berbew | 20651308c9a58b2f4bb0fec4b42a58b2665c65db9108535c50c0ff1b88c29ec4

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 19:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20651308c9a58b2f4bb0fec4b42a58b2665c65db9108535c50c0ff1b88c29ec4N.exe
Size

96KB
MD5

a716143ac34d6e43a43092e9677a20f0
SHA1

026e69b87f99de0a0baaec3f2a63b40171334441
SHA256

20651308c9a58b2f4bb0fec4b42a58b2665c65db9108535c50c0ff1b88c29ec4
SHA512

0e3dda85f0557791f929b7032560ee2622e107e43ef567baaaf9a99c1d792223554058876c37c21fda9ac3da00220457b8a9bad0290e61a159492e3aea204132
SSDEEP

1536:z5RqvPFssLUTSgdbVk+2Lo7RZObZUUWaegPYAi:dUHisLUTTkDoClUUWae3

Score

10^/10

berbew bruteratel backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Kbceejpf.exeAfhohlbj.exeAnogiicl.exeAcnlgp32.exeBjagjhnc.exeDknpmdfc.exeMcmabg32.exeMiifeq32.exeOlmeci32.exePjcbbmif.exePncgmkmj.exeKbhoqj32.exeMedgncoe.exePcncpbmd.exeDjdmffnn.exeKpbmco32.exeKbaipkbi.exeLebkhc32.exeMchhggno.exeMgkjhe32.exePgioqq32.exeMiemjaci.exeOlhlhjpd.exePgllfp32.exeBanllbdn.exeCfmajipb.exeCffdpghg.exeDfiafg32.exeOlcbmj32.exeOcnjidkf.exeAnmjcieo.exeBcoenmao.exeCjkjpgfi.exeCaebma32.exeCjpckf32.exeNcbknfed.exeCfpnph32.exeDeokon32.exeLmppcbjd.exeOnjegled.exeQgqeappe.exeAgjhgngj.exeAfoeiklb.exeDaqbip32.exeCmqmma32.exeLmiciaaj.exeOponmilc.exeOncofm32.exeAjkaii32.exeBfdodjhm.exeCeehho32.exeNcianepl.exeNfgmjqop.exeOcgmpccl.exePjjhbl32.exePqdqof32.exeBnkgeg32.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbceejpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcmabg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miifeq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olmeci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbhoqj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Medgncoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpbmco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbaipkbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lebkhc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mchhggno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgkjhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbaipkbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Miemjaci.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmppcbjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onjegled.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmiciaaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oncofm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmiciaaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkgeg32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
backdoor bruteratel
Bruteratel family
bruteratel

Detect BruteRatel badger 2 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x000a000000023b70-63.dat	family_bruteratel
behavioral2/files/0x0007000000023d51-1183.dat	family_bruteratel

Executes dropped EXE 64 IoCs

Processes:

Kboljk32.exeKiidgeki.exeKpbmco32.exeKbaipkbi.exeKikame32.exeKpeiioac.exeKbceejpf.exeKimnbd32.exeKmijbcpl.exeKdcbom32.exeKedoge32.exeKlngdpdd.exeKbhoqj32.exeKefkme32.exeLffhfh32.exeLmppcbjd.exeLdjhpl32.exeLfhdlh32.exeLigqhc32.exeLpqiemge.exeLfkaag32.exeLiimncmf.exeLpcfkm32.exeLgmngglp.exeLikjcbkc.exeLpebpm32.exeLebkhc32.exeLmiciaaj.exeMdckfk32.exeMedgncoe.exeMlopkm32.exeMchhggno.exeMibpda32.exeMplhql32.exeMckemg32.exeMiemjaci.exeMlcifmbl.exeMcmabg32.exeMelnob32.exeMigjoaaf.exeMpablkhc.exeMgkjhe32.exeMenjdbgj.exeMiifeq32.exeNdokbi32.exeNcbknfed.exeNljofl32.exeNpfkgjdn.exeNcdgcf32.exeNebdoa32.exeNlmllkja.exeNeeqea32.exeNnlhfn32.exeNpjebj32.exeNcianepl.exeNfgmjqop.exeNlaegk32.exeNckndeni.exeOlcbmj32.exeOponmilc.exeOcnjidkf.exeOncofm32.exeOlfobjbg.exeOgkcpbam.exe

pid	Process
2340	Kboljk32.exe
4600	Kiidgeki.exe
1284	Kpbmco32.exe
4840	Kbaipkbi.exe
5068	Kikame32.exe
2816	Kpeiioac.exe
4620	Kbceejpf.exe
3864	Kimnbd32.exe
4108	Kmijbcpl.exe
4640	Kdcbom32.exe
3968	Kedoge32.exe
644	Klngdpdd.exe
2320	Kbhoqj32.exe
1180	Kefkme32.exe
1972	Lffhfh32.exe
348	Lmppcbjd.exe
2432	Ldjhpl32.exe
3292	Lfhdlh32.exe
3596	Ligqhc32.exe
1288	Lpqiemge.exe
4208	Lfkaag32.exe
228	Liimncmf.exe
2884	Lpcfkm32.exe
4956	Lgmngglp.exe
1432	Likjcbkc.exe
3012	Lpebpm32.exe
2156	Lebkhc32.exe
2172	Lmiciaaj.exe
3516	Mdckfk32.exe
2980	Medgncoe.exe
848	Mlopkm32.exe
1116	Mchhggno.exe
756	Mibpda32.exe
2040	Mplhql32.exe
1672	Mckemg32.exe
1784	Miemjaci.exe
4868	Mlcifmbl.exe
2472	Mcmabg32.exe
1856	Melnob32.exe
3616	Migjoaaf.exe
2060	Mpablkhc.exe
456	Mgkjhe32.exe
4824	Menjdbgj.exe
4912	Miifeq32.exe
4560	Ndokbi32.exe
3692	Ncbknfed.exe
3904	Nljofl32.exe
2476	Npfkgjdn.exe
1592	Ncdgcf32.exe
2016	Nebdoa32.exe
3348	Nlmllkja.exe
2104	Neeqea32.exe
3080	Nnlhfn32.exe
1324	Npjebj32.exe
2232	Ncianepl.exe
3928	Nfgmjqop.exe
4416	Nlaegk32.exe
372	Nckndeni.exe
2976	Olcbmj32.exe
1132	Oponmilc.exe
2640	Ocnjidkf.exe
1760	Oncofm32.exe
1616	Olfobjbg.exe
1888	Ogkcpbam.exe

Drops file in System32 directory 64 IoCs

Processes:

Anogiicl.exeKboljk32.exeLiimncmf.exeNfgmjqop.exeOgkcpbam.exeMelnob32.exePgefeajb.exeAgjhgngj.exeKmijbcpl.exeBaicac32.exeOgpmjb32.exeBfdodjhm.exeBnkgeg32.exeAmgapeea.exeCalhnpgn.exeBagflcje.exeLmiciaaj.exeOlcbmj32.exePmdkch32.exeAqppkd32.exeLfkaag32.exeNljofl32.exePdmpje32.exeBcoenmao.exeBclhhnca.exeCffdpghg.exeMpablkhc.exeNlmllkja.exeOponmilc.exeAfhohlbj.exeCeehho32.exeChcddk32.exeMigjoaaf.exeOgnpebpj.exeOlmeci32.exeQgqeappe.exe20651308c9a58b2f4bb0fec4b42a58b2665c65db9108535c50c0ff1b88c29ec4N.exeCndikf32.exeCaebma32.exeDobfld32.exeCabfga32.exeCnnlaehj.exePnlaml32.exeQfcfml32.exeBcebhoii.exeOqfdnhfk.exeAjhddjfn.exeBgcknmop.exeDddhpjof.exePfaigm32.exeKbceejpf.exeOjllan32.exeOddmdf32.exePggbkagp.exeAjkaii32.exeBfhhoi32.exeCdcoim32.exeLikjcbkc.exeLpebpm32.exeNnlhfn32.exeAnmjcieo.exeBfabnjjp.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ambgef32.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Kiidgeki.exe	Kboljk32.exe
File opened for modification	C:\Windows\SysWOW64\Lpcfkm32.exe	Liimncmf.exe
File created	C:\Windows\SysWOW64\Nlaegk32.exe	Nfgmjqop.exe
File created	C:\Windows\SysWOW64\Oneklm32.exe	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Lplhdc32.dll	Melnob32.exe
File created	C:\Windows\SysWOW64\Pjcbbmif.exe	Pgefeajb.exe
File created	C:\Windows\SysWOW64\Oicmfmok.dll	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Ejnjpohk.dll	Kmijbcpl.exe
File opened for modification	C:\Windows\SysWOW64\Beeoaapl.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Gcdmai32.dll	Ogpmjb32.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Baicac32.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Aeniabfd.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Eeiakn32.dll	Bagflcje.exe
File created	C:\Windows\SysWOW64\Mdckfk32.exe	Lmiciaaj.exe
File created	C:\Windows\SysWOW64\Oponmilc.exe	Olcbmj32.exe
File created	C:\Windows\SysWOW64\Pcncpbmd.exe	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Maghgl32.dll	Aqppkd32.exe
File opened for modification	C:\Windows\SysWOW64\Liimncmf.exe	Lfkaag32.exe
File created	C:\Windows\SysWOW64\Codqon32.dll	Nljofl32.exe
File opened for modification	C:\Windows\SysWOW64\Pgllfp32.exe	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Mgkjhe32.exe	Mpablkhc.exe
File created	C:\Windows\SysWOW64\Hlfofiig.dll	Nlmllkja.exe
File created	C:\Windows\SysWOW64\Najmlf32.dll	Oponmilc.exe
File created	C:\Windows\SysWOW64\Ghekgcil.dll	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Mpablkhc.exe	Migjoaaf.exe
File created	C:\Windows\SysWOW64\Ojllan32.exe	Ognpebpj.exe
File opened for modification	C:\Windows\SysWOW64\Oddmdf32.exe	Olmeci32.exe
File created	C:\Windows\SysWOW64\Qfcfml32.exe	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Kboljk32.exe	20651308c9a58b2f4bb0fec4b42a58b2665c65db9108535c50c0ff1b88c29ec4N.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Pgefeajb.exe	Pnlaml32.exe
File opened for modification	C:\Windows\SysWOW64\Qfcfml32.exe	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Qnjnnj32.exe	Qfcfml32.exe
File opened for modification	C:\Windows\SysWOW64\Bfdodjhm.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Dmgabj32.dll	Oqfdnhfk.exe
File created	C:\Windows\SysWOW64\Amgapeea.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Mjpabk32.dll	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Kimnbd32.exe	Kbceejpf.exe
File created	C:\Windows\SysWOW64\Oqfdnhfk.exe	Ojllan32.exe
File created	C:\Windows\SysWOW64\Ocgmpccl.exe	Oddmdf32.exe
File opened for modification	C:\Windows\SysWOW64\Pmdkch32.exe	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Ooojbbid.dll	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Lpebpm32.exe	Likjcbkc.exe
File opened for modification	C:\Windows\SysWOW64\Lebkhc32.exe	Lpebpm32.exe
File created	C:\Windows\SysWOW64\Npjebj32.exe	Nnlhfn32.exe
File created	C:\Windows\SysWOW64\Pgefeajb.exe	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Ehfnmfki.dll	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Akmfnc32.dll	Bfabnjjp.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
7076	6996	WerFault.exe	264

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Nfgmjqop.exeOcdqjceo.exeBgcknmop.exeBclhhnca.exeKimnbd32.exeNeeqea32.exeChcddk32.exeDobfld32.exeBnbmefbg.exeMigjoaaf.exeNcbknfed.exeOponmilc.exeOcnjidkf.exeOjllan32.exeQmkadgpo.exeAnmjcieo.exeCabfga32.exeKlngdpdd.exeLffhfh32.exeMcmabg32.exeOnjegled.exeAadifclh.exeBgehcmmm.exeAjkaii32.exeKdcbom32.exeLmiciaaj.exeMlopkm32.exeMibpda32.exeOgpmjb32.exePcncpbmd.exeAnadoi32.exeBcoenmao.exeCmqmma32.exeDaekdooc.exeMgfqmfde.exeNpjebj32.exePmidog32.exeAqkgpedc.exeBagflcje.exeCfpnph32.exeCmiflbel.exeOcbddc32.exeOgnpebpj.exeAmbgef32.exeAgjhgngj.exeBfabnjjp.exeKboljk32.exeKikame32.exeKedoge32.exeLebkhc32.exeMelnob32.exeDddhpjof.exeCaebma32.exeKiidgeki.exePnlaml32.exeBmkjkd32.exeCndikf32.exeCjkjpgfi.exeLiimncmf.exeMlcifmbl.exeNebdoa32.exeAcjclpcf.exeBfdodjhm.exeDaqbip32.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kimnbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Migjoaaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncbknfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klngdpdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lffhfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcmabg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdcbom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmiciaaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlopkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mibpda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgfqmfde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kboljk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kikame32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kedoge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lebkhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Melnob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kiidgeki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liimncmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlcifmbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nebdoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe

Modifies registry class 64 IoCs

Processes:

Cagobalc.exeLpcfkm32.exePmdkch32.exePjcbbmif.exePmidog32.exeQddfkd32.exeAnmjcieo.exeAepefb32.exeCaebma32.exeMedgncoe.exeKlngdpdd.exeMiifeq32.exeOcgmpccl.exePcbmka32.exeBapiabak.exeCeehho32.exeKedoge32.exeQnjnnj32.exeNfgmjqop.exeDjdmffnn.exeNcianepl.exeOlhlhjpd.exeAglemn32.exeMgkjhe32.exeNljofl32.exeOqfdnhfk.exeAmgapeea.exeBfdodjhm.exeMibpda32.exeKikame32.exeLigqhc32.exeOnjegled.exeCfdhkhjj.exeKboljk32.exePgefeajb.exeMelnob32.exeBmkjkd32.exeCalhnpgn.exePqdqof32.exeNckndeni.exeAadifclh.exeMigjoaaf.exeKbceejpf.exeLmppcbjd.exeLpqiemge.exeMchhggno.exeNebdoa32.exePjjhbl32.exeLikjcbkc.exeAmbgef32.exeCfmajipb.exeDeokon32.exeKpeiioac.exeChagok32.exeOjllan32.exePdmpje32.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fplmmdoj.dll"	Lpcfkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Medgncoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkbjac32.dll"	Klngdpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Miifeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empbnb32.dll"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kedoge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfgfh32.dll"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjgaigfg.dll"	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llmglb32.dll"	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgkjhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codqon32.dll"	Nljofl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amgapeea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mibpda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kikame32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ligqhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilkmnni.dll"	Onjegled.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocdfloja.dll"	Kboljk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlena32.dll"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Melnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lipdae32.dll"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfligghk.dll"	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aadifclh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Migjoaaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdfog32.dll"	Kbceejpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmppcbjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpqiemge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mchhggno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlingkpe.dll"	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmjdbam.dll"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kikame32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Likjcbkc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpeiioac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmmblqfc.dll"	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnjnnj32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

20651308c9a58b2f4bb0fec4b42a58b2665c65db9108535c50c0ff1b88c29ec4N.exeKboljk32.exeKiidgeki.exeKpbmco32.exeKbaipkbi.exeKikame32.exeKpeiioac.exeKbceejpf.exeKimnbd32.exeKmijbcpl.exeKdcbom32.exeKedoge32.exeKlngdpdd.exeKbhoqj32.exeKefkme32.exeLffhfh32.exeLmppcbjd.exeLdjhpl32.exeLfhdlh32.exeLigqhc32.exeLpqiemge.exeLfkaag32.exe

description	pid	Process	procid_target
PID 4076 wrote to memory of 2340	4076	20651308c9a58b2f4bb0fec4b42a58b2665c65db9108535c50c0ff1b88c29ec4N.exe	82
PID 4076 wrote to memory of 2340	4076	20651308c9a58b2f4bb0fec4b42a58b2665c65db9108535c50c0ff1b88c29ec4N.exe	82
PID 4076 wrote to memory of 2340	4076	20651308c9a58b2f4bb0fec4b42a58b2665c65db9108535c50c0ff1b88c29ec4N.exe	82
PID 2340 wrote to memory of 4600	2340	Kboljk32.exe	83
PID 2340 wrote to memory of 4600	2340	Kboljk32.exe	83
PID 2340 wrote to memory of 4600	2340	Kboljk32.exe	83
PID 4600 wrote to memory of 1284	4600	Kiidgeki.exe	84
PID 4600 wrote to memory of 1284	4600	Kiidgeki.exe	84
PID 4600 wrote to memory of 1284	4600	Kiidgeki.exe	84
PID 1284 wrote to memory of 4840	1284	Kpbmco32.exe	85
PID 1284 wrote to memory of 4840	1284	Kpbmco32.exe	85
PID 1284 wrote to memory of 4840	1284	Kpbmco32.exe	85
PID 4840 wrote to memory of 5068	4840	Kbaipkbi.exe	86
PID 4840 wrote to memory of 5068	4840	Kbaipkbi.exe	86
PID 4840 wrote to memory of 5068	4840	Kbaipkbi.exe	86
PID 5068 wrote to memory of 2816	5068	Kikame32.exe	87
PID 5068 wrote to memory of 2816	5068	Kikame32.exe	87
PID 5068 wrote to memory of 2816	5068	Kikame32.exe	87
PID 2816 wrote to memory of 4620	2816	Kpeiioac.exe	88
PID 2816 wrote to memory of 4620	2816	Kpeiioac.exe	88
PID 2816 wrote to memory of 4620	2816	Kpeiioac.exe	88
PID 4620 wrote to memory of 3864	4620	Kbceejpf.exe	89
PID 4620 wrote to memory of 3864	4620	Kbceejpf.exe	89
PID 4620 wrote to memory of 3864	4620	Kbceejpf.exe	89
PID 3864 wrote to memory of 4108	3864	Kimnbd32.exe	90
PID 3864 wrote to memory of 4108	3864	Kimnbd32.exe	90
PID 3864 wrote to memory of 4108	3864	Kimnbd32.exe	90
PID 4108 wrote to memory of 4640	4108	Kmijbcpl.exe	91
PID 4108 wrote to memory of 4640	4108	Kmijbcpl.exe	91
PID 4108 wrote to memory of 4640	4108	Kmijbcpl.exe	91
PID 4640 wrote to memory of 3968	4640	Kdcbom32.exe	92
PID 4640 wrote to memory of 3968	4640	Kdcbom32.exe	92
PID 4640 wrote to memory of 3968	4640	Kdcbom32.exe	92
PID 3968 wrote to memory of 644	3968	Kedoge32.exe	93
PID 3968 wrote to memory of 644	3968	Kedoge32.exe	93
PID 3968 wrote to memory of 644	3968	Kedoge32.exe	93
PID 644 wrote to memory of 2320	644	Klngdpdd.exe	94
PID 644 wrote to memory of 2320	644	Klngdpdd.exe	94
PID 644 wrote to memory of 2320	644	Klngdpdd.exe	94
PID 2320 wrote to memory of 1180	2320	Kbhoqj32.exe	95
PID 2320 wrote to memory of 1180	2320	Kbhoqj32.exe	95
PID 2320 wrote to memory of 1180	2320	Kbhoqj32.exe	95
PID 1180 wrote to memory of 1972	1180	Kefkme32.exe	96
PID 1180 wrote to memory of 1972	1180	Kefkme32.exe	96
PID 1180 wrote to memory of 1972	1180	Kefkme32.exe	96
PID 1972 wrote to memory of 348	1972	Lffhfh32.exe	97
PID 1972 wrote to memory of 348	1972	Lffhfh32.exe	97
PID 1972 wrote to memory of 348	1972	Lffhfh32.exe	97
PID 348 wrote to memory of 2432	348	Lmppcbjd.exe	98
PID 348 wrote to memory of 2432	348	Lmppcbjd.exe	98
PID 348 wrote to memory of 2432	348	Lmppcbjd.exe	98
PID 2432 wrote to memory of 3292	2432	Ldjhpl32.exe	99
PID 2432 wrote to memory of 3292	2432	Ldjhpl32.exe	99
PID 2432 wrote to memory of 3292	2432	Ldjhpl32.exe	99
PID 3292 wrote to memory of 3596	3292	Lfhdlh32.exe	100
PID 3292 wrote to memory of 3596	3292	Lfhdlh32.exe	100
PID 3292 wrote to memory of 3596	3292	Lfhdlh32.exe	100
PID 3596 wrote to memory of 1288	3596	Ligqhc32.exe	101
PID 3596 wrote to memory of 1288	3596	Ligqhc32.exe	101
PID 3596 wrote to memory of 1288	3596	Ligqhc32.exe	101
PID 1288 wrote to memory of 4208	1288	Lpqiemge.exe	102
PID 1288 wrote to memory of 4208	1288	Lpqiemge.exe	102
PID 1288 wrote to memory of 4208	1288	Lpqiemge.exe	102
PID 4208 wrote to memory of 228	4208	Lfkaag32.exe	103

C:\Users\Admin\AppData\Local\Temp\20651308c9a58b2f4bb0fec4b42a58b2665c65db9108535c50c0ff1b88c29ec4N.exe
"C:\Users\Admin\AppData\Local\Temp\20651308c9a58b2f4bb0fec4b42a58b2665c65db9108535c50c0ff1b88c29ec4N.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4076
- C:\Windows\SysWOW64\Kboljk32.exe
  C:\Windows\system32\Kboljk32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\SysWOW64\Kiidgeki.exe
    C:\Windows\system32\Kiidgeki.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4600
  - - C:\Windows\SysWOW64\Kpbmco32.exe
      C:\Windows\system32\Kpbmco32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1284
    - - C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4840
      - C:\Windows\SysWOW64\Kikame32.exe
        
        C:\Windows\system32\Kikame32.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\Kbceejpf.exe
        
        C:\Windows\system32\Kbceejpf.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4620
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3864
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4108
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\SysWOW64\Kedoge32.exe
        
        C:\Windows\system32\Kedoge32.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3968
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:644
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1180
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:348
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3292
        
        C:\Windows\SysWOW64\Ligqhc32.exe
        
        C:\Windows\system32\Ligqhc32.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3596
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4208
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:228
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        25⤵
        Executes dropped EXE
        
        PID:4956
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1432
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3012
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2156
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2172
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        30⤵
        Executes dropped EXE
        
        PID:3516
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2980
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:848
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1116
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:756
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        35⤵
        Executes dropped EXE
        
        PID:2040
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        36⤵
        Executes dropped EXE
        
        PID:1672
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:1400
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1784
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4868
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2472
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3616
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2060
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:456
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        45⤵
        Executes dropped EXE
        
        PID:4824
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        47⤵
        Executes dropped EXE
        
        PID:4560
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3692
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3904
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        50⤵
        Executes dropped EXE
        
        PID:2476
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        51⤵
        Executes dropped EXE
        
        PID:1592
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3348
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2104
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3080
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1324
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3928
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        59⤵
        Executes dropped EXE
        
        PID:4416
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:372
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2976
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1132
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2640
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1760
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        65⤵
        Executes dropped EXE
        
        PID:1616
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        66⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1888
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        67⤵
        
        PID:816
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3740
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:3496
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4008
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:856
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:876
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:1808
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3720
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        75⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1276
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1964
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        78⤵
        Drops file in System32 directory
        
        PID:2020
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3500
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3168
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2260
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        83⤵
        
        PID:592
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        84⤵
        Drops file in System32 directory
        
        PID:4904
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4756
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:224
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3332
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2396
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4112
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4152
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3536
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        92⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3744
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2444
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        94⤵
        Modifies registry class
        
        PID:2192
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        95⤵
        Drops file in System32 directory
        
        PID:3868
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:2772
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:864
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        98⤵
        Drops file in System32 directory
        
        PID:400
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        99⤵
        Modifies registry class
        
        PID:852
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        100⤵
        Modifies registry class
        
        PID:3808
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        101⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        102⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4768
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:840
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:1508
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4992
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3236
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        108⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        109⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        110⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:5220
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        112⤵
        Drops file in System32 directory
        
        PID:5264
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5312
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5356
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        115⤵
        Drops file in System32 directory
        
        PID:5400
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        116⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        117⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        118⤵
        Modifies registry class
        
        PID:5556
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5604
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5672
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        121⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        122⤵
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        123⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5804
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        124⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        125⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5888
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        126⤵
        Drops file in System32 directory
        
        PID:5928
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5972
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6016
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        129⤵
        Drops file in System32 directory
        
        PID:6060
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        130⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        131⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:688
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5188
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        133⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        134⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        135⤵
        System Location Discovery: System Language Discovery
        
        PID:5396
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        136⤵
        Drops file in System32 directory
        
        PID:5488
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5532
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        138⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5628
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        139⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        140⤵
        System Location Discovery: System Language Discovery
        
        PID:5744
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        141⤵
        Modifies registry class
        
        PID:5840
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5920
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        144⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6044
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        145⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6132
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        146⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5320
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5420
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        149⤵
        System Location Discovery: System Language Discovery
        
        PID:5544
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        151⤵
        Drops file in System32 directory
        
        PID:5776
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        152⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        153⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        154⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        155⤵
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        156⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        157⤵
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        158⤵
        Modifies registry class
        
        PID:6052
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5300
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        161⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5492
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6160
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        163⤵
        Drops file in System32 directory
        
        PID:6216
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6256
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        165⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6300
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        166⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6404
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6464
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        169⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        170⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        171⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6596
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6632
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        173⤵
        
        PID:6684
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6728
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        175⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        176⤵
        System Location Discovery: System Language Discovery
        
        PID:6820
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        177⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6864
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        178⤵
        
        PID:6908
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6952
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        180⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6996 -s 396
        181⤵
        Program crash
        
        PID:7076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 6996 -ip 6996
1⤵
PID:7052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
96KB

MD5
a67e9bee77412150ecc104ad8e565bda

SHA1
02d3775ae788c234bf89500e0c87371e3c9566bc

SHA256
12d67cc73ebc2a653eb1a4f22be92ad1a3d56e6a7496ff655d085b1565812752

SHA512
e171f840b6144e1695bbf85ada172b9656e56efd891751690492e5147ccb161be78270f9d09e2084864f5698142eec1a45854303ff00eedbc0fbcedb2cf5beda

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
96KB

MD5
596b71828e7e2b0ce42c49cd4dca545c

SHA1
9d6aa14cb08463215bec1ad26e798798618bf504

SHA256
a350bb51532bbdd72ed269676d104838440e0cb562df03e514ebbf367c0902a4

SHA512
d2ab1ff4cea3721d4b4b63d06c3c8ba32436814d56a904eeb64e83e450227088f1e2cabd9fdeac12f8f489984b6f356757561d24db61abcddb7075529f382df3

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
96KB

MD5
77931e1b1f844c8866b2b3190a8ae965

SHA1
6270535c5c3be67ccea6316d88cb78cfbaeba858

SHA256
1767818780a7116db9279412c1105bed7d0a66b890853900072641c39b81d053

SHA512
cca3a64a4049936a087dd853e170e246f2f16634b32d4854007047ebc7c2a03a153ed139427961708ef3b5d6c21972485b6d0a6a6551a850a16bd839a41ce5b2

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
96KB

MD5
7f29eda59ef7e9873245edb9a486f343

SHA1
6cd333c0e7d358c5e27ba599ca0d791a1869d245

SHA256
9cd7534d92a14ca1d34126174b181f1b6662c019f996189c41845152bfccdac7

SHA512
1032910d123f840aa33e42e27f5f4b7c5b9fe7fd268166a529baf90337e882528c406c94b142f051ffa7760045af2a647026f5587930404606b39458e6eea76a

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
96KB

MD5
c2cb6a46d4ac1dc909a18bc929d974b2

SHA1
e310964f523d8e11b23a58d211d871893d794ad6

SHA256
6b70b7173356a78dc8f3fa7ac6eb83293b542f0200e605856a702aefa6348b14

SHA512
789a71cf18e62a2b5414fe948c0590fd3a4307cf7e19e28fcd58924ae8c14d513f6b781477b4de60405b7e81dca32e3cb127e1a816d5723446ae30353384d470

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
96KB

MD5
8824c36ba39b3cfd0b10d818c1765d37

SHA1
ec2cea628de691c5d17fd11ca2a9739ec0ce8db1

SHA256
7578bb3d0e1fbdde5d9c9dd8e0551542b98e14f55e2820b11d4e3d0c52fb1bfc

SHA512
069f2fedfe0ecff1ee77cce4738b3942c46d937275cadfd6f3779c9328e83414f46f11e68163e4440500c5cb23940d1edb35907ac16197dca6b2cc6ea7db9fb9

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
96KB

MD5
58add417a3eb3aab338566145033fe4e

SHA1
64d4f28dd5d6bd7e1c5b33623d429d74ee57f26c

SHA256
66ab09f6a3874c68cb86e7adb6d8eae78f9b5e25ffd2472d32b78b3d9eab3aa5

SHA512
21052e763e7b0e1f551b1cc814379a7734f6099508b52117652376d23247b93f13a41231e161ecf092d215a29872aa80d45cbfaaa9af0750bf295cd02086c2fb

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
96KB

MD5
f1ac030e4b59613fee259d60b671a847

SHA1
4745de00cbc0a8d45cbc68e648eb3c2d0b7e975c

SHA256
4283976832fccf26804c42e7a76d51821d282825feaf8bcfe57741ffe633a999

SHA512
b60c7278991435f950179c1d63b55ff5f85e49c090189bf0f82e92202d8f0469cd857ca3f011ba93a332f702d8e07f0d334bbf2bc3159c97370c3a084e74252f

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
96KB

MD5
17988c53dbd5dadf0ecee039a33c2f51

SHA1
99e4c5fad50dd3c9e3b0247c5df1145b0604418f

SHA256
106fdea7744dcee4f11ccf954155872fd794034fcfb15a458011876d9edd00da

SHA512
e5a5249a89a2bf63db435e9adb6b9abc445b79cdca3e42cc3d9210aba69c407971aaca2f8ade659b2622017e115445465a25d778a408f986b9528c1604b69877

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
96KB

MD5
9cbd8596d31744a782fc7e07d7a56f16

SHA1
0c3021b8caced59d8c1c6e5a48be90d56a72b853

SHA256
c30bb2f3824d32a573db4399a8c14d36a157ba20aeb46763803a1575717a25df

SHA512
1dadbd223d5d4db62e1588463c66482942aaee208f170899faee1eb0ab7a3ea786b483b5e00b21322b73343ae169e4cb78d393fdc123b31b92e1aa01cf091b72

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
96KB

MD5
57f56254e48831fe227e5223f183a42c

SHA1
fa984e483a45ba8415eec9bb1c513d207cd51167

SHA256
54abce18c1b2562124447a121ceb04fe6294cbcaf9a73835fd82c04da0a775b7

SHA512
ffd488a9b0004784b2b16d2ec99a2e11b4d6a237e68c2440f128fd648181a8c80a58736a92cab886fb0c2a8df6e5a2606ebdc88ff90da808c97a2c965d177092

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
96KB

MD5
1bbb64637a123a1460212a6fd3f36ba3

SHA1
f68c973e44638a1a5885275a3a1d74adfa531973

SHA256
0b5c3adf864f11831c3faf9517dcea4db562c78a1d7d8e490ad44c02505cdb61

SHA512
32b527e62393756ce612bc4ca1497e222fd2d955788bf8dea381808596cdc58efbe9814ce98a5f06a37ed85e3725a16b92db9c4cb7d0f4a3077dda4b1bde9443

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
96KB

MD5
654a7c806e4a2c68e1d2a25a7439d65c

SHA1
603dcd35c7045d550fc981937bf908cdcef4e434

SHA256
a7f5988579ed56701cc16b8babe220d93fa6bfa4ad2d9d16dcdd385c977d67a6

SHA512
7cf91c76287d335b06ab62cfef98cd346094f6179017df09016e09cf42bdc4cb5e6351a1a20e4ee29a66a52a317d89e9ef074d017e1b1a815400827815b71077

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
96KB

MD5
81b934efd1dcea033c4239805e9c76da

SHA1
42a14dfb62973630a1a02dd696095e7b39c02aca

SHA256
ab5d03011335b4e4fae565f584c041f6996db8687b1ff200e2187e7fb222ba5a

SHA512
cd9cb7251e6e007305f3dec20468b990dc053b57d8281c72cb2f9a984cfbe286306e432c31b002660bc047c431d2f14e4fc5483d888c4743c22de3dfeac38087

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
96KB

MD5
ed4f2e2c4294c8189470e4c6d9cce85d

SHA1
75543d9b587929470ace0f1517025e704fad884b

SHA256
bddb149213676ac8df27bfc378acc8ac436a356118dc768bd3ff875d06d6f654

SHA512
93f06d0aed8e282d195a9106a2d05829681e57c4ae1378c66edcbde2909c494b041666802d45350fd220ae20632f457f115f02ffaa32db6f5b5163c56b0d28bc

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
96KB

MD5
f30efa5c80fed4cacc5ed16c3863eee9

SHA1
609e256a77655b8fbf3d72905b1ea79e649989ae

SHA256
f603eca8bc31eab6a8e69ac80ef932913f42f652e1e5d17c47ef6d6f64fbf295

SHA512
5b418a614eeb32cd7820d39a142b7ca98d020eb25694e133ba46d669f00a65d35a711db318c2fb5bdf6655bdffad55a8d3550e0913abf64d6c4ed5cf4e9e14b7

Download Submit
C:\Windows\SysWOW64\Kbaipkbi.exe

Filesize
96KB

MD5
d9479156c08b2403198d865750ef52fe

SHA1
ab1da825585054b2863e0a426be58b6f05cf9195

SHA256
e1b74ed35e9ef6efb5547edf9bb227b84b28a828dc26770b7ce9675db36a5936

SHA512
a8fe15eedbf62890fb64a9d299a3296e4186e8781151c05f8d74ad93422c245138ab345b49aba152e56c7fb3331e021dc406038de4db45f0e6df2364c581661c

Download Submit
C:\Windows\SysWOW64\Kbceejpf.exe

Filesize
96KB

MD5
ff2f15f79b1201c97e2d51c8f0801402

SHA1
257bbbbc2a1e1598bb81501201380de8e21043a7

SHA256
1c766f2b54fbb442ccdbca633a4145929df0478244c33572c66cd0489514a932

SHA512
7db750278f7f1687724b2939628919b12cfc227e4ced687c890e2a304408a837ddcd7d7c42c0e07bf6fcf0858d16002d2cb893dd4eb5c4cf40085798df8bc6e8

Download Submit
C:\Windows\SysWOW64\Kbhoqj32.exe

Filesize
96KB

MD5
e39f57760cb9d1046416bfd84de6a125

SHA1
73ff02725d422b215969176ca93e013f27a86509

SHA256
ca05156701a47b05f4d60c486410d07371572af26b70e891ba8eb97d647be390

SHA512
77a61e69d944101645e6181284144b2b19945d93306c65be965d5549ab5d9654bf6ff1f00cc6db8b102188323aca987121db750ea26befd08ce4bc6c6bb68a53

Download Submit
C:\Windows\SysWOW64\Kboljk32.exe

Filesize
96KB

MD5
5b2b1040c1d4cd5781201c0263516fa3

SHA1
3c63045ef399a553c6222aa1b5a7fdf23b7a181d

SHA256
5e6ea8dbfff903d87185832a76df8a64d992d5a83e310dce3b94076ca48dc104

SHA512
09a691ace6b79b08c41a1efeb1036fdec4543c26c94e605fc2143ef521c331f3ff87d35a0ec3e0be91929dddfb0a6e0ab680dd0330381b1913d475f16743c3ab

Download Submit
C:\Windows\SysWOW64\Kdcbom32.exe

Filesize
96KB

MD5
e4a9779710341d32f2a50191dcc71a41

SHA1
07ddb4f52189528e2509e05344924e6c74a16551

SHA256
029d4021f81c765b299cf2ccce57785b973e319a7e78241fdbdbf1047268ddb6

SHA512
69037f179dfac64311dcfa76b1869b208eced1a2462fc483a86f20f9262f180b704b59b9f81d081f7572ccaacb6858925f21c734e962e71ea719acf6ca833f86

Download Submit
C:\Windows\SysWOW64\Kedoge32.exe

Filesize
96KB

MD5
974c3d190a6c63d9d75ebb9611fef45b

SHA1
5a1189da02149e08829c194d5c0879ade17ecb87

SHA256
6b12fd674c63d48fc455d2ed322cf6466ece4097e9179a05d34a2e80a22ce115

SHA512
dd20d9061c3ddcfb08408a4054baf4a25583fb046a3f01ca12404475cc9a2a23c71189fc3ecdbd9ee7c5707f2dcbe96950e4ba56fcead85c949588637a39b314

Download Submit
C:\Windows\SysWOW64\Kefkme32.exe

Filesize
96KB

MD5
a29b25dd16eaf8591e23407a6e9fddc6

SHA1
446bb77b3e600db3fd55db53f3111814271bb389

SHA256
9ef0300b9173a6e1d7f701d91ebf7d600f14966843b53a41c1c7be6494d6b54d

SHA512
3f2eba992e9b67f209e120621c140ca3a7a44e61810d04583783006e90184aedb8c645a6d66795a012c5d2ff8a813513667dcbeb398693ffb95d16acc5db063b

Download Submit
C:\Windows\SysWOW64\Kiidgeki.exe

Filesize
96KB

MD5
e67202ad77a8972ccb345e3c902da016

SHA1
842f769fd73ca9ed0390fc7e5f7dc1414e0f89a7

SHA256
dcf9082bc2c319d56a3f0e16f2bb3de27c39a95156bfa52b34d4cd21ebd9e5d3

SHA512
fdd4f7ed2e01316461acbf4be8e8c55f0fc2d2f287fe307955d2990431dde204cfd1f2414c0521b29afa5e95cafd076cca67424211baf6489b5b3d6f8c00b8f6

Download Submit
C:\Windows\SysWOW64\Kikame32.exe

Filesize
96KB

MD5
9a1cd790b8e340aee28c1cdbf466ce6d

SHA1
25806cea81a24ebcb4518fe4c7bd8fd644ecd256

SHA256
e383af41714e49f67876616957f0d7a7ed82e2830f31d2ae6124ca5fd195c29b

SHA512
b840cf4ac96e074350301da40710376d5256f10cbd4a4987c3e56c0af0c8ea03dcb25420784a3378a4e15e3624486265656f307579b653f9a9b52489c443c53d

Download Submit
C:\Windows\SysWOW64\Kimnbd32.exe

Filesize
96KB

MD5
2ca799986ec78aecaaada0e2169ae80d

SHA1
d98773b062b4f1618eed59bbb2fd43365849adcc

SHA256
8991e2769ec04f51eb22ee9426bafead489f32df9406d1208d196694b5243917

SHA512
3d62f090bfc69f8ce22839bd60990751baed2d885f46f139b9c306c5f213deff6f2ed47294a665e5ee0005a4f570cb58c45bbda3d528272db34d51c20cf20ec7

Download Submit
C:\Windows\SysWOW64\Klngdpdd.exe

Filesize
96KB

MD5
3d7101559b634800c02f00c7d2b8c00d

SHA1
40d6ad50803b80e0be910b4acf29107d9754d70d

SHA256
507615f1c5e058f1ef916c695e30c454ce129925775d690e66a64b1167aaca6e

SHA512
be51e011485ffb50c057fa7b276d54bc1079f80beb5d73a05e93621b6893b6b5e8a344a095951925247d35c9b452aa588127143c64de1c19e51ab488ee64ee41

Download Submit
C:\Windows\SysWOW64\Kmijbcpl.exe

Filesize
96KB

MD5
76c8baf434586fa1c4db84e17d27dfe5

SHA1
c34eef6f05ab027f30b6ccfcb40f9a5ed3038a66

SHA256
63170fe345894fae46a6450070f6406358c2c929687736ae3d57074fa018f903

SHA512
5bf525751e3a46880dd65ea335640620349538d73d7dedce58e534ab0cb1eaf80014acdf0361d40b3a76743d62a226ec55c7b8a293acb337fda431b083f17e6f

Download Submit
C:\Windows\SysWOW64\Kpbmco32.exe

Filesize
96KB

MD5
31afefe7b0866c958050ab9a89bbad95

SHA1
a606c876727655e4e7ff213d9e55e0f432878945

SHA256
0dfc3b3eb86754da7126a38539e7fed3abd002bf5c88bf5e4b0b18e96615e6b4

SHA512
d7d67b701ae0f7f3ee7502f48e74c17e933ef11372c0805a119ab2d7cfc2ac397e23b44e7e229881546117f1a066aa11b7ff4c7e04dedbb77c1e3765043881bd

Download Submit
C:\Windows\SysWOW64\Kpeiioac.exe

Filesize
96KB

MD5
904e0266f7b96cce68910a3143ee9e39

SHA1
92f59f877bb68ef6b05b161e731daf721d9c2055

SHA256
dd06cbfde59cc434d55fa932143e65d7ce0248280df134576c6d6dffbb587da2

SHA512
6e2ed2f1eb546bc2b1a4b8ab385afa9d7c6f0be188f5fc4250b0615490895f7466a492d8d1c783e49c3025b5d79f5ab61824eb5b9d298f7ac3208b13dc97ca1f

Download Submit
C:\Windows\SysWOW64\Ldjhpl32.exe

Filesize
96KB

MD5
d0b8d6d3fcce9ebfcb6c6eedc2eb4ccb

SHA1
ab54602d47206c04f480a6cdbc0ee701bc469a2e

SHA256
ad8c32e85007cf1e0a4a5a62bf1ca674c56fdbbbefa0018fc921ad9313c9dee5

SHA512
281184d316d6b77c26451d5e103a1b1148294e94113635cf19123e44b10371750e57f18f0fad7573614f83a0490626315d6bcdf6bcc60e9337831d90260b46ff

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
96KB

MD5
1e8df75d5b601d410b837062fad2722b

SHA1
dc4e559bf0d2f483a738427d00a711594bb63509

SHA256
cfa0187f1ee4dc28e827ef0c9adf905cc9388b987f0d1c23232a1579bd47e154

SHA512
efdef6540a99cde722d9218976f029ed9c36bcf126f94f154437e18320d23803a6554e34ffb0b7a162966e602e43e7497468e3a20e7e0d6b8c1a35aeff2954a9

Download Submit
C:\Windows\SysWOW64\Lffhfh32.exe

Filesize
96KB

MD5
a07ebd6d911e5fa2f3677ca21d53c802

SHA1
b48c38f871ca089dbc2c98c67d67396488758d83

SHA256
f087e791cc98cee4b08b8e1a7d276d733cf20d8d9a6401354ef1bbf07657724d

SHA512
1d325e8804b5eb7abca932378d82299b3eb971a02032a67e32df542882c7560c64a1eb2c67458c202d49ac00d5c4458c0ab9ce1ece4dfa915cfc341c459be33b

Download Submit
C:\Windows\SysWOW64\Lfhdlh32.exe

Filesize
96KB

MD5
bbec213228a5ee63395d3651d0cd251b

SHA1
34eaa5819842666a84fd96191cde9a9db50076d0

SHA256
59d6e23d57201723321b95db4dfc17eb406c46218ef448c34e0494018877bb78

SHA512
b6a00d939fa25202c1f8327a732f447574d15c2f8cd22a8b77537ca66df14b6ebc88522cd5a86b4a8d986421b74038526154296dc4c95a7f422050f55f9dc720

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe

Filesize
96KB

MD5
6346f58c6480326872e9c219b1f0d408

SHA1
c2a6d6b7bd29171e28395da44e5ebdbf07ef7041

SHA256
a8f250d8d88bd79f410243a30885144d910051481df23b08079701f390695871

SHA512
8e684ef507cce7e8e594e38cbf8086836af6284beffb76cc1424d2c72c92f84b9a674debb628c333e70ef396c2e923aa62cf50c17e23787e9435458553b41051

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
96KB

MD5
09c2863d59029734474b0464e8054d1c

SHA1
791afe37c7b8cd4012ac7d94e590df395e83ea95

SHA256
b8314954cdc6105aedb8489001a7c589c30476028ace29d47b3cbd13aa5af8df

SHA512
34d22d683ceee5dc4cfa2f266a5956da3bed36f460ec3a99e0945ff17fb6c77b65f3ac8f8f6253fc852298cd524311bcab82bd812c8d10e112d07b6a357b370b

Download Submit
C:\Windows\SysWOW64\Ligqhc32.exe

Filesize
96KB

MD5
86028776ab5f396b594be352751671e2

SHA1
952c5140a3ff1fa3c2c72307e03d634d84677ec7

SHA256
64c9482c8e9cd6e57ad1aa5d69f6684c3b3601b4036095beba2f5979ae409c7a

SHA512
50771585211e3588af6a381f2f2cbf62361477b5815c87012d4b7d8a96a9ea537aaf793b437ca2f323a11faeca391f83d6bf7a0a44e4ac02eb04068eba1aa693

Download Submit
C:\Windows\SysWOW64\Liimncmf.exe

Filesize
96KB

MD5
d4ef7973119b839f6bb47720a323f60a

SHA1
4151dbaee13b9029dabaa73a918b7844a9584374

SHA256
08e20c1c7dd41426d5f8c905c3a3480f703ec56558499eb9c57d3e9a628e685a

SHA512
39398cb3acea36d7aaa903fd2e4b8aa47fef70ae05b5200c6968d8f35738f531f74abfeab554b38309b34427fb014a61016b77f86dfc4290524df7c397876489

Download Submit
C:\Windows\SysWOW64\Likjcbkc.exe

Filesize
96KB

MD5
89848b991afd7d417c1560a76daec57b

SHA1
91fea6423076c9e54390e8829c990cccb3aae8a3

SHA256
794562a6bf5f88f08dbaef7470a687edb66355ef0beb11250a63728d18d70fe0

SHA512
59fcaf6928c9af8fbedc8a87e0d3caaa7086a5ff8f06896d015d96498409e9555b03b940fde99896e61c745c5498438e826d62ee23a5c09473eb4870dfc524d5

Download Submit
C:\Windows\SysWOW64\Lmiciaaj.exe

Filesize
96KB

MD5
c087ec3604f126125e7ee378a8d17de1

SHA1
9f4a01faee662c370361616a7091c7ab5902cd4d

SHA256
02a46ef37471243dbb98ba1862dee1b5c45f53e707df90f881519db2d10e0290

SHA512
0a78e053fb9f2140879e4aacfadfacc472293664e64ce1710b15818dac4abbb157bfd592c2e139835dd64ebe3860dbaa4c78a67940f4a4961f1f1e47a59721c3

Download Submit
C:\Windows\SysWOW64\Lmppcbjd.exe

Filesize
96KB

MD5
8ad8727d8241796d571054eacf57aa8a

SHA1
1408643bb4afde501400f9100e6606365a6282e4

SHA256
b8b79c86a585026740f9849ee5d8f1afa82030dad36c41e7dfc38bdfcd7de951

SHA512
e05f87bdbcdb47fc9a137852e1aff74ccb3c4310b35225af962d0074b12af42b8b97f733e5be55ab995db2267061ee40dfdd278fe1e55e57e8d5c2d28811b081

Download Submit
C:\Windows\SysWOW64\Lpcfkm32.exe

Filesize
96KB

MD5
81641cc802d58bc60da2690070abafeb

SHA1
20374f8b3aa236900368e0ba5040005dcbbd620c

SHA256
4fc5edfdd1b3f897d82626e4ade7409c5107ce2e3a09d0d6c5f775b847ab5f89

SHA512
394d253a95f8def3243cecb65da5fddce1e3aa09e6bf6624c22d679efc683e61ebea4e83c2f173d8ea59df2e919b7fdd3f6ce85351d74701a1ae083d7679f2b0

Download Submit
C:\Windows\SysWOW64\Lpebpm32.exe

Filesize
96KB

MD5
23018395b8ddfd002bbdcdce78e36d32

SHA1
d3ba1a043e159fc6af2266b85ac6746a0cf9f0c6

SHA256
7d5333319300c43e6076ad1910f6f6083002b692de4d128689b813d91c137a24

SHA512
b2321bc4f43f2504a9a8c3981063cf5639e950faaa644e860531c01491d261b61e26969f665c46fe7fe507f8abf6870e036108aab57798809bc04c9141a61901

Download Submit
C:\Windows\SysWOW64\Lpqiemge.exe

Filesize
96KB

MD5
8a127cbffd8325f29619037bc8221611

SHA1
cce92dc91024ec8fc52e50cde9929a557dee095f

SHA256
7aa28007b3e366d734be3b3059d2b087e7793405404483cc4c8a47e8b05a8750

SHA512
6c0b79a8ac49ce01539d8b531e4366bc6d42c981b58c1789ad9c50f7caa2c2824ce949dfa995cea9ff5a955553c68127cb4b244486b6b1f0a57e8a036f108b9d

Download Submit
C:\Windows\SysWOW64\Mchhggno.exe

Filesize
96KB

MD5
b84750613801908198fe9bed2d6ce516

SHA1
fdc112427d119a828acf920e9a785334ed695eef

SHA256
c33a8ef9abd2896d48f6b1ed8fe8c07eeb29bbd6d8e40aff6f89c4ae9e751d1e

SHA512
1754bdc464e383c0642f45244294501eedd0aa7a6109a4c6fd80b59a85875cbdf528551dd9cb3cd396ed300d241f06a4edbde8f2a8350c2b4f8290addc45cbc7

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
96KB

MD5
d8d608baba43d1aebd4f9d32a2dec4d2

SHA1
5efae846f8256a1a0015c6108e25faac58186d35

SHA256
2b016be585be2630b9089df761c153a844113a6ec205b7977008ad90695d22c6

SHA512
865bf12e9f39e858517067c0301ec40f5e0c289902338262e1dce595edb438013520499d5462744bc266fa1d9042184891786a18e044fecfde1d88fef4d06907

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
96KB

MD5
1dd386d3b738680ba4c22141533c09a3

SHA1
9be7a0b4bf4346cbde528302d84e5852daf1a93e

SHA256
7d6d4fac9e9affedef5b7ef46fbec7232d8bfa59256acf0664d2f5799f396b5a

SHA512
319d6ed28a40ce1e4a42c1898adc91a147b6298cc8b10cef98abf96c89415bf61a28e7fe5eba0e3041cc26cf6e53e8450a72b606bd397cbf8067094fb61fb043

Download Submit
C:\Windows\SysWOW64\Migjoaaf.exe

Filesize
96KB

MD5
dc39e72995f3edd43abdf2dfd7e43deb

SHA1
f718a1cc2c2a7ef232adf9c3760c4ee6b22d8344

SHA256
178be17eaacaec68cd2346c4fdfd6fa0bf58154fd64f1e094868602844799f92

SHA512
5b84eb86c5fbfb8313b4ab632734472279f1a75036dab6c3bff56dfa6767dcf3bc86c31b817a24981999f48b6a228ae68946d4a6950fd6c6b4115fe92ba7ebec

Download Submit
C:\Windows\SysWOW64\Mlcifmbl.exe

Filesize
96KB

MD5
18d77bc8953258ede1282ce83e56c212

SHA1
0ce91b774a3e125dcd5e04e680c9bcef1af18b78

SHA256
c843046c386ae86a23c4a9cfca35a03b0c3e2d17e4d24361e3dfbb21fa38a7ff

SHA512
bff6e16780459b066d76abeb2dcc53648b23bf382bf384ab32224a841832906f7a2727e9700b52cce91bc00ca8e18c730d98a77c01456f18a4d6cb2ebce9d65c

Download Submit
C:\Windows\SysWOW64\Mlopkm32.exe

Filesize
96KB

MD5
c56b93d494cadb2110d83f4c75b47b7d

SHA1
7477dfe8590cabc55ff4e06797896df53e7b5ff0

SHA256
2bece102ccf8c5c08c8a218ec04f2dc93d1e256ef9eaa61323f315421dd80e35

SHA512
af7d914a7a98b8495cbac12cefb934c29991c6508baaa1c97bae0dd1a4a1fac24697c68d36bc7fc2afe4672e32722b7494f8a3c52b064bdb7ab06bbdedf90c26

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
96KB

MD5
67e1811e291152d07f6c0fb6b1563755

SHA1
3e25b778835fe7ba5af720d8d68a4f8810dbedab

SHA256
adcdae16a1c68fad3a4773b4f8fe632087ae8aecf4695c2112b29d83d2edba48

SHA512
3a35853e9d83c5fc68d4a0bae5eee06fd411cf43324feb84f14000eea296a84a48e43c3e0e1a19357c47a14fd32f3d4567ae47c8528d690ac98a55fcf6a72646

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
96KB

MD5
7681f0a304b20ae517c5355d5fc49951

SHA1
bdd926c5fa1af89aa1fac1c578956f6f8e951759

SHA256
c1eb378dde6a39a2106d401047b0ae9039dab47eaf57d9c89baee3a0c0d02909

SHA512
4f26d4a808fa393dd5b9adaa6d669b1229eeaed0adcd3c1ff27d7334bafd5a0db114f323f2f891fc950ca50275cd9b92a29e01172aac61d24291d5b99ebd60d5

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
96KB

MD5
55b40933cd9f1cfe7c4774bc64750dac

SHA1
86c6c932c8d996548f4d9947dbb172177f669a2c

SHA256
06c50a50a4f4034029b927f74c5ae47399c8d4a6ed8a85b9fa5561e73f01856c

SHA512
c1e1269d1ea5d55dd8f11fbe4e4fa8f7e1c74d218c81b6195f09be2e49da8ff1fc57501db222ca4cd726a96a89fe85872183e23df3bf9f93bd0e25d881eb9ecc

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
96KB

MD5
46b610e71391f2ec3080e10b8da73528

SHA1
587ea659b7c5b2b38f8d9f652cc832831b990b9f

SHA256
df6dadf36a76e07d68ffa90f439479dad21b9d85d099b487467fd3879655a24c

SHA512
68e710910c6ae3c5c6da74c3b135d3efa4d9f1a408c0b463a8d9d1a65937d09face3d21ff078db4deadec9c99cae666ba5f072dd8409617073cc625bc77c9dc2

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
96KB

MD5
9d9426e089a19bd89028d31597a2a333

SHA1
1288878ec362686ab56ee4eccb840c0b6a55d3de

SHA256
8164ba57fdc5d168b1eb7eda2978cb7fda03dd7c8ba4402cb67ae75c899dd1c5

SHA512
9640166cfdd0ce448c5492ab596625d2283039920111fd5b354eeeed11043a8345ba08ec7e5af0fcd19f84a520d1618c11f475627656eca9ab6bf5c5f76361e6

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
96KB

MD5
64419c9fe846e097faed426eee208906

SHA1
f73f73378ee2050651c91e097d37a666e5a1ae82

SHA256
3ae16250adbc45d1f6fc8348631c5d5a0c7245fad750d39a156f101886b16319

SHA512
885eb78e6988bea88430c9fbe646d66395ce4a194a45cd83e27c900aa98650ebc090c3ae1968f13e38802fb657db5d7f12b3d8a8a2ce2755f55b85e6c18a82d2

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
96KB

MD5
38147c635e9bf757d5143567bc4fa817

SHA1
5c9ecd660d0c4a7f4309179425a8d01a2c117e6f

SHA256
01d1aca0cf53e3ecfe450b51654b5aaac91b7259a0ff0d530f3472bb05e95f06

SHA512
ff16f9ebffbdd1ec7a0731e80945e3158ceb2964baf0e45c0b086e2ef32813c29d7f71c5cb2bfd614db3930d52f849b213a233c75416d62c1292e2da5af3f089

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
96KB

MD5
47130bc6f4411d397d71675471728145

SHA1
1c35489001b18bc33674baef079443819db5e364

SHA256
1996c330298262ecab180c44bf99171f9dfbb1eade724d41844bf94cf906c780

SHA512
f158c47154d748f1d69234a33c52c5aaa760bf10deede9cbd24b318e7c3532abf2bc6470330e6cceeaa75b753b1f6d84a51aae23f6a84cf2762bf083ce591448

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
96KB

MD5
e4ebac8ae7b7d93c2e1047dfbf1097db

SHA1
7dfefc6a82727832e8a24f1a76086aeeaf1c3eaa

SHA256
5c03681d87980b44f4accc27c89a52105a38431b86d55bea2112ed013567e75f

SHA512
343f825705b7fce4384c6f9f9d6d060fbc27262595068a47f8c4fd28ac2c8fd93e176c89fadfb8b944e912d0fd84bf37b8e405274df2f9f31c77b50c9793050a

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
96KB

MD5
79d0fe09dce30b2aa9520e0dd21dc661

SHA1
b44bccd40599ced74e987c710755cc4d5b8522e1

SHA256
a73b6bc63bf3173a99eeb5f1d0b3aab1909cd60e42d8cd0fbcbe2608bf286ca4

SHA512
8ba81cea1de0320f31ab95dfd0bdbda6d922ac2f5f875ab36a504cb0cfe73de48712c089321d254523982aed15288c38522c70b1cd9c95ae79193f278a288d19

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
96KB

MD5
1cacac4eae2a803c573d8ae28731706e

SHA1
549e6b052869faf6aa8f35c8dd75c8fecbc90328

SHA256
212ba8ce43eae75ae913e0d07df98f7c2918a002062fea2e31db1da8678d8d96

SHA512
531071e9fc85013beb8cdc0cefcbe609dc95de755ef9df7600d519c56cfd2398cea64d5abfbd19b921e67762023fc48f046c338b6577bfa5154f7c3244922a37

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
96KB

MD5
05c107fd7d91ce1078876a99959e9cad

SHA1
6a86a0fdc74125e18eb7d6e829a3e04c9896c6dc

SHA256
48864f1025cca261dd68000fa2236f3a7de165203725345d310c8cb98aa2bd92

SHA512
333352b89828cc8f7b65129a0873eee8ed3aa5f1eacfd1eddaf77fc7fbc94058c44f478ffb16dca04cfcf7a0130872c04ee607c0cd2f66e838da68222f0d92f0

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
96KB

MD5
6c8da831150416048e9fe67ac6f8cdd3

SHA1
0bb7bb2b1fd8ebb1ce167a61b75795166c0d439b

SHA256
fc40c5fae713804af29ee9c7efc19a4717774dde32a6af56cae9b1775f5a1395

SHA512
fa54fbb784a28332784246bc6437152b0680f4a90ba900724c3755c52e6332b5f9cc17fa1ce70bca13fbd570b42bb088d6d36a383581153266c443bc5532e1a7

Download Submit
memory/224-576-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/228-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/348-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/372-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/456-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/592-555-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/644-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/756-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/816-456-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/848-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/856-480-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/876-486-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1116-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1132-426-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1180-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1276-510-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1284-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1284-561-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1288-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1324-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1400-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1432-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1592-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1616-444-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1672-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1760-442-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1784-282-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1808-492-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1856-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1888-450-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1964-516-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1972-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2016-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2020-522-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2040-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2060-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2104-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2156-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2172-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2232-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2260-548-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2320-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2340-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2340-547-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2432-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2472-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2476-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2640-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2816-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2816-582-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2884-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2924-535-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2976-420-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2980-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3012-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3080-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3168-541-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3292-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3332-583-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3348-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3496-468-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3500-528-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3516-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3520-504-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3596-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3616-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3692-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3720-498-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3740-462-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3864-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3904-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3928-402-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3968-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4008-474-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4076-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4076-534-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4076-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4108-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4208-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4416-408-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4560-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4600-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4600-554-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4620-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4620-589-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4640-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4756-569-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4824-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4840-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4840-568-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4868-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4904-562-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4912-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4956-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5068-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5068-575-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5928-1331-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download