berbew | 731a4cb603e87855f24095621b2a3b6b3c1374252533c4b769828a8aa6b74748

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 06:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

731a4cb603e87855f24095621b2a3b6b3c1374252533c4b769828a8aa6b74748.exe
Size

80KB
MD5

4d9f0e65733c3346ec33c90abb87b6e2
SHA1

2e4e82b7f6266365d193a952628618db9d804d18
SHA256

731a4cb603e87855f24095621b2a3b6b3c1374252533c4b769828a8aa6b74748
SHA512

c2599c3131e79f403d0facde89048e9cec81b12b09991dd17822a1bced1ee2afc098ed54c327745d2c4018792a91907d204786870f475ba935670962a44b357d
SSDEEP

1536:LY4JAcST2nfPDr8xtm/e/D82LSCYrum8SPGm:84GcSQDr8xo/e/D1SVT8Sz

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Aqppkd32.exeCalhnpgn.exeLmgfda32.exeNilcjp32.exeOpakbi32.exeOpdghh32.exePmannhhj.exeAeiofcji.exeAcqimo32.exeBapiabak.exeLffhfh32.exeMdehlk32.exeOfnckp32.exeOcgmpccl.exePdifoehl.exeAcjclpcf.exeMlopkm32.exeMibpda32.exeBnbmefbg.exeNlmllkja.exeQqijje32.exeAfhohlbj.exeDgbdlf32.exeKpjcdn32.exeOjaelm32.exeBnhjohkb.exeBganhm32.exeDmefhako.exeMenjdbgj.exeNcdgcf32.exeNggjdc32.exeBhhdil32.exeCdcoim32.exeLdleel32.exeMgddhf32.exeNgdmod32.exeAnogiicl.exeKmncnb32.exeMnebeogl.exeNjciko32.exeCjkjpgfi.exeCagobalc.exeBalpgb32.exeDogogcpo.exeLfhdlh32.exeMdckfk32.exeNdfqbhia.exeBjokdipf.exeBgcknmop.exeKfmepi32.exePgefeajb.exePcbmka32.exeDelnin32.exeKfankifm.exeOcpgod32.exeCnicfe32.exeNnlhfn32.exeBjagjhnc.exeCjinkg32.exeCeehho32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmgfda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nilcjp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opakbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lffhfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdehlk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlopkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mibpda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlmllkja.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqijje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpjcdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Menjdbgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldleel32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdehlk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgddhf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmncnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnebeogl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfhdlh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdckfk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndfqbhia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfmepi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfankifm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnlhfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

Processes:

Kemhff32.exeKpbmco32.exeKfmepi32.exeKlimip32.exeKbceejpf.exeKebbafoj.exeKlljnp32.exeKpgfooop.exeKfankifm.exeKipkhdeq.exeKpjcdn32.exeKbhoqj32.exeKmncnb32.exeLffhfh32.exeLpnlpnih.exeLfhdlh32.exeLmbmibhb.exeLdleel32.exeLenamdem.exeLlgjjnlj.exeLbabgh32.exeLepncd32.exeLmgfda32.exeLdanqkki.exeLgokmgjm.exeLmiciaaj.exeLllcen32.exeMdckfk32.exeMgagbf32.exeMipcob32.exeMlopkm32.exeMdehlk32.exeMgddhf32.exeMibpda32.exeMmnldp32.exeMgfqmfde.exeMlcifmbl.exeMigjoaaf.exeMmbfpp32.exeMdmnlj32.exeMenjdbgj.exeMnebeogl.exeNdokbi32.exeNgmgne32.exeNilcjp32.exeNpfkgjdn.exeNcdgcf32.exeNebdoa32.exeNlmllkja.exeNphhmj32.exeNgbpidjh.exeNnlhfn32.exeNdfqbhia.exeNgdmod32.exeNjciko32.exeNlaegk32.exeNggjdc32.exeOponmilc.exeOcnjidkf.exeOjgbfocc.exeOncofm32.exeOpakbi32.exeOcpgod32.exeOfnckp32.exe

pid	process
2340	Kemhff32.exe
4600	Kpbmco32.exe
1284	Kfmepi32.exe
2928	Klimip32.exe
4892	Kbceejpf.exe
2672	Kebbafoj.exe
220	Klljnp32.exe
4792	Kpgfooop.exe
4528	Kfankifm.exe
4320	Kipkhdeq.exe
2120	Kpjcdn32.exe
1160	Kbhoqj32.exe
3236	Kmncnb32.exe
1748	Lffhfh32.exe
1972	Lpnlpnih.exe
348	Lfhdlh32.exe
2432	Lmbmibhb.exe
1244	Ldleel32.exe
2956	Lenamdem.exe
5052	Llgjjnlj.exe
1824	Lbabgh32.exe
796	Lepncd32.exe
3988	Lmgfda32.exe
3928	Ldanqkki.exe
4516	Lgokmgjm.exe
1468	Lmiciaaj.exe
4500	Lllcen32.exe
4656	Mdckfk32.exe
2908	Mgagbf32.exe
1236	Mipcob32.exe
3564	Mlopkm32.exe
3640	Mdehlk32.exe
3452	Mgddhf32.exe
2040	Mibpda32.exe
4384	Mmnldp32.exe
1888	Mgfqmfde.exe
4780	Mlcifmbl.exe
208	Migjoaaf.exe
3668	Mmbfpp32.exe
2008	Mdmnlj32.exe
3496	Menjdbgj.exe
4836	Mnebeogl.exe
1996	Ndokbi32.exe
1988	Ngmgne32.exe
4560	Nilcjp32.exe
1620	Npfkgjdn.exe
3764	Ncdgcf32.exe
4676	Nebdoa32.exe
1612	Nlmllkja.exe
2904	Nphhmj32.exe
4856	Ngbpidjh.exe
412	Nnlhfn32.exe
732	Ndfqbhia.exe
4664	Ngdmod32.exe
4956	Njciko32.exe
3428	Nlaegk32.exe
4276	Nggjdc32.exe
1984	Oponmilc.exe
3320	Ocnjidkf.exe
848	Ojgbfocc.exe
2640	Oncofm32.exe
5020	Opakbi32.exe
3880	Ocpgod32.exe
3456	Ofnckp32.exe

Drops file in System32 directory 64 IoCs

Processes:

Opakbi32.exeMlcifmbl.exePqknig32.exeKipkhdeq.exeNilcjp32.exeChmndlge.exeCfdhkhjj.exeLmiciaaj.exeOncofm32.exeQdbiedpa.exeBcjlcn32.exeCfbkeh32.exeCenahpha.exeLlgjjnlj.exeMipcob32.exeNlaegk32.exePmoahijl.exeAnfmjhmd.exeBeeoaapl.exeNgbpidjh.exeQffbbldm.exeCagobalc.exeDhfajjoj.exeOlmeci32.exeAnadoi32.exeDelnin32.exePdifoehl.exePcppfaka.exeBjokdipf.exeDgbdlf32.exePjjhbl32.exeOqfdnhfk.exePqpgdfnp.exeAcqimo32.exeCnicfe32.exeDhmgki32.exeDogogcpo.exeLffhfh32.exeLmgfda32.exeAeiofcji.exeLmbmibhb.exeCjkjpgfi.exeCdcoim32.exeCffdpghg.exeKbceejpf.exeLllcen32.exeCmgjgcgo.exeCmnpgb32.exeDopigd32.exeKfmepi32.exeQcgffqei.exeCjbpaf32.exeDddhpjof.exe731a4cb603e87855f24095621b2a3b6b3c1374252533c4b769828a8aa6b74748.exeCjinkg32.exeMdckfk32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Ocpgod32.exe	Opakbi32.exe
File created	C:\Windows\SysWOW64\Migjoaaf.exe	Mlcifmbl.exe
File created	C:\Windows\SysWOW64\Ejfenk32.dll	Pqknig32.exe
File created	C:\Windows\SysWOW64\Efjecajf.dll	Kipkhdeq.exe
File opened for modification	C:\Windows\SysWOW64\Npfkgjdn.exe	Nilcjp32.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Lllcen32.exe	Lmiciaaj.exe
File created	C:\Windows\SysWOW64\Opakbi32.exe	Oncofm32.exe
File created	C:\Windows\SysWOW64\Chempj32.dll	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cenahpha.exe
File created	C:\Windows\SysWOW64\Lbabgh32.exe	Llgjjnlj.exe
File created	C:\Windows\SysWOW64\Ijfjal32.dll	Mipcob32.exe
File created	C:\Windows\SysWOW64\Kmcjho32.dll	Nlaegk32.exe
File created	C:\Windows\SysWOW64\Elocna32.dll	Pmoahijl.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Fibbmq32.dll	Ngbpidjh.exe
File created	C:\Windows\SysWOW64\Anmjcieo.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Ocgmpccl.exe	Olmeci32.exe
File created	C:\Windows\SysWOW64\Jlklhm32.dll	Anadoi32.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Pggbkagp.exe	Pdifoehl.exe
File created	C:\Windows\SysWOW64\Odaoecld.dll	Pcppfaka.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Pmidog32.exe	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Olmeci32.exe	Oqfdnhfk.exe
File created	C:\Windows\SysWOW64\Oomibind.dll	Pqpgdfnp.exe
File opened for modification	C:\Windows\SysWOW64\Anfmjhmd.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Cbeedbdm.dll	Lffhfh32.exe
File created	C:\Windows\SysWOW64\Nhgfglco.dll	Lmgfda32.exe
File created	C:\Windows\SysWOW64\Aclpap32.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Ldleel32.exe	Lmbmibhb.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Icpnnd32.dll	Kbceejpf.exe
File created	C:\Windows\SysWOW64\Ikkokgea.dll	Lllcen32.exe
File opened for modification	C:\Windows\SysWOW64\Pcncpbmd.exe	Pqpgdfnp.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Ingbah32.dll	Lmiciaaj.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Djkahqga.dll	Kfmepi32.exe
File created	C:\Windows\SysWOW64\Qffbbldm.exe	Qcgffqei.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Kemhff32.exe	731a4cb603e87855f24095621b2a3b6b3c1374252533c4b769828a8aa6b74748.exe
File created	C:\Windows\SysWOW64\Kpjcdn32.exe	Kipkhdeq.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Nniadn32.dll	Mdckfk32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

6648 6564 WerFault.exe Dmllipeg.exe

pid	pid_target	process	target process
6648	6564	WerFault.exe	Dmllipeg.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Kpgfooop.exeDfknkg32.exeLenamdem.exeNgbpidjh.exeQjoankoi.exeDopigd32.exeDelnin32.exeOjgbfocc.exeOqfdnhfk.exeOcgmpccl.exeCnicfe32.exeDkkcge32.exeLfhdlh32.exePnakhkol.exePmidog32.exeAcjclpcf.exeAfjlnk32.exeCdcoim32.exeKebbafoj.exeKbhoqj32.exeNlmllkja.exeOcnjidkf.exePcncpbmd.exePjhlml32.exeKmncnb32.exeMlcifmbl.exeAeiofcji.exeAqppkd32.exeBaicac32.exeBapiabak.exe731a4cb603e87855f24095621b2a3b6b3c1374252533c4b769828a8aa6b74748.exeKbceejpf.exeLllcen32.exeMgagbf32.exeNcdgcf32.exeOncofm32.exeCnffqf32.exeNjciko32.exeNlaegk32.exeOjllan32.exeBjagjhnc.exeBelebq32.exeBnbmefbg.exeCmgjgcgo.exeMlopkm32.exeMibpda32.exeMdmnlj32.exeNebdoa32.exeAqkgpedc.exeAmbgef32.exeDmllipeg.exeKpjcdn32.exeOfnckp32.exePggbkagp.exeQffbbldm.exeBhhdil32.exeDgbdlf32.exeKfmepi32.exeMdehlk32.exeMgfqmfde.exeOnhhamgg.exePjcbbmif.exeBeeoaapl.exeLffhfh32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpgfooop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lenamdem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngbpidjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfhdlh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kebbafoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbhoqj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlmllkja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmncnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlcifmbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	731a4cb603e87855f24095621b2a3b6b3c1374252533c4b769828a8aa6b74748.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbceejpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lllcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgagbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncdgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oncofm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlopkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mibpda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdmnlj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nebdoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpjcdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfmepi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdehlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgfqmfde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lffhfh32.exe

Modifies registry class 64 IoCs

Processes:

Pgefeajb.exeBjokdipf.exeBagflcje.exeNebdoa32.exeNphhmj32.exePcppfaka.exeDfnjafap.exeNdokbi32.exePcncpbmd.exeQmkadgpo.exeCdfkolkf.exeMnebeogl.exeDodbbdbb.exeMenjdbgj.exeBalpgb32.exeCffdpghg.exeKbhoqj32.exeLmbmibhb.exeQjoankoi.exeQffbbldm.exeChmndlge.exe731a4cb603e87855f24095621b2a3b6b3c1374252533c4b769828a8aa6b74748.exeLbabgh32.exeMibpda32.exeNcdgcf32.exeNnlhfn32.exeBgehcmmm.exeKpbmco32.exeKbceejpf.exeNlmllkja.exeNgbpidjh.exeAclpap32.exeBnhjohkb.exeDmefhako.exeDddhpjof.exeKfmepi32.exeLfhdlh32.exeLepncd32.exeOcgmpccl.exeCagobalc.exeQcgffqei.exeBnbmefbg.exeDogogcpo.exeOjaelm32.exeCfbkeh32.exeLdleel32.exeOfnckp32.exePdmpje32.exeCdhhdlid.exeDkkcge32.exeKpjcdn32.exeQqijje32.exeCmnpgb32.exeCnffqf32.exeLffhfh32.exeNjciko32.exeBganhm32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneljh32.dll"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlingkpe.dll"	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odaoecld.dll"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agocgbni.dll"	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlaqpipg.dll"	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idodkeom.dll"	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lemphdgj.dll"	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbhoqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmbmibhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqbodd32.dll"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	731a4cb603e87855f24095621b2a3b6b3c1374252533c4b769828a8aa6b74748.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmmfbg32.dll"	Lbabgh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mibpda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mibpda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpbmco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icpnnd32.dll"	Kbceejpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibbmq32.dll"	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgldjcmk.dll"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfmepi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Allebf32.dll"	Lfhdlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjhijoaa.dll"	Lepncd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldamee32.dll"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfajji32.dll"	Ldleel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoohalad.dll"	Kpbmco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpjcdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lffhfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bganhm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

731a4cb603e87855f24095621b2a3b6b3c1374252533c4b769828a8aa6b74748.exeKemhff32.exeKpbmco32.exeKfmepi32.exeKlimip32.exeKbceejpf.exeKebbafoj.exeKlljnp32.exeKpgfooop.exeKfankifm.exeKipkhdeq.exeKpjcdn32.exeKbhoqj32.exeKmncnb32.exeLffhfh32.exeLpnlpnih.exeLfhdlh32.exeLmbmibhb.exeLdleel32.exeLenamdem.exeLlgjjnlj.exeLbabgh32.exe

description	pid	process	target process
PID 4076 wrote to memory of 2340	4076	731a4cb603e87855f24095621b2a3b6b3c1374252533c4b769828a8aa6b74748.exe	Kemhff32.exe
PID 4076 wrote to memory of 2340	4076	731a4cb603e87855f24095621b2a3b6b3c1374252533c4b769828a8aa6b74748.exe	Kemhff32.exe
PID 4076 wrote to memory of 2340	4076	731a4cb603e87855f24095621b2a3b6b3c1374252533c4b769828a8aa6b74748.exe	Kemhff32.exe
PID 2340 wrote to memory of 4600	2340	Kemhff32.exe	Kpbmco32.exe
PID 2340 wrote to memory of 4600	2340	Kemhff32.exe	Kpbmco32.exe
PID 2340 wrote to memory of 4600	2340	Kemhff32.exe	Kpbmco32.exe
PID 4600 wrote to memory of 1284	4600	Kpbmco32.exe	Kfmepi32.exe
PID 4600 wrote to memory of 1284	4600	Kpbmco32.exe	Kfmepi32.exe
PID 4600 wrote to memory of 1284	4600	Kpbmco32.exe	Kfmepi32.exe
PID 1284 wrote to memory of 2928	1284	Kfmepi32.exe	Klimip32.exe
PID 1284 wrote to memory of 2928	1284	Kfmepi32.exe	Klimip32.exe
PID 1284 wrote to memory of 2928	1284	Kfmepi32.exe	Klimip32.exe
PID 2928 wrote to memory of 4892	2928	Klimip32.exe	Kbceejpf.exe
PID 2928 wrote to memory of 4892	2928	Klimip32.exe	Kbceejpf.exe
PID 2928 wrote to memory of 4892	2928	Klimip32.exe	Kbceejpf.exe
PID 4892 wrote to memory of 2672	4892	Kbceejpf.exe	Kebbafoj.exe
PID 4892 wrote to memory of 2672	4892	Kbceejpf.exe	Kebbafoj.exe
PID 4892 wrote to memory of 2672	4892	Kbceejpf.exe	Kebbafoj.exe
PID 2672 wrote to memory of 220	2672	Kebbafoj.exe	Klljnp32.exe
PID 2672 wrote to memory of 220	2672	Kebbafoj.exe	Klljnp32.exe
PID 2672 wrote to memory of 220	2672	Kebbafoj.exe	Klljnp32.exe
PID 220 wrote to memory of 4792	220	Klljnp32.exe	Kpgfooop.exe
PID 220 wrote to memory of 4792	220	Klljnp32.exe	Kpgfooop.exe
PID 220 wrote to memory of 4792	220	Klljnp32.exe	Kpgfooop.exe
PID 4792 wrote to memory of 4528	4792	Kpgfooop.exe	Kfankifm.exe
PID 4792 wrote to memory of 4528	4792	Kpgfooop.exe	Kfankifm.exe
PID 4792 wrote to memory of 4528	4792	Kpgfooop.exe	Kfankifm.exe
PID 4528 wrote to memory of 4320	4528	Kfankifm.exe	Kipkhdeq.exe
PID 4528 wrote to memory of 4320	4528	Kfankifm.exe	Kipkhdeq.exe
PID 4528 wrote to memory of 4320	4528	Kfankifm.exe	Kipkhdeq.exe
PID 4320 wrote to memory of 2120	4320	Kipkhdeq.exe	Kpjcdn32.exe
PID 4320 wrote to memory of 2120	4320	Kipkhdeq.exe	Kpjcdn32.exe
PID 4320 wrote to memory of 2120	4320	Kipkhdeq.exe	Kpjcdn32.exe
PID 2120 wrote to memory of 1160	2120	Kpjcdn32.exe	Kbhoqj32.exe
PID 2120 wrote to memory of 1160	2120	Kpjcdn32.exe	Kbhoqj32.exe
PID 2120 wrote to memory of 1160	2120	Kpjcdn32.exe	Kbhoqj32.exe
PID 1160 wrote to memory of 3236	1160	Kbhoqj32.exe	Kmncnb32.exe
PID 1160 wrote to memory of 3236	1160	Kbhoqj32.exe	Kmncnb32.exe
PID 1160 wrote to memory of 3236	1160	Kbhoqj32.exe	Kmncnb32.exe
PID 3236 wrote to memory of 1748	3236	Kmncnb32.exe	Lffhfh32.exe
PID 3236 wrote to memory of 1748	3236	Kmncnb32.exe	Lffhfh32.exe
PID 3236 wrote to memory of 1748	3236	Kmncnb32.exe	Lffhfh32.exe
PID 1748 wrote to memory of 1972	1748	Lffhfh32.exe	Lpnlpnih.exe
PID 1748 wrote to memory of 1972	1748	Lffhfh32.exe	Lpnlpnih.exe
PID 1748 wrote to memory of 1972	1748	Lffhfh32.exe	Lpnlpnih.exe
PID 1972 wrote to memory of 348	1972	Lpnlpnih.exe	Lfhdlh32.exe
PID 1972 wrote to memory of 348	1972	Lpnlpnih.exe	Lfhdlh32.exe
PID 1972 wrote to memory of 348	1972	Lpnlpnih.exe	Lfhdlh32.exe
PID 348 wrote to memory of 2432	348	Lfhdlh32.exe	Lmbmibhb.exe
PID 348 wrote to memory of 2432	348	Lfhdlh32.exe	Lmbmibhb.exe
PID 348 wrote to memory of 2432	348	Lfhdlh32.exe	Lmbmibhb.exe
PID 2432 wrote to memory of 1244	2432	Lmbmibhb.exe	Ldleel32.exe
PID 2432 wrote to memory of 1244	2432	Lmbmibhb.exe	Ldleel32.exe
PID 2432 wrote to memory of 1244	2432	Lmbmibhb.exe	Ldleel32.exe
PID 1244 wrote to memory of 2956	1244	Ldleel32.exe	Lenamdem.exe
PID 1244 wrote to memory of 2956	1244	Ldleel32.exe	Lenamdem.exe
PID 1244 wrote to memory of 2956	1244	Ldleel32.exe	Lenamdem.exe
PID 2956 wrote to memory of 5052	2956	Lenamdem.exe	Llgjjnlj.exe
PID 2956 wrote to memory of 5052	2956	Lenamdem.exe	Llgjjnlj.exe
PID 2956 wrote to memory of 5052	2956	Lenamdem.exe	Llgjjnlj.exe
PID 5052 wrote to memory of 1824	5052	Llgjjnlj.exe	Lbabgh32.exe
PID 5052 wrote to memory of 1824	5052	Llgjjnlj.exe	Lbabgh32.exe
PID 5052 wrote to memory of 1824	5052	Llgjjnlj.exe	Lbabgh32.exe
PID 1824 wrote to memory of 796	1824	Lbabgh32.exe	Lepncd32.exe

C:\Users\Admin\AppData\Local\Temp\731a4cb603e87855f24095621b2a3b6b3c1374252533c4b769828a8aa6b74748.exe
"C:\Users\Admin\AppData\Local\Temp\731a4cb603e87855f24095621b2a3b6b3c1374252533c4b769828a8aa6b74748.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4076
- C:\Windows\SysWOW64\Kemhff32.exe
  C:\Windows\system32\Kemhff32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\SysWOW64\Kpbmco32.exe
    C:\Windows\system32\Kpbmco32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4600
  - - C:\Windows\SysWOW64\Kfmepi32.exe
      C:\Windows\system32\Kfmepi32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1284
    - - C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2928
      - C:\Windows\SysWOW64\Kbceejpf.exe
        
        C:\Windows\system32\Kbceejpf.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Windows\SysWOW64\Kebbafoj.exe
        
        C:\Windows\system32\Kebbafoj.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4320
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3236
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:348
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1244
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:796
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3988
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        25⤵
        Executes dropped EXE
        
        PID:3928
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        26⤵
        Executes dropped EXE
        
        PID:4516
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1468
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4500
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4656
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1236
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3564
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3640
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3452
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2040
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        36⤵
        Executes dropped EXE
        
        PID:4384
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1888
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4780
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        39⤵
        Executes dropped EXE
        
        PID:208
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        40⤵
        Executes dropped EXE
        
        PID:3668
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3496
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1996
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        45⤵
        Executes dropped EXE
        
        PID:1988
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4560
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        47⤵
        Executes dropped EXE
        
        PID:1620
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3764
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4676
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2904
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:412
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:732
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4664
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3428
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4276
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        59⤵
        Executes dropped EXE
        
        PID:1984
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3320
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:848
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2640
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5020
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3880
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3456
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        66⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5068
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        68⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:872
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5048
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        72⤵
        Drops file in System32 directory
        
        PID:224
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:556
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2052
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        75⤵
        Drops file in System32 directory
        
        PID:4328
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        76⤵
        Drops file in System32 directory
        
        PID:2316
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1280
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:216
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2456
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:2176
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:3624
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        83⤵
        Drops file in System32 directory
        
        PID:2000
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        84⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2808
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:3892
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        86⤵
        Modifies registry class
        
        PID:1316
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:840
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        88⤵
        Drops file in System32 directory
        
        PID:4084
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:1852
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4260
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        91⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        92⤵
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        93⤵
        Drops file in System32 directory
        
        PID:3080
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        94⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2444
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        97⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        98⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:760
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5124
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5188
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5256
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:5304
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5364
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        105⤵
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:5452
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        107⤵
        Drops file in System32 directory
        
        PID:5500
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5540
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        109⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        110⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5676
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        112⤵
        Drops file in System32 directory
        
        PID:5716
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        113⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5804
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        115⤵
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5932
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:5976
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        119⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6020
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6064
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6108
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        123⤵
        Drops file in System32 directory
        
        PID:5252
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        124⤵
        Modifies registry class
        
        PID:5312
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        125⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        126⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5536
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5620
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5700
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        130⤵
        System Location Discovery: System Language Discovery
        
        PID:5756
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        131⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5900
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        133⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5916
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        134⤵
        Drops file in System32 directory
        
        PID:6060
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        135⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6116
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5212
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        137⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5300
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        138⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5592
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        140⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5820
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5924
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        143⤵
        Modifies registry class
        
        PID:6032
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        144⤵
        Drops file in System32 directory
        
        PID:740
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        145⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5524
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        147⤵
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        148⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5876
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        149⤵
        Drops file in System32 directory
        
        PID:5880
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5248
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        151⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        152⤵
        Drops file in System32 directory
        
        PID:5752
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        153⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5160
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        154⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        155⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        156⤵
        System Location Discovery: System Language Discovery
        
        PID:5708
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        157⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6160
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        160⤵
        Modifies registry class
        
        PID:6204
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        161⤵
        Modifies registry class
        
        PID:6248
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        162⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        163⤵
        Drops file in System32 directory
        
        PID:6336
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        164⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6380
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6432
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        166⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6476
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6520
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        168⤵
        System Location Discovery: System Language Discovery
        
        PID:6564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6564 -s 220
        169⤵
        Program crash
        
        PID:6648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6564 -ip 6564
1⤵
PID:6624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
80KB

MD5
e79e9ee84b3aa7d05a4412462c9d02cd

SHA1
c74ca716136e9f5e33d9fc27a7f96bb7da0c585a

SHA256
950c9b0e24bf010b9008bd35a73ec6945ff718c3bde1897ccad09136649b5633

SHA512
cc855ea52a46e66ed5d8d3d7105a8e148d914fbe3d33e141e0511d255245e064a5238ddea9a8584d64fdad83945c3d5147f1f43e6264d93e5475288201d83341

Download Submit
C:\Windows\SysWOW64\Acqimo32.exe

Filesize
80KB

MD5
6d285c599d3240536467642a8e0cb1bc

SHA1
c7045b6785e9063d65415fa37343ca00e2d4d05b

SHA256
2c259e3b57006f0f749fa29a0161a76e5a03e469c7d20e109bab80861ea8b7c1

SHA512
0d9dd1204d61bf4076c0ae3a75ee4583af2a49275984298279d75d5d837284e24955c2c5cb8ce52f0abf480fc60fc24806fcc7e03f405a38ce6b4a18dd6e0e91

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
80KB

MD5
6a71b5a1a8b3198c0743f5bb920fe4fa

SHA1
60872ba7fd3ac603cf18423682c99213e04adca3

SHA256
2599cad04f8799e9d3e83df36a02762f85bdb43c85a97f666f3ae8400fdb5897

SHA512
7e50cd7fdf0db84d51fbd6fdd218c8ad3cb0eaa6334e85dcf44592f2c4314e2b4d848832b8698a4788916c234e5975ac4a02a9fe2abff6baa9b0942733682805

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
80KB

MD5
7d857a93b59791ffb5ad261f673eeab3

SHA1
3ffb253b331e35db6c46bb2d72d0bfe442682dd0

SHA256
787e28c883a4852f5dd3814107558f60f53509b410ca9cd3b281e9f885bdc0eb

SHA512
9fe0a94cc42d588b939d8e2251efc48f9464ad433197e108c09a7542f9bb4ee0d3ab2bc6121f742a8a999ffbac21834bf5d9016ed58242c9fc7ca428294c4db9

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
64KB

MD5
39faa891975e22512550057a23049e5b

SHA1
70950ef851172366286916f82e70d9237461983a

SHA256
f2ea21c7fec7353cba8f2eb35bf74757c94886d0b5f422d3db21abdb41fb4d4e

SHA512
39e61331b8de2d27fb7629c032d24bec64cdbdfce1041d617a5b90f8e8cffa59bec99bb2eb885174e8b6d31b2ca21dea0bf0aca47f4a5c89223cac8a1ff0033a

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
80KB

MD5
e516dbc9a0bf380a6b3c93f241280d7d

SHA1
467bacc07c5cc4347d82e02e3072f2eececb8317

SHA256
96e68bda622e9725beeadcd70704fb37997f17c0cd2ec77d0a662f7eb0e1117e

SHA512
8498b7b1e31bfacfe22c7a9f3a295f9933c63d2a99d36013b245f9fb41ec3a169230d0cabbda5d06bfe5b7129069756ba897025737ae4f4a237b7bded47350ac

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
80KB

MD5
b352f01966015e60815ed2d3874f68cb

SHA1
570cf6add966f9554de47ad22cdbd00b3b216fc8

SHA256
f9180001ab6879bc038e894cda723a6dc297398a11d40159cad75fabc714a0de

SHA512
8d6b3ae68d28da6481d2dc2a42af94254a8c856898844531bce8105d218a05d0114364d23a3ad98386e9ad4972f5bb71431dc0af0851465a95a2c88bade90875

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
80KB

MD5
dffc97c71d5f419d71ef14db13cfe79a

SHA1
38a71bd8333dc4df479210a73e9e381f36a75a63

SHA256
a8ba945dc099988fa7caf2fcb50e4445376584ae56e8b13d51cc28fe2563e21c

SHA512
8c59b35d9f3a087c5c51ad72484d091a3e4d6f5dde743a2a17f1011e559b5b0734252a0c6e096824f21d3e019034617567246bd60af1285a890065ff142f7a4b

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
80KB

MD5
e5915f4d132ed7d23cb4e3b46e152757

SHA1
43a9ecc056365b08d9861b2bf7a833fe37fb2038

SHA256
11bdaff7486e95889b04230668abfdaec583d45428a303e6514acddb38cdac0a

SHA512
3511ed4e763b8c7105e39794389d3c3f523ef9e5a4cedc4456a07f3beed843af149f83aab501034d6aeb7067f61fd227e51961a3f00ed4e50762431a2ae7f233

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
80KB

MD5
b3b1f1106a834027a47314d64f5bc684

SHA1
01b692988a05d7d8aa2d3b9e1a74f4f969903041

SHA256
903607079e02ef8af862fd47b1107e368bdd7eaebd36a56f9d14a7d273ebb850

SHA512
62c9c814e39866a477b0b292bb6fe838b41898a23229d5af1134ff8c03563a00eafce0892bc47c6ce0dc893ac80d9eead15c265a0e808343920c50176f6fef2b

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
80KB

MD5
b73f7f0bb54075ff4b0d46e28185785b

SHA1
9fc1c3c64a61bc93e1428dbe7b195669e6d11ef4

SHA256
d6c0443152b5a72e905d186d998393cff48096919f30a1a8fd58a3ddce2e1c8b

SHA512
c62f746e2b93af2630ca85692fe9ccc55e361c556e5d3d1a8a5443afa62d232b3d8a4e7765898b29cbe996c637f08668118f24a7a22a06ccbac919205328264c

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
80KB

MD5
b498a076e660a4cbebf792b63fce2e9e

SHA1
cf36dd03e7beabd1256c7cf0d5a7341d14aeb2c1

SHA256
3676f2c85082c49888d02169019f487793504ebee0a29daa60ba233b47cdc3cf

SHA512
0c044b06813440cc1efa62bbb1c086a1d6d5f411cab1d90a313655e8512ca428feb1bc2af6efd62420de7cf4b0ab66e5ad7dc58dfc32518a8a5ca04da0ac92e6

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
80KB

MD5
8aa21d186a9900afbde2c6e12aa570eb

SHA1
d443b3b2780750389725f1ea50a23ad685ab119f

SHA256
17fe6668d15e225ad5502040a5582f32f58096dddb96fcf398f9998bf54a8c3a

SHA512
be93f6db1ab779042f992a095c16ada0b20ee39c96dfb81b3f91e1aca51106244fb68f325638f17797115ac8c7c71d9ea9a514b2f3d7270c840f2e723272eff5

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
80KB

MD5
91e4a947b5d55bfcbf619d974d445a72

SHA1
df3e5c6be063acfbebe004af7b0c39699f9c32d3

SHA256
0c1ece3af2611313b9f4b2a20cbca03e47eb543794d5dbcbc83d0954437529ad

SHA512
cbff6d4eb26d0b3de8793cf7927c96ff7f1ab641721da207673151cff70a43a263d57d73db3eb13478296fc6b18810f4a7a659df4dbbd8c368a341065257d985

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
80KB

MD5
6b1708baa6a8ce6c7672be8f28d22673

SHA1
fe22c5750419e924ba88fe8a125fda8c04afc43b

SHA256
bd3f8c1579ff5e0a9fcd2f65dc0f3fcc15fedc3d72cd1ce99bf7b5f72fa411e9

SHA512
e0cc55083a22e5acfcc38366eabfac5620c0532b13346b39a4ae1058d9086dee2f223142e48d0b244cf2433985a1f6cd8e90c99af79eee001ed7fb3c602245e9

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
80KB

MD5
4b64b29051d17931b77d27f679cf0c64

SHA1
971f04ee2189489477c6895da2c984abe3ff9f5c

SHA256
e7ebc554fc375b185832df7ad15247652bfad9f3c5ce9865059e21782e941035

SHA512
3aeeb1678f02af916af4f8100b5c2714994a435d3c37475cc259fe3f28fde54288950d73833c11e5d69439982506389fd7f05f4d6356f705e3347891b953c3b4

Download Submit
C:\Windows\SysWOW64\Kbceejpf.exe

Filesize
80KB

MD5
8c68d4e55182e36004a731e474504b41

SHA1
e6fdd63962af2d26b62d7955f897afe3b0b62c70

SHA256
268ad5af474fac7c34446eae165b9f7a37a2497cc4ee60510259bb0b1f850096

SHA512
466d51e09b99f5506963bb6d56dd7014f78695d5b245c13f0bcd1cef907e42444a3df0f04117c60b873a2b1c7c3b2b58016f3a407f750b5de5c6a6d50b6165d2

Download Submit
C:\Windows\SysWOW64\Kbhoqj32.exe

Filesize
80KB

MD5
ad956835f5ae429428fec5a43948c3e7

SHA1
4c9140644bdfbcce8453682cbde70973c3290238

SHA256
ae49e4ece5007d83536e75569490644430efca86a9e313ba8774f8e52c233774

SHA512
95c8da5a8a78795bdebb569791d55ab34ffe5787521cda5c8752fa7d689f8111229879d11020cf496215f87e4ad5de8d3da9d8575cc5e0d5730aab46a9780daa

Download Submit
C:\Windows\SysWOW64\Kebbafoj.exe

Filesize
80KB

MD5
c0356c25acfe320219d60864b6d20d49

SHA1
a9a54c06dac94a1bfb4e8188685269771e1fa152

SHA256
78e28d3ed7af5777318325923d6261af8889fbe60de31ed789a1df4cf1cc2d8a

SHA512
6f94f34aa92cec9f761b2d69c108b7e34c67b80b7fcfc95f490abbff7b8265e7a4cecee301e2461631cbda948c5f92c07ec2d580af6ea2def941a9f1dd2c4ca8

Download Submit
C:\Windows\SysWOW64\Kemhff32.exe

Filesize
80KB

MD5
1e91530ca84cb34bdae39c6d47bf4508

SHA1
93130067490ff331c982326d582244e7b1d81f9a

SHA256
831ecf71566c6c5b05cb53c39c2833e7e96caaa42902b4f172a6d8530d2173e3

SHA512
d923a81d8797b9ace26e07b4c68e01603814f1a56961d5dc5869742ee58d6140b28277d23d21d634ed494b212f1ffad1f1f91154ea988df5e469a24c4d4565d1

Download Submit
C:\Windows\SysWOW64\Kfankifm.exe

Filesize
80KB

MD5
8c38e359c21bada10d2b665ab5035423

SHA1
786b994dda52e18a7dc8de7317ee9f2909066c04

SHA256
a1f572e0710968c91153b6b6c51086c643c49f5e04e9ad516f09889bd7aa9dcb

SHA512
39dfa7a376c86754f68aa15ef12992dd909b22f2632d792a7ef24e9bb54f4bb5cbc5520e878597f072178db4be21dd2a9e11e756c4ae7f8efa0141ed7622ae21

Download Submit
C:\Windows\SysWOW64\Kfmepi32.exe

Filesize
80KB

MD5
0945392495cdaa865a9a8697fbd34da7

SHA1
17cda6d2d50393f321f07a1701a32026d54d64d5

SHA256
09d6ad26087cd725c303f297f7f68622617b4cbee9f24a535fe8fb4ee7062850

SHA512
f80bcf51bbd62b5d7db3409c44fce94d043014d02d42d95c880b0fd85035482dfb0724b6d9df8f850dde3d3bd560072cb08ba3f736a07d3841ef72fee8cea970

Download Submit
C:\Windows\SysWOW64\Kipkhdeq.exe

Filesize
80KB

MD5
61c25167402ec11a09ccb70ae9dc09bb

SHA1
e0de7101ee31b405cf25b5f026dcfabc70844a0b

SHA256
0c4894c3413af89ba9cf539b0d3fb0dc3dc534a554953dabd1193c589880b8a8

SHA512
5d2d9a2a099c3c62bf57642a7dda9c706f60232aab45e902afe6294ed45f455cc5236a08c92fb89a52b0d935663ecfadbe4386d727a84a4cc0c9a1cbb2e1063c

Download Submit
C:\Windows\SysWOW64\Klimip32.exe

Filesize
80KB

MD5
e634a5f4f1038664dae019ce7b2ad7ed

SHA1
0840ce658ed00bc4fc769d12e1904b2c6b407598

SHA256
5cf4c8746af0838e44a4db6e2f2d879d3f0165696660416734ad914a9ef17116

SHA512
99e2198ea7f2178df085f83e8b0268a5d22c8abaac4a7d832b10cca75446e3e65fbfcd954eca8adc13535fdaea90465179048b7f960c0371c06f591c62dfc1a6

Download Submit
C:\Windows\SysWOW64\Klljnp32.exe

Filesize
80KB

MD5
108b6554f4249cb120e07d54e684bfef

SHA1
640065c086a14402e7378e2dcb0a7831ee67cf29

SHA256
04b3b52b9ac046478f9346ba13651ce903b6b654f2132308bc9daac736a2449e

SHA512
4dbe8affac117a931eb574ab2d2dd92f70786760401cad69d6eb159179de55fb08aa2abe3b4a3aac6d1f6a18efbae817707d620e06f8439187dfa0cea905b490

Download Submit
C:\Windows\SysWOW64\Kmncnb32.exe

Filesize
80KB

MD5
fbbf1264007812dccee5cf394f05f126

SHA1
5f2a52107b4295567aa60f5ef236198972786d45

SHA256
718d9254952da7ba40e75effcc57f77daeeb01a5bf4199846b35dfe5ba498d3a

SHA512
dcc5b0ebedaf24290ff82e6d5f766978b4833c66e4cce445a00ebbc7b1a9df0fdcf9c4868c8a80449c5cddf2d27a916729f71f4801d304ff3501b961913065a0

Download Submit
C:\Windows\SysWOW64\Kpbmco32.exe

Filesize
80KB

MD5
9196994e54a70150e43cb020b8f0781b

SHA1
ae0de3807311d510ff608af45d7b583cc042f1cc

SHA256
e1f3c4b62654c9dcb63297c9a565044458ebc02ac62a4664c107119b3faec95e

SHA512
1a99fa3e761973e56392e1596dfd56ebf9b5cbe7a4f753bf00851e049e5b99124d8c8fcbc32ee84b134ee5592c44eb044d5f8a7876963aa073ac30755a63b2cd

Download Submit
C:\Windows\SysWOW64\Kpgfooop.exe

Filesize
80KB

MD5
fcd4b0966db1b5580f8cbafdf5661ac1

SHA1
8e22abf634ca1564e345bda5ac911ba3fe330b61

SHA256
5804942829642adc3bc2e0a76597111b923e01b3bb1643f109ba1a7538b6f42c

SHA512
36f07fcacb243c8307dd986552c13442a0245b7db36efcdac8175b431d5b32a7b91b841dcb487599afbeb9bed607781a5719e85a8a9d554b368e989c2fd2c5a0

Download Submit
C:\Windows\SysWOW64\Kpjcdn32.exe

Filesize
80KB

MD5
626b61c4621fdeb59cbe7597f7e40740

SHA1
64f2b9f58c8bef67e69344391b691b88f417a447

SHA256
83b4e1fbadb16c968c9d5fb48d4062657442894afaface98757398d92f7d57b7

SHA512
b80dcb4a9400cfac2de4e607a79fa63e89a5b92821c950a8f0d41124a7dc091db0162d017bfed22c8b2b69e9e0278107edfe53fee50171b4a69797fc003a56ef

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
80KB

MD5
ada1168328a0b78bcabb6fd9c53aaede

SHA1
550ce9851043aec5ea216e89482e4c96c01ed525

SHA256
c9332cc38b581aa48f7f10d6d645960b4cb39dfa8c5dd91de315f063a9692e13

SHA512
6bed05e969e440fdd4a4afa5a447279db3f83c29db42052006023b6ceb12c0b92d998296a1fa7c8005014ae62a3076d2122aef095b57a08bbaf460fdd593721f

Download Submit
C:\Windows\SysWOW64\Ldanqkki.exe

Filesize
80KB

MD5
59e26ef598023d65374f30d2c9472f54

SHA1
5b711c97a05b1b4c8e7661906c08bb6684ccf70e

SHA256
5d45032d6ef169469d4177c9c76cbfa3dd9b32b669944187a699974bb6821757

SHA512
1ac1ab8967f93de60790548b13f2344f265f3e16b3f4e6a0dc75786121fb311209829d1bad8cb707ba18e8f7747f16909423138043a9220ff2fda44354bcc25e

Download Submit
C:\Windows\SysWOW64\Ldleel32.exe

Filesize
80KB

MD5
0b6d0097f283298612134b71e6ebadc3

SHA1
8cb1418727d4428520d4e056a0cf559aa7253ee7

SHA256
dbfbbf217140d83bf96b30dbc38606ae3cb6df315b354df0c7bd25ab4c2e2cff

SHA512
bdb7f669fb223e8f98be67b18c8dbed5a750a3e30618fe6fe6348b7691497a3ca5eb8b97e4e4c49747b422f9e1089fd9c3f5e20f16f078c3cb902d0644649aab

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
80KB

MD5
c1d731058c501326f3ffd4b5bcdf4438

SHA1
2a9f8bacd1b5884468a737c8da546013afb45804

SHA256
917e06a767a8f7727169f2f3dc0031b985d0da174a393de25cd87de96a832b5a

SHA512
19b38f50b48a8118af3cd237da1b1bd435e762b3f1f9d38397a887d885674773131184eb956cc8a5232852f4393271ae66e8c83b96eeccc1b8a99c158ba2d2e8

Download Submit
C:\Windows\SysWOW64\Lepncd32.exe

Filesize
80KB

MD5
cec1af5d5381637d9a86ff410539b55d

SHA1
787257a336617fc56c32d4786f72e9eee5371f7f

SHA256
60e4e5a7f3e87ba0814980aa0cdb09ce5a0ede804474be9bc0c1b9e9a6fb46e9

SHA512
dde743b07ed324d88b50cb2fa844f4755fee15a75d2141aac14340930fa6d77e3bb17c38113743308d5af5918940f8b4708a83f551922e471f71191e8ffc5a61

Download Submit
C:\Windows\SysWOW64\Lffhfh32.exe

Filesize
80KB

MD5
d23eb55a38618357dec64b34a5e25d7d

SHA1
bfdaabffea2f846b91c23d1cd5ad4c8fd83bdda8

SHA256
be07161357e495000f598fdfb57eebdcdd01459ff7594b2a71f151c2c8d30dd1

SHA512
4f3527ed43a527fdbd654fb95ed61d28841ff52445a78135588d7fb2406f0586594046b24f98d8cfe0d6f9ad2dd6fe0325c9f5b42feb4cdf941dccbb8e5c14ed

Download Submit
C:\Windows\SysWOW64\Lfhdlh32.exe

Filesize
80KB

MD5
b6b56907f0d7c04e581dfe36f5cead63

SHA1
60da97e7db06ba4b0963786bbd06feca1fc0202d

SHA256
9cdd16cd463d8ff110a683a85a5c3ad8de9677e01042427d299b2a1b65a7d193

SHA512
5d000162863f291a9cf41d5e1523686be2625f02a0fac7199ce84b6252c98ec3a0d2d7b8f14311792b24e730b396cd684e9582dbc468f65ee7d3e6831fedf39f

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
80KB

MD5
ada0bce644b206e381c6e3ca59427b22

SHA1
6b91d45276c17066e7e2cbe7436d31e8b31f978f

SHA256
03878221519c4edafb29c292c90ecf6686037b7319564a03963427d58ef42f36

SHA512
6453158717e657b802fa3a1e9515a8d0e875a943427e94513453b1b559c7b0c9ddb11db0337ce49700aa4c25de325379d969ba020179dde556bd53ebed60f90c

Download Submit
C:\Windows\SysWOW64\Llgjjnlj.exe

Filesize
80KB

MD5
941a75f241695334b205e7e8ecaf05df

SHA1
cbaf8828a6c657aa5608a004b17b255a13a0b2ab

SHA256
45cc48c4773478853e027058b2b3f60bf3351f391b497e67acd5e0cf2cd988d2

SHA512
9ab72e1f02745eccd1fcb478bd200cc0eda8346931fbb038bc0713b2fd482785de6f23167bd20a53c29c0ab4c3486dbe367425a615f36181079fa8099b1a7d35

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
80KB

MD5
eccda072850396cca485a5aee28cc5c2

SHA1
086ee0e9a83352e8dac1458a63abdfe723f65ff4

SHA256
65b268fa9d8b59e0be42d3a1df2965cc4592445fe117db472f7fcae3d6c881ef

SHA512
8828a33d0b5dec78f44c1637725d1b08432ec569dbc99411cb5b5a9bcfb86ae368e4b2ea758c2717eb702308800439a183cef57c68b6557f732d33970ce1ab06

Download Submit
C:\Windows\SysWOW64\Lmbmibhb.exe

Filesize
80KB

MD5
12ef8eb37e1dace4e5f5c2c23344704f

SHA1
7eaa169eb0dd1745a7182b96840d3cf227196973

SHA256
440b5edb6a32640ca05629163b64010c1056758657b395ae77088581449adc15

SHA512
a0b716d1cce20e9363e64d750c152b68889248f444aaa186e4bb41037d9cc22ca2b4f26b166432b92bff6acd2fa7c8c469fd4b83ed2ba444c86c2c49928fee91

Download Submit
C:\Windows\SysWOW64\Lmgfda32.exe

Filesize
80KB

MD5
3f46a015cf468bca76a7b2226055a897

SHA1
c3963d47d73fc3ae401f61d2a56d5f7ebe985e85

SHA256
5f770c3cab1ef8e396cd1f370ec41ff3bfdcb03d77f82e234a8852be199e2caa

SHA512
160d5b2a6c9eba55b3271527166aa6ae7d431661d252e4a74d503a340703ee7f2e088e39b844adf1f985b7b24e4f625d739461ca878a2056d82a7a155870c02d

Download Submit
C:\Windows\SysWOW64\Lmiciaaj.exe

Filesize
80KB

MD5
816aabaa7050b6cc596a93c3a0a3636a

SHA1
d75adfb7d7c193c767300d4c3f1e396a37711ca6

SHA256
d4ea6adc001aede44ccdbad495af4539344dc3417b81a5cc8c806f9004f31854

SHA512
0b89e66c272bdfdf01d4c2156f6a59d7a6d8c3a70395adceaee2bbe9f836903d524f7a859152eb4c6028e94c0bbc8a548fb9f95606d133628ac9265aa6e35991

Download Submit
C:\Windows\SysWOW64\Lpnlpnih.exe

Filesize
80KB

MD5
b4cbb7478a3483fe87258c23d21c2fdb

SHA1
98cb36e0ecf35969973fab04d2e17c1604c118c0

SHA256
6400bf79dbc8cefcdaa445534c161655427498a0c002663b804002a85a41bd2f

SHA512
80b183378ff72cd33a927220641433a115c287712d20ca1302f86e759325c8cd5a09a7f0546c658221dd017565ef5baef4213c0418b362711bd631f42ac1d64c

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
80KB

MD5
c3aa662d0edd6e9cb0b6df5eb6754c79

SHA1
afe9ebf38e28b4ef0e9d35d19e705a095042a0fd

SHA256
6209e0afece1ef82b20a02ad06fc253095316affef3748f867901b1d64dacf1c

SHA512
1981eb1d9c209a7fc7989a8b89a0c1a1893384e3957d0b60d3dfee977c853ceb3e42e811ef1e38ba63d4a15946b3ddeb964eb9c3da9be3f47c17dcff02c2d18c

Download Submit
C:\Windows\SysWOW64\Mdehlk32.exe

Filesize
80KB

MD5
419f0a3169998481b7beb1ddca268822

SHA1
2546c49782746d145e2789e9054d835af21d810b

SHA256
40df6546bc4d36ed6d04b114f0df42b527c6a795ab7a13c6d18b6a1ab5f94292

SHA512
0105d751ddc8768a186be159b37dacc8a32f7f2a42943be86cff1aff3620bf1de3706191f9ed36a148823a8e3cebc57cb3cb25ce7853f7dad88fc71d647ba370

Download Submit
C:\Windows\SysWOW64\Mgagbf32.exe

Filesize
80KB

MD5
e3fa75d242d2e1b7e540f331d0fd294a

SHA1
23308208ef99e4daac5a2e5f78183fc564bca42d

SHA256
f67590cc3517a8cee46195a9597cc89c03cae3aab02ff5621b58514a287651c2

SHA512
3dd88a64a7cb99dc9692ffe4fad0e5656ee9c50b57aaee1610c67b645add68a3a2f45763668d9024a5ab9969f7d6970f06b6bf6b5230c7144fa126ed483e5c95

Download Submit
C:\Windows\SysWOW64\Mipcob32.exe

Filesize
80KB

MD5
4e234f0d7ee775c367b5cf2f7511eb26

SHA1
149c4290eed50aff882df6a7b6add6e50100dd97

SHA256
fdc2e058c1e96680a95b738fdcbf8814efdea2ad2d6a2889c18da2eb9c85c848

SHA512
c9fc2eae11f13b265424a202d8a9fff5962017ec5f4f2ac5baf40e6b709a5999d07aefbf65df3b5d9f35ad8040dc1ea88980872bcb8d43b9f94331f8f41ddb72

Download Submit
C:\Windows\SysWOW64\Mlcifmbl.exe

Filesize
80KB

MD5
9568c7f03a36fb634407192217eac64e

SHA1
5398934e8c87657b8dcc93ef46eba1ade559ef91

SHA256
036cea2819fdef21a6b669752943d06936e9b637bf8996612a74c40a04ab73df

SHA512
49b9c76457985407d37382fd72a38a9f50a802b30dcd21fc2b1373a1d6f4ae84395b40d0110d58e688ecaec2fa52402bfbaf55cc279e974c176f547284d62404

Download Submit
C:\Windows\SysWOW64\Mlopkm32.exe

Filesize
80KB

MD5
32a3bc91e71afb3c4e8e1aef40235cfa

SHA1
87610afaf7127061c9f859862547a6a0fc7d71bd

SHA256
77fd0df321303ec63933d335cb6dc62af3c42ff557c438c69d70f230d633700b

SHA512
b9bb50f22a89b854fffe27081b8f22729ab797a3f5899b5ec989ac4a692c94925901a8844b495dd9b30c38b5affbddd4b946b7db6a0443661955fbd5822262bc

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
80KB

MD5
e2b2844ecc95bed49b4b25734f25e9e8

SHA1
d8aa76ef0dcbc25af421d7b53d956a1dedad03cb

SHA256
1af03ab9853b8c5646d6b3a0751905a879ff0bf1ce1d4519c1b577e4b50a2e48

SHA512
340804db4e9c6b24dde8572b871507746830c8719097c242277b6ba392fbbf7a9c46dff38960b3e4fbc8772afc0e90b6d98b97b872c714a59d111003638edc65

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
80KB

MD5
f4fd7d830e384afa8d3d39d66b132a14

SHA1
fc5997ddb48184d969b77582fb2f87f6802c9284

SHA256
17fb55ac38d5ba858bce79bfac8c45131de4990f27b5e7ff8cc8d1978ff25ffd

SHA512
93d10ab4fca2446e45e8e668e7f6765f46a4a2fdaa8ba4a99d6cf095db530a7716d43ddcd2ddf9eded934c7cc552ddca10adb332ef8a4e2d5fdf44ed63489b34

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
80KB

MD5
843acf513a25db50a7725722fe2b8f71

SHA1
279a56ebebb5a1a199ee66f508de3d5d809689e5

SHA256
92cc1838e6eb6c651b9547562d42acd97685057b72551d8f1543d31bbdb6890e

SHA512
d781fb3a0dd495a45817ae9367d8cb59c8aa1c82ee492d8a9559b3b0c189c01f581f0ef626c51fdc07197612814f7100724ac995127b3de6e6513ece8e721cbf

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
80KB

MD5
1aa13d362abed10c1be237e4e240bca4

SHA1
9a31c47cdf8aa45c7f98b025597cd8820d74c3de

SHA256
4112801dfc0ca185c1331a348118d2e4d5f22bfabe011f33a6401db83f2a8e5a

SHA512
d33607f326e766f0daaaa133f90e674f9b730b83da12f4b29a686278f2145a2ec4682bfa6775869db0c99a487f5df8bd26d851fed27d98d1af312c94f367aa1b

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
80KB

MD5
a02c45fc2655425541a65fda7735a44a

SHA1
679aaacd415595309c21006aa1b53ea7d2c10224

SHA256
834fcf25ef7811857d28517a586c44d9725661a290b3d59f7efc1526a2ded0c7

SHA512
2443c0dce9c5800f99442e2acc5a22ca86a2924798859639d8deb4ac5ae7ec0d10e54a7b07f2f59e20df5de2103aa72cfe05afa61696ea71c15fec93cb04a055

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
80KB

MD5
b9cbdd9e70e0ce3e6ddef863bd126198

SHA1
f66c2c280dbd8436e41cd0489f42419cd50c7273

SHA256
a938fe799e934d3585b2797f19950c8c182ac22df54796871370dd7c5147889a

SHA512
34d87695930ff156d7bd4f053085562a0ecc943187eb11d1ce569d2812bc9fb4c3c39ae164c6ff06293d41dbcbe338b2cc57e6fea668b674a42746bd9ba5a93d

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
80KB

MD5
e20278143480ffe65d2ed5d410ef9531

SHA1
377269a626d83a41889d567a2e73314de45854db

SHA256
88cb286a5b1b4858502cfa700f37cc20e1d76beccaccbec8e3b9fe65303df665

SHA512
2bb1e5e5da6cd22ca2b24dd0829ec6cb6bcfb57f67a30fddf618c38830c157da244a10e9c64537697b35667750cba2b05139a20da037bb2791c4417e902d4751

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
80KB

MD5
63d9b0e00f7876b4c436993feaa8044e

SHA1
123b1d0e099e089b4b7a555bd9f9c86c278cd7b6

SHA256
4b5cc0febeb890d0e664b8044351c971c37a87b678b64568362108e23741f3fb

SHA512
d58013c59e7058ffa0621b69381713cc49075dc3f74afa24999ff56662a3ed48ea5cc968fb0ebd8783bfef73d464561a84f99dab8259e2a6b6482e57ab398b1f

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
80KB

MD5
5bdb0a3ecc4849dbbb71a76a67043c8d

SHA1
834982e1ef65f0477393b9ff97f27782b1badb39

SHA256
4a0973d6280fd4f79966a0b2d3e92b7551ffec6320eb57d938b660d437572c75

SHA512
6cd7cd34078e70b988edbd37749ed796e2fd47708732893d7ea4bc0fb4616762d9adb4f178286ea8ca36ea0fc24e6795eef713a72b34ba741e67c5208ab2cd49

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
80KB

MD5
655ec279301b2473237eaa1995e47fc9

SHA1
d4f9b12d7302566d5e65c1d0d406208646586aaf

SHA256
f1c475d9cc4e1976dbf0208b16b517e27a443a43edd136a3310b451209d38f35

SHA512
35b3d7f176e954998c6fb5cdb4a0b103cab3525f058f31be5284be6c9d709c0b1149120e648190ab20ec8154c82d55e812eab463cdf662382df5355711ea278c

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
80KB

MD5
4fb1f3d9108a588735592266330a48a4

SHA1
a744da65067d818af6090f021d1658de8c1cd06b

SHA256
7821d81a30d3df016873664ac1d94251c7cfe52285dcee097cc591c5bf9a6970

SHA512
10e13073d469c32d475d1a41711cb97e876957dfe2dc212c1ae3a8954dded6b2c97cbdf5a129398543d3c70a05e56131eb3f67878a8c107b89e7815ec64a35a0

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
80KB

MD5
e41a585bfb486fdb329c2dbc59e6f6ae

SHA1
279e0f7515dc735581d9b54e60cfdc3feba31b1d

SHA256
4f784f773108a32e4907cec0f28d77e561a92720dd00c223b8195d24874258b0

SHA512
0ae0475c15fee61b036b48370919b5b8db4cba96584a89ad0bba85280907708b8df07fc52dd23b8306a84f4424c926d6b8ec81474906647cf1e243f8677acf34

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
80KB

MD5
d271cf9eab97d1a167204975bea7d4ef

SHA1
f3e9c4ae23fbb3905f628783710f7c0bbe593fac

SHA256
cfccb2802b5112fa3bc38a8e004ddecf05f8b0ca759faccb73d4d7c991803200

SHA512
4408f8f0db1a20818f8a7e9b4768aa374b2dd870fe965076eae72f288e36449716697766b6b15eb2a05c8b840ec8c573fc71c2d07c0841af9ddb26f45ba04b64

Download Submit
memory/208-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/216-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/220-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/220-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/224-494-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/348-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/412-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/556-500-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/732-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/796-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/840-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/848-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/872-477-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1160-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1236-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1244-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1280-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1284-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1284-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1316-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1468-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1612-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1620-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1748-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1824-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1888-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1948-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1972-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1984-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1988-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1996-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2000-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2008-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2040-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2052-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2120-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2176-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2316-519-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2340-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2340-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2420-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2432-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2456-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2640-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2672-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2672-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2808-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2844-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2904-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2908-237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2924-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2928-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2928-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2956-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3236-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3320-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3428-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3452-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3456-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3496-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3564-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3624-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3640-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3668-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3764-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3880-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3892-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3928-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3988-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4076-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4076-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4076-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4276-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4320-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4328-511-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4384-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4500-222-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4516-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4528-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4560-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4600-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4600-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4656-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4664-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4676-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4780-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4792-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4836-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4892-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4892-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4956-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5020-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5048-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5052-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5068-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5976-1244-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download