berbew | ef7de73f62a49a7048ee081ee7393177955d7dd2e3d70034e9eb0da9bfaa24bc

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 13:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef7de73f62a49a7048ee081ee7393177955d7dd2e3d70034e9eb0da9bfaa24bc.exe
Size

80KB
MD5

5373fd88d19a9b3fd670b4bfd7fabb60
SHA1

8457a6a2d43e8e9b09c30a5a8af6a270c5d94ef2
SHA256

ef7de73f62a49a7048ee081ee7393177955d7dd2e3d70034e9eb0da9bfaa24bc
SHA512

17891a1ab8f3389b72e11554abed390ec4f3e5867064ae05b95e59bef0a07cf65abf2d8720d14b25077c183528d41f27aaf3bcc3c1b3162bae0d0d7536102fe0
SSDEEP

1536:jZt9HKY4pr7x+kNmlkh15l0p1tqvGwjOWusf4RFeJuqnhCf:jZLK917xVNmKwtvmBr4RFeJLCf

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ageolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 56 IoCs

pid	Process
4272	Ocgmpccl.exe
1436	Ojaelm32.exe
3612	Pmoahijl.exe
3620	Pcijeb32.exe
4752	Pmannhhj.exe
1100	Pggbkagp.exe
1552	Pmdkch32.exe
3704	Pflplnlg.exe
4092	Pmfhig32.exe
1304	Pgllfp32.exe
4532	Pjjhbl32.exe
1892	Pmidog32.exe
4120	Pfaigm32.exe
2288	Qmkadgpo.exe
4964	Qgqeappe.exe
1704	Qmmnjfnl.exe
636	Qgcbgo32.exe
2652	Aqkgpedc.exe
2800	Ageolo32.exe
4696	Anogiicl.exe
4832	Aepefb32.exe
5088	Bjmnoi32.exe
2832	Bebblb32.exe
5032	Bfdodjhm.exe
4944	Baicac32.exe
1028	Bchomn32.exe
3160	Bmpcfdmg.exe
4436	Bcjlcn32.exe
1964	Banllbdn.exe
408	Bfkedibe.exe
4856	Bmemac32.exe
4888	Chjaol32.exe
2524	Cmgjgcgo.exe
2372	Cenahpha.exe
3820	Cfpnph32.exe
4180	Cmiflbel.exe
2812	Chokikeb.exe
5056	Cjmgfgdf.exe
2752	Cagobalc.exe
4548	Cdfkolkf.exe
4140	Cfdhkhjj.exe
3224	Cmnpgb32.exe
2128	Cdhhdlid.exe
448	Cmqmma32.exe
404	Cegdnopg.exe
3892	Dfiafg32.exe
3852	Dopigd32.exe
1348	Dmcibama.exe
1800	Dhhnpjmh.exe
3616	Dmefhako.exe
912	Ddonekbl.exe
1828	Deokon32.exe
2444	Dogogcpo.exe
896	Dmjocp32.exe
2584	Dhocqigp.exe
2340	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Pmannhhj.exe	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Pggbkagp.exe	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Qgcbgo32.exe	Qmmnjfnl.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bebblb32.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Ocgmpccl.exe	ef7de73f62a49a7048ee081ee7393177955d7dd2e3d70034e9eb0da9bfaa24bc.exe
File created	C:\Windows\SysWOW64\Ojaelm32.exe	Ocgmpccl.exe
File opened for modification	C:\Windows\SysWOW64\Pcijeb32.exe	Pmoahijl.exe
File opened for modification	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Pmdkch32.exe	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Pflplnlg.exe	Pmdkch32.exe
File opened for modification	C:\Windows\SysWOW64\Pfaigm32.exe	Pmidog32.exe
File created	C:\Windows\SysWOW64\Ageolo32.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Pmoahijl.exe	Ojaelm32.exe
File created	C:\Windows\SysWOW64\Qgqeappe.exe	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Ocgmpccl.exe	ef7de73f62a49a7048ee081ee7393177955d7dd2e3d70034e9eb0da9bfaa24bc.exe
File created	C:\Windows\SysWOW64\Pgllfp32.exe	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Bjmjdbam.dll	Pjjhbl32.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Pflplnlg.exe	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Gbmhofmq.dll	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Bcjlcn32.exe	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Pmfhig32.exe	Pflplnlg.exe
File opened for modification	C:\Windows\SysWOW64\Pmannhhj.exe	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Laqpgflj.dll	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Ldfgeigq.dll	Aepefb32.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Mjpabk32.dll	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Baicac32.exe
File opened for modification	C:\Windows\SysWOW64\Bcjlcn32.exe	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Ojaelm32.exe	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Anogiicl.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Pmidog32.exe	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Qciaajej.dll	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bchomn32.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cmqmma32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4664	2340	WerFault.exe	142

System Location Discovery: System Language Discovery 1 TTPs 58 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef7de73f62a49a7048ee081ee7393177955d7dd2e3d70034e9eb0da9bfaa24bc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anogiicl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empbnb32.dll"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbandkm.dll"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odaoecld.dll"	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjdjk32.dll"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efmolq32.dll"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmhofmq.dll"	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldamee32.dll"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcmjaol.dll"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Baicac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anogiicl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	ef7de73f62a49a7048ee081ee7393177955d7dd2e3d70034e9eb0da9bfaa24bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgppolie.dll"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdoemjgn.dll"	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcijeb32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 4272	2092	ef7de73f62a49a7048ee081ee7393177955d7dd2e3d70034e9eb0da9bfaa24bc.exe	83
PID 2092 wrote to memory of 4272	2092	ef7de73f62a49a7048ee081ee7393177955d7dd2e3d70034e9eb0da9bfaa24bc.exe	83
PID 2092 wrote to memory of 4272	2092	ef7de73f62a49a7048ee081ee7393177955d7dd2e3d70034e9eb0da9bfaa24bc.exe	83
PID 4272 wrote to memory of 1436	4272	Ocgmpccl.exe	84
PID 4272 wrote to memory of 1436	4272	Ocgmpccl.exe	84
PID 4272 wrote to memory of 1436	4272	Ocgmpccl.exe	84
PID 1436 wrote to memory of 3612	1436	Ojaelm32.exe	85
PID 1436 wrote to memory of 3612	1436	Ojaelm32.exe	85
PID 1436 wrote to memory of 3612	1436	Ojaelm32.exe	85
PID 3612 wrote to memory of 3620	3612	Pmoahijl.exe	86
PID 3612 wrote to memory of 3620	3612	Pmoahijl.exe	86
PID 3612 wrote to memory of 3620	3612	Pmoahijl.exe	86
PID 3620 wrote to memory of 4752	3620	Pcijeb32.exe	87
PID 3620 wrote to memory of 4752	3620	Pcijeb32.exe	87
PID 3620 wrote to memory of 4752	3620	Pcijeb32.exe	87
PID 4752 wrote to memory of 1100	4752	Pmannhhj.exe	88
PID 4752 wrote to memory of 1100	4752	Pmannhhj.exe	88
PID 4752 wrote to memory of 1100	4752	Pmannhhj.exe	88
PID 1100 wrote to memory of 1552	1100	Pggbkagp.exe	89
PID 1100 wrote to memory of 1552	1100	Pggbkagp.exe	89
PID 1100 wrote to memory of 1552	1100	Pggbkagp.exe	89
PID 1552 wrote to memory of 3704	1552	Pmdkch32.exe	91
PID 1552 wrote to memory of 3704	1552	Pmdkch32.exe	91
PID 1552 wrote to memory of 3704	1552	Pmdkch32.exe	91
PID 3704 wrote to memory of 4092	3704	Pflplnlg.exe	92
PID 3704 wrote to memory of 4092	3704	Pflplnlg.exe	92
PID 3704 wrote to memory of 4092	3704	Pflplnlg.exe	92
PID 4092 wrote to memory of 1304	4092	Pmfhig32.exe	93
PID 4092 wrote to memory of 1304	4092	Pmfhig32.exe	93
PID 4092 wrote to memory of 1304	4092	Pmfhig32.exe	93
PID 1304 wrote to memory of 4532	1304	Pgllfp32.exe	94
PID 1304 wrote to memory of 4532	1304	Pgllfp32.exe	94
PID 1304 wrote to memory of 4532	1304	Pgllfp32.exe	94
PID 4532 wrote to memory of 1892	4532	Pjjhbl32.exe	95
PID 4532 wrote to memory of 1892	4532	Pjjhbl32.exe	95
PID 4532 wrote to memory of 1892	4532	Pjjhbl32.exe	95
PID 1892 wrote to memory of 4120	1892	Pmidog32.exe	96
PID 1892 wrote to memory of 4120	1892	Pmidog32.exe	96
PID 1892 wrote to memory of 4120	1892	Pmidog32.exe	96
PID 4120 wrote to memory of 2288	4120	Pfaigm32.exe	98
PID 4120 wrote to memory of 2288	4120	Pfaigm32.exe	98
PID 4120 wrote to memory of 2288	4120	Pfaigm32.exe	98
PID 2288 wrote to memory of 4964	2288	Qmkadgpo.exe	99
PID 2288 wrote to memory of 4964	2288	Qmkadgpo.exe	99
PID 2288 wrote to memory of 4964	2288	Qmkadgpo.exe	99
PID 4964 wrote to memory of 1704	4964	Qgqeappe.exe	100
PID 4964 wrote to memory of 1704	4964	Qgqeappe.exe	100
PID 4964 wrote to memory of 1704	4964	Qgqeappe.exe	100
PID 1704 wrote to memory of 636	1704	Qmmnjfnl.exe	101
PID 1704 wrote to memory of 636	1704	Qmmnjfnl.exe	101
PID 1704 wrote to memory of 636	1704	Qmmnjfnl.exe	101
PID 636 wrote to memory of 2652	636	Qgcbgo32.exe	102
PID 636 wrote to memory of 2652	636	Qgcbgo32.exe	102
PID 636 wrote to memory of 2652	636	Qgcbgo32.exe	102
PID 2652 wrote to memory of 2800	2652	Aqkgpedc.exe	104
PID 2652 wrote to memory of 2800	2652	Aqkgpedc.exe	104
PID 2652 wrote to memory of 2800	2652	Aqkgpedc.exe	104
PID 2800 wrote to memory of 4696	2800	Ageolo32.exe	105
PID 2800 wrote to memory of 4696	2800	Ageolo32.exe	105
PID 2800 wrote to memory of 4696	2800	Ageolo32.exe	105
PID 4696 wrote to memory of 4832	4696	Anogiicl.exe	106
PID 4696 wrote to memory of 4832	4696	Anogiicl.exe	106
PID 4696 wrote to memory of 4832	4696	Anogiicl.exe	106
PID 4832 wrote to memory of 5088	4832	Aepefb32.exe	107

C:\Users\Admin\AppData\Local\Temp\ef7de73f62a49a7048ee081ee7393177955d7dd2e3d70034e9eb0da9bfaa24bc.exe
"C:\Users\Admin\AppData\Local\Temp\ef7de73f62a49a7048ee081ee7393177955d7dd2e3d70034e9eb0da9bfaa24bc.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Windows\SysWOW64\Ocgmpccl.exe
  C:\Windows\system32\Ocgmpccl.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4272
- - C:\Windows\SysWOW64\Ojaelm32.exe
    C:\Windows\system32\Ojaelm32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1436
  - - C:\Windows\SysWOW64\Pmoahijl.exe
      C:\Windows\system32\Pmoahijl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3612
    - - C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3620
      - C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4752
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1100
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3704
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1304
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4120
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2832
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5032
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1028
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3160
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1964
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:408
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4856
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2372
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3820
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4180
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2812
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2752
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4140
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3224
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2128
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:448
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:404
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3892
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3852
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1800
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3616
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:912
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3588
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1828
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2444
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:896
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2584
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 408
        59⤵
        Program crash
        
        PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2340 -ip 2340
1⤵
PID:3348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aepefb32.exe

Filesize
80KB

MD5
45b683791fa6359eae3c09ebc5abdd51

SHA1
c2b33db57158ed23f860185667f59d56a1ac2e39

SHA256
d824192cc689fc3acaca9a08c9aa69044f7bac5f005abe2e8a4a92158e80acd8

SHA512
24997093fd761143dbaca141e0349a480fdbec4ab221d448ddb38b05e1399dbb5642b8492f619aa3e9fb811c00b855a9ff7ec39e5346965a7d689481e83ccfad

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
80KB

MD5
3af75058e5e60571dc79b06c1dbdc88a

SHA1
20108d14840088b12c1edf0295376af0bb0e29b9

SHA256
c013895e6b29fbd27ef6ea073d3426b3becfc455d565afc900233be51cbe5147

SHA512
1686fd4a13733cc9df24134fbd552093ae02e270b7a9aed80236ca9d1e4d0f29a1248ede8ac38d4383dcee95e1111107cc8f0231820e27ebef49bda50c938678

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
80KB

MD5
50f0c32c300b7cd1ed4cffbdcef25d9d

SHA1
2c5ad8301ce0d1a91ee2e3991af2dde97a041fdf

SHA256
215814ef1cea355ce8ae4a7d8ba24eaa16dbb50cba4b9740f0b7ff3e4de2c64d

SHA512
dd59ea8793db83ced502106afe288edb9adbb3f99fbdd792dffd52e231ca0f327de3fe6a31dd83e1fb0c60b140f049ade11dd732941d04b23f2a6195b62f2df4

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
80KB

MD5
37d2f9fc2a0e794cbb928c3e8374dde7

SHA1
0a72dbf7fe2c50899d97ef6394264edc024ae281

SHA256
c7039784261e1b5d0530cb6118bd2fd08ae40e6a4fa7cf9be765bd5de4d4a7c1

SHA512
af143f01078299ff04a3ea66fba40ef2ce26b730e17ab84f8fe45b5a69b36ea89d8fd458780f9e9b4c6f30047e81ea663a6d6c9fc11fd7300e3514be3b0b2c01

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
80KB

MD5
b2039bfb21b718f5fd31199915ff1db6

SHA1
36052556110e38f16d157b87b97e17931d3e4800

SHA256
57c651ae3643c55401e442e473857367bde28c2173d14fd26b16954c4a549646

SHA512
d421bdff9ca50d1df5159125bec5443acc4d7929f2b0b7f9068b2f530b67e3837039c0971017365d30ade5d56c5562489f6784a7c8aea921ee998b90118a8426

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
80KB

MD5
ecc3adb0ea5017c54be1085fa11ec67a

SHA1
dfb6204137dcb4f79dfa4934017c596a7776ae42

SHA256
ca132b763937dba10758d49a2360901dc9186f4b813bc52e71ddc224efc8bce1

SHA512
c8f2fe1f144d0f330bd416455c11f49185f0750bc75f591aebc03db1b34abc8cb66879de80e789fb4c4910c2a3118bc8fd9aece23a58a506382b23ec0e0dc431

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
80KB

MD5
23cf6a67d92519450bf971bcb335205c

SHA1
08c8bfda5db95ace1202b3c0132ca20c70f3f635

SHA256
ddc620fc31e3dfc6e8ef9172ad36f9e6a63cb99e0fa211af48f5c1398b7a4564

SHA512
8f17d96f663be12ce143bae588726cec40aeddf0e4df9d8cb7512449941dc9ab8122fc74de2c6493fcace0032be0b1ad1495d9119f63fac1f713ecb524334126

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
80KB

MD5
a1315ad0c34e6764e6c38183902c244b

SHA1
c2c23065b33d7acac06153d891e9cc348929b5a6

SHA256
ae7d117d430d5b3391fbb53b608e7f87d93079c419b5a6603e609741c7ab7e2a

SHA512
437cdb27b61dec18f9a94dece9948f3cbb0739e655836158493b1ae592cd6b052cb7799a124bd9826e8902c72ea621485524147cb2fb469be6fb3ddb4d5b63e1

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
80KB

MD5
fcd82616e2f1af28adafd1e79fbccbc4

SHA1
7da1621faddd583a507a83d82fe78a1741604a8a

SHA256
bd2d536954581905824a578eca15e8d1363d2bf5ab575918f8454fd39ba0de0e

SHA512
d9d29151859dfea13366b3bb2d5b4cd040c4581e1695c4128670e04ec30bf1fd3f070a9d19d5cc3c04bc0a6cc139261e7a77ad29f9ec49f6950aca1df962e9aa

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
80KB

MD5
a2326a7816604fc874d98113d211dd44

SHA1
154bd7fd1e13c7db92e84c86574164e3aaaed15d

SHA256
818fdd052f3b7033e80fca9cc2b33639c0e745a2d86a93ce1f2401846fe4c74a

SHA512
06be2b416ece5645cbe42fb36159b5df20a337890a56a2b23900d2660d5de6b9fd86c04379fc569ce8bb2b956842df78d7f4056711022085e0a1c22e77117bc4

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
80KB

MD5
63fac3da0f32c1c53be4f162a109a5a7

SHA1
d9d4fe0ee40b61136c73557b79e45a69bd8fe7a3

SHA256
942b796f27ca6586ec2ca7230692993249897b22e30ad39d367437fdd329d841

SHA512
f8f1df96ed474631dd7056d622c4f1b79bebee62cd49acef55ac3111724068545c3e3393c37ebd53fb8f46f7b74ac0c707aa9025eb12649687ae00bb134ebb9d

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
80KB

MD5
16bb30769088dc1d113a4f1cc8ba4512

SHA1
5bea13ff94f53c21782c955c08b74b829174c3a1

SHA256
60778e5a9858518665358c9a1c318d632f2d872c3ad97f049d9b166bef49c925

SHA512
5d557544e0e9091bc46ca2824fa050b0d6a67ef9de8b40155c0f6f23827841655a9b7c2a8f96d86ab851c416cf0ff513794dfd69bcd4b7067aa59978541f9d7e

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
80KB

MD5
86be4335f7d1023ebd1fb1c427ff010b

SHA1
53f0a539dd970fcebc9a67b49b246e44b24fd5cd

SHA256
40f985361cf3d846d5180c5485760761521a29b191f2126642cec45200f1a036

SHA512
c4ced48c85c31e6076f8276befc24be91ced5a414aec668ef362cc926e262f6ed817192164b724ef2ddfceec9637c2f1127c7527a3d2b0acb24d53a83aaf713f

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
80KB

MD5
608891945094a041f01d623e54ce2a5d

SHA1
8a21cf9f1a13f19c0bc6fb831d395c332285bf97

SHA256
fad616c2eafbfb8bae61d2d53b96ca336a465bd624be8098c0f2991fecb19664

SHA512
f1a60eb52560238fafba5413b13affeba2218e0859c41747c405ae83729251801dd45b10e19d590a85d1d731fddee6130d89d7da3299b423b28a599737ab2021

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
80KB

MD5
cd88b027e368a226e1b6b8679ad75eac

SHA1
5dc6cd81edf8eed8e38b00cee672bbf552051f29

SHA256
f5979ea916f33b544067e61ffcc8944eb1b9c5c4ba28c028ee5d4be8377010e4

SHA512
c6cbcf90137e0a7465f5f50b60edbb929ac28d339e1bbac897500dc5b510f64186a806c4c67b481ec8b78717f0aab227139de9b2e6f43ebe3ee0e660cfacc88f

Download Submit
C:\Windows\SysWOW64\Hdoemjgn.dll

Filesize
7KB

MD5
1d00759049fb4e3a46b7382e6eb4b643

SHA1
a0f61fdd1cad99e37da4e639ff3c1dcae99cc258

SHA256
cfe84b9ff3f9f225d8807ab6356e86a25ee21b665144593937eb016da9d250e9

SHA512
b9ade04012941b7de7c918073a70692c9405893d4963350d3f00dd70e018660506dfd09d4ec64bacf072d399568f9f074a66984aee1fdd906db6882126c0cf21

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
80KB

MD5
cd229e73200a571c9919e88e025cd1e6

SHA1
4d1d8b8462834e917cabfe274ec9984e4fac6091

SHA256
b56a135763c6e8c58ec63244f40d0409d9e3ec10d8699f6e5c3ee2970b1e8ca5

SHA512
5152f9a6bc13347b123af4922b51469c4a3877d4019512d980c671e9b8863393f49a4fed9986efabc9ffec370025b2825edffe95d1ea4f5220d432cd8684867c

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
80KB

MD5
adcd73d7c94b2cfc5fa33bc0371a4a49

SHA1
206c5dadb9491ddff5760f98ddf7af3774e15d45

SHA256
3d3c9837c27f74f95c3428bf4238fcd5864c45581ed99b1c855b40dcd2addaf4

SHA512
82ceddf63035aff9025ca355b177b5451ca30091b310b094bd21d7531f36387beb062f011772339271e38139a6ddc6ee91dac7686af8f5f98d2ef9e2008c6905

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
80KB

MD5
4b517f9384aee187de9a2d2be3c0b63d

SHA1
4d5645524511b3fb9f39d227c4286ee1c5f35d96

SHA256
8c487da2397b5d325e4e133473dc702a5ff13ec8636c4660c0f2423074efce3c

SHA512
2cd17231c8dcca6ab127cc2b0c9401ec17a9fbf83961dc960c7d2a19a5be30115cca1e729b961d38614c21b0b614324d48bc3a223dfc284d8f6a8caf256814a3

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
80KB

MD5
adf03b7a9f087bb4b94354642ee37af2

SHA1
a9fa12fa7ed4a1ea801f223c2dc8bd8f3094f093

SHA256
ead65bab48a1e298137997061d9921378526e2e95e9374fe0bd1e19faf2de3c8

SHA512
579cb649a5eeb45592f951b5f48a43e66a6b5932c2c8fcc6dea601f7b4ccb386a09047e0747e39a74d25bd43350043200bcea22c5dda967f699f2c41f3ac99e7

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
80KB

MD5
2c2c25b7a5acf3bb1b142b7bc5e0f61c

SHA1
c74c54d438be8367fc4489838f7f09d3eefaea86

SHA256
9bff514cf26202fbca91f0c5c55662eb3a2dd7074b430df5c82342e777b1fbab

SHA512
561c9182288a825c32a9d6543da59391852feef7a09071d804648d424bcae4a30f47e4e32880d5fa1f79709351158fffdb8d93d5cae6f88ea10f0812bdd31834

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
80KB

MD5
fff6c1e42443d3bf00ca3ba8a33099aa

SHA1
9ddac0bc9dc0f5c4942d508b266e36f42a796d64

SHA256
b14a37e559a040a41d2b3f5409f6080c0364015f7277203febe7e9bac36919f8

SHA512
07005e5a6f7811ab542a75e8361f9a09b7e72ff65e594e423a9acbf75337a150b96297224bac3fe6c1fe6e815b858bf454c06baeae4ede366b380b6f5902b08c

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
80KB

MD5
68d3ae950b405e32e26f0ed64e7b5a04

SHA1
3a69cacea5798e24697ffc501db1004df11a0ffc

SHA256
75d1b8c4906921b6c1f0b65519f40511e7d9d1a8d476794e545ab40fdfd2fd40

SHA512
c1cae87989d6cc2ed7f67485d8173c2fb47ab4793338c6ff361e6cb0e7f567ef7c72db4bd3885061e2d7f813eb1a1fa9b986743d470549f3e3a11803869806b6

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
80KB

MD5
71ae5fe12abc8f4c5e1f52b258a0c985

SHA1
cf449b843205441935cea2478215862606debbfe

SHA256
d39e6f0f3dc5b588400ae4580a9d7baaffb52dae5a7621e57a2019ff28e5495f

SHA512
68fa2ae7a7d983b5a5037bd143f8839280a1c52efb02710c3fb8f301b5d7ce5b228d1a1d9ff7828e17029bb11878defab6d698259b7197ec3cdea37197cc1b04

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
80KB

MD5
7ed59bdd9e53ecb7d203ebfc7fcbf325

SHA1
9a34d13c9b360eae46ba2f5536d74a83c2fabecd

SHA256
0ae2d5295c4bbe01094bd61f0aee52f4cb92003b1751da446cdb71377f2ea1da

SHA512
cbb8fcaea9a629033928822068cbc3b5e9dd422969a59d0b7b307a44d2eac6e17735dd4d59b58f73c029974fe454edfa35e4f4c95e80ecd0bf901d76cb92808c

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
80KB

MD5
13278a7e99b8c0fb9a6e4f9e2f09c120

SHA1
f9ab7b18cc1b8b29fadb470dddaeeb6782d98fec

SHA256
19cf8245f4ab65935b9dbed3335c0e79fcf4ab8f10e33b3c02e72a4e2ff42849

SHA512
10057dc456b4de115cf358a50cb81153581331bae1f7234419a1a178cc8e28a562311f47647339f48069c9ebb4bd7ae4870b614e34cf4020f8a308a335912184

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
80KB

MD5
c75bfd8cef5abba84d9c024984f690ad

SHA1
5c83292c90739b060d13332ca61e1b313d020806

SHA256
87cd4adf6e3cde779c67cf022143acdd4b082dd4039f99c1b5355f763f2100ad

SHA512
5c967e713901248b8c456d88a7378827b72f3d0a9ad7af37cc0435009c4fa8829b6c383159b95b33197e52ba850d2bbdf4542985029c7b32e3394c25550e0628

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
80KB

MD5
0bcfe80641008bd4978d96f722dd49cb

SHA1
87fed9cf81fda6b8d3d01027b4c23414ed233b0a

SHA256
f5f343ab7e6c12df7853c0ecb8384f93c036e7033f7f03cfecbc11d6b8f7278a

SHA512
eea3b8d59cd56eb827181e2dfa0de4a628f47c6dd9d922c69dbe2c67d41011710aac8ac2e57e7dedfdd39c7ac188bfefda7ca9aeb1ca529e2afeaddeb09c9831

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
80KB

MD5
a8857c9cf68880ccef039a19b5c27441

SHA1
a1beddc56c52cc8a8c3e6faecb4a38bb3efecab0

SHA256
17a261c6c742238a9541693b8d4ce3743129abd5fa68890064058574644e2f83

SHA512
433690d47aa04159a2036d86d6a73be43c05c3f8b86d3608bdbe7954b4da1d1c296ed09c12ccc0ab79c0d4e43f0fa31d4bdbfa184c8cbbbd9a33372f62e29c2d

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
80KB

MD5
44b3411e55153d0b6fd8a45e742264e7

SHA1
b9cace1424ab47d9dcfdeae1926db907f7906406

SHA256
021a74abbc507c9c0d50453d7d76fc75b25c8d899b0b09d3c2d817535d1c575a

SHA512
23206fdc0f9fbca69419637c821e02d681ae3e6576d5c947db49eac867209b33148a1f2f9cd71eb3a36101d2b697c7cc0d87dff410b22f09bf3e4b70e5c7d800

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
80KB

MD5
753edcc12077c8e8e36e1933fc71dd35

SHA1
3bada85ffbcab8154754ebd0f5bbe3ded30bb05d

SHA256
becf962cf0aa370cbcb66d424d41c7f12cdbadabe97297bb8d335b4471730a6e

SHA512
3883bade08575b71618af06f17e65397834b626a41576cd4b633253e1f375c380453db258cae16364eb4598f5ca2fbf199c79b16ce0e777b991c7ddb45e75b88

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
80KB

MD5
fff48bad7db63703b8ed8b86b263e55b

SHA1
17f1d1047613f2a623728fcc4072bce79ab93d88

SHA256
69156e57ab8a7436f6330f859aea97e12508d2ec3e0a7656c52096a3a5374cd1

SHA512
f716cbb2f57c47db8ef864ba5e97b89393c5a5058d5cd4c5eddf2a2f67122b1e2fe0013f9a4b94637ab1d48b56f7d50e0438b27c89783ed86123a78afdecf4fa

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
80KB

MD5
e6ab1d323df0bfb2482f4e3af17cf311

SHA1
31942a3f0595d3cbcaee15fac5db22e6b1d65157

SHA256
5a07cc3f9b4ca0079adb6739fb52fc56c5a1d0d9434543b98028db090d899717

SHA512
f0cbff7c0747520f32d7a532256979a45f5a2c6bc56541125c13514e8891515ac8cffb8fcd9b21aca520f9d18d979cb889c093d401b17417b668c862e7741fe9

Download Submit
memory/404-424-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/404-334-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/408-239-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/408-417-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/448-425-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/448-328-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/636-135-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/896-404-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/896-389-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/912-370-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1028-209-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1100-439-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1100-47-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1304-438-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1304-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1348-408-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1348-352-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1436-435-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1436-15-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1552-55-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1704-127-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1800-358-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1800-406-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1828-377-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1828-407-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1892-95-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1892-437-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1964-410-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1964-231-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2092-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2092-434-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2128-322-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2128-423-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2288-112-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2340-401-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2340-403-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2372-412-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2372-268-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2444-405-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2444-383-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2524-262-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2584-395-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2584-402-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2652-144-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2752-298-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2752-426-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2800-151-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2812-416-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2812-286-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2832-184-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2832-414-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3160-220-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3224-413-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3224-316-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3588-371-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3612-23-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3612-440-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3616-364-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3620-31-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3620-436-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3704-63-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3704-433-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3820-274-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3852-346-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3852-418-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3892-422-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3892-340-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4092-71-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4120-103-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4140-310-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4140-420-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4180-427-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4180-280-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4272-7-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4272-431-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4436-411-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4436-223-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4532-89-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4548-304-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4548-428-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4696-429-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4696-159-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4752-432-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4752-39-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4832-430-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4832-167-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4856-247-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4856-421-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4888-255-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4888-419-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4944-204-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4964-119-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5032-191-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5056-415-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5056-292-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5088-175-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads