berbew | 2e6955b5f27e91735b69656823b63e5069ee310ebdbbf88c86d83f39e776a35c

Analysis

max time kernel
95s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-11-2024 21:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e6955b5f27e91735b69656823b63e5069ee310ebdbbf88c86d83f39e776a35cN.exe
Size

96KB
MD5

ade303ec4f26c970a7adeb563f60dca0
SHA1

ad6c517672f6f6e42c7a89a20e54abd64ed7daaf
SHA256

2e6955b5f27e91735b69656823b63e5069ee310ebdbbf88c86d83f39e776a35c
SHA512

3fbf2f0d6369d386af9c219daad5c6f456109ee2708b565623a7606a0839dc446687c63413796bc7a5cf4ac35180957bbb5272b98efa844ca90eed6d8efe7e11
SSDEEP

1536:zL6aFlqIXeF2NWybFvbOf/nlApx2LD7RZObZUUWaegPYA:X6a22ciWybFDOfPlQKDClUUWae

Score

10^/10

berbew bruteratel backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Lmiciaaj.exeOlfobjbg.exeQmkadgpo.exeAabmqd32.exe2e6955b5f27e91735b69656823b63e5069ee310ebdbbf88c86d83f39e776a35cN.exeKlngdpdd.exeNdaggimg.exeOlkhmi32.exePdpmpdbd.exeDfnjafap.exeKpbmco32.exeMgddhf32.exePdfjifjo.exeDeokon32.exeDaekdooc.exeMlefklpj.exePfhfan32.exeChokikeb.exeKfoafi32.exeLbmhlihl.exeQnjnnj32.exeBganhm32.exeCndikf32.exeAccfbokl.exeBclhhnca.exeKfckahdj.exeLmgfda32.exeMckemg32.exeNlmllkja.exeOjgbfocc.exeOgpmjb32.exeKpeiioac.exeAqkgpedc.exeBeeoaapl.exeChmndlge.exeOflgep32.exeOpdghh32.exeAnmjcieo.exeAnogiicl.exeAclpap32.exeLbdolh32.exeMdjagjco.exeNilcjp32.exeNgdmod32.exeAmddjegd.exeAqppkd32.exeCajlhqjp.exeDopigd32.exeDobfld32.exeNeeqea32.exeOneklm32.exePmannhhj.exeCjpckf32.exeBalpgb32.exeCegdnopg.exeKipkhdeq.exeLdjhpl32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmiciaaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	2e6955b5f27e91735b69656823b63e5069ee310ebdbbf88c86d83f39e776a35cN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klngdpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndaggimg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpbmco32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgddhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlefklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfoafi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbmhlihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfckahdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmgfda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mckemg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpeiioac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflgep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbdolh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdjagjco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nilcjp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Neeqea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kipkhdeq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldjhpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mckemg32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
backdoor bruteratel
Bruteratel family
bruteratel

Detect BruteRatel badger 1 IoCs

Processes:

resource	yara_rule
C:\Windows\SysWOW64\Kimnbd32.exe	family_bruteratel

Executes dropped EXE 64 IoCs

Processes:

Kmdqgd32.exeKpbmco32.exeKbaipkbi.exeKepelfam.exeKmfmmcbo.exeKpeiioac.exeKbceejpf.exeKfoafi32.exeKimnbd32.exeKlljnp32.exeKdcbom32.exeKipkhdeq.exeKlngdpdd.exeKdeoemeg.exeKfckahdj.exeKibgmdcn.exeKlqcioba.exeLbjlfi32.exeLeihbeib.exeLmppcbjd.exeLdjhpl32.exeLbmhlihl.exeLekehdgp.exeLigqhc32.exeLmbmibhb.exeLpqiemge.exeLboeaifi.exeLenamdem.exeLmdina32.exeLpcfkm32.exeLbabgh32.exeLepncd32.exeLmgfda32.exeLpebpm32.exeLdanqkki.exeLbdolh32.exeLingibiq.exeLmiciaaj.exeLphoelqn.exeMbfkbhpa.exeMedgncoe.exeMpjlklok.exeMdehlk32.exeMgddhf32.exeMibpda32.exeMlampmdo.exeMplhql32.exeMckemg32.exeMeiaib32.exeMiemjaci.exeMlcifmbl.exeMdjagjco.exeMgimcebb.exeMigjoaaf.exeMlefklpj.exeMcpnhfhf.exeMnebeogl.exeMlhbal32.exeNdokbi32.exeNgmgne32.exeNilcjp32.exeNljofl32.exeNdaggimg.exeNcdgcf32.exe

pid	process
1284	Kmdqgd32.exe
2928	Kpbmco32.exe
4244	Kbaipkbi.exe
760	Kepelfam.exe
3416	Kmfmmcbo.exe
4792	Kpeiioac.exe
4528	Kbceejpf.exe
4320	Kfoafi32.exe
2808	Kimnbd32.exe
4572	Klljnp32.exe
116	Kdcbom32.exe
2588	Kipkhdeq.exe
2644	Klngdpdd.exe
5012	Kdeoemeg.exe
3348	Kfckahdj.exe
1276	Kibgmdcn.exe
3316	Klqcioba.exe
532	Lbjlfi32.exe
512	Leihbeib.exe
5112	Lmppcbjd.exe
1000	Ldjhpl32.exe
1280	Lbmhlihl.exe
2624	Lekehdgp.exe
2880	Ligqhc32.exe
3996	Lmbmibhb.exe
2448	Lpqiemge.exe
5020	Lboeaifi.exe
1820	Lenamdem.exe
3640	Lmdina32.exe
924	Lpcfkm32.exe
3960	Lbabgh32.exe
208	Lepncd32.exe
4100	Lmgfda32.exe
3488	Lpebpm32.exe
4808	Ldanqkki.exe
2384	Lbdolh32.exe
2120	Lingibiq.exe
4560	Lmiciaaj.exe
5044	Lphoelqn.exe
784	Mbfkbhpa.exe
1156	Medgncoe.exe
3596	Mpjlklok.exe
732	Mdehlk32.exe
4520	Mgddhf32.exe
2800	Mibpda32.exe
968	Mlampmdo.exe
4280	Mplhql32.exe
4304	Mckemg32.exe
3424	Meiaib32.exe
4972	Miemjaci.exe
2996	Mlcifmbl.exe
2748	Mdjagjco.exe
4436	Mgimcebb.exe
2260	Migjoaaf.exe
3644	Mlefklpj.exe
1672	Mcpnhfhf.exe
4840	Mnebeogl.exe
3856	Mlhbal32.exe
4916	Ndokbi32.exe
2664	Ngmgne32.exe
2320	Nilcjp32.exe
348	Nljofl32.exe
4856	Ndaggimg.exe
2824	Ncdgcf32.exe

Drops file in System32 directory 64 IoCs

Processes:

Kbceejpf.exeMenjdbgj.exeNphhmj32.exeOjoign32.exeKibgmdcn.exeOneklm32.exeBmkjkd32.exeKlngdpdd.exeNgdmod32.exePdpmpdbd.exeDfknkg32.exeDmjocp32.exeCabfga32.exeDobfld32.exeDeagdn32.exeLeihbeib.exeMdjagjco.exeOfnckp32.exeAnogiicl.exeDhkjej32.exeNdaggimg.exeKimnbd32.exeMbfkbhpa.exeMeiaib32.exeOcnjidkf.exeBcoenmao.exeCagobalc.exeMplhql32.exeMlcifmbl.exeAndqdh32.exeBebblb32.exeBeeoaapl.exeKdeoemeg.exeLbabgh32.exeLdjhpl32.exeMiemjaci.exeCjkjpgfi.exeDaekdooc.exeNeeqea32.exeNdhmhh32.exeOfeilobp.exeMedgncoe.exeOlkhmi32.exePnfdcjkg.exeAccfbokl.exeMlhbal32.exeDelnin32.exeKfoafi32.exeLmbmibhb.exeMibpda32.exePqpgdfnp.exePqbdjfln.exeAabmqd32.exeAeniabfd.exeBmpcfdmg.exePdfjifjo.exeCjinkg32.exeDopigd32.exeCmiflbel.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Kfoafi32.exe	Kbceejpf.exe
File created	C:\Windows\SysWOW64\Mnebeogl.exe	Menjdbgj.exe
File created	C:\Windows\SysWOW64\Ncfdie32.exe	Nphhmj32.exe
File opened for modification	C:\Windows\SysWOW64\Oqhacgdh.exe	Ojoign32.exe
File created	C:\Windows\SysWOW64\Klqcioba.exe	Kibgmdcn.exe
File created	C:\Windows\SysWOW64\Opdghh32.exe	Oneklm32.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Kdeoemeg.exe	Klngdpdd.exe
File created	C:\Windows\SysWOW64\Nfgmjqop.exe	Ngdmod32.exe
File created	C:\Windows\SysWOW64\Hgaoidec.dll	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Gebgohck.dll	Leihbeib.exe
File created	C:\Windows\SysWOW64\Mgimcebb.exe	Mdjagjco.exe
File opened for modification	C:\Windows\SysWOW64\Mnebeogl.exe	Menjdbgj.exe
File created	C:\Windows\SysWOW64\Oneklm32.exe	Ofnckp32.exe
File created	C:\Windows\SysWOW64\Aqncedbp.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Ncdgcf32.exe	Ndaggimg.exe
File created	C:\Windows\SysWOW64\Klljnp32.exe	Kimnbd32.exe
File opened for modification	C:\Windows\SysWOW64\Medgncoe.exe	Mbfkbhpa.exe
File opened for modification	C:\Windows\SysWOW64\Miemjaci.exe	Meiaib32.exe
File opened for modification	C:\Windows\SysWOW64\Oflgep32.exe	Ocnjidkf.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Gfhkicbi.dll	Mplhql32.exe
File created	C:\Windows\SysWOW64\Mdjagjco.exe	Mlcifmbl.exe
File created	C:\Windows\SysWOW64\Aabmqd32.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Idnljnaa.dll	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Kbejge32.dll	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Kfckahdj.exe	Kdeoemeg.exe
File created	C:\Windows\SysWOW64\Lepncd32.exe	Lbabgh32.exe
File created	C:\Windows\SysWOW64\Cihmlb32.dll	Nphhmj32.exe
File created	C:\Windows\SysWOW64\Lbmhlihl.exe	Ldjhpl32.exe
File created	C:\Windows\SysWOW64\Mlcifmbl.exe	Miemjaci.exe
File opened for modification	C:\Windows\SysWOW64\Mgimcebb.exe	Mdjagjco.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Nnlhfn32.exe	Neeqea32.exe
File created	C:\Windows\SysWOW64\Olcbmj32.exe	Ndhmhh32.exe
File opened for modification	C:\Windows\SysWOW64\Pdfjifjo.exe	Ofeilobp.exe
File opened for modification	C:\Windows\SysWOW64\Mpjlklok.exe	Medgncoe.exe
File opened for modification	C:\Windows\SysWOW64\Ogpmjb32.exe	Olkhmi32.exe
File created	C:\Windows\SysWOW64\Acpcoaap.dll	Ojoign32.exe
File created	C:\Windows\SysWOW64\Jpcmfk32.dll	Pnfdcjkg.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Ndokbi32.exe	Mlhbal32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Kimnbd32.exe	Kfoafi32.exe
File opened for modification	C:\Windows\SysWOW64\Lpqiemge.exe	Lmbmibhb.exe
File opened for modification	C:\Windows\SysWOW64\Mlampmdo.exe	Mibpda32.exe
File created	C:\Windows\SysWOW64\Oomibind.dll	Pqpgdfnp.exe
File created	C:\Windows\SysWOW64\Hmmblqfc.dll	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Aeniabfd.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Mnjgghdi.dll	Aeniabfd.exe
File opened for modification	C:\Windows\SysWOW64\Balpgb32.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Igjnojdk.dll	Pdfjifjo.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cmiflbel.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

6416 6280 WerFault.exe Dmllipeg.exe

pid	pid_target	process	target process
6416	6280	WerFault.exe	Dmllipeg.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Klqcioba.exeLbmhlihl.exeBnmcjg32.exeDhkjej32.exeKpeiioac.exeKbceejpf.exeLpqiemge.exeMplhql32.exeOjoign32.exeBfdodjhm.exePqpgdfnp.exeBchomn32.exeCnicfe32.exeDaekdooc.exeKbaipkbi.exeMckemg32.exeNnlhfn32.exePjmehkqk.exeBcjlcn32.exeCjbpaf32.exeKimnbd32.exeMlcifmbl.exePfjcgn32.exeDeokon32.exeKpbmco32.exeLpebpm32.exeNdokbi32.exePgllfp32.exeBalpgb32.exeCmqmma32.exeKdeoemeg.exeNfgmjqop.exeOlkhmi32.exeOqhacgdh.exeCeehho32.exeLmbmibhb.exeBganhm32.exeDhfajjoj.exeDanecp32.exeKepelfam.exeKfoafi32.exeNljofl32.exeNdaggimg.exeCdfkolkf.exeDmgbnq32.exeOfnckp32.exeQmkadgpo.exeMdehlk32.exeNjnpppkn.exeBmngqdpj.exeBmemac32.exeDfknkg32.exeDdmaok32.exeKlngdpdd.exeLpcfkm32.exeAqppkd32.exeAglemn32.exeBmkjkd32.exeCaebma32.exeMdjagjco.exeOneklm32.exePfhfan32.exeAclpap32.exeChjaol32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klqcioba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbmhlihl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpeiioac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbceejpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpqiemge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mplhql32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbaipkbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mckemg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnlhfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kimnbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlcifmbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpbmco32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpebpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndokbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdeoemeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmbmibhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kepelfam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfoafi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nljofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndaggimg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdehlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njnpppkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klngdpdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpcfkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdjagjco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe

Modifies registry class 64 IoCs

Processes:

Kfoafi32.exeLekehdgp.exeDhfajjoj.exeNcfdie32.exeAcjclpcf.exeCeehho32.exeCegdnopg.exeLdanqkki.exeMdehlk32.exeMeiaib32.exeMdjagjco.exe2e6955b5f27e91735b69656823b63e5069ee310ebdbbf88c86d83f39e776a35cN.exeNilcjp32.exeBmngqdpj.exeCaebma32.exeLigqhc32.exeOjgbfocc.exeDmjocp32.exeMedgncoe.exeMenjdbgj.exeBnhjohkb.exeBmkjkd32.exeBnmcjg32.exeBcjlcn32.exeCagobalc.exeChagok32.exeKbaipkbi.exeMgimcebb.exeOpdghh32.exeBfhhoi32.exeLeihbeib.exeLenamdem.exeMibpda32.exePdpmpdbd.exeDeokon32.exeLingibiq.exeMlefklpj.exeBjfaeh32.exeCjkjpgfi.exeNdaggimg.exeBmemac32.exeCnicfe32.exeCajlhqjp.exeKlngdpdd.exeNfgmjqop.exeOgpmjb32.exeAclpap32.exeMgddhf32.exeNlmllkja.exeCabfga32.exeDogogcpo.exeNdhmhh32.exeBanllbdn.exeLbabgh32.exeDeagdn32.exeKepelfam.exeOflgep32.exeOlkhmi32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfoafi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lekehdgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deimfpda.dll"	Ldanqkki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdehlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jholncde.dll"	Meiaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmlihfed.dll"	Mdjagjco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	2e6955b5f27e91735b69656823b63e5069ee310ebdbbf88c86d83f39e776a35cN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ligqhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Medgncoe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Menjdbgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbaipkbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgimcebb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoqbfpfe.dll"	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gebgohck.dll"	Leihbeib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iihqganf.dll"	Lenamdem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mibpda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdkkfn32.dll"	Lingibiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onliio32.dll"	Mlefklpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndaggimg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klngdpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aclpap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgddhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pemfincl.dll"	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjbbkg32.dll"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbaipkbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbabgh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eikdngcl.dll"	Kepelfam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnodjf32.dll"	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfbgbeai.dll"	Olkhmi32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2e6955b5f27e91735b69656823b63e5069ee310ebdbbf88c86d83f39e776a35cN.exeKmdqgd32.exeKpbmco32.exeKbaipkbi.exeKepelfam.exeKmfmmcbo.exeKpeiioac.exeKbceejpf.exeKfoafi32.exeKimnbd32.exeKlljnp32.exeKdcbom32.exeKipkhdeq.exeKlngdpdd.exeKdeoemeg.exeKfckahdj.exeKibgmdcn.exeKlqcioba.exeLbjlfi32.exeLeihbeib.exeLmppcbjd.exeLdjhpl32.exe

description	pid	process	target process
PID 3144 wrote to memory of 1284	3144	2e6955b5f27e91735b69656823b63e5069ee310ebdbbf88c86d83f39e776a35cN.exe	Kmdqgd32.exe
PID 3144 wrote to memory of 1284	3144	2e6955b5f27e91735b69656823b63e5069ee310ebdbbf88c86d83f39e776a35cN.exe	Kmdqgd32.exe
PID 3144 wrote to memory of 1284	3144	2e6955b5f27e91735b69656823b63e5069ee310ebdbbf88c86d83f39e776a35cN.exe	Kmdqgd32.exe
PID 1284 wrote to memory of 2928	1284	Kmdqgd32.exe	Kpbmco32.exe
PID 1284 wrote to memory of 2928	1284	Kmdqgd32.exe	Kpbmco32.exe
PID 1284 wrote to memory of 2928	1284	Kmdqgd32.exe	Kpbmco32.exe
PID 2928 wrote to memory of 4244	2928	Kpbmco32.exe	Kbaipkbi.exe
PID 2928 wrote to memory of 4244	2928	Kpbmco32.exe	Kbaipkbi.exe
PID 2928 wrote to memory of 4244	2928	Kpbmco32.exe	Kbaipkbi.exe
PID 4244 wrote to memory of 760	4244	Kbaipkbi.exe	Kepelfam.exe
PID 4244 wrote to memory of 760	4244	Kbaipkbi.exe	Kepelfam.exe
PID 4244 wrote to memory of 760	4244	Kbaipkbi.exe	Kepelfam.exe
PID 760 wrote to memory of 3416	760	Kepelfam.exe	Kmfmmcbo.exe
PID 760 wrote to memory of 3416	760	Kepelfam.exe	Kmfmmcbo.exe
PID 760 wrote to memory of 3416	760	Kepelfam.exe	Kmfmmcbo.exe
PID 3416 wrote to memory of 4792	3416	Kmfmmcbo.exe	Kpeiioac.exe
PID 3416 wrote to memory of 4792	3416	Kmfmmcbo.exe	Kpeiioac.exe
PID 3416 wrote to memory of 4792	3416	Kmfmmcbo.exe	Kpeiioac.exe
PID 4792 wrote to memory of 4528	4792	Kpeiioac.exe	Kbceejpf.exe
PID 4792 wrote to memory of 4528	4792	Kpeiioac.exe	Kbceejpf.exe
PID 4792 wrote to memory of 4528	4792	Kpeiioac.exe	Kbceejpf.exe
PID 4528 wrote to memory of 4320	4528	Kbceejpf.exe	Kfoafi32.exe
PID 4528 wrote to memory of 4320	4528	Kbceejpf.exe	Kfoafi32.exe
PID 4528 wrote to memory of 4320	4528	Kbceejpf.exe	Kfoafi32.exe
PID 4320 wrote to memory of 2808	4320	Kfoafi32.exe	Kimnbd32.exe
PID 4320 wrote to memory of 2808	4320	Kfoafi32.exe	Kimnbd32.exe
PID 4320 wrote to memory of 2808	4320	Kfoafi32.exe	Kimnbd32.exe
PID 2808 wrote to memory of 4572	2808	Kimnbd32.exe	Klljnp32.exe
PID 2808 wrote to memory of 4572	2808	Kimnbd32.exe	Klljnp32.exe
PID 2808 wrote to memory of 4572	2808	Kimnbd32.exe	Klljnp32.exe
PID 4572 wrote to memory of 116	4572	Klljnp32.exe	Kdcbom32.exe
PID 4572 wrote to memory of 116	4572	Klljnp32.exe	Kdcbom32.exe
PID 4572 wrote to memory of 116	4572	Klljnp32.exe	Kdcbom32.exe
PID 116 wrote to memory of 2588	116	Kdcbom32.exe	Kipkhdeq.exe
PID 116 wrote to memory of 2588	116	Kdcbom32.exe	Kipkhdeq.exe
PID 116 wrote to memory of 2588	116	Kdcbom32.exe	Kipkhdeq.exe
PID 2588 wrote to memory of 2644	2588	Kipkhdeq.exe	Klngdpdd.exe
PID 2588 wrote to memory of 2644	2588	Kipkhdeq.exe	Klngdpdd.exe
PID 2588 wrote to memory of 2644	2588	Kipkhdeq.exe	Klngdpdd.exe
PID 2644 wrote to memory of 5012	2644	Klngdpdd.exe	Kdeoemeg.exe
PID 2644 wrote to memory of 5012	2644	Klngdpdd.exe	Kdeoemeg.exe
PID 2644 wrote to memory of 5012	2644	Klngdpdd.exe	Kdeoemeg.exe
PID 5012 wrote to memory of 3348	5012	Kdeoemeg.exe	Kfckahdj.exe
PID 5012 wrote to memory of 3348	5012	Kdeoemeg.exe	Kfckahdj.exe
PID 5012 wrote to memory of 3348	5012	Kdeoemeg.exe	Kfckahdj.exe
PID 3348 wrote to memory of 1276	3348	Kfckahdj.exe	Kibgmdcn.exe
PID 3348 wrote to memory of 1276	3348	Kfckahdj.exe	Kibgmdcn.exe
PID 3348 wrote to memory of 1276	3348	Kfckahdj.exe	Kibgmdcn.exe
PID 1276 wrote to memory of 3316	1276	Kibgmdcn.exe	Klqcioba.exe
PID 1276 wrote to memory of 3316	1276	Kibgmdcn.exe	Klqcioba.exe
PID 1276 wrote to memory of 3316	1276	Kibgmdcn.exe	Klqcioba.exe
PID 3316 wrote to memory of 532	3316	Klqcioba.exe	Lbjlfi32.exe
PID 3316 wrote to memory of 532	3316	Klqcioba.exe	Lbjlfi32.exe
PID 3316 wrote to memory of 532	3316	Klqcioba.exe	Lbjlfi32.exe
PID 532 wrote to memory of 512	532	Lbjlfi32.exe	Leihbeib.exe
PID 532 wrote to memory of 512	532	Lbjlfi32.exe	Leihbeib.exe
PID 532 wrote to memory of 512	532	Lbjlfi32.exe	Leihbeib.exe
PID 512 wrote to memory of 5112	512	Leihbeib.exe	Lmppcbjd.exe
PID 512 wrote to memory of 5112	512	Leihbeib.exe	Lmppcbjd.exe
PID 512 wrote to memory of 5112	512	Leihbeib.exe	Lmppcbjd.exe
PID 5112 wrote to memory of 1000	5112	Lmppcbjd.exe	Ldjhpl32.exe
PID 5112 wrote to memory of 1000	5112	Lmppcbjd.exe	Ldjhpl32.exe
PID 5112 wrote to memory of 1000	5112	Lmppcbjd.exe	Ldjhpl32.exe
PID 1000 wrote to memory of 1280	1000	Ldjhpl32.exe	Lbmhlihl.exe

C:\Users\Admin\AppData\Local\Temp\2e6955b5f27e91735b69656823b63e5069ee310ebdbbf88c86d83f39e776a35cN.exe
"C:\Users\Admin\AppData\Local\Temp\2e6955b5f27e91735b69656823b63e5069ee310ebdbbf88c86d83f39e776a35cN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3144
- C:\Windows\SysWOW64\Kmdqgd32.exe
  C:\Windows\system32\Kmdqgd32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1284
- - C:\Windows\SysWOW64\Kpbmco32.exe
    C:\Windows\system32\Kpbmco32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Windows\SysWOW64\Kbaipkbi.exe
      C:\Windows\system32\Kbaipkbi.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4244
    - - C:\Windows\SysWOW64\Kepelfam.exe
        
        C:\Windows\system32\Kepelfam.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:760
      - C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3416
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Windows\SysWOW64\Kbceejpf.exe
        
        C:\Windows\system32\Kbceejpf.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4320
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4572
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3348
        
        C:\Windows\SysWOW64\Kibgmdcn.exe
        
        C:\Windows\system32\Kibgmdcn.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1276
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3316
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:532
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:512
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1000
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1280
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2624
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2880
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3996
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2448
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        28⤵
        Executes dropped EXE
        
        PID:5020
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1820
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        30⤵
        Executes dropped EXE
        
        PID:3640
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:924
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3960
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        33⤵
        Executes dropped EXE
        
        PID:208
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4100
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3488
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4808
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2384
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4560
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        40⤵
        Executes dropped EXE
        
        PID:5044
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:784
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1156
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        43⤵
        Executes dropped EXE
        
        PID:3596
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:732
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4520
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        47⤵
        Executes dropped EXE
        
        PID:968
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4280
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4304
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3424
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4972
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2996
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2748
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        55⤵
        Executes dropped EXE
        
        PID:2260
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3644
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        57⤵
        Executes dropped EXE
        
        PID:1672
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        58⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3840
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        59⤵
        Executes dropped EXE
        
        PID:4840
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3856
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4916
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        62⤵
        Executes dropped EXE
        
        PID:2664
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:348
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        66⤵
        Executes dropped EXE
        
        PID:2824
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:3512
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1008
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        69⤵
        Drops file in System32 directory
        
        PID:4760
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        70⤵
        Modifies registry class
        
        PID:3516
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3556
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:2640
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        73⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2444
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        75⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4108
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:644
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        77⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        78⤵
        Drops file in System32 directory
        
        PID:1964
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4816
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:756
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        82⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3268
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1096
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        86⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:688
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3884
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1696
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:1780
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        91⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        92⤵
        Drops file in System32 directory
        
        PID:4328
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1760
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5100
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:624
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:1184
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        97⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        98⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5200
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        99⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        100⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        101⤵
        Drops file in System32 directory
        
        PID:5332
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:5376
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        103⤵
        Drops file in System32 directory
        
        PID:5420
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:5508
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5552
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5596
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        108⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        109⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5728
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5772
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        112⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        113⤵
        Modifies registry class
        
        PID:5860
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        114⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5952
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        116⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        118⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6128
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5164
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        121⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        122⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        123⤵
        Drops file in System32 directory
        
        PID:5368
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5436
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        125⤵
        Drops file in System32 directory
        
        PID:5520
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        126⤵
        System Location Discovery: System Language Discovery
        
        PID:5588
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        127⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        128⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5720
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        130⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        131⤵
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        132⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5900
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        133⤵
        Drops file in System32 directory
        
        PID:5988
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6044
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        135⤵
        System Location Discovery: System Language Discovery
        
        PID:6120
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        136⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5296
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        138⤵
        System Location Discovery: System Language Discovery
        
        PID:5388
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        139⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        140⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5636
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        141⤵
        Drops file in System32 directory
        
        PID:5680
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5744
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        143⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5876
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        144⤵
        Modifies registry class
        
        PID:5976
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        145⤵
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5208
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        147⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        148⤵
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        149⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        150⤵
        Drops file in System32 directory
        
        PID:5836
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        151⤵
        System Location Discovery: System Language Discovery
        
        PID:6012
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        152⤵
        Drops file in System32 directory
        
        PID:5176
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5428
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        154⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:592
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5920
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        156⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        157⤵
        Drops file in System32 directory
        
        PID:5628
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        158⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5504
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        160⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        161⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        162⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5152
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        163⤵
        System Location Discovery: System Language Discovery
        
        PID:5808
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        164⤵
        Modifies registry class
        
        PID:6184
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6228
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6272
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        167⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6316
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        168⤵
        System Location Discovery: System Language Discovery
        
        PID:6360
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        169⤵
        System Location Discovery: System Language Discovery
        
        PID:6404
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6448
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        171⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6492
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6540
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        173⤵
        System Location Discovery: System Language Discovery
        
        PID:6584
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        174⤵
        System Location Discovery: System Language Discovery
        
        PID:6628
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        175⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6672
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6716
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        177⤵
        Drops file in System32 directory
        
        PID:6760
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        178⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6804
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6848
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        180⤵
        System Location Discovery: System Language Discovery
        
        PID:6892
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6936
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        182⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        183⤵
        Modifies registry class
        
        PID:7032
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        184⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7076
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7120
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        186⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7164
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        187⤵
        
        PID:6212
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        188⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6280 -s 404
        189⤵
        Program crash
        
        PID:6416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 6280 -ip 6280
1⤵
PID:6372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
96KB

MD5
8b3880931b1e1b61e6b153aac1f10801

SHA1
d0b9c925bb61719d99b97c92667affbcfdd435ba

SHA256
905f6c048bd29a9eea5a85f98846cd5a16ba81cf47e62e33a180e4196e6bf08b

SHA512
990b6dafa2e5428fa430ef08d1856558ebea6383c1ec2b40ea0b9a95bb33abfadd558d7756f1d0ca1718de5c96a276125e41f7d2f8bb2ce28d6122865ec13b25

Download Submit
C:\Windows\SysWOW64\Accfbokl.exe

Filesize
96KB

MD5
b8378db8befe1f91969f3c5bdc45ea79

SHA1
866c34d5bc1ced125075bb798fa76c3db7adf5ac

SHA256
5ed6d135e4b22162d902c647b947788b90d467bca04abf5ac6a3fdf8eaf19a65

SHA512
ddb3a5f7376b9422e581f8d4e69d33c9fbf177e1364428886baf3a929dca1a797a0309c977a88b33b2d4ef0a36214329e488b0d3b011335cb6d44990aa60d0ac

Download Submit
C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
96KB

MD5
daa4858789206932f3fe9cc8d17cb5ae

SHA1
4dc0f8cd98c233c93bf708c789c721085283c01f

SHA256
f1548b5f897fcb03dc97e2da59c8178bd84adf0a38dfa392246137e61de03c36

SHA512
b7fc5cb7bf779cdc968769779f70361860d9853895ffa50f024fafa2bf7fb905d86b52a7b7159ad40fa16edb0c7a9fe7bb75422e8571011e4a1c48225ab8bfc7

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
96KB

MD5
a89c176f1e63cacab291fd7c733cfffa

SHA1
6cd70aba43f7973daad28108969031e89eae44c3

SHA256
abea76fd4b1831d240b0fc1178869d33b143b321e5ec29bba1695bbe3dfe8e9b

SHA512
b33b88d078794dcb3b3769b222e6726dfba2d3345223d5c17965906953fb23de93d6c3f1fe9892488825e62942984497274b78f71c13eef47362e12a24b83a52

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
96KB

MD5
d0b15d2da3403df743251483cdf2f7af

SHA1
a9610db63dfd0c537140fdb3ce3214cb1180167a

SHA256
3c0bc85551c602b8c883e068d2ae9445cadbaf578bac54f0a52542a69d1a697c

SHA512
fe1cef96b2fef012dda2c68e791e8fb2fcca17e86e3ad960009b0e1a68427cc1aeb37128dda4d382a227c15c5277936865662feaff089b2bf7f414da5229049e

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
96KB

MD5
3623e1aa11e9071edc41f029d51c3607

SHA1
6cb608ed69d5542fb52646decd28d5feaba3ee0f

SHA256
11abdcb55fa1c427820baf53ad4e2ef2c79693245ecfdd8ddaf977a9298b52ea

SHA512
cc2930a3f756cb9d89fada6014baa4c822502c2491c7b36c14ec87b1b3e73a1cfd4a601a5b64c13f3d6eb1a1ccc0cf8c96e8edd3033af04c4846d10c41cd781f

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
96KB

MD5
16593dcbb228a4fafccd2ba26daf7912

SHA1
67a640e4b52789ee6415f89874a319031dfa36f5

SHA256
a673b988322d5ac79c80f4c2f91003db648c3aaa64f264fe7f199f8e15de99ee

SHA512
a33e298db8b539051a2ca61bf8ead2c186e9f1ec2c48b90ac54991686fbeb0cc706ae2253332e5ed2118e19b2ad6f2c37fd728d320bc80c4d9783139520d002a

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
96KB

MD5
3c8ad829e54d935c7696f1f3d920ecec

SHA1
55aecd8d4d2e8640ee136a03c11e30dde576c204

SHA256
301c978f14f0540625511332a8bdb2e3818845854c202674ecde8a3eaee19abd

SHA512
ad5fbec7fb186cdf8ea52e31713935abcfc4641a2fab3bc79d80475907d1c7d066dd008827fa5fcc13514769f2114b392c302076a57362d2473219b598c61abe

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
96KB

MD5
5cfe839a3f6d52c9c3e4f3e9e363b659

SHA1
c08437f58508d50fd9c0ea89937c934d59528df5

SHA256
ad5de9e1492d63ab27767de1ae0f941dc0cc18e7bb73cd879edcdadf3dce1248

SHA512
516b36b81b7258982d79e26ef018bb8ed8a7adaee5bb2ab5a20f0f76f669337e29ca2cb124a27d427b75ce035f785814891d5be66124f1713dba7c33ce81ed9b

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
96KB

MD5
27b32c0426b3bac6e431726a37e5f60f

SHA1
155de15e450dd703b57cd75c344a2e6506f6ec73

SHA256
a303fe0a2c053350492c767838b1845e4d221f50a9e54bd9f9532b668cf30bb7

SHA512
1315612055d802a9f97cc866050bda38db573396ebede0a7641193f61aae8cbeed5ef86b3e381e1d079d9265571d07835e10bd5d46dce34210134227651d96ac

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
96KB

MD5
4892389f65453f07e216b220034d58c6

SHA1
07133f1612c494fc41fde443c6ac499e75a766be

SHA256
0a55c5f4c8ae706f22eabe92f0cb83e65dd9fd253ef4cc5270149f1d8c560aa6

SHA512
93634bd859ce8399a4392a31efe4b91d86f1785eeecb007e9f5a39e3a30d0fac169992db5dba7c40eb82c25ab8629f5f2b354adaccae78dd0c74702d2b8fe21e

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
96KB

MD5
95cfab28d2fd693f7d3efdc9f2a05ba3

SHA1
7b15411d1b1f76ecb6f8563b81363ea9f62295d9

SHA256
544d9d17352c628214956c32dfa0e3c588db6d94e438d23baee27c07b2b326a9

SHA512
79a6f35c3ab178add7290801508ecf365ddded263f3309f20553f8c5363898a5b029fd1c00547d048912f65511d55e27a5af183510c418ec75fde2057feb4afa

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
64KB

MD5
9c9637bbc5a77fe9282c063d250a44f9

SHA1
fec0630b9f97dec8f2bed04e6f4d5e244d4ffecd

SHA256
b0cc9f75b4e6a9b32bfb303c7e7694aad4ea485a920d4df0fdad26e201729555

SHA512
a57de79fba8a09f67fdfcee5051bc65378b0e80f9dc6f43318a4a73c838292fe24b3b02e3877522344f112947099c3ba96c08352e734c15f441574bfc6a55672

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
96KB

MD5
f2659e1e69bccff82de5cd3316462030

SHA1
bdad272f1175f7921a05a7b3ed02ccfc27a5381c

SHA256
cd96b9d408dc06c00a05983fc05820f4d55478e29dd827f586ecc0ff752d3e83

SHA512
c3240ae0dae0944e30e06b033230eae8580b74c444dfd65e364e96c5ed62db355f5cdcdb59c40ff2a7da818989a1c77e2485ac905fd4665d2b85e8ab4dc04417

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
96KB

MD5
beb57f4ebc4427ceffc1887152f20355

SHA1
118e526643427abc1e9e894c05b6860b4269c907

SHA256
f313adef890e7b001ed5374fd5364cc25c53c87db6f882b3a68fb4b95890b139

SHA512
f05390fa77e1e91ff56871d595d495e99e9304b505b86363a48338392f0d80c32979e40e2264a78625af02ed9ff4a412d53813f4a46886b01a3d63da6a128a19

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
96KB

MD5
e49bb076a7ea528d4050a368e2eac4e5

SHA1
85017b33f32082b76084ee4e6768a9573b32bc09

SHA256
644888a0b3b8cb70a4d02edafc23b2a796975c65107dea6561106f580913a394

SHA512
f4767648c620afdd02ee418ed66970656a94da2ac8dda810bb140f6e4988ad510c6f6b0499657ff6693c4df5e6e5e2be9c771ace7350f46478f8a20a221797e5

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
96KB

MD5
b3444a8e4304d02db3e9006519edfb19

SHA1
c15088c2055f3dda4136ee823fdc0e2629493a1b

SHA256
d8154f7325d5d94261065b1889447842ed37adb41fd74de45b89d3ee9d98cb2b

SHA512
f6b92c0cefb56cda808084af80875ada458300103020c26a62af2b04b43bdca80b66cdce58e2e40eb58a79900aadc027b0d6f18e0d32980e45d5a436d2ddc1f3

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
96KB

MD5
f8c16b90cc77f85460a2930e45c677e5

SHA1
cb106456aec8359f371489eb0d959af54831c068

SHA256
46dee22c1e27f76dc8f8dbbdf0b141369f3d027448441c1ce926f3a074534df1

SHA512
3943bff9c65ad44d102d5bf5a18836487a0029d7366d33322fcf829f4d244f9349e87f35771ab1d41fa04a6dae302edef716e16e9e0f6ac5c2da90dedb5de7f9

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
96KB

MD5
cfe630bbe690f9f2be9d3fdc3fbfb241

SHA1
852eb27004dbd76e2dddd197806a0de9696bd7e5

SHA256
aa25f96babbac18d76713d94eafe5f3e1d2173efaf2edf8e1798789d71cb13ba

SHA512
41258a93656318be319e4ae49b3958aeb7cb801f3c1115ad7f83f498eef749b49af6e88978e52d6fc849dabf08786206adb32bcbcc27106fa5575b27b17fd8bd

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
96KB

MD5
514c852d42fdc0c538ec7db032f30b91

SHA1
c52c80ac72a5caf94bf42871e135c833deceaf49

SHA256
1a395778ee62c40efc67119d88582e86db055416a3453a724a0fba45e96cb7c4

SHA512
d04488dfae8efee21578edaff2be8f23a95a43870a32018bbe850b8469faeee50e0e26562559fda60ddb7ca0e7966ac5fb564c8589e7eab29685ce24127290e6

Download Submit
C:\Windows\SysWOW64\Kbaipkbi.exe

Filesize
96KB

MD5
822e778dfc438182f75ba068d8f3f583

SHA1
071ed219dcfcdd36d7b8cdeee54d9d26a52d617f

SHA256
1a80b1ac28a3715e0eb1afcd71891ed752187d86b164ad626c6efac34afceede

SHA512
181cc89d8266aaf41ed5922475f62779b6f02368cb7883f91ef4617e58c3c2f7566b91383f05872d627552e9d038777096f81e244e1cf28435c55a8bdbbdb068

Download Submit
C:\Windows\SysWOW64\Kbceejpf.exe

Filesize
96KB

MD5
008d0b5148b18c3348bd1c055aaeed4d

SHA1
847a966dcba6fc6287ab5514f802200394137775

SHA256
fb3b8207e481b657205d4bf11f65ddad6328ee90dc9db5c089737fd26e496145

SHA512
d9eb0ebeaa66d3c162e29d44ff8281cfbd18634b19f2f4c386b59dd4e747c0780e5e7c17f5bd7b9333bf64c5105468830c9df09e81fec8467b20063ceb071f19

Download Submit
C:\Windows\SysWOW64\Kdcbom32.exe

Filesize
96KB

MD5
7d545dbc8d75d996f89004539b2568cc

SHA1
e2f103a2be499f26441d26ecb5d270a9eba06692

SHA256
a3c5283c6753530feed08601a934d20b21f2ef036b01eb0fdb3f9a50412bacb6

SHA512
31430346f463816e49b85c07978c4c5942ffcd426671fa19a6e545916f1a68a1bf8521836f9ecaf080b78fbf0d8b9bfc8aeefd24addcada811fc66d3da79a692

Download Submit
C:\Windows\SysWOW64\Kdeoemeg.exe

Filesize
96KB

MD5
6c3ef07179e32a75d44b0b123a58eaf8

SHA1
f6916c2966e97e0508323c670498c64d6188aa58

SHA256
f13a61512079ecd45e53eea36ea05f8b537c5ed8b8f8e1ca5ee61f109c9653ee

SHA512
d1e72ed3d4e11bc76cab76e9afd0f9f151dadf0fc2514d21998122919f3e3cc418d83d0521cf7eedee9aa9ef4fd2691fc93b87ff52b97a59fee10baf2b9048cf

Download Submit
C:\Windows\SysWOW64\Kepelfam.exe

Filesize
96KB

MD5
ccd543d0bbdf133d0ad9affab2ecd5f5

SHA1
d6b15bf203709bf86b098fc19bffe70a48bd118e

SHA256
ee4270b5120966b03e5f19add3d3b712c33f9a0d96d1a157836fa1beac4360b3

SHA512
bafc8c99a9da7baefe6674b615452217ba00c9e6e591366d485a80e6c4d72b823e25c0fd88e9640678049af4bf89df05610d5e2665805e6dd73fc61999129294

Download Submit
C:\Windows\SysWOW64\Kfckahdj.exe

Filesize
96KB

MD5
5153d266463e8adb701e94ff55901492

SHA1
38deda39d117db209492b193cbe877156eaa0c59

SHA256
b134142e6e5f7e6a48b9f3a858effb11794aa749db5f98db2013909aa3118d4d

SHA512
afc15f8d1befaae5e112f03841a79acc7f82c3e002f712c313ede54cb882f82498d7e6a34eb88c86978fe72d2ca2140d0ec4dc41e3a7f98c8f089fbb4e2b8e00

Download Submit
C:\Windows\SysWOW64\Kfoafi32.exe

Filesize
96KB

MD5
8f05a470fd5e1e094c81e800792548ee

SHA1
58f7845231f2821aac6d829e28d2e67ae2a16776

SHA256
c21875f9826496bf7e5d74e18add1f81a0a29c0cd9cfe098e53fda9aa1d8a8dc

SHA512
f62b92585621509e69c0442dd028230d44b2128784eb6e1fa6f43bdf97f506a5bfc7cbd44cdc7d20b8e375f580ceb07d38838c9524f4925adb12e66a204fde7e

Download Submit
C:\Windows\SysWOW64\Kibgmdcn.exe

Filesize
64KB

MD5
4f14d45b21121ee9b2ef8c50c7f0f847

SHA1
93544f746db50c8d3611ccfff6378351b528c225

SHA256
55cc328c7e65df750bfebae9d7789e73fc017ce95d08b86a09291427fc529731

SHA512
ad4df45812635c51e186a20261646df0ef892e68b2bb4cbb7b0e7855d00031064866ea091b0c83b57f233d578fc41b423c58ef81454761079dfe8a45713c1c73

Download Submit
C:\Windows\SysWOW64\Kibgmdcn.exe

Filesize
96KB

MD5
a472d5505750375f12027e417dd38632

SHA1
43d9bd5a8366b43e65d543f83b0d3ff8227802f0

SHA256
da56abd5bb92696e2df4e1420fe0b74359ea65c08e9bd550f46fd73aeb43510f

SHA512
dd1e23f70ebb71f94b127ebec6cc0a57203a096dd6b65d431cabdefca1f1241c0011f6b085de1e5a50a89ef03ba1cf37b9edba8e5378b526f1b74a37ba0c24ca

Download Submit
C:\Windows\SysWOW64\Kimnbd32.exe

Filesize
96KB

MD5
9ffe36af2aba37dd498647c91a596732

SHA1
dd43e04bba731481eab41fb5938613e789eece9f

SHA256
42d4a13cbaaedd28e231375728c761a7397b85cbe9806e940140f366a2425da6

SHA512
60d37cc8de9b5d01718e560bd87208e337508e54a98988ed71308c74927eb7f187bbdc3edf345e76046cf8eb9dea24e81e5298c623eae621568605bf49de6bad

Download Submit
C:\Windows\SysWOW64\Kipkhdeq.exe

Filesize
96KB

MD5
821ba85d473420f006e0a8a40912211c

SHA1
11454b09846e191f607a0301fc533f0de2c54afd

SHA256
1c0b739afc0ea059b8e152304d04007f250d1893e6fa10bf74583d8f3b2df026

SHA512
c37af3aadd76bd79760b7c58b9147a953d5ebf54225938cbc240874ac3413e5b195bab6392ce2a3365896ad444263cfeb13de6816b26a9ca47949146edc028b1

Download Submit
C:\Windows\SysWOW64\Klljnp32.exe

Filesize
96KB

MD5
e5675766f6cf32ba96622124ef0f69eb

SHA1
c2f364a12f97903368b9787648c3cd708cb66e8d

SHA256
95c2c32196fd47618abc8c0cca262b6154fa2d5ce18d84155b4180c6166b8e76

SHA512
cf58fbede9c185ca740ba36d0cd1915730acedb45813f15863a5f4417bc34c9d2c22f3fda1e54fd4c36f372eb25873604c68306f1bd3cce309f96ab1674dc796

Download Submit
C:\Windows\SysWOW64\Klngdpdd.exe

Filesize
96KB

MD5
6019b6758ab30d616a5e01cadb545dc3

SHA1
1ff54e4e7b71cc4adc9cd6d4b60383452ce55408

SHA256
63bac47a9a8139a93c876f1618c9159cf7f5349b0e53e93065573c1368a5b6f4

SHA512
4cdddc6e266d04b09762135cba86ab5b5d3e89eccb39585f1c53d4f4f948ee079aff687b8518a5b1c34b5c76931a6c44d25d9e6e533a2d31471d437621bfd81c

Download Submit
C:\Windows\SysWOW64\Klqcioba.exe

Filesize
96KB

MD5
c2ab1fdb9e31f0a17c94f32ec6e606a1

SHA1
19881efc3142bd2d433b9d9cc031df3127bfbcf0

SHA256
102d61eba20d2f3de9161547b24d2f826a32abc84b5596c6d6f035a0a2c92664

SHA512
3fbf1fce3b4a4efd559026d39dfff6ef4bc8bcba65be6993a06bf07347a0313d4ae48d3e75e4eb6aff0d18f7e874f1d6b6155183eb310c00b02e028508a00825

Download Submit
C:\Windows\SysWOW64\Kmdqgd32.exe

Filesize
96KB

MD5
53259e9c7910b5105bbb7a967f7fd84b

SHA1
c08dec856c356e52a36eef9094997f02c9b0272a

SHA256
1a3cd3b7df0b3175e6917c6fa76c0e91332582248f84bfffc49fe22a093eb165

SHA512
3d411a1eeacbd3fcf8812bb438360dcb1b7b4639781130772bab299f3788526fc0802d99c0faefbf22bc61bfbe83524f2126485d1e7132413d0ea4205c4f8093

Download Submit
C:\Windows\SysWOW64\Kmfmmcbo.exe

Filesize
96KB

MD5
8187a7594e7813be7c974df9cf3b36a1

SHA1
eb73f53a25b5c997fa21ea2c497d83e73a51d514

SHA256
038cf873f5403a7dfed3c527c5261ed8cf3d42180410fac27d0c7141048bdfa6

SHA512
5ec4f2dc9a84c6015afa14086873a4f2145284cc387ac51adbb4701154af3bb4eda33015510cd715e16ce08d2874f7b57154ad4efdb65673c7d0b8ab0680ba4e

Download Submit
C:\Windows\SysWOW64\Kpbmco32.exe

Filesize
96KB

MD5
780b336bb3c5d7a049a3024d3f87949a

SHA1
1b2c924e5dfed48575e8ae134c47fdb9d4a73173

SHA256
3e36e957eed980b5276f3edb4e0b1613007c72ca5bc9ea344dcaa5b7d3df88f9

SHA512
c7d6a7d59246390dad291f256e631d9ed3e8d1faf18a79c6a6c78ab5f4a37ec4efea3ec453c730fe25fad4975aa0def9c75a22a03407ddccf5b6099b663580eb

Download Submit
C:\Windows\SysWOW64\Kpeiioac.exe

Filesize
96KB

MD5
77a04ba4d8ed3db8af6850b3a613703e

SHA1
215ffaafffd8308e162c9b67451394dc9d62855d

SHA256
c7d095197929b153eb2fe2cdbe616e561e622d1d194c895e7dd916b5d1d20829

SHA512
e9c507af3eb17da1ae0e46929d0d4dcfb6ee36508812b8133e619ecda3559337e96feceff3b5f9c1097182583782c549748cab1b4cb5cde967cdbe1ba6910fd0

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
96KB

MD5
fdb42712ecfd4053fe46d3f9197b4f7b

SHA1
6e02be112cab735e40b5f4ecca26c7fc722b103c

SHA256
3b81c7ee05fb5a9ee2d1d072a93054310bf7c7ed10383a25e766bc5da30c874a

SHA512
a8750eb35cfe16320b0368da0514ecefb51523545cb95ae4148374d768d322afb701c905f3243fa613365433ef0928b3802eae7021ebc0cde549492c2adea901

Download Submit
C:\Windows\SysWOW64\Lbjlfi32.exe

Filesize
96KB

MD5
8cca645141931e9423373c76a32886b2

SHA1
5239d9f696d280a0501e4e7110c0f56acdf2661d

SHA256
c5d2d65d5050746d08572e5faad6fafce248f1f0b3f1075315f5c06792289ca5

SHA512
6f1211278d85d1a5cf9bc8ebb8d570707c4404c8476916b4369f35de6ea449c287ce334d9f117684c34ca4648484e2ebd36d7f3a70eca866422d51caddcc5ccb

Download Submit
C:\Windows\SysWOW64\Lbmhlihl.exe

Filesize
96KB

MD5
0a3e073cfd7186f73cefed3245790a34

SHA1
0ed10d1175b76d478898e0ac999290e87a3f5a2d

SHA256
dee42c6ab330eb51b3673a80a5ca2e455223fc7c3e513fa7ea94c08843ce0bcb

SHA512
f718637973fed965aebc832873a395134b371ee33f1e8150b6041e30e5a85f41ee064a0c7960295e6f5c6f2b3bd29d56696587c94c65c0d03eb8ce4780f05459

Download Submit
C:\Windows\SysWOW64\Lboeaifi.exe

Filesize
96KB

MD5
55b6ec91ca233df367307a72880db068

SHA1
d8dd152d42c99ed92d235f95f6660db65bb1c268

SHA256
122df1e68393e74f0f49cb5e15230d31a4b85099e5b65060f8dcb35c03668fcf

SHA512
596e9b7fa5358e3abefcab33d94fffd37603ec4768195443b73a6bad4c344e4f39bb67b13f81f76e40bd0f3e7546ba2a56b20355f6d98d7bfc59a264e8e419ff

Download Submit
C:\Windows\SysWOW64\Ldjhpl32.exe

Filesize
96KB

MD5
675707caa9d7e327089fd8013fc7dc89

SHA1
65ae80782c67e99e4d39e47cca93f6af94fc879f

SHA256
ce2e929e7769c2b26cf9582abcb03c2f95d14d7573a72379be3eaaf5b0cdb0e4

SHA512
fffd8cf8a475af003ac94f7cd586fcbca3af3e3c040942aa03721176e807def3fa0469943035106c5a2995f096e59244a028428c4d5254f1d7338822cc4ef64f

Download Submit
C:\Windows\SysWOW64\Leihbeib.exe

Filesize
96KB

MD5
2fb0ef6dce43ca22e3b7fe37a55d2945

SHA1
8b8fd13cec70a2e817c19770612808bec141f7bb

SHA256
4159bbc7fb39ed57dabe60999016f922640d7a9f6d5bf81192dc1c9d048c279c

SHA512
0b7badcafe70bceba57c8601f2f53b5f1b8785a2f45dc103191a38c466111e195b64d4cf9384daa2557e5287b850f35a6d2136d2645a1ce082bcef30248b8745

Download Submit
C:\Windows\SysWOW64\Lekehdgp.exe

Filesize
96KB

MD5
f5cd294657e5982d3df9b5b3e14c354b

SHA1
91b0853e74fa64ced76edf4288503cb0db692445

SHA256
a37d387e345c86fbdc5a486472c4baba43a8bc5a7d61022734354aa9336cfc6f

SHA512
01941c3aa1a2dd50dd2d0ea1b75e9d3cb6e30425db785b4b9ed5e49d2ac8231d463a2e1e06dd5d7f1c3b093813e74e5a555bb81d859a517155b9286871cce0d3

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
96KB

MD5
c8fceff09f266703a52289d6903ed656

SHA1
10ebf98dced926b1c97343ef64d79d3994862752

SHA256
5b1882f2f4fabf1a0e10873d2a2b15c2c43ad1a455c0517cb247cbaeaa99adc1

SHA512
8ba25a440b5fd5b9c4c83b15e3bb0e24044fbacafe6b516e3951897f9418123a34cd47607d4d3c561a0fb420ecb187d989aaf244910e76cfaabdfbd5b28b586d

Download Submit
C:\Windows\SysWOW64\Lepncd32.exe

Filesize
96KB

MD5
6249516dce3bd92dbb364027dfc88632

SHA1
0985d92affc5674a93b81ee069b7d2914c48ac5c

SHA256
7a4a37eb743cccdd822b41a10fe12c13adf9a8e4324d095b0a3b7b8faaa3d837

SHA512
a69326bbeecc8c698641587f7f5ad086bd36f728f067d932286f57463a439a560c874a332d4f623e04c1ee0398c804a090dd449fc9714eff986489a2184d089c

Download Submit
C:\Windows\SysWOW64\Ligqhc32.exe

Filesize
96KB

MD5
c9a02de8babf2aa092cbca2326ceb25a

SHA1
31ecd26cd58dc98c0f3aea48d8c12eb101fcc881

SHA256
fd89c222b391f4f6759d96c414a295ac7df43752865fe5607ab2d4b6b3e63375

SHA512
8dc6ddcbe2216cb0e3df68bd919b6111b376dba0066a802ea27dee8af802f6b776499b749cf2f69cd29dbce2e19df0ff38b28c60602ff034c4478d8532065e38

Download Submit
C:\Windows\SysWOW64\Lmbmibhb.exe

Filesize
96KB

MD5
8f7365026d4ea0cb5efb0fcbf0567b8b

SHA1
e7230727fa4d1c47bc828f10ae88ac7e18ebeeec

SHA256
45dd8242c2b6e064db991eb8102bba1f88080defba53a95782d7ea78a93cf6cf

SHA512
5d821719fdbfe37c0fb592f419d3b7aea128048755b45547299477cf83af5569d75a9f0d2f960b84b3ee63996aca45a315f9fe2d7dc5a7f6ecfb47958b3b349d

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
96KB

MD5
218acc02386e347d40d3ecb5ad548335

SHA1
44c7482b056dac4886bd06f49e2f7ea907ac6f6f

SHA256
6f2fba68b42020f635dc470435f0a1798e89536d1d7054763f3884459d705dc6

SHA512
d54c8f50e16cd74e07c5bf774f3c6e0562415bd30db21d3adb6198f92077262fe474bbac2086cebe5e9670776e4e716bf6ce1bd5f62670612237629d0cb05211

Download Submit
C:\Windows\SysWOW64\Lmppcbjd.exe

Filesize
96KB

MD5
0abea76e681d22cb0ca6c4fe6bfbe2fa

SHA1
e4cce26c4013b333ca37b4d7901307e5cc10dae0

SHA256
3cd4ac38540df6288eb338a5ba2c4d8966c171b851f1b6a773d102866f375c0b

SHA512
330927fceea17ba1b78ae57fba725daf89524e43aac4ae314f9117498ed8d145f01e5794601cbafec3f718f372b2e0b93e5fa1848679782e7c3c9e507c39c028

Download Submit
C:\Windows\SysWOW64\Lpcfkm32.exe

Filesize
96KB

MD5
4658c637df6ef7a619ed499ee3b0c247

SHA1
5afabb1d287ff4e9c01ca7c6e8ed21607c086b53

SHA256
5b5b138e93bf8e84774dd57f33c5732acf80256d946a31c8f012ff02288cc1c8

SHA512
73c58c5b32d898456e47a977190a0616cf67b89b7ac4eb7e4ad20c8c61f3f2ae98e0275d326d6363c8b2836bdf5b19c371a08d74321b98c005b5bbbe1ad153bb

Download Submit
C:\Windows\SysWOW64\Lpqiemge.exe

Filesize
96KB

MD5
1b04808d62e428b4b8d0fc23d49b0958

SHA1
a2f59e8eb2f492c0362c599361c3cc1a897133da

SHA256
9acc903b4af202f628ef70714c43f55708a4910a27985cbc103878f26d1b0134

SHA512
290f8a34d332239781e0c8c34ac8ecfd679c2375452d6ea94fbdcacc290ae39481a96d352cc7ada98a971528bb7e34a566c3d9c9301cb88ef991388935ab795d

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
96KB

MD5
231fa35783b29da85379879689793d9d

SHA1
6beba4494c54aafc9b5f214b73b29a4ccdb25ec9

SHA256
2be86b4c90ddaec9c3c87262535342e9a548e6162efd2aeba5c2dae8378ad482

SHA512
246a2c979a9d5c6def1090b0be4035e72f67376d5c4dcfc481a7550d212eff3a2c7926873b068764a2c996fb38194c4773bd67703f488f79be3f51fd6c2392e2

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
96KB

MD5
2f3563e5b78926340f47f6ea2548144f

SHA1
cabbf3b0a486bf872f19834c7d2959012a72eb38

SHA256
a970329c5d5872661e3a14399c3d8a5bf1b9f0c80f0e7999039826fe72bb62ac

SHA512
d73544b490175e181e79d8872c0283dbc92bffe6ec521c276106665f441f202a59efe1d178ba80cc8fd9e3296d360068c073d5ad34734ca76a727d340d5379b5

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
96KB

MD5
d7df31b456eb722db46aad08518c2141

SHA1
27e99c2fe99f2eedde84b486826803c0c86c532c

SHA256
6ad846c5af83f4869f07a1d79d0dc124f5cb2ab55d341ea637d1eedd4e7c6335

SHA512
8219ab56bd6d86364bf99b90679e422a5debd976b967140df2352e66ab5bbf7aa67e38b1335866b494534806ce2f690b9507f26988d64e8c9a190583138a7cd0

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
96KB

MD5
03b058bef1f4f891e1bbd7cc93b4a5bc

SHA1
8eee792055904331fa2977f682e10ee5793740b0

SHA256
12b535e835759383c2fb13644d9583fc9e5b6282f08a7b9c97bc8041cf8af6fc

SHA512
30c912ac57a41fb46d98974518d355ab56c5653de2f17a0aad09096d4a5d74f00230fca4d15920368bcc28909b1c865f03bff44cc59bff111a699b141318daa9

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
96KB

MD5
74119e071276ba255600e56e59a2f9d4

SHA1
e10ba6cd7cb2f8d22464eff2a5ae0430dbbbf960

SHA256
bef05e32082711a16bf5a4730257c8850533746218c88588b8da580bf8594327

SHA512
82381c1ddaa15499c2ceb0ceb4d4b0214570b15c7a88a5a3435e0bea6397519e604724d03878f529be4b86629029812fe05b4b2e465a1a4066dae842f39d4bc4

Download Submit
memory/116-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/208-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/348-438-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/512-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/532-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/644-510-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/688-583-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/732-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/756-541-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/760-568-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/760-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/784-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/924-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/968-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1000-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1008-462-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1096-569-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1156-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1276-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1280-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1284-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1284-547-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1672-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1820-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1948-555-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1964-522-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2020-532-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2032-492-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2120-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2260-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2320-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2384-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2444-498-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2448-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2588-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2624-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2640-486-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2664-426-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2748-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2800-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2808-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2824-450-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2880-197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2928-18-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2928-554-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2996-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3120-548-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3144-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3144-534-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3144-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3268-562-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3316-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3348-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3416-575-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3416-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3424-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3448-516-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3488-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3500-576-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3512-456-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3516-474-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3556-480-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3596-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3640-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3644-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3840-402-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3856-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3960-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3996-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4100-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4108-504-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4244-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4244-561-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4280-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4304-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4320-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4436-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4520-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4528-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4528-589-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4560-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4572-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4760-468-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4792-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4792-582-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4808-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4816-535-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4840-408-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-444-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4916-420-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4972-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5012-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5020-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5044-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5112-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5148-1347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5800-1338-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5808-1335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6492-1320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6540-1319-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6584-1318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6804-1309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download