berbew | ce9eaa9c0dbac34c7b4792aa856b0b96c1d0b7fad5926c56e554b81b46c5be66

Analysis

max time kernel
95s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 03:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce9eaa9c0dbac34c7b4792aa856b0b96c1d0b7fad5926c56e554b81b46c5be66.exe
Size

79KB
MD5

65b08750ea572c03cedf8ccf6b9949a2
SHA1

2e9eaff97189b8f4036e7144fdaefb2bb9f43846
SHA256

ce9eaa9c0dbac34c7b4792aa856b0b96c1d0b7fad5926c56e554b81b46c5be66
SHA512

770b7ae64172f9e2a3836b678eb4edbddf3a8d1ce4444ab9bb674a268876beb46a323ef41c3c1f1eb76d19064fc9f302688613d1addf46f1ac6cb17e73129d09
SSDEEP

1536:v1rSXJExeiMHIW7ZhNplD/UEUiFkSIgiItKq9v6DK:vl0JEx5II6NbUEUixtBtKq9vV

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Lbmhlihl.exeAmddjegd.exeLebkhc32.exeCjinkg32.exeDmgbnq32.exeKdcbom32.exePnlaml32.exeCndikf32.exeCeckcp32.exeLlcpoo32.exeLphoelqn.exeMlhbal32.exeAcjclpcf.exeDkkcge32.exeKpbmco32.exeNloiakho.exePfolbmje.exeQceiaa32.exeAgjhgngj.exeCmiflbel.exeCnicfe32.exeMipcob32.exeCjkjpgfi.exeKemhff32.exeMgkjhe32.exeNjciko32.exeBmbplc32.exeLdleel32.exeBnbmefbg.exeDhfajjoj.exeKfmepi32.exeMcmabg32.exeNgdmod32.exePcppfaka.exeCeqnmpfo.exeCnnlaehj.exeLepncd32.exeNebdoa32.exeOjllan32.exeNjefqo32.exeQmkadgpo.exeBjmnoi32.exece9eaa9c0dbac34c7b4792aa856b0b96c1d0b7fad5926c56e554b81b46c5be66.exeKlngdpdd.exeMgagbf32.exeQgcbgo32.exeCenahpha.exeKdgljmcd.exeMckemg32.exeOcbddc32.exeDmefhako.exeDfnjafap.exeOgkcpbam.exeBcjlcn32.exeBjddphlq.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbmhlihl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lebkhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcbom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llcpoo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphoelqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpbmco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nloiakho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mipcob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kemhff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgkjhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njciko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kemhff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldleel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphoelqn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfmepi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcmabg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lepncd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nebdoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojllan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ce9eaa9c0dbac34c7b4792aa856b0b96c1d0b7fad5926c56e554b81b46c5be66.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klngdpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgagbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfmepi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klngdpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdgljmcd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgagbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mckemg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgkjhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

Processes:

Jcioiood.exeJifhaenk.exeJpppnp32.exeKemhff32.exeKpbmco32.exeKdnidn32.exeKfmepi32.exeKpeiioac.exeKimnbd32.exeKdcbom32.exeKedoge32.exeKlngdpdd.exeKefkme32.exeKdgljmcd.exeLeihbeib.exeLlcpoo32.exeLbmhlihl.exeLigqhc32.exeLdleel32.exeLmdina32.exeLpcfkm32.exeLepncd32.exeLljfpnjg.exeLbdolh32.exeLebkhc32.exeLphoelqn.exeMgagbf32.exeMipcob32.exeMpjlklok.exeMegdccmb.exeMlampmdo.exeMckemg32.exeMeiaib32.exeMpoefk32.exeMcmabg32.exeMlefklpj.exeMgkjhe32.exeMiifeq32.exeMlhbal32.exeNgmgne32.exeNpfkgjdn.exeNebdoa32.exeNgbpidjh.exeNloiakho.exeNgdmod32.exeNjciko32.exeNlaegk32.exeNggjdc32.exeNjefqo32.exeOdkjng32.exeOflgep32.exeOlfobjbg.exeOgkcpbam.exeOcbddc32.exeOjllan32.exeOnhhamgg.exeOdapnf32.exeOjoign32.exeOqhacgdh.exeOcgmpccl.exeOgbipa32.exePnlaml32.exePcijeb32.exePfhfan32.exe

pid	Process
4544	Jcioiood.exe
4024	Jifhaenk.exe
4204	Jpppnp32.exe
2196	Kemhff32.exe
116	Kpbmco32.exe
2024	Kdnidn32.exe
3476	Kfmepi32.exe
3584	Kpeiioac.exe
3292	Kimnbd32.exe
2468	Kdcbom32.exe
2556	Kedoge32.exe
1692	Klngdpdd.exe
2324	Kefkme32.exe
1464	Kdgljmcd.exe
3180	Leihbeib.exe
3096	Llcpoo32.exe
2392	Lbmhlihl.exe
944	Ligqhc32.exe
1528	Ldleel32.exe
2276	Lmdina32.exe
3908	Lpcfkm32.exe
4052	Lepncd32.exe
1560	Lljfpnjg.exe
1868	Lbdolh32.exe
4656	Lebkhc32.exe
5056	Lphoelqn.exe
5060	Mgagbf32.exe
2212	Mipcob32.exe
3640	Mpjlklok.exe
4996	Megdccmb.exe
672	Mlampmdo.exe
2772	Mckemg32.exe
3324	Meiaib32.exe
3084	Mpoefk32.exe
4844	Mcmabg32.exe
4152	Mlefklpj.exe
3264	Mgkjhe32.exe
5032	Miifeq32.exe
1108	Mlhbal32.exe
3628	Ngmgne32.exe
2596	Npfkgjdn.exe
3652	Nebdoa32.exe
3960	Ngbpidjh.exe
864	Nloiakho.exe
4560	Ngdmod32.exe
2868	Njciko32.exe
212	Nlaegk32.exe
3052	Nggjdc32.exe
4504	Njefqo32.exe
1888	Odkjng32.exe
3000	Oflgep32.exe
1836	Olfobjbg.exe
2544	Ogkcpbam.exe
920	Ocbddc32.exe
496	Ojllan32.exe
2380	Onhhamgg.exe
4348	Odapnf32.exe
2740	Ojoign32.exe
4880	Oqhacgdh.exe
4592	Ocgmpccl.exe
4188	Ogbipa32.exe
1920	Pnlaml32.exe
4624	Pcijeb32.exe
3744	Pfhfan32.exe

Drops file in System32 directory 64 IoCs

Processes:

Pnfdcjkg.exeCeqnmpfo.exeMgagbf32.exeMpoefk32.exeMlefklpj.exeNgdmod32.exeOflgep32.exeOcbddc32.exeCnicfe32.exeChjaol32.exeKdnidn32.exeMgkjhe32.exeNgbpidjh.exeNjciko32.exeOcgmpccl.exePcijeb32.exeLlcpoo32.exeLigqhc32.exeQgcbgo32.exeCndikf32.exeDejacond.exeDfknkg32.exeKdgljmcd.exeCjmgfgdf.exeOjoign32.exeAjanck32.exeBcoenmao.exeDhmgki32.exeCmnpgb32.exeDkkcge32.exece9eaa9c0dbac34c7b4792aa856b0b96c1d0b7fad5926c56e554b81b46c5be66.exeKpeiioac.exeKefkme32.exeLebkhc32.exeBcjlcn32.exeJcioiood.exeAcjclpcf.exeDmgbnq32.exeDopigd32.exeLbmhlihl.exeLmdina32.exeLpcfkm32.exeOnhhamgg.exeQmkadgpo.exeMegdccmb.exeNebdoa32.exeCmgjgcgo.exeChcddk32.exeMlampmdo.exeBmemac32.exeNpfkgjdn.exeOlfobjbg.exePfhfan32.exePfolbmje.exeAeniabfd.exeBnbmefbg.exeKemhff32.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Pcbmka32.exe	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Bagcnd32.dll	Mgagbf32.exe
File opened for modification	C:\Windows\SysWOW64\Mcmabg32.exe	Mpoefk32.exe
File created	C:\Windows\SysWOW64\Mgkjhe32.exe	Mlefklpj.exe
File opened for modification	C:\Windows\SysWOW64\Njciko32.exe	Ngdmod32.exe
File created	C:\Windows\SysWOW64\Olfobjbg.exe	Oflgep32.exe
File opened for modification	C:\Windows\SysWOW64\Ojllan32.exe	Ocbddc32.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Kfmepi32.exe	Kdnidn32.exe
File created	C:\Windows\SysWOW64\Miifeq32.exe	Mgkjhe32.exe
File created	C:\Windows\SysWOW64\Ifndpaoq.dll	Ngbpidjh.exe
File created	C:\Windows\SysWOW64\Nlaegk32.exe	Njciko32.exe
File opened for modification	C:\Windows\SysWOW64\Ogbipa32.exe	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Pfhfan32.exe	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Leedqpci.dll	Llcpoo32.exe
File created	C:\Windows\SysWOW64\Efhaoapj.dll	Ligqhc32.exe
File created	C:\Windows\SysWOW64\Ajanck32.exe	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Ncmlocln.dll	Kdgljmcd.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Oqhacgdh.exe	Ojoign32.exe
File created	C:\Windows\SysWOW64\Acjclpcf.exe	Ajanck32.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Ingapb32.dll	ce9eaa9c0dbac34c7b4792aa856b0b96c1d0b7fad5926c56e554b81b46c5be66.exe
File opened for modification	C:\Windows\SysWOW64\Kimnbd32.exe	Kpeiioac.exe
File opened for modification	C:\Windows\SysWOW64\Kdgljmcd.exe	Kefkme32.exe
File opened for modification	C:\Windows\SysWOW64\Lphoelqn.exe	Lebkhc32.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Jifhaenk.exe	Jcioiood.exe
File created	C:\Windows\SysWOW64\Hmcjlfqa.dll	Ajanck32.exe
File created	C:\Windows\SysWOW64\Aclpap32.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Ligqhc32.exe	Lbmhlihl.exe
File created	C:\Windows\SysWOW64\Amhpcomb.dll	Lmdina32.exe
File created	C:\Windows\SysWOW64\Lepncd32.exe	Lpcfkm32.exe
File created	C:\Windows\SysWOW64\Naekcf32.dll	Onhhamgg.exe
File opened for modification	C:\Windows\SysWOW64\Qceiaa32.exe	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Mlampmdo.exe	Megdccmb.exe
File created	C:\Windows\SysWOW64\Ngbpidjh.exe	Nebdoa32.exe
File opened for modification	C:\Windows\SysWOW64\Odapnf32.exe	Onhhamgg.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Gfhkicbi.dll	Mlampmdo.exe
File created	C:\Windows\SysWOW64\Mchqfb32.dll	Mpoefk32.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Nebdoa32.exe	Npfkgjdn.exe
File created	C:\Windows\SysWOW64\Lcnhho32.dll	Olfobjbg.exe
File created	C:\Windows\SysWOW64\Dbnamnpl.dll	Pfhfan32.exe
File opened for modification	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Bfddbh32.dll	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Qoecnk32.dll	Kemhff32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
5672	5496	WerFault.exe	210

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Dhmgki32.exeChjaol32.exeKdgljmcd.exeMckemg32.exeAmddjegd.exeBjddphlq.exeDmefhako.exeLlcpoo32.exeCmgjgcgo.exeDhfajjoj.exeBcoenmao.exeCenahpha.exeDdonekbl.exeKfmepi32.exeLbdolh32.exeMipcob32.exeMgkjhe32.exeCeqnmpfo.exece9eaa9c0dbac34c7b4792aa856b0b96c1d0b7fad5926c56e554b81b46c5be66.exeBmbplc32.exeLeihbeib.exePnfdcjkg.exeCmiflbel.exeNebdoa32.exeCnnlaehj.exeBjmnoi32.exeDeagdn32.exeMegdccmb.exeNpfkgjdn.exeNlaegk32.exeAgjhgngj.exeJifhaenk.exeMlhbal32.exeDmllipeg.exeQmkadgpo.exeCmnpgb32.exeKimnbd32.exeLphoelqn.exePcijeb32.exePfolbmje.exePfhfan32.exePjhlml32.exeBnbmefbg.exeKedoge32.exeLljfpnjg.exeMpjlklok.exeOdkjng32.exeKpbmco32.exeKpeiioac.exeKefkme32.exeAcjclpcf.exeLebkhc32.exeOdapnf32.exeLepncd32.exeOlfobjbg.exeBjagjhnc.exeDopigd32.exeDejacond.exeNgbpidjh.exeOgbipa32.exePjeoglgc.exeCdabcm32.exeNjefqo32.exePnlaml32.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdgljmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mckemg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llcpoo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfmepi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbdolh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mipcob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgkjhe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ce9eaa9c0dbac34c7b4792aa856b0b96c1d0b7fad5926c56e554b81b46c5be66.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leihbeib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nebdoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Megdccmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npfkgjdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jifhaenk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhbal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kimnbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lphoelqn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kedoge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lljfpnjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpjlklok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odkjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpbmco32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpeiioac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kefkme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lebkhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepncd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngbpidjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe

Modifies registry class 64 IoCs

Processes:

Kdgljmcd.exeLmdina32.exeOdkjng32.exeBcjlcn32.exeBjddphlq.exeBmbplc32.exeKpeiioac.exeNgdmod32.exeCnnlaehj.exeDmgbnq32.exeKdnidn32.exeKefkme32.exeOqhacgdh.exeChcddk32.exeDmefhako.exeDdonekbl.exeMipcob32.exeMegdccmb.exeQgcbgo32.exeCndikf32.exeNjciko32.exeNggjdc32.exeOflgep32.exeMlefklpj.exeCjmgfgdf.exeDfnjafap.exeLpcfkm32.exeBnbmefbg.exeDejacond.exeCnicfe32.exeKlngdpdd.exeOgbipa32.exeNloiakho.exeNjefqo32.exeLbdolh32.exeBjagjhnc.exeDhfajjoj.exeKimnbd32.exeLbmhlihl.exeMcmabg32.exeCmiflbel.exePnlaml32.exeBcoenmao.exeCjkjpgfi.exeLlcpoo32.exeLdleel32.exeChjaol32.exece9eaa9c0dbac34c7b4792aa856b0b96c1d0b7fad5926c56e554b81b46c5be66.exeKdcbom32.exeKemhff32.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdgljmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmdina32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpeiioac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngdmod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdnidn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kefkme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpbkoql.dll"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecaobgnf.dll"	Mipcob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Megdccmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeobam32.dll"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdeflhhf.dll"	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfhoiaf.dll"	Oflgep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlefklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpcfkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klngdpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amhpcomb.dll"	Lmdina32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpkknm32.dll"	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfligghk.dll"	Njciko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhkngh32.dll"	Kefkme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbdolh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lffnijnj.dll"	Mlefklpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kimnbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lbmhlihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjiccacq.dll"	Mcmabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llcpoo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldleel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	ce9eaa9c0dbac34c7b4792aa856b0b96c1d0b7fad5926c56e554b81b46c5be66.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojleohnl.dll"	Kdcbom32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kefkme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njciko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kemhff32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ce9eaa9c0dbac34c7b4792aa856b0b96c1d0b7fad5926c56e554b81b46c5be66.exeJcioiood.exeJifhaenk.exeJpppnp32.exeKemhff32.exeKpbmco32.exeKdnidn32.exeKfmepi32.exeKpeiioac.exeKimnbd32.exeKdcbom32.exeKedoge32.exeKlngdpdd.exeKefkme32.exeKdgljmcd.exeLeihbeib.exeLlcpoo32.exeLbmhlihl.exeLigqhc32.exeLdleel32.exeLmdina32.exeLpcfkm32.exe

description	pid	Process	procid_target
PID 3496 wrote to memory of 4544	3496	ce9eaa9c0dbac34c7b4792aa856b0b96c1d0b7fad5926c56e554b81b46c5be66.exe	83
PID 3496 wrote to memory of 4544	3496	ce9eaa9c0dbac34c7b4792aa856b0b96c1d0b7fad5926c56e554b81b46c5be66.exe	83
PID 3496 wrote to memory of 4544	3496	ce9eaa9c0dbac34c7b4792aa856b0b96c1d0b7fad5926c56e554b81b46c5be66.exe	83
PID 4544 wrote to memory of 4024	4544	Jcioiood.exe	84
PID 4544 wrote to memory of 4024	4544	Jcioiood.exe	84
PID 4544 wrote to memory of 4024	4544	Jcioiood.exe	84
PID 4024 wrote to memory of 4204	4024	Jifhaenk.exe	85
PID 4024 wrote to memory of 4204	4024	Jifhaenk.exe	85
PID 4024 wrote to memory of 4204	4024	Jifhaenk.exe	85
PID 4204 wrote to memory of 2196	4204	Jpppnp32.exe	86
PID 4204 wrote to memory of 2196	4204	Jpppnp32.exe	86
PID 4204 wrote to memory of 2196	4204	Jpppnp32.exe	86
PID 2196 wrote to memory of 116	2196	Kemhff32.exe	87
PID 2196 wrote to memory of 116	2196	Kemhff32.exe	87
PID 2196 wrote to memory of 116	2196	Kemhff32.exe	87
PID 116 wrote to memory of 2024	116	Kpbmco32.exe	88
PID 116 wrote to memory of 2024	116	Kpbmco32.exe	88
PID 116 wrote to memory of 2024	116	Kpbmco32.exe	88
PID 2024 wrote to memory of 3476	2024	Kdnidn32.exe	89
PID 2024 wrote to memory of 3476	2024	Kdnidn32.exe	89
PID 2024 wrote to memory of 3476	2024	Kdnidn32.exe	89
PID 3476 wrote to memory of 3584	3476	Kfmepi32.exe	90
PID 3476 wrote to memory of 3584	3476	Kfmepi32.exe	90
PID 3476 wrote to memory of 3584	3476	Kfmepi32.exe	90
PID 3584 wrote to memory of 3292	3584	Kpeiioac.exe	91
PID 3584 wrote to memory of 3292	3584	Kpeiioac.exe	91
PID 3584 wrote to memory of 3292	3584	Kpeiioac.exe	91
PID 3292 wrote to memory of 2468	3292	Kimnbd32.exe	92
PID 3292 wrote to memory of 2468	3292	Kimnbd32.exe	92
PID 3292 wrote to memory of 2468	3292	Kimnbd32.exe	92
PID 2468 wrote to memory of 2556	2468	Kdcbom32.exe	93
PID 2468 wrote to memory of 2556	2468	Kdcbom32.exe	93
PID 2468 wrote to memory of 2556	2468	Kdcbom32.exe	93
PID 2556 wrote to memory of 1692	2556	Kedoge32.exe	94
PID 2556 wrote to memory of 1692	2556	Kedoge32.exe	94
PID 2556 wrote to memory of 1692	2556	Kedoge32.exe	94
PID 1692 wrote to memory of 2324	1692	Klngdpdd.exe	95
PID 1692 wrote to memory of 2324	1692	Klngdpdd.exe	95
PID 1692 wrote to memory of 2324	1692	Klngdpdd.exe	95
PID 2324 wrote to memory of 1464	2324	Kefkme32.exe	96
PID 2324 wrote to memory of 1464	2324	Kefkme32.exe	96
PID 2324 wrote to memory of 1464	2324	Kefkme32.exe	96
PID 1464 wrote to memory of 3180	1464	Kdgljmcd.exe	97
PID 1464 wrote to memory of 3180	1464	Kdgljmcd.exe	97
PID 1464 wrote to memory of 3180	1464	Kdgljmcd.exe	97
PID 3180 wrote to memory of 3096	3180	Leihbeib.exe	98
PID 3180 wrote to memory of 3096	3180	Leihbeib.exe	98
PID 3180 wrote to memory of 3096	3180	Leihbeib.exe	98
PID 3096 wrote to memory of 2392	3096	Llcpoo32.exe	99
PID 3096 wrote to memory of 2392	3096	Llcpoo32.exe	99
PID 3096 wrote to memory of 2392	3096	Llcpoo32.exe	99
PID 2392 wrote to memory of 944	2392	Lbmhlihl.exe	100
PID 2392 wrote to memory of 944	2392	Lbmhlihl.exe	100
PID 2392 wrote to memory of 944	2392	Lbmhlihl.exe	100
PID 944 wrote to memory of 1528	944	Ligqhc32.exe	101
PID 944 wrote to memory of 1528	944	Ligqhc32.exe	101
PID 944 wrote to memory of 1528	944	Ligqhc32.exe	101
PID 1528 wrote to memory of 2276	1528	Ldleel32.exe	102
PID 1528 wrote to memory of 2276	1528	Ldleel32.exe	102
PID 1528 wrote to memory of 2276	1528	Ldleel32.exe	102
PID 2276 wrote to memory of 3908	2276	Lmdina32.exe	103
PID 2276 wrote to memory of 3908	2276	Lmdina32.exe	103
PID 2276 wrote to memory of 3908	2276	Lmdina32.exe	103
PID 3908 wrote to memory of 4052	3908	Lpcfkm32.exe	104

C:\Users\Admin\AppData\Local\Temp\ce9eaa9c0dbac34c7b4792aa856b0b96c1d0b7fad5926c56e554b81b46c5be66.exe
"C:\Users\Admin\AppData\Local\Temp\ce9eaa9c0dbac34c7b4792aa856b0b96c1d0b7fad5926c56e554b81b46c5be66.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3496
- C:\Windows\SysWOW64\Jcioiood.exe
  C:\Windows\system32\Jcioiood.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4544
- - C:\Windows\SysWOW64\Jifhaenk.exe
    C:\Windows\system32\Jifhaenk.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4024
  - - C:\Windows\SysWOW64\Jpppnp32.exe
      C:\Windows\system32\Jpppnp32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4204
    - - C:\Windows\SysWOW64\Kemhff32.exe
        
        C:\Windows\system32\Kemhff32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2196
      - C:\Windows\SysWOW64\Kpbmco32.exe
        
        C:\Windows\system32\Kpbmco32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\SysWOW64\Kfmepi32.exe
        
        C:\Windows\system32\Kfmepi32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3476
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3584
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3292
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3180
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3096
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:944
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3908
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4052
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1560
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1868
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4656
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5056
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5060
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2212
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3640
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:672
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2772
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        34⤵
        Executes dropped EXE
        
        PID:3324
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3084
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4844
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4152
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3264
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        39⤵
        Executes dropped EXE
        
        PID:5032
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1108
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        41⤵
        Executes dropped EXE
        
        PID:3628
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2596
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3652
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3960
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:864
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4560
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2868
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:212
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4504
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1888
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1836
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2544
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:920
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:496
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2380
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4348
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2740
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4880
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4592
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4188
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4624
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3744
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:4148
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:3976
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:412
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3556
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        71⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        72⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2632
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4920
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        75⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:800
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        77⤵
        Drops file in System32 directory
        
        PID:1376
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1992
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        79⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3696
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        82⤵
        Drops file in System32 directory
        
        PID:4848
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        83⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3236
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        85⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        86⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4580
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3488
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4032
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        90⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        91⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2412
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        93⤵
        Drops file in System32 directory
        
        PID:2132
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4664
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4456
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3792
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5160
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        98⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5204
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5248
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:5304
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5452
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        104⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5508
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5552
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5604
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        107⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5660
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        108⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        111⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5840
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        112⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5876
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        113⤵
        Drops file in System32 directory
        
        PID:5928
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5968
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        115⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6056
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        118⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        119⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5224
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5344
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        121⤵
        System Location Discovery: System Language Discovery
        
        PID:5408
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:5496
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5496 -s 232
        123⤵
        Program crash
        
        PID:5672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5496 -ip 5496
1⤵
PID:5620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
79KB

MD5
9367e5d18d20ea899966c0e2fa89eef0

SHA1
84d0c1af6a537afee18795c4e79fad63ff75b7e8

SHA256
22d5d0ccceb8d233e96848421c8c1ca7d926589d422f3a39eee66388ddcabead

SHA512
4a45f114fd504be12ae41c57a7059c12bdc0898a35ee0583942bdc627446339d4ef03430936ed9e79f257773e30bd6f836b8853aee6913fe9befac1c821646bc

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
79KB

MD5
a04a2eb4986366c33c911fff3e21a25d

SHA1
9b360c6042a017931d060747275f421afa49edca

SHA256
22aef83ba7f577dcca64278ec6c9550b4997c79f4beaae42380c15dcccc92e8f

SHA512
9fcb9c9818527683010993781803a847ecd51f7472ce6bba80ab2f87848d6cd6767c67bea0b3f56dae59363e3438e5151357619f52efcd62f2afa5500a6868c6

Download Submit
C:\Windows\SysWOW64\Jcioiood.exe

Filesize
79KB

MD5
a30fadf57137a2d92f9fdf2efd436414

SHA1
57d0bc9859465623c0ad49129e58b3ffe4e9af7d

SHA256
0dd186cfae2b7d1f181f45afe00dee7a7f0c41ac873fa4d2670c409bfd84d830

SHA512
557dd567ff2392ec2c0a935fc29ff85ef9d49148b105f50f3dc6657ded54e63626fe94b7b12fe1aefbd9143261d2e36729edccd65f3609fa630f80b481cc5c2f

Download Submit
C:\Windows\SysWOW64\Jifhaenk.exe

Filesize
79KB

MD5
caeb4478c6fad3f48063d0f76ff8f5cb

SHA1
2f73ad44d5e566c49fd641e918750992f3d4b6bb

SHA256
ab981ea0a31f107d6e79669108a02c4a511794a2ebcd29ba51c1f9152251af9a

SHA512
09a2c8292218a42c231cda6a833ce350fab4132310f7e1ca0f436b16fa23a2fd89b379352353ead9c3f0b85eaddaa984b849e96d275182c36d073c4f3d5e02b8

Download Submit
C:\Windows\SysWOW64\Jpppnp32.exe

Filesize
79KB

MD5
960b3b8bfc39abf83353b27576cca56c

SHA1
cfadc468646fb3f71c8ed43bdb3482510cc59f84

SHA256
de40929c2f0b9942b1fd08ea2ab2a75d9033b51360b586e20db11a032d207fc3

SHA512
70eb405167457bceb871529c6e27ff62c212f620691404e66792c3c4744d5bdc757499e069bec8a932e0f60e51fb5c170331a39cc050ac8543a379faccfc0105

Download Submit
C:\Windows\SysWOW64\Kdcbom32.exe

Filesize
79KB

MD5
3f2e32bb7f0938c6a57dfaf8139d4d4f

SHA1
0846cf62e68bd6e0330b9d2501b802814c7da76f

SHA256
b3b626b609b8de27338a79e4df9171039329373dd62b8fe4a9b8fded13a8374d

SHA512
90424c72863bd8d7eaed948ac04c162412fb11b9cde7afd1db2b5aa5eb0d0dcdfa4c07f781288e1a29eef0df98b41f4b4ec000b631d52e56b410626889646607

Download Submit
C:\Windows\SysWOW64\Kdgljmcd.exe

Filesize
79KB

MD5
d2793118d6562dad834da57901a57e2e

SHA1
10fed4bead9d7aac2a274898a838d10885a63afe

SHA256
c1430644069d3e73f14b73adc92ebf14ae6db8d11140d51debfa7adefe4c4a33

SHA512
a39797884ed0b47814e2e30fbb99a19c40b93c7bdfa9e7f88e0b80901966becc0f63f846383413a60e714266caacd4f6a9443e2ffb87e49889c973ae19457da7

Download Submit
C:\Windows\SysWOW64\Kdnidn32.exe

Filesize
79KB

MD5
da741f162cefaeafef01abf20a6d2541

SHA1
584012a3dda21e8ea219327f61051553c1bfe797

SHA256
397f13d5e47ad291ab47b3933460ff4cdca0e5f102cda6a0e225a9bc244240df

SHA512
b07c3254adbc089e79404828bd515d4e067171cc5973db874e4a1b2ac76d0e70916717c3f77c29996cc3e9e8d3c00b6d30325c27ef13b015cc71b318961d252b

Download Submit
C:\Windows\SysWOW64\Kedoge32.exe

Filesize
79KB

MD5
24ed69a6d3d07ee1f015cc3621a09381

SHA1
8ab2364bc0e995cfb4371f272d027f995edbad79

SHA256
7b12f80766794fad4f4ddfcfe5bb3dd399f1550c84bf3b6bfb75167c41fc19c5

SHA512
a06474f41bdbcdf32c7be1abd15ae501b5fc10286d32c20f588e1d594529c9d4818237920b0c233183f455f57e44e4c081ca923c2e9e0640fd09db52b0362f4c

Download Submit
C:\Windows\SysWOW64\Kefkme32.exe

Filesize
79KB

MD5
c017fa4e3564c4d468d65ea4749f1c22

SHA1
d47a194fc3e635b4d0b56f6fcba762359c2d0f51

SHA256
5757544f4c987e930a81a738003822ad92ceb03d8cdea32e45fa096d4a5d0e6f

SHA512
2e7df6b730171cd21039f863ff66d7bed6283e706193546cd0348059a3685ae0e4a1a2c7a94b0adef41a9d0a5097d6253677fc1db9248204fe11d47b89ef58c4

Download Submit
C:\Windows\SysWOW64\Kemhff32.exe

Filesize
79KB

MD5
2f5ff19615536ee500931f7c26287ee5

SHA1
4975162b1482735e912cd34a1dc268125b15e29f

SHA256
f615cbe2538aaf7c69202bf7d2d9df4aa068637a36caefe14b9dcb254d0b16b3

SHA512
5ad7a9d4206c72af6738fa531b3d4e71aa9e9634a23881027e3983077a426da6bd94b45a82acb7e44e6682ccdef0b98fa7d67c61597a9d975cd19dced4a9605d

Download Submit
C:\Windows\SysWOW64\Kfmepi32.exe

Filesize
79KB

MD5
84cc4fec78c5f0c8c57f9d539e0ede78

SHA1
c62dc9bede02143af20a7a6db68f9cc3e2d50f92

SHA256
d881db88c340941e0a203507e4b198640d52f307fae9bb5e997c9713dd4aa4ce

SHA512
f6d670792bf5d64e7fa64f62b64b7b85c35b714967e46dc3832b49e9eac2fe3490610935c26ebd6a2dbd4999e838b90785e49b9fa6d83b3c79fe0dfc33670e86

Download Submit
C:\Windows\SysWOW64\Kimnbd32.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\Kimnbd32.exe

Filesize
79KB

MD5
23a7d68f10bbd179a2a34ab9fce97a7a

SHA1
533fb9f55be3fcc8df11e0c34830cadf032dbd85

SHA256
9ac06ae990c914c27cb6b5887a12a4691f2634ad8a7c5554758225976e1d4d62

SHA512
ca112cb536ffe7e7ed9c79a500453eaace41c0d3c583b01de91fc540dd63033c2a83c4f5cad8978dd4658ccda8c6b6992721194d354e6179077698eca4b604a0

Download Submit
C:\Windows\SysWOW64\Klngdpdd.exe

Filesize
79KB

MD5
1fe3ffbe1dcea93363ce212ec5351885

SHA1
ae3a70051e16c18ca7fe07b35d6d56b02f8b43a3

SHA256
68d7d6c1c3030eb144340802afddc99779e26b7d9498a37fe441222542660312

SHA512
fc7a7027a84bbd2063634f39d2e7df65c9d155d7ca260ff08475c2c623f1c433ed840c33f81ec542fd9a8f35d57b4e245bf36fdbcda4fb99608e3e6c22518a81

Download Submit
C:\Windows\SysWOW64\Kpbmco32.exe

Filesize
79KB

MD5
3f14011fce2575bc9fc56d6af8b7bd82

SHA1
a0675c86bc51317886904d0b417871335e704f6f

SHA256
b57070278cec108b3c9cf44a3ce98d6badfa9ac692e5e2b060fc909c91a26063

SHA512
a2497942dd2217119ab08e01756c3d9471803e4438f79f16c60b69a2e2185ce2d357af55956c3d3a8a0d8452a34b38df30a52e4d65359bee439451fefdeb20b4

Download Submit
C:\Windows\SysWOW64\Kpeiioac.exe

Filesize
79KB

MD5
46ff285454bd7722aeee927f4eab3138

SHA1
cf460e3926fefa0ca4c25e8186ff1c6f7b046362

SHA256
8a9a8daf76f8e8b1b6f489494188f4b4579592bd943a36f946f739a6edab512f

SHA512
cb2d29a710d4e4d702bdca85d70aec467ea03882f06dea60fd90120f26b91c636b3cfa500e78272e8d65087738fe4e2250043c4d969589cf20308d06b7029683

Download Submit
C:\Windows\SysWOW64\Lbdolh32.exe

Filesize
79KB

MD5
acd049ca27d0847f270457639ef24ba3

SHA1
2131dc26f18b6f0a1a9c6d26a9d2120cf5ac6f9e

SHA256
a2f1a53fd24f603d3cd394b285b9f0d2fda812d5354e60b6a356b21d94e28255

SHA512
52840946cd9b031cd8e51d0275d45e46c517a146a253b058fca025661e25c42dec80aa9ad646ec199ca4f923753638d91d95400c1876c78ff38388424a2ba318

Download Submit
C:\Windows\SysWOW64\Lbmhlihl.exe

Filesize
79KB

MD5
399e9a14b8e1e600c9db29a003d8aaf1

SHA1
d731c96268f77112ca36184c77675bae44819920

SHA256
32c4ec240e57db7538ce1701cd384551a6290818b92b34d4055c45090a19a5f7

SHA512
4eb2f0d9f7d448212fb49047bd5553d20914dafe04840b53bf84845931e2f79a0136a37420586d09e85b71bd39c3463cf2cfbc1c6ee08371ca11c755b0bd61d7

Download Submit
C:\Windows\SysWOW64\Ldleel32.exe

Filesize
79KB

MD5
f23f1c999237917f25d6d6c89aa19ec0

SHA1
1e50a0970368aa732ee8b86aba25444c80497741

SHA256
6f2177e0399710b3e9e1b37ee3f4a4c193be1b67d60e04c72268068807272ec3

SHA512
229c442c75a3f677abbf6ae1aea315e3db6326de048a963664e90325cd129e56112d0103d1a1c6fb86699485b75529fec1d51c10df6af22787b2c2cb26670c6b

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
79KB

MD5
15f87f1d308d3bbfa785484206e58497

SHA1
59c43ad82cb505bb51aa80c37d2042e9211208d9

SHA256
706d15df8eca31aab535dc7dfe5738e47373970a99188801278eac5b9ed32fbc

SHA512
69d2fa9a2459ed9b61d4eebc264ddda4c4064108545762a10a7f0c757ef128bb93bbbd4e4591eb3a1f0cec57f48efa0d6de37b65a3f17433fd77fbe15c984277

Download Submit
C:\Windows\SysWOW64\Leihbeib.exe

Filesize
79KB

MD5
2eeceff2c96c83e81f52924e3b6bff24

SHA1
b89de2975468874d815a99fe69b8630eced7a635

SHA256
f1d29f4cd7368154a074fc8f415d844cc23b9651c69fc29fe97f61b1faef154a

SHA512
ea23625e4daa77ebf00864e9f5b456df1cd779be1e2bdc526cf2bb268bb4ab94ee417b8c6573bf125e3d2b1ec712eddf9dc3c589605f4849819496aec3a63b94

Download Submit
C:\Windows\SysWOW64\Lepncd32.exe

Filesize
79KB

MD5
34ce85251a772d102580d4124e0a7a69

SHA1
0276ea61fbc1b7ced44c214235f724e2441a41be

SHA256
78a11b2763badb2eff89201283bc2a0c5ef05dce994d11b0b2568864b6aa0f24

SHA512
65b6fb1974d0132cb8704bd081db73bb58727111adc7dc853a858eab4dadd2746abaf4bdec4f64c0c137c51d4dc822d4bd896344038bdf89e9dcf159c8f82b41

Download Submit
C:\Windows\SysWOW64\Ligqhc32.exe

Filesize
79KB

MD5
98c37e66d3f53763542d10b7712ad790

SHA1
ad56c99bdfbd21f4b8db33cdc547c00bf6cfc4aa

SHA256
cc1485cc77c1851fe89d05b16167a001f1a3c817a7bad7c1a46501243de1c0ae

SHA512
6095e85a00a63cc724ab377278bc229e9573750efebf6e92abbe21ed988580a2a83765fd2c9443d7b9704abaa1284fbb6b2d662e809d6cfa40ca3babe5416bf5

Download Submit
C:\Windows\SysWOW64\Llcpoo32.exe

Filesize
79KB

MD5
0861eca96d638277a98def51dfee7069

SHA1
3c80c85836b77af177f85b0cf7ff09e7ae983d70

SHA256
9e3c45c7689279769ba14146744da476a2eaa84ee99cb8af15bff6d64dd4c8c0

SHA512
cfadfad0bb801583f5e62f823b08be730d297b71dc0a5e162dd717206e56d7d0bae1566938a4e2c5c1b75e8cf0be5e8a0936bec69ed3c98d9914054264329b22

Download Submit
C:\Windows\SysWOW64\Lljfpnjg.exe

Filesize
79KB

MD5
3e3e3123a767ac0d29eb783716f6c360

SHA1
c491b0830f7280aeb624c8180559e86c884d6378

SHA256
7592f0e1565d61c728b55e444b941b4adc1af0b67a1b195fa3f87409577b5b1f

SHA512
c9afad75046b2968bbbc32a740f213c67e6c2c2633797121c1bb9f4471b61090c894df64788eb0eb8444a188c54a8a6cf765a03f219855f6cf78d2344d661c72

Download Submit
C:\Windows\SysWOW64\Lmdina32.exe

Filesize
79KB

MD5
250394c9b47333ef0f4d4934db03b565

SHA1
29d3ee0c02d96fd06d1ed3f5d190f0823e3a46bf

SHA256
b6c3f741080a20750a5c635db11259698e99c38b25bc3d691c74d95ab6f83ab2

SHA512
5a044c9b49da71b3fa12b9053ce9e9d5e66e1afbef5871654682783f65cafbb359e127829d1aed9de3cb719ca2ca260dfa36c3bfe5beb0f1db83acb383c72bcf

Download Submit
C:\Windows\SysWOW64\Lpcfkm32.exe

Filesize
79KB

MD5
f8b26fb17be03502c4c7919e7126a7b3

SHA1
419a0818931e0ebb95cb5ec4bca90ea3d7e73c05

SHA256
3f0acefbd78789a43df82ce8904453162d9ea6dae0a2516b8e395c88c52a0c82

SHA512
9ed5b6f2dd191997c7bbe93015a8e707f92a11fdd1fd455ac6c36ead2afd59d1162b1a82105a3ef0bd19fa9951f4e9e9d868a690053a08e64e7ff6255afec69d

Download Submit
C:\Windows\SysWOW64\Lphoelqn.exe

Filesize
79KB

MD5
21cbb868991edb099ffcba4794a77683

SHA1
baea489c3edd0e717a37d687c9bf0048b1ebf0a2

SHA256
9b80c5834f5621de4c9e732de2263b726ca4ba41efd3d3bf09423d2f1c686f67

SHA512
fe63438923e373b7aa6cc90e822c0dc902bee9ca463f008aea03cc044b73f4545cc12cae265ff849686fe4f113b3f57415c841cd5261deafaa849664af8b0b6e

Download Submit
C:\Windows\SysWOW64\Mckemg32.exe

Filesize
79KB

MD5
93257c15231e438c47b5bd072c1fa61c

SHA1
7e2e17f5d0993bf1d9708c213de0fb69de1a6fc3

SHA256
8ab463ae540a002c373a5dd83a734c1eb18ca7ec80b30c48fffb5f4e4e215af1

SHA512
193c53e8f60bffa48f35841ac645e15a6fdebbda16989992815beeaea9db496b9fb4ab8869b90aef246ca5046b8a5dd74c63366be05643034f368a145c91699c

Download Submit
C:\Windows\SysWOW64\Megdccmb.exe

Filesize
79KB

MD5
72d018c0c268431a4a8bdcd76270c7f9

SHA1
0b6780bbe1f375cd0ada12c5de999ff9e238a40a

SHA256
4b2c59840d50e37775989b3885562bdec111136157e1ab46921b48fe62772b4f

SHA512
f6eddc9e10d995997437a98ae90878231c20805bf62f20ac3a10b6345d4a1f303f073235612988d6b31fead24235b88316bfe6889d5582682c9621f399e249ad

Download Submit
C:\Windows\SysWOW64\Mgagbf32.exe

Filesize
79KB

MD5
d864f5ec1cbe01ff71e5a8392a9808c9

SHA1
a2fa586ca563af27eefe6566d26f3f1d148df8f3

SHA256
19dfa328ece2769595fa508015f8b54b131ad7c0dc50eac8b81a4dbedba9cedd

SHA512
98e953590cb77961b6bd81594d2c0a6d3a42bd2058ada14412c7bb061b050785ccadabfebedd987004b5a9bf5d3049d511e8b619453e2077e37ba1ae23091ed0

Download Submit
C:\Windows\SysWOW64\Mipcob32.exe

Filesize
79KB

MD5
8fb960bc71521cc57fdc6f54a60c3d55

SHA1
9e5119458dccc23fd0e4b2309838a1507eb4c9ac

SHA256
0dca3ab88becba8b2f2ea7352d83acd8ce699ab3db3a24d81915e84cf359fded

SHA512
97bac7b79f13bf5c6475884b7019d0a256279cabf9780f0dde6686361b3aa116b0caeb2ef07b352e21d951d7c29cc212a54e06b102248e10cd16d401da489459

Download Submit
C:\Windows\SysWOW64\Mlampmdo.exe

Filesize
79KB

MD5
e539eef0dd7dd3caf668aba41a36e779

SHA1
98733dffeeeda3fe2a8197ebf7abf77692baf1c7

SHA256
9ea8fce80ddc8e226372c5dea8eedc94724f673153386fa43327ca5255635f0a

SHA512
4b897c329cbaa83c9ca94f35efa5a9c8a98f8076dae4c8bb46f943f13e99d26f3ee8a3639e5cfa75cb15f0b49378674f5d43aa2cb9ca2752a9d69153c305d314

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
79KB

MD5
7064f59e542bf5c011a96e803901bc9c

SHA1
57a849cc356c586f5f706200d7e76363e89870d9

SHA256
1d0f2a895733ca81596b0ef86d4760ec0ce347db2ade65092bc5fa10f6d4d9e0

SHA512
61adb987a0b5d2bea8b84297d9033dc953993f16be981fd62da754f4fb0b68b354e0d0e5c8e8137ce3a69bf743507eb99f2434789804e16f111a61fee10c2f97

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
79KB

MD5
fbcce8b47c9d4675b16763a6ef8d3993

SHA1
7b86f7c257b08288372261d601dc28e9f116bcdf

SHA256
2e8ee1f3d0a2a2583fae765035f94af371b66b0b8b377547eccedd0c203a073d

SHA512
d352034e169dfd2727c097724bf0ac95e6d18949768ee82fc611fa1b4afa3cd9d844e62f816229273ea65d91037a8815e1a2ca3a54efc81fdfffd0ba5780ed91

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
79KB

MD5
f65327b73dea2259edc33da1e67af6c4

SHA1
ad2cde4e49a4f46737dd5b165308c5769b21c8ac

SHA256
31dfc2e40656388b731e36010918a0d89923320f88e8b00eabe2dd3c381f79b4

SHA512
b9710a31bd4aa790923fc6ea336e24977490e1f7627bdaa9930ec33e1a6b82681378239daf19d916673959a714793207763fe4180a85af38131f286bbd942dc6

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
64KB

MD5
03dd76c54a771892bb3fa5df369a639f

SHA1
80bb7e1a732a75cfc22be8202199f3928c53cc4e

SHA256
b9ab08a626fc8286f1fdc13056c063ef4f1505d43c9816152bc2fc5bde80c20c

SHA512
a458e634fe6be3f780434094b85f66f44b6d20e41977c5237fe45bdf17884d2ee5da16a71c646c9e54f3cd93d2db6de86f4c55eac40da617f27fd6ecf1f198eb

Download Submit
memory/116-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/116-580-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/212-347-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/412-467-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/496-399-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/672-248-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/800-515-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/864-329-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/920-389-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/944-145-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1108-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1284-574-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1376-521-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1464-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1528-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1560-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1692-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1836-377-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1868-192-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1888-365-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1920-437-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1992-527-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2016-485-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2024-587-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2024-49-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2196-573-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2196-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2212-225-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2276-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2324-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2380-401-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2392-136-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2468-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2544-383-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2556-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2596-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2632-497-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2676-540-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2740-413-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2772-261-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2824-479-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2868-341-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2936-560-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3000-371-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3052-353-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3084-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3096-128-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3180-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3236-571-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3264-287-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3292-73-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3324-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3476-594-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3476-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3488-588-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3496-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3496-539-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3496-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3548-491-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3556-475-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3584-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3628-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3640-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3652-317-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3696-546-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3744-449-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3908-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3960-323-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3976-461-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4024-559-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4024-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4052-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4112-509-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4148-455-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4152-281-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4188-431-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4204-566-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4204-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4348-407-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4468-533-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4504-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4544-552-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4544-9-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4560-335-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4580-581-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4592-425-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4624-443-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4656-200-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4844-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4848-553-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4880-419-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4920-507-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4996-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5032-293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5056-208-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5060-216-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download