berbew | 7268bce83b46ddf66101e1b1a3460dbddfe670e28e079dc817987acb7eab7e82

Analysis

max time kernel
92s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-11-2024 05:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7268bce83b46ddf66101e1b1a3460dbddfe670e28e079dc817987acb7eab7e82N.exe
Size

96KB
MD5

7e2eaffbf151e0373ab68cc266042610
SHA1

7db9397ef6f030068de22312360d34ef496f6131
SHA256

7268bce83b46ddf66101e1b1a3460dbddfe670e28e079dc817987acb7eab7e82
SHA512

18a8cf4a0e4b68513f3902410705e3db0f9fbbc5292eb72941a0bb2707592511b0b6a84af42d07858af0a217ed34b199c0bf33a1b32d2627d0bd9f63989e4468
SSDEEP

1536:QfDff0Bq8PMrXJJB9wCYMhdm2L5X7RZObZUUWaegPYA:ETyqYMlJz5LpClUUWae

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Kdnidn32.exeLpcfkm32.exeMedgncoe.exeChjaol32.exeBaicac32.exeBffkij32.exeOfcmfodb.exeAqncedbp.exeAeklkchg.exeBcebhoii.exeBeihma32.exeCdcoim32.exeKbhoqj32.exeLikjcbkc.exeNcfdie32.exeOflgep32.exeOcgmpccl.exeCnkplejl.exeDmefhako.exeDhmgki32.exe7268bce83b46ddf66101e1b1a3460dbddfe670e28e079dc817987acb7eab7e82N.exeLdleel32.exeOgkcpbam.exeOgnpebpj.exePdpmpdbd.exeBjfaeh32.exeDanecp32.exeKpeiioac.exeLeihbeib.exeMiemjaci.exeNjciko32.exeLlemdo32.exeLepncd32.exeOlfobjbg.exeQffbbldm.exeMdhdajea.exeAmddjegd.exeKedoge32.exeMibpda32.exeAmpkof32.exeDjgjlelk.exeJcioiood.exeOponmilc.exePfolbmje.exeAjckij32.exeDddhpjof.exeKebbafoj.exeMgimcebb.exeNpcoakfp.exeNnjlpo32.exeAglemn32.exeBnmcjg32.exeNphhmj32.exeOfqpqo32.exeAfjlnk32.exeAjhddjfn.exeJidklf32.exeJlednamo.exeCnffqf32.exeLebkhc32.exeMnebeogl.exeNgpccdlj.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdnidn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcfkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Medgncoe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbhoqj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Likjcbkc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oflgep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	7268bce83b46ddf66101e1b1a3460dbddfe670e28e079dc817987acb7eab7e82N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldleel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpeiioac.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leihbeib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miemjaci.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llemdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lepncd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdhdajea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kedoge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mibpda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcioiood.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kebbafoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgimcebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjlpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jidklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlednamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lebkhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpccdlj.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

Processes:

Jioaqfcc.exeJpijnqkp.exeJfcbjk32.exeJmmjgejj.exeJplfcpin.exeJfeopj32.exeJidklf32.exeJlbgha32.exeJcioiood.exeJblpek32.exeJifhaenk.exeJlednamo.exeKboljk32.exeKemhff32.exeKlgqcqkl.exeKdnidn32.exeKfmepi32.exeKmfmmcbo.exeKpeiioac.exeKebbafoj.exeKmijbcpl.exeKpgfooop.exeKbfbkj32.exeKedoge32.exeKmkfhc32.exeKbhoqj32.exeKmncnb32.exeKplpjn32.exeLbjlfi32.exeLeihbeib.exeLiddbc32.exeLpnlpnih.exeLbmhlihl.exeLekehdgp.exeLigqhc32.exeLlemdo32.exeLdleel32.exeLboeaifi.exeLfkaag32.exeLiimncmf.exeLlgjjnlj.exeLpcfkm32.exeLbabgh32.exeLepncd32.exeLikjcbkc.exeLljfpnjg.exeLpebpm32.exeLgokmgjm.exeLebkhc32.exeLmiciaaj.exeMdckfk32.exeMbfkbhpa.exeMedgncoe.exeMmlpoqpg.exeMlopkm32.exeMchhggno.exeMgddhf32.exeMibpda32.exeMlampmdo.exeMdhdajea.exeMgfqmfde.exeMiemjaci.exeMlcifmbl.exeMdjagjco.exe

pid	process
2192	Jioaqfcc.exe
2036	Jpijnqkp.exe
2548	Jfcbjk32.exe
5048	Jmmjgejj.exe
3900	Jplfcpin.exe
2672	Jfeopj32.exe
3412	Jidklf32.exe
4416	Jlbgha32.exe
2828	Jcioiood.exe
5016	Jblpek32.exe
2864	Jifhaenk.exe
3492	Jlednamo.exe
4012	Kboljk32.exe
3584	Kemhff32.exe
828	Klgqcqkl.exe
2520	Kdnidn32.exe
8	Kfmepi32.exe
1480	Kmfmmcbo.exe
4548	Kpeiioac.exe
4892	Kebbafoj.exe
2852	Kmijbcpl.exe
3084	Kpgfooop.exe
2960	Kbfbkj32.exe
4292	Kedoge32.exe
4104	Kmkfhc32.exe
1844	Kbhoqj32.exe
848	Kmncnb32.exe
4984	Kplpjn32.exe
2524	Lbjlfi32.exe
4284	Leihbeib.exe
2304	Liddbc32.exe
2328	Lpnlpnih.exe
2464	Lbmhlihl.exe
2692	Lekehdgp.exe
3308	Ligqhc32.exe
1636	Llemdo32.exe
1052	Ldleel32.exe
3372	Lboeaifi.exe
2388	Lfkaag32.exe
4496	Liimncmf.exe
4424	Llgjjnlj.exe
2176	Lpcfkm32.exe
2816	Lbabgh32.exe
2276	Lepncd32.exe
712	Likjcbkc.exe
1288	Lljfpnjg.exe
1172	Lpebpm32.exe
3860	Lgokmgjm.exe
3452	Lebkhc32.exe
2272	Lmiciaaj.exe
1724	Mdckfk32.exe
4752	Mbfkbhpa.exe
624	Medgncoe.exe
4876	Mmlpoqpg.exe
1660	Mlopkm32.exe
3112	Mchhggno.exe
3620	Mgddhf32.exe
1484	Mibpda32.exe
2668	Mlampmdo.exe
2944	Mdhdajea.exe
3832	Mgfqmfde.exe
2980	Miemjaci.exe
1312	Mlcifmbl.exe
376	Mdjagjco.exe

Drops file in System32 directory 64 IoCs

Processes:

Dmjocp32.exeKmncnb32.exeNloiakho.exeOgkcpbam.exeLfkaag32.exeMlampmdo.exeAnfmjhmd.exeAcnlgp32.exeCeckcp32.exePmannhhj.exePmdkch32.exeMdmnlj32.exeBeglgani.exeKdnidn32.exeCnkplejl.exeLpebpm32.exeNilcjp32.exeNjciko32.exeCajlhqjp.exeDanecp32.exeKedoge32.exeLeihbeib.exeLpcfkm32.exeMdhdajea.exeNdokbi32.exeNjefqo32.exeOcnjidkf.exeOdapnf32.exeJlbgha32.exeKplpjn32.exeLbjlfi32.exeOnjegled.exeOqhacgdh.exeQgqeappe.exeCnffqf32.exeDhmgki32.exeLlgjjnlj.exeOlfobjbg.exeKboljk32.exeNgdmod32.exePcppfaka.exeQffbbldm.exeMelnob32.exeOgnpebpj.exePmfhig32.exeAglemn32.exeBmbplc32.exeDjgjlelk.exeKemhff32.exeMibpda32.exePfhfan32.exePjmehkqk.exeCnicfe32.exePdmpje32.exePgnilpah.exePmoahijl.exeMedgncoe.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Namdcd32.dll	Kmncnb32.exe
File created	C:\Windows\SysWOW64\Hddeok32.dll	Nloiakho.exe
File created	C:\Windows\SysWOW64\Oneklm32.exe	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Oolpjdob.dll	Lfkaag32.exe
File created	C:\Windows\SysWOW64\Aihbcp32.dll	Mlampmdo.exe
File opened for modification	C:\Windows\SysWOW64\Agoabn32.exe	Anfmjhmd.exe
File opened for modification	C:\Windows\SysWOW64\Ajhddjfn.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Kplpjn32.exe	Kmncnb32.exe
File created	C:\Windows\SysWOW64\Kkbljp32.dll	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Pdkcde32.exe	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Onliio32.dll	Mdmnlj32.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Kfmepi32.exe	Kdnidn32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Lgokmgjm.exe	Lpebpm32.exe
File created	C:\Windows\SysWOW64\Dapgdeib.dll	Nilcjp32.exe
File created	C:\Windows\SysWOW64\Gcgnkd32.dll	Njciko32.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Canidb32.dll	Kedoge32.exe
File created	C:\Windows\SysWOW64\Liddbc32.exe	Leihbeib.exe
File created	C:\Windows\SysWOW64\Lbabgh32.exe	Lpcfkm32.exe
File created	C:\Windows\SysWOW64\Flfelggh.dll	Mdhdajea.exe
File opened for modification	C:\Windows\SysWOW64\Ncbknfed.exe	Ndokbi32.exe
File opened for modification	C:\Windows\SysWOW64\Nnqbanmo.exe	Njefqo32.exe
File created	C:\Windows\SysWOW64\Oflgep32.exe	Ocnjidkf.exe
File opened for modification	C:\Windows\SysWOW64\Ofcmfodb.exe	Odapnf32.exe
File opened for modification	C:\Windows\SysWOW64\Jcioiood.exe	Jlbgha32.exe
File created	C:\Windows\SysWOW64\Bdkfmkdc.dll	Kplpjn32.exe
File opened for modification	C:\Windows\SysWOW64\Leihbeib.exe	Lbjlfi32.exe
File opened for modification	C:\Windows\SysWOW64\Oqhacgdh.exe	Onjegled.exe
File created	C:\Windows\SysWOW64\Jfpbkoql.dll	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Kgngca32.dll	Qgqeappe.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Aoohalad.dll	Kdnidn32.exe
File created	C:\Windows\SysWOW64\Amhpcomb.dll	Llgjjnlj.exe
File created	C:\Windows\SysWOW64\Odmgcgbi.exe	Olfobjbg.exe
File created	C:\Windows\SysWOW64\Kemhff32.exe	Kboljk32.exe
File opened for modification	C:\Windows\SysWOW64\Ncdgcf32.exe	Nilcjp32.exe
File created	C:\Windows\SysWOW64\Njciko32.exe	Ngdmod32.exe
File opened for modification	C:\Windows\SysWOW64\Pfolbmje.exe	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Ampkof32.exe	Qffbbldm.exe
File opened for modification	C:\Windows\SysWOW64\Mmbfpp32.exe	Melnob32.exe
File created	C:\Windows\SysWOW64\Ofqpqo32.exe	Ognpebpj.exe
File opened for modification	C:\Windows\SysWOW64\Pdmpje32.exe	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Anfmjhmd.exe	Aglemn32.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Klgqcqkl.exe	Kemhff32.exe
File opened for modification	C:\Windows\SysWOW64\Mlampmdo.exe	Mibpda32.exe
File created	C:\Windows\SysWOW64\Hdoemjgn.dll	Pfhfan32.exe
File opened for modification	C:\Windows\SysWOW64\Qmkadgpo.exe	Pjmehkqk.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Oicmfmok.dll	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Mmbfpp32.exe	Melnob32.exe
File created	C:\Windows\SysWOW64\Pcppfaka.exe	Pdmpje32.exe
File opened for modification	C:\Windows\SysWOW64\Pjmehkqk.exe	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Bdjinlko.dll	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Bnecbhin.dll	Medgncoe.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3908 6344 WerFault.exe Dmllipeg.exe

pid	pid_target	process	target process
3908	6344	WerFault.exe	Dmllipeg.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Mchhggno.exeOlfobjbg.exePjmehkqk.exeAmpkof32.exeBgcknmop.exeJioaqfcc.exeJpijnqkp.exeLpnlpnih.exePfhfan32.exePgnilpah.exeCajlhqjp.exeChcddk32.exeDmllipeg.exeKmncnb32.exeLekehdgp.exeLlemdo32.exeNpcoakfp.exePfolbmje.exeDeokon32.exeKboljk32.exeKedoge32.exeAcjclpcf.exeAjckij32.exeCdcoim32.exeCeckcp32.exeKfmepi32.exeLmiciaaj.exeNgdmod32.exeOfeilobp.exeChmndlge.exeJcioiood.exeLigqhc32.exeLepncd32.exeLikjcbkc.exeOcnjidkf.exeDmjocp32.exeKdnidn32.exeLbabgh32.exeOjgbfocc.exePmannhhj.exeChagok32.exeAabmqd32.exeAglemn32.exeBaicac32.exeLiddbc32.exeMenjdbgj.exeNilcjp32.exeNgbpidjh.exeOfqpqo32.exeCndikf32.exeDhmgki32.exeMgfqmfde.exeOneklm32.exePmdkch32.exeQmmnjfnl.exeAgoabn32.exeJfcbjk32.exeKmijbcpl.exeNjciko32.exePncgmkmj.exeBmbplc32.exeMmlpoqpg.exePjjhbl32.exeDhocqigp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mchhggno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jioaqfcc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpijnqkp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpnlpnih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmncnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lekehdgp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llemdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npcoakfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kboljk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kedoge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfmepi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmiciaaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcioiood.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ligqhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepncd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Likjcbkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdnidn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbabgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liddbc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Menjdbgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilcjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngbpidjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgfqmfde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfcbjk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmijbcpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmlpoqpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe

Modifies registry class 64 IoCs

Processes:

Pdpmpdbd.exePjmehkqk.exeBnkgeg32.exeKmfmmcbo.exeLiimncmf.exeNcbknfed.exeOjgbfocc.exeMchhggno.exeNcfdie32.exeOfqpqo32.exePdmpje32.exeLljfpnjg.exeMelnob32.exeOqfdnhfk.exeOdmgcgbi.exePdkcde32.exePfolbmje.exeAqncedbp.exeDmjocp32.exeMdmnlj32.exeNgbpidjh.exeNjefqo32.exeCnkplejl.exeDeokon32.exe7268bce83b46ddf66101e1b1a3460dbddfe670e28e079dc817987acb7eab7e82N.exeMlopkm32.exeMenjdbgj.exePmidog32.exeNphhmj32.exeQmmnjfnl.exeAmpkof32.exeCeckcp32.exeMdjagjco.exeOlfobjbg.exeQqfmde32.exeQgqeappe.exeKbhoqj32.exeLigqhc32.exeMmlpoqpg.exeOdocigqg.exeKmijbcpl.exeAcjclpcf.exeMcpnhfhf.exeBagflcje.exeDhmgki32.exePgioqq32.exePmfhig32.exeAcnlgp32.exeAnfmjhmd.exeJblpek32.exeKmkfhc32.exeNggjdc32.exeBgcknmop.exeMgddhf32.exeMgimcebb.exePmannhhj.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpabk32.dll"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneljh32.dll"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmfmmcbo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liimncmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncbknfed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebinhj32.dll"	Mchhggno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clbcapmm.dll"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lljfpnjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Melnob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odaoecld.dll"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aceghl32.dll"	Kmfmmcbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifndpaoq.dll"	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnpllc32.dll"	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fllifblf.dll"	7268bce83b46ddf66101e1b1a3460dbddfe670e28e079dc817987acb7eab7e82N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlopkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcmfk32.dll"	Pmidog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbnaa32.dll"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcjlfqa.dll"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdjagjco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbkfake.dll"	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgngca32.dll"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbhoqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gilnhifk.dll"	Ligqhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijfjal32.dll"	Mmlpoqpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojhnmh32.dll"	Kmijbcpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bchdhnom.dll"	Mcpnhfhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeiakn32.dll"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlaqpipg.dll"	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicmfmok.dll"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jblpek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkbjac32.dll"	Kmkfhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdeflhhf.dll"	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgddhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgimcebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkbljp32.dll"	Pmannhhj.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7268bce83b46ddf66101e1b1a3460dbddfe670e28e079dc817987acb7eab7e82N.exeJioaqfcc.exeJpijnqkp.exeJfcbjk32.exeJmmjgejj.exeJplfcpin.exeJfeopj32.exeJidklf32.exeJlbgha32.exeJcioiood.exeJblpek32.exeJifhaenk.exeJlednamo.exeKboljk32.exeKemhff32.exeKlgqcqkl.exeKdnidn32.exeKfmepi32.exeKmfmmcbo.exeKpeiioac.exeKebbafoj.exeKmijbcpl.exe

description	pid	process	target process
PID 2932 wrote to memory of 2192	2932	7268bce83b46ddf66101e1b1a3460dbddfe670e28e079dc817987acb7eab7e82N.exe	Jioaqfcc.exe
PID 2932 wrote to memory of 2192	2932	7268bce83b46ddf66101e1b1a3460dbddfe670e28e079dc817987acb7eab7e82N.exe	Jioaqfcc.exe
PID 2932 wrote to memory of 2192	2932	7268bce83b46ddf66101e1b1a3460dbddfe670e28e079dc817987acb7eab7e82N.exe	Jioaqfcc.exe
PID 2192 wrote to memory of 2036	2192	Jioaqfcc.exe	Jpijnqkp.exe
PID 2192 wrote to memory of 2036	2192	Jioaqfcc.exe	Jpijnqkp.exe
PID 2192 wrote to memory of 2036	2192	Jioaqfcc.exe	Jpijnqkp.exe
PID 2036 wrote to memory of 2548	2036	Jpijnqkp.exe	Jfcbjk32.exe
PID 2036 wrote to memory of 2548	2036	Jpijnqkp.exe	Jfcbjk32.exe
PID 2036 wrote to memory of 2548	2036	Jpijnqkp.exe	Jfcbjk32.exe
PID 2548 wrote to memory of 5048	2548	Jfcbjk32.exe	Jmmjgejj.exe
PID 2548 wrote to memory of 5048	2548	Jfcbjk32.exe	Jmmjgejj.exe
PID 2548 wrote to memory of 5048	2548	Jfcbjk32.exe	Jmmjgejj.exe
PID 5048 wrote to memory of 3900	5048	Jmmjgejj.exe	Jplfcpin.exe
PID 5048 wrote to memory of 3900	5048	Jmmjgejj.exe	Jplfcpin.exe
PID 5048 wrote to memory of 3900	5048	Jmmjgejj.exe	Jplfcpin.exe
PID 3900 wrote to memory of 2672	3900	Jplfcpin.exe	Jfeopj32.exe
PID 3900 wrote to memory of 2672	3900	Jplfcpin.exe	Jfeopj32.exe
PID 3900 wrote to memory of 2672	3900	Jplfcpin.exe	Jfeopj32.exe
PID 2672 wrote to memory of 3412	2672	Jfeopj32.exe	Jidklf32.exe
PID 2672 wrote to memory of 3412	2672	Jfeopj32.exe	Jidklf32.exe
PID 2672 wrote to memory of 3412	2672	Jfeopj32.exe	Jidklf32.exe
PID 3412 wrote to memory of 4416	3412	Jidklf32.exe	Jlbgha32.exe
PID 3412 wrote to memory of 4416	3412	Jidklf32.exe	Jlbgha32.exe
PID 3412 wrote to memory of 4416	3412	Jidklf32.exe	Jlbgha32.exe
PID 4416 wrote to memory of 2828	4416	Jlbgha32.exe	Jcioiood.exe
PID 4416 wrote to memory of 2828	4416	Jlbgha32.exe	Jcioiood.exe
PID 4416 wrote to memory of 2828	4416	Jlbgha32.exe	Jcioiood.exe
PID 2828 wrote to memory of 5016	2828	Jcioiood.exe	Jblpek32.exe
PID 2828 wrote to memory of 5016	2828	Jcioiood.exe	Jblpek32.exe
PID 2828 wrote to memory of 5016	2828	Jcioiood.exe	Jblpek32.exe
PID 5016 wrote to memory of 2864	5016	Jblpek32.exe	Jifhaenk.exe
PID 5016 wrote to memory of 2864	5016	Jblpek32.exe	Jifhaenk.exe
PID 5016 wrote to memory of 2864	5016	Jblpek32.exe	Jifhaenk.exe
PID 2864 wrote to memory of 3492	2864	Jifhaenk.exe	Jlednamo.exe
PID 2864 wrote to memory of 3492	2864	Jifhaenk.exe	Jlednamo.exe
PID 2864 wrote to memory of 3492	2864	Jifhaenk.exe	Jlednamo.exe
PID 3492 wrote to memory of 4012	3492	Jlednamo.exe	Kboljk32.exe
PID 3492 wrote to memory of 4012	3492	Jlednamo.exe	Kboljk32.exe
PID 3492 wrote to memory of 4012	3492	Jlednamo.exe	Kboljk32.exe
PID 4012 wrote to memory of 3584	4012	Kboljk32.exe	Kemhff32.exe
PID 4012 wrote to memory of 3584	4012	Kboljk32.exe	Kemhff32.exe
PID 4012 wrote to memory of 3584	4012	Kboljk32.exe	Kemhff32.exe
PID 3584 wrote to memory of 828	3584	Kemhff32.exe	Klgqcqkl.exe
PID 3584 wrote to memory of 828	3584	Kemhff32.exe	Klgqcqkl.exe
PID 3584 wrote to memory of 828	3584	Kemhff32.exe	Klgqcqkl.exe
PID 828 wrote to memory of 2520	828	Klgqcqkl.exe	Kdnidn32.exe
PID 828 wrote to memory of 2520	828	Klgqcqkl.exe	Kdnidn32.exe
PID 828 wrote to memory of 2520	828	Klgqcqkl.exe	Kdnidn32.exe
PID 2520 wrote to memory of 8	2520	Kdnidn32.exe	Kfmepi32.exe
PID 2520 wrote to memory of 8	2520	Kdnidn32.exe	Kfmepi32.exe
PID 2520 wrote to memory of 8	2520	Kdnidn32.exe	Kfmepi32.exe
PID 8 wrote to memory of 1480	8	Kfmepi32.exe	Kmfmmcbo.exe
PID 8 wrote to memory of 1480	8	Kfmepi32.exe	Kmfmmcbo.exe
PID 8 wrote to memory of 1480	8	Kfmepi32.exe	Kmfmmcbo.exe
PID 1480 wrote to memory of 4548	1480	Kmfmmcbo.exe	Kpeiioac.exe
PID 1480 wrote to memory of 4548	1480	Kmfmmcbo.exe	Kpeiioac.exe
PID 1480 wrote to memory of 4548	1480	Kmfmmcbo.exe	Kpeiioac.exe
PID 4548 wrote to memory of 4892	4548	Kpeiioac.exe	Kebbafoj.exe
PID 4548 wrote to memory of 4892	4548	Kpeiioac.exe	Kebbafoj.exe
PID 4548 wrote to memory of 4892	4548	Kpeiioac.exe	Kebbafoj.exe
PID 4892 wrote to memory of 2852	4892	Kebbafoj.exe	Kmijbcpl.exe
PID 4892 wrote to memory of 2852	4892	Kebbafoj.exe	Kmijbcpl.exe
PID 4892 wrote to memory of 2852	4892	Kebbafoj.exe	Kmijbcpl.exe
PID 2852 wrote to memory of 3084	2852	Kmijbcpl.exe	Kpgfooop.exe

C:\Users\Admin\AppData\Local\Temp\7268bce83b46ddf66101e1b1a3460dbddfe670e28e079dc817987acb7eab7e82N.exe
"C:\Users\Admin\AppData\Local\Temp\7268bce83b46ddf66101e1b1a3460dbddfe670e28e079dc817987acb7eab7e82N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Windows\SysWOW64\Jioaqfcc.exe
  C:\Windows\system32\Jioaqfcc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\SysWOW64\Jpijnqkp.exe
    C:\Windows\system32\Jpijnqkp.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2036
  - - C:\Windows\SysWOW64\Jfcbjk32.exe
      C:\Windows\system32\Jfcbjk32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2548
    - - C:\Windows\SysWOW64\Jmmjgejj.exe
        
        C:\Windows\system32\Jmmjgejj.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5048
      - C:\Windows\SysWOW64\Jplfcpin.exe
        
        C:\Windows\system32\Jplfcpin.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3900
        
        C:\Windows\SysWOW64\Jfeopj32.exe
        
        C:\Windows\system32\Jfeopj32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3412
        
        C:\Windows\SysWOW64\Jlbgha32.exe
        
        C:\Windows\system32\Jlbgha32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Windows\SysWOW64\Jcioiood.exe
        
        C:\Windows\system32\Jcioiood.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\SysWOW64\Jblpek32.exe
        
        C:\Windows\system32\Jblpek32.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\SysWOW64\Jifhaenk.exe
        
        C:\Windows\system32\Jifhaenk.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\SysWOW64\Jlednamo.exe
        
        C:\Windows\system32\Jlednamo.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3492
        
        C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4012
        
        C:\Windows\SysWOW64\Kemhff32.exe
        
        C:\Windows\system32\Kemhff32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3584
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:828
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\SysWOW64\Kfmepi32.exe
        
        C:\Windows\system32\Kfmepi32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:8
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\SysWOW64\Kebbafoj.exe
        
        C:\Windows\system32\Kebbafoj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        23⤵
        Executes dropped EXE
        
        PID:3084
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        24⤵
        Executes dropped EXE
        
        PID:2960
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4292
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4104
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1844
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:848
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4984
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2524
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4284
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2304
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2328
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        34⤵
        Executes dropped EXE
        
        PID:2464
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2692
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3308
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1636
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1052
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        39⤵
        Executes dropped EXE
        
        PID:3372
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2388
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4424
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2176
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2816
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2276
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:712
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1288
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1172
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        49⤵
        Executes dropped EXE
        
        PID:3860
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3452
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2272
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        52⤵
        Executes dropped EXE
        
        PID:1724
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        53⤵
        Executes dropped EXE
        
        PID:4752
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:624
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3112
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3620
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1484
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2668
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2944
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3832
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2980
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        64⤵
        Executes dropped EXE
        
        PID:1312
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:376
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3248
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2204
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        68⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2664
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        70⤵
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        71⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:856
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3060
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        74⤵
        Drops file in System32 directory
        
        PID:732
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        75⤵
        Modifies registry class
        
        PID:4624
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4400
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        77⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4372
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1788
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4304
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1944
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        82⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3788
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        83⤵
        Drops file in System32 directory
        
        PID:1192
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        84⤵
        
        PID:436
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1596
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        87⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        88⤵
        Modifies registry class
        
        PID:2680
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3216
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        90⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1784
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5160
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5204
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        94⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        96⤵
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5380
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:5424
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        99⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        100⤵
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5556
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        103⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        104⤵
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        105⤵
        Drops file in System32 directory
        
        PID:5728
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5772
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        107⤵
        Drops file in System32 directory
        
        PID:5816
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        108⤵
        Drops file in System32 directory
        
        PID:5860
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5904
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:5948
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        111⤵
        Drops file in System32 directory
        
        PID:5992
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        112⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        113⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6076
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        114⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6120
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        115⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        116⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5268
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        117⤵
        Modifies registry class
        
        PID:5332
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        118⤵
        Modifies registry class
        
        PID:5436
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        119⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:5588
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        121⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5676
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        122⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        123⤵
        Drops file in System32 directory
        
        PID:5900
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5984
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:6040
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        126⤵
        Modifies registry class
        
        PID:6132
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5240
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        128⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        129⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5548
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        130⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5684
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        131⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        132⤵
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        133⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        134⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        135⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5828
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6024
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        138⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5244
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5584
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5464
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5132
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5960
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        144⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6152
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6196
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        146⤵
        System Location Discovery: System Language Discovery
        
        PID:6240
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6288
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        148⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6332
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        149⤵
        System Location Discovery: System Language Discovery
        
        PID:6376
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        150⤵
        Modifies registry class
        
        PID:6420
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6460
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        152⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        153⤵
        Modifies registry class
        
        PID:6552
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6596
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        155⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6640
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6684
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6728
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        158⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        159⤵
        Drops file in System32 directory
        
        PID:6816
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        160⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        161⤵
        
        PID:6904
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        162⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6944
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6988
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7032
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        165⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7116
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        167⤵
        System Location Discovery: System Language Discovery
        
        PID:7160
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        168⤵
        System Location Discovery: System Language Discovery
        
        PID:6168
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6248
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6324
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        171⤵
        Drops file in System32 directory
        
        PID:6388
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        172⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6448
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        173⤵
        System Location Discovery: System Language Discovery
        
        PID:6528
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6592
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        175⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6680
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        176⤵
        System Location Discovery: System Language Discovery
        
        PID:6736
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        177⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        178⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        179⤵
        
        PID:6856
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6928
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        181⤵
        
        PID:7000
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7064
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7148
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        184⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        185⤵
        
        PID:6300
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        186⤵
        
        PID:6416
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        187⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        188⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6624
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6744
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        190⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        191⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6888
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        192⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        193⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7104
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        194⤵
        System Location Discovery: System Language Discovery
        
        PID:5576
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        195⤵
        System Location Discovery: System Language Discovery
        
        PID:6344
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6344 -s 404
        196⤵
        Program crash
        
        PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 6344 -ip 6344
1⤵
PID:6560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
96KB

MD5
425d792b7da1658484e883603f406312

SHA1
1780ece0f74a3076c3820955eb67363e08002ae3

SHA256
075613ecafdf5b178b8ad20283e219e5d65ca95c99a8427f3639fa82798cb427

SHA512
86726b7cf9f72b520699af6c6ee4a3ef8c5a3ccffed0228ca870d9c0cb0e53007762c776b2e5ab15df67f0f3e5ac0e8cd96d01962ae588411b7ebe9f8d659269

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
96KB

MD5
a6cc43360f9f6fe8dd33f28e8b4621da

SHA1
3da39f59959460d2eb9463c4034097afe0441a33

SHA256
e1ae1fa66e85486d309d4ad9471e0d29e25023e0cb19d42c3371a01c01c83d61

SHA512
d15997962db2d9b6877f4fa0f41d771ff078e225520bef0126f89402577d47245af59be3cdaa9d92c49ec6853cf563ef9507b81c040e2d61572a002594bcabb9

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
96KB

MD5
9852ee8e6145e78ad350ca8337ac7d65

SHA1
8a86e3ce6ec5ae1fb9c828282a63a3600ca971f1

SHA256
cd4d6d1cd60086d6f902f9a97cf2eefe06133353f3c08fcc691415b60a4e4bc0

SHA512
c3932a90050da1aeae0a24559aad25c1c835e02add96f53c74661b2324db8b546f5a6ad7a1c13426633e209d73c3ea211f1461c567cab0062535fea35c39437e

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
96KB

MD5
369354da5aadcdd65e5b66943cb26f01

SHA1
8fc018375fbf22febd1c8b0952225f1d4b23837b

SHA256
5651126851d34e494bf5e7a53ec56a38bb20e1272bca74c694c7cb75ce3bc83e

SHA512
3cfb4d39d6126fd7dca4c2ce15bb3448a507e87b2246d8f6afef171b7cdef8e68927ca822e98e894822d3ebea89cee0ded115c0a61b277741cb53fcb3ca881b1

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
96KB

MD5
9d69f6f259b9ef3a8b90a6a1601fb6d4

SHA1
6b020fc1c35ef6a11d098b00693fff6e40171837

SHA256
3c7996c2fa73efbbbc76b9ab464ab86e97e1c41a61fc7f959b9111179c62b64d

SHA512
dc17c32ca82cb9f8765d1b2d3fb75908653bc125adb6df0f5b2c6dc51d1fbc8211f30ec52c3ce2f98273867baf4d156c436a8c9df51b9c844c1ac1f398ccd659

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
96KB

MD5
c6f0e1e71934ed2ade6530627aecdb84

SHA1
6a388837ed9af501d97f8071d7946d8205cb79e2

SHA256
83ed7453dea57c3e1a5de1ace228881217945b78ab7996de77af21865c38676b

SHA512
768d4d3a7a58a9373667bc11d0608b303b7209acfad8d8763d41d95ac03d955e38f7f84ae260e29372683d3eb665db45eed3feceeaabf2f491039d38653a113b

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
96KB

MD5
a007c8089108e811f4d3617f4cea564f

SHA1
3dc36dc9852d2a9c8242ac29c88f252d0b412c76

SHA256
c1172f033f637bd2ab6128471208ddedd3c0ab1a049877094ad93c01eeeae1c4

SHA512
3e0c256028df3b14e2864f9b68e327499a5e7e6499e448c8e00fff8b458208aa839785e6c9b10c985bd2409b8e5e69808ab5798d9551cf00f2ddbb904fffae80

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
96KB

MD5
54be03c96453032fb8daa8d6939214d3

SHA1
dcaa2cfe0ea8e7af6f074e13d47d866e3e1d2937

SHA256
3cd07b12f69c20791f6ce245d49a00bdce5b16011a7dc690a37d992aa7c7a113

SHA512
e02185e2c6f436bb2bfc57ef658a10bf5c04283c0730560fbc7399b207e4438853ff7f822139ee72c3e805aa8b36b345950898e3f7a3c30e6c9c10e5f6a5bd14

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
96KB

MD5
1cb60f32584688df5f4098f243496922

SHA1
0d3a13782c5b352b8fb2a0516b2863131c9044fe

SHA256
77f8c27c231d3d021dc3823bd0a6d4ffae78c8ff2b46a23234a037cebb09bfcc

SHA512
d7153b28560e89e4f97e964d0d8363bc7a06c15eb580a66ccefa2261c17a2e400daba40aad2b6560f650cd01153f28e05d98457cc869c33f2dfa4e18744aac4e

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
96KB

MD5
e1c961ceeb9e98d400e2b37904bcb913

SHA1
baa3a37cbb7ae2a65d846a6bd42ce355c3e19122

SHA256
0bce0fa6bbdee7a0065da9868203df493e82b0a471e95a800bc8c262fd6be0f9

SHA512
fca01e89fb00ee604c196024e267da980623687d1102c43b247b0fe8085a76d8b59ad2a6dfc1429a049d99cff566be6cc8b94230eff5c7103cf423b715fe2784

Download Submit
C:\Windows\SysWOW64\Jblpek32.exe

Filesize
96KB

MD5
047f54b03270f48d290fcaa0eaf83902

SHA1
fcff3174f3f78170bcf300d1e0b2eb2dbed54962

SHA256
d05e65ac5caf257830baf5a42d52a5bd8c7a24002d8d6ebc930a70df268b73f4

SHA512
0636b3a4ab1fc7b5462e00ed2478a037c350914ee9cd83b48ab956c20145e17378db49e5a94ce5a6ccb0967a8b2084b06207b6a7c75431bbcb66b710d790a426

Download Submit
C:\Windows\SysWOW64\Jcioiood.exe

Filesize
96KB

MD5
73cbebbfb53b78e742f0aa5b40c28c14

SHA1
778baf4869d44bbfad8c9d4ca84dc905a465587a

SHA256
d67779686d7cdaed6928b83f3e427a0294a3efdd15d0124f32f91edfe0c6d466

SHA512
ce2630ed19a407720b79d7db7df6b20204031d1008a979035806a36c639245db301a5834cc0ff1bad118ca14ea500938f0e7f8ae8513a224ec585fc38be2e776

Download Submit
C:\Windows\SysWOW64\Jfcbjk32.exe

Filesize
96KB

MD5
0bdb9889ba341f1c6db27112b28a5b40

SHA1
0f6353ae2df4e62a44aaa5747c14dce0e8ab583b

SHA256
a1c91e9e1b7354da5220eb8d71366179708a4c83cbcdcc9f3f34dcf0cea0bd68

SHA512
a1014f99fb3d5b6bcc8f49a9b85ada05fa5c9a605dbad12822c92255f0ff732cf3bdda905e646fd8c83c90dd25656d75d74ce9375136692acd48afacad408474

Download Submit
C:\Windows\SysWOW64\Jfeopj32.exe

Filesize
96KB

MD5
7535cbe53db3f1beb729ffaab2817d34

SHA1
f1b1c4b878d7a308a0ae86cf681945884c96ced6

SHA256
e29a990c75c71e857a51f400ae976239ce72dc7883b8990c8e329b60f413063c

SHA512
8956f0ebe4a0cf92d3777532b65471e8b5882cc8d74e024d194dfcaa460907334f181b4c2cff26df90e13dc82c2aa74b3a59ee62fd90bca9a02b5bed4706ea58

Download Submit
C:\Windows\SysWOW64\Jidklf32.exe

Filesize
96KB

MD5
e5fb315ce1c6c1791fa6d4f626d522ff

SHA1
38b4ea96541d305d597f886961ecc8cbf548ff52

SHA256
b8d704c125a372d1c1898c3bc7281394ddf181e4e1c44cb3b2d67b5c9184012d

SHA512
7cadf1506f5a5f3ebcf5387abde0ff6a4a276d38987583f26b13fdfbbad6f0cc7db7470f382fb9a8d276a0f62f39ac9a11aace27b8227152eb6c580f98c275f0

Download Submit
C:\Windows\SysWOW64\Jifhaenk.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\Jifhaenk.exe

Filesize
96KB

MD5
9833bc917f3676dc2dfa46dc3ecd0fc5

SHA1
93afeaccc628f6c1fe9fa15f8b8b06e06461d7b0

SHA256
5e5800d53f59300cf9b921704abaf5287f48a9425a6a2f99ba69067b24c4d6d2

SHA512
95aee7758422054572b9181cd018024e9169ae1ab7f19e986e5c48e78565683143edc00cdca06f51bce99a2443f6c0da89cf15e7fba9cedbfe9b80e0fe03fe35

Download Submit
C:\Windows\SysWOW64\Jioaqfcc.exe

Filesize
96KB

MD5
c7e33b89648e0e5aadd08aa9dd1d5e54

SHA1
e5602d0464f28006c2e55e1e77435ba60e46b813

SHA256
83d47d99c8a3d59f8961afd02de125dc615046e97c781f242fff986080a6d639

SHA512
ec9a0ff41fb0be6b6ab2f1a77860aed0fba1c1db7ce89d4afec40b4f1e85238403ec8f1aef2b7f49c80cc5781937bacb0c330215580c08fb29914353d2c9b368

Download Submit
C:\Windows\SysWOW64\Jlbgha32.exe

Filesize
96KB

MD5
c0b73ec25c472664cda2c49e452fb8ad

SHA1
e43ff3c8851242aa817f7eb375d91267dae00993

SHA256
10a2e154d050c260c2b8e0a4a148d62d68bb2e03466d8d11fb31f6ad78ff0cba

SHA512
0b2ba4c95c45da4fae9e0230baacf8a1a61eadde9b9c49c73b792f7b78dc706e8460b36ad0973dc24282f0f9469be3be8b860b42f6b68d70f64793b4b7e8f553

Download Submit
C:\Windows\SysWOW64\Jlednamo.exe

Filesize
96KB

MD5
c892ee3f4cbad9f14fd18d0d98041759

SHA1
a08a3b350aa24e4b882d340fa7cbaed7c14187e8

SHA256
49b538a41f2e11051316410bdf8cc8d0fdc235e2e4089c23af377edc70cd7f2a

SHA512
96f25cff7125886bb5f23baa452ec6d1fdadc3065c70ac363050b74eef5da1610fd7b65044c7d2b366f01b997fbf4c7cc86bbfcb5719c95cb4a34b708ceff246

Download Submit
C:\Windows\SysWOW64\Jmmjgejj.exe

Filesize
96KB

MD5
1238f1266b38cbde9055c56a841d16be

SHA1
c3cef59f3fd15761596a25e2d31ae3b15f6e4d95

SHA256
8f929aadbc12202579648f847d9f5aef5f805993e715ce22c49f03c61a389939

SHA512
6ee2db01caad328c4a8b131b114d2a11b811ca11deba56419d9b3be5ab0da16477af4e25838aecdab5d69c806f5f289ca8a4ded39573f144840d7542cc83a78d

Download Submit
C:\Windows\SysWOW64\Jpijnqkp.exe

Filesize
96KB

MD5
225b7aca19513b097b536a4e67ee73f9

SHA1
29079f53d05b3ea93d1b262f44d7346529fe98fd

SHA256
527270a0e28604eba8c0fb73d56d58f20637084489090cc57dd30e436125ec5d

SHA512
8f9d605a7d2dfb79af21dff12efab81a5a7d72c8c439b2cba2315ef16e822a1e8bc9fd33ef33986e6962e5eac3effe3aa3bd84e67efdc8a3717ee86bd9ca93de

Download Submit
C:\Windows\SysWOW64\Jplfcpin.exe

Filesize
96KB

MD5
6ebef435db7d7601971e5f75b9737eba

SHA1
f4bac13de6429a39d8411f1be74a72c18a36a420

SHA256
874dfd9e2de58758a3dcca1c8653d2152cb3fac0c9c330eaf141b94cb0411799

SHA512
29f96ab974a15f982973f7524083134bde8036d892ada67743032b2e75de1e0716ac1939a670af484893cb08465204657750c33f99001ce457a1b7ad0bf3b0d6

Download Submit
C:\Windows\SysWOW64\Kbfbkj32.exe

Filesize
96KB

MD5
6630d4bb01cda281d08895262a789683

SHA1
6a4e093f281c47d0f7c17b0b16588a874c44183b

SHA256
7715611bc025f0e11945b3bf3d072a3deef638cfce349aaf92b6a7eb39572d32

SHA512
6f37104d13a481c30afabde347d73996ff4681f52e0736c462a1a0c81c6fdcce3a9fd3d880eb7a2f40dce55017aa381b3e7d31ac0bf5c46403a6424b78a0fb9b

Download Submit
C:\Windows\SysWOW64\Kbhoqj32.exe

Filesize
96KB

MD5
c1ea0297694211c71c05af8fe13afa4f

SHA1
b892a046410e5485139f41b4adc64adb583beeae

SHA256
a97951646c59b39811f5bd689f639bac279fee19c0a9e73b0b78d15a41f490ee

SHA512
a83e766c9dd584011231bcc8a779351df187e57681eae3663a7c2fcd3bcbece645d45a57e7311e32250a2ff29b75c096a18a7a691afadb026e6b6e6e9cd43336

Download Submit
C:\Windows\SysWOW64\Kboljk32.exe

Filesize
96KB

MD5
63a9d47388a9491ca52a4754aec4e942

SHA1
b6c2b64fabad3b84396ac28dec9be73f13f3a6d7

SHA256
146cdb5dfdf5d69996ed508087d2706de65cb7ba123bf724e928dc1fbb6421b3

SHA512
f9c4d48076fc8b49b3f7b1608523b56872a05c7f7bb4ae4fc0b500b3d8a959d26ae1451eb21de4b9dfbf77924f2d81c578ab04ddd230584162bbe5436e3fd0e5

Download Submit
C:\Windows\SysWOW64\Kdnidn32.exe

Filesize
96KB

MD5
975de91936d16097f5770dec893365f9

SHA1
b528f958b6a832958ff5ba2a54dd1f8feaaa0c60

SHA256
b15e5a1604d55facc72517c3d2ea4bad42f14216a303af3ba3210a25bd0bfdbd

SHA512
9e91c332494e966c03e6dabd7d015045c41f151c919d4858527d9c0e5681d3e20fede30acf2141d725e374b3d74d0b639f93e758e51d6104c934ee09a83964d5

Download Submit
C:\Windows\SysWOW64\Kebbafoj.exe

Filesize
96KB

MD5
7849c73245dafe4f4f6a0d1261316fe4

SHA1
95f0b55bb035741b19dcb231ac5d5ebe84cc5d6c

SHA256
5a7a6b7ae3b93e5950b4f8c4f87dc8209ae149c348fd4219c879aca81bd0efaf

SHA512
c1dde3ffc56cdaa6072b1f76742cbfaca93d3c902bdc09b7c0134bfc6588aea56e1eec78cdece411a418e5197589be64f7a715344648d966fd94afe760f350f6

Download Submit
C:\Windows\SysWOW64\Kedoge32.exe

Filesize
96KB

MD5
78b454da627a9738cd3217af870dfc0b

SHA1
fe610b7d899d0a75225061e6f44a3a342609f89a

SHA256
32aa8723eb47005fa338154bca06fa81688bf35ea12130dedb08fd5e5538b72d

SHA512
98190c03d93ff02668900ce3618c10a3b2f5ae06ff78d8e4b3edc352688b7cc3bd09f7cf3deed2b48ba48f79657e25fdaff7d988f802b817cc25f6319cfa6537

Download Submit
C:\Windows\SysWOW64\Kemhff32.exe

Filesize
96KB

MD5
223dcba074877c17ffd759e4e8ca3b3e

SHA1
3ccc047415f08f264ae6bb69d30d6db3ce325fe9

SHA256
deea96a7511e49f41fbe7841bffd53c12d10bec9e94e2105e3be77c98fdfff6d

SHA512
b5ab829dbb715b4511f3b43d2fff3fe4d36b88c1892da7374f3dc85668328b0f940e19f67f8f3550c9279484878e689dc2eeae564c6f1b618d210a04c45f795b

Download Submit
C:\Windows\SysWOW64\Kfmepi32.exe

Filesize
96KB

MD5
0a73d1130fc5367cc17576dfc0dc71b3

SHA1
78d38913c8db80f1f5f250bf61ca4932d32f2ac4

SHA256
0855f90bb2ada0df51b2e72f993d1265896468caf0b7d0d91d6fc56d52d78422

SHA512
bbe621491d7e29f375d491f579ba5100d0a70bbdaaf6f499ddd27789df7cad6375750f0f59b033e2db0352cde790f586a81298e8039792d374f22bcbb3b6fddf

Download Submit
C:\Windows\SysWOW64\Klgqcqkl.exe

Filesize
96KB

MD5
33b8870ed6ab5bfedcbf46b7b873a34a

SHA1
4f997cc45c65eddabbee9fd5832d10fd20a7d63b

SHA256
7b24399123ccff0f063ea248081e734e303505848d44f420a7b19c98d584882e

SHA512
73831acf28c48d63c2a3756db3a4468aaf20a78940267603bf73c13390dc54a57c5ad6d42b5c1a85f00d0cd9b372f655027bc6af4639925a9e02bc8940824d37

Download Submit
C:\Windows\SysWOW64\Kmfmmcbo.exe

Filesize
96KB

MD5
8187a7594e7813be7c974df9cf3b36a1

SHA1
eb73f53a25b5c997fa21ea2c497d83e73a51d514

SHA256
038cf873f5403a7dfed3c527c5261ed8cf3d42180410fac27d0c7141048bdfa6

SHA512
5ec4f2dc9a84c6015afa14086873a4f2145284cc387ac51adbb4701154af3bb4eda33015510cd715e16ce08d2874f7b57154ad4efdb65673c7d0b8ab0680ba4e

Download Submit
C:\Windows\SysWOW64\Kmijbcpl.exe

Filesize
96KB

MD5
1be11dd08c1d5da255f6de3be1d1dc7a

SHA1
6bbf82cf436f8b0aebb629bc4d037ac95a76ce47

SHA256
8b8ed96aee36b0905afdff5ba346bc55a8fd1dbea36b7d0da1fe68bf4db7f261

SHA512
16d386654363ba0f4d0f9597454b7e9c39b64907fbf6e3559622abd6d002dad62ee7ea20244d7d24cf721877d3f17f1747d8cd90ec7e2d9cb8ffeafd1b4a8355

Download Submit
C:\Windows\SysWOW64\Kmkfhc32.exe

Filesize
96KB

MD5
d700543115248506414a1b3cbe08bf7a

SHA1
a0b5f166cd1d213ed397ed0fb796bd5ca7d9ea24

SHA256
c9dca1b3002607154312fccc4f1f3c203da81587f02254eddfa0e00aff8f97e2

SHA512
a59657c92bac038debbb327b89c19e0e4c88bb92b6adac3aaa51fc4bb6225a3386f5aa611edcbf532b52e9d0c757aeddd43c2848fc82d7b3858bd1bd416d0f76

Download Submit
C:\Windows\SysWOW64\Kmncnb32.exe

Filesize
96KB

MD5
13270ad04415fe6666a80f78f414fa32

SHA1
63d45e2687f81058177b046755ffa2f4dfaa8dfe

SHA256
a6a3f0594e1025a0b0c4bf05ac97fbe4910c9b55ea7831ff029d8dbabcf18b50

SHA512
2e32583d02ba2d12022466248763c0aa3a427b448f321c397a90889628bf46372efd97cc3d8ea778e7e6da1f3c6154b524b1d19dddf10f17853bde53dc8b4155

Download Submit
C:\Windows\SysWOW64\Kpeiioac.exe

Filesize
96KB

MD5
77a04ba4d8ed3db8af6850b3a613703e

SHA1
215ffaafffd8308e162c9b67451394dc9d62855d

SHA256
c7d095197929b153eb2fe2cdbe616e561e622d1d194c895e7dd916b5d1d20829

SHA512
e9c507af3eb17da1ae0e46929d0d4dcfb6ee36508812b8133e619ecda3559337e96feceff3b5f9c1097182583782c549748cab1b4cb5cde967cdbe1ba6910fd0

Download Submit
C:\Windows\SysWOW64\Kpgfooop.exe

Filesize
96KB

MD5
4b2d2eb9a6cbb58e6477fd23b19f4ec1

SHA1
8b46f5a148e2861536f9d1463f9e764bfd122762

SHA256
6872da6e4e75ee5b10d8f21624713ace60b9481b1a418621005dfec88c660cec

SHA512
428e1ea9bf0f538b25c246ebeb7a345c50a8551e5b338c06930786c90243f0638db3521fe209a6fedb41975e60e8131367888972bc99b7b78e758a3d27562e99

Download Submit
C:\Windows\SysWOW64\Kplpjn32.exe

Filesize
96KB

MD5
3664ce85b9cfb4284583f8deb314068e

SHA1
0904acad4262f8ce4272ddf42af64ac0337598da

SHA256
eb7f61badea3ecdac51d276f2376bcd43e93bb1d80305147ecd093342502a35c

SHA512
5ba3635bdad4ef0a65f40427400472b28c43eb05bfcdb8db7d9dccf80b38a3794af99a2fca633bf9899f871ca44ae5c91d49fd365de78210f771a690d457b9a8

Download Submit
C:\Windows\SysWOW64\Lbjlfi32.exe

Filesize
96KB

MD5
8cca645141931e9423373c76a32886b2

SHA1
5239d9f696d280a0501e4e7110c0f56acdf2661d

SHA256
c5d2d65d5050746d08572e5faad6fafce248f1f0b3f1075315f5c06792289ca5

SHA512
6f1211278d85d1a5cf9bc8ebb8d570707c4404c8476916b4369f35de6ea449c287ce334d9f117684c34ca4648484e2ebd36d7f3a70eca866422d51caddcc5ccb

Download Submit
C:\Windows\SysWOW64\Leihbeib.exe

Filesize
96KB

MD5
2fb0ef6dce43ca22e3b7fe37a55d2945

SHA1
8b8fd13cec70a2e817c19770612808bec141f7bb

SHA256
4159bbc7fb39ed57dabe60999016f922640d7a9f6d5bf81192dc1c9d048c279c

SHA512
0b7badcafe70bceba57c8601f2f53b5f1b8785a2f45dc103191a38c466111e195b64d4cf9384daa2557e5287b850f35a6d2136d2645a1ce082bcef30248b8745

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
96KB

MD5
48499f14b94b9ee1c004c7f22aff01af

SHA1
2298d7443a9e57a4e95e3ccf7cb9520e4b03fb95

SHA256
5c9930dad1f3443452df877d374355fc6f5db9ca843c46ce14c6974ec1c84fdc

SHA512
894b74fc6825ffe7dca377221cc742cb6207abb911ac26301ffcc2909c8c4561e9add1a95103d428c4b56508cf945a84378ca97dc0ba18e17e444d0d453fce52

Download Submit
C:\Windows\SysWOW64\Liddbc32.exe

Filesize
96KB

MD5
dbecddefd1975531a94cc57d041810c3

SHA1
790e0f84621f623e65034fcbaf9ad19942ae993d

SHA256
cbb6d52a9985cc356cf8736d1c2031f4a8e43ac2abf287bd6744d8d91f421e2f

SHA512
925ed55474c9d82b3a2f6b256f0a197700306a48d94426a2b4eed07759b269c3fd97032cc69a87f94510f8e56569684a8123d259ca7464226bcc9453a56240f7

Download Submit
C:\Windows\SysWOW64\Lpnlpnih.exe

Filesize
96KB

MD5
a680d4319bf3350414d9ddbd381085ef

SHA1
1635bea57ac60da060d198ac8da0227c5227606b

SHA256
240137d4cc99785869f8951a36e62618df546b5caf207315f56aaa9fcef5132a

SHA512
6cf047937aaa841b61bf86ac6c9bd07f4264515cf43ee81ce49d04c1953da32ae6b4ed2735ca2b817ad639059dcc3f119d04a5b78d172a7b8fcdbcf4ec6d53a9

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
96KB

MD5
a566efaa3bd033dd4b17ff4837757363

SHA1
237aee6001b86732d0fbb992eade51696d1aa0b0

SHA256
eebad1b90784fd82996e88a83a5cd6381f216d3f6ac23710c94b34a09e6fa03f

SHA512
0069554a514bfb8fe00f15838a024a851a56b1671479eff920bf7bd8abc44c9dad81b5dc23548b9068fb041d1475a6cadb679e3c783fa5b9ed36e51bd2dc5bc6

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
96KB

MD5
caab053a37ed30110d6d0080f1670c72

SHA1
88d1ff1e25a9e84c739703305755c230c9a6081d

SHA256
329adde22ccb513fd022c43ed84947915ca8a2fe911c11034d03c63aadb959f3

SHA512
900472d84d7b58f79394a98d96b297185a616ca1b7ee00bd1f9f20fcde07d341fae608226593bd67c67b94bea6c2cbae83691f16e561b5eccd00974fc9de0892

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
96KB

MD5
8865967cdb08a8bbeffb04f2294feef8

SHA1
dd3faf6f94a4cd3dee666d1e0d94d0ba7707be55

SHA256
3f945188a363ccd68a210a8c80ee369f9e3466a408057c98decd50a9e2aed536

SHA512
59c8fcd75531f0601de009b4903818d26b8b5d3f6bc617464f28f9dc04269d6a1c82ca3093b801312e7e9eeb7bed9ab847fdef84d34714aed62cd7a0173c0984

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
96KB

MD5
eda51d243fd2b5344f597e0f90f9c6a4

SHA1
214b61e51ca8d7e387aadd0f33bd7cffb3342256

SHA256
27ff2cd05d9755f0c30ab3d681db1bf8f107327bfaad6a6799216c3ca6e2780e

SHA512
3051f6e85637fe12e4ed05b0121ffc90422334ddd958ea27b08d49585eb22f44c403f4f9d3fe6f29a5727709d68ef82bd0dd59d0afc14dfc9529905855f5a2d5

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
96KB

MD5
005ca84fa3b7d83b0ee3d18020f8de53

SHA1
815f052c93fe69f0dcb14cc462fee4fe81d1bdb8

SHA256
8a6ca0383bbde1a97e04f2081dae88d4509c79fb558ed6cd0388b1cf3b8ea4aa

SHA512
cfb3c9ad595cce13b80b33345560ea68f9235c6840d6d032ded4b83884ba9806e1bc205d25b3b4a0fda30baf6313f0dff1cc7c5fe29522503f3224c3e44efd58

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
96KB

MD5
a96cd3c083d892f0ff9ae8995c3ce535

SHA1
ab1510c74944189856555e1f258ec491ed547934

SHA256
428ae5d27181a4ecd9611e9201d8b9ccee2efa0360a639fcf8009cf4cd40a06f

SHA512
647291dede023cd893af6ac4f114d40977c79f727aa7521bd7821fd003d5ffbfdb11dcc831f9210be381bb1c9d402c1bae01e2ce86d2b636894988b601b182ba

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
64KB

MD5
f172dc8aa608c12b72848e4e38331cf7

SHA1
175924c711fbeca1363ae63fe442761588b165d2

SHA256
c4f7618c8661d76160b563d1b90df030703c9cc0cc4e578136176255c416cbf7

SHA512
7a5b430a445df0a5a0d0837318c4cab7db89d5e5e66c771a8b40a7f3bbc1713a232ddb8c6575342bb5cf4e844f59d34e29b0c6f12f42d5f9302aaf149fcdc5c1

Download Submit
memory/8-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/376-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/436-572-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/624-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/712-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/732-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/828-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/848-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/856-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1052-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1172-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1192-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1288-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1312-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1480-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1484-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1596-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1636-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1660-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1724-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1788-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1844-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1944-550-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1996-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2036-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2036-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2176-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2180-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2192-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2192-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2204-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2272-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2276-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2304-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2328-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2332-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2388-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2452-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2464-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2520-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2524-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2548-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2548-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2664-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2668-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2672-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2672-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2692-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2816-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2828-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2852-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2864-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2932-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2932-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2932-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2944-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2948-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2960-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2980-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3060-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3084-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3112-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3248-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3308-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3372-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3412-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3412-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3452-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3492-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3584-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3620-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3788-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3832-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3860-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3900-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3900-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4012-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4104-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4284-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4292-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4304-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4372-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4400-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4416-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4424-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4432-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4496-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4548-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4624-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4752-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4876-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4892-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4984-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5016-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5048-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5048-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6416-1355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6516-1354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6552-1419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6624-1353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7160-1392-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download