berbew | 404e2c6c17e0be002a26d9efdbb6d34d062e67783c1d35151ad6ae3091db9d32

Analysis

max time kernel
93s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 07:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

404e2c6c17e0be002a26d9efdbb6d34d062e67783c1d35151ad6ae3091db9d32.exe
Size

790KB
MD5

f803d9a71b4adbfff3b0f60fab868003
SHA1

bd91789c56c7609316295c6e15bea22dfae59455
SHA256

404e2c6c17e0be002a26d9efdbb6d34d062e67783c1d35151ad6ae3091db9d32
SHA512

9ccd7f32a26f5cb544b46f846b9a5662c66bf60a9e1f323083055c305b25663f4643496a0c4bdb2abb99e37e2110d6bc24fc822eb93b888d62a618b32010f065
SSDEEP

12288:wcLSk1Ab4keFB24lwR4P87g7/VycgE81lgxaa79yj:ZSk1vDPqoIlg17oj

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Mfeeabda.exeNjjdho32.exeGppcmeem.exeLomqcjie.exeLgdidgjg.exeLmaamn32.exeMgnlkfal.exeMqimikfj.exeOjfcdnjc.exeApmhiq32.exeBnoddcef.exeCaojpaij.exeCocjiehd.exeDdgibkpc.exePdhkcb32.exeEfblbbqd.exeEpmmqheb.exeHfjdqmng.exeJcdjbk32.exeNclbpf32.exeEfgemb32.exeFelbnn32.exeIgajal32.exeImkbnf32.exeLjeafb32.exeNmbjcljl.exe404e2c6c17e0be002a26d9efdbb6d34d062e67783c1d35151ad6ae3091db9d32.exeKeimof32.exeNagiji32.exeLgbloglj.exeNflkbanj.exeEppjfgcp.exeEbnfbcbc.exeFlfkkhid.exeJpaekqhh.exeKflide32.exeNgqagcag.exeAmcehdod.exeBgnffj32.exeCpdgqmnb.exeChnlgjlb.exeChdialdl.exeCammjakm.exeGoglcahb.exeIebngial.exeJngbjd32.exeNgndaccj.exeQodeajbg.exeAdkqoohc.exeKlhnfo32.exeMqdcnl32.exeCgifbhid.exeDgcihgaj.exePhonha32.exePmpolgoi.exeFpkibf32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mfeeabda.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njjdho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gppcmeem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lomqcjie.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgdidgjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lmaamn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgnlkfal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mqimikfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojfcdnjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Apmhiq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnoddcef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Caojpaij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cocjiehd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddgibkpc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdhkcb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efblbbqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epmmqheb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfjdqmng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jcdjbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nclbpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nclbpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efgemb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Felbnn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmaamn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfeeabda.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Igajal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imkbnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ljeafb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nmbjcljl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	404e2c6c17e0be002a26d9efdbb6d34d062e67783c1d35151ad6ae3091db9d32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gppcmeem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcdjbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Keimof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nagiji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgbloglj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nflkbanj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eppjfgcp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebnfbcbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Flfkkhid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jpaekqhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Keimof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kflide32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngqagcag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amcehdod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgnffj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpdgqmnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chnlgjlb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chdialdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cammjakm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Goglcahb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iebngial.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jngbjd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngndaccj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qodeajbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adkqoohc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klhnfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mqdcnl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnlkfal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgifbhid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dgcihgaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Phonha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmpolgoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Felbnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fpkibf32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

Processes:

Dkfadkgf.exeDbbffdlq.exeDeqcbpld.exeEfblbbqd.exeEpmmqheb.exeEfgemb32.exeEppjfgcp.exeEbnfbcbc.exeFelbnn32.exeFlfkkhid.exeFpkibf32.exeGppcmeem.exeGbalopbn.exeGoglcahb.exeHmkigh32.exeHbjoeojc.exeHblkjo32.exeHfjdqmng.exeHpchib32.exeIepaaico.exeIebngial.exeIgajal32.exeImkbnf32.exeJoahqn32.exeJpaekqhh.exeJiiicf32.exeJngbjd32.exeJcdjbk32.exeKpjgaoqm.exeKeimof32.exeKflide32.exeKjjbjd32.exeKlhnfo32.exeLjnlecmp.exeLgbloglj.exeLjqhkckn.exeLomqcjie.exeLgdidgjg.exeLmaamn32.exeLjeafb32.exeLflbkcll.exeMqdcnl32.exeMgnlkfal.exeMmkdcm32.exeMfchlbfd.exeMqimikfj.exeMfeeabda.exeMonjjgkb.exeNmbjcljl.exeNclbpf32.exeNflkbanj.exeNjjdho32.exeNgndaccj.exeNagiji32.exeNgqagcag.exeOakbehfe.exeOcjoadei.exeOjfcdnjc.exeOjhpimhp.exeOabhfg32.exePmiikh32.exePhonha32.exePmlfqh32.exePaiogf32.exe

pid	process
1968	Dkfadkgf.exe
1264	Dbbffdlq.exe
3504	Deqcbpld.exe
2272	Efblbbqd.exe
1712	Epmmqheb.exe
3880	Efgemb32.exe
4928	Eppjfgcp.exe
4460	Ebnfbcbc.exe
4360	Felbnn32.exe
1808	Flfkkhid.exe
4836	Fpkibf32.exe
4644	Gppcmeem.exe
2516	Gbalopbn.exe
1608	Goglcahb.exe
4184	Hmkigh32.exe
3388	Hbjoeojc.exe
4620	Hblkjo32.exe
316	Hfjdqmng.exe
4724	Hpchib32.exe
216	Iepaaico.exe
4712	Iebngial.exe
4708	Igajal32.exe
1592	Imkbnf32.exe
4436	Joahqn32.exe
4944	Jpaekqhh.exe
2508	Jiiicf32.exe
3936	Jngbjd32.exe
4116	Jcdjbk32.exe
764	Kpjgaoqm.exe
2772	Keimof32.exe
3628	Kflide32.exe
1952	Kjjbjd32.exe
1972	Klhnfo32.exe
4000	Ljnlecmp.exe
4488	Lgbloglj.exe
544	Ljqhkckn.exe
3908	Lomqcjie.exe
744	Lgdidgjg.exe
2224	Lmaamn32.exe
3644	Ljeafb32.exe
3728	Lflbkcll.exe
4992	Mqdcnl32.exe
4632	Mgnlkfal.exe
1288	Mmkdcm32.exe
1844	Mfchlbfd.exe
1872	Mqimikfj.exe
4120	Mfeeabda.exe
220	Monjjgkb.exe
3048	Nmbjcljl.exe
1496	Nclbpf32.exe
3960	Nflkbanj.exe
4984	Njjdho32.exe
2000	Ngndaccj.exe
2904	Nagiji32.exe
2892	Ngqagcag.exe
1708	Oakbehfe.exe
4244	Ocjoadei.exe
4796	Ojfcdnjc.exe
3668	Ojhpimhp.exe
2056	Oabhfg32.exe
4864	Pmiikh32.exe
2468	Phonha32.exe
1060	Pmlfqh32.exe
4232	Paiogf32.exe

Drops file in System32 directory 64 IoCs

Processes:

Pmiikh32.exePmlfqh32.exeBaegibae.exeCaojpaij.exeFpkibf32.exeHmkigh32.exeJiiicf32.exeNgndaccj.exeHblkjo32.exeNjjdho32.exeQobhkjdi.exeJoahqn32.exeLmaamn32.exeMonjjgkb.exeBhblllfo.exeDkfadkgf.exeDbbffdlq.exeImkbnf32.exeCkbemgcp.exeMfeeabda.exeAfbgkl32.exeBgnffj32.exeMqimikfj.exeNclbpf32.exePfiddm32.exeAdkqoohc.exeAgdcpkll.exeDnmaea32.exeEpmmqheb.exeMfchlbfd.exeMqdcnl32.exeOcjoadei.exeOjhpimhp.exeBdagpnbk.exeCgifbhid.exeIgajal32.exeKjjbjd32.exeOabhfg32.exeBnoddcef.exeCammjakm.exeCocjiehd.exeFelbnn32.exeIepaaico.exeKlhnfo32.exePmpolgoi.exeApmhiq32.exeJcdjbk32.exePhonha32.exeHfjdqmng.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Phonha32.exe	Pmiikh32.exe
File created	C:\Windows\SysWOW64\Paiogf32.exe	Pmlfqh32.exe
File created	C:\Windows\SysWOW64\Bnlhncgi.exe	Baegibae.exe
File created	C:\Windows\SysWOW64\Bjlfmfbi.dll	Caojpaij.exe
File created	C:\Windows\SysWOW64\Pfnmog32.dll	Fpkibf32.exe
File opened for modification	C:\Windows\SysWOW64\Hbjoeojc.exe	Hmkigh32.exe
File opened for modification	C:\Windows\SysWOW64\Jngbjd32.exe	Jiiicf32.exe
File opened for modification	C:\Windows\SysWOW64\Nagiji32.exe	Ngndaccj.exe
File opened for modification	C:\Windows\SysWOW64\Hfjdqmng.exe	Hblkjo32.exe
File opened for modification	C:\Windows\SysWOW64\Ngndaccj.exe	Njjdho32.exe
File created	C:\Windows\SysWOW64\Eehmok32.dll	Qobhkjdi.exe
File created	C:\Windows\SysWOW64\Jpaekqhh.exe	Joahqn32.exe
File created	C:\Windows\SysWOW64\Ljeafb32.exe	Lmaamn32.exe
File created	C:\Windows\SysWOW64\Nmbjcljl.exe	Monjjgkb.exe
File created	C:\Windows\SysWOW64\Bnoddcef.exe	Bhblllfo.exe
File created	C:\Windows\SysWOW64\Dbbffdlq.exe	Dkfadkgf.exe
File opened for modification	C:\Windows\SysWOW64\Deqcbpld.exe	Dbbffdlq.exe
File created	C:\Windows\SysWOW64\Hbjoeojc.exe	Hmkigh32.exe
File created	C:\Windows\SysWOW64\Dmcnoekk.dll	Imkbnf32.exe
File created	C:\Windows\SysWOW64\Mmihfl32.dll	Ckbemgcp.exe
File created	C:\Windows\SysWOW64\Monjjgkb.exe	Mfeeabda.exe
File created	C:\Windows\SysWOW64\Apjkcadp.exe	Afbgkl32.exe
File created	C:\Windows\SysWOW64\Bdagpnbk.exe	Bgnffj32.exe
File opened for modification	C:\Windows\SysWOW64\Bnoddcef.exe	Bhblllfo.exe
File created	C:\Windows\SysWOW64\Ghkogl32.dll	Mqimikfj.exe
File opened for modification	C:\Windows\SysWOW64\Nflkbanj.exe	Nclbpf32.exe
File opened for modification	C:\Windows\SysWOW64\Pmblagmf.exe	Pfiddm32.exe
File opened for modification	C:\Windows\SysWOW64\Amcehdod.exe	Adkqoohc.exe
File opened for modification	C:\Windows\SysWOW64\Apmhiq32.exe	Agdcpkll.exe
File created	C:\Windows\SysWOW64\Amcehdod.exe	Adkqoohc.exe
File created	C:\Windows\SysWOW64\Cglbhhga.exe	Caojpaij.exe
File created	C:\Windows\SysWOW64\Nchkcb32.dll	Dnmaea32.exe
File created	C:\Windows\SysWOW64\Jipegn32.dll	Epmmqheb.exe
File opened for modification	C:\Windows\SysWOW64\Mqimikfj.exe	Mfchlbfd.exe
File created	C:\Windows\SysWOW64\Pmblagmf.exe	Pfiddm32.exe
File created	C:\Windows\SysWOW64\Iafphi32.dll	Pfiddm32.exe
File created	C:\Windows\SysWOW64\Mgnlkfal.exe	Mqdcnl32.exe
File created	C:\Windows\SysWOW64\Nphihiif.dll	Ocjoadei.exe
File created	C:\Windows\SysWOW64\Oabhfg32.exe	Ojhpimhp.exe
File opened for modification	C:\Windows\SysWOW64\Baegibae.exe	Bdagpnbk.exe
File created	C:\Windows\SysWOW64\Caojpaij.exe	Cgifbhid.exe
File opened for modification	C:\Windows\SysWOW64\Imkbnf32.exe	Igajal32.exe
File opened for modification	C:\Windows\SysWOW64\Klhnfo32.exe	Kjjbjd32.exe
File created	C:\Windows\SysWOW64\Pmiikh32.exe	Oabhfg32.exe
File created	C:\Windows\SysWOW64\Dgeaknci.dll	Agdcpkll.exe
File created	C:\Windows\SysWOW64\Chdialdl.exe	Bnoddcef.exe
File created	C:\Windows\SysWOW64\Cgifbhid.exe	Cammjakm.exe
File opened for modification	C:\Windows\SysWOW64\Cpdgqmnb.exe	Cocjiehd.exe
File opened for modification	C:\Windows\SysWOW64\Flfkkhid.exe	Felbnn32.exe
File created	C:\Windows\SysWOW64\Iebngial.exe	Iepaaico.exe
File created	C:\Windows\SysWOW64\Pjkakfla.dll	Klhnfo32.exe
File created	C:\Windows\SysWOW64\Idaiki32.dll	Pmpolgoi.exe
File opened for modification	C:\Windows\SysWOW64\Aonhghjl.exe	Apmhiq32.exe
File opened for modification	C:\Windows\SysWOW64\Gppcmeem.exe	Fpkibf32.exe
File created	C:\Windows\SysWOW64\Ifenan32.dll	Jcdjbk32.exe
File created	C:\Windows\SysWOW64\Imnbiq32.dll	Mqdcnl32.exe
File opened for modification	C:\Windows\SysWOW64\Monjjgkb.exe	Mfeeabda.exe
File created	C:\Windows\SysWOW64\Fcokoohi.dll	Nclbpf32.exe
File created	C:\Windows\SysWOW64\Pmlfqh32.exe	Phonha32.exe
File created	C:\Windows\SysWOW64\Hebqnm32.dll	Iepaaico.exe
File opened for modification	C:\Windows\SysWOW64\Joahqn32.exe	Imkbnf32.exe
File created	C:\Windows\SysWOW64\Ngidlo32.dll	Lmaamn32.exe
File opened for modification	C:\Windows\SysWOW64\Hpchib32.exe	Hfjdqmng.exe
File created	C:\Windows\SysWOW64\Cnffoibg.dll	Ojhpimhp.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5532 5408 WerFault.exe Dkqaoe32.exe

pid	pid_target	process	target process
5532	5408	WerFault.exe	Dkqaoe32.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Qobhkjdi.exeDgcihgaj.exeFlfkkhid.exeMqimikfj.exeOcjoadei.exeMqdcnl32.exePmblagmf.exeDdgibkpc.exeDkfadkgf.exeHbjoeojc.exeKeimof32.exeCacckp32.exeEbnfbcbc.exeJpaekqhh.exeQdaniq32.exeApjkcadp.exeCocjiehd.exeGbalopbn.exeOabhfg32.exePhonha32.exeLjeafb32.exeMfeeabda.exeNagiji32.exeNgqagcag.exeOjfcdnjc.exeGoglcahb.exeJngbjd32.exeKflide32.exeIgajal32.exeKpjgaoqm.exeKjjbjd32.exeLgdidgjg.exeNjjdho32.exeEppjfgcp.exeHmkigh32.exeHblkjo32.exeAgdcpkll.exeApmhiq32.exeIebngial.exeJcdjbk32.exeKlhnfo32.exeNflkbanj.exeOakbehfe.exeEfblbbqd.exeEpmmqheb.exeHfjdqmng.exeQhjmdp32.exeBnoddcef.exeDnmaea32.exePmlfqh32.exePaiogf32.exeQhhpop32.exePmpolgoi.exeBnlhncgi.exeCnjdpaki.exeDpiplm32.exeEfgemb32.exeLjnlecmp.exeNclbpf32.exeCammjakm.exeCgifbhid.exe404e2c6c17e0be002a26d9efdbb6d34d062e67783c1d35151ad6ae3091db9d32.exeQodeajbg.exeAmcehdod.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qobhkjdi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgcihgaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flfkkhid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mqimikfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocjoadei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mqdcnl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmblagmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddgibkpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkfadkgf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hbjoeojc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keimof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebnfbcbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpaekqhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdaniq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apjkcadp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocjiehd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gbalopbn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oabhfg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phonha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljeafb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfeeabda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nagiji32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngqagcag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojfcdnjc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Goglcahb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jngbjd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kflide32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Igajal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpjgaoqm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjjbjd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgdidgjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njjdho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eppjfgcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hmkigh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hblkjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agdcpkll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apmhiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iebngial.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcdjbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klhnfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nflkbanj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oakbehfe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efblbbqd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epmmqheb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hfjdqmng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qhjmdp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnoddcef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnmaea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmlfqh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paiogf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qhhpop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmpolgoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnlhncgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnjdpaki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpiplm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efgemb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljnlecmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nclbpf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cammjakm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgifbhid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	404e2c6c17e0be002a26d9efdbb6d34d062e67783c1d35151ad6ae3091db9d32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qodeajbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amcehdod.exe

Modifies registry class 64 IoCs

Processes:

Nmbjcljl.exeQdaniq32.exeBobabg32.exeHmkigh32.exeKeimof32.exeMqimikfj.exeMfeeabda.exeOcjoadei.exePhonha32.exeDgcihgaj.exeEbnfbcbc.exeBhblllfo.exeCnjdpaki.exeJoahqn32.exeIgajal32.exeMfchlbfd.exeQhhpop32.exeCgifbhid.exeCacckp32.exeHfjdqmng.exeHbjoeojc.exeKpjgaoqm.exeLjqhkckn.exeNgndaccj.exeAmcehdod.exeEppjfgcp.exeLjnlecmp.exeQobhkjdi.exeEfgemb32.exeHblkjo32.exePmiikh32.exeGbalopbn.exeFpkibf32.exeKlhnfo32.exePmlfqh32.exeBaegibae.exeIepaaico.exeFlfkkhid.exeNgqagcag.exeBgnffj32.exeCkbemgcp.exe404e2c6c17e0be002a26d9efdbb6d34d062e67783c1d35151ad6ae3091db9d32.exeGppcmeem.exePfiddm32.exeAonhghjl.exeBdagpnbk.exeCaojpaij.exeJngbjd32.exeLgdidgjg.exeLflbkcll.exeQhjmdp32.exeBnlhncgi.exeCpdgqmnb.exePmblagmf.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nmbjcljl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qdaniq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bobabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndmdae32.dll"	Hmkigh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Keimof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Keimof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mqimikfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okehmlqi.dll"	Mfeeabda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphihiif.dll"	Ocjoadei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Phonha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dgcihgaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ebnfbcbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bhblllfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cnjdpaki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polalahi.dll"	Joahqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdahdiml.dll"	Igajal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdbeojmh.dll"	Mfchlbfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qhhpop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cgifbhid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiapmnp.dll"	Cacckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hfjdqmng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hbjoeojc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kpjgaoqm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ljqhkckn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngndaccj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Amcehdod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dgcihgaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Eppjfgcp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hfjdqmng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Minqeaad.dll"	Ljnlecmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eehmok32.dll"	Qobhkjdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pigbqakg.dll"	Efgemb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Igajal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgfnagdi.dll"	Ngndaccj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hblkjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfdqcn32.dll"	Phonha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pmiikh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gbalopbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fpkibf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Klhnfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pmlfqh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Baegibae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hebqnm32.dll"	Iepaaico.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Flfkkhid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngqagcag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bgnffj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ckbemgcp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	404e2c6c17e0be002a26d9efdbb6d34d062e67783c1d35151ad6ae3091db9d32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Galdglpd.dll"	Gppcmeem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iafphi32.dll"	Pfiddm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aonhghjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bdagpnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjlfmfbi.dll"	Caojpaij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Efgemb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggmkff32.dll"	Jngbjd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ljqhkckn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgqoll32.dll"	Lgdidgjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lflbkcll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qhjmdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkbnla32.dll"	Bnlhncgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Caojpaij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfdaia32.dll"	Gbalopbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aamebb32.dll"	Cpdgqmnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pmblagmf.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

404e2c6c17e0be002a26d9efdbb6d34d062e67783c1d35151ad6ae3091db9d32.exeDkfadkgf.exeDbbffdlq.exeDeqcbpld.exeEfblbbqd.exeEpmmqheb.exeEfgemb32.exeEppjfgcp.exeEbnfbcbc.exeFelbnn32.exeFlfkkhid.exeFpkibf32.exeGppcmeem.exeGbalopbn.exeGoglcahb.exeHmkigh32.exeHbjoeojc.exeHblkjo32.exeHfjdqmng.exeHpchib32.exeIepaaico.exeIebngial.exe

description	pid	process	target process
PID 3472 wrote to memory of 1968	3472	404e2c6c17e0be002a26d9efdbb6d34d062e67783c1d35151ad6ae3091db9d32.exe	Dkfadkgf.exe
PID 3472 wrote to memory of 1968	3472	404e2c6c17e0be002a26d9efdbb6d34d062e67783c1d35151ad6ae3091db9d32.exe	Dkfadkgf.exe
PID 3472 wrote to memory of 1968	3472	404e2c6c17e0be002a26d9efdbb6d34d062e67783c1d35151ad6ae3091db9d32.exe	Dkfadkgf.exe
PID 1968 wrote to memory of 1264	1968	Dkfadkgf.exe	Dbbffdlq.exe
PID 1968 wrote to memory of 1264	1968	Dkfadkgf.exe	Dbbffdlq.exe
PID 1968 wrote to memory of 1264	1968	Dkfadkgf.exe	Dbbffdlq.exe
PID 1264 wrote to memory of 3504	1264	Dbbffdlq.exe	Deqcbpld.exe
PID 1264 wrote to memory of 3504	1264	Dbbffdlq.exe	Deqcbpld.exe
PID 1264 wrote to memory of 3504	1264	Dbbffdlq.exe	Deqcbpld.exe
PID 3504 wrote to memory of 2272	3504	Deqcbpld.exe	Efblbbqd.exe
PID 3504 wrote to memory of 2272	3504	Deqcbpld.exe	Efblbbqd.exe
PID 3504 wrote to memory of 2272	3504	Deqcbpld.exe	Efblbbqd.exe
PID 2272 wrote to memory of 1712	2272	Efblbbqd.exe	Epmmqheb.exe
PID 2272 wrote to memory of 1712	2272	Efblbbqd.exe	Epmmqheb.exe
PID 2272 wrote to memory of 1712	2272	Efblbbqd.exe	Epmmqheb.exe
PID 1712 wrote to memory of 3880	1712	Epmmqheb.exe	Efgemb32.exe
PID 1712 wrote to memory of 3880	1712	Epmmqheb.exe	Efgemb32.exe
PID 1712 wrote to memory of 3880	1712	Epmmqheb.exe	Efgemb32.exe
PID 3880 wrote to memory of 4928	3880	Efgemb32.exe	Eppjfgcp.exe
PID 3880 wrote to memory of 4928	3880	Efgemb32.exe	Eppjfgcp.exe
PID 3880 wrote to memory of 4928	3880	Efgemb32.exe	Eppjfgcp.exe
PID 4928 wrote to memory of 4460	4928	Eppjfgcp.exe	Ebnfbcbc.exe
PID 4928 wrote to memory of 4460	4928	Eppjfgcp.exe	Ebnfbcbc.exe
PID 4928 wrote to memory of 4460	4928	Eppjfgcp.exe	Ebnfbcbc.exe
PID 4460 wrote to memory of 4360	4460	Ebnfbcbc.exe	Felbnn32.exe
PID 4460 wrote to memory of 4360	4460	Ebnfbcbc.exe	Felbnn32.exe
PID 4460 wrote to memory of 4360	4460	Ebnfbcbc.exe	Felbnn32.exe
PID 4360 wrote to memory of 1808	4360	Felbnn32.exe	Flfkkhid.exe
PID 4360 wrote to memory of 1808	4360	Felbnn32.exe	Flfkkhid.exe
PID 4360 wrote to memory of 1808	4360	Felbnn32.exe	Flfkkhid.exe
PID 1808 wrote to memory of 4836	1808	Flfkkhid.exe	Fpkibf32.exe
PID 1808 wrote to memory of 4836	1808	Flfkkhid.exe	Fpkibf32.exe
PID 1808 wrote to memory of 4836	1808	Flfkkhid.exe	Fpkibf32.exe
PID 4836 wrote to memory of 4644	4836	Fpkibf32.exe	Gppcmeem.exe
PID 4836 wrote to memory of 4644	4836	Fpkibf32.exe	Gppcmeem.exe
PID 4836 wrote to memory of 4644	4836	Fpkibf32.exe	Gppcmeem.exe
PID 4644 wrote to memory of 2516	4644	Gppcmeem.exe	Gbalopbn.exe
PID 4644 wrote to memory of 2516	4644	Gppcmeem.exe	Gbalopbn.exe
PID 4644 wrote to memory of 2516	4644	Gppcmeem.exe	Gbalopbn.exe
PID 2516 wrote to memory of 1608	2516	Gbalopbn.exe	Goglcahb.exe
PID 2516 wrote to memory of 1608	2516	Gbalopbn.exe	Goglcahb.exe
PID 2516 wrote to memory of 1608	2516	Gbalopbn.exe	Goglcahb.exe
PID 1608 wrote to memory of 4184	1608	Goglcahb.exe	Hmkigh32.exe
PID 1608 wrote to memory of 4184	1608	Goglcahb.exe	Hmkigh32.exe
PID 1608 wrote to memory of 4184	1608	Goglcahb.exe	Hmkigh32.exe
PID 4184 wrote to memory of 3388	4184	Hmkigh32.exe	Hbjoeojc.exe
PID 4184 wrote to memory of 3388	4184	Hmkigh32.exe	Hbjoeojc.exe
PID 4184 wrote to memory of 3388	4184	Hmkigh32.exe	Hbjoeojc.exe
PID 3388 wrote to memory of 4620	3388	Hbjoeojc.exe	Hblkjo32.exe
PID 3388 wrote to memory of 4620	3388	Hbjoeojc.exe	Hblkjo32.exe
PID 3388 wrote to memory of 4620	3388	Hbjoeojc.exe	Hblkjo32.exe
PID 4620 wrote to memory of 316	4620	Hblkjo32.exe	Hfjdqmng.exe
PID 4620 wrote to memory of 316	4620	Hblkjo32.exe	Hfjdqmng.exe
PID 4620 wrote to memory of 316	4620	Hblkjo32.exe	Hfjdqmng.exe
PID 316 wrote to memory of 4724	316	Hfjdqmng.exe	Hpchib32.exe
PID 316 wrote to memory of 4724	316	Hfjdqmng.exe	Hpchib32.exe
PID 316 wrote to memory of 4724	316	Hfjdqmng.exe	Hpchib32.exe
PID 4724 wrote to memory of 216	4724	Hpchib32.exe	Iepaaico.exe
PID 4724 wrote to memory of 216	4724	Hpchib32.exe	Iepaaico.exe
PID 4724 wrote to memory of 216	4724	Hpchib32.exe	Iepaaico.exe
PID 216 wrote to memory of 4712	216	Iepaaico.exe	Iebngial.exe
PID 216 wrote to memory of 4712	216	Iepaaico.exe	Iebngial.exe
PID 216 wrote to memory of 4712	216	Iepaaico.exe	Iebngial.exe
PID 4712 wrote to memory of 4708	4712	Iebngial.exe	Igajal32.exe

C:\Users\Admin\AppData\Local\Temp\404e2c6c17e0be002a26d9efdbb6d34d062e67783c1d35151ad6ae3091db9d32.exe
"C:\Users\Admin\AppData\Local\Temp\404e2c6c17e0be002a26d9efdbb6d34d062e67783c1d35151ad6ae3091db9d32.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3472
- C:\Windows\SysWOW64\Dkfadkgf.exe
  C:\Windows\system32\Dkfadkgf.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Windows\SysWOW64\Dbbffdlq.exe
    C:\Windows\system32\Dbbffdlq.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1264
  - - C:\Windows\SysWOW64\Deqcbpld.exe
      C:\Windows\system32\Deqcbpld.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3504
    - - C:\Windows\SysWOW64\Efblbbqd.exe
        
        C:\Windows\system32\Efblbbqd.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2272
      - C:\Windows\SysWOW64\Epmmqheb.exe
        
        C:\Windows\system32\Epmmqheb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\SysWOW64\Efgemb32.exe
        
        C:\Windows\system32\Efgemb32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3880
        
        C:\Windows\SysWOW64\Eppjfgcp.exe
        
        C:\Windows\system32\Eppjfgcp.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\SysWOW64\Ebnfbcbc.exe
        
        C:\Windows\system32\Ebnfbcbc.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\SysWOW64\Felbnn32.exe
        
        C:\Windows\system32\Felbnn32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\Windows\SysWOW64\Flfkkhid.exe
        
        C:\Windows\system32\Flfkkhid.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\SysWOW64\Fpkibf32.exe
        
        C:\Windows\system32\Fpkibf32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\SysWOW64\Gppcmeem.exe
        
        C:\Windows\system32\Gppcmeem.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4644
        
        C:\Windows\SysWOW64\Gbalopbn.exe
        
        C:\Windows\system32\Gbalopbn.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\SysWOW64\Goglcahb.exe
        
        C:\Windows\system32\Goglcahb.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\SysWOW64\Hmkigh32.exe
        
        C:\Windows\system32\Hmkigh32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4184
        
        C:\Windows\SysWOW64\Hbjoeojc.exe
        
        C:\Windows\system32\Hbjoeojc.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3388
        
        C:\Windows\SysWOW64\Hblkjo32.exe
        
        C:\Windows\system32\Hblkjo32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4620
        
        C:\Windows\SysWOW64\Hfjdqmng.exe
        
        C:\Windows\system32\Hfjdqmng.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:316
        
        C:\Windows\SysWOW64\Hpchib32.exe
        
        C:\Windows\system32\Hpchib32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Windows\SysWOW64\Iepaaico.exe
        
        C:\Windows\system32\Iepaaico.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Windows\SysWOW64\Iebngial.exe
        
        C:\Windows\system32\Iebngial.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4712
        
        C:\Windows\SysWOW64\Igajal32.exe
        
        C:\Windows\system32\Igajal32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4708
        
        C:\Windows\SysWOW64\Imkbnf32.exe
        
        C:\Windows\system32\Imkbnf32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1592
        
        C:\Windows\SysWOW64\Joahqn32.exe
        
        C:\Windows\system32\Joahqn32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Jpaekqhh.exe
        
        C:\Windows\system32\Jpaekqhh.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4944
        
        C:\Windows\SysWOW64\Jiiicf32.exe
        
        C:\Windows\system32\Jiiicf32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2508
        
        C:\Windows\SysWOW64\Jngbjd32.exe
        
        C:\Windows\system32\Jngbjd32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3936
        
        C:\Windows\SysWOW64\Jcdjbk32.exe
        
        C:\Windows\system32\Jcdjbk32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4116
        
        C:\Windows\SysWOW64\Kpjgaoqm.exe
        
        C:\Windows\system32\Kpjgaoqm.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:764
        
        C:\Windows\SysWOW64\Keimof32.exe
        
        C:\Windows\system32\Keimof32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\Kflide32.exe
        
        C:\Windows\system32\Kflide32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3628
        
        C:\Windows\SysWOW64\Kjjbjd32.exe
        
        C:\Windows\system32\Kjjbjd32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1952
        
        C:\Windows\SysWOW64\Klhnfo32.exe
        
        C:\Windows\system32\Klhnfo32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1972
        
        C:\Windows\SysWOW64\Ljnlecmp.exe
        
        C:\Windows\system32\Ljnlecmp.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4000
        
        C:\Windows\SysWOW64\Lgbloglj.exe
        
        C:\Windows\system32\Lgbloglj.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4488
        
        C:\Windows\SysWOW64\Ljqhkckn.exe
        
        C:\Windows\system32\Ljqhkckn.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:544
        
        C:\Windows\SysWOW64\Lomqcjie.exe
        
        C:\Windows\system32\Lomqcjie.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3908
        
        C:\Windows\SysWOW64\Lgdidgjg.exe
        
        C:\Windows\system32\Lgdidgjg.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:744
        
        C:\Windows\SysWOW64\Lmaamn32.exe
        
        C:\Windows\system32\Lmaamn32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2224
        
        C:\Windows\SysWOW64\Ljeafb32.exe
        
        C:\Windows\system32\Ljeafb32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3644
        
        C:\Windows\SysWOW64\Lflbkcll.exe
        
        C:\Windows\system32\Lflbkcll.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3728
        
        C:\Windows\SysWOW64\Mqdcnl32.exe
        
        C:\Windows\system32\Mqdcnl32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4992
        
        C:\Windows\SysWOW64\Mgnlkfal.exe
        
        C:\Windows\system32\Mgnlkfal.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4632
        
        C:\Windows\SysWOW64\Mmkdcm32.exe
        
        C:\Windows\system32\Mmkdcm32.exe
        45⤵
        Executes dropped EXE
        
        PID:1288
        
        C:\Windows\SysWOW64\Mfchlbfd.exe
        
        C:\Windows\system32\Mfchlbfd.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1844
        
        C:\Windows\SysWOW64\Mqimikfj.exe
        
        C:\Windows\system32\Mqimikfj.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1872
        
        C:\Windows\SysWOW64\Mfeeabda.exe
        
        C:\Windows\system32\Mfeeabda.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4120
        
        C:\Windows\SysWOW64\Monjjgkb.exe
        
        C:\Windows\system32\Monjjgkb.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:220
        
        C:\Windows\SysWOW64\Nmbjcljl.exe
        
        C:\Windows\system32\Nmbjcljl.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\Nclbpf32.exe
        
        C:\Windows\system32\Nclbpf32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1496
        
        C:\Windows\SysWOW64\Nflkbanj.exe
        
        C:\Windows\system32\Nflkbanj.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3960
        
        C:\Windows\SysWOW64\Njjdho32.exe
        
        C:\Windows\system32\Njjdho32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4984
        
        C:\Windows\SysWOW64\Ngndaccj.exe
        
        C:\Windows\system32\Ngndaccj.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\Nagiji32.exe
        
        C:\Windows\system32\Nagiji32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Windows\SysWOW64\Ngqagcag.exe
        
        C:\Windows\system32\Ngqagcag.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2892
        
        C:\Windows\SysWOW64\Oakbehfe.exe
        
        C:\Windows\system32\Oakbehfe.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1708
        
        C:\Windows\SysWOW64\Ocjoadei.exe
        
        C:\Windows\system32\Ocjoadei.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4244
        
        C:\Windows\SysWOW64\Ojfcdnjc.exe
        
        C:\Windows\system32\Ojfcdnjc.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4796
        
        C:\Windows\SysWOW64\Ojhpimhp.exe
        
        C:\Windows\system32\Ojhpimhp.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3668
        
        C:\Windows\SysWOW64\Oabhfg32.exe
        
        C:\Windows\system32\Oabhfg32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2056
        
        C:\Windows\SysWOW64\Pmiikh32.exe
        
        C:\Windows\system32\Pmiikh32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Phonha32.exe
        
        C:\Windows\system32\Phonha32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2468
        
        C:\Windows\SysWOW64\Pmlfqh32.exe
        
        C:\Windows\system32\Pmlfqh32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1060
        
        C:\Windows\SysWOW64\Paiogf32.exe
        
        C:\Windows\system32\Paiogf32.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4232
        
        C:\Windows\SysWOW64\Pdhkcb32.exe
        
        C:\Windows\system32\Pdhkcb32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4340
        
        C:\Windows\SysWOW64\Pmpolgoi.exe
        
        C:\Windows\system32\Pmpolgoi.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1580
        
        C:\Windows\SysWOW64\Pfiddm32.exe
        
        C:\Windows\system32\Pfiddm32.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Pmblagmf.exe
        
        C:\Windows\system32\Pmblagmf.exe
        69⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1520
        
        C:\Windows\SysWOW64\Qhhpop32.exe
        
        C:\Windows\system32\Qhhpop32.exe
        70⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3536
        
        C:\Windows\SysWOW64\Qobhkjdi.exe
        
        C:\Windows\system32\Qobhkjdi.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Qhjmdp32.exe
        
        C:\Windows\system32\Qhjmdp32.exe
        72⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3432
        
        C:\Windows\SysWOW64\Qodeajbg.exe
        
        C:\Windows\system32\Qodeajbg.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1648
        
        C:\Windows\SysWOW64\Qdaniq32.exe
        
        C:\Windows\system32\Qdaniq32.exe
        74⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\Afbgkl32.exe
        
        C:\Windows\system32\Afbgkl32.exe
        75⤵
        Drops file in System32 directory
        
        PID:1208
        
        C:\Windows\SysWOW64\Apjkcadp.exe
        
        C:\Windows\system32\Apjkcadp.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:3192
        
        C:\Windows\SysWOW64\Agdcpkll.exe
        
        C:\Windows\system32\Agdcpkll.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3216
        
        C:\Windows\SysWOW64\Apmhiq32.exe
        
        C:\Windows\system32\Apmhiq32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4988
        
        C:\Windows\SysWOW64\Aonhghjl.exe
        
        C:\Windows\system32\Aonhghjl.exe
        79⤵
        Modifies registry class
        
        PID:1052
        
        C:\Windows\SysWOW64\Adkqoohc.exe
        
        C:\Windows\system32\Adkqoohc.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3452
        
        C:\Windows\SysWOW64\Amcehdod.exe
        
        C:\Windows\system32\Amcehdod.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Bobabg32.exe
        
        C:\Windows\system32\Bobabg32.exe
        82⤵
        Modifies registry class
        
        PID:4036
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4504
        
        C:\Windows\SysWOW64\Bdagpnbk.exe
        
        C:\Windows\system32\Bdagpnbk.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\Baegibae.exe
        
        C:\Windows\system32\Baegibae.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Bnlhncgi.exe
        
        C:\Windows\system32\Bnlhncgi.exe
        86⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:700
        
        C:\Windows\SysWOW64\Bhblllfo.exe
        
        C:\Windows\system32\Bhblllfo.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2792
        
        C:\Windows\SysWOW64\Bnoddcef.exe
        
        C:\Windows\system32\Bnoddcef.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5056
        
        C:\Windows\SysWOW64\Chdialdl.exe
        
        C:\Windows\system32\Chdialdl.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3708
        
        C:\Windows\SysWOW64\Ckbemgcp.exe
        
        C:\Windows\system32\Ckbemgcp.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1128
        
        C:\Windows\SysWOW64\Cammjakm.exe
        
        C:\Windows\system32\Cammjakm.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3080
        
        C:\Windows\SysWOW64\Cgifbhid.exe
        
        C:\Windows\system32\Cgifbhid.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Caojpaij.exe
        
        C:\Windows\system32\Caojpaij.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3584
        
        C:\Windows\SysWOW64\Cglbhhga.exe
        
        C:\Windows\system32\Cglbhhga.exe
        94⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\Cocjiehd.exe
        
        C:\Windows\system32\Cocjiehd.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3988
        
        C:\Windows\SysWOW64\Cpdgqmnb.exe
        
        C:\Windows\system32\Cpdgqmnb.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3784
        
        C:\Windows\SysWOW64\Cacckp32.exe
        
        C:\Windows\system32\Cacckp32.exe
        97⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Chnlgjlb.exe
        
        C:\Windows\system32\Chnlgjlb.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5144
        
        C:\Windows\SysWOW64\Cnjdpaki.exe
        
        C:\Windows\system32\Cnjdpaki.exe
        99⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Dpiplm32.exe
        
        C:\Windows\system32\Dpiplm32.exe
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:5232
        
        C:\Windows\SysWOW64\Dgcihgaj.exe
        
        C:\Windows\system32\Dgcihgaj.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        102⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5320
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5360
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        104⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5408 -s 420
        105⤵
        Program crash
        
        PID:5532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5408 -ip 5408
1⤵
PID:5472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afbgkl32.exe

Filesize
790KB

MD5
1b851a7daf5275ed0b92ccd61ff8a7d2

SHA1
c6e5ccb4fe88484d19b1cc355f8ba54977583fd5

SHA256
ebfa40efc168c51495331c5e5de8bc6b896b1ebb0df0a56b93446b0102eda68a

SHA512
d18465b2cb3414626b084460c9125c8c9ec51c84aa9c6c6ddf8796695c820798ee5009eb9dc5c1f347985eb894d2d0fd020b62fdb15946d09fc84f237ebdcca4

Download Submit
C:\Windows\SysWOW64\Amcehdod.exe

Filesize
790KB

MD5
25ce13e9cb966cb90ebafd4f52b0f310

SHA1
d6e6042c51e80670f2ef824edb53d303546cf862

SHA256
35b08a59422dbfa83c94b3cc4ed3d5c358f34b22e2dd75a7eb8f26a42ef64835

SHA512
c1f53ec0b283994ed9238bbfa9bf983b1ad3f6b7e17128d16d12d15b1a37bf17f54bb6185d4301a29f6bd2f84f3e44e748f20d1cf5e708ff32a525fc610fcc6e

Download Submit
C:\Windows\SysWOW64\Apmhiq32.exe

Filesize
790KB

MD5
2dbb302188b75d577a4c81a3a83b6deb

SHA1
d59c0a081a2831e7ae5af42cadb0d07933ce406a

SHA256
da92c5c5f0d847efdb3902c661bc70c0c3cf29b5ff1d9f2cbc82455d9a722ae5

SHA512
36c64f8ce5702e351dd311e18a4d076c2a37bd3c2714e15af323f9227774558931efc04b39ab855d1a12a5806e7e6475ed848fe95b5a4f7c5ee0841eec46b605

Download Submit
C:\Windows\SysWOW64\Baegibae.exe

Filesize
790KB

MD5
334d9ebff70fe5474d779a4938450baf

SHA1
f619546cee594b8d2e6337ad1ac7e9fec7e6eb16

SHA256
8525df8ffb37eb247ad8a800d532be93a71849effa19757c6d7e3fd481fd0fd5

SHA512
38570f4c3ed90cd341a25d4f8fede86eafdb3399e8136271e72e79a66d7b3005aa1db7c467b05481350daa8205114a18a460a053c3db20d3bfda2de6abacebb8

Download Submit
C:\Windows\SysWOW64\Bgnffj32.exe

Filesize
790KB

MD5
0ccc98930372fff5b7558a0f4dcab72b

SHA1
8a700668701042a4ecb9053fdff1e3f1b822c8d4

SHA256
084428c41fb69b3c8977dbbefffebd09cd5a9abb17102e67a4e1c2e2be92c6cc

SHA512
eb48df0d2fcc3dbf2791facd4d47c3099857aea1ebf1994cfc38afe4e3147d3a17dd731754c2ddaec38d171f9e8f7589aad10b86ab6dd6e800ea422589f45411

Download Submit
C:\Windows\SysWOW64\Cgifbhid.exe

Filesize
790KB

MD5
48ebbb68e1c50901f40e5679d16842bc

SHA1
44d1c3f9c2e274870f986a81365ec01e5216dceb

SHA256
0b7480d7624678b612bce433f65a1f65f2db8e535f2b3707841899c353ba3de0

SHA512
4024d702e88b2370d76f394a680fb6173da58e4708b07d060b2fe830ab5ccfd8561775374c9902722b9a5fabe46432b55255e9493a846c19d061ab78974f85aa

Download Submit
C:\Windows\SysWOW64\Cpdgqmnb.exe

Filesize
790KB

MD5
05e151d08ebed1778689022e76e9b4b3

SHA1
a85710cabe74c43359c2b434d6a21864346ddc7b

SHA256
86b18d8f851f6e13d8c8205068b20245f85b9cb440e01ac0bf4af3fd71945cab

SHA512
a199cf8192d3996dbbfc540b1337de1f7a9811a0564901433741ee9e2e77544ad5068b18999c615ffb28e6e223e1635371807fdbe8093acc80ab0b026ece047b

Download Submit
C:\Windows\SysWOW64\Dbbffdlq.exe

Filesize
790KB

MD5
b25b54c2e0bd81b9229b2db1a16e847f

SHA1
f9b96df2fd8cbd492d550451dec878b727d7e69b

SHA256
80b65e13dea5a2c5504ddd51d1dc6ea781639b1600e12fda3735019037526736

SHA512
f0f6664a35e7ed4cea4b2b2bf575a12d3a1135dfefb5c04e78c9e24a36d2dda000aeb60a91d33ed448a77d3c2ad6e215ac1c649eb2f9850d41ce313c0bfc2a6b

Download Submit
C:\Windows\SysWOW64\Deqcbpld.exe

Filesize
790KB

MD5
ccacceaca71d4fd605caea1620c9d7e5

SHA1
6fc781480b669c4ecd91866f0c60ff34ddeeb54b

SHA256
231e844d55085178bdfbb791e4389fcf43b10871b4c005870cb1e723894d830c

SHA512
b8e096cc4d3d53599424ef85597e590dd707f8229510984f489046a43017650692f9dd06cf065b0b8dc4b274625f7928646bf1ed4a390c23a95b12e8006825b7

Download Submit
C:\Windows\SysWOW64\Dkfadkgf.exe

Filesize
790KB

MD5
c331d71fbf96fdc13e544c5d99c08fc2

SHA1
41b8867242ec8c608989b772f5a50e819f78a106

SHA256
dec7edf77bae77034237118515797fa1b6b8dc1636ede8800638bff86ca3084d

SHA512
86cfa9f95729ca5234ed5b5f6b8a6903c86818209545ccba4f4214df735de7c8e1faeb0762e2dec24cddfb4af3b3577b3920b3a5d07d093b1011592d2a840978

Download Submit
C:\Windows\SysWOW64\Ebnfbcbc.exe

Filesize
790KB

MD5
2210ad47dde81522135a2107893d5d65

SHA1
b460af5948d60fe2cd28d522a63a6f128a19100a

SHA256
e34099a0297f63115648177519c9a841a901054082ca2580cd6427ffab156d33

SHA512
42c52ded1f393fb2bbddcaeb6613d3f42a5386fe6e9b957d73567ef91515872472e82785ec10e9aeba65f8692ad0c09750c3fa5c34ed1bd5b209657ed0a9343a

Download Submit
C:\Windows\SysWOW64\Efblbbqd.exe

Filesize
790KB

MD5
dd741efda2e36ea498b1504e9d519f6d

SHA1
9e4733e0dab42a9b3457026f8abbdfa1364e3d95

SHA256
b70869475131846ac19a9fd304d97d5abe35ccf01bb3dd2614dc1bad0d0ea886

SHA512
7f0d0222b8d4365aff46b22ecfc025cb65141fed07fa74993fbc45421d1072fee70e400c6fc9a16ae106af15906e3d9388b4785c52ca73393dfba08e4a1af541

Download Submit
C:\Windows\SysWOW64\Efgemb32.exe

Filesize
790KB

MD5
df10672a31d272ce3bf8b597f43a573e

SHA1
5c6739bb227ba36a035acec1bb2bd49af21edfd3

SHA256
f62aacc236ce9c44b756b901203d31d29fcb93335ff16e44a65ec92b5421e1e7

SHA512
386118ae93f9e2d3a18a8bb9943fbe465dda599069529ea871474a120497d5ad992e99228b55b8e089615d6eae5f5e6e55ee44a36f28cc57a75c89b26d8a0791

Download Submit
C:\Windows\SysWOW64\Epmmqheb.exe

Filesize
790KB

MD5
8eab6b060f68ce20338fa2a1cbae2ae2

SHA1
543246212b4dcd503f87185a83a80c61f4fd8ca5

SHA256
fb2c8f37f44427dd4a6d31e5629f50fc8294e06a48540a7e81490cc3a4ba75a4

SHA512
0545eea1b62b83b39da070ff196f41a9d1e507e775bcf6f9ed4fd3c8e0f96181fb892fdcf604247109cceda4ce84de6f5e0a82de8cbd08e4639b4c2c9b68cb3e

Download Submit
C:\Windows\SysWOW64\Eppjfgcp.exe

Filesize
790KB

MD5
55498c0585de64f3098559f54396f497

SHA1
14e7fd08a8d79599fa95233b0148131da752648f

SHA256
40c6edf6945584b9a35a3143577ce2f1bc8d1a2bc161395667feaebf51d39250

SHA512
99cb5298fab119c30f7d2d2df2a52e83e03b205e49483e5ffd1f482470f69f04b5acf8f6579dd79d0fa7c8554bb0e3bdc302f8c8ce929c6dd05fc7f1f0120065

Download Submit
C:\Windows\SysWOW64\Felbnn32.exe

Filesize
790KB

MD5
046a30159c39d2e0045de4235c3f4dec

SHA1
cc07cc285079acd1440ea2907aec5896e50c5317

SHA256
99c1add30800929c5139ed1973f3b97cc049f0474452ef7c256e8d976ff60f70

SHA512
90c9eac88b7e94dd5f4ef3c2bd5dd52fa88ef082f8d2fb07c3f48759f9aafced7355a5b7844906096ca80b6b6b438272d1914dbd7da722657a07d0ae3468ab21

Download Submit
C:\Windows\SysWOW64\Flfkkhid.exe

Filesize
790KB

MD5
d93fe45499442d510537189a45a88618

SHA1
bfda32ed99b762ffc874d7f486ab4056e4cb205d

SHA256
f016afd3f2c3cde4d8a1591b04bc679d442c770d48f51594c3d4e99026ffd7e5

SHA512
9f40c39645b2de097e237f78bb06c98e8d5581c1514da21dcd901d3bff2c0187ebdc0ee92156e55f02a295ca057583e4fae884d74ce59ce885c232885fe309db

Download Submit
C:\Windows\SysWOW64\Fpkibf32.exe

Filesize
790KB

MD5
71acf1da021e007b025a9de956867d64

SHA1
eaeff6697ed9f610fbed8f776c1bc0294c5c13e5

SHA256
88b55ef420d81989e67bfb674fde28caff5c1a4865e99aa79e4f6c946896fb8c

SHA512
c38aae55877f65e644d35d387f9fec0bceab352b63008ec1cbd7d70e2c44c179d9c0329220e3ddc335f5f6feff439e477ad09bdf22558548f52c7b6df1086f00

Download Submit
C:\Windows\SysWOW64\Gbalopbn.exe

Filesize
790KB

MD5
897f14317bfa3ba6c8e838c7b260f0de

SHA1
64766d7b83a2b2328346b995741c001224e811c3

SHA256
11e4e7a9fbd18d19d98b2f43dd2185884b9d297cad6fee2d3892806ec5315fc3

SHA512
32bc6e28eda94ebc8656efdf0c87b076ca0a5878c1e1c90a12ca961bbc81422846d1d4e326aafdd8b4be47f75f6f106a7385b392dbce214e22d1dadd7a671e47

Download Submit
C:\Windows\SysWOW64\Goglcahb.exe

Filesize
790KB

MD5
122cc52ca9b92d19fe65710ae5bef5ac

SHA1
436d91098aeb9933eff46c5d0ad6fd58deb82921

SHA256
68c0c74e3e2722c7c5e735c76fa51e556109230a25fcd076133e8d8f0406a0d4

SHA512
4ba858b9ecc5504aa5b838ae3b01eb15a83e43e86722ab52471a61e987eff43c699c7e05cb4949caabf2ac39cffb0bd65d2395753b414a7ca575e187c7e8b646

Download Submit
C:\Windows\SysWOW64\Gppcmeem.exe

Filesize
790KB

MD5
97f10e8d6a37e9fd40f9e12352f98902

SHA1
3126dd10dd003a37f505abae88fdcbf285f4c3b5

SHA256
bca4418e76c17c013aeef310146ae240ebeca6aed22453a948f2f72460d5ffb3

SHA512
c33f9cd851c47af8caf7793e107866fa3b8a275a2b214e14cff3030ee715899c904d135d32ce4cd56b2ce8bc2c0434895f6db8b71b72741aab1f0175cd375035

Download Submit
C:\Windows\SysWOW64\Hbjoeojc.exe

Filesize
790KB

MD5
5bb475b5f27efd55c3d2a9c85509edaf

SHA1
0211197b7c6a09e8f604f6ae6ddec3f8d9f84e1b

SHA256
a17b3754d07d3f8bbe34fd47514653f2d7424b4421114d9d103744cac61ca341

SHA512
6126d0bac2b40651313453957f372d50457c21c2f3f7042917cf2b3084dcd55e7d3dc51fe246b25758a3357a3966b9a6419e8d0453d972826923f2b5ba5f1c75

Download Submit
C:\Windows\SysWOW64\Hblkjo32.exe

Filesize
790KB

MD5
aed94f3d3e25ea8ec22f605937c4126d

SHA1
7181c761afc074cbdb1e19b5ff74e072f3b6937d

SHA256
7912bea90228b326f89d47c2949b49613f4e84d91fa161d0748670a3aa8ca164

SHA512
1158fe629ff5b2b0d8f6ed40307f2dfdfee1260059f70600e84c14b062db170f2bee0d6e5e7207dfddaa4c34577c80fc4075e4ca2a8c978d7464f0b148a0f6eb

Download Submit
C:\Windows\SysWOW64\Hfjdqmng.exe

Filesize
790KB

MD5
72380494eb04cf20c8ba9f556cbe7184

SHA1
4868102573ec4cd1c1bbad9eccbc305074a6d71a

SHA256
0c2785cc8dfba2e8c7870a881a4e5f83e7c259dbe60aa9e525f355136a57384f

SHA512
c556416259f8b88f7c50f136546553bbed3d86943ba20a48f770a5ec9f1e5a5113e35cf7bd873feebdf7359705380df9186f6cbdff2a7d0cfbb6f50c09d1b1f3

Download Submit
C:\Windows\SysWOW64\Hmkigh32.exe

Filesize
790KB

MD5
e6c91c1640c0215e4d374e71d7688a3e

SHA1
3aa39ed5c6a88db56e4264042bd0e750e7a44bf9

SHA256
5e180cd17d360abfce4f1a62b6c2f176b94b1ddf8739be6ef78adfcb7456346d

SHA512
ff802d9349abfbffba3d7875100449facb1486737e9da5f6ce65735a7296a95cc7ddbbf352fcde32ec2b78723139983a865cdacfc076467f1c56166b3460acc4

Download Submit
C:\Windows\SysWOW64\Hpchib32.exe

Filesize
790KB

MD5
bb9b85d9742a862e2e4ae7c89ca7a6be

SHA1
9fa617f28238cf788baf3a25f3bb6ddc6195bbc5

SHA256
725d9de0c2485bfb9ce60c1c8ef0cb4bea5a880bdd2eec46a5165dffdd1cbdaa

SHA512
f4ba7ae949885537a2f4a57d5d0ff38c9dfb808d0d4041a81704511999111dc14394a03d1f278b3c5ac4eb78578745f3c3a27cf7be29225ef12cf29319030df2

Download Submit
C:\Windows\SysWOW64\Iebngial.exe

Filesize
790KB

MD5
e26d1d5d4133711a085dd1382a75f00c

SHA1
d7fafcc45770e247222cae0c88e0d41e5d4250a1

SHA256
3eac975b127ffb4e0a52cf93f6f65f7bf6b1adaa4e167c3c7bd2bd0b242599eb

SHA512
e91baaa8f5b8dc60c59d85a9c37a5d2e52cd46103f82a5b2596dcbd52fef05e0558386de477fca11504e436f00466f80fd3bd060154fe8dbb2ecf1889da5f92c

Download Submit
C:\Windows\SysWOW64\Iepaaico.exe

Filesize
790KB

MD5
05c872a57cfc2a0bca03655104cb638f

SHA1
727faebd8b16f371eac2450e11ce887feead9de8

SHA256
5870a4c8756582886249cc5daef336f3089b8a3acf590ab972f78dc141d1cfe6

SHA512
1860a6caa32627ac543a49a857b5c41d26bab3de87d10daabe681e19c7b7b8a1ee39d8af1e3df6fa6e70986c93224e2e43f3abef04cbf83a7d4cb57f9260af0f

Download Submit
C:\Windows\SysWOW64\Igajal32.exe

Filesize
790KB

MD5
962fb8b9f45b775a5f1c5547c7b4f410

SHA1
bec9d7157362666ff427a0845eb550d9731ce133

SHA256
76b82e2971613fd4778ed2f40036d3b4f7b78a8f8a4fd9442780d08e485d0f7e

SHA512
5b56a79cad73410b5fad457e319143de6f120d11c8a40c20b75e54e8f08898fb543f1c2600d3e73a2f7ce8c6c1c99b0f818053416c73f21721b8480597cb69f2

Download Submit
C:\Windows\SysWOW64\Imkbnf32.exe

Filesize
790KB

MD5
d1f7d52ac0d4d746e70dd902632537e5

SHA1
690530be2e7aa34f1f2270f0f2780c3bd2d3198f

SHA256
c40425e970d81e246cb98caa36b4399517b292c10c37739686165e0ef0cbd202

SHA512
0262a7c875a7d2536e6ca128e75dbdf911c50d68b92148602e995ed09af19ddea12d4b575cfb911d088a2d729e1715acd0a88495203f081d4af8b9463cba5c0a

Download Submit
C:\Windows\SysWOW64\Jcdjbk32.exe

Filesize
790KB

MD5
88007a9609cdac21e61cb512fd74fa40

SHA1
eed84462b7dc29d8dbad5da0ab4ce7cdf853fba3

SHA256
c0577221258d7e4fed22a0cc4a01923482f460776a30b4c23c260395702c49bd

SHA512
1216a4638b2b29cd0ba9e9904d450cbe574e86f5e0c77b1b004ec4e5eff8b0a043af512deaef0a60dab007696a5d3f1ad81be7740831e5043c51a1e59d329940

Download Submit
C:\Windows\SysWOW64\Jiiicf32.exe

Filesize
790KB

MD5
29f2887de8433fde323994cb40186097

SHA1
56027a40ef6e4ada6d613b0065f68a04800aa835

SHA256
55659e13dceda1a1e3902e24ff2e4db12c9b9aab81a8f4be8af7a28b71bc2d21

SHA512
0608d73d10185ceb9f5261d13154c9a9b53d049b13004680575c31bdc8e191845668d553845b6d82c7810524da2a4b5ae79ef504b5a657f2eb9950abcebcf3e9

Download Submit
C:\Windows\SysWOW64\Jngbjd32.exe

Filesize
790KB

MD5
835191c1d722cc2d0a27beb3691d8105

SHA1
7d3f526db1320d7ae989a515a2bf69e242cf2f44

SHA256
af28317f984ac492fde4d79a57662c3b43d9ec2f60050c9e59a6e13ebb502ae8

SHA512
878435754ecf2c74c39c728b44798b216a75c3c97727aea4c40424b5677efbedabff7d21bccc62871c2a76011f9339f75eb3c080939bb5e456ee5793bf3b4250

Download Submit
C:\Windows\SysWOW64\Joahqn32.exe

Filesize
790KB

MD5
88af10db1dca5fbcf0ef9b4762d2cfac

SHA1
b1edbba1267d86e9f38eff3ed98e5bccc079601c

SHA256
abf63e76efa856fd4968c8b9c9cc25a607856dbbe4a3e510d8d26d04ad88faf0

SHA512
d37b0f77354009531ce7b7eaecf4423de0556bdbdc987cfb1d0506abd7d2e88f4c30c4b22de6fe4e65cc8d2de4c9e03aa1917be835d35a5b1ed78cfbb32856f9

Download Submit
C:\Windows\SysWOW64\Jpaekqhh.exe

Filesize
790KB

MD5
12c419ae091f0a141ae9d006aaaff0c7

SHA1
7370b9df1507cb823964134a8ce886bb75aa2119

SHA256
f480dba961af5812ec5cc0a7916c290639d35cc695f0483ce5677ac1e7942ea2

SHA512
534c74531cc51bf60478e74b574b2823bc53896c739fb4d0e3f04c1bfd819b99047e1c5c7eac962d72b6f46fb75093d67e3b23b3d1fad010e220f47655d44e5d

Download Submit
C:\Windows\SysWOW64\Keimof32.exe

Filesize
790KB

MD5
81dab9da6036e012d0d3a61028e95a70

SHA1
7b3b1592bddb2a286e1f4d2fbabaae045b5152ee

SHA256
cec7436e8868616071fb175e77a58cb61f605e03cde69f460a4db1ba024090b6

SHA512
008e93f96973c84bef5d14ff9562722e9e72ba42b39db65574fd73c8d78f05efa25952207a4302db964b1ef0db36df724bc96f20c4df7501f5d87b445f9c256a

Download Submit
C:\Windows\SysWOW64\Kflide32.exe

Filesize
790KB

MD5
100a3976a563420df1713bc9005889ce

SHA1
2ece2f02a219c96d53f95f722edff15aeb4e1870

SHA256
36a8f85f843cdf70dbd702e3f2551de49518b3f1b0e1c37fa47b66ca2ebffd71

SHA512
56456017c5912926eb5e0451cc17c0aad15b9952a1ee7f90e863242e1a9e09a6d245fc34fc94cd79a488bd5f69c0258468e5afb86058ce8a3c5153cf52f77b4b

Download Submit
C:\Windows\SysWOW64\Kjjbjd32.exe

Filesize
790KB

MD5
811ea4b004169a3c3cbf487d02fa0bc5

SHA1
303909ac7d323136eafb7aee466d8fb3b7d77ae3

SHA256
499b277fafe66df1207edea6fd372976c1d3aeb88024f5915d38addec06cf4ef

SHA512
4c9b6c7d9e3bcaa1716bb3504e38353675f9cc49fb2eb2ed0a1fb4f65e673c08998b585974c2bfdced0a9b090076ef99410c055b5a99b32c96700f1650d6807d

Download Submit
C:\Windows\SysWOW64\Kpjgaoqm.exe

Filesize
790KB

MD5
2e628ab16fa4ff19c66fabc88cb18882

SHA1
1ee558ae9109c76d1a52756aa72ad515590b40bd

SHA256
5aebc18876688f11881060694019a083427a8653426befa88bcafee98271aee7

SHA512
79dff252134c925498fd8780f00adf6727d6faed5d6b85fcec8cd5dc43f5a60dcea01128881288bebda0fd984c8127af124a1f8a60eef4048b34fe8461ba0f39

Download Submit
C:\Windows\SysWOW64\Mgnlkfal.exe

Filesize
790KB

MD5
424d981679ccb25153e8ef2d41132460

SHA1
e55ef0b1118557778186b8b26915e1fd6105f91c

SHA256
f7b8c5451476a589a478c6ab0c6053c11377bbd0ef1b1f0e1c44ec710af24ce2

SHA512
7832aba990411ca75555310c12ccadd77d9b1bbcdab5a169b9ccd363963de73f2f64dc69b05866d2ede53ef16ab56dd7e92bb90aca15a196497e275cf668cd24

Download Submit
C:\Windows\SysWOW64\Nclbpf32.exe

Filesize
790KB

MD5
31fd24c74cefb2ef6e5af8bfa2f5c6a2

SHA1
d192d8788387cf899ef99ee045a8f8bea8ab9d57

SHA256
ea8bf9f895dd5e58381387593792abd041b69d66e57c5a6941d8bc16e053af90

SHA512
3db0a57c6ad214ee84bc1f2d909da19083004f88b94b206225e0a1e383ceb76795c7206feb05401eeed59a9143a4d524968f756b46bec9af9d6a40bcc92aaa25

Download Submit
C:\Windows\SysWOW64\Ngqagcag.exe

Filesize
790KB

MD5
b39b73e7a91f573754225e51be992a14

SHA1
fc308b7886476761e894baddc0cb74c5af0e244b

SHA256
27cc79063b008cbc49d9789255dbb7406984162959e5325d1745b1d2ddaf421c

SHA512
7b3e5ca101dc5d60200782dc309b4c09ff77d43893e5238fb1c4b1a373f314cb5f0011be45ff3cbb46b209c0c3c445dbfac51bb5a78932654b59bec9566c3ad1

Download Submit
C:\Windows\SysWOW64\Njjdho32.exe

Filesize
128KB

MD5
55069c7c5f627de7ffa82b776e58e3ed

SHA1
3bf2851b1008a52aaa8a54bb0d9917fdf61cd8eb

SHA256
65d371feff7a039dc2c2d60bb5c2a8a526abc7c02db3947ffb3949e1a3ea7065

SHA512
df8f3c0a1c68d7b6fd0bd43ba3a8c93b8bbc21a7b07ca585ed2c0d207e93d1e04da8539c6788d71951148463bb07ba50b4304c8d29f85c53e15249c6ae309be1

Download Submit
C:\Windows\SysWOW64\Ocjoadei.exe

Filesize
790KB

MD5
59fe952e9b777e06c6e1e05f5810c909

SHA1
9fdb3a9e8e9288f26194c6dd0f79ab1b903eb3a2

SHA256
da32d2dd38bc26f1c2b6609ecff9c5840630b74c4dedbe32fd21aae985d41b31

SHA512
b8a00e104542be68414965830c194b584827f7b405917f0282ce03557915e2c5b0520033dfd1fbd7503bfb735a2d80ac9b1cb9b26a300a0e90eded8c8248fa4b

Download Submit
C:\Windows\SysWOW64\Paiogf32.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\Pjpbba32.dll

Filesize
7KB

MD5
db013983d0aa9729e86ffddfeb51205b

SHA1
6d4e5de7a2e193a4ecab778efa29b452ffb33a01

SHA256
02971c165a8b6e35cfb28b2e4db0531530ed9ba5896121f1c3b8490467e9f61c

SHA512
2207c1efaa09c1f8db2f4d40e0d4a7f1b9f59673d763ffcdbc2df7d25c5b0f9e8fde18830650d64c9e8205f726824d18c63243da6b9ffdfafd0f77a31584ff37

Download Submit
C:\Windows\SysWOW64\Pmlfqh32.exe

Filesize
790KB

MD5
cb91c0ec74baff139fa3060e28f9296c

SHA1
d7043693be5b63a5ecdb2a13145b915bb49d9f74

SHA256
9345a92d9be98333a88d71d11663b5efb5d8fae5d8bf059aeb7c30b72ede19f0

SHA512
41f7d97afe7e6954f027981ad52f828064b261adc82b6253ccc9bf45cc9cd207e9993c2b5d8c18513da25c972c0946ac2adfef1406c8c1a2bc7c8d9fc190cbbf

Download Submit
C:\Windows\SysWOW64\Pmpolgoi.exe

Filesize
790KB

MD5
7e1dd9ebdb9f7c943ef72f2f41dd9ccd

SHA1
e33d4b0a00f0a6e7d1bc6b37a1c0a8ed52e82b98

SHA256
f48b67a76b772592badab570e24765aa99c6a966b845394ccf0736060977dbe5

SHA512
4d1e4dc83629354b2f115812956a0b0dd38b769a3275d80fe093718938647cc6a3a4f5065b9ce7db0bfd05b605f2d6eb27c3c93ac25ff6ae8e03c623f1fd45e4

Download Submit
C:\Windows\SysWOW64\Qdaniq32.exe

Filesize
790KB

MD5
cf8df23ab4478497e99c6fef732e03e3

SHA1
3fe85ede8acf3aa5b919a386aa776422e70d205b

SHA256
8ed4fecb1d0ffd2a1144dfb46d4009471aef24711335dfbcb71c61fa94500343

SHA512
417023a3929ab0afc63e42003724afb543340748d972171de44078d07166b29d486a10f36af0ebfcf36bb1f4da570b3a6f17396b005c0080b4439333e48f8748

Download Submit
C:\Windows\SysWOW64\Qobhkjdi.exe

Filesize
790KB

MD5
a81de38034c3ee12887880eb49554e2b

SHA1
7e14952c34f0ac1b858d043adfc4bd148c750a3f

SHA256
c6c29dfb1528b2eb24287f2773c9643743ac82da0f5b68cbe5c73efe15c138da

SHA512
d81ef06b8994451190af39ca00e69a4b9f229f76e62396a952b0bf8e895977023b7fe07cf7467ce76f916163f028f25cf6348127d5f9bc7c08dca2837376e7f8

Download Submit
memory/216-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/220-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/316-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/540-466-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/544-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/700-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/744-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/764-231-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1052-532-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1060-442-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1208-508-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1264-558-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1264-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1288-819-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1288-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1496-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1520-472-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-460-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1592-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1608-111-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1648-496-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1680-545-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1708-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1712-39-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1712-579-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1808-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1844-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1872-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1920-484-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1952-255-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1968-551-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1968-7-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1972-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1976-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2000-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2056-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2224-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2272-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2272-572-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2320-729-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2340-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2468-436-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2508-207-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2516-103-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-239-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2792-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2892-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2904-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2904-800-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2960-763-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2960-502-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3192-514-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3216-520-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3388-127-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3432-490-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3452-538-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3472-544-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3472-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3504-23-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3504-565-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3536-478-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3628-247-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3644-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3668-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3728-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3880-47-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3880-586-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3908-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3936-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3960-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4000-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4036-748-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4036-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4116-223-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4120-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4184-119-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4232-448-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4244-406-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4340-454-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4360-76-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4436-191-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4460-68-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4488-278-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4504-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4620-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4632-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4644-95-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4708-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4712-172-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4724-151-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4796-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4836-87-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4864-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4928-58-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4928-593-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4944-199-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4984-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4988-526-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4992-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5056-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download