berbew | 88fc3428f4bdbdcf521287b83709ee7df66ebf49ef3c8abada1cd4de94ac5dfd

Analysis

max time kernel
96s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 16:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88fc3428f4bdbdcf521287b83709ee7df66ebf49ef3c8abada1cd4de94ac5dfdN.exe
Size

74KB
MD5

ca305bd8b7558df25511db4def9ad550
SHA1

fb62529e3b03f86a08da56f659b5d93a462edb74
SHA256

88fc3428f4bdbdcf521287b83709ee7df66ebf49ef3c8abada1cd4de94ac5dfd
SHA512

595af6c7eac08412c13c0fa3524a25e3d4327928e8e34870d529e7cdc0de28daf6f32f0ba2e054ac380ed4355331e337196b834089e9c5b0784fae0cb7f78e9a
SSDEEP

768:ruQPgpJBxrhBK9dpTIdnkrDFJc8g2YtoGlBKGrv+pTPS4knEL7R4FlHEcS/xJ1QC:iQOnKWpkrDVMYGrES4kutXx3Q6bd

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Amddjegd.exeAeklkchg.exeDejacond.exeDhmgki32.exeBfabnjjp.exeDhkjej32.exePqdqof32.exeAfoeiklb.exeBnhjohkb.exeBnpppgdj.exeBchomn32.exeDmgbnq32.exeQceiaa32.exeAnmjcieo.exeCnkplejl.exeBelebq32.exeBebblb32.exeBjagjhnc.exeOgpmjb32.exePncgmkmj.exeCeqnmpfo.exeCfbkeh32.exePgioqq32.exeAnadoi32.exeBeglgani.exeCabfga32.exeDeokon32.exePfhfan32.exePmannhhj.exeCnffqf32.exeBanllbdn.exeBapiabak.exeCdfkolkf.exe88fc3428f4bdbdcf521287b83709ee7df66ebf49ef3c8abada1cd4de94ac5dfdN.exeOnhhamgg.exeAmgapeea.exeAadifclh.exeBfkedibe.exeAnfmjhmd.exeCdcoim32.exeDjgjlelk.exePnfdcjkg.exeCfmajipb.exeOjoign32.exeQnjnnj32.exeDmjocp32.exePcppfaka.exeAnogiicl.exeBgehcmmm.exeBjddphlq.exeAgoabn32.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	88fc3428f4bdbdcf521287b83709ee7df66ebf49ef3c8abada1cd4de94ac5dfdN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhkjej32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

Processes:

Onhhamgg.exeOqfdnhfk.exeOgpmjb32.exeOjoign32.exeOqhacgdh.exeOcgmpccl.exePnlaml32.exePdfjifjo.exePfhfan32.exePmannhhj.exePclgkb32.exePnakhkol.exePqpgdfnp.exePgioqq32.exePncgmkmj.exePcppfaka.exePgllfp32.exePnfdcjkg.exePqdqof32.exePgnilpah.exePjmehkqk.exeQqfmde32.exeQceiaa32.exeQfcfml32.exeQnjnnj32.exeQqijje32.exeAnmjcieo.exeAgeolo32.exeAnogiicl.exeAqncedbp.exeAclpap32.exeAfjlnk32.exeAnadoi32.exeAmddjegd.exeAeklkchg.exeAgjhgngj.exeAfmhck32.exeAndqdh32.exeAmgapeea.exeAabmqd32.exeAglemn32.exeAfoeiklb.exeAnfmjhmd.exeAadifclh.exeAepefb32.exeAgoabn32.exeBfabnjjp.exeBnhjohkb.exeBmkjkd32.exeBebblb32.exeBcebhoii.exeBfdodjhm.exeBnkgeg32.exeBaicac32.exeBeeoaapl.exeBchomn32.exeBffkij32.exeBjagjhnc.exeBmpcfdmg.exeBalpgb32.exeBeglgani.exeBgehcmmm.exeBjddphlq.exeBnpppgdj.exe

pid	Process
3992	Onhhamgg.exe
1376	Oqfdnhfk.exe
1716	Ogpmjb32.exe
3652	Ojoign32.exe
2160	Oqhacgdh.exe
428	Ocgmpccl.exe
4472	Pnlaml32.exe
4916	Pdfjifjo.exe
4012	Pfhfan32.exe
2068	Pmannhhj.exe
1408	Pclgkb32.exe
1468	Pnakhkol.exe
2516	Pqpgdfnp.exe
4820	Pgioqq32.exe
2204	Pncgmkmj.exe
2644	Pcppfaka.exe
952	Pgllfp32.exe
1916	Pnfdcjkg.exe
4304	Pqdqof32.exe
3572	Pgnilpah.exe
924	Pjmehkqk.exe
4724	Qqfmde32.exe
2264	Qceiaa32.exe
3448	Qfcfml32.exe
3360	Qnjnnj32.exe
4996	Qqijje32.exe
4660	Anmjcieo.exe
364	Ageolo32.exe
1220	Anogiicl.exe
3660	Aqncedbp.exe
3560	Aclpap32.exe
1692	Afjlnk32.exe
1264	Anadoi32.exe
2632	Amddjegd.exe
4520	Aeklkchg.exe
2796	Agjhgngj.exe
2216	Afmhck32.exe
344	Andqdh32.exe
1356	Amgapeea.exe
2776	Aabmqd32.exe
2200	Aglemn32.exe
4208	Afoeiklb.exe
2840	Anfmjhmd.exe
4668	Aadifclh.exe
3040	Aepefb32.exe
3452	Agoabn32.exe
3568	Bfabnjjp.exe
3980	Bnhjohkb.exe
4256	Bmkjkd32.exe
2212	Bebblb32.exe
3632	Bcebhoii.exe
508	Bfdodjhm.exe
4808	Bnkgeg32.exe
3984	Baicac32.exe
984	Beeoaapl.exe
1240	Bchomn32.exe
4332	Bffkij32.exe
3364	Bjagjhnc.exe
5016	Bmpcfdmg.exe
1776	Balpgb32.exe
3536	Beglgani.exe
3416	Bgehcmmm.exe
4336	Bjddphlq.exe
2172	Bnpppgdj.exe

Drops file in System32 directory 64 IoCs

Processes:

Cmiflbel.exeCnkplejl.exeAndqdh32.exeBelebq32.exeCabfga32.exeCenahpha.exeBfkedibe.exeDfnjafap.exeOcgmpccl.exePqpgdfnp.exeAnadoi32.exeBchomn32.exePmannhhj.exeQfcfml32.exeAfoeiklb.exeAadifclh.exeAgoabn32.exeDmefhako.exeDhkjej32.exeDmjocp32.exeDknpmdfc.exeAclpap32.exeBmpcfdmg.exeCmlcbbcj.exeDmgbnq32.exeDjgjlelk.exeOqfdnhfk.exeAgeolo32.exeBfdodjhm.exeChcddk32.exeDhmgki32.exeDeagdn32.exeBaicac32.exeBnpppgdj.exeDhfajjoj.exeQqfmde32.exeBjagjhnc.exeBeihma32.exeCfmajipb.exeCfbkeh32.exeDkifae32.exePnlaml32.exeBebblb32.exeBeglgani.exePgllfp32.exeAqncedbp.exeAfmhck32.exeDfpgffpm.exePnakhkol.exeBfabnjjp.exeBnhjohkb.exeBjddphlq.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Amgapeea.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Belebq32.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cabfga32.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Kjpgii32.dll	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Ehaaclak.dll	Pqpgdfnp.exe
File created	C:\Windows\SysWOW64\Amddjegd.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Bchomn32.exe
File created	C:\Windows\SysWOW64\Qhbepcmd.dll	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Qnjnnj32.exe	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Anfmjhmd.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Kmfiloih.dll	Aadifclh.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Afjlnk32.exe	Aclpap32.exe
File opened for modification	C:\Windows\SysWOW64\Balpgb32.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Qfbgbeai.dll	Oqfdnhfk.exe
File opened for modification	C:\Windows\SysWOW64\Anogiicl.exe	Ageolo32.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Amddjegd.exe	Anadoi32.exe
File opened for modification	C:\Windows\SysWOW64\Beeoaapl.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Qceiaa32.exe	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Papbpdoi.dll	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Pdfjifjo.exe	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Afoeiklb.exe
File opened for modification	C:\Windows\SysWOW64\Bcebhoii.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Eeiakn32.dll	Bebblb32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Ghekgcil.dll	Ageolo32.exe
File created	C:\Windows\SysWOW64\Eiojlkkj.dll	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Echegpbb.dll	Afmhck32.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Chcddk32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Akmfnc32.dll	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Beeoaapl.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Ogpmjb32.exe	Oqfdnhfk.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Dhkjej32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
2940	992	WerFault.exe	188

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Bnhjohkb.exeBmpcfdmg.exePmannhhj.exeQfcfml32.exeAnadoi32.exeBfabnjjp.exeQceiaa32.exeBnpppgdj.exeChmndlge.exeDhkjej32.exeBchomn32.exeCnkplejl.exeOjoign32.exePclgkb32.exeAmgapeea.exeAglemn32.exeBelebq32.exeBeeoaapl.exeBeglgani.exeCalhnpgn.exePnakhkol.exeAnogiicl.exeDodbbdbb.exeQnjnnj32.exeBcebhoii.exeBaicac32.exeCenahpha.exeOqhacgdh.exeCabfga32.exeCdcoim32.exeAgjhgngj.exeBalpgb32.exeAqncedbp.exeAnfmjhmd.exeAgoabn32.exeOgpmjb32.exePjmehkqk.exeOqfdnhfk.exePnfdcjkg.exeAndqdh32.exeChcddk32.exeDhmgki32.exeOnhhamgg.exePncgmkmj.exeBanllbdn.exeChagok32.exeDmgbnq32.exePnlaml32.exeBjagjhnc.exeCdfkolkf.exeDejacond.exeDfnjafap.exeDaekdooc.exeDeagdn32.exeCfbkeh32.exe88fc3428f4bdbdcf521287b83709ee7df66ebf49ef3c8abada1cd4de94ac5dfdN.exeAclpap32.exeAadifclh.exeBgehcmmm.exeDmllipeg.exeQqfmde32.exeAgeolo32.exeCeqnmpfo.exeDjgjlelk.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	88fc3428f4bdbdcf521287b83709ee7df66ebf49ef3c8abada1cd4de94ac5dfdN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe

Modifies registry class 64 IoCs

Processes:

Bchomn32.exeCfmajipb.exeCnffqf32.exe88fc3428f4bdbdcf521287b83709ee7df66ebf49ef3c8abada1cd4de94ac5dfdN.exePgnilpah.exeQnjnnj32.exeBebblb32.exeBeeoaapl.exeBalpgb32.exeBfkedibe.exeCalhnpgn.exePnakhkol.exePgllfp32.exePnfdcjkg.exeQqfmde32.exeAnadoi32.exeAfmhck32.exeBaicac32.exeBhhdil32.exeChagok32.exeAmddjegd.exeAepefb32.exeBanllbdn.exePfhfan32.exePncgmkmj.exeAgjhgngj.exeAndqdh32.exeAnfmjhmd.exeBjagjhnc.exeBeihma32.exeChmndlge.exeCmiflbel.exeDhfajjoj.exeBnpppgdj.exeBnhjohkb.exeCmlcbbcj.exeDmjocp32.exePdfjifjo.exeAgeolo32.exeBfdodjhm.exeBnkgeg32.exeBffkij32.exeBgehcmmm.exeCdcoim32.exeOqfdnhfk.exeAnmjcieo.exeAqncedbp.exeDmgbnq32.exeDeokon32.exePgioqq32.exeAadifclh.exeBjddphlq.exeDfpgffpm.exeQceiaa32.exeQqijje32.exeBnbmefbg.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	88fc3428f4bdbdcf521287b83709ee7df66ebf49ef3c8abada1cd4de94ac5dfdN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeiakn32.dll"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbejge32.dll"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jocbigff.dll"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnlden32.dll"	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpfgbfp.dll"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afmhck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Baicac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Amddjegd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	88fc3428f4bdbdcf521287b83709ee7df66ebf49ef3c8abada1cd4de94ac5dfdN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifoihl32.dll"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpoddikd.dll"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdlbjng.dll"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooojbbid.dll"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfbgbeai.dll"	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekgcil.dll"	Ageolo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qqijje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bnbmefbg.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

88fc3428f4bdbdcf521287b83709ee7df66ebf49ef3c8abada1cd4de94ac5dfdN.exeOnhhamgg.exeOqfdnhfk.exeOgpmjb32.exeOjoign32.exeOqhacgdh.exeOcgmpccl.exePnlaml32.exePdfjifjo.exePfhfan32.exePmannhhj.exePclgkb32.exePnakhkol.exePqpgdfnp.exePgioqq32.exePncgmkmj.exePcppfaka.exePgllfp32.exePnfdcjkg.exePqdqof32.exePgnilpah.exePjmehkqk.exe

description	pid	Process	procid_target
PID 3488 wrote to memory of 3992	3488	88fc3428f4bdbdcf521287b83709ee7df66ebf49ef3c8abada1cd4de94ac5dfdN.exe	82
PID 3488 wrote to memory of 3992	3488	88fc3428f4bdbdcf521287b83709ee7df66ebf49ef3c8abada1cd4de94ac5dfdN.exe	82
PID 3488 wrote to memory of 3992	3488	88fc3428f4bdbdcf521287b83709ee7df66ebf49ef3c8abada1cd4de94ac5dfdN.exe	82
PID 3992 wrote to memory of 1376	3992	Onhhamgg.exe	83
PID 3992 wrote to memory of 1376	3992	Onhhamgg.exe	83
PID 3992 wrote to memory of 1376	3992	Onhhamgg.exe	83
PID 1376 wrote to memory of 1716	1376	Oqfdnhfk.exe	84
PID 1376 wrote to memory of 1716	1376	Oqfdnhfk.exe	84
PID 1376 wrote to memory of 1716	1376	Oqfdnhfk.exe	84
PID 1716 wrote to memory of 3652	1716	Ogpmjb32.exe	85
PID 1716 wrote to memory of 3652	1716	Ogpmjb32.exe	85
PID 1716 wrote to memory of 3652	1716	Ogpmjb32.exe	85
PID 3652 wrote to memory of 2160	3652	Ojoign32.exe	86
PID 3652 wrote to memory of 2160	3652	Ojoign32.exe	86
PID 3652 wrote to memory of 2160	3652	Ojoign32.exe	86
PID 2160 wrote to memory of 428	2160	Oqhacgdh.exe	87
PID 2160 wrote to memory of 428	2160	Oqhacgdh.exe	87
PID 2160 wrote to memory of 428	2160	Oqhacgdh.exe	87
PID 428 wrote to memory of 4472	428	Ocgmpccl.exe	88
PID 428 wrote to memory of 4472	428	Ocgmpccl.exe	88
PID 428 wrote to memory of 4472	428	Ocgmpccl.exe	88
PID 4472 wrote to memory of 4916	4472	Pnlaml32.exe	89
PID 4472 wrote to memory of 4916	4472	Pnlaml32.exe	89
PID 4472 wrote to memory of 4916	4472	Pnlaml32.exe	89
PID 4916 wrote to memory of 4012	4916	Pdfjifjo.exe	90
PID 4916 wrote to memory of 4012	4916	Pdfjifjo.exe	90
PID 4916 wrote to memory of 4012	4916	Pdfjifjo.exe	90
PID 4012 wrote to memory of 2068	4012	Pfhfan32.exe	91
PID 4012 wrote to memory of 2068	4012	Pfhfan32.exe	91
PID 4012 wrote to memory of 2068	4012	Pfhfan32.exe	91
PID 2068 wrote to memory of 1408	2068	Pmannhhj.exe	92
PID 2068 wrote to memory of 1408	2068	Pmannhhj.exe	92
PID 2068 wrote to memory of 1408	2068	Pmannhhj.exe	92
PID 1408 wrote to memory of 1468	1408	Pclgkb32.exe	93
PID 1408 wrote to memory of 1468	1408	Pclgkb32.exe	93
PID 1408 wrote to memory of 1468	1408	Pclgkb32.exe	93
PID 1468 wrote to memory of 2516	1468	Pnakhkol.exe	94
PID 1468 wrote to memory of 2516	1468	Pnakhkol.exe	94
PID 1468 wrote to memory of 2516	1468	Pnakhkol.exe	94
PID 2516 wrote to memory of 4820	2516	Pqpgdfnp.exe	95
PID 2516 wrote to memory of 4820	2516	Pqpgdfnp.exe	95
PID 2516 wrote to memory of 4820	2516	Pqpgdfnp.exe	95
PID 4820 wrote to memory of 2204	4820	Pgioqq32.exe	96
PID 4820 wrote to memory of 2204	4820	Pgioqq32.exe	96
PID 4820 wrote to memory of 2204	4820	Pgioqq32.exe	96
PID 2204 wrote to memory of 2644	2204	Pncgmkmj.exe	97
PID 2204 wrote to memory of 2644	2204	Pncgmkmj.exe	97
PID 2204 wrote to memory of 2644	2204	Pncgmkmj.exe	97
PID 2644 wrote to memory of 952	2644	Pcppfaka.exe	98
PID 2644 wrote to memory of 952	2644	Pcppfaka.exe	98
PID 2644 wrote to memory of 952	2644	Pcppfaka.exe	98
PID 952 wrote to memory of 1916	952	Pgllfp32.exe	99
PID 952 wrote to memory of 1916	952	Pgllfp32.exe	99
PID 952 wrote to memory of 1916	952	Pgllfp32.exe	99
PID 1916 wrote to memory of 4304	1916	Pnfdcjkg.exe	100
PID 1916 wrote to memory of 4304	1916	Pnfdcjkg.exe	100
PID 1916 wrote to memory of 4304	1916	Pnfdcjkg.exe	100
PID 4304 wrote to memory of 3572	4304	Pqdqof32.exe	101
PID 4304 wrote to memory of 3572	4304	Pqdqof32.exe	101
PID 4304 wrote to memory of 3572	4304	Pqdqof32.exe	101
PID 3572 wrote to memory of 924	3572	Pgnilpah.exe	102
PID 3572 wrote to memory of 924	3572	Pgnilpah.exe	102
PID 3572 wrote to memory of 924	3572	Pgnilpah.exe	102
PID 924 wrote to memory of 4724	924	Pjmehkqk.exe	103

C:\Users\Admin\AppData\Local\Temp\88fc3428f4bdbdcf521287b83709ee7df66ebf49ef3c8abada1cd4de94ac5dfdN.exe
"C:\Users\Admin\AppData\Local\Temp\88fc3428f4bdbdcf521287b83709ee7df66ebf49ef3c8abada1cd4de94ac5dfdN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3488
- C:\Windows\SysWOW64\Onhhamgg.exe
  C:\Windows\system32\Onhhamgg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3992
- - C:\Windows\SysWOW64\Oqfdnhfk.exe
    C:\Windows\system32\Oqfdnhfk.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1376
  - - C:\Windows\SysWOW64\Ogpmjb32.exe
      C:\Windows\system32\Ogpmjb32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1716
    - - C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3652
      - C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:428
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4012
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:952
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4304
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3572
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:924
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4724
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3448
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3360
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4660
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:364
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1220
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3660
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3560
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        33⤵
        Executes dropped EXE
        
        PID:1692
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1264
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2632
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4520
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2796
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:344
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1356
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        41⤵
        Executes dropped EXE
        
        PID:2776
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2200
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4208
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2840
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4668
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3040
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3452
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3568
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3980
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        50⤵
        Executes dropped EXE
        
        PID:4256
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2212
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3632
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:508
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4808
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3984
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:984
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1240
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4332
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3364
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5016
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3536
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3416
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2172
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1304
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1012
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        68⤵
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2952
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        70⤵
        Modifies registry class
        
        PID:3196
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3612
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2028
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4284
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        74⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:404
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5080
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        77⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        78⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1428
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4200
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3648
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4812
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3792
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3356
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        86⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3828
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        89⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1192
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:444
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2744
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        93⤵
        Drops file in System32 directory
        
        PID:2896
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3956
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:548
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        96⤵
        Drops file in System32 directory
        
        PID:4968
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:4000
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4088
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1992
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        102⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1256
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:4840
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        105⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1512
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        106⤵
        
        PID:308
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        107⤵
        Drops file in System32 directory
        
        PID:5040
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:992
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 420
        109⤵
        Program crash
        
        PID:2940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 992 -ip 992
1⤵
PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aclpap32.exe

Filesize
74KB

MD5
3268fade86650af6b373cb6b9189a803

SHA1
363da874e01019c7c594dfa6a6d8994fa13323cc

SHA256
a65f6e0318707797430a5a32bf6407c37b57eb7164ab1e9ec5ed0b41b36ef97f

SHA512
e7aba6661fcced5939f6a66bb06913b55bc9ca0d37161e62a636590b7b3771938d84aad14431bbde0b0f2e1ee0ae7c4e2d90aab28258c36d5f589280f7924f39

Download Submit
C:\Windows\SysWOW64\Acpcoaap.dll

Filesize
7KB

MD5
e7f1372a45c08d7ae6dfb5660aef55d2

SHA1
4a8000c7d4b14eceb1769c710b8538e2bcb08586

SHA256
510196a1272c2cc44461f08fa69a9d4f0c11e7420c8f7332c854d5bf041c1cf5

SHA512
2d7f71903ca3e57722d7f22842072c265f737db9179097cf8bcde2b51a253412b830184edc5a064fd47d55d2338c652ca2a767fd78383482f8b79644b4a4c555

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
74KB

MD5
76dfe3cf55eeb8968f6a78665faf2ba9

SHA1
95d7ca4ab8679af249c48dafa991faec9dd02891

SHA256
130c84766c3895e7cdc2036a656f5138819a91e90077e6c19e19ff082cdef1d0

SHA512
c41d841b4761fa0336ebf4cbea650719cacbd1398d855a8108725abb5636dd9a2ea14420610ade8d40054cc6eea0c74557748a464892bb0c6c8d4e5deb7cdc04

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
74KB

MD5
669e86bdca87f2e889dc754d57c735aa

SHA1
47dd331f0d1e1cc8c7443a558682fd34c2e03f15

SHA256
8bcd3c7ee9d4f0a9e17f8af0f2f60b62c906b6e19ff929a3ac672489adc8af98

SHA512
e48bbe874ebc7d5210af1da0ea6facce96d4261a188e72b9804bca1855860632c5e3040ea5bb3ab72c1c1430678977c67c966c429f61934b98fde203dbeb2c0d

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
74KB

MD5
508c2185b7dede6e157694aa8e9c27ad

SHA1
16c8a66e3a919e4d568af715de2fb93e94acf4dc

SHA256
d7bdf2487b84514d440c7f639ed1c890d4e42d1e3b408638aff5a36c6a1a572a

SHA512
c793340dc4bcda96d62a7115693b13c7a42344dfa9c2303db7cd9efb952ea943e6034c381f0cc36e634218143c5bad7efea3b9e5acce6aac96b0e4ffdd62fe16

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
74KB

MD5
2bb7cdb4849f1ae69936231e1a4a3762

SHA1
aab4ffcf428969164dfc8beb7e6bb53f0f39ea0c

SHA256
25157a7bbe835265ccccdcb24448bcaed134a89fb408a5ffb1b2ac1cd097cb59

SHA512
86393442b5936fa0522c1592a1b3280baf124f43554a194be1a430110b670ba2502da2c5b59bc42a86907e13e356472eba7012fdd389249ea1a7829de2f3a2a5

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
74KB

MD5
e0e115aeeeb183fed21a41fab6d96458

SHA1
6fa74fdd49658893ca7a8820381d2afc42e55aa9

SHA256
f8fabbb89a97949060859f5cd6eef20106915a59a71326f67eb93c737f5bc294

SHA512
f3257511c013fa131ba827f750310d5138b53ee2b435a7a2eacd9932a90db71fceb5d8175c914fab2342c85c9bc494912bd0d699f0268a1029d06d70fb9b124d

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
74KB

MD5
f157dab827fc4fd427dfb948b1eef9a0

SHA1
532cf4fe78cd10dc3b6735a06b7d1871fa55b5aa

SHA256
181eb8b5705fccd11384c2feb20d2dacdd1dceb24b701bbde2fa2539e2518851

SHA512
9f2b5b3ebc9ed6bd7b93a3b371406f16e5bdb86f9c228a07b38b0e910684377ea2e277f874f9e37c03b53444a39a2afe9a2e3198e8e66c44e785b24128dd1dd8

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
74KB

MD5
86a23b241b6705c06a50ef728b2bd2c1

SHA1
e4d4834193464c2ad7c39a813553bc1f8653c441

SHA256
e539d8e18f5bde81baf3e70bfa5780129068ceb7ae4007a69d6b1f5b24043dab

SHA512
40b8fd30a7421f9aa90a7512bf88eea34a2f8bf9dcd14fe414e668e91e05e959a9cdc8c1de982ecdde77a57506cd788ee2d8e5a014c7a3f2a13e350f6e4d2863

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
74KB

MD5
7610ce502d50b6675a6c0bb6aa635bb1

SHA1
5da02bc1ccd99aa739a6cde46a712aa7ba3a948e

SHA256
b3d4cab35b0b8d6ef4419106feb4cccbb01e648263e2826cddfcd8d8cec1555b

SHA512
f7a5afdfcf5e74f3d018eb2b23f4d278ffc13303769005f55dc02b7dcacc314ea8983a87ab67b9b533a7d8546fa5db38a6b3f3f67d427568c0507b436c8661bc

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
74KB

MD5
371e18963d7a5300f06df8f70bc47a97

SHA1
0925dd35ba8bff2aa804380f95f7e552777fc70f

SHA256
3a3f4a458ea327ebf0f8119143757a76c92fb64fa98fd1e96f57fe1c67569e17

SHA512
c0391f9fbf49db4ef589985552ec3bbd413f8d3ee271add0fa3eeeb188a50133fb113533007b70ecd7fbb2e299f07ccf440ddfee3251ef2d332c941128ffd693

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
74KB

MD5
80bc9993011182eddb712b1ebc8ce916

SHA1
1a62356e0aa6a39de9fbb99e892e3f2798e7e8aa

SHA256
6a0f8cab3b5efc3ce53a5d230d364072bd8ebb5d23324168f660ec97b1260a3e

SHA512
096deef74d61dbe8e29ca9b8d263991d73c7c6b916e3e307f3e2de6e059aca1ea69c75febb8d8d7ed2da1d438242f3dec98a2a56cdfa64f1fef8da71ef58b61c

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
74KB

MD5
4a586f88c1075ad685db0d23e0225d1e

SHA1
19b8e235e458112f947b55fd9862c167ca03fd99

SHA256
70f1576ebc4ac4701cd54e4fc9cb5c50a064c3d237954e1ed5e2dc53e252c24d

SHA512
c5cd2db4de98923d0db7ba6d0677f14f83338722c8931989e9a873d70f6d4dbd05232063da0c01a8c1c7642f08275b7ee68979044bec53dd7207dd0e8e2396bf

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
74KB

MD5
ba224ee39850e89cbe7fc9886bf61733

SHA1
ecafb1766780c60920541b5b3fdf06279df334c5

SHA256
6952319f8440fd52a24f3396b3f9c881329f1b59bf0b446e34eeb3e0e76a206e

SHA512
5ae732cef11a84132584d0c725dad74af888b8ad531552b6f1ec822a3a9c2b27dd5bc792bdbe63e9e82533b1e2ae7237211b1f3383ab0b451b3eaef2d6b03608

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
74KB

MD5
fc2173d2a7f6c1b6ba40c4fa831c5071

SHA1
b826b4d30e894e401d167f1a009a5d32af8d94e5

SHA256
d4bc32e15976e3d3796ea6a79da46b240fbeec773dd0ad46061565c3b50ea495

SHA512
078c1cb06e73556be9d271d35804ae6879fdebdc92fe5fd3769976869ada1d334969326472e376dbe945240ddcb0815dbc5620ee4cfee04142249ec083c1a81a

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
74KB

MD5
3a7b3dd0a81be0d6d4d5e0fadf7ad31c

SHA1
aa1494e7b0adadcf5022268976470789fba6b534

SHA256
aeb0a71da3085e8e59e7f4dacb99a4b6d737a3a86a6f73d9f3b4c163cf86570c

SHA512
19d8bb7fe115aa85a1f348688b9790d69153996b824785d202fb430e0bc2ad315f65ebea83f668f4d62cb4a9a894cb1d2fbdcaa853be57f6532acca8af8eabda

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
74KB

MD5
b33081b4f355f6ad6faab51e65b77352

SHA1
556ae969fdf5ad52e0aed905efe6d57e0755d53f

SHA256
a4a7ebe60ad9e4932ebe4ec0bb92cc87ab2378d9be3bf1f432280f43c99aff17

SHA512
72d603ff919426036a80c476f5f72fa115d7c6bb07f3842111be04b28e39f51748e706b5b1bf11d38a1a406148a7cc8f55b876af86fa207d06e6b652a2c5b70d

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
74KB

MD5
38dba517d518cb2a6c8cd4502061aae6

SHA1
7766794f2b60ce902d557e35b2dddc92ec61d20a

SHA256
ec147c03fe52023f40fcc807a0fdc46d2caa432f4420217ccc9a8e51b37a9571

SHA512
0844a14381596c39ea4c3e4be0334994dbdaf67e9093cd3f07954732bb52da79c7fc8f02780c26a620fef4f4606b7a947fe1f0771076fe4d626d216e8f7e2d3e

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
74KB

MD5
2e4fb6217530027bf78d6831cace826d

SHA1
844948e47756aeb1dce8079b47b07907afed3b3c

SHA256
cd5731570cdddf497ecf5f7ac0dfb79284267055314af00a003e9789b7e8b442

SHA512
7dd2c6f17c5ecdeae9b704458c888d629fb14d0b5f2733de56a5482999ede85dfbf368f4b700e2eb13af837bfd2fe5a696c5ce497700718d73bc3133c7ff8551

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
74KB

MD5
5b7006f0815cac94f4cb3fabe3256af8

SHA1
a99c91fae8fe2c01536223f714d406580a212fe7

SHA256
9379b03e31a57cc16ca4eb668b1bbd1471334a831a53ff7c0c87a7d5749db6de

SHA512
51fe921e268af44a6ccfe170d33fac23c3b4c1fd3cd25eb52436670beec08e9a9c46d172b8794f9b113897ecdd0b29899c8c56fcd01170b47063ad634151df32

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
74KB

MD5
8b2f7fd3ff619a17231d29c00c74eabb

SHA1
487b4f6efad91665b1f8ae2670345409174255a1

SHA256
64f636a8520900d7d495862e5a27d92df9d481f856cc80580f17590dc50ddd37

SHA512
24c6b6bfc3b8bc33d05e852ab84d391ba092515376b1c38780bb42bc3fc54d20084f212347cd81adf6c51953fdc89352422cea9fbfb67dc5eeb09b7f45324430

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
74KB

MD5
23cde6a390545d19fd769114746ff48a

SHA1
9858a2ff9bfd34c25f33a691cc46b1b4d766668f

SHA256
d06637f7ad9e43d3b703bcb97d93a5bf4154eba64bf547c1349c93008659d2b3

SHA512
232633a38a68e7a6a513f30efa47655900226c870858b67ea629ed6a5209072884478c053f103775fdef48f2fdc6076d33d7555d91b81146f1f5fef8ee980d55

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
74KB

MD5
adfeb41a60af0873d4641c857120f7ff

SHA1
20bd7553892571839662c959cd45d8c84292d9aa

SHA256
73f84a5b8bac49419b5aac1f72f0c10ad95e872bd9b58efbf1a035d4f4919b2d

SHA512
485e29e2d7b9bd2bffd27f602bdef6247651f8946fd15e4459594cf696c8d7cc97e48ab1771e8309356fe148fcb2cc605b5cf7c3e0aaa70da0b3476ecc8f0f36

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
74KB

MD5
662bd95995261ebbf4e0178f7990d0f4

SHA1
e0cd945807aa6e377e2f85f6b87e71449cb34962

SHA256
87c7aaa6fa93b901a3bbfe8ad51b0da8d479be091151664db952fc8ef6a62ab4

SHA512
cd402dd88547c511720af684e29035d6203e169540ef116bef3a1678380e8049044c39865e22f290537092a5e541b6d8dcf5f87baa60fff81e99963b9a2e4742

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
74KB

MD5
2e4432fe6aa8047d74f270f8db5d046d

SHA1
ed8f75585170034538e7b66b716d3dc526851d93

SHA256
c8740bf71593a15a36edf2a8ac56f8608dd6e6dd061572709b097b05bbf1a5ef

SHA512
4efd48553203ef876c5d3deb79d66911133772a99368c3325d4fe6032c40191c0617108b95f7ce732c435f049e05cf160eddc89b75f17643542181f86a76521a

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
74KB

MD5
02e280c407cb0437e5845813b340f71f

SHA1
842cbc93725cbc42e82e40efc8c07dd79b331b7f

SHA256
fa0bc67e26378a993c3d670ef785daab8c02178190146f816d5e129d773ea78b

SHA512
16035ea565c528e9e6d86acb2cb38dd2de02d3e7db45a54c1262f53c9b2707eaf29178441dcb7fc9dab77da03b0333bd77e4e414bc77c3235a7eabaee550c19f

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
74KB

MD5
eee280972dc2d119fb2e6e1cb15e5c6c

SHA1
0f291b37196916585f83d3b85d84390104caad8e

SHA256
9b6bb29ecde51b4e86af9e0520a16149f6694bcfb2394e695a79a1f11a5a3322

SHA512
c6bccd2938932c01e357f4b38535e45856e62f3dc47176fbd8422d48a1014bf2fdcfb5f6071a0cde2eaa8e10177b4ce5ec7a552470fb772952bbf0c4c2060ac1

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
74KB

MD5
588e9642488ca21599c9e8be77d7b0d7

SHA1
55c9320d0e7262f701022e5611384cb4e552939e

SHA256
97db59d138ae378d08157bcaf0ecabd9cc7b06d16d49bb83e1d110ac1ba9330a

SHA512
533461952fbd01e264f5b35f273182c079d1c5007034e38fbb7dca2877a057ea513e7a2b81a1010ac4f9d9ffbef02d881e8a523816ce1dfba30825f4940b8812

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
74KB

MD5
54d46fc46baf35ce10a5c887a21d60a5

SHA1
e3fcd5848d4c1f16f3894c624d4787a1c2c5aa2d

SHA256
a08ae20d9712ff38b1ac66747f8cb2f2521f5a21600a891254ea90eda5ac0ec3

SHA512
b71b2a4203d7560270c03912d9a72e95a8e3b2dc457a1a1b4d22b4ad11ea98039c191ff0bed4c4e4b39dd5098fed39104fadad38dd6914c08f5b1eaa150cb5a5

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
74KB

MD5
212857b2b45b8b1d5cb9df472b062c09

SHA1
25fc90153a2798316ea7f1f41e31d38f29a9abc8

SHA256
fab1d5d5bc9f23f73f81b31ca0e29ed78fe50a5c017208fc4f65d68dde458737

SHA512
cb2aeadeea2c75cfed2c5301f74d2935ce191d757eadb6a4886665c3d56c5802608b9787e56ad713e889af0875fc775a0cd72bc257b14a82856c8037bbad94a5

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
74KB

MD5
6cb9311a0d584a80892008903af07d72

SHA1
db757a7cdcff80a59fa65b3221e70d8b258a49f1

SHA256
226ce75d6618139990b9ae30fc86aeaeb0fe14a18f6477af11fbfbe623426e16

SHA512
5bd5f6acdd9d00ad783f306d25b5174806577adbd12a30cd5e9d02be5eebf07b3db3ab83c8a69bfe8216c45c9db6616bd34cb56313c2d7531d584a605fd9e809

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
74KB

MD5
21da1f91782f4efd2343105554d998cf

SHA1
c6984b7292ab1c219dc7147f0079423e2ababdba

SHA256
d39a8224e53ff621e58bdc4d6bf08f8712c55cc864da9ed241b90e75797889b1

SHA512
7870c7af8767e7f7353e80c59f2d1e123ebaad391cb80fb8b4108f4ff1e779faa930600b2525900fa829164c259f7011691c79ae37bd7bc3d978f074753c9283

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
74KB

MD5
85a5baf3cf5fcaa7531d754f422b5fc3

SHA1
8303df7b8701c98d760007043a0a34b0f70fd8d6

SHA256
4304b7aa7cd52d44ac4fe65e25c7fd675babc767e5da14b9927071cddaee3517

SHA512
5656c084a67e7a5d850e22c25b1959cfa59ae5e33d71752c3baf469f55cb1f61a725de2b74dcfed58238c2acd386ae3714ae3270713d842c71e67e78c5a937f5

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
74KB

MD5
71b03f41c2b911b2a818c77c6baaca11

SHA1
2a76980a25041a5c6a5bce25e38b8026cc04b409

SHA256
512c7a87b983f59154d64c88ce01e1674db7430a67d6abaf304e574c3840a6a7

SHA512
b764abf3ae989ac7bb2f75dee9c0abc2ddfcc9543527c5892346961077fc7c2f99916e0442ec4568d84159de8906677951fd24a645cac9cf0313c4f2dfb7d323

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
74KB

MD5
5fac46afdb2d0088c2ef0ba2faf2a666

SHA1
ee1b6943f4cbc16b74f913002c5c05f19ca8d74c

SHA256
646c16d97d6803c8b60eb7212c9d072a47ee52fd09a51a298d5ebbfd1e80672d

SHA512
fb4cd595fdd12533de8aa5bef179ce2defb8db09277763e34b0ca6ba6ece33bbc5c21625cb8a09d653a0d4f71141dcce814725bd3d567ee3ea0fa2a29489d8d7

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
74KB

MD5
f862f2576d7fea3fbb56cfbee5359ca6

SHA1
5b2fcfede8ca6e0a1d6027322af0a21c96772cc9

SHA256
831b1d9a7ca9694691d044026409714dc958cbf1582bb577065f6fd47f739a1d

SHA512
ca138eb2c5c9b88687f04f256de603420efd3dd535d64f753b3a46b1638cbd2b08e7520a64b551fd0485126f96b9b85aef0bb561e61b6fbc07751a289a79e00a

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
74KB

MD5
7bb975ed6eddb39539ef68e04326bd03

SHA1
cec816143dc9309b6a257c06c02fe6e6510fbcaf

SHA256
15d1e448dbdcb988eb1a6ca20cc74d6f858cf8157cd8f6f9befb8a28f09246ad

SHA512
3742ef7a0fffdc323ab41823fd8e066e481d1bb3161beb5b6ae247c802e2d3001e4f4ccf4a71a2ba03432460d0dc370bfe6fed612ad9bd899cb22d5b39fc5aa0

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
74KB

MD5
196f2369415399003b4e5d0f5b7614cd

SHA1
e6c6333fb79a3bcdc31cf2f8bd4c97922cb4106e

SHA256
e66be4e77938e068d0a2135dc99955a5546b5ff4614dc66d42a6161894cb1018

SHA512
b7265eebcd8dadf55965be70def652c4a0a38a16eef00be0220469b7a383e103e2bbe1df6b7f6c7ba0156139fd4ca72e0ba92aad26867636f9bdacb019b3f611

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
74KB

MD5
d6877a4ac3b0a8ddfd93e2741ff9c689

SHA1
c6b2450285445a00c0081b17c7957dd3119589af

SHA256
bb9d1a371e63da3c1732a0a6935ba6516797735564881c6f591517eb90ba19b4

SHA512
ed78d6b1fafee2d60d59996f2a84418a366442dee10a30d16241ef1c2d8c4c584f5e05dcd85df7dde44de6012e8e02b156a4919ad0a1f96f1448149b48847f07

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
74KB

MD5
7fa1682af41f78ec4aab8659d34734d2

SHA1
61fad64ace0481560c3a31119412178ef133eb9d

SHA256
d47ea9a06003f4b4bc722e2463b86aa9fe85061f441440d6dc130b2ff664f1f3

SHA512
9881d5beea56c14cb84bfdda7b9492fbf2de43ec197252250cdadc4f4f42c186b5351df2867259cf77eef5e7507b731cc3eb14e3a3db9563349d5f25af03d5dc

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
74KB

MD5
067a367e1648126e29e4331886b478b3

SHA1
aa2bc52ce2de50c4ed2b5326dac53fcd67c99ca7

SHA256
91e33ed95c2504b7f6c60f4ac41d6f8f01d80c98acb2e5e0c684d00124c690a5

SHA512
5ce756f9e21383803a2ebcd11a84abf346f9d112bf67ea363ef3ae74031adf44a485cab861917abc9afbc3c4d26b612c143dcc34d6c969859d2b84f5d2247099

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
74KB

MD5
4ca1b1e5077ca927f0fbb150ea083ebd

SHA1
68f74f13dc7d333a6155fa3bbfe8ba5b4a5a60f4

SHA256
9c5d7489fdb479b648e00fcb63fb4dd9a6f62cab8b7660a0d3a70286326f00a1

SHA512
01ddecc204d9180ca0dd5e71699a98a1a0c0dc96b6c500252e9ed9dc9fb1b70bb2d36134153bde4721ea44706035be6b85ef34d3984159588445cfd8d34da512

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
74KB

MD5
86c92ba9f94023cdaba48243e0d40828

SHA1
38259f552549235ec85500c992924550a8796284

SHA256
dc228068211cd89e928c82c2e19f9c36f8adc1a26a33e79b3a815d8cbc4f8b88

SHA512
903169ede089cf088905bfc88762dfa2e49bc94b5e3bb3bf1f8e6efd082a321e16b6e8b48990e5b09a441d98bb8e91c50d3daade9f9f599b948a6366e12a605b

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
74KB

MD5
191c59159684a4f8b1180790e25a5f5a

SHA1
1120949021d55ed09dded191660919495ca0e2c2

SHA256
8b1fc8b5b2749b09d601f80949b6a7bc8299271cfebf92e0e91a54a036954b5b

SHA512
59341895ca4e23d01475760c5a3fd396b63f09ff1cdf4863f0d3f54c6ada479cd6335aa327cacb6ce1e1972945dd6aa1323e09445903337b297b0d358f1325cf

Download Submit
memory/344-292-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/364-223-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/404-508-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/428-47-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/428-581-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/508-376-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/924-167-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/952-136-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/984-394-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1012-460-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1036-471-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1216-526-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1220-231-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1240-400-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1264-262-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1304-454-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1356-298-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1376-15-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1376-558-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1408-87-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1428-532-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1468-96-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1692-256-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1716-23-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1716-565-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1776-424-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1916-144-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2028-490-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2068-79-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2108-559-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2124-580-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2160-39-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2160-579-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2172-453-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2200-310-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2204-119-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2212-364-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2216-286-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2264-183-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2516-103-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2632-268-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2644-127-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2776-304-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2796-280-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2840-322-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2952-477-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2964-582-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3040-334-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3196-483-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3356-573-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3360-200-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3364-412-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3416-436-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3448-191-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3452-340-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3488-544-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3488-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3536-430-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3560-247-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3568-346-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3572-159-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3612-489-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3632-370-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3648-545-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3652-572-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3652-32-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3660-239-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3792-566-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3828-589-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3980-352-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3984-388-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3992-7-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3992-551-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4012-71-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4200-538-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4208-316-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4256-358-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4284-500-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4304-151-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4332-406-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4336-446-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4472-588-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4472-55-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4512-520-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4520-274-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4568-504-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4660-215-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4668-328-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4724-175-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4808-382-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4812-552-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4820-111-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4916-63-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4996-207-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5016-418-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5080-514-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download