berbew | 36db498cc3244664f8dbedc5776765a4fe2751881122add765f65ff3ec0e7111

Analysis

max time kernel
93s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-01-2025 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36db498cc3244664f8dbedc5776765a4fe2751881122add765f65ff3ec0e7111.exe
Size

93KB
MD5

e714bced710f9399e8eb6b9ce763b23a
SHA1

9593879aec37d90bf40b86e4aeabcc21420f353c
SHA256

36db498cc3244664f8dbedc5776765a4fe2751881122add765f65ff3ec0e7111
SHA512

581f59c33a41e5740332e13c6d59ab3a0875c90069b9fd9153870691d1540542e165b2ee001623c6699694b16aa14213d13c9c9a87e6678e82287952333686b1
SSDEEP

1536:2LQqMDPNOF6439Rjn0ffYSOgNj1DaYfMZRWuLsV+1j:Q8D4Ac0ffNNBgYfc0DV+1j

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgokmgjm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lingibiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdhdajea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdnidn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldjhpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpppnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldanqkki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npfkgjdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcbom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdehlk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpablkhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kepelfam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kepelfam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miemjaci.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbeidl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgokmgjm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mibpda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Migjoaaf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdcbom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lingibiq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpppnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlcifmbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmdqgd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmdina32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdqejn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Medgncoe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nngokoej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kimnbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kimnbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlhbal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 64 IoCs

pid	Process
2896	Jbeidl32.exe
2740	Jlnnmb32.exe
2832	Jbhfjljd.exe
1920	Jianff32.exe
2468	Jlpkba32.exe
2204	Jehokgge.exe
4944	Jlbgha32.exe
4832	Jcioiood.exe
4464	Jifhaenk.exe
788	Jpppnp32.exe
4324	Kemhff32.exe
212	Kmdqgd32.exe
5012	Kdnidn32.exe
3000	Kepelfam.exe
2304	Klimip32.exe
4120	Kdqejn32.exe
1944	Kimnbd32.exe
232	Klljnp32.exe
1948	Kdcbom32.exe
4768	Kfankifm.exe
1856	Kpjcdn32.exe
3096	Kfckahdj.exe
4296	Kdgljmcd.exe
1376	Leihbeib.exe
4112	Ldjhpl32.exe
4924	Ligqhc32.exe
3600	Ldleel32.exe
1848	Lenamdem.exe
3672	Lmdina32.exe
2996	Lbabgh32.exe
2196	Lepncd32.exe
2276	Lpebpm32.exe
4552	Ldanqkki.exe
2172	Lgokmgjm.exe
1592	Lingibiq.exe
2500	Lllcen32.exe
1888	Mbfkbhpa.exe
3352	Medgncoe.exe
2876	Mipcob32.exe
4960	Mdehlk32.exe
4880	Mibpda32.exe
4668	Mdhdajea.exe
2484	Mckemg32.exe
3288	Miemjaci.exe
3396	Mlcifmbl.exe
5096	Mgimcebb.exe
4956	Migjoaaf.exe
1084	Mpablkhc.exe
3240	Mlhbal32.exe
1168	Nepgjaeg.exe
1492	Nngokoej.exe
4888	Npfkgjdn.exe
1468	Ngpccdlj.exe
4828	Nlmllkja.exe
3668	Ncfdie32.exe
2728	Njqmepik.exe
3636	Nloiakho.exe
996	Ngdmod32.exe
3028	Nnneknob.exe
4128	Nckndeni.exe
4644	Nggjdc32.exe
2808	Nnqbanmo.exe
4540	Ojgbfocc.exe
368	Opakbi32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Aqncedbp.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Aepefb32.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Ingbah32.dll	Lingibiq.exe
File opened for modification	C:\Windows\SysWOW64\Mlhbal32.exe	Mpablkhc.exe
File created	C:\Windows\SysWOW64\Jlingkpe.dll	Ngpccdlj.exe
File opened for modification	C:\Windows\SysWOW64\Pdfjifjo.exe	Pnlaml32.exe
File opened for modification	C:\Windows\SysWOW64\Afjlnk32.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Oahicipe.dll	Aglemn32.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Jbeidl32.exe	36db498cc3244664f8dbedc5776765a4fe2751881122add765f65ff3ec0e7111.exe
File opened for modification	C:\Windows\SysWOW64\Jlbgha32.exe	Jehokgge.exe
File opened for modification	C:\Windows\SysWOW64\Ldanqkki.exe	Lpebpm32.exe
File opened for modification	C:\Windows\SysWOW64\Afhohlbj.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Bfajji32.dll	Ldleel32.exe
File created	C:\Windows\SysWOW64\Migjoaaf.exe	Mgimcebb.exe
File created	C:\Windows\SysWOW64\Nloiakho.exe	Njqmepik.exe
File created	C:\Windows\SysWOW64\Kdnidn32.exe	Kmdqgd32.exe
File created	C:\Windows\SysWOW64\Mdhdajea.exe	Mibpda32.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Flpafo32.dll	Kdnidn32.exe
File created	C:\Windows\SysWOW64\Mlcifmbl.exe	Miemjaci.exe
File created	C:\Windows\SysWOW64\Ofnckp32.exe	Ocpgod32.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Nmpmkplp.dll	Jlnnmb32.exe
File created	C:\Windows\SysWOW64\Afhohlbj.exe	Anmjcieo.exe
File opened for modification	C:\Windows\SysWOW64\Kmdqgd32.exe	Kemhff32.exe
File created	C:\Windows\SysWOW64\Gijloo32.dll	Kmdqgd32.exe
File created	C:\Windows\SysWOW64\Pmdfog32.dll	Kdqejn32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Pmfhig32.exe	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Kgngca32.dll	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Mbfkbhpa.exe	Lllcen32.exe
File created	C:\Windows\SysWOW64\Mibpda32.exe	Mdehlk32.exe
File created	C:\Windows\SysWOW64\Mlhbal32.exe	Mpablkhc.exe
File opened for modification	C:\Windows\SysWOW64\Nngokoej.exe	Nepgjaeg.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Jlpkba32.exe	Jianff32.exe
File opened for modification	C:\Windows\SysWOW64\Mdehlk32.exe	Mipcob32.exe
File created	C:\Windows\SysWOW64\Aqncedbp.exe	Afhohlbj.exe
File opened for modification	C:\Windows\SysWOW64\Balpgb32.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Bfdodjhm.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Jjbedgde.dll	Jianff32.exe
File created	C:\Windows\SysWOW64\Lbabgh32.exe	Lmdina32.exe
File created	C:\Windows\SysWOW64\Nngokoej.exe	Nepgjaeg.exe
File created	C:\Windows\SysWOW64\Pgefeajb.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Cihmlb32.dll	Nlmllkja.exe
File created	C:\Windows\SysWOW64\Ocpgod32.exe	Opakbi32.exe
File created	C:\Windows\SysWOW64\Pdifoehl.exe	Pgefeajb.exe
File created	C:\Windows\SysWOW64\Qdbiedpa.exe	Pmidog32.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Leihbeib.exe	Kdgljmcd.exe
File opened for modification	C:\Windows\SysWOW64\Ldleel32.exe	Ligqhc32.exe
File created	C:\Windows\SysWOW64\Bagcnd32.dll	Medgncoe.exe
File created	C:\Windows\SysWOW64\Jmmmebhb.dll	Aqncedbp.exe
File opened for modification	C:\Windows\SysWOW64\Nloiakho.exe	Njqmepik.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5456	5260	WerFault.exe	211

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlnnmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jehokgge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nepgjaeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbhfjljd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdehlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbeidl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdqejn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbabgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepncd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mibpda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmdina32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kemhff32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mipcob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miemjaci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfckahdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckndeni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcioiood.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kepelfam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nngokoej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leihbeib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ligqhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klimip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdhdajea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mckemg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbfkbhpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Medgncoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlcifmbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlbgha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdgljmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldleel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djkahqga.dll"	Kepelfam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgokmgjm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpebpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgimcebb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jcioiood.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndqgbjkm.dll"	Jcioiood.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdcbom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hppdbdbc.dll"	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hledan32.dll"	Kemhff32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jianff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Leihbeib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Baicac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	36db498cc3244664f8dbedc5776765a4fe2751881122add765f65ff3ec0e7111.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaheeaan.dll"	Jbeidl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdjinlko.dll"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlingkpe.dll"	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laqpgflj.dll"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kepelfam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldjhpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbabgh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Medgncoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chempj32.dll"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdnidn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lepncd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdhdajea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cihmlb32.dll"	Nlmllkja.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nloiakho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbandkm.dll"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kepelfam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kimnbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lllcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjbedgde.dll"	Jianff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aihbcp32.dll"	Mibpda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmjdbam.dll"	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbeidl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jifhaenk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mibpda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mckemg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deeiam32.dll"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Aepefb32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 2896	1680	36db498cc3244664f8dbedc5776765a4fe2751881122add765f65ff3ec0e7111.exe	83
PID 1680 wrote to memory of 2896	1680	36db498cc3244664f8dbedc5776765a4fe2751881122add765f65ff3ec0e7111.exe	83
PID 1680 wrote to memory of 2896	1680	36db498cc3244664f8dbedc5776765a4fe2751881122add765f65ff3ec0e7111.exe	83
PID 2896 wrote to memory of 2740	2896	Jbeidl32.exe	84
PID 2896 wrote to memory of 2740	2896	Jbeidl32.exe	84
PID 2896 wrote to memory of 2740	2896	Jbeidl32.exe	84
PID 2740 wrote to memory of 2832	2740	Jlnnmb32.exe	85
PID 2740 wrote to memory of 2832	2740	Jlnnmb32.exe	85
PID 2740 wrote to memory of 2832	2740	Jlnnmb32.exe	85
PID 2832 wrote to memory of 1920	2832	Jbhfjljd.exe	86
PID 2832 wrote to memory of 1920	2832	Jbhfjljd.exe	86
PID 2832 wrote to memory of 1920	2832	Jbhfjljd.exe	86
PID 1920 wrote to memory of 2468	1920	Jianff32.exe	87
PID 1920 wrote to memory of 2468	1920	Jianff32.exe	87
PID 1920 wrote to memory of 2468	1920	Jianff32.exe	87
PID 2468 wrote to memory of 2204	2468	Jlpkba32.exe	88
PID 2468 wrote to memory of 2204	2468	Jlpkba32.exe	88
PID 2468 wrote to memory of 2204	2468	Jlpkba32.exe	88
PID 2204 wrote to memory of 4944	2204	Jehokgge.exe	89
PID 2204 wrote to memory of 4944	2204	Jehokgge.exe	89
PID 2204 wrote to memory of 4944	2204	Jehokgge.exe	89
PID 4944 wrote to memory of 4832	4944	Jlbgha32.exe	90
PID 4944 wrote to memory of 4832	4944	Jlbgha32.exe	90
PID 4944 wrote to memory of 4832	4944	Jlbgha32.exe	90
PID 4832 wrote to memory of 4464	4832	Jcioiood.exe	91
PID 4832 wrote to memory of 4464	4832	Jcioiood.exe	91
PID 4832 wrote to memory of 4464	4832	Jcioiood.exe	91
PID 4464 wrote to memory of 788	4464	Jifhaenk.exe	92
PID 4464 wrote to memory of 788	4464	Jifhaenk.exe	92
PID 4464 wrote to memory of 788	4464	Jifhaenk.exe	92
PID 788 wrote to memory of 4324	788	Jpppnp32.exe	93
PID 788 wrote to memory of 4324	788	Jpppnp32.exe	93
PID 788 wrote to memory of 4324	788	Jpppnp32.exe	93
PID 4324 wrote to memory of 212	4324	Kemhff32.exe	94
PID 4324 wrote to memory of 212	4324	Kemhff32.exe	94
PID 4324 wrote to memory of 212	4324	Kemhff32.exe	94
PID 212 wrote to memory of 5012	212	Kmdqgd32.exe	95
PID 212 wrote to memory of 5012	212	Kmdqgd32.exe	95
PID 212 wrote to memory of 5012	212	Kmdqgd32.exe	95
PID 5012 wrote to memory of 3000	5012	Kdnidn32.exe	96
PID 5012 wrote to memory of 3000	5012	Kdnidn32.exe	96
PID 5012 wrote to memory of 3000	5012	Kdnidn32.exe	96
PID 3000 wrote to memory of 2304	3000	Kepelfam.exe	97
PID 3000 wrote to memory of 2304	3000	Kepelfam.exe	97
PID 3000 wrote to memory of 2304	3000	Kepelfam.exe	97
PID 2304 wrote to memory of 4120	2304	Klimip32.exe	98
PID 2304 wrote to memory of 4120	2304	Klimip32.exe	98
PID 2304 wrote to memory of 4120	2304	Klimip32.exe	98
PID 4120 wrote to memory of 1944	4120	Kdqejn32.exe	99
PID 4120 wrote to memory of 1944	4120	Kdqejn32.exe	99
PID 4120 wrote to memory of 1944	4120	Kdqejn32.exe	99
PID 1944 wrote to memory of 232	1944	Kimnbd32.exe	100
PID 1944 wrote to memory of 232	1944	Kimnbd32.exe	100
PID 1944 wrote to memory of 232	1944	Kimnbd32.exe	100
PID 232 wrote to memory of 1948	232	Klljnp32.exe	101
PID 232 wrote to memory of 1948	232	Klljnp32.exe	101
PID 232 wrote to memory of 1948	232	Klljnp32.exe	101
PID 1948 wrote to memory of 4768	1948	Kdcbom32.exe	102
PID 1948 wrote to memory of 4768	1948	Kdcbom32.exe	102
PID 1948 wrote to memory of 4768	1948	Kdcbom32.exe	102
PID 4768 wrote to memory of 1856	4768	Kfankifm.exe	103
PID 4768 wrote to memory of 1856	4768	Kfankifm.exe	103
PID 4768 wrote to memory of 1856	4768	Kfankifm.exe	103
PID 1856 wrote to memory of 3096	1856	Kpjcdn32.exe	104

C:\Users\Admin\AppData\Local\Temp\36db498cc3244664f8dbedc5776765a4fe2751881122add765f65ff3ec0e7111.exe
"C:\Users\Admin\AppData\Local\Temp\36db498cc3244664f8dbedc5776765a4fe2751881122add765f65ff3ec0e7111.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Windows\SysWOW64\Jbeidl32.exe
  C:\Windows\system32\Jbeidl32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\SysWOW64\Jlnnmb32.exe
    C:\Windows\system32\Jlnnmb32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Windows\SysWOW64\Jbhfjljd.exe
      C:\Windows\system32\Jbhfjljd.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2832
    - - C:\Windows\SysWOW64\Jianff32.exe
        
        C:\Windows\system32\Jianff32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1920
      - C:\Windows\SysWOW64\Jlpkba32.exe
        
        C:\Windows\system32\Jlpkba32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\SysWOW64\Jehokgge.exe
        
        C:\Windows\system32\Jehokgge.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\SysWOW64\Jlbgha32.exe
        
        C:\Windows\system32\Jlbgha32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Windows\SysWOW64\Jcioiood.exe
        
        C:\Windows\system32\Jcioiood.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\SysWOW64\Jifhaenk.exe
        
        C:\Windows\system32\Jifhaenk.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\SysWOW64\Jpppnp32.exe
        
        C:\Windows\system32\Jpppnp32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:788
        
        C:\Windows\SysWOW64\Kemhff32.exe
        
        C:\Windows\system32\Kemhff32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4324
        
        C:\Windows\SysWOW64\Kmdqgd32.exe
        
        C:\Windows\system32\Kmdqgd32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:212
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4120
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:232
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4768
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3096
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4296
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1376
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4112
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4924
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3600
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        29⤵
        Executes dropped EXE
        
        PID:1848
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3672
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2196
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4552
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2172
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1592
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2500
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1888
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3352
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2876
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4960
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4880
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4668
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3288
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3396
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5096
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4956
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1084
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3240
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1168
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1492
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4888
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4828
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        56⤵
        Executes dropped EXE
        
        PID:3668
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2728
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3636
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:996
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        60⤵
        Executes dropped EXE
        
        PID:3028
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4128
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4644
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        63⤵
        Executes dropped EXE
        
        PID:2808
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4540
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:368
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        66⤵
        Drops file in System32 directory
        
        PID:3880
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:220
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        68⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1172
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        71⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3536
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3676
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        73⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1728
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        74⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4232
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1604
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4660
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        78⤵
        Modifies registry class
        
        PID:960
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2380
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3584
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        81⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2796
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4500
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        83⤵
        Modifies registry class
        
        PID:3116
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:864
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2584
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        86⤵
        Modifies registry class
        
        PID:2228
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4680
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1660
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        91⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3248
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        93⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1360
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:396
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1064
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:3252
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        98⤵
        Modifies registry class
        
        PID:1436
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1904
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3092
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        101⤵
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        102⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5108
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5132
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5176
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        106⤵
        Drops file in System32 directory
        
        PID:5220
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        107⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        108⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5312
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        109⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5412
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:5460
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5504
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        113⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5588
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        115⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        116⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5672
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5712
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5756
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        119⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        120⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5840
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        121⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:5928
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5972
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6016
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        125⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6060
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        126⤵
        Drops file in System32 directory
        
        PID:6104
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        127⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        128⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        129⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5260 -s 404
        130⤵
        Program crash
        
        PID:5456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5260 -ip 5260
1⤵
PID:5360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aepefb32.exe

Filesize
93KB

MD5
5d675c15c5c24fd110ae12f6838f8ae0

SHA1
a192017bc03da7865069357f0bc37a8788e5c0a1

SHA256
44f56ff6d99a74a6ac459c49416aa35fd910550cf425157fa8eb7d97d74a8c4b

SHA512
86b9a4dddc0b470c536ba671055c6006ecbf48a9e73c971a39e66e6b989af0b91ee3ee113589bb90a7d29185af6ddb30f5bf7eb72e58b9a1e201a662a7381bf4

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
93KB

MD5
9f4ca86ec873165cbc5c1b23818e35fa

SHA1
1b37951a6cf73ed6fa001f787f006dc14b21bb89

SHA256
a2de5f0cedbbe8b8bed1fb548c971447c39d793a7515f6312a826f6f7690759a

SHA512
8c24ebbb01f07f30aa6ce68cec1869022a0965b2e8a769df7f9f00758635f4150ad85513217d15d8ce9938c780a989b7d73ed428b662d7e208a7404540719e11

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
93KB

MD5
b261b3610d4fe5607fe58f286ee1dbed

SHA1
99afe22efa51486ec76946e363e1793d39d97c1f

SHA256
71328423006681fc3f2bb4239d735d156a711355b9bed0432f663a9a136d2537

SHA512
e2d127c8c3ee6fea748b2a8420964a4d365c5f411f0fcff2ed6e4c5332a5638845282ffabc559d7c7e3f3fee5711637a34ed7fc032c4e5f1e1c71cecc5091124

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
93KB

MD5
1c1c61ffc65fd92284d6e0ab73f8a79e

SHA1
4132d987b5a738b9486e9969013cc99ef0a00f65

SHA256
a4ad88115687008d6af9f3a5b685f7147f6fdd56aa112b755fc36df37598f6a3

SHA512
3a99ee4cbbca3cffd83da22cb88546c28bd6a915ad75e2e280d7f6b73eaddc690aef55d557fcb0d0a5cc5bc369164110ac49de41d053abe3504d0119398ac310

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
93KB

MD5
0ec4f35d52fb6d0f01e65166236f25a6

SHA1
b48aa200e2098c46195003764a4bbb217d4b63fa

SHA256
771bb886707f1f3fac1838bd8c762dc05e3a555d657cc1babbf88d7f3deccf5f

SHA512
3995dc883c6c33632f63b537b3376ea06af5333fa04e8b4c347409953bb02f78d4151538e79ac0dcc54420d757a2cbe9856fc73c3baa5fabedcd9965652acafb

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
93KB

MD5
c13a0e8a19b1fcebf9baf584744c6c3b

SHA1
da51f3b36a7fe3c47c1568f32192d2719ac27ea5

SHA256
d9e8bfe3a0c6f4ab045d7ff615a78a0142c2a3c7e253b30226671e135c86bad1

SHA512
297cbd2151adb9f3f3099f42fba5abff238944d21463475e9770a1e7c6ad4ee0f5c541da69dd5b39af2581f0f0c15ce880b6daf2a5007213df6e7a13272a509e

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
93KB

MD5
2f37c5ce2927e98eeb53f762fc21ad7f

SHA1
b231f20008127f9401c66cc040d14e791aae01eb

SHA256
c802a08d81303095c493d6c8e7c0b002b726a000ec4c77607a8a78fc42b53659

SHA512
f4b7d7adbdc899c598954e3e01db72659630f4eb68894859f99a6b38b58d834954c724c02d252941005f5a120f342b74a2910dd2cf9607f537b6ca74ff521c69

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
93KB

MD5
11dac32d65755de4c5a7393a99fe1287

SHA1
174418d7ea0f16176e0ff207d064552449db2f6f

SHA256
11a795f6710cb26aeaa537fd1bf631911a5f9335ca250c0c1a26d66a5e896e96

SHA512
f5c7bf3a7c96c57cf3f62d94b12cdc7d1a314f6aaf3fd8bcafa09def2c5f72974f184892650318c0861b50a93cc3c1fc6a7e1e58054698314b2b506354eebcf8

Download Submit
C:\Windows\SysWOW64\Jbeidl32.exe

Filesize
93KB

MD5
a62b6205787f69d2a124f2c24476cda9

SHA1
2690ad3da9f334acfa4c7e2e0d363da71b20c7e7

SHA256
42ba3ac3c805f73a50881692436d40610db9fdd72e9500dcbd2ff092c4d35c13

SHA512
50cb0973020c5f247da5ba743de0834b8fae3d3ad9cc405da34c3d6c9be8fe525c8af8a93d0c0e0bb87c0dbd44fa3baccacebb32b64c24b2c8a7f829cf05d558

Download Submit
C:\Windows\SysWOW64\Jbhfjljd.exe

Filesize
93KB

MD5
efe9c96ef58a86dfcb8b22bf261dff2a

SHA1
515e686ad58b676d2bb0cd6684b9a12f8d2ec363

SHA256
1115b139b1dd695efa4c069e63383bc234959528f02796431d3624b61d5a7242

SHA512
2f18b3a6fc632987eeace639bfc06d93d60b6d38fb68d3ae2e0560b49459eaea5702719c01078777f16b0e87ce1354cbb3c2b8085733de6e5971affe878168f8

Download Submit
C:\Windows\SysWOW64\Jcioiood.exe

Filesize
93KB

MD5
c4839a6a445cad1b92a67d337591fbc5

SHA1
cb20d35a497fe663b2e5d573a2d58b4a7c979d0d

SHA256
b2ea094bb1d943c28e26c06c41112df76861dfaa7d50719c412228640516d742

SHA512
2e8245b18eb7b416cc9975c1095506a5b7f114e4e3d0b72293e8164ae7f01fc63d2be742649e648c02169c218dbe303bf5a2e09193083d238a83dc8c689114ff

Download Submit
C:\Windows\SysWOW64\Jehokgge.exe

Filesize
93KB

MD5
4fd7289c25d3b52faaf3c5fbba21341a

SHA1
cedab6fdf09cfd76029eeb690b1d9c33382c9def

SHA256
75d174958ce5d77b6974eb41d78703c94ce06d18e32656593577f69d968f5c93

SHA512
a0c8116f8b3b8b7152a7e02e63160646de1e4b9fc8e89390a1eee27c5b0e86f25f73c5556ce2052d468bab58b0f1c04a4e58fb5288d1e99205a9591492a3c1eb

Download Submit
C:\Windows\SysWOW64\Jianff32.exe

Filesize
93KB

MD5
e9c81bec874cecf104dc098271d6f125

SHA1
e8a6c3bc6b743d98ee942f4dc211167767229831

SHA256
3e54dd4d610b89e45e2348d81a322ccedac26f1e500637e0d20bc14e0355cd30

SHA512
2af386831d392ab39f154055d7d5b2ba3c3fc5f6be8d3aa1a1a7c63ecfcde996d47a626b0cf54e77f193841268a92641c5759840f9c47c14f6d53c451b0305ad

Download Submit
C:\Windows\SysWOW64\Jifhaenk.exe

Filesize
93KB

MD5
fadd26a6169241a88b1d8872bdc0b37e

SHA1
8b3206cc2029cb0f1748eef9db6ff76eda3a8dd2

SHA256
29287432220caebaf2ce86980c0ca1b36f74ee694061d9f579f74a01d08c3a48

SHA512
58f0ddf17d43562bcdd6241e9d2842e7f59a725445d4547fd8d090070b947119417d40d7a92f69770fa1372b14b9e4b81f226db1daa2f2438c72380dd7c940d2

Download Submit
C:\Windows\SysWOW64\Jlbgha32.exe

Filesize
93KB

MD5
d325a4ed935aed04e0823f7bf576121f

SHA1
7fa948fca2dd6feab539f3f353d2e9b3b40fcfe0

SHA256
edb3ec023243b3fbd5dfbf559696ea8c912a0c6ac7e8046180ce2dc49db6e1dd

SHA512
9af3577a13935b412deebc35bc957fdb8a153c2a1a3463d6745ea65ee57dd342946256acd18d11a4543a4632452c030a919cd41f588906616b4d2ec25393c473

Download Submit
C:\Windows\SysWOW64\Jlnnmb32.exe

Filesize
93KB

MD5
09b6e38a9268a3cbea0b45915454b60c

SHA1
cb22ed13fb9606e4ad51fafbdb7801c6cc5827c5

SHA256
5c2c2432f448c5622f216b96ac1265582d56ee1c133d9bb1cc2e68da21a69217

SHA512
e8888537f0ed573eb7cf71aa15a6ac76867bd93d3d55b4d36a6e538874f70ba84d58fdc6f6a1231e330b39dbea66c1f1d77e6e11053d8cfee3560a9d80a56bac

Download Submit
C:\Windows\SysWOW64\Jlpkba32.exe

Filesize
93KB

MD5
3b176c0f4f2f29c135e4bf46fe3ea177

SHA1
d2c190e0e38160ccc0c96369aebc63de5afb4841

SHA256
1904b949d50be04716ab97b25b164c1745690d0b68c9ae14562ec34f8445a9d2

SHA512
c497c2fdf7eac616459f3d75711ba060483bce3bf693282fd1e61e34f2c7be768eeb92b88a52cea0c58057e1e2b94bf430e391819ff371df139ec51b97c58201

Download Submit
C:\Windows\SysWOW64\Jpppnp32.exe

Filesize
93KB

MD5
0cfbf448bf1f1e659038b880a337018a

SHA1
d1a882d57f30445d23650a805bb6975c2b220ea2

SHA256
6496d481dca874366be5bb68ee3ebf9b8dcc568d52e9358317dc03beef67bcc3

SHA512
050a46d4ea9b8c4116d44c5a19147beac5d1e9d0909d8ca2321c3789755de051ef08ecead13133ad798a553a9ecfc87095e9e9b9b385fa30b85850df5baefcb9

Download Submit
C:\Windows\SysWOW64\Kdcbom32.exe

Filesize
93KB

MD5
111b25d1c1b7cc3e7ad8f0b659ac0a4f

SHA1
746e4819210c9637099b2ccb20537c352735f958

SHA256
69e8e637b1f8cc848dacf943593ef966e19f514659ed057d28d2e3e889767a5e

SHA512
ed6c03d9a249cb43ad9f97cd46dade0b356ea9375b5d7404ce87348317575827cc0ece29a985d358b5e66769642b35cf602107a9f6b81931bfd5d7d64ad641a7

Download Submit
C:\Windows\SysWOW64\Kdgljmcd.exe

Filesize
93KB

MD5
e30ea69be0a1a9d0e6fb22a57221fea5

SHA1
eb803fada45072ae3f6be862e6cd66ecff49e48b

SHA256
b42b910837d6e0658dd01ec7f89fb4719708315c566cb84cfb9e68efef47f060

SHA512
6b70558dc4320bf3244bf7144dffaf053a6ab0d9bd1e88383690d16795d1d029687eb15569f12ee6118cbcaafe6e95d2de603c583020f9c3644dc1f097dbf10a

Download Submit
C:\Windows\SysWOW64\Kdnidn32.exe

Filesize
93KB

MD5
b5c2f222bb2cc5d8810f78eac8ef6cee

SHA1
2f595665256b6691d97309ada85c528c6cae9e05

SHA256
adae481140264141e93229b191c1f91863f4cad8da4fb1c11ad63f85225ef350

SHA512
2970fe5b14fb72781dee3e22c97dc1c0d04ffdf6d1fe26de72f3b3bd20adddf534add2f07ff5a44acebad85db653600c31f4edc94ddc6daa8f86130b6195c55e

Download Submit
C:\Windows\SysWOW64\Kdqejn32.exe

Filesize
93KB

MD5
49f45c68357771e95aa68ef556edcd35

SHA1
919e4d87ec972c637ad2c7cd26e6f3673917702b

SHA256
610156a48b030a840a0c7ef382748300e77263f3e7ba076efe0ab62452988f0d

SHA512
03a68b6e5b953637b5f3d9e778e13f7bf4ccfc87051ef67830ce6b82a324bb0b86be86cedc6b7a69d59d707cda736ff06d5ba9bc07910baa8d54cb10a0481fcf

Download Submit
C:\Windows\SysWOW64\Kemhff32.exe

Filesize
93KB

MD5
62a4512b5eba4a8b9df84ec77c6adc81

SHA1
c7abff6c96bf589298e3b813d253ac657599d427

SHA256
6cda096891f154551f57935782281977786208fd66353b63a2430de1c47fc1dc

SHA512
4c622841a805bf70ee850e9fc180947932b4f910d0ff7bb0658438ce8cea4832d6633d70f69b58bceb5ed1480335dd98448b916e818b7f7dc233ac1c3d7a628b

Download Submit
C:\Windows\SysWOW64\Kepelfam.exe

Filesize
93KB

MD5
c88f81e600aa440b48bbe27c1c6bd5e2

SHA1
ab0840f955b8949af4bf30f90441c878142d40ef

SHA256
b8c2df25f84c346489e10cb9e4bc757547f6e2c7317bef653d635a0a573d1d1a

SHA512
650235189167d12edc5be5fd1cc7fd5d09a95600b80631d3c5521bce8ba34f884c972aabd312fdc01749cb0a370bd2791c89f6f4e87c59025e078fda0cec084b

Download Submit
C:\Windows\SysWOW64\Kfankifm.exe

Filesize
93KB

MD5
1c046c1ce9e4d0159bbf451de5d8aa5c

SHA1
e04206e815e22e2a42737202a289240706802e8b

SHA256
f381aa819c4be3fe7553d0ca360bf7ac7cc8748d097e7f33af4a75fc78f60a9e

SHA512
040bb326ae19f118efc3cd99cc48abfc6ee002d7fbcd47279d608795c10025951b110685bab8ba3c3855e2249507cc88ddd5be8fbb3c8c544a401ec7a2c1bcc0

Download Submit
C:\Windows\SysWOW64\Kfckahdj.exe

Filesize
93KB

MD5
c62e6e580661e36cc673e5b334c6dabb

SHA1
29bcb14a340646dcd60bf2dff9589f5389d63249

SHA256
16b514069131ec953e64718873d09649c6a0b7adacf99b7b09687003e728a3e8

SHA512
8efec492c38aa4351b2e5960a2bfb661c2150d1513857aa1d58a14d5472bd2e2193a4ca52f384e01857436b703e8cd7f543220dfce666da1e6089a733dbb2293

Download Submit
C:\Windows\SysWOW64\Kimnbd32.exe

Filesize
93KB

MD5
08581980a2e2251996552edd5cfbcfb2

SHA1
97e3cd9492eb245c965d1e37351ea927f6114dd1

SHA256
d493e6402d332501bab388e8415ab89ff347a1397b344fa84412ee738e948c3a

SHA512
c440188b85f37d0b3d5f9e5f86c3076bd70c4bc7f5422268ce28d7da789ea7b9e84e9ef68aa95b70e348b0664cb573e42b7b6f84bbc317c17e13274d1857ae9a

Download Submit
C:\Windows\SysWOW64\Klimip32.exe

Filesize
93KB

MD5
5334c3058f5fcfc6ac57081d40af2607

SHA1
150f90019c46f1deaae4d98df83dc2ad8f1c3ba2

SHA256
1bac5816ca3d498bd48dcc2c9e2c8d7a987a3bf45410411144c42d9523b1f25b

SHA512
04b5dd1dd6c515060800a78edeb1875254e0137f025bee29108685d909d09b787c4104019b1f69d8a61128b722b493d33989109fb181877f7b4759588834c7f8

Download Submit
C:\Windows\SysWOW64\Klljnp32.exe

Filesize
93KB

MD5
feece56006d1c193da56a86cadd4a100

SHA1
38ce2fbc9976e3b62e0296856020112f6a204227

SHA256
8888115d5b2361deecaa60e08960a67e96a4e0988fcbad3e820ecc534a255bf8

SHA512
274247f7fadc267cb8164c7a440dbba9d08f012d3d8055f778a8c106e5f8f4ab94c4acdf739a1da30e8be7952106a9ef2225db665747a259e6a9328382ac34c5

Download Submit
C:\Windows\SysWOW64\Kmdqgd32.exe

Filesize
93KB

MD5
2de99ab521847d47674d31e377ff834f

SHA1
ed2ae9458d94b0d949dbcaa59061fd59253cf441

SHA256
ef1db8256b58862aa1e4a837494790851700830dddb1d36e642cbe33d3ef5cee

SHA512
4496a4d61117ccda65999a4a3f089bd2ba83bd2d71fc85dbea84b39d8acba81d66c682608eb2677c9a86f9b4142e3e71fa115c0c616d5e8f3b63b667c5519160

Download Submit
C:\Windows\SysWOW64\Kpjcdn32.exe

Filesize
93KB

MD5
8bb9de0a1eda4b6dac82c565514203bb

SHA1
131736a95524f6b4ac28b3a3da0505d959f41a6c

SHA256
3f46af1c1cfb18b545b01d1e17fdb352facecbcb04a829a628f9db494e1b1d39

SHA512
b3d074f29b321785ea86b0322b3fdacde7945068fda17ba08eb2cb499594c6f990098c5814784b7a06a188113f490ddbe7edd691f645891517ad097f473d8c77

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
93KB

MD5
726b26cb2e4727420cb32d036d15824c

SHA1
e836e7440203f097580efa7d71c42871d68c08ac

SHA256
ccb3cff1fb16693fdbdb7508e1ff64012c6dd5e8c30d66fac7b8d1d369fd7a4f

SHA512
e746d2694c6ba93a3e7e655881fd30466d7544bfcdbef53c3506890b2bacf6fdc2d2cadf27f7a685caac52717e8287cd02373197309ff7cca75428914eab245c

Download Submit
C:\Windows\SysWOW64\Ldjhpl32.exe

Filesize
93KB

MD5
6d4db05daa44401be0621edb3d5f594a

SHA1
8dbd9af6c5c81e0ead40346b19d84e90a54790bd

SHA256
f7ba9479ecd8ddcdc71b992e9460fa5ba2e6009eb1c714b86c9c9df9fa4e7146

SHA512
423ec46120b30e1b613fb312571fa597a16492bb772c64ff1488c42b5d0b83848faa9acc7db44ba27e1873c76e7f08e34d4c019d20100cc2529a100f3dc50935

Download Submit
C:\Windows\SysWOW64\Ldleel32.exe

Filesize
93KB

MD5
0f291f75fbfbfdfc2aa4d8e2c48bcd93

SHA1
9f5f4bfd98fbde5632d554799f54e1f68c76f7fd

SHA256
a4eddaaf5c3728b8421e2406dc9b7c1282e598b7d36c571fa93857afc667ea35

SHA512
c577839a398f95d0b788813bc2188af2b44a85f36fd3c0c2283e25f85c5c16217103af375ff58e0dbee9773f49175c6a52c9c0c788e2b7147db0639098381f19

Download Submit
C:\Windows\SysWOW64\Leihbeib.exe

Filesize
93KB

MD5
c5bd32a60ac0390d1dff8c94cdee55ac

SHA1
f12ab4440f4430d8958d26721f6e5561c99e1ffb

SHA256
9279bedae5e74d5c87adb5a397fd7fe423a5302f776fc1edcfe7374070ec7bf7

SHA512
70a180f1ac85228b335dd44f32564df9a5d60712d6e46f3b2ffc51acbf152aaf7ecb0d9c6e773235da470c54f6ddbb2b9aaf1e3e75a5a81dc11317179fda2ada

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
93KB

MD5
8b67cb92ca400dcb1886d388731dcb1e

SHA1
40da13942b9a6dfea7133bb26f68789d2328d344

SHA256
8be9fe7a40cee41e88a12fb6af6df677c01a607c10670ad593283a9708c1a483

SHA512
4450b253bc3db5fcc4ce95d1c5ece4a7fa19dcef2d39290018f89f01a064a810df34cf9279f12b0b1596353e3c2c040f837ad428ffa213177d7496342871b8e9

Download Submit
C:\Windows\SysWOW64\Lepncd32.exe

Filesize
93KB

MD5
b3f0aaa53c6274f9d486fa1d1b754708

SHA1
42e357e16c07c65e3028813ccc7bc2bb2bb3dbb9

SHA256
9945f5e55e212cdd440d88f9dd1e1e9356bfb21cc6ac28fad139f86b40e9a2c7

SHA512
d1a1d2314e9e03172f69f68aee789b48519113673546ad17f46ed3503e4ba51d3d6394aaaa7d5a9c4970ad294824fb68e14d852c14655ba94df6e348e523fbbd

Download Submit
C:\Windows\SysWOW64\Ligqhc32.exe

Filesize
93KB

MD5
eebe64b9ea798cee0d8e7c8a7570ab1d

SHA1
fa1e046838364474eef12df1b7929a1ec03ff345

SHA256
6650dc80a57250f2a69d22d2198fe5413a2fdfd3722fd35d9aa37e9de254c427

SHA512
0db726b60a1912c287a1ec0bf404b92058e40848b4b7ccdd6b8029a0635458df285f2ba3b10527b0c2cc61b72a58310aa5107f42f0e4d5ea2dcadf345974d0aa

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
93KB

MD5
cbb943bb9e770355acb27305053173c8

SHA1
5f8dc44b513b7f29033f6b6c6404c17fd9c8c5bf

SHA256
621f83e45762b195aaa1b2dc45209e8fe28d023f7f14906b5a99ff25ff380e32

SHA512
11fb931d8577afef7c6caf6469d6576cbe473be1b5ce917cdd059cd335a82c81bf6740aa25d7f20295991af7e8190fbd9686813e9f7e5250951413e601466fed

Download Submit
C:\Windows\SysWOW64\Lpebpm32.exe

Filesize
93KB

MD5
6a1bee01cb8d7dbcb99a465992ebed79

SHA1
ca7ecd5e512c1d2467e42a92ffdca2ea38c2d2df

SHA256
733cd5c8edd1e8998e929540ccb07f0a3bba78a8432505f2ca6a0048e9d23d69

SHA512
47c12e7406ff3115439b3cba283c16334fd90ef6f6fbd09e6e45a8c988f8fe3224e7a8b69e1bfc78128f8b265aa437c74f4f8992a5c27b22d8a192c4ec25de25

Download Submit
C:\Windows\SysWOW64\Mgimcebb.exe

Filesize
93KB

MD5
98efd1c855c60567c038d3eaf7134417

SHA1
09addb7658f6cd1e97849fc0ec64e9c41c7864e9

SHA256
30f3bbc58a99d02aef538277af10058c77f10f50c946d32fb9a220688ca360af

SHA512
1efe525c55dfee012ffc3d105b9501339cc76e16b595c3d1f62189a6abcbcc85dce9217b68a15bb5596aa924f6241eecc40b13ecf34c42e090eab9f2e54c7bc8

Download Submit
C:\Windows\SysWOW64\Mibpda32.exe

Filesize
93KB

MD5
fc5e7ad478d0a9f5f89a4f1d5636a06e

SHA1
75066d57fa11ee67062bbbdefa2b6a10fe31b611

SHA256
26d08a58f87862fe450150189ca593b2d3a3f8c59b73eada0ceb717fd6963eab

SHA512
ff8dd8dd80c621b9cf88f8a3873fa73af3f8639552b387ac301c03a6a129b1bdc3457395c76fa45cf8d975a82d92e52c2d42103b3174ea7794c0d3739deb8a3a

Download Submit
C:\Windows\SysWOW64\Miemjaci.exe

Filesize
93KB

MD5
d83791180108c952c7d7fa2f61297c9e

SHA1
6abcbd775727f93cd1909af9d44362dbcf83581f

SHA256
6dd398ee763f09d636b96a8f379437b42cccd8c6c2dad1d7abb607606f332a23

SHA512
0a5f6619ba971c621646bfbf7e3b8c9c084a89221866fe021c02ee0adabf4a69cc2fa575bc85af1822b5ea57cbddb861365dcf52a83dc99c4c48fb5b43c39853

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
93KB

MD5
438c30b1c2799437545f6f644f3af721

SHA1
8a48dbe480bf43ffca59730b35abd9bea6267454

SHA256
ab6cfd4d35b5fa36732c786410d8b25037c1bbf94743c3eeb8815dcc1d9e53fb

SHA512
178c81f1f9f1008299eda58b5720bd8de01396955a91996dbd1e766ab59fd44947e4b2f451e5726b4cf379854761e72a6a5337923ad761a5d0cfa0d8e8316c27

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
93KB

MD5
72d985533e423e3fada9e03864998668

SHA1
09b5738139d6355d5bb238607a62e3bf9c2255f6

SHA256
27a31287b85460667228a4b724973e10a29196f0c17034e1c3cf489c8ac65f42

SHA512
2da5eb7061d558b836d47d2b156acb7e258672c48cfd95a075e2fdcf9f6bc3eaa84e23e893c2168a01faca172f3aab2cc62a2d5f5113706af727911f5ff2fbf6

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
93KB

MD5
4d7596dbd246fef5b7f795f08c86451d

SHA1
36bd1f68919df858aeda0b7265dc065c36b1fc27

SHA256
36573ffc146ea5c130e3c20e3785b08e2cc85c9e6ca494b170ddc5f103dab285

SHA512
ccecd451c02f1fe6476fc02c069284801d9faa3ce0659a4e372a436dfb01603427743438c21dbf95e7ec33b9d28d224a7cffc1068d7f3aef96d11e1a3c0620c0

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
93KB

MD5
950a47b45db815bc184b64aa7a74a85c

SHA1
e8076e25c5d7ea43b8125e787f6cd3b0d62f7c91

SHA256
77faa3e51ff2bc6256252ea4eb8d77b08f4d164e32d4f1665c02de6c5b7a0c7c

SHA512
ca3032bd0a13dfcf28a04cf79c18c6e3c4561b5b2819a993161a3ac5a5cb90cdf690e5f95f23b9d2023c15e9106bad7d4f3b860dd3302094835facf322ff7c21

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
93KB

MD5
1e1517b436dae8f2eff82d6c35b8cf2d

SHA1
cd93c17f2892d40ca5b3e8358e25656393854304

SHA256
03b29f20adb303af815b01822e4bd322c782e6f87b3ec390f093f02eb55f92c4

SHA512
b98bb6b88e2fcf9c79e5e9d14c6750e9af2f708e85d88c397020b761b3f720a1b61359d1796dccc6b09aa4e1d17fe5d77eecd5f0e6a2d80b692ed7a08789aaf6

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
93KB

MD5
5a4715867303fa3c913c1e34c52c0016

SHA1
8ae9754bd1c803eaa0e26b7f12699c8fe266176c

SHA256
12824a9d120d79cbbcc0af72c4e3712f13181093953e7c82e3f679b586c4edac

SHA512
5ffb1381d5a25d90b8f47545199e90c85daa39e1d52185b316b30a4ca0b602da701a3f58316817697439d3338190fc7ffe44fa2793f20ea74a9986a5cb506a1a

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
93KB

MD5
5018fdca4bc3472a6208821a95902782

SHA1
3d9033bdc0fbdf7695ff69de9eaf5b728905b027

SHA256
46ae76d60680e1f128e7f84cb30b383669502520646d9e6d71b9e8329253b39e

SHA512
125162109555ed37cf90b077a1aa0c521933914e5211a3965b633a224c05f2307e5797f10349ddbf09edfe89810ccee57b035f857fe146a60fda3d430df8d4c7

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
93KB

MD5
84887ef6887e87b8b2596701ca4f7d97

SHA1
779105fb6b616f89fc29882dd71824fe15649d2d

SHA256
dbfa64595b9ba7942bf05e7544a31b61575e353e11942360316cb7e7344c295b

SHA512
a28e84b9e6717faaeadbe8ebf4808572b8bfc6b7168ab3e8e34d8e637897f11bdca47b8adda104c1a8880160c73f3feb17763c72e0acbb0e140356cf7e7d2344

Download Submit
memory/212-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/220-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/220-999-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/232-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/368-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/788-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/864-568-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/960-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/996-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1084-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1168-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1172-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1376-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1468-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1492-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1592-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1604-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1680-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1680-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1680-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1728-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1848-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1856-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1888-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1920-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1920-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1944-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1948-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2172-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2196-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2204-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2204-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2228-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2276-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2304-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2344-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2380-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2432-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2468-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2468-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2484-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2500-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2584-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2592-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2728-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2740-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2740-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2796-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2808-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2832-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2832-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2876-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2892-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2892-960-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2896-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2896-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2996-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3000-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3028-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3096-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3116-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3240-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3288-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3352-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3396-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3536-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3584-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3600-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3636-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3668-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3672-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3676-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3880-459-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4112-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4120-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4128-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4232-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4296-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4324-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4464-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4500-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4540-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4552-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4644-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4660-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4668-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4768-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4828-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4832-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4880-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4888-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4924-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4944-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4944-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4956-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4960-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5012-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5096-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5928-891-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5972-890-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6016-889-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6060-888-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads