berbew | 146269ca403b4757371f15737b94acd6915739db1f9983501dce7e23ec79efef

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 20:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

146269ca403b4757371f15737b94acd6915739db1f9983501dce7e23ec79efef.exe
Size

93KB
MD5

da6cc6a16bfc2c8d315aca2030c9e3d6
SHA1

fd3eebab087b0c1fcafce1db74d255215698b6ae
SHA256

146269ca403b4757371f15737b94acd6915739db1f9983501dce7e23ec79efef
SHA512

a45d1ac9076646a1c93b5eb4ea8d3c7eb9858021cb08e880fad755b560d90759fd87930452df1ce13ad0b53001c84cf515f03d2ed76bf751793cca981de6e286
SSDEEP

1536:7gMo2GaH/ivm+uZtPdl3Q8zmNTmeYYkQIsRQpRkRLJzeLD9N0iQGRNQR8RyV+32n:BGuShoXlALBJYYvepSJdEN0s4WE+3e

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogifjcdp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	146269ca403b4757371f15737b94acd6915739db1f9983501dce7e23ec79efef.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfjjppmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	146269ca403b4757371f15737b94acd6915739db1f9983501dce7e23ec79efef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Odkjng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ageolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 58 IoCs

pid	Process
3244	Nfjjppmm.exe
2328	Odkjng32.exe
1500	Ogifjcdp.exe
2688	Olfobjbg.exe
1168	Ogkcpbam.exe
3540	Olhlhjpd.exe
4424	Ognpebpj.exe
3280	Olkhmi32.exe
2092	Ocdqjceo.exe
508	Onjegled.exe
3000	Oddmdf32.exe
1472	Ofeilobp.exe
4992	Pnlaml32.exe
2280	Pdfjifjo.exe
2568	Pggbkagp.exe
2284	Pmdkch32.exe
4468	Pjhlml32.exe
2548	Pcppfaka.exe
1600	Pqdqof32.exe
3384	Pgnilpah.exe
1952	Qqfmde32.exe
3576	Qfcfml32.exe
4824	Qqijje32.exe
3640	Qcgffqei.exe
4032	Qffbbldm.exe
3980	Adgbpc32.exe
5088	Ageolo32.exe
2528	Agglboim.exe
4988	Acnlgp32.exe
1312	Amgapeea.exe
1608	Aminee32.exe
1540	Bmkjkd32.exe
3752	Bnkgeg32.exe
4540	Baicac32.exe
2252	Bjagjhnc.exe
1516	Beglgani.exe
5040	Bnpppgdj.exe
4608	Bhhdil32.exe
4860	Bjfaeh32.exe
4172	Chjaol32.exe
1488	Cmgjgcgo.exe
2444	Cjkjpgfi.exe
3784	Ceqnmpfo.exe
3916	Cjmgfgdf.exe
4968	Cnicfe32.exe
716	Chagok32.exe
4812	Cdhhdlid.exe
1668	Cnnlaehj.exe
4768	Dhfajjoj.exe
5104	Danecp32.exe
3380	Djgjlelk.exe
4888	Delnin32.exe
4500	Dfnjafap.exe
3476	Dogogcpo.exe
4336	Dmjocp32.exe
2908	Dddhpjof.exe
3680	Dhocqigp.exe
4684	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Pnlaml32.exe	Ofeilobp.exe
File created	C:\Windows\SysWOW64\Pcppfaka.exe	Pjhlml32.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Agglboim.exe	Ageolo32.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Qqijje32.exe	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Jdbnaa32.dll	Qqijje32.exe
File created	C:\Windows\SysWOW64\Adgbpc32.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Pkfhoiaf.dll	Ogifjcdp.exe
File created	C:\Windows\SysWOW64\Gmdkpdef.dll	Onjegled.exe
File opened for modification	C:\Windows\SysWOW64\Pgnilpah.exe	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Efmolq32.dll	Adgbpc32.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Olfobjbg.exe	Ogifjcdp.exe
File created	C:\Windows\SysWOW64\Ogkcpbam.exe	Olfobjbg.exe
File created	C:\Windows\SysWOW64\Dmgabj32.dll	Olkhmi32.exe
File created	C:\Windows\SysWOW64\Baacma32.dll	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Nfjjppmm.exe	146269ca403b4757371f15737b94acd6915739db1f9983501dce7e23ec79efef.exe
File created	C:\Windows\SysWOW64\Lcnhho32.dll	Olfobjbg.exe
File created	C:\Windows\SysWOW64\Pmdkch32.exe	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Pdfjifjo.exe	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Bmfpfmmm.dll	Ogkcpbam.exe
File opened for modification	C:\Windows\SysWOW64\Ocdqjceo.exe	Olkhmi32.exe
File created	C:\Windows\SysWOW64\Ofeilobp.exe	Oddmdf32.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Ogifjcdp.exe	Odkjng32.exe
File created	C:\Windows\SysWOW64\Hiclgb32.dll	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Bnkgeg32.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Qcgffqei.exe	Qqijje32.exe
File opened for modification	C:\Windows\SysWOW64\Adgbpc32.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Aminee32.exe	Amgapeea.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Olkhmi32.exe	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Pqdqof32.exe	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Bqbodd32.dll	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Hppdbdbc.dll	Ocdqjceo.exe
File created	C:\Windows\SysWOW64\Ochpdn32.dll	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Beglgani.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Agglboim.exe	Ageolo32.exe
File created	C:\Windows\SysWOW64\Akmfnc32.dll	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bmkjkd32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1504	4684	WerFault.exe	141

System Location Discovery: System Language Discovery 1 TTPs 59 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	146269ca403b4757371f15737b94acd6915739db1f9983501dce7e23ec79efef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odkjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdlbjng.dll"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Popodg32.dll"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ochpdn32.dll"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glgmkm32.dll"	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmfpfmmm.dll"	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Amgapeea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnhho32.dll"	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifoihl32.dll"	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	146269ca403b4757371f15737b94acd6915739db1f9983501dce7e23ec79efef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqbodd32.dll"	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hppdbdbc.dll"	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qqijje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Agglboim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ocdqjceo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1408 wrote to memory of 3244	1408	146269ca403b4757371f15737b94acd6915739db1f9983501dce7e23ec79efef.exe	83
PID 1408 wrote to memory of 3244	1408	146269ca403b4757371f15737b94acd6915739db1f9983501dce7e23ec79efef.exe	83
PID 1408 wrote to memory of 3244	1408	146269ca403b4757371f15737b94acd6915739db1f9983501dce7e23ec79efef.exe	83
PID 3244 wrote to memory of 2328	3244	Nfjjppmm.exe	84
PID 3244 wrote to memory of 2328	3244	Nfjjppmm.exe	84
PID 3244 wrote to memory of 2328	3244	Nfjjppmm.exe	84
PID 2328 wrote to memory of 1500	2328	Odkjng32.exe	85
PID 2328 wrote to memory of 1500	2328	Odkjng32.exe	85
PID 2328 wrote to memory of 1500	2328	Odkjng32.exe	85
PID 1500 wrote to memory of 2688	1500	Ogifjcdp.exe	86
PID 1500 wrote to memory of 2688	1500	Ogifjcdp.exe	86
PID 1500 wrote to memory of 2688	1500	Ogifjcdp.exe	86
PID 2688 wrote to memory of 1168	2688	Olfobjbg.exe	87
PID 2688 wrote to memory of 1168	2688	Olfobjbg.exe	87
PID 2688 wrote to memory of 1168	2688	Olfobjbg.exe	87
PID 1168 wrote to memory of 3540	1168	Ogkcpbam.exe	88
PID 1168 wrote to memory of 3540	1168	Ogkcpbam.exe	88
PID 1168 wrote to memory of 3540	1168	Ogkcpbam.exe	88
PID 3540 wrote to memory of 4424	3540	Olhlhjpd.exe	89
PID 3540 wrote to memory of 4424	3540	Olhlhjpd.exe	89
PID 3540 wrote to memory of 4424	3540	Olhlhjpd.exe	89
PID 4424 wrote to memory of 3280	4424	Ognpebpj.exe	90
PID 4424 wrote to memory of 3280	4424	Ognpebpj.exe	90
PID 4424 wrote to memory of 3280	4424	Ognpebpj.exe	90
PID 3280 wrote to memory of 2092	3280	Olkhmi32.exe	91
PID 3280 wrote to memory of 2092	3280	Olkhmi32.exe	91
PID 3280 wrote to memory of 2092	3280	Olkhmi32.exe	91
PID 2092 wrote to memory of 508	2092	Ocdqjceo.exe	92
PID 2092 wrote to memory of 508	2092	Ocdqjceo.exe	92
PID 2092 wrote to memory of 508	2092	Ocdqjceo.exe	92
PID 508 wrote to memory of 3000	508	Onjegled.exe	93
PID 508 wrote to memory of 3000	508	Onjegled.exe	93
PID 508 wrote to memory of 3000	508	Onjegled.exe	93
PID 3000 wrote to memory of 1472	3000	Oddmdf32.exe	94
PID 3000 wrote to memory of 1472	3000	Oddmdf32.exe	94
PID 3000 wrote to memory of 1472	3000	Oddmdf32.exe	94
PID 1472 wrote to memory of 4992	1472	Ofeilobp.exe	95
PID 1472 wrote to memory of 4992	1472	Ofeilobp.exe	95
PID 1472 wrote to memory of 4992	1472	Ofeilobp.exe	95
PID 4992 wrote to memory of 2280	4992	Pnlaml32.exe	96
PID 4992 wrote to memory of 2280	4992	Pnlaml32.exe	96
PID 4992 wrote to memory of 2280	4992	Pnlaml32.exe	96
PID 2280 wrote to memory of 2568	2280	Pdfjifjo.exe	97
PID 2280 wrote to memory of 2568	2280	Pdfjifjo.exe	97
PID 2280 wrote to memory of 2568	2280	Pdfjifjo.exe	97
PID 2568 wrote to memory of 2284	2568	Pggbkagp.exe	98
PID 2568 wrote to memory of 2284	2568	Pggbkagp.exe	98
PID 2568 wrote to memory of 2284	2568	Pggbkagp.exe	98
PID 2284 wrote to memory of 4468	2284	Pmdkch32.exe	99
PID 2284 wrote to memory of 4468	2284	Pmdkch32.exe	99
PID 2284 wrote to memory of 4468	2284	Pmdkch32.exe	99
PID 4468 wrote to memory of 2548	4468	Pjhlml32.exe	100
PID 4468 wrote to memory of 2548	4468	Pjhlml32.exe	100
PID 4468 wrote to memory of 2548	4468	Pjhlml32.exe	100
PID 2548 wrote to memory of 1600	2548	Pcppfaka.exe	101
PID 2548 wrote to memory of 1600	2548	Pcppfaka.exe	101
PID 2548 wrote to memory of 1600	2548	Pcppfaka.exe	101
PID 1600 wrote to memory of 3384	1600	Pqdqof32.exe	102
PID 1600 wrote to memory of 3384	1600	Pqdqof32.exe	102
PID 1600 wrote to memory of 3384	1600	Pqdqof32.exe	102
PID 3384 wrote to memory of 1952	3384	Pgnilpah.exe	103
PID 3384 wrote to memory of 1952	3384	Pgnilpah.exe	103
PID 3384 wrote to memory of 1952	3384	Pgnilpah.exe	103
PID 1952 wrote to memory of 3576	1952	Qqfmde32.exe	104

C:\Users\Admin\AppData\Local\Temp\146269ca403b4757371f15737b94acd6915739db1f9983501dce7e23ec79efef.exe
"C:\Users\Admin\AppData\Local\Temp\146269ca403b4757371f15737b94acd6915739db1f9983501dce7e23ec79efef.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Windows\SysWOW64\Nfjjppmm.exe
  C:\Windows\system32\Nfjjppmm.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3244
- - C:\Windows\SysWOW64\Odkjng32.exe
    C:\Windows\system32\Odkjng32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2328
  - - C:\Windows\SysWOW64\Ogifjcdp.exe
      C:\Windows\system32\Ogifjcdp.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1500
    - - C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2688
      - C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1168
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3540
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3280
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:508
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3384
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3576
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4824
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3640
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4032
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3980
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2528
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4988
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1312
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1540
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3752
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4540
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5040
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4608
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4860
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4172
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1488
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2444
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3784
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3916
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4968
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:716
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4812
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1668
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4768
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3380
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3476
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3680
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4684
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 416
        60⤵
        Program crash
        
        PID:1504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4684 -ip 4684
1⤵
PID:4652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
93KB

MD5
260474cfd019d8ef0207e28981bda979

SHA1
84081e4141ac69e395ab6ec1290a3a06c2f26579

SHA256
5b0d47c878a6d792034823bd19a83c838fd1166c0276a3b784f7252a0f10ce40

SHA512
7f370bb14cae22318512894883f9d4bb525bdd18f364d2fc6c7abaabb3aa96c39e2653b59fc39f002c91527b4eca7dfc917293b8399ae1129531f316efd09d72

Download Submit
C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
93KB

MD5
36471c1c4ea578d64e28547f06cf2c19

SHA1
eaac0039ae313ca365a8bea201deab74f3ea4825

SHA256
27550fc1ead8873f7b0be4d0327f4bf967304d641dd5275e2a30f8cf88b9505f

SHA512
e7b53f21bc4f93caff7f746f6386ea487a4466ea7711125f8d418b30ef740af02274c6ee7fc87d29bc4e09cb62cb5a347f45978f6f1f0037a7994bb0db230051

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
93KB

MD5
8199579a255d776b5e03a585c295bab5

SHA1
6c77561ddfcd3e417993add4c36f949ed0a7a84e

SHA256
0a76c314f6bd12ced8f1cf8f53d22e320afd0efa1ba0ba456ba815f75e966aed

SHA512
70f9496cff6069377a0888954cb9bdbb7f0f5cf8e8cbe18bec2e9806642eff867431a39202e7340dc3f4399b8539416d2ed221787d8a414974b90e282b9ea6ae

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
93KB

MD5
49f7915b3f199740bcdb262af31ab0c6

SHA1
d27d84d213a0e847ccaa8db7634e364d9a659d70

SHA256
e35c4dea29aebd7ed8f4f333dcc3ecdbb7c1cd9147935b5ab5babb7c12098c45

SHA512
f3baa7c0ba9c51c6796b8bef2a40b7dde27eca183dd91927cea4bf09511a94197687e3d139c390f4594bc391d79764caebc4bc92d84301176123e7e1d7b45d98

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
93KB

MD5
9f59f2ea13eca067018d56385827e1a3

SHA1
9880b1cb3119ae63c5f8fec1449257bc431cc46e

SHA256
e0e330f5d939785f79310741dc1bf56d1b9846045e30e51251b7619a226b627e

SHA512
7b13ac2df2f085112be1c9e77cd42b7df1b0f5a001838bdaa781d0162cbfbc4f42f505ebf2501098b4e7951b5e3c52dec16369df1703e61026c940c0a2db81ed

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
93KB

MD5
fd1cde49dfeff22bcbc43db5469c3a48

SHA1
abcd5ff3fcb294a668a7ee3a11ac115ae6e132e8

SHA256
1652f283f574e892a45cced0f0e53f9c597f95088ef409e1caec01f7c8c79d5b

SHA512
7be9b8cfa72c3499dd8cbcac0b73da6ecf6eb0f65c933fdbbe86ff51718b0e6a178fac40449cd7a2f85a330eec3e5e3133596c333ca27d4a1be70fb5e14cd62a

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
93KB

MD5
858dfe954279b1dbadbb075d5d16bb49

SHA1
5911e69f19941777524f23eb9657bf65ce122eb5

SHA256
98472f5d3bfb6fefa96d76f1292ad2c9cfcfd97db6a5565a3b636659a1d4e32c

SHA512
040c4b8343046b1004bf34e2ee91fd7617d504f0b3a3f9b22952d4e9c105487024f8c475383880864e8e871aeeb4b2ef1db6a065de8bcda8082cae5146f83119

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
93KB

MD5
b5b93d00e034295032c841040f92b246

SHA1
5200b5d78c3a3943e2ff41a372f52f80cee818d9

SHA256
e003c2fb670a2274a58c5e8fb277da317990e840c7bcaccbd340aea3ee364773

SHA512
341931c5d51c4035290164ede3d715a9a67527822b5e0e5ccdaad9344678379a4df7892ef09d828719e1211c428ceddedfc8b665242d3ff635de561e0e95c614

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
93KB

MD5
102006837b57f167dd44e0f951225dfe

SHA1
181be417499726628780df8e6c2fa96dcb3062b9

SHA256
579adc2374701bb1661082b67dbcaa75798536fe4a6fdfb0eb009ccc091a7d8f

SHA512
fd2e51b245d29b98c209dfc1a0e3825b7cbc7ccf11b066d3f7ce87181305347bf2244460c0d43cf41ff2908b3365ac0173ba2210419417dd0b3ee9173d5a2f43

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
93KB

MD5
45be86a5aa1879282ae434bbaf79d368

SHA1
890f770782f7cd0f2b0f8d1c93c03a4813da2888

SHA256
197e436be6b78a43402b4eb9e818ca7c7015f8849c83d1ece55f33530c62db1b

SHA512
868b34f093ff4c61d00e54f60fe3b5a611d7a63ff560339280b90e53c7b8dc2df487c35bb402cdea6558f09256139caac613432b015e1b3b47a5bc15d6b6af79

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
93KB

MD5
4bc626d36a6e2616d3978c0e270a0388

SHA1
a974ba7ca1b81671367adaf17608a6b1486792cf

SHA256
33a433f2bba1b46ff86c07f8152d24d6788ec2c193ac8dc225d523c944f7551c

SHA512
94db6488d785e992bde490e2443bbf1721483b20841998c1dd6e6ce8d87a835c4edc90b10a90f573914ae1474d028d9f1f6ba78cd7880a68c08fa394c26763a7

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
93KB

MD5
fb88f1b0990907cf4a797d75b368b11b

SHA1
3ef23556a81dfb7673925130c49216b99b1613b1

SHA256
f4a7535194fc564997f2ab35ee3462a9b9c4d989992073a4830e142af0718e48

SHA512
c1ec6ba03b43a202c87cc5103d2b974ca3486fbbfd14af12be38ad67dfcd02a26786eed72e0db4bec36e4dff5271a289104570445e3b8d7894ed560c05a08468

Download Submit
C:\Windows\SysWOW64\Lcnhho32.dll

Filesize
7KB

MD5
91bba4c6f9aed3fd9fae940a817a8aea

SHA1
e749b91c2c7533af9ad9893c0e41bddeee615d0a

SHA256
72e8161146a22a2d1cc75fd529701f41da1c1af92873e1582d6b686680c6ddbe

SHA512
71e6ff9f170f0e056fff7896358f5acc7340258c71852b0e372ba17df7224c8be599345ab4737ba94d2a32c35027148ab5eb26de0d074146f0ec003a29721bfc

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
93KB

MD5
1d8559b0a4185b67b89b1f01be89084b

SHA1
26523c0ca668dd939083c02b8da4ea366979a198

SHA256
e3128e48acf912aac7e3bf2ee6efde98ff0974ff7e6ebeef503067cad5f2d130

SHA512
fc8ea845bf9b1f25e0a002f194e756d9ccdcd8101f6dbf77acc919742db29b9bf8d8b01f5ef9a020f935534a5384b4e369bd39ba80032bb1775bdda58158bdb2

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
93KB

MD5
85c8c00b2859ca1cc73b7ea4064cd722

SHA1
44341b3026610322b8ae1da076306db2e198b4de

SHA256
67c1fbd9ae0a668c8d4358ca5cdad6022638775d43be51e4918387202ac5f295

SHA512
06fe881a62c0e0e231ae95f250674d000840b55010d7cec66258c2303008ea6ecd4c60d0cf6a20054ccabafd50557c3515a40a56f26b00c2010e6a1873463231

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
93KB

MD5
25d6cd09bd3851ee27220fb6a397f378

SHA1
6714b6a23ba0ac243512cbed7b65198a00cb1227

SHA256
ffbbc19c29bc2b05ddf90c6da6d48e414b49333e39fe8de7a00f332e8f449052

SHA512
1f29bb5b34a752e9c66047f24b4de3f1486b3c5c06c049c4b5b4bbc0ed178813b5e4b80744c0fc8e5b10438fb4042fb0d35c0402e62505d66bcb7b8a9ce868c2

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
93KB

MD5
b278d49530d844d79fb922c141e89fb1

SHA1
1bb2d6cf58702f4b1a1f6630b16b69a782cc71ed

SHA256
4caa2e07044adb97e3d18fe34f268b51365e0fbca8e7895059a788da733693b2

SHA512
5f0a4d76655935018c642f39c109e6da1ed74ce820c6a2a83d497a513059ea9f1b72853bd41c5b6a4c57b1ed4269a3f217d75ea3bc352944433df74d8a707fc8

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
93KB

MD5
186272a890dca8e830fc8825ec41214b

SHA1
d6c241c3240f121e240b911d2237ea993817cdfb

SHA256
2ac40a402dcc2478deee536917314eb372fd22e7a39b62486a2c913e144f0d9a

SHA512
ab6c022faaa9e5761bdb24b26f31edfbf20f40ad510647ecf9f35c11109a3d4739bb52f231b1150c80286bb02bbdc6af495742d604972e0568e01ade6ee2ce07

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
93KB

MD5
a552816e41ab51e23e4b676c7af27397

SHA1
20c5e67a6fe8f31b78964a79e597132fa82b646f

SHA256
82c37af015906b8e70495015e67023c4e3f8a3a942fab337974fef7a9a3652a2

SHA512
ea1084b57fa19134e1225b655e269997d1d180d971158a613b180349a6f922b050dd28676287b65c78d85133bc3bc9a33efc9228859f806db8b9150980ec6bc4

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
93KB

MD5
2e34d94550c0e138c2f08350cfd7da7d

SHA1
e3d561a52c32c3696d5361dc681a3d3a884e2eec

SHA256
59223edc2ca3cd8499d448ed88a0fd69886c07532ff85a02e20318ea987abff8

SHA512
5c36588b448d5ac73054c408321d7258b2b29a3dd1d33c1f0c9f15d21d71aec4bf94071d9b5ea2526ff956b2c5d8283ad9e88a30ed8cf8ec393f2c0e4de51141

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
93KB

MD5
81cddc983bfc44662f30c8a35a874f4a

SHA1
3bc5b81ae1df1c3b6c6eb987c60ed339163e2d49

SHA256
b2ea931f794c0f65aa39ceefaa1217b0347611b77b8a8680ecac254797a153b8

SHA512
04e7b82f79e4bae9dbdea55d6d32a986aa42b3e0ffcb7d8c1135ebe7ec0c56efa9a7414ffdcc56c56b249b6b3697fbe4c7751a41b49834dcffc1e269da152299

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
93KB

MD5
488e1691411c89c7bc444c89a58a1b7c

SHA1
d2c35214a9d3050f1fa12b23465ba577b900ee0d

SHA256
e2b06b4391bd96c9d725b46d62522d5010ac882ca2537281fa847115e09c5666

SHA512
5f5c9c067f8a89784dc5c18c86a021a14d589f96371fbf1851f9abab54987319222ec06a6d834351f2a41691376ebb85e7ddceeb016e23f8c53c71419bf3728f

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
93KB

MD5
5985580d898acaf14924cee276de0db5

SHA1
5fb2c4884ee723f846b38462574e5de5911c55b8

SHA256
ee58342f653feff5e31ce358b59259b4ab543752e4191481fd6d420c06f055c7

SHA512
514d67f4be9c060a4dc7e96754efcd45e2063e3ebcbd93528597081c021b055d7f75252ec62d303d5f1d45f9689904b41aba33709101c498033541e4f73a7d6d

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
93KB

MD5
499b070dc3089450d7f5a1227538932a

SHA1
14797b9381d8d0bbae3d0ff78a13208fe0211e7e

SHA256
e4c606c076a3f538fc787be2ed907ca876451e11632cd3b3be4b8496c2b9481d

SHA512
94906d369cec16b4fe1c033327c10a3b879710f3e4d93deb62125f5dd488cef013b3ae4f81373dabc3978ddf48d556a0eea1c6f245ea4cbdb98c932f4f9a8aa7

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
93KB

MD5
7322d9c2a222b79e1e70dd0c1dae136d

SHA1
7814f12c91ac44d6f1daead1ffc376fe62c5eef2

SHA256
51430e7afe4dbda041d28ff947d05b2dd5ece5474c9133b08a796d267e1ecc41

SHA512
924c866f1764764bef309c775fbb4d87f9962135a82777842314d2ca3c59004206a00fd12a06c4f8afcc4afc9aebce0add3d01d628fc4441d44061294c8bf197

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
93KB

MD5
57e68822f2a21369e1c5bb9804d084ec

SHA1
786bfc5103181cd09fe45c892dd5a1a6a5c01f4c

SHA256
3b4e32a7dbb93ce325378c5202882a1d2b29d1fa58b7fa8f855498e78e37158b

SHA512
d6b3010e2b7c4e4b8c776d86c4cde4dc22475201fdaa8800a88f74bc15683f8a42937c8be21e4d9770f1da3cb53b36250055cdd6dc0c993f76dc5b22ed414291

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
93KB

MD5
651123836f630a7584ff700add1a5cff

SHA1
0ffb0ad370250b49fd22bbfb5bdaf83ca8945dd1

SHA256
7ca167caf84f858481082bfbc50d7c5dd7d74c03487dc73a17cef5a1f1b810d6

SHA512
05004702e5acd6ce938701dc6fce09b8974b794be9a2fdae2f25eb037ea0fcaca9cf445608ebde44987881d413dc123a3b7820bd4dc6a33e3e5050fd8595a31f

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
93KB

MD5
3ebe6c5297506c7d01284ca0432793b6

SHA1
1e45f7bec78aae2d90c082f1e5459a7c2187f2ee

SHA256
fb34b0991265785c56db47402d8f5463be92bfc348f11f7033214c9482fd3248

SHA512
dc53362ef9c757336369ca28ce8fee6c10ff15ff4716e204db5784d471883c74f49f170bf53a739af629e00492d5ed2a56f293e49ef5c97d54cafbcb20890742

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
93KB

MD5
38a7a7c98e2afadbe380e32eda579458

SHA1
0ad085fc60584d6cd442a855c0c5b8df28273539

SHA256
ac6d5fe2ee2482204c793e396289889d6e4482711c5e16966eeebd24e4cc6dd2

SHA512
f622d1ec7960d45c759179347e5593ca0460ee36698082b5c48e3914ef17a733815da446fb8a2b15b04e6511e579bbce3460cd9499851206e0e80df64c83e9b0

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
93KB

MD5
7e2b9f9e3ca859ca8d04315b420fd8f2

SHA1
76a04f70e2aaa6e89e91687a27ffccd77abbb7a3

SHA256
f43b16416d8939813c5050fbc29297bbda15a5e2781eec7e9aa721fdde13bba2

SHA512
7949ad921456bdab5963ba9274b8fcd862111b60e6a97345351397fd17934394c259a0eb6fcfca6c6c1f7d319446045c46c08f1feaa16bf34599372e0bfceed3

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
93KB

MD5
50b833b9d263fec9d2004329bd0d30e3

SHA1
92530c92de10adadeb9b6c443b554e8c2ae91854

SHA256
9c059cd60e00b7364d1bd26ce71a0878d30f4ba2195a7ed7cb28de43ca862fde

SHA512
8db7b2035127853e0e931581bbca1b82249bba8e6983bce99d3f86304217de0ab8c88b269b2be117d0c4e410de05585cd7aee02a5558ce07dd37a43beff28ec5

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
93KB

MD5
4ae0e977dff245ad74751b4cf5770d4b

SHA1
42d51bffea193228138ccf8fc338d662a7b75952

SHA256
98453699a7bec3ab3acc70d950c4f5197f9bdb4178769974a65d054f4d2205e2

SHA512
5a12cba767a0e49e45f85519d635c7251943db780f2271f33a095fd900ba091d324efc66491991eadff2381445497d947187a96926cf335dc69a011cfaf1c16f

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
93KB

MD5
a7b8c851f5ca34b4c78963fa8016ed88

SHA1
0d8a5019e52667a9008abe67f1e6f7f073e68adc

SHA256
0d8a0a78a62ca568a6a058cb2c29df714d75531323b270a5c1d7e39fa89263f9

SHA512
d991c8c1da82726892b73448d31806d95cbe8681fa5928fcd4c19009a467cf9f210a012ec080e04d18b163d14595874d410307052cd2d973e4d6d183e9b11b1b

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
93KB

MD5
c03f7204ae878843e9c22a10c2030531

SHA1
446826388782f4109efbd716f34a3dcb2009b172

SHA256
7f727a7708a2e9e60c0fb4c295d11373110d28ef891fce014fec9f26b4e4abe9

SHA512
c6a60475c47de2ce3a5d5fd74b0be250f615efca1a7e4be0d1dac9b612fc8397a56ca4f8814f9dd42ca5369c4d19c89d5a06fc9b5d77d79cef1615e9d7bc8399

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
93KB

MD5
a7e42e99fb2442dab129a053b9b6ee8f

SHA1
ccd67554df654f459f971a12b86c838f575c52da

SHA256
3ada896c65a40b13fb541caf5e8037099ebe3f038327ad4fa81173dd8fd629ea

SHA512
dc668433380f0b1dce154cf348baf8a58162fe1357c82d076ebb35a8bb805ac3dc767cc022810a2f96396f29195064a47fcf63f79b41472118bce9f35fd0c2cf

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
93KB

MD5
d430da14ad63f85baecf43467f2fb38a

SHA1
d742a5e40150cb75dc3541ea8d178dcb63483889

SHA256
942b1d365154124dbc8d8cc911dd7094ae502d1081db54290db89ae1c0cb3c8a

SHA512
e3e426f6f36ec54dd8bc7ff1f70ea83bc8a32c87e80e26fea5e3914a6f7f8ff07eee5db3bb9c484ba802cb696ed801e567b883a5162e5038c0f8b2a21f671145

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
93KB

MD5
a92c63a78386a368e94883aa3d7b1533

SHA1
e3f15e39ae7b4afb424e6c750aeb32212bbcaa21

SHA256
b5d012cca6ae8ca72840faeb36c1df75e3ef5a9413bcbe6389ae8676b5fbef16

SHA512
c134158683e4914e700bdfb00872db862bbfe5c8e9dab9b1ee03bc69b0bb6eb42c5518cb36673a5116bbd6b9123593e6111723b52f28a0a5b9497da4d430d328

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
93KB

MD5
e1ba6fc4a1463ca567001b9f963e305b

SHA1
bce6ee793141762a73b566bf0c368e641065eea5

SHA256
f92b05cd83b88da68720ca25dcd8c5f66f721013f74f3e0648faaf252a769e66

SHA512
b9e8b7c48b7d40e840f5970eb233d6d3f467a2a3edd94df42adc0431753eb7a033072c6e54d3a85b2c76c948fcbdb7ca7ab8bc10347e6788c560748f93fd586c

Download Submit
memory/508-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/508-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/716-377-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1168-39-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1168-124-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1312-334-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1312-260-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1408-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1408-79-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1472-187-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1472-99-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1488-342-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1488-411-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1500-107-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1500-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1516-307-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1516-376-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1540-278-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1540-348-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1600-250-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1600-162-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1608-341-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1608-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1668-391-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1952-179-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1952-268-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2092-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2092-71-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2252-369-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2252-300-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2280-116-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2280-206-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2284-135-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2284-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2328-98-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2328-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2444-349-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2444-418-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2528-242-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2528-320-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2548-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2548-153-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2568-215-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2568-125-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2688-115-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2688-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3000-90-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3000-178-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3244-7-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3244-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3280-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3280-151-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3380-412-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3384-170-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3384-259-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3540-133-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3540-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3576-188-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3576-277-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3640-292-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3640-207-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3752-286-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3752-355-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3784-356-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3916-363-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3980-306-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3980-225-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4032-216-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4032-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4172-404-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4172-335-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4424-142-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4424-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4468-143-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4468-233-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4540-362-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4540-293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4608-390-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4608-321-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4768-398-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4812-384-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4824-198-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4824-285-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4860-328-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4860-397-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4888-419-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4968-370-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4988-251-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4988-327-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4992-197-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4992-108-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5040-383-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5040-314-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5088-234-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5088-313-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5104-405-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads