berbew | 241d5e932144d6bf59010cad15af1524ea22da9152d3ab6f1639a8d47be28000

Analysis

max time kernel
123s
max time network
180s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250207-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250207-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
10/02/2025, 04:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusSign.2023.11.29/047c2b7237010e343732b699d4b346f5.exe
Size

295KB
MD5

047c2b7237010e343732b699d4b346f5
SHA1

cd111bb6034b8060b52386874e474a4bf724b9d3
SHA256

d18a6a465d2b78ec839a8030f2d52766e99063f09b44a19c3777fe35cb9cee37
SHA512

7d82331332e136656baf54c93895eec91465a95ba15e9cf657d3c66abb7ca83b3a9ab53da9fd440c0242df3d64d556b743cdccb5bb6613a4f6d8ed4a8e585275
SSDEEP

3072:nvQziSNphV8UiEoO5Q1UkY1UkVHe1rUtst76UtoUtFVgtRQ2c+tlB5xpWJLM77OM:vRSDkOoO+1PY1PRe19V+tbFOLM77OLY

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnlhncgi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iimcma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Khgbqkhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oqmhqapg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apmhiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Edionhpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njedbjej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Noblkqca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Niojoeel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Objkmkjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Opbean32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcpnhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bogkmgba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lchfib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocihgnam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jimldogg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjlalkmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iijfhbhl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpiqfima.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lhqefjpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oikjkc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhiemoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnblnlhl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ookoaokf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Obqanjdb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjfdfbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpgmhg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhldbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oophlo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aoioli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eohmkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpeiie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqmhqapg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bogkmgba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gaebef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Likhem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Geldkfpi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Geanfelc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kofdhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Modpib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oophlo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cklhcfle.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eoepebho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfenglqf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khgbqkhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhanngbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mfenglqf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqcejcha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekcgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klekfinp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqfbpb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfmmplad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afbgkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Enfckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fbplml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Modpib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmhbqbae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	047c2b7237010e343732b699d4b346f5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qhhpop32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgifbhid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhkbdmbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpbjfjci.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqaiecjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pplhhm32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Downloads MZ/PE file 1 IoCs

flow	pid	Process
23	1644	Process not Found

Executes dropped EXE 64 IoCs

pid	Process
1244	Qhhpop32.exe
664	Qaqegecm.exe
3028	Qfmmplad.exe
1240	Qodeajbg.exe
2836	Qacameaj.exe
564	Afbgkl32.exe
4336	Aoioli32.exe
4712	Amlogfel.exe
556	Apmhiq32.exe
1460	Aggpfkjj.exe
4148	Adkqoohc.exe
4444	Aopemh32.exe
2220	Bhhiemoj.exe
3612	Baannc32.exe
1504	Bhkfkmmg.exe
2416	Bkibgh32.exe
1284	Bogkmgba.exe
4672	Bnlhncgi.exe
980	Bkphhgfc.exe
4864	Cggimh32.exe
4812	Cgifbhid.exe
4384	Cdmfllhn.exe
4200	Cpdgqmnb.exe
2612	Coegoe32.exe
2064	Cklhcfle.exe
4160	Dojqjdbl.exe
4420	Dakikoom.exe
2232	Dnajppda.exe
1056	Ddkbmj32.exe
220	Ddnobj32.exe
2460	Enfckp32.exe
1856	Eoepebho.exe
1336	Eohmkb32.exe
2860	Eqiibjlj.exe
3224	Ebifmm32.exe
2432	Eomffaag.exe
2620	Edionhpn.exe
444	Ekcgkb32.exe
3128	Fbmohmoh.exe
4940	Fbplml32.exe
3464	Fkhpfbce.exe
3992	Fbbicl32.exe
2096	Fgoakc32.exe
2388	Fniihmpf.exe
4664	Fkmjaa32.exe
1560	Fbgbnkfm.exe
1656	Fkofga32.exe
2000	Gnnccl32.exe
2856	Ggfglb32.exe
3576	Gbkkik32.exe
3240	Ganldgib.exe
4080	Gnblnlhl.exe
4928	Geldkfpi.exe
3288	Gpaihooo.exe
4528	Gbpedjnb.exe
2956	Glhimp32.exe
2124	Gaebef32.exe
1704	Geanfelc.exe
2752	Hpfbcn32.exe
4660	Hpioin32.exe
4708	Hlppno32.exe
2348	Hemmac32.exe
4808	Ihkjno32.exe
1124	Iijfhbhl.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kjamidgd.dll	Afbgkl32.exe
File created	C:\Windows\SysWOW64\Opbean32.exe	Oihmedma.exe
File created	C:\Windows\SysWOW64\Gpojkp32.dll	Bnlhncgi.exe
File created	C:\Windows\SysWOW64\Kebkgjkg.dll	Nqcejcha.exe
File created	C:\Windows\SysWOW64\Hpioin32.exe	Hpfbcn32.exe
File created	C:\Windows\SysWOW64\Dbkqqe32.dll	Jifecp32.exe
File created	C:\Windows\SysWOW64\Fcndmiqg.dll	Lpochfji.exe
File opened for modification	C:\Windows\SysWOW64\Objkmkjj.exe	Ookoaokf.exe
File created	C:\Windows\SysWOW64\Cdmfllhn.exe	Cgifbhid.exe
File created	C:\Windows\SysWOW64\Bgicnp32.dll	Dakikoom.exe
File created	C:\Windows\SysWOW64\Godcje32.dll	Qaqegecm.exe
File opened for modification	C:\Windows\SysWOW64\Jbojlfdp.exe	Jifecp32.exe
File opened for modification	C:\Windows\SysWOW64\Mhckcgpj.exe	Mfenglqf.exe
File opened for modification	C:\Windows\SysWOW64\Nmaciefp.exe	Nfgklkoc.exe
File created	C:\Windows\SysWOW64\Nijqcf32.exe	Noblkqca.exe
File opened for modification	C:\Windows\SysWOW64\Iefphb32.exe	Ibgdlg32.exe
File opened for modification	C:\Windows\SysWOW64\Khgbqkhj.exe	Koonge32.exe
File created	C:\Windows\SysWOW64\Nqobhgmh.dll	Mhckcgpj.exe
File created	C:\Windows\SysWOW64\Dbmdml32.dll	Qfmmplad.exe
File opened for modification	C:\Windows\SysWOW64\Fbplml32.exe	Fbmohmoh.exe
File opened for modification	C:\Windows\SysWOW64\Noblkqca.exe	Nqoloc32.exe
File opened for modification	C:\Windows\SysWOW64\Jifecp32.exe	Jblmgf32.exe
File opened for modification	C:\Windows\SysWOW64\Lcclncbh.exe	Likhem32.exe
File opened for modification	C:\Windows\SysWOW64\Enfckp32.exe	Ddnobj32.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbpb32.exe	Niojoeel.exe
File created	C:\Windows\SysWOW64\Gnnccl32.exe	Fkofga32.exe
File created	C:\Windows\SysWOW64\Ebdoljdi.dll	Mcaipa32.exe
File opened for modification	C:\Windows\SysWOW64\Qacameaj.exe	Qodeajbg.exe
File opened for modification	C:\Windows\SysWOW64\Dojqjdbl.exe	Cklhcfle.exe
File opened for modification	C:\Windows\SysWOW64\Nfgklkoc.exe	Nciopppp.exe
File created	C:\Windows\SysWOW64\Dakikoom.exe	Dojqjdbl.exe
File created	C:\Windows\SysWOW64\Benibond.dll	Jimldogg.exe
File opened for modification	C:\Windows\SysWOW64\Ekcgkb32.exe	Edionhpn.exe
File created	C:\Windows\SysWOW64\Fkmjaa32.exe	Fniihmpf.exe
File opened for modification	C:\Windows\SysWOW64\Jbepme32.exe	Jimldogg.exe
File opened for modification	C:\Windows\SysWOW64\Nciopppp.exe	Mhckcgpj.exe
File created	C:\Windows\SysWOW64\Eignjamf.dll	Qacameaj.exe
File created	C:\Windows\SysWOW64\Okhbek32.dll	Cggimh32.exe
File created	C:\Windows\SysWOW64\Chgnfq32.dll	Lindkm32.exe
File created	C:\Windows\SysWOW64\Eoepebho.exe	Enfckp32.exe
File created	C:\Windows\SysWOW64\Onogcg32.dll	Kapfiqoj.exe
File created	C:\Windows\SysWOW64\Modpib32.exe	Mjggal32.exe
File created	C:\Windows\SysWOW64\Lhnoigkk.dll	Obqanjdb.exe
File created	C:\Windows\SysWOW64\Qaqegecm.exe	Qhhpop32.exe
File created	C:\Windows\SysWOW64\Gnblnlhl.exe	Ganldgib.exe
File created	C:\Windows\SysWOW64\Fbplml32.exe	Fbmohmoh.exe
File opened for modification	C:\Windows\SysWOW64\Bnlhncgi.exe	Bogkmgba.exe
File created	C:\Windows\SysWOW64\Bkphhgfc.exe	Bnlhncgi.exe
File created	C:\Windows\SysWOW64\Ocihgnam.exe	Omopjcjp.exe
File opened for modification	C:\Windows\SysWOW64\Qaqegecm.exe	Qhhpop32.exe
File opened for modification	C:\Windows\SysWOW64\Lhqefjpo.exe	Lindkm32.exe
File created	C:\Windows\SysWOW64\Kaadlo32.dll	Nmaciefp.exe
File created	C:\Windows\SysWOW64\Gipbmd32.dll	Nqaiecjd.exe
File created	C:\Windows\SysWOW64\Qacameaj.exe	Qodeajbg.exe
File created	C:\Windows\SysWOW64\Kapfiqoj.exe	Khgbqkhj.exe
File created	C:\Windows\SysWOW64\Badjai32.dll	Fbmohmoh.exe
File opened for modification	C:\Windows\SysWOW64\Oophlo32.exe	Oqmhqapg.exe
File created	C:\Windows\SysWOW64\Cpfoag32.dll	Cdmfllhn.exe
File created	C:\Windows\SysWOW64\Focanl32.dll	Ekcgkb32.exe
File created	C:\Windows\SysWOW64\Mbgeqmjp.exe	Mpeiie32.exe
File opened for modification	C:\Windows\SysWOW64\Nqcejcha.exe	Nfnamjhk.exe
File created	C:\Windows\SysWOW64\Bpldbefn.dll	Oiagde32.exe
File opened for modification	C:\Windows\SysWOW64\Aoioli32.exe	Afbgkl32.exe
File opened for modification	C:\Windows\SysWOW64\Aopemh32.exe	Adkqoohc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5376	6128	WerFault.exe	235

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qaqegecm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbmohmoh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iehmmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfagighf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjlalkmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofgdcipq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqmhqapg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apmhiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adkqoohc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kofdhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhqefjpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjggal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hemmac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iojkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhckcgpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oikjkc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pafkgphl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edionhpn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ganldgib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iafkld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbojlfdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfenglqf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gpaihooo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhanngbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Noblkqca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jafdcbge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kapfiqoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mqhfoebo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nijqcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hlppno32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pakdbp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpdgqmnb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofckhj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcpnhl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhnojl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpgmhg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhgkgijg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qacameaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdmfllhn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkhpfbce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbbicl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkmjaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmaciefp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqfbpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dakikoom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hpfbcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jblmgf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klekfinp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hpioin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iefphb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lojmcdgl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njedbjej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfccogfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cklhcfle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekcgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpochfji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnajppda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iijfhbhl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncbafoge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqiibjlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gnblnlhl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocihgnam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jifecp32.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3628	MicrosoftEdgeUpdate.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aopemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jafdcbge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfmlqhcc.dll"	Kpiqfima.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgeaknci.dll"	Amlogfel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kofdhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mablfnne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqkplq32.dll"	Pcpnhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjamidgd.dll"	Afbgkl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njedbjej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deaiemli.dll"	Pfepdg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	047c2b7237010e343732b699d4b346f5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qhhpop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iehmmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pakdbp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Enfckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jimldogg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaeidf32.dll"	Likhem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpfljc32.dll"	Fkmjaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddnobj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Noblkqca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cklhcfle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dojqjdbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iefphb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Amlogfel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddnobj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpiqfima.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lojmcdgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nmaciefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Amlogfel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fgoakc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gnblnlhl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iimcma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jhnojl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lindkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Edionhpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcdihk32.dll"	Fbplml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeegfibg.dll"	Ddnobj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fkmjaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Niojoeel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fbgbnkfm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbojlfdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjkhnd32.dll"	Ofckhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oqmhqapg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qckcba32.dll"	Oikjkc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjjfdfbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Apmhiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbjieo32.dll"	Baannc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cpdgqmnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odaodc32.dll"	Gbpedjnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lchfib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nciopppp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Falmlm32.dll"	Jpbjfjci.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lchfib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgicnp32.dll"	Dakikoom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fbbicl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lhenai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpnkbfj.dll"	Lhgkgijg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ofgdcipq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhnoigkk.dll"	Obqanjdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qfmmplad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdmfllhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hemmac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeeape32.dll"	Bkibgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jblmgf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3144 wrote to memory of 1244	3144	047c2b7237010e343732b699d4b346f5.exe	85
PID 3144 wrote to memory of 1244	3144	047c2b7237010e343732b699d4b346f5.exe	85
PID 3144 wrote to memory of 1244	3144	047c2b7237010e343732b699d4b346f5.exe	85
PID 1244 wrote to memory of 664	1244	Qhhpop32.exe	86
PID 1244 wrote to memory of 664	1244	Qhhpop32.exe	86
PID 1244 wrote to memory of 664	1244	Qhhpop32.exe	86
PID 664 wrote to memory of 3028	664	Qaqegecm.exe	87
PID 664 wrote to memory of 3028	664	Qaqegecm.exe	87
PID 664 wrote to memory of 3028	664	Qaqegecm.exe	87
PID 3028 wrote to memory of 1240	3028	Qfmmplad.exe	88
PID 3028 wrote to memory of 1240	3028	Qfmmplad.exe	88
PID 3028 wrote to memory of 1240	3028	Qfmmplad.exe	88
PID 1240 wrote to memory of 2836	1240	Qodeajbg.exe	89
PID 1240 wrote to memory of 2836	1240	Qodeajbg.exe	89
PID 1240 wrote to memory of 2836	1240	Qodeajbg.exe	89
PID 2836 wrote to memory of 564	2836	Qacameaj.exe	90
PID 2836 wrote to memory of 564	2836	Qacameaj.exe	90
PID 2836 wrote to memory of 564	2836	Qacameaj.exe	90
PID 564 wrote to memory of 4336	564	Afbgkl32.exe	91
PID 564 wrote to memory of 4336	564	Afbgkl32.exe	91
PID 564 wrote to memory of 4336	564	Afbgkl32.exe	91
PID 4336 wrote to memory of 4712	4336	Aoioli32.exe	92
PID 4336 wrote to memory of 4712	4336	Aoioli32.exe	92
PID 4336 wrote to memory of 4712	4336	Aoioli32.exe	92
PID 4712 wrote to memory of 556	4712	Amlogfel.exe	93
PID 4712 wrote to memory of 556	4712	Amlogfel.exe	93
PID 4712 wrote to memory of 556	4712	Amlogfel.exe	93
PID 556 wrote to memory of 1460	556	Apmhiq32.exe	94
PID 556 wrote to memory of 1460	556	Apmhiq32.exe	94
PID 556 wrote to memory of 1460	556	Apmhiq32.exe	94
PID 1460 wrote to memory of 4148	1460	Aggpfkjj.exe	95
PID 1460 wrote to memory of 4148	1460	Aggpfkjj.exe	95
PID 1460 wrote to memory of 4148	1460	Aggpfkjj.exe	95
PID 4148 wrote to memory of 4444	4148	Adkqoohc.exe	96
PID 4148 wrote to memory of 4444	4148	Adkqoohc.exe	96
PID 4148 wrote to memory of 4444	4148	Adkqoohc.exe	96
PID 4444 wrote to memory of 2220	4444	Aopemh32.exe	97
PID 4444 wrote to memory of 2220	4444	Aopemh32.exe	97
PID 4444 wrote to memory of 2220	4444	Aopemh32.exe	97
PID 2220 wrote to memory of 3612	2220	Bhhiemoj.exe	98
PID 2220 wrote to memory of 3612	2220	Bhhiemoj.exe	98
PID 2220 wrote to memory of 3612	2220	Bhhiemoj.exe	98
PID 3612 wrote to memory of 1504	3612	Baannc32.exe	99
PID 3612 wrote to memory of 1504	3612	Baannc32.exe	99
PID 3612 wrote to memory of 1504	3612	Baannc32.exe	99
PID 1504 wrote to memory of 2416	1504	Bhkfkmmg.exe	100
PID 1504 wrote to memory of 2416	1504	Bhkfkmmg.exe	100
PID 1504 wrote to memory of 2416	1504	Bhkfkmmg.exe	100
PID 2416 wrote to memory of 1284	2416	Bkibgh32.exe	101
PID 2416 wrote to memory of 1284	2416	Bkibgh32.exe	101
PID 2416 wrote to memory of 1284	2416	Bkibgh32.exe	101
PID 1284 wrote to memory of 4672	1284	Bogkmgba.exe	102
PID 1284 wrote to memory of 4672	1284	Bogkmgba.exe	102
PID 1284 wrote to memory of 4672	1284	Bogkmgba.exe	102
PID 4672 wrote to memory of 980	4672	Bnlhncgi.exe	103
PID 4672 wrote to memory of 980	4672	Bnlhncgi.exe	103
PID 4672 wrote to memory of 980	4672	Bnlhncgi.exe	103
PID 980 wrote to memory of 4864	980	Bkphhgfc.exe	104
PID 980 wrote to memory of 4864	980	Bkphhgfc.exe	104
PID 980 wrote to memory of 4864	980	Bkphhgfc.exe	104
PID 4864 wrote to memory of 4812	4864	Cggimh32.exe	105
PID 4864 wrote to memory of 4812	4864	Cggimh32.exe	105
PID 4864 wrote to memory of 4812	4864	Cggimh32.exe	105
PID 4812 wrote to memory of 4384	4812	Cgifbhid.exe	106

C:\Users\Admin\AppData\Local\Temp\VirusSign.2023.11.29\047c2b7237010e343732b699d4b346f5.exe
"C:\Users\Admin\AppData\Local\Temp\VirusSign.2023.11.29\047c2b7237010e343732b699d4b346f5.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3144
- C:\Windows\SysWOW64\Qhhpop32.exe
  C:\Windows\system32\Qhhpop32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1244
- - C:\Windows\SysWOW64\Qaqegecm.exe
    C:\Windows\system32\Qaqegecm.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:664
  - - C:\Windows\SysWOW64\Qfmmplad.exe
      C:\Windows\system32\Qfmmplad.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3028
    - - C:\Windows\SysWOW64\Qodeajbg.exe
        
        C:\Windows\system32\Qodeajbg.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1240
      - C:\Windows\SysWOW64\Qacameaj.exe
        
        C:\Windows\system32\Qacameaj.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\SysWOW64\Afbgkl32.exe
        
        C:\Windows\system32\Afbgkl32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:564
        
        C:\Windows\SysWOW64\Aoioli32.exe
        
        C:\Windows\system32\Aoioli32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\SysWOW64\Amlogfel.exe
        
        C:\Windows\system32\Amlogfel.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4712
        
        C:\Windows\SysWOW64\Apmhiq32.exe
        
        C:\Windows\system32\Apmhiq32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Windows\SysWOW64\Aggpfkjj.exe
        
        C:\Windows\system32\Aggpfkjj.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\SysWOW64\Adkqoohc.exe
        
        C:\Windows\system32\Adkqoohc.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4148
        
        C:\Windows\SysWOW64\Aopemh32.exe
        
        C:\Windows\system32\Aopemh32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\SysWOW64\Bhhiemoj.exe
        
        C:\Windows\system32\Bhhiemoj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\SysWOW64\Baannc32.exe
        
        C:\Windows\system32\Baannc32.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3612
        
        C:\Windows\SysWOW64\Bhkfkmmg.exe
        
        C:\Windows\system32\Bhkfkmmg.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\SysWOW64\Bkibgh32.exe
        
        C:\Windows\system32\Bkibgh32.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\SysWOW64\Bogkmgba.exe
        
        C:\Windows\system32\Bogkmgba.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1284
        
        C:\Windows\SysWOW64\Bnlhncgi.exe
        
        C:\Windows\system32\Bnlhncgi.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\SysWOW64\Bkphhgfc.exe
        
        C:\Windows\system32\Bkphhgfc.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:980
        
        C:\Windows\SysWOW64\Cggimh32.exe
        
        C:\Windows\system32\Cggimh32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\SysWOW64\Cgifbhid.exe
        
        C:\Windows\system32\Cgifbhid.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4812
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4384
        
        C:\Windows\SysWOW64\Cpdgqmnb.exe
        
        C:\Windows\system32\Cpdgqmnb.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4200
        
        C:\Windows\SysWOW64\Coegoe32.exe
        
        C:\Windows\system32\Coegoe32.exe
        25⤵
        Executes dropped EXE
        
        PID:2612
        
        C:\Windows\SysWOW64\Cklhcfle.exe
        
        C:\Windows\system32\Cklhcfle.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2064
        
        C:\Windows\SysWOW64\Dojqjdbl.exe
        
        C:\Windows\system32\Dojqjdbl.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4160
        
        C:\Windows\SysWOW64\Dakikoom.exe
        
        C:\Windows\system32\Dakikoom.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Dnajppda.exe
        
        C:\Windows\system32\Dnajppda.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2232
        
        C:\Windows\SysWOW64\Ddkbmj32.exe
        
        C:\Windows\system32\Ddkbmj32.exe
        30⤵
        Executes dropped EXE
        
        PID:1056
        
        C:\Windows\SysWOW64\Ddnobj32.exe
        
        C:\Windows\system32\Ddnobj32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:220
        
        C:\Windows\SysWOW64\Enfckp32.exe
        
        C:\Windows\system32\Enfckp32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2460
        
        C:\Windows\SysWOW64\Eoepebho.exe
        
        C:\Windows\system32\Eoepebho.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1856
        
        C:\Windows\SysWOW64\Eohmkb32.exe
        
        C:\Windows\system32\Eohmkb32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1336
        
        C:\Windows\SysWOW64\Eqiibjlj.exe
        
        C:\Windows\system32\Eqiibjlj.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Windows\SysWOW64\Ebifmm32.exe
        
        C:\Windows\system32\Ebifmm32.exe
        36⤵
        Executes dropped EXE
        
        PID:3224
        
        C:\Windows\SysWOW64\Eomffaag.exe
        
        C:\Windows\system32\Eomffaag.exe
        37⤵
        Executes dropped EXE
        
        PID:2432
        
        C:\Windows\SysWOW64\Edionhpn.exe
        
        C:\Windows\system32\Edionhpn.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2620
        
        C:\Windows\SysWOW64\Ekcgkb32.exe
        
        C:\Windows\system32\Ekcgkb32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:444
        
        C:\Windows\SysWOW64\Fbmohmoh.exe
        
        C:\Windows\system32\Fbmohmoh.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3128
        
        C:\Windows\SysWOW64\Fbplml32.exe
        
        C:\Windows\system32\Fbplml32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4940
        
        C:\Windows\SysWOW64\Fkhpfbce.exe
        
        C:\Windows\system32\Fkhpfbce.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3464
        
        C:\Windows\SysWOW64\Fbbicl32.exe
        
        C:\Windows\system32\Fbbicl32.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3992
        
        C:\Windows\SysWOW64\Fgoakc32.exe
        
        C:\Windows\system32\Fgoakc32.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2096
        
        C:\Windows\SysWOW64\Fniihmpf.exe
        
        C:\Windows\system32\Fniihmpf.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2388
        
        C:\Windows\SysWOW64\Fkmjaa32.exe
        
        C:\Windows\system32\Fkmjaa32.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4664
        
        C:\Windows\SysWOW64\Fbgbnkfm.exe
        
        C:\Windows\system32\Fbgbnkfm.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1560
        
        C:\Windows\SysWOW64\Fkofga32.exe
        
        C:\Windows\system32\Fkofga32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1656
        
        C:\Windows\SysWOW64\Gnnccl32.exe
        
        C:\Windows\system32\Gnnccl32.exe
        49⤵
        Executes dropped EXE
        
        PID:2000
        
        C:\Windows\SysWOW64\Ggfglb32.exe
        
        C:\Windows\system32\Ggfglb32.exe
        50⤵
        Executes dropped EXE
        
        PID:2856
        
        C:\Windows\SysWOW64\Gbkkik32.exe
        
        C:\Windows\system32\Gbkkik32.exe
        51⤵
        Executes dropped EXE
        
        PID:3576
        
        C:\Windows\SysWOW64\Ganldgib.exe
        
        C:\Windows\system32\Ganldgib.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3240
        
        C:\Windows\SysWOW64\Gnblnlhl.exe
        
        C:\Windows\system32\Gnblnlhl.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4080
        
        C:\Windows\SysWOW64\Geldkfpi.exe
        
        C:\Windows\system32\Geldkfpi.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4928
        
        C:\Windows\SysWOW64\Gpaihooo.exe
        
        C:\Windows\system32\Gpaihooo.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3288
        
        C:\Windows\SysWOW64\Gbpedjnb.exe
        
        C:\Windows\system32\Gbpedjnb.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Glhimp32.exe
        
        C:\Windows\system32\Glhimp32.exe
        57⤵
        Executes dropped EXE
        
        PID:2956
        
        C:\Windows\SysWOW64\Gaebef32.exe
        
        C:\Windows\system32\Gaebef32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2124
        
        C:\Windows\SysWOW64\Geanfelc.exe
        
        C:\Windows\system32\Geanfelc.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1704
        
        C:\Windows\SysWOW64\Hpfbcn32.exe
        
        C:\Windows\system32\Hpfbcn32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2752
        
        C:\Windows\SysWOW64\Hpioin32.exe
        
        C:\Windows\system32\Hpioin32.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4660
        
        C:\Windows\SysWOW64\Hlppno32.exe
        
        C:\Windows\system32\Hlppno32.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4708
        
        C:\Windows\SysWOW64\Hemmac32.exe
        
        C:\Windows\system32\Hemmac32.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2348
        
        C:\Windows\SysWOW64\Ihkjno32.exe
        
        C:\Windows\system32\Ihkjno32.exe
        64⤵
        Executes dropped EXE
        
        PID:4808
        
        C:\Windows\SysWOW64\Iijfhbhl.exe
        
        C:\Windows\system32\Iijfhbhl.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1124
        
        C:\Windows\SysWOW64\Iafkld32.exe
        
        C:\Windows\system32\Iafkld32.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:2468
        
        C:\Windows\SysWOW64\Iimcma32.exe
        
        C:\Windows\system32\Iimcma32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2060
        
        C:\Windows\SysWOW64\Iojkeh32.exe
        
        C:\Windows\system32\Iojkeh32.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:3180
        
        C:\Windows\SysWOW64\Ibgdlg32.exe
        
        C:\Windows\system32\Ibgdlg32.exe
        69⤵
        Drops file in System32 directory
        
        PID:1288
        
        C:\Windows\SysWOW64\Iefphb32.exe
        
        C:\Windows\system32\Iefphb32.exe
        70⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3420
        
        C:\Windows\SysWOW64\Ibjqaf32.exe
        
        C:\Windows\system32\Ibjqaf32.exe
        71⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\Iehmmb32.exe
        
        C:\Windows\system32\Iehmmb32.exe
        72⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Jblmgf32.exe
        
        C:\Windows\system32\Jblmgf32.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2300
        
        C:\Windows\SysWOW64\Jifecp32.exe
        
        C:\Windows\system32\Jifecp32.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4568
        
        C:\Windows\SysWOW64\Jbojlfdp.exe
        
        C:\Windows\system32\Jbojlfdp.exe
        75⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1728
        
        C:\Windows\SysWOW64\Jhkbdmbg.exe
        
        C:\Windows\system32\Jhkbdmbg.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1824
        
        C:\Windows\SysWOW64\Jpbjfjci.exe
        
        C:\Windows\system32\Jpbjfjci.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:820
        
        C:\Windows\SysWOW64\Jhnojl32.exe
        
        C:\Windows\system32\Jhnojl32.exe
        78⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Jafdcbge.exe
        
        C:\Windows\system32\Jafdcbge.exe
        79⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Jimldogg.exe
        
        C:\Windows\system32\Jimldogg.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4968
        
        C:\Windows\SysWOW64\Jbepme32.exe
        
        C:\Windows\system32\Jbepme32.exe
        81⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\Khbiello.exe
        
        C:\Windows\system32\Khbiello.exe
        82⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\Kpiqfima.exe
        
        C:\Windows\system32\Kpiqfima.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Koonge32.exe
        
        C:\Windows\system32\Koonge32.exe
        84⤵
        Drops file in System32 directory
        
        PID:4880
        
        C:\Windows\SysWOW64\Khgbqkhj.exe
        
        C:\Windows\system32\Khgbqkhj.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:476
        
        C:\Windows\SysWOW64\Kapfiqoj.exe
        
        C:\Windows\system32\Kapfiqoj.exe
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5108
        
        C:\Windows\SysWOW64\Klekfinp.exe
        
        C:\Windows\system32\Klekfinp.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:872
        
        C:\Windows\SysWOW64\Kiikpnmj.exe
        
        C:\Windows\system32\Kiikpnmj.exe
        88⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\Kofdhd32.exe
        
        C:\Windows\system32\Kofdhd32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1892
        
        C:\Windows\SysWOW64\Likhem32.exe
        
        C:\Windows\system32\Likhem32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2376
        
        C:\Windows\SysWOW64\Lcclncbh.exe
        
        C:\Windows\system32\Lcclncbh.exe
        91⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\Lindkm32.exe
        
        C:\Windows\system32\Lindkm32.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:228
        
        C:\Windows\SysWOW64\Lhqefjpo.exe
        
        C:\Windows\system32\Lhqefjpo.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:572
        
        C:\Windows\SysWOW64\Lpgmhg32.exe
        
        C:\Windows\system32\Lpgmhg32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3928
        
        C:\Windows\SysWOW64\Lojmcdgl.exe
        
        C:\Windows\system32\Lojmcdgl.exe
        95⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4840
        
        C:\Windows\SysWOW64\Ljpaqmgb.exe
        
        C:\Windows\system32\Ljpaqmgb.exe
        96⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\Lchfib32.exe
        
        C:\Windows\system32\Lchfib32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3588
        
        C:\Windows\SysWOW64\Lhenai32.exe
        
        C:\Windows\system32\Lhenai32.exe
        98⤵
        Modifies registry class
        
        PID:2660
        
        C:\Windows\SysWOW64\Lplfcf32.exe
        
        C:\Windows\system32\Lplfcf32.exe
        99⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\Lhgkgijg.exe
        
        C:\Windows\system32\Lhgkgijg.exe
        100⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2140
        
        C:\Windows\SysWOW64\Lpochfji.exe
        
        C:\Windows\system32\Lpochfji.exe
        101⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:696
        
        C:\Windows\SysWOW64\Mjggal32.exe
        
        C:\Windows\system32\Mjggal32.exe
        102⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4288
        
        C:\Windows\SysWOW64\Modpib32.exe
        
        C:\Windows\system32\Modpib32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3376
        
        C:\Windows\SysWOW64\Mablfnne.exe
        
        C:\Windows\system32\Mablfnne.exe
        104⤵
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\Mhldbh32.exe
        
        C:\Windows\system32\Mhldbh32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2452
        
        C:\Windows\SysWOW64\Mcaipa32.exe
        
        C:\Windows\system32\Mcaipa32.exe
        106⤵
        Drops file in System32 directory
        
        PID:1956
        
        C:\Windows\SysWOW64\Mjlalkmd.exe
        
        C:\Windows\system32\Mjlalkmd.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4164
        
        C:\Windows\SysWOW64\Mpeiie32.exe
        
        C:\Windows\system32\Mpeiie32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4628
        
        C:\Windows\SysWOW64\Mbgeqmjp.exe
        
        C:\Windows\system32\Mbgeqmjp.exe
        109⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\Mhanngbl.exe
        
        C:\Windows\system32\Mhanngbl.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5184
        
        C:\Windows\SysWOW64\Mqhfoebo.exe
        
        C:\Windows\system32\Mqhfoebo.exe
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:5220
        
        C:\Windows\SysWOW64\Mfenglqf.exe
        
        C:\Windows\system32\Mfenglqf.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5256
        
        C:\Windows\SysWOW64\Mhckcgpj.exe
        
        C:\Windows\system32\Mhckcgpj.exe
        113⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5292
        
        C:\Windows\SysWOW64\Nciopppp.exe
        
        C:\Windows\system32\Nciopppp.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Nfgklkoc.exe
        
        C:\Windows\system32\Nfgklkoc.exe
        115⤵
        Drops file in System32 directory
        
        PID:5360
        
        C:\Windows\SysWOW64\Nmaciefp.exe
        
        C:\Windows\system32\Nmaciefp.exe
        116⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Noppeaed.exe
        
        C:\Windows\system32\Noppeaed.exe
        117⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\Njedbjej.exe
        
        C:\Windows\system32\Njedbjej.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Nqoloc32.exe
        
        C:\Windows\system32\Nqoloc32.exe
        119⤵
        Drops file in System32 directory
        
        PID:5512
        
        C:\Windows\SysWOW64\Noblkqca.exe
        
        C:\Windows\system32\Noblkqca.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Nijqcf32.exe
        
        C:\Windows\system32\Nijqcf32.exe
        121⤵
        System Location Discovery: System Language Discovery
        
        PID:5580
        
        C:\Windows\SysWOW64\Nqaiecjd.exe
        
        C:\Windows\system32\Nqaiecjd.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5616
        
        C:\Windows\SysWOW64\Nfnamjhk.exe
        
        C:\Windows\system32\Nfnamjhk.exe
        123⤵
        Drops file in System32 directory
        
        PID:5652
        
        C:\Windows\SysWOW64\Nqcejcha.exe
        
        C:\Windows\system32\Nqcejcha.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5688
        
        C:\Windows\SysWOW64\Ncbafoge.exe
        
        C:\Windows\system32\Ncbafoge.exe
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:5724
        
        C:\Windows\SysWOW64\Niojoeel.exe
        
        C:\Windows\system32\Niojoeel.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Nqfbpb32.exe
        
        C:\Windows\system32\Nqfbpb32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5796
        
        C:\Windows\SysWOW64\Ofckhj32.exe
        
        C:\Windows\system32\Ofckhj32.exe
        128⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5832
        
        C:\Windows\SysWOW64\Oiagde32.exe
        
        C:\Windows\system32\Oiagde32.exe
        129⤵
        Drops file in System32 directory
        
        PID:5864
        
        C:\Windows\SysWOW64\Ookoaokf.exe
        
        C:\Windows\system32\Ookoaokf.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5900
        
        C:\Windows\SysWOW64\Objkmkjj.exe
        
        C:\Windows\system32\Objkmkjj.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5936
        
        C:\Windows\SysWOW64\Omopjcjp.exe
        
        C:\Windows\system32\Omopjcjp.exe
        132⤵
        Drops file in System32 directory
        
        PID:5968
        
        C:\Windows\SysWOW64\Ocihgnam.exe
        
        C:\Windows\system32\Ocihgnam.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6000
        
        C:\Windows\SysWOW64\Ofgdcipq.exe
        
        C:\Windows\system32\Ofgdcipq.exe
        134⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Oqmhqapg.exe
        
        C:\Windows\system32\Oqmhqapg.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6076
        
        C:\Windows\SysWOW64\Oophlo32.exe
        
        C:\Windows\system32\Oophlo32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6112
        
        C:\Windows\SysWOW64\Oihmedma.exe
        
        C:\Windows\system32\Oihmedma.exe
        137⤵
        Drops file in System32 directory
        
        PID:5156
        
        C:\Windows\SysWOW64\Opbean32.exe
        
        C:\Windows\system32\Opbean32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5204
        
        C:\Windows\SysWOW64\Obqanjdb.exe
        
        C:\Windows\system32\Obqanjdb.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Oikjkc32.exe
        
        C:\Windows\system32\Oikjkc32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Pcpnhl32.exe
        
        C:\Windows\system32\Pcpnhl32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Pjjfdfbb.exe
        
        C:\Windows\system32\Pjjfdfbb.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Pmhbqbae.exe
        
        C:\Windows\system32\Pmhbqbae.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5520
        
        C:\Windows\SysWOW64\Pfagighf.exe
        
        C:\Windows\system32\Pfagighf.exe
        144⤵
        System Location Discovery: System Language Discovery
        
        PID:5592
        
        C:\Windows\SysWOW64\Pafkgphl.exe
        
        C:\Windows\system32\Pafkgphl.exe
        145⤵
        System Location Discovery: System Language Discovery
        
        PID:5660
        
        C:\Windows\SysWOW64\Pcegclgp.exe
        
        C:\Windows\system32\Pcegclgp.exe
        146⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\Pfccogfc.exe
        
        C:\Windows\system32\Pfccogfc.exe
        147⤵
        System Location Discovery: System Language Discovery
        
        PID:5788
        
        C:\Windows\SysWOW64\Pplhhm32.exe
        
        C:\Windows\system32\Pplhhm32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5856
        
        C:\Windows\SysWOW64\Pfepdg32.exe
        
        C:\Windows\system32\Pfepdg32.exe
        149⤵
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Pakdbp32.exe
        
        C:\Windows\system32\Pakdbp32.exe
        150⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Pblajhje.exe
        
        C:\Windows\system32\Pblajhje.exe
        151⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        152⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6128 -s 448
        153⤵
        Program crash
        
        PID:5376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 6128 -ip 6128
1⤵
PID:5308

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MUE5OUY1NDgtQTM4NS00REI3LTlDMjQtNDU0MEMwQUYxQ0RBfSIgdXNlcmlkPSJ7QjI5QTQ0QUItRDczNS00NjY2LUI1MjYtMDYxNEYzMDJGMjI0fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7M0NEMjQ4QzktNUMyOS00NzU1LUEyRUEtNDlDNzIzOEYwMUZGfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0NC40NTI5IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iMTI1IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtyNDUydDErazJUZ3EvSFh6anZGTkJSaG9wQldSOXNialh4cWVVREg5dVgwPSZxdW90OyIvPjxhcHAgYXBwaWQ9Ins4QTY5RDM0NS1ENTY0LTQ2M2MtQUZGMS1BNjlEOUU1MzBGOTZ9IiB2ZXJzaW9uPSIxMjMuMC42MzEyLjEyMyIgbmV4dHZlcnNpb249IiIgbGFuZz0iZW4iIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMiIgaW5zdGFsbGRhdGV0aW1lPSIxNzM4OTM1NTQ0IiBvb2JlX2luc3RhbGxfdGltZT0iMTMzODM0MDgwMzc1NTYwMDAwIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMjE3OTg2MiIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTIxODE1MjQ4OSIvPjwvYXBwPjwvcmVxdWVzdD4
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:3628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adkqoohc.exe

Filesize
295KB

MD5
70786b31f76336ddcd0a9ba124c6224c

SHA1
06800feba823e52d5ef1b1a7d628e1ef3ddacfb2

SHA256
458154ae7496e0a41ba6c7c749af76f50b40c7e78500bce404eadeb9f438b775

SHA512
333913805b035935bed344406921522630c41b415eccb3b3449029e600af864785262ee2652507d9e2f4b595b9e33c69dace8f1fcd89e2f43221858c06511311

Download Submit
C:\Windows\SysWOW64\Afbgkl32.exe

Filesize
295KB

MD5
ca8085829cb0328bf68bbaff3d3cc012

SHA1
f98c9f5c7fad646f5a9942fb23b7a0c8c45c4f02

SHA256
3da40fec55740c9c9230647f8fedd451473fb6f486660645b058de3f8663247a

SHA512
d9ac68b9a160f7d1cd6eedb695f6e0e79800d64a99b090bedd6c37c263cdbf84180431d1fbd3f2b24d198229029976fad61af1e37cb54071764708eb2c138d74

Download Submit
C:\Windows\SysWOW64\Aggpfkjj.exe

Filesize
295KB

MD5
7ea4f8ae05904605e67342211d4ba03f

SHA1
0ffb4aaa6e16cd4b5cfe013a8303b536a67eede7

SHA256
c466cac5c3695c4d124db045626220942bd8640f13eef9b2b59f510417315a39

SHA512
35ac9c38b584f0ee66bda769d527f0d9d30fc2807298e9346d4a4c06c4dd5887e627ade1847f2d81dc215bfa7e44658fec8904636707b7a36264fbfa88b8c418

Download Submit
C:\Windows\SysWOW64\Amlogfel.exe

Filesize
295KB

MD5
77a2b7cfc19ea28a6d70583359659df3

SHA1
2de44a6c12bf6a94df4ba6cab67926e307914c59

SHA256
fb9174d83a17a050250409feda75b596c87e5d44f760b81c645020e65a0fdaea

SHA512
5d14e7d2575a7f97859478c8f65a0c336089124c78c53d4446881b758d7f89caaffa40b827a634b0904f38735d598f0374a8ae279e599e64ae248a4cd8119023

Download Submit
C:\Windows\SysWOW64\Aoioli32.exe

Filesize
295KB

MD5
cd6df24c714399c47df5df9707dc507c

SHA1
4df02be7d73a5e696423ea786ffa6a9110c6eb06

SHA256
c439a5a8fc47e514bd1ec438500b056519e4ce7c84e82f33245b61c76403dc84

SHA512
73a8c683a032a72f223e8c4a351fac7742e8716628c1e19623272db3ba8c705d67402daea12c3ae52ab534620aa1ce8d89de504af5fe9c97c9d21f69b86b49a4

Download Submit
C:\Windows\SysWOW64\Aopemh32.exe

Filesize
295KB

MD5
a72830401a901ce37f0b3dfed26fc95f

SHA1
10e7154106a7334c26357b56853de42bc94f6ffa

SHA256
aea99f1b1b45be9a90249d8dda9325c4a080f826795d73a60a44a626ceab5158

SHA512
8406d46ded19acfa4f3861ed65168ea0e1513cf4d121cfd478fc071dca2e9b287af2e43e6d2a662fb96fa57a0e808fd0f4d41599ecf8558e71f8196756e82396

Download Submit
C:\Windows\SysWOW64\Apmhiq32.exe

Filesize
295KB

MD5
e0fb1d481710b9d0dfb34282c66e32e7

SHA1
3c4520431cdc3829cf47ca1247521dda56af5f82

SHA256
2cc5a6bf24ee01ab0ea34abce834cd0cc04dd2efccb815c312d284197be5cd52

SHA512
64a32d527f8c391a0c67c0891a8b887c5c15a8e453fde85aef7886c5766ddc5cb004b760b46be20db02a49e83379acf148d692f78512eb1032d9b7c1822104e6

Download Submit
C:\Windows\SysWOW64\Baannc32.exe

Filesize
295KB

MD5
f4e0f2f4e1942d4116792ffb249faeb7

SHA1
ad0743cec9de752f419c78c5d0a62d5884b4d15a

SHA256
3d1f7a391962ee7327a4a2470b219edd3579a53c57d84bd9fcf5f7634e3a7255

SHA512
ec5224a06dada90ca7368f9593102a03fd8875ffc65841346fb085b6b5814ab35c8ec9c259f51529e09553e098047039f2617725aa60ecfa1cc8a47984510d00

Download Submit
C:\Windows\SysWOW64\Bhhiemoj.exe

Filesize
295KB

MD5
76eed6f600fa4c7f86fe30087f2a6353

SHA1
a57b017e9e86fa09f946fb453bcde1da027195d9

SHA256
6c485f6e0386bf365e5bf1a0d183d754a8c2bea8a48dcfc52d0f630bbcf85d9f

SHA512
06e557a804491240da6829918a94d90e2feb1535f3cbb7032b0bdb32f2e8f8ca42ba1daae97c2fba98912637dadcd7e05e2c1d16586ed62b73491f50afd6ca40

Download Submit
C:\Windows\SysWOW64\Bhkfkmmg.exe

Filesize
295KB

MD5
40bf22e47b6241369a94642d9f6e59a2

SHA1
f02eebe90c05698b9b4a46839c42416fbefb5dff

SHA256
7806023073e3ac0c68d02ed79dc2dbe3afaeef902355d001124639be04ad9293

SHA512
637c3c6bd06a78f018a5832ffe4c96767e3c7543ba888ec5ef0c589e441e3eeab6ff6fdb89b43a1f7e2cb25a418a4708aac4cdba2add890fce684b61ab52a82d

Download Submit
C:\Windows\SysWOW64\Bkibgh32.exe

Filesize
295KB

MD5
c06557be294a93848c90d78093776592

SHA1
c026ba146bf0953c3122710a724b8a20f40f8d09

SHA256
a1c1252cc45ab6c823952712b2ac223b3c689034b7c0327751473ded6d70e43d

SHA512
7c416644259e4fb10c1272f01c04f5ec8383644501992c21049fd70e570a535c9169a37f330dc082c62e33b9ac94b957718418cc48d877da3013a217e3d22849

Download Submit
C:\Windows\SysWOW64\Bkphhgfc.exe

Filesize
295KB

MD5
888ecb674551218c7de54dfd389398bb

SHA1
c27cae501aa2c4e2aa163e6ed6b3394cbb282af8

SHA256
4a9df18ea36933f0cc557e1fa1993d1c33c7eb0615a7d619515f3cefe1101a2e

SHA512
8605c8f6e8be3bf8aa8dc26d2fc5ec9bba5a341431a5b4e8614f6d7c66c85c74c5ca636784a66c3e189cb1484c381d499b40578277f71bca529a76097a6820a7

Download Submit
C:\Windows\SysWOW64\Bnlhncgi.exe

Filesize
295KB

MD5
eb89d06f3700fd5a9ce47b89f78c7f1b

SHA1
aa2fd129626501a618ad381881dfbba2e4581c50

SHA256
29dd2f62da415b71a380d221b2cbe3e213ead2dc656d9451ea71f09aaf604264

SHA512
89f8cf6c84250cff51375caa2adfc5b6b0386a05fd6e320d6d90739936718b683be0dbe92bbc1b27913965aa90b171114775fc9323a675ef5a4b14a10676f596

Download Submit
C:\Windows\SysWOW64\Bogkmgba.exe

Filesize
295KB

MD5
dd41b694d091720effd7a7a2a283e6e0

SHA1
64830a43e6e826baaefcb803b601c74d1cbd0200

SHA256
354121007a667d4392e78e83b3ecc6af7868a01a0c29af7d5eb66a4a86c28367

SHA512
9f138646d20cfd8a875849ecaf5a75d2227d8d53ce335dd69800114dfb8411c7d7ffc755cb44bf753d1a49670f3cf72e010bf2cc3f351d1b7479c5b1ded98a19

Download Submit
C:\Windows\SysWOW64\Cdmfllhn.exe

Filesize
295KB

MD5
59fbfc4d5c9d82972ffc2e199c806b5f

SHA1
3c19f8b9b4278ae980e42b45a77967c41d00ba01

SHA256
67f398e63634fb204d640c27ea5b55d0cdcc1bc0c0a7f6ceed688b1746bccd40

SHA512
351846fbae4dce6690701ae69e145a986700d2ec1d41370ea1e321ffd42624290cbcf9a11cb6eedf1ca49547ae305b53fbe2a620c88c1d9743ab683e281f3b6a

Download Submit
C:\Windows\SysWOW64\Cggimh32.exe

Filesize
295KB

MD5
a18894607adc232269615a8982b1f616

SHA1
0250fe7a99f26b933dcf670053b7a5a2a18c5642

SHA256
f2a074bee502a5fad15bf8d38c29b7865d0658034d8c912909161e339bda6125

SHA512
7dd49c614847ec1543848607bed05a8b5089403282ba44873aa249bfd93bf80d8b9ac67867b7c4c6c3ea43314212a7763f8a59433c57f97065b33c01e280a3bd

Download Submit
C:\Windows\SysWOW64\Cgifbhid.exe

Filesize
295KB

MD5
d7a47596e833657044866d51c0682461

SHA1
73cdef85d83c301a3add6d8ae3afa569b5ac7a44

SHA256
7666eba9a0ab0c5e5f572c5ff1af677062a3e41bbe29cd5ab1299fac6b169763

SHA512
7c99c79d1d57592319ea9363de843022ee2311c6b22ac1e4f1d69890f5b6488fe156f59f837dac65711596ed0a7a89e0c44e886849e5f4c1135bba9072afdf55

Download Submit
C:\Windows\SysWOW64\Cklhcfle.exe

Filesize
295KB

MD5
65951c9029d84f715e7c4113d7ae9120

SHA1
80b4c025f4e54a019094422a2b3229470677c08b

SHA256
cea904fb840bc78b8d99820114030bc189671e73fe14550e7f4336894e754a2c

SHA512
9f25bb97dfa02cfa464efa65e2be85faf8f214b90fb7f3f7f64c176cc6edd9ffce04f43e3967b02aa04b9faecbcaee3fd587d6ec119c352fa909b345b28dd5b7

Download Submit
C:\Windows\SysWOW64\Coegoe32.exe

Filesize
295KB

MD5
e256e7d849542f0eeaeab16ff62cd2b2

SHA1
7999fef4ded82951fe82bce5d0376933c1858e74

SHA256
f33dded8ef2c0b3917289ec5c9a604b3e10681969525e34547e6ed55264af16a

SHA512
376efefc8a145bf6c3258ed5a9ab605e40f241aad980bd70135e4193982eddd87d0a1ee2db9bd1886c8f65295bb22034b3f6f66be5bbfb57571610fc163e6370

Download Submit
C:\Windows\SysWOW64\Cpdgqmnb.exe

Filesize
295KB

MD5
aea6627276371b21ed1ca07fbc997ec2

SHA1
8b26bd4770eba944742393f69684653678f31f36

SHA256
b4d0045a7a296f89ce05cd7b94c7b0c7e1b14d5b0781952a36853955cc8d3bf0

SHA512
6d46e1452cf63c017cb05fdb7110e0a0f5124ec8f558b1e76f5ec713088dfaaa2fef4f65864142a86cfb1773910aa3f5d6d5007018d80d68e21f475f91193c4f

Download Submit
C:\Windows\SysWOW64\Dakikoom.exe

Filesize
295KB

MD5
15a787729793dc1aad4224325318d0d9

SHA1
2764792220939fcc7c4ca8bbb9710ceac3ca392f

SHA256
beb94bce33a029a2a9cbf0b9d4395342ee5823c866f38d255e9c6f3231557ff1

SHA512
2458c73596bd214b7667d311c0f33bc691c1eef08edb0d758e310088446b7af9ad0fd7ec11bea4c5c0b91f54fad2bbb9b4ba032b5cb20852d979ec3e78900433

Download Submit
C:\Windows\SysWOW64\Ddkbmj32.exe

Filesize
295KB

MD5
d4874a7e696b16b6ce8f22b2db38ea9b

SHA1
a716ee9ed296c85741c4f31d41365da37748e6a3

SHA256
f818c61100372c36e18f71a18b8e5d30e1277aa5b2c5beb5e67666ec905a99d2

SHA512
1208806af5eac8f3544a92398a059aec8f2ef88c6b67c7efaaa2f9e191776c09b2d569df1104b73973a37bc0d2b60576cd02e45433e0477efdeebc5e103b1a13

Download Submit
C:\Windows\SysWOW64\Ddnobj32.exe

Filesize
295KB

MD5
2bf80d9de0597349321513e4da05285e

SHA1
73d4d5b3a7890c86b887974700e6f602f8d4d728

SHA256
db3e606fa088920c07b1624b951f4fb1eb740e9f1a1f4869b920e7cefc05c16f

SHA512
9093dd7215f96bed3c19e5d8173beb21ca0a1fdb047786ee19464f0f130c0cafa1b31294bff92a2ba87ab83705c0f20ef011756d6278377a2cc4eafd3acdfa78

Download Submit
C:\Windows\SysWOW64\Dnajppda.exe

Filesize
295KB

MD5
0b0a875d12de94dda6f761d245cfd0ee

SHA1
cd6036f86ae8040d280286a7f810cf9c215a1f74

SHA256
0e6151f0ccf4207bddce5d2be0ec5a2fe4923acb6a29cb82967c1d811066ccf9

SHA512
1b8a04da29d9da0082f091f98bdcfd16adf99c1c09263f46089808d5d783e7a304ade43df7203748ca7139d4269dcc0950efdadb351d919b1d2bdf9d050f7ca1

Download Submit
C:\Windows\SysWOW64\Dojqjdbl.exe

Filesize
295KB

MD5
0ddf5282b4135672ccfd76932dad1e8d

SHA1
d33979dee1de9434545300f018a0e11274cfc802

SHA256
05d291de20f7dbfd30ddf0ca966d03175b5620da11f330bf73525be4c7d3634d

SHA512
78c0f22f87cee38b9d645bd1447889d619b9ab74849e089b1c4e427e087f0a6c622e6ce0693c2993360c09880186670f586bf9934d8fcb2ad0dd1b84c3996859

Download Submit
C:\Windows\SysWOW64\Enfckp32.exe

Filesize
295KB

MD5
4767e0663248073c6abecb0f0d769aee

SHA1
7f35f3eb39af0093334344254864e53a3351a0e6

SHA256
937fb97be6645304d48c0dc0fdd6c43be9d9d9bf91b2269c21b633a478eed094

SHA512
4951e33416b94af756540c23a5f3159b5988caa0e958d232961b1220d034e66343c5b8728204b80c1af49011cc3c7cd60798a3f4dbdd8ebc9d3a8288941e0d0f

Download Submit
C:\Windows\SysWOW64\Eoepebho.exe

Filesize
295KB

MD5
16dc8a85782983a20a3b2b8e24fe1241

SHA1
a47068305e17c36c64a94cf64466f70715eb7039

SHA256
7924a3665f72da6aad36bcd2f62d1262f469f13fab7a451aefb391545f8f756b

SHA512
81f60148c8fbd41b44757233ad601a61f3ca88c0a6dbd0d85bbd4526285fae3fe3525ec7db24a6f46deed0d9eaa1a3d374a6f96fbf79af65c19fd5b23bd4f2d4

Download Submit
C:\Windows\SysWOW64\Hockka32.dll

Filesize
7KB

MD5
345e3a6e8e00d86afe008f2ffd8b18e5

SHA1
c04d6e061389becce2afe949d688ad1a664595d3

SHA256
82297608b4c0ff4ee48692e2023949351f2bd19caf0384d1dbd6bddcf978e844

SHA512
3a61bd5778b3fcecc3f94d9c38089b80d78e0edc61d1e59e6ab648b955c0368e492e216d0e10b335be4e02cb1b92bec5c04ff6d4f96e3bed295ec08b2fd60b83

Download Submit
C:\Windows\SysWOW64\Qacameaj.exe

Filesize
295KB

MD5
71b378ac4ff26727edbec9f8aa26e994

SHA1
792402fd32c7a67524dd3e74cd584a67ade5c6f2

SHA256
5439000a6b834e9e3585f5139e555457dc805228fa59ae5e44f0bb523544e521

SHA512
5a75fed37c8e5ba1c1eb0ee188e2300f17c4998b759239e1d555499c7016b3e0827c56fd0b8803cefd28a6d0c4785222cf2f3a98478d47729dad96e6e6526f6a

Download Submit
C:\Windows\SysWOW64\Qaqegecm.exe

Filesize
295KB

MD5
63a9bfe0503a9111ebed5deea6dbb2cd

SHA1
6cd2af4824d7040b346680df115b99a06e7bc728

SHA256
9fb642d21d2777d8434c8197e5df6cd0ce65e844d86a45c156494a851b00e1ad

SHA512
98ebc63a7cc9f44c25f8adc36869b7f608bff51942fb68e3d86b1f2c08b4a7ba6a71ad819a0f86871c5557e0851fd8f5d39c42a82efba2c2f43dd210d56638e0

Download Submit
C:\Windows\SysWOW64\Qfmmplad.exe

Filesize
295KB

MD5
6cb2c2388cfb128e16a165b78df6701b

SHA1
2d5ef5b84bb4ac9bc0c154f18615a8bb972857b8

SHA256
2fe7822b2dbcd1510279a98b7aed596223d82c1a81491e867ff9e79eb1c60c27

SHA512
5fa4d49bbe5ced2006c7ee2f5e3afc69699f2f15107d657360a8b2e6349a5ad979934136dd6e9f49163845d5f638f12cd5a7942143e3d0b6841871ffa48b1fc4

Download Submit
C:\Windows\SysWOW64\Qhhpop32.exe

Filesize
295KB

MD5
526cb77abee2758ff7a0f43161044f9d

SHA1
5519663ff7fa7b11cc4e815aa0e0d3598fa31893

SHA256
3ed2ab93ccfa41c0bfa157b413b93ff1a876e2bcc2766af9ca7c0649166e3a1e

SHA512
8503c550185023a6907ada1e659efe25b081fa00fb9b8bf790e490eb049e0b1bdb7680da26d199719f9cbf3060ec1c5bc5b11670f88890565ae7c12f20643be1

Download Submit
C:\Windows\SysWOW64\Qodeajbg.exe

Filesize
295KB

MD5
eacd185d9d620b2bb8647a4b0237ce6c

SHA1
5bdca146c9c88f6050ca20cb936c9d81e38b07ee

SHA256
1468f9b61e6298d78f8fa163207bbdcd9546c13ac1dd7498fad4fcc54c7d3947

SHA512
5781d633f46169eee6b6d1d3ff6d78e56a24ed085f214c8b79b3fd018e0e7585288651b774dab681f6400cf493e319717290bb77d55ced02b6e59d64e91ce1a7

Download Submit
memory/220-179-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/444-973-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/444-216-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/476-404-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/556-54-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/564-413-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/564-38-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/664-1045-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/664-15-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/664-393-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/820-368-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/872-414-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/980-113-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1056-173-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1124-320-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1240-403-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1240-26-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1244-8-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1244-389-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1284-101-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1288-336-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1336-196-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1460-60-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1484-348-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1504-89-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1560-248-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1596-394-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1656-252-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1704-296-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1728-360-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1732-372-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1824-883-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1824-364-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1856-191-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1912-419-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2000-256-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2060-328-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2064-149-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2096-236-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2124-292-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2220-77-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2232-167-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2300-352-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2348-312-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2388-240-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2416-95-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2432-208-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2460-185-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2468-324-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2532-376-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2612-143-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2620-212-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2752-300-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2836-30-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2836-408-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2856-260-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2860-200-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2956-288-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3028-20-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3028-398-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3128-220-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3144-384-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3144-0-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3180-332-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3224-204-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3240-268-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3288-280-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3420-340-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3464-228-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3576-264-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3612-84-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3636-385-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3788-870-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3840-346-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3992-232-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4080-272-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4148-65-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4160-155-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4200-137-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4336-418-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4336-45-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4384-131-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4420-161-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4444-71-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4528-939-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4528-284-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4568-356-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4660-304-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4664-244-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4672-107-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4708-308-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4712-48-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4712-1035-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4712-423-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4808-316-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4812-125-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4864-120-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4864-1008-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4880-399-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4928-943-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4928-276-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4940-224-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4968-380-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/5108-409-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/5520-749-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/6076-765-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads