote to memory of 1564	2776	Nhjjgd32.exe	36
PID 2776 wrote to memory of 1564	2776	Nhjjgd32.exe	36
PID 2776 wrote to memory of 1564	2776	Nhjjgd32.exe	36
PID 2776 wrote to memory of 1564	2776	Nhjjgd32.exe	36
PID 1564 wrote to memory of 2756	1564	Nenkqi32.exe	37
PID 1564 wrote to memory of 2756	1564	Nenkqi32.exe	37
PID 1564 wrote to memory of 2756	1564	Nenkqi32.exe	37
PID 1564 wrote to memory of 2756	1564	Nenkqi32.exe	37
PID 2756 wrote to memory of 2108	2756	Opglafab.exe	38
PID 2756 wrote to memory of 2108	2756	Opglafab.exe	38
PID 2756 wrote to memory of 2108	2756	Opglafab.exe	38
PID 2756 wrote to memory of 2108	2756	Opglafab.exe	38
PID 2108 wrote to memory of 1908	2108	Oippjl32.exe	39
PID 2108 wrote to memory of 1908	2108	Oippjl32.exe	39
PID 2108 wrote to memory of 1908	2108	Oippjl32.exe	39
PID 2108 wrote to memory of 1908	2108	Oippjl32.exe	39
PID 1908 wrote to memory of 2000	1908	Oibmpl32.exe	40
PID 1908 wrote to memory of 2000	1908	Oibmpl32.exe	40
PID 1908 wrote to memory of 2000	1908	Oibmpl32.exe	40
PID 1908 wrote to memory of 2000	1908	Oibmpl32.exe	40
PID 2000 wrote to memory of 1812	2000	Odgamdef.exe	41
PID 2000 wrote to memory of 1812	2000	Odgamdef.exe	41
PID 2000 wrote to memory of 1812	2000	Odgamdef.exe	41
PID 2000 wrote to memory of 1812	2000	Odgamdef.exe	41
PID 1812 wrote to memory of 2676	1812	Opnbbe32.exe	42
PID 1812 wrote to memory of 2676	1812	Opnbbe32.exe	42
PID 1812 wrote to memory of 2676	1812	Opnbbe32.exe	42
PID 1812 wrote to memory of 2676	1812	Opnbbe32.exe	42
PID 2676 wrote to memory of 2960	2676	Oekjjl32.exe	43
PID 2676 wrote to memory of 2960	2676	Oekjjl32.exe	43
PID 2676 wrote to memory of 2960	2676	Oekjjl32.exe	43
PID 2676 wrote to memory of 2960	2676	Oekjjl32.exe	43
PID 2960 wrote to memory of 2684	2960	Plgolf32.exe	44
PID 2960 wrote to memory of 2684	2960	Plgolf32.exe	44
PID 2960 wrote to memory of 2684	2960	Plgolf32.exe	44
PID 2960 wrote to memory of 2684	2960	Plgolf32.exe	44
PID 2684 wrote to memory of 2216	2684	Pepcelel.exe	45
PID 2684 wrote to memory of 2216	2684	Pepcelel.exe	45
PID 2684 wrote to memory of 2216	2684	Pepcelel.exe	45
PID 2684 wrote to memory of 2216	2684	Pepcelel.exe	45
PID 2216 wrote to memory of 1132	2216	Pafdjmkq.exe	46
PID 2216 wrote to memory of 1132	2216	Pafdjmkq.exe	46
PID 2216 wrote to memory of 1132	2216	Pafdjmkq.exe	46
PID 2216 wrote to memory of 1132	2216	Pafdjmkq.exe	46

C:\Users\Admin\AppData\Local\Temp\434aa075d44963439bb2c5bdfa9a3549461aa6be8f3e22a1707d9415c1eab97cN.exe
"C:\Users\Admin\AppData\Local\Temp\434aa075d44963439bb2c5bdfa9a3549461aa6be8f3e22a1707d9415c1eab97cN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Windows\SysWOW64\Nlnpgd32.exe
  C:\Windows\system32\Nlnpgd32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:680
- - C:\Windows\SysWOW64\Nefdpjkl.exe
    C:\Windows\system32\Nefdpjkl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Windows\SysWOW64\Nbjeinje.exe
      C:\Windows\system32\Nbjeinje.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2788
    - - C:\Windows\SysWOW64\Njfjnpgp.exe
        
        C:\Windows\system32\Njfjnpgp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2692
      - C:\Windows\SysWOW64\Nhjjgd32.exe
        
        C:\Windows\system32\Nhjjgd32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\SysWOW64\Nenkqi32.exe
        
        C:\Windows\system32\Nenkqi32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\SysWOW64\Opglafab.exe
        
        C:\Windows\system32\Opglafab.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\SysWOW64\Oippjl32.exe
        
        C:\Windows\system32\Oippjl32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\Oibmpl32.exe
        
        C:\Windows\system32\Oibmpl32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\SysWOW64\Odgamdef.exe
        
        C:\Windows\system32\Odgamdef.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\SysWOW64\Opnbbe32.exe
        
        C:\Windows\system32\Opnbbe32.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Windows\SysWOW64\Oekjjl32.exe
        
        C:\Windows\system32\Oekjjl32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\SysWOW64\Plgolf32.exe
        
        C:\Windows\system32\Plgolf32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\Pepcelel.exe
        
        C:\Windows\system32\Pepcelel.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\SysWOW64\Pafdjmkq.exe
        
        C:\Windows\system32\Pafdjmkq.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SysWOW64\Pmmeon32.exe
        
        C:\Windows\system32\Pmmeon32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1132
        
        C:\Windows\SysWOW64\Pidfdofi.exe
        
        C:\Windows\system32\Pidfdofi.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1604
        
        C:\Windows\SysWOW64\Ppnnai32.exe
        
        C:\Windows\system32\Ppnnai32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:820
        
        C:\Windows\SysWOW64\Qdlggg32.exe
        
        C:\Windows\system32\Qdlggg32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2456
        
        C:\Windows\SysWOW64\Qndkpmkm.exe
        
        C:\Windows\system32\Qndkpmkm.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2540
        
        C:\Windows\SysWOW64\Qgmpibam.exe
        
        C:\Windows\system32\Qgmpibam.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:924
        
        C:\Windows\SysWOW64\Alihaioe.exe
        
        C:\Windows\system32\Alihaioe.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Aebmjo32.exe
        
        C:\Windows\system32\Aebmjo32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:844
        
        C:\Windows\SysWOW64\Apgagg32.exe
        
        C:\Windows\system32\Apgagg32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1700
        
        C:\Windows\SysWOW64\Ajpepm32.exe
        
        C:\Windows\system32\Ajpepm32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1352
        
        C:\Windows\SysWOW64\Aakjdo32.exe
        
        C:\Windows\system32\Aakjdo32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Aoojnc32.exe
        
        C:\Windows\system32\Aoojnc32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1392
        
        C:\Windows\SysWOW64\Aficjnpm.exe
        
        C:\Windows\system32\Aficjnpm.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Agjobffl.exe
        
        C:\Windows\system32\Agjobffl.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2748
        
        C:\Windows\SysWOW64\Bgllgedi.exe
        
        C:\Windows\system32\Bgllgedi.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2096
        
        C:\Windows\SysWOW64\Bbbpenco.exe
        
        C:\Windows\system32\Bbbpenco.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2588
        
        C:\Windows\SysWOW64\Bjmeiq32.exe
        
        C:\Windows\system32\Bjmeiq32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2636
        
        C:\Windows\SysWOW64\Bgaebe32.exe
        
        C:\Windows\system32\Bgaebe32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1200
        
        C:\Windows\SysWOW64\Bmnnkl32.exe
        
        C:\Windows\system32\Bmnnkl32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1648
        
        C:\Windows\SysWOW64\Bmpkqklh.exe
        
        C:\Windows\system32\Bmpkqklh.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2852
        
        C:\Windows\SysWOW64\Bcjcme32.exe
        
        C:\Windows\system32\Bcjcme32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1816
        
        C:\Windows\SysWOW64\Bkegah32.exe
        
        C:\Windows\system32\Bkegah32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:760
        
        C:\Windows\SysWOW64\Cfkloq32.exe
        
        C:\Windows\system32\Cfkloq32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Ciihklpj.exe
        
        C:\Windows\system32\Ciihklpj.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Cbblda32.exe
        
        C:\Windows\system32\Cbblda32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2160
        
        C:\Windows\SysWOW64\Cpfmmf32.exe
        
        C:\Windows\system32\Cpfmmf32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2564
        
        C:\Windows\SysWOW64\Cbdiia32.exe
        
        C:\Windows\system32\Cbdiia32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1896
        
        C:\Windows\SysWOW64\Cnkjnb32.exe
        
        C:\Windows\system32\Cnkjnb32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1472
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2468
        
        C:\Windows\SysWOW64\Clojhf32.exe
        
        C:\Windows\system32\Clojhf32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Windows\SysWOW64\Cmpgpond.exe
        
        C:\Windows\system32\Cmpgpond.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2260
        
        C:\Windows\SysWOW64\Cegoqlof.exe
        
        C:\Windows\system32\Cegoqlof.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:876
        
        C:\Windows\SysWOW64\Cfhkhd32.exe
        
        C:\Windows\system32\Cfhkhd32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1576
        
        C:\Windows\SysWOW64\Dmbcen32.exe
        
        C:\Windows\system32\Dmbcen32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2300
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 144
        52⤵
        Program crash
        
        PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aakjdo32.exe

Filesize
187KB

MD5
a565df4aee910d73746d060ba0965d78

SHA1
8c07b934339f776cdc023f7a77c23bd5533accbe

SHA256
6c4705f91ff64c1fd1f18d0797e77faebda47604871ad5ada67b8388d9d19797

SHA512
f457e0917e9c7f04e2846cf058d41e338d6558467d49eb436ec206bec993751c65f83e9088e20fbe9f9ecfb56bff656d8b4e0251bfd371a7cb596e400d83aa31

Download Submit
C:\Windows\SysWOW64\Aebmjo32.exe

Filesize
187KB

MD5
b124f7e004ef243b11f7c0cb51d06f79

SHA1
b41ad323867101e8dea030f5f84a4cdd7652bf38

SHA256
31c43e15b8211521f0f82a21f30ec4062bff92da4d0c985ee124aa73367b59f5

SHA512
a234ba044b581ba4a20694a5848ca7332e305d1ef07b436196bdeadc0e42be0cca58a26a68d258c2680cb3fe49f37147aaf76899b4853e53febf0b63902d32d5

Download Submit
C:\Windows\SysWOW64\Aficjnpm.exe

Filesize
187KB

MD5
22fb3a6219daa53fd39479de3e3b16c5

SHA1
80e76f6f6e5cfe014a8eab4e236481c11e1ca682

SHA256
e334f07157fab2e1feec5bc3815c494de3d71ff63cc4434dcd0364e6c1e8e5cf

SHA512
2d67cca966a87a9ab1d3c7477c87ab7ae408a6f2ce03c9dedeb33dfd0369943f8d539dd693081fad8aee651fcd6a77ac7ad93872ad975ddc6d020f6d2b58890a

Download Submit
C:\Windows\SysWOW64\Agjobffl.exe

Filesize
187KB

MD5
cd0e7e5a162e5d48661936941195ae90

SHA1
4f873284cc3dc7e743fdf8934b692422fa4ad3f1

SHA256
7581beb0b96e33f45fb6e677cae90de0d8ca9c08f478e4fdde58539dc481b08c

SHA512
383e3e5ed3ffa027251b43a636e388b32b84e858ca6bb83b1a7374a9d5d845dec3f9e27f4f0b967f609870b9ef7c4a680d80240d26f886612e1255f99a262c02

Download Submit
C:\Windows\SysWOW64\Ajpepm32.exe

Filesize
187KB

MD5
3329446b1189e542d7e26c71dc5e332b

SHA1
d0f7d97be66f0b9adabc9b58e3085db02537f042

SHA256
a8897d935bdd3c2e723b7d2b3f160117711af8065f19c34c8328cd4897e2686a

SHA512
f61e550dbc3f8b894ae695c19ad7579d5759c51610a9689bf45079f50b6e78d035f1a03a4b69acd2351f1640c95af7d92e1c1f3208e167a4158c2208c73d40c4

Download Submit
C:\Windows\SysWOW64\Alihaioe.exe

Filesize
187KB

MD5
df90f40f52543319bd9ba0fec6b48fc1

SHA1
33394c43ad479bb62d481a0b3cfc9a366761f38b

SHA256
b060644582c4664e958aae5694cd1fa6c7c68635bd70caee031f7af4058b78f0

SHA512
6e37ee98d64bdcbd40034de59dbd46a286f3f8707d87e509d9181331f7157a4ad1eb7ed473f05461e6f894f6d8d0bbdf48e63cb2919a86367732b1c52753aab3

Download Submit
C:\Windows\SysWOW64\Aoojnc32.exe

Filesize
187KB

MD5
853fcff2502517841aa12f67ea493df9

SHA1
7e12d08034629c9d1ba046ca248d7ae0e1fac7e3

SHA256
b76067e7702006ba36ebb61f23427c483324321c71826f59ff29d45d1f8f5e0b

SHA512
1277a93a6f82042433ab2056b31a9e6e8c7a2847262dcc1242a69dfb7bc3b5e3fd8d2672d918fd0ccf534ae50148e9e9f33f5fdb8bb834875aeb9d40d7468491

Download Submit
C:\Windows\SysWOW64\Apgagg32.exe

Filesize
187KB

MD5
8358fea6ff9c61335c9dfcb56ba0fec9

SHA1
3941d9ca4cd47815526cef99617d464b04ae99d0

SHA256
73238b8ac0b394cd098a9f9dba6e2e1afe1b5a08167d4354316cf7f6ae572474

SHA512
3275bd29b2d5de215a2c73de652351f97df9a9e1b0efcb4f9bdf7101d4b464d4d13fa798b44160225279e249f340d975e2db1d76f01626798f69840e5c7e9935

Download Submit
C:\Windows\SysWOW64\Bbbpenco.exe

Filesize
187KB

MD5
1db345b27ad2b2612902404886f90f55

SHA1
d7f1c104a28e3f5873d278c5fd1a51aedefaa158

SHA256
d52e1d3c3d2b4a94f26fcedd2b9043de8eb0ae1ea4375472ce7e2caa303861aa

SHA512
5e4a7ac8b628a0a7ccd3eb6336df3e075ba8569595a0180b5cf21a1849c1e0b371ae0993cf14eae497c2cbddc759f69d6168141c1aa35efe9aa439fbb8c084ae

Download Submit
C:\Windows\SysWOW64\Bcjcme32.exe

Filesize
187KB

MD5
13503de1f617d2e9ec1701fb31e07dd1

SHA1
092754c8dfe5926fa3c73f0313d672d23b7c2c0f

SHA256
a0258ccf057deb09d96ec090abb5f6a33c747ec3f8e8964206193e3d9ea14f91

SHA512
ba26fdcea797d281357388dd208350dd6714cf182cc1133f9cbfb770af24db735045c8d7fd72bf21f40a5f770b327463a55977bc801ead332c4328727acd5d37

Download Submit
C:\Windows\SysWOW64\Bgaebe32.exe

Filesize
187KB

MD5
1254bd930135c0cc5a64061f31826608

SHA1
2a5391e9079cd349e329106cd39e67efe2d7d2c3

SHA256
a2f297295e1e1019b40c6c7b2ad6f74cf56806b5b2b95cc7e437aacd18f03c00

SHA512
575280fdfbbb0c03421f13c1a130d8f7d082ac784df7339954073618b27426c8d454ec9c04b60dcf75387ad8a8bda9a2321616a18d142de598b9dd4be05f6f0f

Download Submit
C:\Windows\SysWOW64\Bgllgedi.exe

Filesize
187KB

MD5
52ca111bbf03aeb9c9a83c52c16f6ef6

SHA1
47c348f471818de18a717ae1e2aa92c321785d83

SHA256
33067593afc626d663a8a3ddf18cbc5081fa36b840001b5c2676aa21a962657f

SHA512
bbf81d624206c624d38b25a21cd06c476c45d26049e920db123744c0142a2c16ca7120d7d91eb9e0ca71c7130bacb3aaab5544b0a823737268bbc32a749ed938

Download Submit
C:\Windows\SysWOW64\Bjmeiq32.exe

Filesize
187KB

MD5
959d4aa0abcbc28ac1ed14fc41ca004a

SHA1
01e10ff7f8e4a181ea1cbdaabd8bff031be5cdda

SHA256
42261975ac9400790834d6aa18bd9500b7f9052390247c334740a2cce8284ec2

SHA512
53fea001025d8ab6d266da576b0ded246b85d0546fad8dab5903760503c0eee1cac9c9b5d0185095ba8badc5186e21a1dbe3d01b7a265ea681c84af8c69fc8b6

Download Submit
C:\Windows\SysWOW64\Bkegah32.exe

Filesize
187KB

MD5
c3765b129c073b62b1000997b937af12

SHA1
01e1458725941a3cffb5808dc3866586977be2ae

SHA256
0c3de8c9aae7304e7eb4c4e1bbd9ca02bae86d7a4a7682a0af20a83b63d9628a

SHA512
ac58f90787a587c7c64c01b4cb8a0acc26368c23c009a5a7f04b9500de0f3c32f1f6cbd1790e57f5b22a2dc9fea3afc7cbfcbb3bb2897e48157806933112556c

Download Submit
C:\Windows\SysWOW64\Bmnnkl32.exe

Filesize
187KB

MD5
268877b1f57b4b0c0b92e306d9795d1d

SHA1
aac84c9eff8dd7358aef64cbe753637560bd6eba

SHA256
aabe39bb9b7438975f80092483cb196025a56f933849992c89396cba9fab6468

SHA512
f1956c010b8f57b644642cc3abbb0c6e553c6c2677525c1f93e97d3cf77d9afa08095b6303d944aee9a82f9757620ee48ebc8197ae5b6b131366f2e95403f948

Download Submit
C:\Windows\SysWOW64\Bmpkqklh.exe

Filesize
187KB

MD5
4d35bccc82664e6ef6e5d56a743042b3

SHA1
9de3ed09aa4cf8b7394a3f992d9eba722712f3ff

SHA256
6bbf8ed58d0f04ee7ede7734d478b3051a0a4abab294e00cde5611b431b1c0b9

SHA512
85a9d04600adee3c370915714037c12ff466f7ef4766fb8691e28fa37c845d960f1805835ff754f1f8e8d2658f19201d46412787ef7628e6e0ab53e9aa637822

Download Submit
C:\Windows\SysWOW64\Caifjn32.exe

Filesize
187KB

MD5
97f92379c7ab7b07b61ef4792f79e107

SHA1
3d556ed238a39c3e47087cbfd3ae022b25eb5182

SHA256
0176512f1f3b74d730439a0df547070c1d572bb2e0c516a0935c13de465db377

SHA512
9e9e9f7efc735c107596887f718572e84e5fc43364cdaec39df710934171f7485e5db01d454856815278e08bb2eb74556c683625244819a4cbbde2bd88a69b1a

Download Submit
C:\Windows\SysWOW64\Cbblda32.exe

Filesize
187KB

MD5
57bd7d6ed5facde54bf379f3dbe1868f

SHA1
0656da9b117c89f30d709ec4de36ee7c0cf91d14

SHA256
30c29b2ee04408888dbd467ea2bbd1060ac9fe4072d10a76d1c1c3865966239e

SHA512
e330f8cc4103b0408ffc6f96035b2ae1466effdcc6ac59f615075fa37fd7f784833078c7acdf785448c377a46538c934d7eeef70ff4a52475de55807e6d99439

Download Submit
C:\Windows\SysWOW64\Cbdiia32.exe

Filesize
187KB

MD5
e79d17e14e43eb9c8fa2822dfcb15765

SHA1
ee84cb82a8b8fd3e35daf7c108f8eb8c062145d5

SHA256
d2a61a81dc94d214eb1707b2a1d5a9fb3a70c1dc6a60aacfe9c3a58a67edda57

SHA512
8fd3edea52a33ab593b9f92f18e170ffc95d14cc8658b4c6fd09d568be2336dfcff0c7564ef4718969d4d88d27297c7e888f2783bbfc6cae11a66239b506ba3b

Download Submit
C:\Windows\SysWOW64\Cegoqlof.exe

Filesize
187KB

MD5
b8f0ed655676edfbe78ce86d48024a48

SHA1
9ba1a76dd203c7c3b7da1174a017e00434663661

SHA256
7dd053484e9847dd9ece776d0b7f214fc978f5c5d7c45ba3f5f9d313ea164d1e

SHA512
5819e4f0227da5b527192553f3fdb69db5a202d4a71f4407302b304135eb532d910d327351942f3d3e3d2507eee931e74cd0ea178447b23e4e6be3ea45e657b8

Download Submit
C:\Windows\SysWOW64\Cfhkhd32.exe

Filesize
187KB

MD5
6da9ec3107682d39bc6d5ae40280751a

SHA1
53598fd45761db31f6fe795c83332089be9faaaa

SHA256
fc22d44ce80bb6b25889cc13550a6274519dab1701deddd8600f1384f3fce0d6

SHA512
2b8b395f7b7b3a7d94e6a78c08b134bdf09027519a0ab42b24b7d5819042a1813cabb90353d8132c197729a1bede434d5cc8de0ba81728261eae73e1bc9f9a66

Download Submit
C:\Windows\SysWOW64\Cfkloq32.exe

Filesize
187KB

MD5
31737b2f98bf65022aa588992fa358f6

SHA1
06b3793a4465c69e244895e69561549106c082cc

SHA256
d4cb5ea3c55e1ddc7885bb3275592c207e4e7f4c340ecbc2b54bb5dba462c489

SHA512
353d907d965ef376d19c08158d27a37e6f081300e1b441e95f1648b53a8b56a7ca14df78f2dc34c11270e1bf3f6e0235a11b4aa8fd058215d89e279829462ed4

Download Submit
C:\Windows\SysWOW64\Ciihklpj.exe

Filesize
187KB

MD5
96ab556e375da5b563e3464f12a22d37

SHA1
aa77a9e51c0b310a985030c8487625bd669cf351

SHA256
22dffb3815b470497b01eee3dcfba12de9d427edc3cc970a906f9e75d17b33ac

SHA512
bf020f39e8191752f2d4f5d8f7cad6a526db2ffc15b53f32a3165f21efcad9a5791b1380c2de13e162acd78d99e71f9b8ac2fca82ea0764c2d0ad033d2bcf300

Download Submit
C:\Windows\SysWOW64\Clojhf32.exe

Filesize
187KB

MD5
affc866dcfeac87704be71745e33905a

SHA1
6fb42764b09808fd8aaf86a61407861caf6a818f

SHA256
1c5043bee0eddb2e291aaf7319d44e591a05270f00cb1c9bc9a496925b9349f0

SHA512
7e82108fd5253cf6704bc77c20a80d94fc4b92553e5ed4dde83ce6ed26ca24705c8ddff137ef681d4c13d9511c8744885652c7131f487c80dea62558f80a20c8

Download Submit
C:\Windows\SysWOW64\Cmpgpond.exe

Filesize
187KB

MD5
408d2e843fb4a565df759f3cff8155b5

SHA1
4aedeb30e37cada31efab550f88e24c993e8dbee

SHA256
fafb6bed4c88bebc62264d6a53e5d8450c60c793324b10b08b308c3ebb571296

SHA512
7f59f40d47221b91992fb25c0c05965cae00cc98d96a9a94c6df30837bff1506cb310d0bb000c3c9fe73b9af6d1c22df6292b981661f0dcd01f254ced41e9958

Download Submit
C:\Windows\SysWOW64\Cnkjnb32.exe

Filesize
187KB

MD5
15c4e10115000fdf9fd658d5ad47bc4b

SHA1
7dc8da3cf705bca1fbb415360acddf3f4980b62a

SHA256
0ce9005942d95bc128ffa785c80de7712ece5bd57adf2e18782ef4b2a8d9f043

SHA512
f4cadbe63e313bdeecbf7de255252690243eb2340de94d18e54040d28b66be3113c877794fdee7272962d6300ec91ba5c9352f9c92ab1b2b2a8876127a094a95

Download Submit
C:\Windows\SysWOW64\Cpfmmf32.exe

Filesize
187KB

MD5
c6c4eb1ec2c98d768b1eddcc23795753

SHA1
5fdd7d23dbeacfef535fb5f2a3e75dc39f3384c7

SHA256
d66efea143d19219c2a821f04e97d9dd7a8c456bd57d5f8c74c9b1e441221074

SHA512
8f8411084ce300565e20a949524226d805ab6d97c4d664ab4d49f8b6ea923dc9f7a699b714dc9b1db8402379bbb7798d26103d800b71d4d8514e684b21d2ec71

Download Submit
C:\Windows\SysWOW64\Dmbcen32.exe

Filesize
187KB

MD5
dab53429928ff50bc68702962a30396e

SHA1
729f49e104bbbdcea37971f630632114be64d2d0

SHA256
d238b84c96d4662e0d9397a87161e52fb1d3c934c27aaa97ab0a9375e6956114

SHA512
a4ccdcc86acca7f8045e35c16da5001a2b4e16bceabd02dc94f27a3d673affce72dfeb6faf044de02f1ed4813cfc06ab895ac3a1baca64162d324e8f0f86d429

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
187KB

MD5
d12f6646adfbc0b9ab0aa672648cfc88

SHA1
de6c4a49192721add4b43101e504686944c81740

SHA256
3c3de3349436926880564b7e1f7d0e3d245d0f8a033c1a874b2a6076f8be17ee

SHA512
78c23bc7090f0d642ac94a421d26a9415dda2122a4a8ca375e3b0df5174788f502acdfdb530ad14f40576bc5063c846fc98371a972bb2ac5b8a3f68c49bca819

Download Submit
C:\Windows\SysWOW64\Hnoefj32.dll

Filesize
7KB

MD5
4c9cc7189dbb3bda6c9d422ee96a67c5

SHA1
8b695c84b7f0112bef699144051fe41aec0669bd

SHA256
7ff8b547f8c3c56293c31669bc0a4ed331456842fc420ffe923d34103dd67a0a

SHA512
c810c86a37815adcbabe8cbd01be51ecdb270b078511db9a70ae92f7ccf22a95711df9097426383cf5acc7f60e46694c022b05f56c54d98db4a0cada764ec96a

Download Submit
C:\Windows\SysWOW64\Njfjnpgp.exe

Filesize
187KB

MD5
b19b30dbd01063fddb85bd4494962ce5

SHA1
d40fb6db316a703e54c1a59e39ccec2e31dfac70

SHA256
29ff2a24504238b983d6741d70d950c3cd1431a6d2beff5c7436718546658aac

SHA512
4ba5153ebc3fcd367d81c0bde75030f437621425f7f13e8b1aa7bd8e01634d5dab4cf7e62aac0df7d7eea81a5c8b417ae492790451d1b85e469f2e7c73b8ead4

Download Submit
C:\Windows\SysWOW64\Nlnpgd32.exe

Filesize
187KB

MD5
3af4177ae0a56b0834989178c1eef8c3

SHA1
186c98094cb7777726d9501ac15813f26996a4a9

SHA256
b2d74412445fdfcecfeb9ce365f9adb2ee5f927507847392ada5b7bc5a57a07d

SHA512
eebfaf4cc96001e90bcef935f8b397ce819c4135c3c58ff823b23f11de4b159faccafe1f254ffc9532a715d2bfcec6ac9f51583ed375d105ce9fa5fb70a8e63e

Download Submit
C:\Windows\SysWOW64\Pidfdofi.exe

Filesize
187KB

MD5
e7e0092755476546ca97c8b7398c9e14

SHA1
d43880750eedba8f41d0ff43f5eb0cb19cbc7afb

SHA256
727f6e4800f8636b3e8ee79429b601ea776940abede1d05e30c15dd93ccfb07e

SHA512
c3afe83bc2e340bf12cc70354d180593b870fc2488c94eb78f5ae32664dd5ba3ac2334c0d7a9e6de2495d0383217d98c20fe1656cd5a69bb255c0484f60b33c0

Download Submit
C:\Windows\SysWOW64\Ppnnai32.exe

Filesize
187KB

MD5
963c6140a20c60379913974bb9364d13

SHA1
5db2e814f5334abf9a828cd683ad776291392310

SHA256
4df59123a3424f1d77ee832f0782255ba21e6f5e87ec770bdc86fffccf9748be

SHA512
5fd5886c7412413f49197883a6638bc7d27275ff2bc205d73fec2fa1d0efb3ebac3ed60f19ba23f5dfc2909459cd366e356752937a73546c415d1ed13e845b43

Download Submit
C:\Windows\SysWOW64\Qdlggg32.exe

Filesize
187KB

MD5
ac2fefcefc8960552b9e9b5f6c62d40d

SHA1
a296b3fe5d6b975478baa98f259e6fc278bec6d3

SHA256
9bf61f1a9dd923c43378e3fd8a325f26519347a3c7525584fc42b2522acf11e3

SHA512
205a7b1e6677c37eb33d290e550bf5da59abff992dd415d006ad2385db06307c7ee97dfd1d9b275b70c8581e0f9ed6df35376d5a99558f4c2a88f7d5094c3bbe

Download Submit
C:\Windows\SysWOW64\Qgmpibam.exe

Filesize
187KB

MD5
0b1f8c95ec5ba3780b64dc0cb085d43a

SHA1
b20193ea9c95430f790c7593b3eabd38b92c9995

SHA256
becce76c67487ef2a4b7bd079df5d396b254f9fc6c9b1b9824049c32ea010bd7

SHA512
179bd5db8467fcf04f0fa4a5ff2702855a241a706a324ed101f82120c3080e27f6cb3267b7bbd575b284cff9e470a45a10c134b76124d040ea5301797e57309c

Download Submit
C:\Windows\SysWOW64\Qndkpmkm.exe

Filesize
187KB

MD5
b0df5eabae22d9f6472484a274aa9c4c

SHA1
591dda893e9eff5d13c392c0eb327e2d2b938b43

SHA256
e853dfbded54351d08bc4218720870a3e70edfbe3bdef66894895e81b954f9de

SHA512
1af5f6eca9145b1746ef1e937269201e9fc1dd0209c6f04c6482ce897e7c6b79273a3ab601c5a46139631e3bf3633cc603199c4f9765c653d1d3889304c0165a

Download Submit
\Windows\SysWOW64\Nbjeinje.exe

Filesize
187KB

MD5
b9eb4e42c5ee3291a4cc6e04075e97a0

SHA1
95055f20c07caf21ced095e469199e7f6d59b786

SHA256
147a9aba30260bf87a5670d31739af699c5b65acce8183449dba89b9c1749dbf

SHA512
780adb555289ac86dec78f9f6cd405717638804c96c66bf31592c59bbe26245adc522c35539ef9571279db2871328ffc7aaa3e3fe3e7c1401996d305736e1451

Download Submit
\Windows\SysWOW64\Nefdpjkl.exe

Filesize
187KB

MD5
8259b857535730b7e4186438f5094292

SHA1
2f66b7f0c68d964919047c2cb8260845aa82ab8d

SHA256
78c6f9df9b2cc760c51ccbd421c34e50bbc47016ae84c5b53cdd273f7ab66d7e

SHA512
a323b0a7fc20abb5be7d8442f0ea35633deaa0712cd1caa759181e918972c2c2ebbf0c4bd43023faad455651d6784de2cf763929a61b705f635018914b405813

Download Submit
\Windows\SysWOW64\Nenkqi32.exe

Filesize
187KB

MD5
46a44d5fcfc33c903471b96dfbd9beb6

SHA1
47fc82cda0d8830cac559a0ae8c2825581af438f

SHA256
b4b7f6b9a0a5640aeff600d1b9b8e4b9da55a29016ed6721a03a44ea3d90dd78

SHA512
07642185a3777619c7ffe84ec4007ddbf58175ae933d881faf1b47c0b8492418ed5d0b07659e94319f412a2799dd0f811d4cca7e82785a2dcab10344bd3b50d4

Download Submit
\Windows\SysWOW64\Nhjjgd32.exe

Filesize
187KB

MD5
37afa82215153c46ca649cc9eed12b41

SHA1
09e7e9d20aecbc8f7e1dff5f205612098d254d1a

SHA256
37ea17640649ea21e5f37427c0b704aa686489f26d39192b22dafb6bb35480ea

SHA512
684b8facd99fce3d7c381e5e7c5b1f24582f5ce061f0a25a375d73a624c94a359125fcea78d8267c1478ff4f07edc7331c11c96f2a419921897054339382850c

Download Submit
\Windows\SysWOW64\Odgamdef.exe

Filesize
187KB

MD5
d30b6ef9af3cb1b107c4d1fdea336516

SHA1
600a5d20f3eef88024178d7c49a981c7adbc93e4

SHA256
dfb3c9882c93b382d2e7b97c027c4cab9f1b8b5e9b022538e691758f2388bb12

SHA512
b3ef649694ae0c6ec40b3a9da714f0ca8693ec64f448fd56dd4aa5a422e86eff3d0f306c4417e1954e71dcc46f63862bc486a0e9709b834279f6df6a070badad

Download Submit
\Windows\SysWOW64\Oekjjl32.exe

Filesize
187KB

MD5
39a2129fc5a9eeb8208926575f4da972

SHA1
f03ab8568d8056876b956a42e6ad109303bbf7de

SHA256
ad802eb849551d73aa73853d7fabaca50169300b944756b3d4d6052728bd5a1f

SHA512
26fc70271f6c5ca50e314d655b4fa856d1b741d0360e3bdd970513bafcb9b9ccaff9c6b296569be59e3f682ec4a9b2e79e9823e109e5c135bae47df28093d103

Download Submit
\Windows\SysWOW64\Oibmpl32.exe

Filesize
187KB

MD5
209caff073b60abeee1faa351b98f54d

SHA1
f8dfc4bb7036e08f9c8b723d202e5c3327bd773e

SHA256
d90e4aa85d243a053478a62eea72c2901de2dc34cf5ccb7a22931945abcde7d9

SHA512
0c35bd9a7b82ce8afe491c14aee597ad1c334b60a8828a1ebdd1dd03895d1f2cbdda33ac38934f788a5ca8fd1014ad9205f4344a6e38419e8eabaf6ae885e68a

Download Submit
\Windows\SysWOW64\Oippjl32.exe

Filesize
187KB

MD5
1709a698ebc830bc58cc464217571e90

SHA1
3c4e9bc9b8826c1ff9fd7681b4bf635331554d82

SHA256
97d6ad0e3d59bdcebbac756309796caeabd53e044ad995649b29c9d17500d7af

SHA512
1f31fecc341c32e002d741d1cc7e77a54ce7b9d78c972e35f0f6377f2dbd7db384a03de2b72c4cb181365e6c3e690b55db66000a0784513a5eed8a8715fdcd31

Download Submit
\Windows\SysWOW64\Opglafab.exe

Filesize
187KB

MD5
b93198fb4cc109ed33f5d88e55493876

SHA1
f1d0103e3a3f9f953694e3c72740ead6f06530e4

SHA256
1badfcaf58cb95be46f02d49e71df521906e13dae6c5b58a60f31fb71a5a1da5

SHA512
39f761925a22bf9442247bffede5e7c6995da9d3b4cb10500a6ef9dfc8df502989748d728700ccebb978017c86158d28cfc231baf53a04995d64a0d66f87aad4

Download Submit
\Windows\SysWOW64\Opnbbe32.exe

Filesize
187KB

MD5
d03d4e22b3f0a0fa04cb2b26fec73861

SHA1
de2a7651834e38280cd0a502674f92af257f73bb

SHA256
7f50b01ac7a20e117a3df591f4fbea71199b1921a6f8e9ad33e1ef19c801d250

SHA512
b33cdd8ff2b96ab9ba8a39787cf2f069b1cfd390d428812542094c6dd61102e748484c5dcf08637f0e5fd6b99e46c759a89d9861b86be0c87da8c401e6fa61ad

Download Submit
\Windows\SysWOW64\Pafdjmkq.exe

Filesize
187KB

MD5
9d0fec9429704953af4dc0b7465d6562

SHA1
d6495597a19aa4487ddbae77c03de63634567cd6

SHA256
c0545bb60b27fc3216a99dc070ab4dad817574c4e61a976b15867faf9ee4380c

SHA512
f2c5b653c6fb8a3a3f9cf8802f992d0010e3db764003ea05d08a5bfc3504923ea933e367db9bc8fdc0af963de36b64ac3b851855bd690bdb0e9b543064f53912

Download Submit
\Windows\SysWOW64\Pepcelel.exe

Filesize
187KB

MD5
add6c39c03738fcfa9ff48d51b234f00

SHA1
9ebd8800f04c5d5badd061470acb8c221c1bbd75

SHA256
8af651c360802513982c109ead9b213d12cabb6270eb50154f3e0e30748afd01

SHA512
3fe6d5c3d0974900e8bc5381cdeb5b4c29d52b6036a9616145e33cce54f6ab0007ebc0272a2f8e973fae7912198b9d5a6a81da6b666b3513960a657aca1d742b

Download Submit
\Windows\SysWOW64\Plgolf32.exe

Filesize
187KB

MD5
97af9e54fa393fbbf754b7e605f3e416

SHA1
9391c65a42409ffad43be0fa0f97f47b910b5e85

SHA256
3753a1d006cab740cf7d1fffb37742329e18b55d9080de5ec404051dd78cf5f9

SHA512
5ab7e0c7756d58512d18d8576987f8f125f5c694f7c7d29665bb802a719ffdbccd4517cec7b434203aa46e0d4721ffb99f31699bf21a4d799d7211424597f126

Download Submit
\Windows\SysWOW64\Pmmeon32.exe

Filesize
187KB

MD5
5c02b93101163384e97704100c4e9548

SHA1
f934d75a6cc2bd930fcd3e8f949dbba153afa78e

SHA256
60245b95b434a91df6afd80382415e5fd443b9ef2225663df0c820534ae86842

SHA512
bebe96557b4f6946b548e30efe687f8c3dfdf8c3ec75dff5b446b9d6f9f8bafea1609cda3a465311300a015c835a17a0a3617c42d435d6429da226e375233f36

Download Submit
memory/680-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/680-355-0x0000000001F90000-0x0000000001FC4000-memory.dmp

Filesize
208KB

Download
memory/680-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/760-450-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/760-440-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/820-246-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/820-237-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/844-620-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/844-294-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/844-295-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/924-267-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1132-229-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/1132-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1132-231-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/1200-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1352-316-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1352-307-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1352-317-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1392-335-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1392-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1564-88-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/1564-417-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1604-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1648-408-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1700-306-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/1700-296-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1700-305-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/1812-474-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1812-148-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1812-481-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1812-160-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1816-438-0x00000000002A0000-0x00000000002D4000-memory.dmp

Filesize
208KB

Download
memory/1816-428-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1908-453-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1908-133-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1908-451-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2000-464-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2000-142-0x00000000002A0000-0x00000000002D4000-memory.dmp

Filesize
208KB

Download
memory/2096-374-0x00000000002B0000-0x00000000002E4000-memory.dmp

Filesize
208KB

Download
memory/2096-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2108-116-0x0000000000330000-0x0000000000364000-memory.dmp

Filesize
208KB

Download
memory/2108-449-0x0000000000330000-0x0000000000364000-memory.dmp

Filesize
208KB

Download
memory/2108-439-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2108-108-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2160-475-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2216-214-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2248-282-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2248-276-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2268-465-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2276-462-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2276-463-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2276-452-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2456-256-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2456-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2512-12-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2512-341-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2512-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2512-11-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2512-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2532-328-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2532-324-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2532-318-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2540-257-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2540-263-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/2564-486-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2588-379-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2636-385-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2636-396-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2676-485-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2676-169-0x0000000000350000-0x0000000000384000-memory.dmp

Filesize
208KB

Download
memory/2676-162-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2684-189-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2684-197-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/2692-405-0x0000000001FC0000-0x0000000001FF4000-memory.dmp

Filesize
208KB

Download
memory/2692-54-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2692-390-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2692-62-0x0000000001FC0000-0x0000000001FF4000-memory.dmp

Filesize
208KB

Download
memory/2748-363-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2748-359-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2756-433-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2756-106-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2756-94-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2756-427-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2772-369-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2772-27-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2772-35-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/2776-407-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2776-75-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2776-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2788-381-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2788-52-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2852-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2872-351-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2872-347-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2872-339-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2960-492-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2960-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads