berbew | 360934dbcd0215f73174d02677bc4a09cf7dc4bda898c765012ed9b23d3a218d

Analysis

max time kernel
106s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2024 03:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

360934dbcd0215f73174d02677bc4a09cf7dc4bda898c765012ed9b23d3a218dN.exe
Size

93KB
MD5

e2a68e66ed349120b05845babf953e10
SHA1

e4d557cc8626fac0e55921d5b697d89158084a92
SHA256

360934dbcd0215f73174d02677bc4a09cf7dc4bda898c765012ed9b23d3a218d
SHA512

71f7195531ef4c09ffcde1f3cc2190e3f557a27a02d21da1a81602fbe6594fbfe328784983f71dde1bc3bfc1a3d1b4150d286d946ea9177414ab7375a6e241af
SSDEEP

1536:Rds+OdlypOc/j1RKcyzZB2x1zuQ8c2Z1DaYfMZRWuLsV+1Z:ReQOSLEBszacAgYfc0DV+1Z

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Pmannhhj.exePcbmka32.exeAglemn32.exeMlefklpj.exeNilcjp32.exeOcnjidkf.exeOddmdf32.exeOcgmpccl.exeCfbkeh32.exeCajlhqjp.exeMcmabg32.exePqdqof32.exeAqppkd32.exeCfdhkhjj.exeAmgapeea.exeBagflcje.exeDejacond.exeNlmllkja.exePmfhig32.exeAjfhnjhq.exeCdfkolkf.exeBapiabak.exeCjbpaf32.exeDknpmdfc.exeOjoign32.exeAnogiicl.exeAgglboim.exeBnkgeg32.exeDhkjej32.exeDdakjkqi.exeNjciko32.exeNpmagine.exePmoahijl.exeBganhm32.exeNdfqbhia.exeDodbbdbb.exeCdhhdlid.exeNjqmepik.exePnlaml32.exeCeqnmpfo.exeCagobalc.exeDdmaok32.exeDelnin32.exeNdokbi32.exeAnfmjhmd.exeBcoenmao.exeDjdmffnn.exeBclhhnca.exeCjpckf32.exePcijeb32.exeAnmjcieo.exeAeiofcji.exeDopigd32.exeBgcknmop.exeBjddphlq.exeBjfaeh32.exeAcnlgp32.exeBgehcmmm.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlefklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nilcjp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcmabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njciko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npmagine.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndfqbhia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njqmepik.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 64 IoCs

Processes:

Mckemg32.exeMiemjaci.exeMpoefk32.exeMcmabg32.exeMmbfpp32.exeMlefklpj.exeMdmnlj32.exeMgkjhe32.exeMnebeogl.exeNdokbi32.exeNgmgne32.exeNilcjp32.exeNljofl32.exeNcdgcf32.exeNjnpppkn.exeNlmllkja.exeNcfdie32.exeNjqmepik.exeNloiakho.exeNdfqbhia.exeNgdmod32.exeNjciko32.exeNpmagine.exeNggjdc32.exeNjefqo32.exeOponmilc.exeOcnjidkf.exeOjgbfocc.exeOlfobjbg.exeOdmgcgbi.exeOjjolnaq.exeOpdghh32.exeOgnpebpj.exeOjllan32.exeOlkhmi32.exeOdapnf32.exeOgpmjb32.exeOjoign32.exeOlmeci32.exeOddmdf32.exeOcgmpccl.exeOfeilobp.exePnlaml32.exePmoahijl.exePcijeb32.exePgefeajb.exePjcbbmif.exePmannhhj.exePclgkb32.exePfjcgn32.exePnakhkol.exePqpgdfnp.exePcncpbmd.exePjhlml32.exePmfhig32.exePcppfaka.exePfolbmje.exePnfdcjkg.exePqdqof32.exePcbmka32.exePjmehkqk.exeQmkadgpo.exeQdbiedpa.exeQgqeappe.exe

pid	Process
4828	Mckemg32.exe
1984	Miemjaci.exe
4348	Mpoefk32.exe
2424	Mcmabg32.exe
3900	Mmbfpp32.exe
600	Mlefklpj.exe
2940	Mdmnlj32.exe
4864	Mgkjhe32.exe
3640	Mnebeogl.exe
5060	Ndokbi32.exe
4312	Ngmgne32.exe
1228	Nilcjp32.exe
2112	Nljofl32.exe
1732	Ncdgcf32.exe
1992	Njnpppkn.exe
2328	Nlmllkja.exe
3668	Ncfdie32.exe
2956	Njqmepik.exe
1600	Nloiakho.exe
4288	Ndfqbhia.exe
4916	Ngdmod32.exe
1676	Njciko32.exe
1140	Npmagine.exe
1036	Nggjdc32.exe
1368	Njefqo32.exe
3968	Oponmilc.exe
2748	Ocnjidkf.exe
4392	Ojgbfocc.exe
332	Olfobjbg.exe
672	Odmgcgbi.exe
2728	Ojjolnaq.exe
1976	Opdghh32.exe
3380	Ognpebpj.exe
3128	Ojllan32.exe
3340	Olkhmi32.exe
232	Odapnf32.exe
2564	Ogpmjb32.exe
3584	Ojoign32.exe
8	Olmeci32.exe
4588	Oddmdf32.exe
3916	Ocgmpccl.exe
3116	Ofeilobp.exe
956	Pnlaml32.exe
2900	Pmoahijl.exe
3240	Pcijeb32.exe
4576	Pgefeajb.exe
2296	Pjcbbmif.exe
4960	Pmannhhj.exe
3200	Pclgkb32.exe
4388	Pfjcgn32.exe
1680	Pnakhkol.exe
1924	Pqpgdfnp.exe
5052	Pcncpbmd.exe
1304	Pjhlml32.exe
2124	Pmfhig32.exe
4008	Pcppfaka.exe
2272	Pfolbmje.exe
4620	Pnfdcjkg.exe
1532	Pqdqof32.exe
636	Pcbmka32.exe
1644	Pjmehkqk.exe
4756	Qmkadgpo.exe
3732	Qdbiedpa.exe
3728	Qgqeappe.exe

Drops file in System32 directory 64 IoCs

Processes:

Ogpmjb32.exeOjoign32.exeOlkhmi32.exeCmqmma32.exeDjdmffnn.exeBgcknmop.exePcppfaka.exeQdbiedpa.exeQjoankoi.exeAnfmjhmd.exeCfdhkhjj.exeDmjocp32.exeOdapnf32.exeQddfkd32.exeAeiofcji.exeBeglgani.exeDelnin32.exeNdokbi32.exeAnmjcieo.exeBgehcmmm.exeDgbdlf32.exePmfhig32.exePcncpbmd.exeCdfkolkf.exePgefeajb.exeNjnpppkn.exeOlfobjbg.exeOjllan32.exeOfeilobp.exeMpoefk32.exeQmkadgpo.exeAgeolo32.exeAjfhnjhq.exeBfabnjjp.exeCdabcm32.exePnfdcjkg.exeNpmagine.exePnlaml32.exePmoahijl.exeDfiafg32.exeMmbfpp32.exeNjqmepik.exeNggjdc32.exeOpdghh32.exeCajlhqjp.exeMnebeogl.exeDknpmdfc.exeNjefqo32.exeBagflcje.exeBjddphlq.exeCdhhdlid.exeNljofl32.exeCfbkeh32.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ojoign32.exe	Ogpmjb32.exe
File created	C:\Windows\SysWOW64\Jilkmnni.dll	Ojoign32.exe
File created	C:\Windows\SysWOW64\Naekcf32.dll	Olkhmi32.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Pfolbmje.exe	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Qciaajej.dll	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Qddfkd32.exe	Qjoankoi.exe
File opened for modification	C:\Windows\SysWOW64\Aepefb32.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Ogpmjb32.exe	Odapnf32.exe
File created	C:\Windows\SysWOW64\Laqpgflj.dll	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Agglboim.exe	Aeiofcji.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Ngmgne32.exe	Ndokbi32.exe
File opened for modification	C:\Windows\SysWOW64\Adgbpc32.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Ifoihl32.dll	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Nlaqpipg.dll	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Pjcbbmif.exe	Pgefeajb.exe
File created	C:\Windows\SysWOW64\Agocgbni.dll	Ndokbi32.exe
File created	C:\Windows\SysWOW64\Nlmllkja.exe	Njnpppkn.exe
File opened for modification	C:\Windows\SysWOW64\Nlmllkja.exe	Njnpppkn.exe
File created	C:\Windows\SysWOW64\Odmgcgbi.exe	Olfobjbg.exe
File created	C:\Windows\SysWOW64\Hiclgb32.dll	Ojllan32.exe
File opened for modification	C:\Windows\SysWOW64\Olmeci32.exe	Ojoign32.exe
File created	C:\Windows\SysWOW64\Pnlaml32.exe	Ofeilobp.exe
File opened for modification	C:\Windows\SysWOW64\Mcmabg32.exe	Mpoefk32.exe
File created	C:\Windows\SysWOW64\Kgldjcmk.dll	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Anogiicl.exe	Ageolo32.exe
File created	C:\Windows\SysWOW64\Jlklhm32.dll	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Pqdqof32.exe	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Kmcjho32.dll	Npmagine.exe
File opened for modification	C:\Windows\SysWOW64\Pmoahijl.exe	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Halpnqlq.dll	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Mlefklpj.exe	Mmbfpp32.exe
File created	C:\Windows\SysWOW64\Nloiakho.exe	Njqmepik.exe
File opened for modification	C:\Windows\SysWOW64\Njefqo32.exe	Nggjdc32.exe
File opened for modification	C:\Windows\SysWOW64\Ognpebpj.exe	Opdghh32.exe
File created	C:\Windows\SysWOW64\Beapme32.dll	Opdghh32.exe
File opened for modification	C:\Windows\SysWOW64\Pcppfaka.exe	Pmfhig32.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Ndokbi32.exe	Mnebeogl.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Oponmilc.exe	Njefqo32.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bagflcje.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Dapgdeib.dll	Nljofl32.exe
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
6268	5916	WerFault.exe	223

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Mgkjhe32.exeOlkhmi32.exeOjoign32.exePcijeb32.exePjmehkqk.exeNdfqbhia.exeOpdghh32.exePmoahijl.exePjhlml32.exeNloiakho.exePqdqof32.exeAgeolo32.exeBjfaeh32.exeDddhpjof.exeNilcjp32.exeBgehcmmm.exeDhkjej32.exeMlefklpj.exeAgglboim.exeNljofl32.exePnlaml32.exeBnhjohkb.exeBganhm32.exeQgqeappe.exeQjoankoi.exeBfabnjjp.exeCmiflbel.exeCdhhdlid.exeBjagjhnc.exeCeqnmpfo.exeCnffqf32.exeCmqmma32.exeQgcbgo32.exeAnogiicl.exeBcoenmao.exeOgnpebpj.exeOgpmjb32.exeNcdgcf32.exeBjddphlq.exeCjpckf32.exeAeniabfd.exeDfiafg32.exeDknpmdfc.exePgefeajb.exePfjcgn32.exeBeglgani.exeCagobalc.exeNpmagine.exeAnfmjhmd.exeDejacond.exeOddmdf32.exeAepefb32.exeCjbpaf32.exeDmllipeg.exePnfdcjkg.exeDopigd32.exeDmjocp32.exe360934dbcd0215f73174d02677bc4a09cf7dc4bda898c765012ed9b23d3a218dN.exeMiemjaci.exeOlfobjbg.exePfolbmje.exeDhfajjoj.exePqpgdfnp.exeAnmjcieo.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgkjhe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndfqbhia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilcjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlefklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nljofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncdgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npmagine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	360934dbcd0215f73174d02677bc4a09cf7dc4bda898c765012ed9b23d3a218dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miemjaci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe

Modifies registry class 64 IoCs

Processes:

Ncfdie32.exeOlkhmi32.exeOddmdf32.exePjcbbmif.exeBfabnjjp.exeBeglgani.exeDelnin32.exe360934dbcd0215f73174d02677bc4a09cf7dc4bda898c765012ed9b23d3a218dN.exeOponmilc.exeOjjolnaq.exeAeniabfd.exeNjnpppkn.exePmoahijl.exePcppfaka.exeQmkadgpo.exeAnogiicl.exeAnfmjhmd.exeBnkgeg32.exeBapiabak.exeCnffqf32.exeCagobalc.exeNpmagine.exeNilcjp32.exeQddfkd32.exeBclhhnca.exeCdabcm32.exeCegdnopg.exeOgnpebpj.exePmannhhj.exeBgehcmmm.exeNcdgcf32.exeOgpmjb32.exePjmehkqk.exeQdbiedpa.exeQgqeappe.exeQgcbgo32.exeAmgapeea.exeBcoenmao.exeCfmajipb.exeCeqnmpfo.exeDdakjkqi.exeDknpmdfc.exeMpoefk32.exeOpdghh32.exeAnmjcieo.exeAeiofcji.exeCfbkeh32.exeDmjocp32.exeCfdhkhjj.exeDmefhako.exeMgkjhe32.exeNgmgne32.exePnfdcjkg.exeBfkedibe.exeCdhhdlid.exeOcgmpccl.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naekcf32.dll"	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfhkicbi.dll"	360934dbcd0215f73174d02677bc4a09cf7dc4bda898c765012ed9b23d3a218dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najmlf32.dll"	Oponmilc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	360934dbcd0215f73174d02677bc4a09cf7dc4bda898c765012ed9b23d3a218dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlingkpe.dll"	Njnpppkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feibedlp.dll"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npmagine.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nilcjp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahioknai.dll"	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chempj32.dll"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	360934dbcd0215f73174d02677bc4a09cf7dc4bda898c765012ed9b23d3a218dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpoefk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgkjhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngmgne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clncadfb.dll"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmcdaagm.dll"	Ocgmpccl.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

360934dbcd0215f73174d02677bc4a09cf7dc4bda898c765012ed9b23d3a218dN.exeMckemg32.exeMiemjaci.exeMpoefk32.exeMcmabg32.exeMmbfpp32.exeMlefklpj.exeMdmnlj32.exeMgkjhe32.exeMnebeogl.exeNdokbi32.exeNgmgne32.exeNilcjp32.exeNljofl32.exeNcdgcf32.exeNjnpppkn.exeNlmllkja.exeNcfdie32.exeNjqmepik.exeNloiakho.exeNdfqbhia.exeNgdmod32.exe

description	pid	Process	procid_target
PID 884 wrote to memory of 4828	884	360934dbcd0215f73174d02677bc4a09cf7dc4bda898c765012ed9b23d3a218dN.exe	84
PID 884 wrote to memory of 4828	884	360934dbcd0215f73174d02677bc4a09cf7dc4bda898c765012ed9b23d3a218dN.exe	84
PID 884 wrote to memory of 4828	884	360934dbcd0215f73174d02677bc4a09cf7dc4bda898c765012ed9b23d3a218dN.exe	84
PID 4828 wrote to memory of 1984	4828	Mckemg32.exe	85
PID 4828 wrote to memory of 1984	4828	Mckemg32.exe	85
PID 4828 wrote to memory of 1984	4828	Mckemg32.exe	85
PID 1984 wrote to memory of 4348	1984	Miemjaci.exe	86
PID 1984 wrote to memory of 4348	1984	Miemjaci.exe	86
PID 1984 wrote to memory of 4348	1984	Miemjaci.exe	86
PID 4348 wrote to memory of 2424	4348	Mpoefk32.exe	87
PID 4348 wrote to memory of 2424	4348	Mpoefk32.exe	87
PID 4348 wrote to memory of 2424	4348	Mpoefk32.exe	87
PID 2424 wrote to memory of 3900	2424	Mcmabg32.exe	88
PID 2424 wrote to memory of 3900	2424	Mcmabg32.exe	88
PID 2424 wrote to memory of 3900	2424	Mcmabg32.exe	88
PID 3900 wrote to memory of 600	3900	Mmbfpp32.exe	89
PID 3900 wrote to memory of 600	3900	Mmbfpp32.exe	89
PID 3900 wrote to memory of 600	3900	Mmbfpp32.exe	89
PID 600 wrote to memory of 2940	600	Mlefklpj.exe	90
PID 600 wrote to memory of 2940	600	Mlefklpj.exe	90
PID 600 wrote to memory of 2940	600	Mlefklpj.exe	90
PID 2940 wrote to memory of 4864	2940	Mdmnlj32.exe	91
PID 2940 wrote to memory of 4864	2940	Mdmnlj32.exe	91
PID 2940 wrote to memory of 4864	2940	Mdmnlj32.exe	91
PID 4864 wrote to memory of 3640	4864	Mgkjhe32.exe	92
PID 4864 wrote to memory of 3640	4864	Mgkjhe32.exe	92
PID 4864 wrote to memory of 3640	4864	Mgkjhe32.exe	92
PID 3640 wrote to memory of 5060	3640	Mnebeogl.exe	94
PID 3640 wrote to memory of 5060	3640	Mnebeogl.exe	94
PID 3640 wrote to memory of 5060	3640	Mnebeogl.exe	94
PID 5060 wrote to memory of 4312	5060	Ndokbi32.exe	95
PID 5060 wrote to memory of 4312	5060	Ndokbi32.exe	95
PID 5060 wrote to memory of 4312	5060	Ndokbi32.exe	95
PID 4312 wrote to memory of 1228	4312	Ngmgne32.exe	96
PID 4312 wrote to memory of 1228	4312	Ngmgne32.exe	96
PID 4312 wrote to memory of 1228	4312	Ngmgne32.exe	96
PID 1228 wrote to memory of 2112	1228	Nilcjp32.exe	97
PID 1228 wrote to memory of 2112	1228	Nilcjp32.exe	97
PID 1228 wrote to memory of 2112	1228	Nilcjp32.exe	97
PID 2112 wrote to memory of 1732	2112	Nljofl32.exe	98
PID 2112 wrote to memory of 1732	2112	Nljofl32.exe	98
PID 2112 wrote to memory of 1732	2112	Nljofl32.exe	98
PID 1732 wrote to memory of 1992	1732	Ncdgcf32.exe	100
PID 1732 wrote to memory of 1992	1732	Ncdgcf32.exe	100
PID 1732 wrote to memory of 1992	1732	Ncdgcf32.exe	100
PID 1992 wrote to memory of 2328	1992	Njnpppkn.exe	101
PID 1992 wrote to memory of 2328	1992	Njnpppkn.exe	101
PID 1992 wrote to memory of 2328	1992	Njnpppkn.exe	101
PID 2328 wrote to memory of 3668	2328	Nlmllkja.exe	102
PID 2328 wrote to memory of 3668	2328	Nlmllkja.exe	102
PID 2328 wrote to memory of 3668	2328	Nlmllkja.exe	102
PID 3668 wrote to memory of 2956	3668	Ncfdie32.exe	103
PID 3668 wrote to memory of 2956	3668	Ncfdie32.exe	103
PID 3668 wrote to memory of 2956	3668	Ncfdie32.exe	103
PID 2956 wrote to memory of 1600	2956	Njqmepik.exe	104
PID 2956 wrote to memory of 1600	2956	Njqmepik.exe	104
PID 2956 wrote to memory of 1600	2956	Njqmepik.exe	104
PID 1600 wrote to memory of 4288	1600	Nloiakho.exe	106
PID 1600 wrote to memory of 4288	1600	Nloiakho.exe	106
PID 1600 wrote to memory of 4288	1600	Nloiakho.exe	106
PID 4288 wrote to memory of 4916	4288	Ndfqbhia.exe	107
PID 4288 wrote to memory of 4916	4288	Ndfqbhia.exe	107
PID 4288 wrote to memory of 4916	4288	Ndfqbhia.exe	107
PID 4916 wrote to memory of 1676	4916	Ngdmod32.exe	108

C:\Users\Admin\AppData\Local\Temp\360934dbcd0215f73174d02677bc4a09cf7dc4bda898c765012ed9b23d3a218dN.exe
"C:\Users\Admin\AppData\Local\Temp\360934dbcd0215f73174d02677bc4a09cf7dc4bda898c765012ed9b23d3a218dN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:884
- C:\Windows\SysWOW64\Mckemg32.exe
  C:\Windows\system32\Mckemg32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4828
- - C:\Windows\SysWOW64\Miemjaci.exe
    C:\Windows\system32\Miemjaci.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1984
  - - C:\Windows\SysWOW64\Mpoefk32.exe
      C:\Windows\system32\Mpoefk32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4348
    - - C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2424
      - C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3900
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:600
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3640
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4288
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1676
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1140
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1036
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1368
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3968
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2748
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        29⤵
        Executes dropped EXE
        
        PID:4392
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:332
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        31⤵
        Executes dropped EXE
        
        PID:672
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2728
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3380
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3128
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3340
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:232
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2564
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3584
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        40⤵
        Executes dropped EXE
        
        PID:8
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4588
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3916
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3116
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:956
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3240
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4576
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4960
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        50⤵
        Executes dropped EXE
        
        PID:3200
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4388
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        52⤵
        Executes dropped EXE
        
        PID:1680
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1924
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5052
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1304
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2124
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4008
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2272
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4620
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1532
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:636
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4756
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3732
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3728
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1524
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        68⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        70⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3688
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2660
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:880
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3520
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3456
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2416
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:524
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        78⤵
        
        PID:316
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4148
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        80⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3308
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4684
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3216
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:5140
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5184
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5228
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        89⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5360
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:5416
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        92⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        93⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5504
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5592
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        96⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5684
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        98⤵
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5772
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        100⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5864
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5908
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        103⤵
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        104⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        105⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        106⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6128
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:5176
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        110⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5516
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5656
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5744
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5884
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        118⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5960
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        119⤵
        Modifies registry class
        
        PID:6044
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:6120
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        121⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5160
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5300
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5404
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5588
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5692
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        126⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        127⤵
        Modifies registry class
        
        PID:5932
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6052
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5192
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5368
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        132⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:5968
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        134⤵
        Drops file in System32 directory
        
        PID:5348
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5624
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        136⤵
        System Location Discovery: System Language Discovery
        
        PID:5916
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5916 -s 224
        137⤵
        Program crash
        
        PID:6268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5916 -ip 5916
1⤵
PID:6156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
93KB

MD5
4008b35f3c51e83637fa6390a05f5522

SHA1
0518ec1d46408b07089a6a20a6f01e7e1bd03303

SHA256
245c9037a16b2e2a31c6458b7d2a64c876d710ceb62bc13796e4f7440b07aa37

SHA512
038996d790cd4f91fc015a828bd8e54f3fee1be2a22e2a51123ee9029bda6cb85a9ae5eddd989d98b46ce0d40be0faac1d929fb27d6183b88275e11526eaa2a5

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
93KB

MD5
c0863d2ed0203dcc995fe9ef720cd91f

SHA1
5310df774aa2964d1f0959add81c6a001e96c81f

SHA256
6878a7cbc1abd850cb76da330379b520ea2a3ca5893277a9a14420e3598fb374

SHA512
2aa5089492ba8b749032326a137a97d8e7af53af07957b47c042b33a604e833dbddd3b62387a1a80a0c3f95877eaad7c7a05636f0aed2e47c79612b6b797095a

Download Submit
C:\Windows\SysWOW64\Bapiabak.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
93KB

MD5
c038e4311dc1defdb5dd4ccc51a68883

SHA1
2841051eacf020abed1c3440ca0690eab25a7e9e

SHA256
91962ef14d97768d1dedea66812835a631392fa6e8e89dade1175bde6f3b5a9f

SHA512
64e07560873513faadec4b4789347490cb19e3d54aebf73910137302d4016388368b6a29f343bc7e2f90d18ab57bf5d08a8feabb15369fac1598c05b6301c31a

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
93KB

MD5
605e544405f3903e9b636cde29c6b4fc

SHA1
66bb6d0fd6f1864445dc903174fe6a26e56f0a64

SHA256
fd2cc28339e88f36bea5192e17bdba0d1a8e728f71215d3a93eb74dac9c49718

SHA512
6622c0c535680401c9cd91bee285e8682d0d21bf82335f0c500fbe832411169ec4f7eb62bdae938b0c72f5d20591c1e41129108c0d6f58cfcc6eaf226c134387

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
93KB

MD5
c647d16547dd2c6bf1e0d6f6924ab2e4

SHA1
882f7b5e8204b05821522b334d0c184897ac27c8

SHA256
d7809763de8068c10705321b315c0a15e7928318001ce8ff2ccbbf76d7b72b6e

SHA512
9d7fecb5d5e98d011416341b5df4e84171093ef3d53b0dee7a790a188ccdf06c4d85452abff0a756a7ada832a5842e5484e4b9aee1313b3e2d57803b96575409

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
93KB

MD5
04a61376e51edaeb6355ab14f30a0994

SHA1
9edc0365590f38a0de62486e6ce036138bec5b12

SHA256
7c350889fdf8fa9a23efdc88cf71cfbfc830822aa10eda002df2f1dd5573c52a

SHA512
a742ec155873b796079d4631c3847254f87db018424512f9c192c1ecfc00f212d96ae2c52270ab8826bf991524160d068eeeba6d056eab9b4b57200f76a34764

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
93KB

MD5
ee220e30ccb5f542404d4c07b0d4dd1e

SHA1
d2312d1e4e4bc711a1be941f5afb19138994cb99

SHA256
74a040da64e0c407d14a5be1ede18c821f50bc5e116c73563711669a36f278a7

SHA512
bf1c5a8837d8f1f7cddd293cd0588e921709e98a391621201581325eebff80ac43317210ba485c5fb87080ae5c9ef38d91ca0b19189b1a7435bce75f71ae0671

Download Submit
C:\Windows\SysWOW64\Mckemg32.exe

Filesize
93KB

MD5
df3a56e5ced595425740343059a7743b

SHA1
f7d649e369cfdf184742cc6198ba36e98725b63d

SHA256
4cc76c3756eda66948e34261d8b3ce99168382492230471f583adcead5696294

SHA512
1171306fa8fa7a0be1f2dc80e0624dd7887c3dca8b7d376506adc546e057566b8567c3852099d37fbf66abe197d015f1b326db0fd679c8e76cbd523b14c7daea

Download Submit
C:\Windows\SysWOW64\Mcmabg32.exe

Filesize
93KB

MD5
5c875a1157a94189a2c1287878b39c71

SHA1
d64bc04438455e356a0f2b4692a4572ad7db8349

SHA256
a9bd1c922e5cccbcaccc38055745461c1c8d92b7f1df4a2aacff2143b9b4d900

SHA512
55ffbecc07fb74d3397e2826afef1aa610905e65bfa4511eb6117e700300bcc97057b359de48eab8448757016a3026c81f64ca78c661fd19412c964deddbaefd

Download Submit
C:\Windows\SysWOW64\Mdmnlj32.exe

Filesize
93KB

MD5
03e46fd7bdff128c710afebf249a2e0b

SHA1
5e6075ab80dce39d1e1e797600c344509c0f111d

SHA256
84db05ce0f64e2634aa29f32f3b2c8d7b7fc863960560a184864d063b4c579e3

SHA512
68b779c4435424f7916b3c6caa2b46dbbdc7cf02d349b64b2b454033e7c78ccbcfa777fa8ff956145d98033c69e2097ea1a4d71af9b5285869eed2502f2896c9

Download Submit
C:\Windows\SysWOW64\Mgkjhe32.exe

Filesize
93KB

MD5
fc6e01a83e18df54a3721d717a99d2b4

SHA1
9644bdfab43de9e557fd0e3da06241320d216eb6

SHA256
13695a8f186186c1091f52d261cb6b205f132e7b444d43b6f81c3c9999a43f70

SHA512
fb6039b1b240af23ab12d23dd0309e3ca83ba75154eaeeaf43ca4460c384ada96cbbf4d250504a241f84713ae9700e476eee7ca24c22ee97815d67074d6bb685

Download Submit
C:\Windows\SysWOW64\Miemjaci.exe

Filesize
93KB

MD5
15bb1bc04dbca51073ab66adb1b182fe

SHA1
2e790ad7e3b52bb293c859cfba94241eec661b61

SHA256
8591804a531d3b134f330a0dfe9590f6bd137612d4b0c25291d3a889f5eb568a

SHA512
efff33fc4175f4e745cefca47a59c2cb8f056ed945bee69778c4c5a83121a23ece2560839a2b7746eb110f645520785515b6176967d56302e08398dfe48b0b3a

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
93KB

MD5
c33823a471429eb1f04d9f012eede445

SHA1
9c145801cfb4af66cfaaa6e93d0073637f665481

SHA256
3f22aa3b069947c74c703f83a33e1c817eb5c851f5cb4dfc4b54bd63442d8e36

SHA512
960e27f72063c2f377936cd194449b6f4a6318a9c6a79696e92e3508b283731d2948ee263a0252b26ba23bb4963264400feccc684bfbcf3ae5460ea1723f4fc2

Download Submit
C:\Windows\SysWOW64\Mmbfpp32.exe

Filesize
93KB

MD5
64d8a32665ecc53906d5b75c0e6bc824

SHA1
100f599cdec88829db7655de613941868df3b40c

SHA256
985160d6156e5e8a30df15502f858760d2b92a882748b495af426b6092ae710f

SHA512
cebf79868d59bc88ffa942fffe698bdf4547819a095066f3d18b2441854044f6948292aab954d18ca36e29d5a4d6a166ee24649d44f45e6d76cb9f9ee6e95242

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
93KB

MD5
bf11b061314d658a464b69b2985c3260

SHA1
19a1820e2d3c379c829d4d45c601e38e64dd377a

SHA256
7130994c2cec8b6f836a369b583787a49045bfeb6ca164d9bcc23abfe97d0e56

SHA512
4a1355b7719f8a466384bc34be062371ce630441b6073f98a4ca190a9b288e71bc06616a5b8e8727e117001e6c5c5ddee73eaf298f2795e4a884099f50c74d7b

Download Submit
C:\Windows\SysWOW64\Mpoefk32.exe

Filesize
93KB

MD5
235cb13b9e90bc28a3c5c1a62e3652d4

SHA1
2d312ccafd254ade58c1c72696792019a59cfbe4

SHA256
02d60778d6d8d2c1badcedca4d57aee593ab332857699dc61a4771b325862a60

SHA512
890e627b602573a40b719bc15305da2af065aee54a6c09a092a8d85657305a68622172edb2e72223397af5005cddf8a41016427a64741fbf390f26fc374e9e1b

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
93KB

MD5
1bced997f82d2d16462bb739f339383a

SHA1
cb6c3851235a5e43ecbf1cb3e72936b6fb174f69

SHA256
b6d47fef77cb53c4ff31a2fac19a88797d0eaf0160c0c988ca4f7b6b00653f69

SHA512
cef14be3b1a4a2019bc4780ef5119fc12ea627ab3d4cf7b59fc18a8086e10c06824b998be76b93ec745db8799c1d5ba2fcd0ca053c1dd7de1b0cbd76c04d2bfb

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
93KB

MD5
d168a1f1889bbdebd73b214e497ee440

SHA1
c49a8086eaa5cc97d3704c8901339615fe09f352

SHA256
a038cd0240b236175e2ecb510d4e15d431d1316d346f8ad8d195a534295c943d

SHA512
f13dc43adb4f6e8993a85366770b39265050066e9cfca0adbc30ab453cecda02eb709e30942a14f805c81f7fdde01fb0af5f85fa598f1ba41f36fe205a77e49a

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
93KB

MD5
f18cfce22c259447b99214f2008b00c6

SHA1
b41582609468647967b974f8488c07f6d54f4b37

SHA256
df6b2c616031587e89a1f7c45d108b45ab79480a5ba1c6b88f6b6467b30d2873

SHA512
bd057fdf60365748b31c0b0cf25c9cabda5704270d5095f8b36e6d1df796704c20e7c3a8da6f5fc968a71fedadd07d5d6b4502c38858fc1999da3cae8012aea6

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
93KB

MD5
af7766b7cf52381b195b3ecc2257be78

SHA1
c17efe40f62b6e6b066ebe07f2dc9c2d53724dbe

SHA256
9457dfb94999eb362f39592d56e99000048d8b0a1cfdfbb9450c7997adc80456

SHA512
d2485f93537c7b31721ed9bcf7ad5903d817ea9fd20e144f49f833862d9250f1971f9b12fde669ada8612cae79c3407899106453ae4b1c275839e986a3950d79

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
93KB

MD5
9e7525d670b6839cb2724af7412e4f41

SHA1
60c70d5536c5afa3d9c243660f550a505a5669a7

SHA256
bcc3f929a60af22913b9cc0749471f1c2f7e5a60d8d80fc3e9928ee6d422a6c8

SHA512
c1ad5af802f8f852ecd505d47e0ae403c390d4b27998e6d337020072a6bd450c52a63318b841bc90bfb86bd7a1aac92f0834222705ebdfffb9cfc97b0b1c8d61

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
93KB

MD5
73210e75f25cd4a32c0555f9d17ba2ce

SHA1
41dc0af4bbfb76df29d6d5723b80ba4d1427844f

SHA256
471146dde541ef9fb855da95ffd4b4f661a83196a7c0a7baa9a615fe898ecbc5

SHA512
f525a030136329e88c4a2cc971dd4b2b05e407d6fcec1a8bb5b9060f527279e0b90f799578dabfde386c82a58726968ea193f0ce23b5c23c968a8c8ee3165c4f

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
93KB

MD5
d3afd495adb80a93c46d95c992a70be9

SHA1
c16e1dd4db7ee2f910f13744671e58ba86b71ac8

SHA256
598edea14620afb95f1e9b5a5f118c2a3be3bb2c4867be3e3b067d6c4813dbf9

SHA512
470ba487645b2482f83c29efe28fe4bee65eb59ea57174fb19b9a4d40861347f6dcceebb1131eaa885c771a359588e437a4c65915218419751e7b299a95b352d

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
93KB

MD5
bb8ec0d5ee4e6bd3af9d91484f7f9982

SHA1
51dd6549768efff144fc744680f3f9d6b2bc7ca5

SHA256
db3574c572ed558a91bfb5448848c36ac3157d80cfbab9d5a5e8f462976dee55

SHA512
b70632d87643c2d1c9135b10b9a29f5589019d8d76dd155f2cd544966fd3b616018e47eb98d32acbe39f54065781e6a1083d65af4484edf177031b9d72551021

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
93KB

MD5
82f453dd9df1190720d735d5f311e735

SHA1
50bd2964785af801476bfa6990ec8b4966c3d35a

SHA256
58e76ab055e98d86321b33bf8477e45bdcdf8276b57611e2802448c7d14085d1

SHA512
5d9ba96183b58fb767a0f82d6f0e821fe1c31c6ecf0333838a4f274af1c75ee387738d15b6576de0f390628d280d498d26f10ad46eb752278e9841e9d9ccd5d1

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
93KB

MD5
fd528d7c7c5a584919c59fad7fcde4db

SHA1
d91cc8e840ad6166697e87dff173254cafdc5069

SHA256
fb32ba088269aae9d22fe828051f90cade67bbb04e01101b5ab0303112f81594

SHA512
c4955d4bf50807f871365e7077b5db686cf29f46b14a8059230cdda570a11a7f46bcc93bd1eb8ea26e037a30012b7e3df0a7bfeb42b1e9abdbc4bc00516aace5

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
93KB

MD5
69ecdaf24f87d125990424ed4155f2ba

SHA1
c89be4debf87ab73d16033eda072dbb01ea41605

SHA256
f80514e4189803a0871af3bd00b53cb3857dec38acfd3accdbc965d35fc272d9

SHA512
3004682a9fa582116cc83498ede658fb7910b568433f89db8e15a76d6a38e54be139801ed8711775821487538cced2a60087f75f82d589674f10ebe90705dfb6

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
93KB

MD5
e1e1cba57ef9a6c893528cb793fed8e7

SHA1
a0c5fec4cdd4aa3fe9902702c45d90b8a3893630

SHA256
1492cd051ef9c3f5ba2c6e36ef5a05a9867b835d1970743d1c8cc7e142d1b60b

SHA512
63ee851dbaf1e745c34d7a6766d0c7e1639cced2c1ab78bd522d6cb4864e4afce6fdc75cfe32c0e03fbccd8f30160ab74d08414d534a0f859263f25dbdd9a0c3

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
93KB

MD5
4ce7ee3de6c32b253c8ce83d5fc6f0c2

SHA1
60140dd3d940a4c1dc09f7ea90195ff940bd66f0

SHA256
c03ead57d0850afbd02d909b1160a32138274acc0ec1fc57353ef76ddef10a3b

SHA512
e6a6a0329152bb44de874a600d155aa8bc9747663f4c53a68cbc3b8fd1a57aedf3d394c17d5330efce6a33c104307b2968e65035b610bfd9247f15aca6726dbd

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
93KB

MD5
e286ac228d3b5e57ca6511303c637529

SHA1
ce9c4e28fe2179366452e8c2b98b12d8a2effbf1

SHA256
9c19e84485bd2307ed912afce7cf70b19af6608f2d800097058c9aa7fd6a6cdb

SHA512
56ce30e626d6c5ef1079bf77445313e9effaed6756ce9ca8212d68b31be903a974191cd0ee70203213b60f1464fec5b152bfdf26d01349ed1fc8669ab5b3777a

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
93KB

MD5
8631bc67361ae8b3fa361d2d8b2951f6

SHA1
bf54626b4b17f03dd9e464faba2473f714d43190

SHA256
acd0094536a7174fcc442bd6b336dd80ea5d3ce6146bb08075b8703b116eb06c

SHA512
d262f8c18b2fe4804f0a95e8dcdfb986b6f5bf644bf3c9fd228f16f84deb9d1a2210e07bcb8a82887216123c97be3819627311b9ae5d6424c684aa46988ed4e0

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
93KB

MD5
285963757fccefbb7bfadb5f67d35839

SHA1
35afb938b5dd9104cfd32d47a4f58acccfb39629

SHA256
ec66d6d72877073d0483e267fc8a1d806421f6cd47d55e678801d5fbd71f7e20

SHA512
e337227e6c9a5776b2809610433fc171df729bd6424bbf622151397376b9fe132ebbbacce2f8be664e9bfcf3b82db28046f81c10cdd437ee4637845b9f16a68e

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
93KB

MD5
037dbcbcfc9c57d518f8c9b98dbfd90e

SHA1
46e4f5309e2c051d7b5815172b2b470cc179f9aa

SHA256
a7e46ddbd3443546e5818995d2d8712918e7fd3c751b42adebd8c40adbe3199f

SHA512
6fde549049fc5a3523f2aac9f27078a57fceebf42c3aa1537b531998dc1176bb2334748629753612e7dff07fe800e83c03887aafc8a9fda324ecdbb8a96ea777

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
93KB

MD5
201ea6250eb384d7a552f12099a564c8

SHA1
101079641e69bdd37c6175a0137b0cbb0dad3c2b

SHA256
d6f3a95cc2c2f772933aa0f237aba42840838b7a06fc40ce01bd46f09280347a

SHA512
009432ea3a156d340946f208ee9ded1e12f43fe6371dbb1a5902000da9e67dec93b98710714b72362821ff9863ae8feab9de9534e06d3b44948a92f576e60604

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
93KB

MD5
aa229c5c7e7036aa3121fc6a1cc9335b

SHA1
2c0702d8a57bced09d3ebf433fdb987624d0038a

SHA256
c79f9bc51dee50f50a21d53ce658bba8b088d8619e388ebcb2dc90e1d9cfc85d

SHA512
cca3ef3672cee5d4657cbd180ed89b17399471384d49602a842640e63ba04814619e1df46a35b60d6d53d4f5e03920aa72d6f865b49362d6f6153223c4f98aa5

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
93KB

MD5
bfe80bd049f6c39a9d3adf49a08c45ce

SHA1
a1203bf73a8ae1f052387709b5b022e15767f3ac

SHA256
f14107b6b6dfb9a41cb3491403900b22d75a2c9b71b98d2df761eba40daae86e

SHA512
2950f46d406ee0af90911f8100d0f990fff1dd9fe6e5434c97480ea54293362af7c475dc31eebed0a82f534363493b4dae0c715f66bdc268546d0259e8cd8fea

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
93KB

MD5
0f849edf7003009433eff718d2bcf27b

SHA1
88acef0aae4e81578cd77bfb5d6a4076c6e03ba8

SHA256
389ec90b36ca104a02d006d075123533afab3cc207337537a6111b10270367ef

SHA512
cd772a4bcb897c700f6affe45f139b791ec32c4a3ca964620e244a06d7db2531da63c008588d837e035c9d853f60e5581c68a0323657f5bd9af44c1046400f2a

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
93KB

MD5
f7279ba001d6f9df6db3f59613334695

SHA1
d62ba343075d13304a9071a184e5b841915842fe

SHA256
c7a2d20f54d54cab0a5b87f34e1c50cbd1070895d4ca156c2565c59d5d08d4f9

SHA512
1ca92abf00eec029c51be7292ad59bd810d307fe149cd2fa344e6037cd2d61420b9e96da4df2d4c3fe82247c865ab8ce588ac363b5b4ccd302da3e888c6e3852

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
93KB

MD5
f6d253ef3227059ed32cf79292933a1f

SHA1
c8cd2cd6063631ead31cd9bcff5c71af1f4cb4de

SHA256
7bd2b9edb8397cd8aff70da2ad9919a9b8719d85daab647283b6c0e47398ab08

SHA512
a5dbf00104295a747733333e51344c968ae7e129e60083dba4467b7979f519818dafb7895a86a3a67d6ac68c94cdde5b8c000e2f9c5c7ad9ab0564153906fba2

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
93KB

MD5
6d49f27a712c9d2b9e5cd9a0c69e4847

SHA1
57de7d0956b5519f0bcaa465d5ffec3a8a677a3c

SHA256
ae2543ae87b813ca706785b7f00cff9050badb0a5b728328973276474210c2f2

SHA512
1c2b91e9737bc521416aa9a8aac19ddd9a8b981ab1f0d7e8a28563e34bc7f469466bff120d61f0bfb995268eb7862882628f412db2fa6bc4d49ae0b59e8cbd69

Download Submit
memory/8-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/232-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/316-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/332-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/524-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/600-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/600-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/636-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/672-246-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/880-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/884-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/884-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/884-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/956-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1036-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1140-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1228-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1304-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1368-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1524-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1532-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1564-465-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1600-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1644-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1676-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1680-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1732-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1760-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1924-381-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1976-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1984-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1984-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1992-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2112-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2124-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2272-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2296-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2328-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2344-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2416-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2424-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2424-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2564-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2660-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2688-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2728-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2748-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2940-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2940-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2956-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3116-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3128-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3200-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3216-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3240-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3308-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3340-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3380-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3456-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3520-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3520-1053-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3584-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3640-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3668-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3684-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3688-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3728-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3732-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3900-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3900-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3916-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3968-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4008-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4148-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4288-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4312-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4348-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4348-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4388-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4392-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4452-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4576-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4588-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4620-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4684-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4756-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4828-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4828-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4864-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4916-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4960-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5052-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5060-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5140-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5184-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5228-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5812-970-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download