berbew | 241d5e932144d6bf59010cad15af1524ea22da9152d3ab6f1639a8d47be28000

Analysis

max time kernel
150s
max time network
182s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250207-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250207-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
10/02/2025, 04:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusSign.2023.11.29/0483de1a0d30f46fbff309fc8d87275f.exe
Size

435KB
MD5

0483de1a0d30f46fbff309fc8d87275f
SHA1

ac41983dc7f69ae48b292d8d88c98aa9f1351f73
SHA256

c8b999b4f8ca488c929d97358751338eb9702d73839c85139b2eec5aaa5f7758
SHA512

eb918b12715e8a14c3592ae782a81283351427ba259b2d76339caf230b645c3c2fdd2928d4b26b13ef97c1ce4df3366eb54a4af7a419e1ca82f5db0d3bc334b1
SSDEEP

6144:IJSrqxY+gwbWGRdA6sQc/Yp7TVX3J/1awbWGRdA6sQc/Y+mjwjOx5H:IJKSbWGRdA6sQhPbWGRdA6sQvjpxN

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Halaloif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhiabbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nooikj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjdokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mebkge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjhokg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdpnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjocbhbo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laffpi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nconfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmhkflnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmckbjdl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkmeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbeibo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfknmd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkholi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Janghmia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gkefmjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iapjgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kongmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mohbjkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nakhaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidna32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ooangh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baepolni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afnlpohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmoagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbfdjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obpkcc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkgillpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kefbdjgm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfiagd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhgmcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlfhke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iapjgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iholohii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koljgppp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llpchaqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	0483de1a0d30f46fbff309fc8d87275f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijbbfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kblpcndd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkmhgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afnlpohj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baepolni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecdbop32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjocbhbo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggccllai.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hqghqpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaemilci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Moefdljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddcebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Logicn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhbciqln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndpjnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epdime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eajlhg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnhbmgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hgapmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlfhke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jddiegbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cigkdmel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Okolfj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eajlhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idhiii32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Downloads MZ/PE file 1 IoCs

flow	pid	Process
28	6432	Process not Found

Executes dropped EXE 64 IoCs

pid	Process
3612	Bmggingc.exe
2096	Bpedeiff.exe
4928	Baepolni.exe
5008	Bdcmkgmm.exe
836	Bkmeha32.exe
456	Cdhffg32.exe
2984	Calfpk32.exe
240	Cigkdmel.exe
464	Ckggnp32.exe
4304	Ccblbb32.exe
3608	Cacmpj32.exe
2776	Dkkaiphj.exe
4300	Ddcebe32.exe
884	Dpjfgf32.exe
1980	Dpmcmf32.exe
3932	Dpopbepi.exe
3812	Daollh32.exe
4988	Epdime32.exe
3532	Ecdbop32.exe
1724	Ephbhd32.exe
1472	Edfknb32.exe
4760	Eajlhg32.exe
1896	Fkcpql32.exe
860	Fkemfl32.exe
3772	Fkgillpj.exe
2576	Fdpnda32.exe
3112	Fnhbmgmk.exe
3904	Fjocbhbo.exe
1592	Ggccllai.exe
1660	Gdgdeppb.exe
2432	Gqnejaff.exe
4020	Gnaecedp.exe
3684	Gkefmjcj.exe
4132	Gbpnjdkg.exe
4452	Gcqjal32.exe
4944	Gglfbkin.exe
3724	Gbbkocid.exe
4496	Hgocgjgk.exe
2436	Hnhkdd32.exe
2820	Hqghqpnl.exe
1832	Hgapmj32.exe
2168	Hbfdjc32.exe
4564	Hgcmbj32.exe
4356	Halaloif.exe
624	Hkaeih32.exe
3992	Hnpaec32.exe
1892	Hejjanpm.exe
4396	Hjfbjdnd.exe
2516	Iapjgo32.exe
1524	Ielfgmnj.exe
2444	Iabglnco.exe
1924	Ilhkigcd.exe
1284	Infhebbh.exe
2264	Iholohii.exe
3952	Ibdplaho.exe
544	Iecmhlhb.exe
1612	Ijpepcfj.exe
1708	Iajmmm32.exe
964	Idhiii32.exe
5084	Ijbbfc32.exe
3528	Jehfcl32.exe
1196	Jjdokb32.exe
3024	Janghmia.exe
1448	Jlfhke32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bmggingc.exe	0483de1a0d30f46fbff309fc8d87275f.exe
File opened for modification	C:\Windows\SysWOW64\Ddcebe32.exe	Dkkaiphj.exe
File opened for modification	C:\Windows\SysWOW64\Fkcpql32.exe	Eajlhg32.exe
File created	C:\Windows\SysWOW64\Ncaklhdi.exe	Ndpjnq32.exe
File created	C:\Windows\SysWOW64\Pcfmneaa.exe	Pokanf32.exe
File opened for modification	C:\Windows\SysWOW64\Qcncodki.exe	Qmckbjdl.exe
File created	C:\Windows\SysWOW64\Dkkaiphj.exe	Cacmpj32.exe
File opened for modification	C:\Windows\SysWOW64\Hgapmj32.exe	Hqghqpnl.exe
File opened for modification	C:\Windows\SysWOW64\Kongmo32.exe	Kefbdjgm.exe
File created	C:\Windows\SysWOW64\Cbgabh32.dll	Mhpgca32.exe
File created	C:\Windows\SysWOW64\Oijflc32.dll	Pkholi32.exe
File created	C:\Windows\SysWOW64\Pkmhgh32.exe	Pfppoa32.exe
File opened for modification	C:\Windows\SysWOW64\Qppkhfec.exe	Qejfkmem.exe
File created	C:\Windows\SysWOW64\Ddcebe32.exe	Dkkaiphj.exe
File opened for modification	C:\Windows\SysWOW64\Jeolckne.exe	Jlfhke32.exe
File opened for modification	C:\Windows\SysWOW64\Moalil32.exe	Ldkhlcnb.exe
File created	C:\Windows\SysWOW64\Ifoglp32.dll	Qcncodki.exe
File created	C:\Windows\SysWOW64\Mhpgca32.exe	Mebkge32.exe
File opened for modification	C:\Windows\SysWOW64\Nfpghccm.exe	Ncaklhdi.exe
File created	C:\Windows\SysWOW64\Hblaceei.dll	Pcfmneaa.exe
File created	C:\Windows\SysWOW64\Mhinoa32.dll	Qppkhfec.exe
File created	C:\Windows\SysWOW64\Ejahec32.dll	Hejjanpm.exe
File created	C:\Windows\SysWOW64\Nhbciqln.exe	Medglemj.exe
File opened for modification	C:\Windows\SysWOW64\Ocknbglo.exe	Okceaikl.exe
File opened for modification	C:\Windows\SysWOW64\Koljgppp.exe	Khabke32.exe
File opened for modification	C:\Windows\SysWOW64\Epdime32.exe	Daollh32.exe
File created	C:\Windows\SysWOW64\Klddlckd.exe	Kblpcndd.exe
File created	C:\Windows\SysWOW64\Eaeamb32.dll	Iholohii.exe
File created	C:\Windows\SysWOW64\Iajmmm32.exe	Ijpepcfj.exe
File created	C:\Windows\SysWOW64\Oacmli32.dll	Khabke32.exe
File created	C:\Windows\SysWOW64\Kblpcndd.exe	Klbgfc32.exe
File created	C:\Windows\SysWOW64\Jjigocdh.dll	Mhknhabf.exe
File opened for modification	C:\Windows\SysWOW64\Nfknmd32.exe	Napameoi.exe
File opened for modification	C:\Windows\SysWOW64\Ofbdncaj.exe	Ocdgahag.exe
File opened for modification	C:\Windows\SysWOW64\Ckggnp32.exe	Cigkdmel.exe
File created	C:\Windows\SysWOW64\Ndidna32.exe	Nakhaf32.exe
File created	C:\Windows\SysWOW64\Mokjbgbf.dll	Nooikj32.exe
File created	C:\Windows\SysWOW64\Leldmdbk.dll	Bmggingc.exe
File created	C:\Windows\SysWOW64\Fkemfl32.exe	Fkcpql32.exe
File created	C:\Windows\SysWOW64\Ijbbfc32.exe	Idhiii32.exe
File created	C:\Windows\SysWOW64\Conllp32.dll	Pcijce32.exe
File created	C:\Windows\SysWOW64\Bigpblgh.dll	Cacmpj32.exe
File created	C:\Windows\SysWOW64\Fjinnekj.dll	Fkemfl32.exe
File created	C:\Windows\SysWOW64\Fooqlnoa.dll	Lacijjgi.exe
File created	C:\Windows\SysWOW64\Eajlhg32.exe	Edfknb32.exe
File opened for modification	C:\Windows\SysWOW64\Nfiagd32.exe	Nooikj32.exe
File opened for modification	C:\Windows\SysWOW64\Ndpjnq32.exe	Nconfh32.exe
File created	C:\Windows\SysWOW64\Pinffi32.dll	Ilhkigcd.exe
File created	C:\Windows\SysWOW64\Jeolckne.exe	Jlfhke32.exe
File created	C:\Windows\SysWOW64\Hgnfpc32.dll	Koljgppp.exe
File created	C:\Windows\SysWOW64\Inkqjp32.dll	Ochamg32.exe
File opened for modification	C:\Windows\SysWOW64\Eajlhg32.exe	Edfknb32.exe
File created	C:\Windows\SysWOW64\Kbeibo32.exe	Jddiegbm.exe
File opened for modification	C:\Windows\SysWOW64\Nkhfek32.exe	Nfknmd32.exe
File created	C:\Windows\SysWOW64\Pmoagk32.exe	Pcfmneaa.exe
File created	C:\Windows\SysWOW64\Cpclaedf.dll	Hgapmj32.exe
File created	C:\Windows\SysWOW64\Pddlig32.dll	Hgcmbj32.exe
File opened for modification	C:\Windows\SysWOW64\Janghmia.exe	Jjdokb32.exe
File opened for modification	C:\Windows\SysWOW64\Pbgqdb32.exe	Pkmhgh32.exe
File created	C:\Windows\SysWOW64\Kjekja32.dll	Gbbkocid.exe
File created	C:\Windows\SysWOW64\Hqghqpnl.exe	Hnhkdd32.exe
File opened for modification	C:\Windows\SysWOW64\Jaemilci.exe	Jlidpe32.exe
File opened for modification	C:\Windows\SysWOW64\Qmckbjdl.exe	Qfjcep32.exe
File created	C:\Windows\SysWOW64\Hkaeih32.exe	Halaloif.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iabglnco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kblpcndd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Napameoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odgqopeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkaiphj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecdbop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gbpnjdkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okolfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okceaikl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkholi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epdime32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jeolckne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maoifh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkaeih32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdgahag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qppkhfec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lknjhokg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gkefmjcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Idhiii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mociol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkeipk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpjfgf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akihcfid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moalil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjocbhbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldkhlcnb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oljoen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddcebe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iapjgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibdplaho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijpepcfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Janghmia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlfhke32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Laffpi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcfmneaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhffg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ggccllai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hbfdjc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kongmo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcpgmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccblbb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lajokiaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maaekg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeopfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lacijjgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calfpk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jaemilci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mebkge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ooangh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfppoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkmeha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lolcnman.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ochamg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpopbepi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iecmhlhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jehfcl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbnlim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkcpql32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbeibo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ielfgmnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jddiegbm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khabke32.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
6264	MicrosoftEdgeUpdate.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjdokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndpjnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inkqjp32.dll"	Ochamg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ochamg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfjcep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mhknhabf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ochamg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ecdbop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cadpqeqg.dll"	Iabglnco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepbdodb.dll"	Jehfcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmkjoj32.dll"	Jeolckne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nconfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ohcmpn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baepolni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ggccllai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klbgfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mebkge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmhkflnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Piaiqlak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Koljgppp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lknjhokg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lamlphoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldkhlcnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nhgmcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhmeii32.dll"	Oljoen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qppkhfec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	0483de1a0d30f46fbff309fc8d87275f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maaekg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpedeiff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iajmmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qcncodki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ggccllai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kblpcndd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgcnomaa.dll"	Logicn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acicqigg.dll"	Nakhaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmoagk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmggingc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nooikj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbpnjdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coffcf32.dll"	Lamlphoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afnlpohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ilhkigcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Napameoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofbdncaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnlhmpgg.dll"	Bkmeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohhdm32.dll"	Ccblbb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpjfgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hblaceei.dll"	Pcfmneaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calfpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iecmhlhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Khkdad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nconfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dpopbepi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gnaecedp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lggfcd32.dll"	Maaekg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odanidih.dll"	Eajlhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbfdjc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbeibo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkeipk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cigkdmel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlojif32.dll"	Calfpk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Okolfj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcbdcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khokadah.dll"	Bdcmkgmm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3160 wrote to memory of 3612	3160	0483de1a0d30f46fbff309fc8d87275f.exe	87
PID 3160 wrote to memory of 3612	3160	0483de1a0d30f46fbff309fc8d87275f.exe	87
PID 3160 wrote to memory of 3612	3160	0483de1a0d30f46fbff309fc8d87275f.exe	87
PID 3612 wrote to memory of 2096	3612	Bmggingc.exe	88
PID 3612 wrote to memory of 2096	3612	Bmggingc.exe	88
PID 3612 wrote to memory of 2096	3612	Bmggingc.exe	88
PID 2096 wrote to memory of 4928	2096	Bpedeiff.exe	89
PID 2096 wrote to memory of 4928	2096	Bpedeiff.exe	89
PID 2096 wrote to memory of 4928	2096	Bpedeiff.exe	89
PID 4928 wrote to memory of 5008	4928	Baepolni.exe	90
PID 4928 wrote to memory of 5008	4928	Baepolni.exe	90
PID 4928 wrote to memory of 5008	4928	Baepolni.exe	90
PID 5008 wrote to memory of 836	5008	Bdcmkgmm.exe	91
PID 5008 wrote to memory of 836	5008	Bdcmkgmm.exe	91
PID 5008 wrote to memory of 836	5008	Bdcmkgmm.exe	91
PID 836 wrote to memory of 456	836	Bkmeha32.exe	92
PID 836 wrote to memory of 456	836	Bkmeha32.exe	92
PID 836 wrote to memory of 456	836	Bkmeha32.exe	92
PID 456 wrote to memory of 2984	456	Cdhffg32.exe	93
PID 456 wrote to memory of 2984	456	Cdhffg32.exe	93
PID 456 wrote to memory of 2984	456	Cdhffg32.exe	93
PID 2984 wrote to memory of 240	2984	Calfpk32.exe	94
PID 2984 wrote to memory of 240	2984	Calfpk32.exe	94
PID 2984 wrote to memory of 240	2984	Calfpk32.exe	94
PID 240 wrote to memory of 464	240	Cigkdmel.exe	95
PID 240 wrote to memory of 464	240	Cigkdmel.exe	95
PID 240 wrote to memory of 464	240	Cigkdmel.exe	95
PID 464 wrote to memory of 4304	464	Ckggnp32.exe	96
PID 464 wrote to memory of 4304	464	Ckggnp32.exe	96
PID 464 wrote to memory of 4304	464	Ckggnp32.exe	96
PID 4304 wrote to memory of 3608	4304	Ccblbb32.exe	97
PID 4304 wrote to memory of 3608	4304	Ccblbb32.exe	97
PID 4304 wrote to memory of 3608	4304	Ccblbb32.exe	97
PID 3608 wrote to memory of 2776	3608	Cacmpj32.exe	98
PID 3608 wrote to memory of 2776	3608	Cacmpj32.exe	98
PID 3608 wrote to memory of 2776	3608	Cacmpj32.exe	98
PID 2776 wrote to memory of 4300	2776	Dkkaiphj.exe	99
PID 2776 wrote to memory of 4300	2776	Dkkaiphj.exe	99
PID 2776 wrote to memory of 4300	2776	Dkkaiphj.exe	99
PID 4300 wrote to memory of 884	4300	Ddcebe32.exe	100
PID 4300 wrote to memory of 884	4300	Ddcebe32.exe	100
PID 4300 wrote to memory of 884	4300	Ddcebe32.exe	100
PID 884 wrote to memory of 1980	884	Dpjfgf32.exe	101
PID 884 wrote to memory of 1980	884	Dpjfgf32.exe	101
PID 884 wrote to memory of 1980	884	Dpjfgf32.exe	101
PID 1980 wrote to memory of 3932	1980	Dpmcmf32.exe	102
PID 1980 wrote to memory of 3932	1980	Dpmcmf32.exe	102
PID 1980 wrote to memory of 3932	1980	Dpmcmf32.exe	102
PID 3932 wrote to memory of 3812	3932	Dpopbepi.exe	103
PID 3932 wrote to memory of 3812	3932	Dpopbepi.exe	103
PID 3932 wrote to memory of 3812	3932	Dpopbepi.exe	103
PID 3812 wrote to memory of 4988	3812	Daollh32.exe	104
PID 3812 wrote to memory of 4988	3812	Daollh32.exe	104
PID 3812 wrote to memory of 4988	3812	Daollh32.exe	104
PID 4988 wrote to memory of 3532	4988	Epdime32.exe	105
PID 4988 wrote to memory of 3532	4988	Epdime32.exe	105
PID 4988 wrote to memory of 3532	4988	Epdime32.exe	105
PID 3532 wrote to memory of 1724	3532	Ecdbop32.exe	106
PID 3532 wrote to memory of 1724	3532	Ecdbop32.exe	106
PID 3532 wrote to memory of 1724	3532	Ecdbop32.exe	106
PID 1724 wrote to memory of 1472	1724	Ephbhd32.exe	107
PID 1724 wrote to memory of 1472	1724	Ephbhd32.exe	107
PID 1724 wrote to memory of 1472	1724	Ephbhd32.exe	107
PID 1472 wrote to memory of 4760	1472	Edfknb32.exe	108

C:\Users\Admin\AppData\Local\Temp\VirusSign.2023.11.29\0483de1a0d30f46fbff309fc8d87275f.exe
"C:\Users\Admin\AppData\Local\Temp\VirusSign.2023.11.29\0483de1a0d30f46fbff309fc8d87275f.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3160
- C:\Windows\SysWOW64\Bmggingc.exe
  C:\Windows\system32\Bmggingc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3612
- - C:\Windows\SysWOW64\Bpedeiff.exe
    C:\Windows\system32\Bpedeiff.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2096
  - - C:\Windows\SysWOW64\Baepolni.exe
      C:\Windows\system32\Baepolni.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4928
    - - C:\Windows\SysWOW64\Bdcmkgmm.exe
        
        C:\Windows\system32\Bdcmkgmm.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5008
      - C:\Windows\SysWOW64\Bkmeha32.exe
        
        C:\Windows\system32\Bkmeha32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:836
        
        C:\Windows\SysWOW64\Cdhffg32.exe
        
        C:\Windows\system32\Cdhffg32.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\SysWOW64\Calfpk32.exe
        
        C:\Windows\system32\Calfpk32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\SysWOW64\Cigkdmel.exe
        
        C:\Windows\system32\Cigkdmel.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:240
        
        C:\Windows\SysWOW64\Ckggnp32.exe
        
        C:\Windows\system32\Ckggnp32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\SysWOW64\Ccblbb32.exe
        
        C:\Windows\system32\Ccblbb32.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4304
        
        C:\Windows\SysWOW64\Cacmpj32.exe
        
        C:\Windows\system32\Cacmpj32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3608
        
        C:\Windows\SysWOW64\Dkkaiphj.exe
        
        C:\Windows\system32\Dkkaiphj.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\SysWOW64\Ddcebe32.exe
        
        C:\Windows\system32\Ddcebe32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4300
        
        C:\Windows\SysWOW64\Dpjfgf32.exe
        
        C:\Windows\system32\Dpjfgf32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\SysWOW64\Dpmcmf32.exe
        
        C:\Windows\system32\Dpmcmf32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\SysWOW64\Dpopbepi.exe
        
        C:\Windows\system32\Dpopbepi.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3932
        
        C:\Windows\SysWOW64\Daollh32.exe
        
        C:\Windows\system32\Daollh32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3812
        
        C:\Windows\SysWOW64\Epdime32.exe
        
        C:\Windows\system32\Epdime32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\SysWOW64\Ecdbop32.exe
        
        C:\Windows\system32\Ecdbop32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3532
        
        C:\Windows\SysWOW64\Ephbhd32.exe
        
        C:\Windows\system32\Ephbhd32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\SysWOW64\Edfknb32.exe
        
        C:\Windows\system32\Edfknb32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\SysWOW64\Eajlhg32.exe
        
        C:\Windows\system32\Eajlhg32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\Fkcpql32.exe
        
        C:\Windows\system32\Fkcpql32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1896
        
        C:\Windows\SysWOW64\Fkemfl32.exe
        
        C:\Windows\system32\Fkemfl32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:860
        
        C:\Windows\SysWOW64\Fkgillpj.exe
        
        C:\Windows\system32\Fkgillpj.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3772
        
        C:\Windows\SysWOW64\Fdpnda32.exe
        
        C:\Windows\system32\Fdpnda32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2576
        
        C:\Windows\SysWOW64\Fnhbmgmk.exe
        
        C:\Windows\system32\Fnhbmgmk.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3112
        
        C:\Windows\SysWOW64\Fjocbhbo.exe
        
        C:\Windows\system32\Fjocbhbo.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3904
        
        C:\Windows\SysWOW64\Ggccllai.exe
        
        C:\Windows\system32\Ggccllai.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Gdgdeppb.exe
        
        C:\Windows\system32\Gdgdeppb.exe
        31⤵
        Executes dropped EXE
        
        PID:1660
        
        C:\Windows\SysWOW64\Gqnejaff.exe
        
        C:\Windows\system32\Gqnejaff.exe
        32⤵
        Executes dropped EXE
        
        PID:2432
        
        C:\Windows\SysWOW64\Gnaecedp.exe
        
        C:\Windows\system32\Gnaecedp.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4020
        
        C:\Windows\SysWOW64\Gkefmjcj.exe
        
        C:\Windows\system32\Gkefmjcj.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3684
        
        C:\Windows\SysWOW64\Gbpnjdkg.exe
        
        C:\Windows\system32\Gbpnjdkg.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4132
        
        C:\Windows\SysWOW64\Gcqjal32.exe
        
        C:\Windows\system32\Gcqjal32.exe
        36⤵
        Executes dropped EXE
        
        PID:4452
        
        C:\Windows\SysWOW64\Gglfbkin.exe
        
        C:\Windows\system32\Gglfbkin.exe
        37⤵
        Executes dropped EXE
        
        PID:4944
        
        C:\Windows\SysWOW64\Gbbkocid.exe
        
        C:\Windows\system32\Gbbkocid.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3724
        
        C:\Windows\SysWOW64\Hgocgjgk.exe
        
        C:\Windows\system32\Hgocgjgk.exe
        39⤵
        Executes dropped EXE
        
        PID:4496
        
        C:\Windows\SysWOW64\Hnhkdd32.exe
        
        C:\Windows\system32\Hnhkdd32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2436
        
        C:\Windows\SysWOW64\Hqghqpnl.exe
        
        C:\Windows\system32\Hqghqpnl.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2820
        
        C:\Windows\SysWOW64\Hgapmj32.exe
        
        C:\Windows\system32\Hgapmj32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1832
        
        C:\Windows\SysWOW64\Hbfdjc32.exe
        
        C:\Windows\system32\Hbfdjc32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\Hgcmbj32.exe
        
        C:\Windows\system32\Hgcmbj32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4564
        
        C:\Windows\SysWOW64\Halaloif.exe
        
        C:\Windows\system32\Halaloif.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4356
        
        C:\Windows\SysWOW64\Hkaeih32.exe
        
        C:\Windows\system32\Hkaeih32.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:624
        
        C:\Windows\SysWOW64\Hnpaec32.exe
        
        C:\Windows\system32\Hnpaec32.exe
        47⤵
        Executes dropped EXE
        
        PID:3992
        
        C:\Windows\SysWOW64\Hejjanpm.exe
        
        C:\Windows\system32\Hejjanpm.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1892
        
        C:\Windows\SysWOW64\Hjfbjdnd.exe
        
        C:\Windows\system32\Hjfbjdnd.exe
        49⤵
        Executes dropped EXE
        
        PID:4396
        
        C:\Windows\SysWOW64\Iapjgo32.exe
        
        C:\Windows\system32\Iapjgo32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Windows\SysWOW64\Ielfgmnj.exe
        
        C:\Windows\system32\Ielfgmnj.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1524
        
        C:\Windows\SysWOW64\Iabglnco.exe
        
        C:\Windows\system32\Iabglnco.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2444
        
        C:\Windows\SysWOW64\Ilhkigcd.exe
        
        C:\Windows\system32\Ilhkigcd.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1924
        
        C:\Windows\SysWOW64\Infhebbh.exe
        
        C:\Windows\system32\Infhebbh.exe
        54⤵
        Executes dropped EXE
        
        PID:1284
        
        C:\Windows\SysWOW64\Iholohii.exe
        
        C:\Windows\system32\Iholohii.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2264
        
        C:\Windows\SysWOW64\Ibdplaho.exe
        
        C:\Windows\system32\Ibdplaho.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3952
        
        C:\Windows\SysWOW64\Iecmhlhb.exe
        
        C:\Windows\system32\Iecmhlhb.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:544
        
        C:\Windows\SysWOW64\Ijpepcfj.exe
        
        C:\Windows\system32\Ijpepcfj.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1612
        
        C:\Windows\SysWOW64\Iajmmm32.exe
        
        C:\Windows\system32\Iajmmm32.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\Idhiii32.exe
        
        C:\Windows\system32\Idhiii32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:964
        
        C:\Windows\SysWOW64\Ijbbfc32.exe
        
        C:\Windows\system32\Ijbbfc32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5084
        
        C:\Windows\SysWOW64\Jehfcl32.exe
        
        C:\Windows\system32\Jehfcl32.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3528
        
        C:\Windows\SysWOW64\Jjdokb32.exe
        
        C:\Windows\system32\Jjdokb32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1196
        
        C:\Windows\SysWOW64\Janghmia.exe
        
        C:\Windows\system32\Janghmia.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Windows\SysWOW64\Jlfhke32.exe
        
        C:\Windows\system32\Jlfhke32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1448
        
        C:\Windows\SysWOW64\Jeolckne.exe
        
        C:\Windows\system32\Jeolckne.exe
        66⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\Jlidpe32.exe
        
        C:\Windows\system32\Jlidpe32.exe
        67⤵
        Drops file in System32 directory
        
        PID:4084
        
        C:\Windows\SysWOW64\Jaemilci.exe
        
        C:\Windows\system32\Jaemilci.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3552
        
        C:\Windows\SysWOW64\Jddiegbm.exe
        
        C:\Windows\system32\Jddiegbm.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4776
        
        C:\Windows\SysWOW64\Kbeibo32.exe
        
        C:\Windows\system32\Kbeibo32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\Khabke32.exe
        
        C:\Windows\system32\Khabke32.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3736
        
        C:\Windows\SysWOW64\Koljgppp.exe
        
        C:\Windows\system32\Koljgppp.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3136
        
        C:\Windows\SysWOW64\Kefbdjgm.exe
        
        C:\Windows\system32\Kefbdjgm.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2592
        
        C:\Windows\SysWOW64\Kongmo32.exe
        
        C:\Windows\system32\Kongmo32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5096
        
        C:\Windows\SysWOW64\Kehojiej.exe
        
        C:\Windows\system32\Kehojiej.exe
        75⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\Klbgfc32.exe
        
        C:\Windows\system32\Klbgfc32.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4656
        
        C:\Windows\SysWOW64\Kblpcndd.exe
        
        C:\Windows\system32\Kblpcndd.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:560
        
        C:\Windows\SysWOW64\Klddlckd.exe
        
        C:\Windows\system32\Klddlckd.exe
        78⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\Kbnlim32.exe
        
        C:\Windows\system32\Kbnlim32.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:4584
        
        C:\Windows\SysWOW64\Khkdad32.exe
        
        C:\Windows\system32\Khkdad32.exe
        80⤵
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Loemnnhe.exe
        
        C:\Windows\system32\Loemnnhe.exe
        81⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\Lacijjgi.exe
        
        C:\Windows\system32\Lacijjgi.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3084
        
        C:\Windows\SysWOW64\Logicn32.exe
        
        C:\Windows\system32\Logicn32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3264
        
        C:\Windows\SysWOW64\Laffpi32.exe
        
        C:\Windows\system32\Laffpi32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3012
        
        C:\Windows\SysWOW64\Lknjhokg.exe
        
        C:\Windows\system32\Lknjhokg.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Ldfoad32.exe
        
        C:\Windows\system32\Ldfoad32.exe
        86⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\Lolcnman.exe
        
        C:\Windows\system32\Lolcnman.exe
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:932
        
        C:\Windows\SysWOW64\Lajokiaa.exe
        
        C:\Windows\system32\Lajokiaa.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:4880
        
        C:\Windows\SysWOW64\Llpchaqg.exe
        
        C:\Windows\system32\Llpchaqg.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2180
        
        C:\Windows\SysWOW64\Lamlphoo.exe
        
        C:\Windows\system32\Lamlphoo.exe
        90⤵
        Modifies registry class
        
        PID:4916
        
        C:\Windows\SysWOW64\Ldkhlcnb.exe
        
        C:\Windows\system32\Ldkhlcnb.exe
        91⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:808
        
        C:\Windows\SysWOW64\Moalil32.exe
        
        C:\Windows\system32\Moalil32.exe
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:1836
        
        C:\Windows\SysWOW64\Maoifh32.exe
        
        C:\Windows\system32\Maoifh32.exe
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        C:\Windows\SysWOW64\Mhiabbdi.exe
        
        C:\Windows\system32\Mhiabbdi.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4340
        
        C:\Windows\SysWOW64\Mociol32.exe
        
        C:\Windows\system32\Mociol32.exe
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:3008
        
        C:\Windows\SysWOW64\Maaekg32.exe
        
        C:\Windows\system32\Maaekg32.exe
        96⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2544
        
        C:\Windows\SysWOW64\Mhknhabf.exe
        
        C:\Windows\system32\Mhknhabf.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2948
        
        C:\Windows\SysWOW64\Moefdljc.exe
        
        C:\Windows\system32\Moefdljc.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2008
        
        C:\Windows\SysWOW64\Mepnaf32.exe
        
        C:\Windows\system32\Mepnaf32.exe
        99⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\Mlifnphl.exe
        
        C:\Windows\system32\Mlifnphl.exe
        100⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\Mohbjkgp.exe
        
        C:\Windows\system32\Mohbjkgp.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3732
        
        C:\Windows\SysWOW64\Mebkge32.exe
        
        C:\Windows\system32\Mebkge32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Mhpgca32.exe
        
        C:\Windows\system32\Mhpgca32.exe
        103⤵
        Drops file in System32 directory
        
        PID:2236
        
        C:\Windows\SysWOW64\Mkocol32.exe
        
        C:\Windows\system32\Mkocol32.exe
        104⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\Medglemj.exe
        
        C:\Windows\system32\Medglemj.exe
        105⤵
        Drops file in System32 directory
        
        PID:5164
        
        C:\Windows\SysWOW64\Nhbciqln.exe
        
        C:\Windows\system32\Nhbciqln.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5200
        
        C:\Windows\SysWOW64\Nakhaf32.exe
        
        C:\Windows\system32\Nakhaf32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Ndidna32.exe
        
        C:\Windows\system32\Ndidna32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5272
        
        C:\Windows\SysWOW64\Nooikj32.exe
        
        C:\Windows\system32\Nooikj32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Nfiagd32.exe
        
        C:\Windows\system32\Nfiagd32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5344
        
        C:\Windows\SysWOW64\Nhgmcp32.exe
        
        C:\Windows\system32\Nhgmcp32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Nkeipk32.exe
        
        C:\Windows\system32\Nkeipk32.exe
        112⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Napameoi.exe
        
        C:\Windows\system32\Napameoi.exe
        113⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5452
        
        C:\Windows\SysWOW64\Nfknmd32.exe
        
        C:\Windows\system32\Nfknmd32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5488
        
        C:\Windows\SysWOW64\Nkhfek32.exe
        
        C:\Windows\system32\Nkhfek32.exe
        115⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Nconfh32.exe
        
        C:\Windows\system32\Nconfh32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Ndpjnq32.exe
        
        C:\Windows\system32\Ndpjnq32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Ncaklhdi.exe
        
        C:\Windows\system32\Ncaklhdi.exe
        118⤵
        Drops file in System32 directory
        
        PID:5636
        
        C:\Windows\SysWOW64\Nfpghccm.exe
        
        C:\Windows\system32\Nfpghccm.exe
        119⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\Oljoen32.exe
        
        C:\Windows\system32\Oljoen32.exe
        120⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5708
        
        C:\Windows\SysWOW64\Oohkai32.exe
        
        C:\Windows\system32\Oohkai32.exe
        121⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Ocdgahag.exe
        
        C:\Windows\system32\Ocdgahag.exe
        122⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5780
        
        C:\Windows\SysWOW64\Ofbdncaj.exe
        
        C:\Windows\system32\Ofbdncaj.exe
        123⤵
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Okolfj32.exe
        
        C:\Windows\system32\Okolfj32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5852
        
        C:\Windows\SysWOW64\Obidcdfo.exe
        
        C:\Windows\system32\Obidcdfo.exe
        125⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\Odgqopeb.exe
        
        C:\Windows\system32\Odgqopeb.exe
        126⤵
        System Location Discovery: System Language Discovery
        
        PID:5924
        
        C:\Windows\SysWOW64\Ohcmpn32.exe
        
        C:\Windows\system32\Ohcmpn32.exe
        127⤵
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Ochamg32.exe
        
        C:\Windows\system32\Ochamg32.exe
        128⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Obkahddl.exe
        
        C:\Windows\system32\Obkahddl.exe
        129⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Oheienli.exe
        
        C:\Windows\system32\Oheienli.exe
        130⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\Okceaikl.exe
        
        C:\Windows\system32\Okceaikl.exe
        131⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6104
        
        C:\Windows\SysWOW64\Ocknbglo.exe
        
        C:\Windows\system32\Ocknbglo.exe
        132⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\Omcbkl32.exe
        
        C:\Windows\system32\Omcbkl32.exe
        133⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\Ooangh32.exe
        
        C:\Windows\system32\Ooangh32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5228
        
        C:\Windows\SysWOW64\Obpkcc32.exe
        
        C:\Windows\system32\Obpkcc32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5284
        
        C:\Windows\SysWOW64\Pijcpmhc.exe
        
        C:\Windows\system32\Pijcpmhc.exe
        136⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\Pkholi32.exe
        
        C:\Windows\system32\Pkholi32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5408
        
        C:\Windows\SysWOW64\Pcpgmf32.exe
        
        C:\Windows\system32\Pcpgmf32.exe
        138⤵
        System Location Discovery: System Language Discovery
        
        PID:5480
        
        C:\Windows\SysWOW64\Pmhkflnj.exe
        
        C:\Windows\system32\Pmhkflnj.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Pcbdcf32.exe
        
        C:\Windows\system32\Pcbdcf32.exe
        140⤵
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Pfppoa32.exe
        
        C:\Windows\system32\Pfppoa32.exe
        141⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5680
        
        C:\Windows\SysWOW64\Pkmhgh32.exe
        
        C:\Windows\system32\Pkmhgh32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5748
        
        C:\Windows\SysWOW64\Pbgqdb32.exe
        
        C:\Windows\system32\Pbgqdb32.exe
        143⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\Piaiqlak.exe
        
        C:\Windows\system32\Piaiqlak.exe
        144⤵
        Modifies registry class
        
        PID:5868
        
        C:\Windows\SysWOW64\Pokanf32.exe
        
        C:\Windows\system32\Pokanf32.exe
        145⤵
        Drops file in System32 directory
        
        PID:5936
        
        C:\Windows\SysWOW64\Pcfmneaa.exe
        
        C:\Windows\system32\Pcfmneaa.exe
        146⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Pmoagk32.exe
        
        C:\Windows\system32\Pmoagk32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6076
        
        C:\Windows\SysWOW64\Pcijce32.exe
        
        C:\Windows\system32\Pcijce32.exe
        148⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6132
        
        C:\Windows\SysWOW64\Qejfkmem.exe
        
        C:\Windows\system32\Qejfkmem.exe
        149⤵
        Drops file in System32 directory
        
        PID:5212
        
        C:\Windows\SysWOW64\Qppkhfec.exe
        
        C:\Windows\system32\Qppkhfec.exe
        150⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Qfjcep32.exe
        
        C:\Windows\system32\Qfjcep32.exe
        151⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Qmckbjdl.exe
        
        C:\Windows\system32\Qmckbjdl.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5556
        
        C:\Windows\SysWOW64\Qcncodki.exe
        
        C:\Windows\system32\Qcncodki.exe
        153⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Aeopfl32.exe
        
        C:\Windows\system32\Aeopfl32.exe
        154⤵
        System Location Discovery: System Language Discovery
        
        PID:5772
        
        C:\Windows\SysWOW64\Akihcfid.exe
        
        C:\Windows\system32\Akihcfid.exe
        155⤵
        System Location Discovery: System Language Discovery
        
        PID:5896
        
        C:\Windows\SysWOW64\Afnlpohj.exe
        
        C:\Windows\system32\Afnlpohj.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6024
        
        C:\Windows\SysWOW64\Amhdmi32.exe
        
        C:\Windows\system32\Amhdmi32.exe
        157⤵
        
        PID:6136

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MjhFNzUxNTctRDc4OS00NDdCLThFQzUtQ0U5QUFDN0MzOTA5fSIgdXNlcmlkPSJ7QTFEOTEwODktRjdEQy00MUIzLTgzODQtMTE1NDQyM0MxRjZCfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7QkJFRjJBQkMtMDEyMi00MkMxLUE0MUQtRjcxN0Q5RTQ1OTQ5fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0NC40NTI5IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iMTI1IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtyNDUydDErazJUZ3EvSFh6anZGTkJSaG9wQldSOXNialh4cWVVREg5dVgwPSZxdW90OyIvPjxhcHAgYXBwaWQ9Ins4QTY5RDM0NS1ENTY0LTQ2M2MtQUZGMS1BNjlEOUU1MzBGOTZ9IiB2ZXJzaW9uPSIxMjMuMC42MzEyLjEyMyIgbmV4dHZlcnNpb249IiIgbGFuZz0iZW4iIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMiIgaW5zdGFsbGRhdGV0aW1lPSIxNzM4OTM1NTQ0IiBvb2JlX2luc3RhbGxfdGltZT0iMTMzODM0MDgwMzc1NTYwMDAwIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMjE3OTg2MiIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTQxODk3MjE5MiIvPjwvYXBwPjwvcmVxdWVzdD4
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:6264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Baepolni.exe

Filesize
435KB

MD5
89676cf49c4053048e7d1ff6ec41d933

SHA1
50ded6a44454d2faa9c6a62967c5810281f20dbc

SHA256
6d1b2593705f3ff3037d0a1f5d278cdfcae89da3c2c900df2f07d51522560150

SHA512
31c41493de8ce4f34aa0e15ec2d83a0003be2fa098eca7435935d11fded380cee9f25afef292b4bbffecd4e221ac0570bafd3435f1922275ff32333bee04fc10

Download Submit
C:\Windows\SysWOW64\Bdcmkgmm.exe

Filesize
435KB

MD5
793c51210ea20f40ff9bf411e0892d51

SHA1
ea8772d94ed64c813f1e7b19c151fd0655c5183d

SHA256
2274d57252fe7d380c9013b76422790810ef7b5533f9e172b82e99e11292aceb

SHA512
a0a090eaca1364a7fe8b80561011f540c19e6c4aac30acbe283df95eaa8c8fea0621716f33a2359e45d4e586869fbf072b29047c300b6d6c8c7aff97e0635f04

Download Submit
C:\Windows\SysWOW64\Bkmeha32.exe

Filesize
435KB

MD5
a9a07f2a6be0e949d272e4b616682060

SHA1
7f55d32e8aed5e277d40a0e79e58ebc3c86360e7

SHA256
2055a75e608c499a15be7c99cd498c16780babb675235b5082013b72d57f966d

SHA512
fbf7a31ea004aaf9a2bf055917ae18c8308eeefbce2b2e5906c0f7eda5c8751418a13153917549f36e6f8abcb28b9a7a7eb060c974b06dcc8166e7c70c22a993

Download Submit
C:\Windows\SysWOW64\Bmggingc.exe

Filesize
435KB

MD5
215b469ee2a403ea12e179d17ec45e77

SHA1
6056599cacb07afc0e0af1e6458c30d7b03b2dfd

SHA256
243c6eb1ec2f04812a07486b5295346595b2ff0fe2fb95a6c7b8ebc6a62858e8

SHA512
37b4de7a579e1dc3203d864f93a020b4ad41a34144583a53ece286fdc5437d72dbd0ea5f86e55c3e03faca3d8908deb1abfb1ebeccd85d0f19367c991811eafe

Download Submit
C:\Windows\SysWOW64\Bpedeiff.exe

Filesize
435KB

MD5
ed8d5f95fca9ec720ca5e07cbe292501

SHA1
be563f7f3f940a28a63744385b059dccf4780da8

SHA256
ea7fbb487e10087fbc544dd4c4aed9849a8065d8d13f25b51eca48523749ee7f

SHA512
4afd4295732702ac849b07b061fe393365ec8f90775adee85ab340dd4e123cc82d448b5c11740852b41f279c966b61f85c08ad9495f49c6d14a2fab2f6947bc5

Download Submit
C:\Windows\SysWOW64\Cacmpj32.exe

Filesize
435KB

MD5
8fa7e9c68a612384ade6dbf986c58366

SHA1
24d78663695d7dc60f934bd3bcd95c76d14033ab

SHA256
37fb648de5043b2bdf10163b8bb317c147f36741382c3c0889a05523cb820899

SHA512
dc567915fa6c442d64df73d38894e828acb2f5c7f9a02fafd2d76d173aa94b4f7d9b48ff65932036961ddbd1f1be26f4fafa9d54027a3827187c137c18cd525d

Download Submit
C:\Windows\SysWOW64\Calfpk32.exe

Filesize
435KB

MD5
45972ba7d9bf83c12ed8254fe87472b8

SHA1
35e44eb596b87a2b87dada5ccbf7abc8f7defba8

SHA256
cc448f0659819ef4bd9396569e8a8dbe0866d9d638eb99885ecc4d7c1bd5af6c

SHA512
2bacde0befec8e8b849fb4fc1c8e991c310fb1fc136fd1f49bcc4881dd5bf66d6e4ded0e20bf71bd64882a121a39b9d36baaec163dfb758816b06709ddd1b872

Download Submit
C:\Windows\SysWOW64\Ccblbb32.exe

Filesize
435KB

MD5
86e06cb522c5c7399519a80b1ee69057

SHA1
b6c43e75662a4f842df3f6fdffdd0098014a1a8e

SHA256
ca9127efaef59fa009d740e1dc8d4ff0483e6cc927a34462b1b82432d54526f3

SHA512
1b50e2d1a8f9ddcab3ec91022859705535b1356af1bc3467d75b239b8019c5aff6c2faec632524984c5c76c94fbfce4a02a35e139969a2b952e14de522a444f3

Download Submit
C:\Windows\SysWOW64\Cdhffg32.exe

Filesize
435KB

MD5
078bf8957af962715b266d97b5cf1ad4

SHA1
bb6225b3c4f0409fb10dcf1dda9b84f294574429

SHA256
0189bd19921db1051e63a4f7bca6d563849315397ff42ae018e3811bcc73904d

SHA512
f1aa55f221b00c67868298ba27baa7528e00a381e4928094ef5c13ceeb684e5cc2ec0061ac98f8ebfd58ff93367c1e994e8e38b9ca75548f4fe8ec7e87719a31

Download Submit
C:\Windows\SysWOW64\Cigkdmel.exe

Filesize
435KB

MD5
2cc18d7a9e2f88513fe8de3944284d63

SHA1
fd144a619f62a3f6e13c551f9213a0c651166ce0

SHA256
b8e46e92dc2b493db3f5e8a297e28d7d1a7883ffddbba167a9943dc8262d1c3f

SHA512
84579e6c43b4bbb91e0a17cc1f044d4044d507b7163540d25cf11f75c7161444f5555584b56bcda45424bb6f7bf05090c084671a7a1125a4245a9c8fe7213b96

Download Submit
C:\Windows\SysWOW64\Ckggnp32.exe

Filesize
435KB

MD5
eef94ec99066e6e5a9bcc8097f170af0

SHA1
b0d18f95ad145bbe91ec1c43e2c87f25ceb19c81

SHA256
caf6c470db67e2629ef4415557289e5c503f982165ab7a07deb93f12b8b61c93

SHA512
ab8f48020480e57ad28e092d2705daaa6edda6cf0e39f90434532cea42908ddb721c8c2b0c6be2ef1b4de5aa1850c91c619bec824bd110a412e33e4a20650ea3

Download Submit
C:\Windows\SysWOW64\Daollh32.exe

Filesize
435KB

MD5
30e44da42702899311a8a11fe95c6187

SHA1
e191a1027778689ffd36d1ae1b1fcb4b03b43afa

SHA256
2c09cebf202455d14509ae53d2bdd931c10d3fa0d9b09f58f3c3be96d1924b66

SHA512
ec02942502134c6f7b5b81ca1309d6514ec28a5818249bd38e74b458515efc140d6bac06847b365cc05ebfded7f147b6416248e18206458b9b8a95b16c6efdea

Download Submit
C:\Windows\SysWOW64\Ddcebe32.exe

Filesize
435KB

MD5
153404eb6c8f00745e2daec75ab07bdf

SHA1
a3a1e304024d2a04fba00463a387d2d055565dc3

SHA256
d8d3fe41b0ece14bfa0549e408cabfc77e8eea3b3f52196da6b4317937e09041

SHA512
43963a04be32a4d16ffd0919568cd39444429a606dc342fe0ff428f6a67ca41a07457f286327f3ca208417eb23c04e66396ed2d2223dd2ccb6efce69e60d251a

Download Submit
C:\Windows\SysWOW64\Dkkaiphj.exe

Filesize
435KB

MD5
ca96a5e4fceb0afedbf76cd0b4fbd708

SHA1
dfd98cc3bc6627d93b8fa6d159dedf27baec44a2

SHA256
2b9d752ee24dcf40aa0bfdd9a4fc7f89387b9b1c73909afce74c6d7ff6437537

SHA512
69cb3e25203f2bd3f04a3e2a96b70069e3cc62af8d7b3389e1319c74f399df6beef9b5af10a192a263f9418c39d560d6d6b0e388aafbc10f7fd5f6a0daa65ce6

Download Submit
C:\Windows\SysWOW64\Dpjfgf32.exe

Filesize
435KB

MD5
2d324f24c4f0cb718cd4057ee1404e38

SHA1
9744c51535ef8a6740e69274b1ff7b06f9c87efc

SHA256
35f992e6d2343fc3bab0003884a6522921597892fac5ca5ea1d811a47200402b

SHA512
68aba3d9147b6bab1b852e91d8ce0138bfc7ce8e546dc61ff88c1de000d1aa93f206bd7230c32faef83545d50945a1872201d0615057de78159b68aefafcb320

Download Submit
C:\Windows\SysWOW64\Dpmcmf32.exe

Filesize
435KB

MD5
650e662e93d841872ecd5496f37640a3

SHA1
5e22609e3291a1c687ece38566d159c42878ca22

SHA256
c7ea3c50cb5f39c94eb11b435a9c3751953b724f31035a367c20530c17630a63

SHA512
2dadd82722b68bcbdb8066d768114e5be7e5e8426510d69dc1f736f2f745f88c4c477cd1a8845d5aa7903e7935108cf38c5b7f32ecffcf2e530f5533c67197c5

Download Submit
C:\Windows\SysWOW64\Dpopbepi.exe

Filesize
435KB

MD5
837cb8e00d64b4ec9d6926bcd6dc94c7

SHA1
ad61043c1d7da3ac1f43ea339c3a76a9f3927baf

SHA256
b95c1773856ac7315d63edbf3816210ea3460c531bbe86bcbf27d5f204fffcd1

SHA512
afeb39ee7a47e404530964163fa9db9014aed6cdbfb8410b89e4ae55f941dbda3d327de288f84039c5eef37465a207ccbc8da2cd103bc2e6c73438d5dee70ec9

Download Submit
C:\Windows\SysWOW64\Eajlhg32.exe

Filesize
435KB

MD5
16b3500b61f9566f68202caf5cc39802

SHA1
88b1df41d2b9ad84d508d32534bcb86fd647446a

SHA256
51056e4998d1f1943f082dbf5a83adc61c01595f035fbdaa26ee821fef3ced3e

SHA512
f65323304c434d5d6de733bd9c1559a27e847a0a511f96bc7b677a5dbb12b3e3e0a4c7feb1ab1aff6ac221dc90f109417929f63bbbb8c3dc287e1f0c436900af

Download Submit
C:\Windows\SysWOW64\Ecdbop32.exe

Filesize
435KB

MD5
08a7749b664f744a5f3e9f9952366dfb

SHA1
e96a847afa32cc67e43e750daa42c80a848e87c1

SHA256
b83b95e7a455ca3e5696daf2028522a41907d8e8345905544a24ab090d3b9059

SHA512
8f55059835b02533d79a1bd98cedb140ea0e149084b765af1ab569e34c9e16da14d1e80114d30b6d0533a10d37311409f838e5bc7dfd1aedeaf3f508917d6597

Download Submit
C:\Windows\SysWOW64\Edfknb32.exe

Filesize
435KB

MD5
c22b00c565ba26838852b1a3ff2aa976

SHA1
dc8de9f6abe3385e941fcb783649f7d13bd10058

SHA256
6d36e9053bf3fb28ef7cf6ba5d1db7e78c4a79a14ebcd93ffb085a62d48ffd33

SHA512
d88c7104dff8e52b9e98c566c35b096a55bdeafe9b73ad1770c4a84f645ddc29d6881e219a1c55900c2c5dc2cc8268e57b54736a6faed7d862a39765c931bed7

Download Submit
C:\Windows\SysWOW64\Epdime32.exe

Filesize
435KB

MD5
111626aff6fa945eadd39d2605a6c33c

SHA1
ffd7e8aa624174f5f673d9105e611cc3b2f05c0e

SHA256
bde9b68293e4fca1737cf879c30822cef4c259249de7950f750fbb0630c57eea

SHA512
f6f335d6c7a38f41bc25b1ef049dc5596d853ea03336ca231ce98096a78204fc5802c10f28933c1017035e7633d3fcf3e298d07f9b71a8dc2ff48e88c3b4a8c5

Download Submit
C:\Windows\SysWOW64\Ephbhd32.exe

Filesize
435KB

MD5
af373ce8b98bcb5821694c4de1bcf953

SHA1
69b943e2d59b34e9e84f9b6ec98f2924e72764db

SHA256
9ff9ae0eb5dfce1d979605039dc48714393000bee493c1203b20ea6a6ef4809e

SHA512
868dcbc0b5bf5d65eabc6c40625cb94361fb5b6cd34fc36eb6691f0148cdb69f6d4b1e254d412a96bf87f608743bd088b4cca92159fe4981a9e27be277f5ce98

Download Submit
C:\Windows\SysWOW64\Fdpnda32.exe

Filesize
435KB

MD5
303c9b8862e00f24944c95c89ed0ea8d

SHA1
01b141eeb3bbe70083abc662a022cb9e167b26db

SHA256
90377c5da3da0b1f2279cd90fa20c1a3674788dcefba4668566650288300812d

SHA512
6b0313a5b3f5efac98ecc800cc1d4affa4e3d572e1a46af978c8f4881e20d4d95d38c7016cd98dace8dea41155159250e8880b016df011cf7d860563b7fc5f77

Download Submit
C:\Windows\SysWOW64\Fjocbhbo.exe

Filesize
435KB

MD5
f2db69cbe3af19f907ff6ccfc4a2805a

SHA1
d1baa56003fa052757d58395ed5caf0f72c9e476

SHA256
8d8aef2c18bf7e35a5ba50ddf7e46b9b9fa0411af8a7e88d9364c78332ab976b

SHA512
248496b4c2d04873337eb3ca8ed1eb65117722fb1c4dc3e9b94f4d3c6c2ac3ae62271933f2912527fc1af61f86a650c84c742b055fe5b4f7146246ce13d35a68

Download Submit
C:\Windows\SysWOW64\Fkcpql32.exe

Filesize
435KB

MD5
bc3e1dea269b197e471d62fe16a8784a

SHA1
9b5a8671ec0250902ef4a32981358d2f20fe2f09

SHA256
42584ea67b587bcebb22e4f2ee7ca8b4174e9508b32e70ededa85b0cc20f5db7

SHA512
1b657a9f03c47ee0b36a010c96d77617ba1b97d8cd6a0b71db6b4673064302df1619564e7065feea5c937e7ea0c64ed73921c0ada477883d59ba1dfc2f8d6b97

Download Submit
C:\Windows\SysWOW64\Fkemfl32.exe

Filesize
435KB

MD5
3557799a1e665054548d88824ca25e12

SHA1
2b8efd2168ebc3103a0eb0aaac12ee4d82b34491

SHA256
1906bea4226c477e409bd8df5eb781c361cd2b757b5e5de076ccee87b0f82be6

SHA512
e0ab50a4dae4400ca424eb71fa62282e8baa069e66777633c8a6d182bcf37ac7689804a9aafbd6898e85801d64348afe3ef406573ffa1518985895aa3c6f9c48

Download Submit
C:\Windows\SysWOW64\Fkgillpj.exe

Filesize
435KB

MD5
fa83399f5188719b69fbbcd3645043c5

SHA1
b80e10b56915fbd4ffc118a127514efdb2c02303

SHA256
5f58fa0cc863946322f10097ee1045a64b9e24601d183d742bdb6cb23b7f7998

SHA512
3c342273cd39a8e3c5c54ac7b80b39f2138ea78175d04815f7d19c1b7a51a0c549eaf61099a2f946e0099cd7bdfe0a6bd179c06e19c87853f0b166f146a127e7

Download Submit
C:\Windows\SysWOW64\Fnhbmgmk.exe

Filesize
435KB

MD5
d3956e661691e9c9daf79ce3adf164a8

SHA1
511e982956ce5b113c446d21c7438180ff612ff9

SHA256
51af2336de22f788bd5e23aa7a3ad2aa76bb18f413419c488a12e1a5d8f8d767

SHA512
16baa9ae059c7b3b86f32c556bb4568c1a068822fd7ebb92a0481941b204455721907a181d53a8dac224def5fdddaa793ef080d27df6f8169e65f271c6a24b00

Download Submit
C:\Windows\SysWOW64\Gdgdeppb.exe

Filesize
435KB

MD5
e603733f0b72af6da8bc862490315bed

SHA1
48ea34d6d6a54d97c60c72dfa84ceb0b4e6bd582

SHA256
06f408a9d190af418cc92dacfef0fdd8af5318901d729ab013edaac79660d74c

SHA512
a001d893178c0d9d9ee823ea7daeda40d405287e49f8c3d645e1ca01050af56f5bc67731e39260cf70020bd987679f8c57037d81654d51ad0b70f6d99b177374

Download Submit
C:\Windows\SysWOW64\Ggccllai.exe

Filesize
435KB

MD5
8e2d96ff1bf44662457054466aaf1ff9

SHA1
34d051f43f0a81a1db796f46a096bd5c1c21900a

SHA256
15650b86e9084758703a3a1b5a6be4d953ba606b408abc0fd8f42d30f87f6434

SHA512
aeaf3f26a920d148b86b299cd9d54716b6a2ff0f934ff5dd4c8e2da290ecde87f8c548a7b36a1eec62908c2f89201911b974dad2868c0c91a52631af4c2d7838

Download Submit
C:\Windows\SysWOW64\Gnaecedp.exe

Filesize
435KB

MD5
d932cfbfdfae5098ae9cccea6c66f46f

SHA1
8c1d8e7fd844d50305aa575231a601203d77354c

SHA256
505fa42fb004f7baf84a0a59399123022e69c9f91afbceb299f47b3f17aa0fb3

SHA512
3fac62eeaec2e5778cc272c0668cd3fc7c58c50dfd3101f56c3d35d15e3c11a19af8eadefd54be3c42ddcca8cf7a06960bb4733b26f22fec46a5f39ab913868a

Download Submit
C:\Windows\SysWOW64\Gqnejaff.exe

Filesize
435KB

MD5
f24152905c647c279542e1f00c81f040

SHA1
b996922214ee87d5e2b2ef11a2bd29d54ca0753e

SHA256
8c72f1e1f99497bc4ea167baee1bd5b59d8179bf550dcda019e5c1efdc2439a2

SHA512
fa983d6bbb22deb17aa2f9fe638274ce768e290c05116bc2e18d93dc8a1edc61b5c7421a4536509b16b9f6750136b513ae57b268918453570d8b0789d7f2749d

Download Submit
memory/240-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/456-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/456-36-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/464-54-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/544-289-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/560-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/624-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/836-31-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/836-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/860-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/884-84-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/932-415-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/964-301-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1196-313-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1284-277-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1448-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1472-126-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1524-265-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1592-174-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1604-403-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1612-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1660-180-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1708-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1724-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1832-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1892-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1896-138-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1924-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1980-90-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2096-12-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2096-392-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2120-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2168-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2224-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2264-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2268-379-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2432-187-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2436-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2444-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2492-408-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2516-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2576-156-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2592-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2676-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2820-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2984-42-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2984-417-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3012-398-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3024-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3084-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3112-162-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3136-349-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3160-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3160-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3160-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3264-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3528-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3532-114-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3552-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3608-66-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3612-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3612-387-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3668-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3684-197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3724-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3736-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3772-150-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3812-102-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3904-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3932-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3952-285-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3992-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4020-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4084-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4132-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4300-79-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4304-60-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4356-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4396-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4452-205-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4492-325-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4496-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4564-237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4584-374-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4656-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4760-132-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4776-337-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4928-397-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4928-18-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4944-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4988-108-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5008-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5008-402-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5084-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5096-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads