berbew | 95d58912ac62c050a6702ca01daa4a1b79e194fe079e892d020233226bcd5416

Analysis

max time kernel
102s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2024 13:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95d58912ac62c050a6702ca01daa4a1b79e194fe079e892d020233226bcd5416.exe
Size

96KB
MD5

994f7d368bd1e1234fde0f8e446e5249
SHA1

ab3df089b3e2b64d8d600f8c6361083df2fc6269
SHA256

95d58912ac62c050a6702ca01daa4a1b79e194fe079e892d020233226bcd5416
SHA512

d7f9eda12c1e20320d4ed6aba28b8823406bb71daa46aa460b8433045fefae8b44cd16fdf49adbd4f4871ff8c0ada509e87a906c7ad8951f92451499df315246
SSDEEP

1536:aNKoabLf5qycUASiyJUtlgP2Lk7RZObZUUWaegPYAi:aNK1ffAyky67gUkClUUWaeX

Score

10^/10

berbew bruteratel backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Pfaigm32.exeAmddjegd.exeAcnlgp32.exeAndqdh32.exeAgoabn32.exeKfjhkjle.exeNjnpppkn.exePncgmkmj.exeCaebma32.exeOgpmjb32.exeQmkadgpo.exeBmemac32.exeOlcbmj32.exeDeokon32.exeLdjhpl32.exeNngokoej.exeNloiakho.exeAjkaii32.exeBchomn32.exeCjinkg32.exeCfbkeh32.exeDogogcpo.exeMeiaib32.exeOgnpebpj.exeAcqimo32.exeDmjocp32.exeDdmaok32.exeMdmnlj32.exeQnjnnj32.exeBjagjhnc.exeCnffqf32.exeCdhhdlid.exeQffbbldm.exeAqppkd32.exeAjhddjfn.exeBelebq32.exeJpnchp32.exeBmpcfdmg.exeBfhhoi32.exeAnmjcieo.exeBhhdil32.exeLekehdgp.exeOnhhamgg.exePcppfaka.exeMgagbf32.exeCnnlaehj.exeDdjejl32.exeKdeoemeg.exeAfoeiklb.exeCajlhqjp.exeNdhmhh32.exePqbdjfln.exeDaqbip32.exeKlgqcqkl.exeLiimncmf.exeNcfdie32.exeOpakbi32.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfjhkjle.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njnpppkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldjhpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nngokoej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nloiakho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Meiaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpnchp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lekehdgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgagbf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdeoemeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klgqcqkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liimncmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncfdie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opakbi32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
backdoor bruteratel
Bruteratel family
bruteratel

Detect BruteRatel badger 2 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x000a000000023b99-127.dat	family_bruteratel
behavioral2/files/0x0007000000023d5e-1144.dat	family_bruteratel

Executes dropped EXE 64 IoCs

Processes:

Jpijnqkp.exeJfcbjk32.exeJianff32.exeJplfcpin.exeJbjcolha.exeJidklf32.exeJpnchp32.exeJfhlejnh.exeJmbdbd32.exeJcllonma.exeKfjhkjle.exeKmdqgd32.exeKlgqcqkl.exeKbaipkbi.exeKikame32.exeKimnbd32.exeKdcbom32.exeKfankifm.exeKmkfhc32.exeKdeoemeg.exeKefkme32.exeKmncnb32.exeKplpjn32.exeLffhfh32.exeLiddbc32.exeLdjhpl32.exeLbmhlihl.exeLekehdgp.exeLpqiemge.exeLiimncmf.exeLlgjjnlj.exeLbabgh32.exeLepncd32.exeLljfpnjg.exeLgokmgjm.exeLllcen32.exeMgagbf32.exeMmlpoqpg.exeMpjlklok.exeMgddhf32.exeMmnldp32.exeMlampmdo.exeMgfqmfde.exeMeiaib32.exeMlcifmbl.exeMcmabg32.exeMelnob32.exeMlefklpj.exeMdmnlj32.exeMcpnhfhf.exeMiifeq32.exeMlhbal32.exeNcbknfed.exeNngokoej.exeNdaggimg.exeNjnpppkn.exeNphhmj32.exeNcfdie32.exeNeeqea32.exeNloiakho.exeNdfqbhia.exeNgdmod32.exeNnneknob.exeNpmagine.exe

pid	Process
3448	Jpijnqkp.exe
3088	Jfcbjk32.exe
1580	Jianff32.exe
3640	Jplfcpin.exe
3216	Jbjcolha.exe
456	Jidklf32.exe
3576	Jpnchp32.exe
2452	Jfhlejnh.exe
1924	Jmbdbd32.exe
4916	Jcllonma.exe
1712	Kfjhkjle.exe
5016	Kmdqgd32.exe
4084	Klgqcqkl.exe
2816	Kbaipkbi.exe
3424	Kikame32.exe
548	Kimnbd32.exe
4420	Kdcbom32.exe
2908	Kfankifm.exe
1448	Kmkfhc32.exe
408	Kdeoemeg.exe
4636	Kefkme32.exe
2228	Kmncnb32.exe
1084	Kplpjn32.exe
2128	Lffhfh32.exe
2456	Liddbc32.exe
2540	Ldjhpl32.exe
2636	Lbmhlihl.exe
2960	Lekehdgp.exe
392	Lpqiemge.exe
4104	Liimncmf.exe
1856	Llgjjnlj.exe
1152	Lbabgh32.exe
2196	Lepncd32.exe
4852	Lljfpnjg.exe
4864	Lgokmgjm.exe
656	Lllcen32.exe
4492	Mgagbf32.exe
3008	Mmlpoqpg.exe
2548	Mpjlklok.exe
3444	Mgddhf32.exe
4880	Mmnldp32.exe
2080	Mlampmdo.exe
3436	Mgfqmfde.exe
3596	Meiaib32.exe
3700	Mlcifmbl.exe
3812	Mcmabg32.exe
440	Melnob32.exe
3588	Mlefklpj.exe
3956	Mdmnlj32.exe
5064	Mcpnhfhf.exe
4712	Miifeq32.exe
2156	Mlhbal32.exe
4832	Ncbknfed.exe
3248	Nngokoej.exe
3884	Ndaggimg.exe
4940	Njnpppkn.exe
452	Nphhmj32.exe
3880	Ncfdie32.exe
2936	Neeqea32.exe
3528	Nloiakho.exe
1272	Ndfqbhia.exe
2572	Ngdmod32.exe
1036	Nnneknob.exe
4876	Npmagine.exe

Drops file in System32 directory 64 IoCs

Processes:

Njnpppkn.exePjhlml32.exeQdbiedpa.exeDaconoae.exeLepncd32.exeMdmnlj32.exeDaqbip32.exeBfhhoi32.exeDeagdn32.exeLekehdgp.exeLljfpnjg.exeQnjnnj32.exeLbmhlihl.exeNgdmod32.exeNnneknob.exeOdkjng32.exeAjfhnjhq.exeLdjhpl32.exeLiimncmf.exeNeeqea32.exeOgifjcdp.exeAfhohlbj.exeCmqmma32.exeCalhnpgn.exeKmdqgd32.exeMcmabg32.exeNcbknfed.exePcbmka32.exeAeiofcji.exeJpijnqkp.exeJbjcolha.exeOgpmjb32.exeMlhbal32.exeOcpgod32.exePmannhhj.exeMiifeq32.exeBfabnjjp.exeCjpckf32.exeKdcbom32.exeOlcbmj32.exeOjoign32.exeBelebq32.exeCajlhqjp.exeJfcbjk32.exeKplpjn32.exeDdmaok32.exeJianff32.exeAmpkof32.exeAnfmjhmd.exeBnhjohkb.exeCdcoim32.exeKdeoemeg.exeNjefqo32.exeQgqeappe.exeCaebma32.exeCagobalc.exeDhmgki32.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\Nphhmj32.exe	Njnpppkn.exe
File opened for modification	C:\Windows\SysWOW64\Pncgmkmj.exe	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Qgqeappe.exe	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Lljfpnjg.exe	Lepncd32.exe
File created	C:\Windows\SysWOW64\Onliio32.dll	Mdmnlj32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Lpqiemge.exe	Lekehdgp.exe
File created	C:\Windows\SysWOW64\Lgokmgjm.exe	Lljfpnjg.exe
File created	C:\Windows\SysWOW64\Qqijje32.exe	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Lekehdgp.exe	Lbmhlihl.exe
File created	C:\Windows\SysWOW64\Nnneknob.exe	Ngdmod32.exe
File opened for modification	C:\Windows\SysWOW64\Npmagine.exe	Nnneknob.exe
File created	C:\Windows\SysWOW64\Ocnjidkf.exe	Odkjng32.exe
File created	C:\Windows\SysWOW64\Mbpfgbfp.dll	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Leedqpci.dll	Ldjhpl32.exe
File created	C:\Windows\SysWOW64\Llgjjnlj.exe	Liimncmf.exe
File created	C:\Windows\SysWOW64\Ifndpaoq.dll	Neeqea32.exe
File opened for modification	C:\Windows\SysWOW64\Opakbi32.exe	Ogifjcdp.exe
File opened for modification	C:\Windows\SysWOW64\Anogiicl.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Klgqcqkl.exe	Kmdqgd32.exe
File created	C:\Windows\SysWOW64\Eghpcp32.dll	Mcmabg32.exe
File opened for modification	C:\Windows\SysWOW64\Nngokoej.exe	Ncbknfed.exe
File opened for modification	C:\Windows\SysWOW64\Pfaigm32.exe	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Eiojlkkj.dll	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Jfcbjk32.exe	Jpijnqkp.exe
File created	C:\Windows\SysWOW64\Jpphah32.dll	Jbjcolha.exe
File created	C:\Windows\SysWOW64\Clncadfb.dll	Ogpmjb32.exe
File opened for modification	C:\Windows\SysWOW64\Ncbknfed.exe	Mlhbal32.exe
File opened for modification	C:\Windows\SysWOW64\Ofnckp32.exe	Ocpgod32.exe
File opened for modification	C:\Windows\SysWOW64\Pqmjog32.exe	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Lljfpnjg.exe	Lepncd32.exe
File created	C:\Windows\SysWOW64\Mlhbal32.exe	Miifeq32.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Ogibpb32.dll	Lepncd32.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Kfankifm.exe	Kdcbom32.exe
File created	C:\Windows\SysWOW64\Glgmkm32.dll	Olcbmj32.exe
File created	C:\Windows\SysWOW64\Oqhacgdh.exe	Ojoign32.exe
File created	C:\Windows\SysWOW64\Nngokoej.exe	Ncbknfed.exe
File created	C:\Windows\SysWOW64\Nkenegog.dll	Ncbknfed.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Belebq32.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Jianff32.exe	Jfcbjk32.exe
File opened for modification	C:\Windows\SysWOW64\Lffhfh32.exe	Kplpjn32.exe
File created	C:\Windows\SysWOW64\Melnob32.exe	Mcmabg32.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Jplfcpin.exe	Jianff32.exe
File opened for modification	C:\Windows\SysWOW64\Adgbpc32.exe	Ampkof32.exe
File created	C:\Windows\SysWOW64\Bfddbh32.dll	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Kefkme32.exe	Kdeoemeg.exe
File created	C:\Windows\SysWOW64\Lpqiemge.exe	Lekehdgp.exe
File created	C:\Windows\SysWOW64\Mjbbkg32.dll	Njefqo32.exe
File opened for modification	C:\Windows\SysWOW64\Qnjnnj32.exe	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Gfkfpo32.dll	Kplpjn32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
7068	6980	WerFault.exe	262

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Ognpebpj.exeCmgjgcgo.exeCfbkeh32.exeDknpmdfc.exe95d58912ac62c050a6702ca01daa4a1b79e194fe079e892d020233226bcd5416.exeOgifjcdp.exeOfnckp32.exeNdfqbhia.exePjhlml32.exeQmkadgpo.exeCnnlaehj.exeDhocqigp.exeKmncnb32.exeLlgjjnlj.exeNcfdie32.exeBmkjkd32.exeDeokon32.exeJfcbjk32.exeKimnbd32.exeQgqeappe.exeMelnob32.exeMlhbal32.exeNloiakho.exeOlcbmj32.exeOqhacgdh.exePqbdjfln.exeDanecp32.exeJianff32.exeJpnchp32.exeKmkfhc32.exePcbmka32.exePfaigm32.exeAjkaii32.exeAminee32.exeBfabnjjp.exeMdmnlj32.exeOqfdnhfk.exePcijeb32.exeOcgmpccl.exeAnmjcieo.exeAeiofcji.exeAcqimo32.exeCaebma32.exeKbaipkbi.exeLiddbc32.exeOcpgod32.exeCdcoim32.exeDmjocp32.exeOgbipa32.exeAqppkd32.exeAndqdh32.exeJmbdbd32.exeNngokoej.exeBhhdil32.exeDobfld32.exeLllcen32.exePdkcde32.exePfolbmje.exeDdmaok32.exeNgdmod32.exeCagobalc.exeCalhnpgn.exeMlampmdo.exeNpmagine.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	95d58912ac62c050a6702ca01daa4a1b79e194fe079e892d020233226bcd5416.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndfqbhia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmncnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llgjjnlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncfdie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfcbjk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kimnbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Melnob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhbal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jianff32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpnchp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmkfhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdmnlj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbaipkbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liddbc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmbdbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nngokoej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lllcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlampmdo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npmagine.exe

Modifies registry class 64 IoCs

Processes:

Nphhmj32.exeOgifjcdp.exeBjfaeh32.exeKdeoemeg.exeMcmabg32.exeNcfdie32.exeNeeqea32.exeOlcbmj32.exePqmjog32.exeNnneknob.exeOgbipa32.exePclgkb32.exeAmddjegd.exeBmkjkd32.exeDdjejl32.exeJcllonma.exePjhlml32.exePcbmka32.exeAeniabfd.exeJmbdbd32.exeLbabgh32.exeOdocigqg.exeAfhohlbj.exeAclpap32.exeJpijnqkp.exeJidklf32.exeMmnldp32.exeMcpnhfhf.exeAfoeiklb.exeCnffqf32.exeDdmaok32.exeDhhnpjmh.exeOpakbi32.exeOneklm32.exePcppfaka.exePjjhbl32.exeBmpcfdmg.exeDmjocp32.exeQffbbldm.exeCdcoim32.exeKmdqgd32.exeOgpmjb32.exeQgqeappe.exeAccfbokl.exeOfnckp32.exeAjfhnjhq.exeKimnbd32.exeLdjhpl32.exeLbmhlihl.exeMiifeq32.exeNpmagine.exeMpjlklok.exe95d58912ac62c050a6702ca01daa4a1b79e194fe079e892d020233226bcd5416.exeNdfqbhia.exeCagobalc.exeNcbknfed.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdeoemeg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcmabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlfofiig.dll"	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbepcmd.dll"	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghngib32.dll"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlklhm32.dll"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jcllonma.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmbdbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmmfbg32.dll"	Lbabgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekgcil.dll"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ickfifmb.dll"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpijnqkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jidklf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmnldp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpnhfhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahicipe.dll"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debdld32.dll"	Opakbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oneklm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifndpaoq.dll"	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glgmkm32.dll"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmdqgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clncadfb.dll"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kimnbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldjhpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiecmmbf.dll"	Lbmhlihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lafdhogo.dll"	Miifeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjegoh32.dll"	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ochpdn32.dll"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdeoemeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpjlklok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejckel32.dll"	95d58912ac62c050a6702ca01daa4a1b79e194fe079e892d020233226bcd5416.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpkknm32.dll"	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbaqqh32.dll"	Oneklm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncbknfed.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

95d58912ac62c050a6702ca01daa4a1b79e194fe079e892d020233226bcd5416.exeJpijnqkp.exeJfcbjk32.exeJianff32.exeJplfcpin.exeJbjcolha.exeJidklf32.exeJpnchp32.exeJfhlejnh.exeJmbdbd32.exeJcllonma.exeKfjhkjle.exeKmdqgd32.exeKlgqcqkl.exeKbaipkbi.exeKikame32.exeKimnbd32.exeKdcbom32.exeKfankifm.exeKmkfhc32.exeKdeoemeg.exeKefkme32.exe

description	pid	Process	procid_target
PID 1080 wrote to memory of 3448	1080	95d58912ac62c050a6702ca01daa4a1b79e194fe079e892d020233226bcd5416.exe	82
PID 1080 wrote to memory of 3448	1080	95d58912ac62c050a6702ca01daa4a1b79e194fe079e892d020233226bcd5416.exe	82
PID 1080 wrote to memory of 3448	1080	95d58912ac62c050a6702ca01daa4a1b79e194fe079e892d020233226bcd5416.exe	82
PID 3448 wrote to memory of 3088	3448	Jpijnqkp.exe	83
PID 3448 wrote to memory of 3088	3448	Jpijnqkp.exe	83
PID 3448 wrote to memory of 3088	3448	Jpijnqkp.exe	83
PID 3088 wrote to memory of 1580	3088	Jfcbjk32.exe	84
PID 3088 wrote to memory of 1580	3088	Jfcbjk32.exe	84
PID 3088 wrote to memory of 1580	3088	Jfcbjk32.exe	84
PID 1580 wrote to memory of 3640	1580	Jianff32.exe	85
PID 1580 wrote to memory of 3640	1580	Jianff32.exe	85
PID 1580 wrote to memory of 3640	1580	Jianff32.exe	85
PID 3640 wrote to memory of 3216	3640	Jplfcpin.exe	86
PID 3640 wrote to memory of 3216	3640	Jplfcpin.exe	86
PID 3640 wrote to memory of 3216	3640	Jplfcpin.exe	86
PID 3216 wrote to memory of 456	3216	Jbjcolha.exe	87
PID 3216 wrote to memory of 456	3216	Jbjcolha.exe	87
PID 3216 wrote to memory of 456	3216	Jbjcolha.exe	87
PID 456 wrote to memory of 3576	456	Jidklf32.exe	88
PID 456 wrote to memory of 3576	456	Jidklf32.exe	88
PID 456 wrote to memory of 3576	456	Jidklf32.exe	88
PID 3576 wrote to memory of 2452	3576	Jpnchp32.exe	89
PID 3576 wrote to memory of 2452	3576	Jpnchp32.exe	89
PID 3576 wrote to memory of 2452	3576	Jpnchp32.exe	89
PID 2452 wrote to memory of 1924	2452	Jfhlejnh.exe	90
PID 2452 wrote to memory of 1924	2452	Jfhlejnh.exe	90
PID 2452 wrote to memory of 1924	2452	Jfhlejnh.exe	90
PID 1924 wrote to memory of 4916	1924	Jmbdbd32.exe	91
PID 1924 wrote to memory of 4916	1924	Jmbdbd32.exe	91
PID 1924 wrote to memory of 4916	1924	Jmbdbd32.exe	91
PID 4916 wrote to memory of 1712	4916	Jcllonma.exe	92
PID 4916 wrote to memory of 1712	4916	Jcllonma.exe	92
PID 4916 wrote to memory of 1712	4916	Jcllonma.exe	92
PID 1712 wrote to memory of 5016	1712	Kfjhkjle.exe	93
PID 1712 wrote to memory of 5016	1712	Kfjhkjle.exe	93
PID 1712 wrote to memory of 5016	1712	Kfjhkjle.exe	93
PID 5016 wrote to memory of 4084	5016	Kmdqgd32.exe	94
PID 5016 wrote to memory of 4084	5016	Kmdqgd32.exe	94
PID 5016 wrote to memory of 4084	5016	Kmdqgd32.exe	94
PID 4084 wrote to memory of 2816	4084	Klgqcqkl.exe	95
PID 4084 wrote to memory of 2816	4084	Klgqcqkl.exe	95
PID 4084 wrote to memory of 2816	4084	Klgqcqkl.exe	95
PID 2816 wrote to memory of 3424	2816	Kbaipkbi.exe	96
PID 2816 wrote to memory of 3424	2816	Kbaipkbi.exe	96
PID 2816 wrote to memory of 3424	2816	Kbaipkbi.exe	96
PID 3424 wrote to memory of 548	3424	Kikame32.exe	97
PID 3424 wrote to memory of 548	3424	Kikame32.exe	97
PID 3424 wrote to memory of 548	3424	Kikame32.exe	97
PID 548 wrote to memory of 4420	548	Kimnbd32.exe	98
PID 548 wrote to memory of 4420	548	Kimnbd32.exe	98
PID 548 wrote to memory of 4420	548	Kimnbd32.exe	98
PID 4420 wrote to memory of 2908	4420	Kdcbom32.exe	99
PID 4420 wrote to memory of 2908	4420	Kdcbom32.exe	99
PID 4420 wrote to memory of 2908	4420	Kdcbom32.exe	99
PID 2908 wrote to memory of 1448	2908	Kfankifm.exe	100
PID 2908 wrote to memory of 1448	2908	Kfankifm.exe	100
PID 2908 wrote to memory of 1448	2908	Kfankifm.exe	100
PID 1448 wrote to memory of 408	1448	Kmkfhc32.exe	101
PID 1448 wrote to memory of 408	1448	Kmkfhc32.exe	101
PID 1448 wrote to memory of 408	1448	Kmkfhc32.exe	101
PID 408 wrote to memory of 4636	408	Kdeoemeg.exe	102
PID 408 wrote to memory of 4636	408	Kdeoemeg.exe	102
PID 408 wrote to memory of 4636	408	Kdeoemeg.exe	102
PID 4636 wrote to memory of 2228	4636	Kefkme32.exe	103

C:\Users\Admin\AppData\Local\Temp\95d58912ac62c050a6702ca01daa4a1b79e194fe079e892d020233226bcd5416.exe
"C:\Users\Admin\AppData\Local\Temp\95d58912ac62c050a6702ca01daa4a1b79e194fe079e892d020233226bcd5416.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Windows\SysWOW64\Jpijnqkp.exe
  C:\Windows\system32\Jpijnqkp.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3448
- - C:\Windows\SysWOW64\Jfcbjk32.exe
    C:\Windows\system32\Jfcbjk32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3088
  - - C:\Windows\SysWOW64\Jianff32.exe
      C:\Windows\system32\Jianff32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1580
    - - C:\Windows\SysWOW64\Jplfcpin.exe
        
        C:\Windows\system32\Jplfcpin.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3640
      - C:\Windows\SysWOW64\Jbjcolha.exe
        
        C:\Windows\system32\Jbjcolha.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3216
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\SysWOW64\Jpnchp32.exe
        
        C:\Windows\system32\Jpnchp32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\SysWOW64\Jfhlejnh.exe
        
        C:\Windows\system32\Jfhlejnh.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\SysWOW64\Jcllonma.exe
        
        C:\Windows\system32\Jcllonma.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\SysWOW64\Kfjhkjle.exe
        
        C:\Windows\system32\Kfjhkjle.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\SysWOW64\Kmdqgd32.exe
        
        C:\Windows\system32\Kmdqgd32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Windows\SysWOW64\Kbaipkbi.exe
        
        C:\Windows\system32\Kbaipkbi.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\Kikame32.exe
        
        C:\Windows\system32\Kikame32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3424
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:548
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4420
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\SysWOW64\Kmkfhc32.exe
        
        C:\Windows\system32\Kmkfhc32.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:408
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4636
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1084
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        25⤵
        Executes dropped EXE
        
        PID:2128
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2456
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2540
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2636
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2960
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        30⤵
        Executes dropped EXE
        
        PID:392
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4104
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1856
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1152
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2196
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4852
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        36⤵
        Executes dropped EXE
        
        PID:4864
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:656
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4492
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        39⤵
        Executes dropped EXE
        
        PID:3008
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        41⤵
        Executes dropped EXE
        
        PID:3444
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4880
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2080
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        44⤵
        Executes dropped EXE
        
        PID:3436
        
        C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3596
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        46⤵
        Executes dropped EXE
        
        PID:3700
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3812
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:440
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        49⤵
        Executes dropped EXE
        
        PID:3588
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3956
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4712
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2156
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4832
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3248
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        56⤵
        Executes dropped EXE
        
        PID:3884
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4940
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:452
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3880
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3528
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1272
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2572
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4324
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        67⤵
        Drops file in System32 directory
        
        PID:4732
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:764
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        69⤵
        Drops file in System32 directory
        
        PID:2672
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        70⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2096
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3788
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        74⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1100
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        75⤵
        Modifies registry class
        
        PID:828
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        76⤵
        Modifies registry class
        
        PID:4792
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:936
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2896
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:1956
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        81⤵
        Drops file in System32 directory
        
        PID:3080
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:428
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:2064
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        84⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2140
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        85⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:4604
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        87⤵
        Drops file in System32 directory
        
        PID:5104
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        88⤵
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        89⤵
        Modifies registry class
        
        PID:3084
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:4068
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        91⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2680
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3116
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5036
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:4936
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        97⤵
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        98⤵
        
        PID:552
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        99⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4892
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3480
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3012
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        102⤵
        Drops file in System32 directory
        
        PID:1908
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        103⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1844
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5040
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        105⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        106⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5184
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5224
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        109⤵
        Drops file in System32 directory
        
        PID:5268
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        110⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        112⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        113⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5444
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        114⤵
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        115⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5592
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5636
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5696
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5740
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5804
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        121⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        122⤵
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5988
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6044
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6100
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        126⤵
        Drops file in System32 directory
        
        PID:5128
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        127⤵
        System Location Discovery: System Language Discovery
        
        PID:5216
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        128⤵
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5340
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        130⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5412
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        131⤵
        Drops file in System32 directory
        
        PID:5480
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        132⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        133⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5756
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5852
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6028
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        138⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5192
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        140⤵
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5432
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5540
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5680
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        144⤵
        System Location Discovery: System Language Discovery
        
        PID:5836
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        145⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        146⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5464
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        149⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5860
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        151⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        152⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        153⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        154⤵
        Drops file in System32 directory
        
        PID:6016
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5524
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6116
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        157⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5588
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        159⤵
        Drops file in System32 directory
        
        PID:5516
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        160⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6184
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6240
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        162⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        163⤵
        System Location Discovery: System Language Discovery
        
        PID:6324
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6364
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        165⤵
        Modifies registry class
        
        PID:6412
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        166⤵
        System Location Discovery: System Language Discovery
        
        PID:6456
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6500
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        168⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        169⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        170⤵
        Drops file in System32 directory
        
        PID:6632
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6672
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        172⤵
        Drops file in System32 directory
        
        PID:6716
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6760
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6804
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        175⤵
        Drops file in System32 directory
        
        PID:6848
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        176⤵
        System Location Discovery: System Language Discovery
        
        PID:6892
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        177⤵
        System Location Discovery: System Language Discovery
        
        PID:6936
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        178⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6980 -s 216
        179⤵
        Program crash
        
        PID:7068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6980 -ip 6980
1⤵
PID:7044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
96KB

MD5
5aa44ff77d7169a818b75c7c546e7dc1

SHA1
a5c165701a66155494128b35eeb3e838900676b5

SHA256
e81d277a83b35948d532b91ab48c2494c74fb1605a103e7541928701e3f97352

SHA512
ee5696c4d67ca34f5e2fa85a4fd01819be0fcb762209979078c5dc8d1b5781c3dc64008ba2fb87156c77ab2f53c33227c9f50786955bb397ebe4beb7b6d149dc

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
96KB

MD5
37f3f63d2bada53ec4103c0762e0fedf

SHA1
8d3b586f831ad6d66471f8f56ffa3134ad895fb0

SHA256
2dce2ab7963103d510478ce5c3bbde6d1e31f705c6a0c7544338e16e0c38e6dd

SHA512
106ed8082ccf4379a5b66fbc7804cb06bc368964a16ec07fd94e2a694f8a4514d4a52bb68d7f62a0fac1bb11e9dba9f584e741f597b9761b6d20b78a2811a248

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
96KB

MD5
c412579fd5660dc1aaca83f9af6fce93

SHA1
68767930e974ea5f457976c035eb26641aa4c193

SHA256
1ab55ee3326d01bc155b3cd55acd72f20518297f1f0425256e95632e033cfe45

SHA512
2b621855a74dff9568b8df0247ffed8ec389cc04083e24f14b7f49a2bfb82716e9527e8f05297a6c8d4ade0e70e1dfdecda80da08a197f12e01bb9eead43b264

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
96KB

MD5
63429fc57acaec20c98f9b65b3125b38

SHA1
5a9da4677a1b7e0e3855cf70f64c3a5f0dd42840

SHA256
f5552694b597077108c11b5d0a18e3543f4ba12877a8be46a939b5ed7b7dd9e3

SHA512
b72eecf8ce1e2f159a56ea77be9e828a5ad01052c5132b9e0d38e251a9e71196568c485b391584e8eee2a76d016f145c883694443c73be8da5b76a7802d3ebe6

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
96KB

MD5
e31ad9027e5168dfbac7a8fc8937c788

SHA1
1958ffe3a1d1dd616e02233b0fdfb1630024a34a

SHA256
b8268db43cd767e6fbf309d58749cf5233e1e185e3e4370734f394a3c5dc6424

SHA512
a3455a19cd657ed762331c7aadd668330aed1afefb262e7787b5907eda467ff476042b86c2e537fdaf6bea8c708e7eedfeb8a5ddf0245685f4dbbe63c1a2fd45

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
96KB

MD5
a10164e8dce1f2afa7db06dc280c0fbf

SHA1
dc3068e5e575f76cda2747def19100bcd12c2592

SHA256
1e660776aac8761ca643b6a5a6da957757405a9ae0509ee57a97bcf5ec90295c

SHA512
e48e430cb0f1587533428f25ab34b4a9e69a2cb5fe0941b5846b8d911ab5be9342a751a53c311f5a91540e81d0789443b1aff908bbc635738b82ef2a0f037708

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
96KB

MD5
ee7f0ff2f81a9a273eac6d1a112bb9a4

SHA1
a7a60e8152a78ed53fee38b61e54550170256bed

SHA256
714de54e53aae8e956e165d7636c4b00b3834905cca7aca1e2061df70a721f40

SHA512
2aa0a16f711f203750a772699c78eb7c7619171ea588fe50fee7e3c5bf39d2a5d257f39aefcbbcefa16ea2d641c61fa0071ab1ba5190ea1c933d29c923fc8de0

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
96KB

MD5
f91d8209f67d37a135ce23f6c474b83c

SHA1
95f0fa6c921680213f7a957d13f8d2bf84dc3b85

SHA256
dace4b69cfb3ce30a27385e1d31ece2d652835571d1a5e6af70dfa0f56bac8b6

SHA512
0f11564fc60cc290ce2931d1ecfa7efc958d153e1c549412ed7dfbdb6f530c6b12938eb7892f6df5643b671822fd49e4c38e526b44b0d8aeef402f7be1fb6084

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
96KB

MD5
bbf68c57bff2995e131f5d32859b9c4c

SHA1
87fe3f9bb66eb0a0e81c70ad2c920620376ae2f2

SHA256
46c2bda8cef3581c5e0812aa538e78637aee2f619589d0a0ec6a800b4469a202

SHA512
e16ab4eb2e545c22c600e38b21ed1bccdc51c4dda41bf617e03245aa17325529843862f0296dce18f43b9c576982bcdddcfdd1d2a86ad37ba77d3673e3f6add7

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
96KB

MD5
fb732230f8a68cc75254aa9e9dcd64b7

SHA1
2d9f30e0307581e3ba3c88d6e947f66a8458c6c3

SHA256
bda201ad7dbcccab152c65f307381b361c1202e7a39303e83b56c074e00db05c

SHA512
97e82a49cc7d0a9bdca5dae08459bd0c848d1078bf06c861de303d42525ffdafd06b33765231f08c92df98fe9e088da9f0dee2aa5b18c0bf230f82b9db95fb50

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
96KB

MD5
071650ddbcbc67bbadbbd87cd83143c0

SHA1
26f12e0ed00ffbe1afeb77b63f8735927062baa4

SHA256
2f08fd63fdc66ecf62302ff33477617fa8363d2f3c5a9a537bcb931dfe29c9e6

SHA512
8f9692ec5b6e07b9cbaa96a6d016ec0be6f341b461793266105bc3aecdc5d910c0feea56a2dcc90050543914754c7931730b66afa019043dfb7ba6f09548242b

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
96KB

MD5
94af4eedbcb5808f3274d11cc91ef810

SHA1
f655cc7c7a40b5e13ad5b6a5d0ea9c58f624e9c5

SHA256
4909251d0b2e0b2003503e6e932e369bf5e1d7cf48e6b96db23e33d047d03aef

SHA512
ce30cddb09bb46418f4c79cb5d467b03f64253ae60aa83e1317299db493d4f8978a4ba24572586867ed0d80e69961093b9270a0ab76121659006d6123840f353

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
64KB

MD5
742471a9670453f5e587668711bce8bb

SHA1
43caf5919e4203d05352457eb9f815d239c6a5a9

SHA256
4772e09affca56cd0b31fc4f25e430c41da573d012aa6a2dac9709d1d3cfadd9

SHA512
1bdec181c76ab08cf9014ae077f6872f2e525b0a8836231c272f6a294aa4bd4f2a3f15b97fb9c128cc706e3cbfec0892c59232e98b3eeef30b5a544a665d614c

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
96KB

MD5
128b937390d00d1b4e85613f8a97e36b

SHA1
34d72ae16f4c4c124213b29d595eb1b609b60e6e

SHA256
8eab24114dad03560ab6315683abeee8e676dcda837a0a348eef3d8ce9a1aab5

SHA512
8999ac0d8c77a674444cd50a30728656ef3128bb7018a35c3dff29b3abe9ad696d646c5a2d88c7e7e0ea347f64cc05a6ffc884fbe881ba2fd967088fe7d3ae4a

Download Submit
C:\Windows\SysWOW64\Jbjcolha.exe

Filesize
96KB

MD5
f90d674577299762e57fd890ce8de42d

SHA1
279119e8480a21a9c66f5fa381f9b9278b6250d4

SHA256
5f1557395d4d10aad409ed7b3c01a1cfc1f28196529be97c2a02fa423a1b90d1

SHA512
f5e33d6d0c5e08104a7cd2b3f0537277b2f9305d66b8dbccb1fbc58985d6b59135ff6dba67cf755fdd78b808baabef525b8ecd9cb16f8bafafe56146f4e3c084

Download Submit
C:\Windows\SysWOW64\Jcllonma.exe

Filesize
96KB

MD5
b1d64a211b425b007853886f6ab8b331

SHA1
bf5cfc2051854adda8e1b39c2fd582f4405823f5

SHA256
0b13ccb4f0e22b1439950a2dfe40a9f44dafb330e8c24e7f946d216a6cef0850

SHA512
9847fb29a2fd875931ec1f2bcbe03de957ce648d9f8e90bc07474aa56e0cb16b0fe448cc26b539e7083e015c6c886f60bc65135927112795e7dcc013129ed35a

Download Submit
C:\Windows\SysWOW64\Jfcbjk32.exe

Filesize
96KB

MD5
9ae1135c8bdc50d492d26639eb9f00e0

SHA1
bafeee813d7d462d7fdb8e00a4088168781a1ccf

SHA256
ef58d71735842489195be15d012ce97198b6d6fe7410935c818754e3dfe3438d

SHA512
fc7f13bf0e35ccc257f9599e3dd1bc9f984221e96cbdcde145054a51bb8b3c1f5dcac375db4b560c375d40b3edf97095f9ff767fef30840cb462dde55028a367

Download Submit
C:\Windows\SysWOW64\Jfhlejnh.exe

Filesize
96KB

MD5
11335583ce5918a4f73d129d76e83f13

SHA1
4b41208db9e82e808da2437d8bfd3e23c8958d16

SHA256
93f4205f9423d87bb30f3d5e199aaddde6ab5bfb4d16ca46387ae643283bf8c7

SHA512
046d8adeaf0771b29550ec8e6fa989b969ac905c736029c7369e8f08ce8d4f6fdff6e4def35837036eec8185d4e0a1d818c10e57c8b3f2cc5afbd34a66a5ea83

Download Submit
C:\Windows\SysWOW64\Jianff32.exe

Filesize
96KB

MD5
ca75ed17db487078e7b7d99c5c1e4c3c

SHA1
7819c39a2e4345c47c25f8e497dcdfa6c115749b

SHA256
4dd6eb4ca4744a4287c73b88b1d79bac76ef2f38dc09f1c6dd24b07658caaaed

SHA512
01d4c196c180febd29cc4518e353f59bba9feb17eb6a7762f5f9737295a873b102c5fa5a0cdf50613dd47dad2bb8bd4e875c3f7ea367372c2172f5965fc8e887

Download Submit
C:\Windows\SysWOW64\Jidklf32.exe

Filesize
96KB

MD5
b30b6ce4668260c48dd15f1aa40a5507

SHA1
34de80d19a6900a217619f71f9ab4757e597fc59

SHA256
456cc4438736fb7b6e091d7f034e8e8937dfc90d9d357fd13c91441ef10fccbb

SHA512
100af1935dca4ee19d88610d751f89423e4ca50352bac17e839b6d8dddcfd60f4c97e7af7ab1ccd9c9bdce68ca2ec4d5904a1fac338931813da09e93dce65231

Download Submit
C:\Windows\SysWOW64\Jmbdbd32.exe

Filesize
96KB

MD5
e0f8f9f116eb5e07a1f060971bee3189

SHA1
b39864c8e21d9114a1818a25cbc73ee4d893a86f

SHA256
de3dd094c18b93a17f52ee67efc26379495b44f3a530dfed79c82cf371e47bec

SHA512
d6da528a47405dcf0a4675ccea6395fc0d91e25e7cab7aa3c7336018519ded94c194249e431581f4c6e39d85068ef95feb0404703ef848c83cdab671d8696067

Download Submit
C:\Windows\SysWOW64\Jpijnqkp.exe

Filesize
96KB

MD5
7303bf7382e8e7993f54dc6f850451fd

SHA1
aabd556eaf50ca4039b70250088b7b714962a9c0

SHA256
c50de2b47f59760a66af1afd8e53895b55465638026334510a9e11ef853c9219

SHA512
db9fdccddeac53144f5e70498d7f3f0d02034547c81d53b2e8835a5f80b6ac24a57e0dda163819ec68ee4571af0fdaa31aa487073dc552185da8f73cb5e195d1

Download Submit
C:\Windows\SysWOW64\Jplfcpin.exe

Filesize
96KB

MD5
5cbb47dc80222a025a86dea2bfe0500b

SHA1
df4a8b3ff22cee65aca253bea76f15100c4d60b4

SHA256
24e343c82409acf4946cbea3ea5056d233e8c982776e461b4779d58872d42e7b

SHA512
c06dca39e8322bad74cb8c8b23a54c0ef96bced1a3b344347e92ba9ba3aaf4a73d8ea54bd1d489e8c50c13491f05b518f38c9f6544f85e0991d4f9f9c6c8da17

Download Submit
C:\Windows\SysWOW64\Jpnchp32.exe

Filesize
96KB

MD5
ab0087770a319d27a97fa23e3f0bd69c

SHA1
2777c95d9d9fa79af103dea6632483f5721f9f60

SHA256
f2c7eff647e0b4ea8819c92e9dff587f509f963a389f8a1dee64493327d80c47

SHA512
91938610e53eb7bd9c8ea246d0a26275e7f958fc9ca7dc38b911017058995044353c0572e2dbf74aa1fe19af08d6cec4a55937efc81b231b5c6580dc020fe71b

Download Submit
C:\Windows\SysWOW64\Kbaipkbi.exe

Filesize
96KB

MD5
b92efdde5d0592769f84ff7dde13e21c

SHA1
a82f0f9e2c83afa0ba6da75e1d03afd7a56b6ede

SHA256
5823dc34f44ab02d26ac326947badcf32d405659c27e967c41584ae6d47a7429

SHA512
8060a6f2bbf88d9f67a5c6d82cc1d7340be1120068c128df20e2e2c6a5e83b9b56ada62cb540c3abce4a4e356eb5ce0e0a26e11abe69a90394fd38fc7716613f

Download Submit
C:\Windows\SysWOW64\Kdcbom32.exe

Filesize
96KB

MD5
9787cb7ba9fda171e4bbe8c6a7d94af0

SHA1
d9121803a8c29d116657a6ca9e68957388208687

SHA256
432b7b0882564c285428b51a2e2a956daf22ef9d7267a12376bd3252631ede50

SHA512
62961a76b5beb62b424dbfd429558f9a13f82b20b44e72106f2d6ab58ad084909b281d9604b3fd171946607365cff2a01b462dabf0a03b7fb8e8e1c5f047f51c

Download Submit
C:\Windows\SysWOW64\Kdeoemeg.exe

Filesize
96KB

MD5
17b5987fa0e4cbf2881536f01b3e30a8

SHA1
d069a00e9bcb9cb70538a1a05301542c8970ab60

SHA256
0c9c6177ecc66782a729b7678e78a3c52b4e597f8e504ca0fd1c86b6772aed38

SHA512
2a5d7576500e0d7f993a4a7c44238e6886465ab6416b9cfacf975664b53624208b0aed31ab8d87f00eecde762bea0275a8076ae53b8018b97c3b4d83d297f23e

Download Submit
C:\Windows\SysWOW64\Kefkme32.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\Kefkme32.exe

Filesize
96KB

MD5
f5576754dcda2784f7ec36413c3b225d

SHA1
ce6761a3b6abd4b1d1d823130db8801d13df50a9

SHA256
74ae2f04352057bb3908908091f169502e09783e237981ffbae702b757a4ef1e

SHA512
2598994b364476de39ae26336739e7969deedb667e4b7f6c27452114e74add97367479fb20f257b97b91870f160e2fcdad7c742fefee0dac1d2a6ecc74824e84

Download Submit
C:\Windows\SysWOW64\Kfankifm.exe

Filesize
96KB

MD5
49e72f458ed7002348f0842421c0f94e

SHA1
943ae090b4e5796949fcd3eb8110ec011862873e

SHA256
6b55c2388278293d2081f15e097ad50177c54fdea615af7bd3ab0dce606a050e

SHA512
df33eed0ac8a5fd85f48c272d15b8edf5bba5235160527a7e8a29c67eadb8d1427cabafbf8db180211c8a7959afb80727f7e3c416e06be38f8c66b66630e06fc

Download Submit
C:\Windows\SysWOW64\Kfjhkjle.exe

Filesize
96KB

MD5
6fe681a5aebb7ab53c5264b356e94e33

SHA1
b706d7356b23c4a3bee547a3a12878f8cf252b0e

SHA256
7e2e5bd35c5627f59b66a644fb36ff1cb35255d7daf4eda3d829b757b5e605d2

SHA512
6eb7904561f4a1cabf24dca612b73600b2c65c941c952475dcbe006804e41c76cfcd8554e44879b08fce17f15b93071cdbe3e06bab918c2829cc2dd7adddf24f

Download Submit
C:\Windows\SysWOW64\Kikame32.exe

Filesize
96KB

MD5
def7d282c8617f0eaf0815eed28cfa07

SHA1
eaf9d885a66b54902d5e695361482628b87a065f

SHA256
f2977134e870b8d0f494b1ef76c82decc0eeb330e5f68697120d4af496b3d390

SHA512
5f54046150502ef50bd60daeb0c6e5dca19c2a96870e0cb634a35a562c53e0b484750610b8e6a57dea2cc9b7ed4d4ce10e7e016fa37359daec119ab1eca29f72

Download Submit
C:\Windows\SysWOW64\Kimnbd32.exe

Filesize
96KB

MD5
51dda39ddbc47511814a5dbb10bc593f

SHA1
8b601efc706e08a532a42a886376d35b7bbeb0c7

SHA256
3f42d65dafe1d107077818e652034735013098a8cd75d02706443abafb318d58

SHA512
948d0632a79faaab2f665d6905c51b77cf47a8cdc0b332d902ff0ed43d53a00a574e6da94c397031c4238c934853281247fa9095def0fc5694bab60643256fad

Download Submit
C:\Windows\SysWOW64\Klgqcqkl.exe

Filesize
96KB

MD5
c69c02b460d9e21ec7534e76ae4c580d

SHA1
1a1a86a20e84adb9843bcc4b58833dc6daccb0d5

SHA256
46d92b6a59450975d83c2ed15e5cba63bb051cf41dc98064179297dc386d0899

SHA512
f6fc9ca6c7475942b7ad1586ed5d27a3a7bd2b30702e4f0813abf4af9edc677310db14ccfc133a572d71abfb854eee946b90aaac10a81dabe8a166097245e5a3

Download Submit
C:\Windows\SysWOW64\Kmdqgd32.exe

Filesize
96KB

MD5
3de08aaafa41493835aae654d92b828b

SHA1
9621dee5a322b40c1db49314e721433b11ee594d

SHA256
879586f50de6c0d18b75f33846f49a2b11d2b15eaefb994a58e57eec04473452

SHA512
d04b241d42bf2977b8185c5b26c88eef1e6f6ca9aca1efeae343db63caf5d8d512ee172f0e393e8825b012d9a37087c977e0760ee55f6124221180690c10a794

Download Submit
C:\Windows\SysWOW64\Kmkfhc32.exe

Filesize
96KB

MD5
131c518c09cb5d9517a711a6f8f3c4d1

SHA1
90e231d355e8e108ddb61115a9100aaead4df9aa

SHA256
5fab111e49a8e221af14f87139803ef25c0cdd9598d5e98208a810e7e056878d

SHA512
c391996ab4da399416fd8c048728c69e8f48a63dca1032cb4f3d1d18181eda419ccb15b33d82d8986082f4c962b046792b2e4ec794efda56f72e1df38536e0dc

Download Submit
C:\Windows\SysWOW64\Kmncnb32.exe

Filesize
96KB

MD5
3455d9abf98225713877edfe221190ca

SHA1
4a0520ce83f586a8077e54e46b23c284239d2d57

SHA256
cb982902493e6bb1e299ac63131fb4bea2d56a4881f729fd401cee1d2919b039

SHA512
b1d4df5e2da6c75137ac1476002a7ad133b773ee726409492e8929e43c200bfa1c7dbd0d336f600d29d8475e4f078362a809da0349c8240459b2afa168ca7acb

Download Submit
C:\Windows\SysWOW64\Kplpjn32.exe

Filesize
96KB

MD5
392e8fee05fce2bc9c551da3bdc40a20

SHA1
989880e0ad7176dff9052732fc00cdc4ee864648

SHA256
e9f3418d5034c0407dba948a5b4372fca5c8006b6452939953b5daf112eac4c0

SHA512
a9137fa4af4e276f410cf7d8148eadc62e78cbd7b574489d9ffbdfde8d6c2e3d4a724e15f33ed8f24cf2b136e1ded1eb8d9f9bf8b75502adf1ad4f126924a81f

Download Submit
C:\Windows\SysWOW64\Lbabgh32.exe

Filesize
96KB

MD5
90ddfc615a0a16ab195eb5b7063ee45e

SHA1
012ac21c162894c2410480f618c1475e3d528781

SHA256
eea1f549556bc7cf0a0d30776fa8c1ab6368ef3e6a4a6fa1b3bdede73cec0647

SHA512
2663fe7eb7de44c5a6d5f97a6c66873490ba3c55483b788262033d00be3a22ac9cb6ef6bb9e0da5a817762156937e2a7342fd9dde4917b5d6973aa49fe507778

Download Submit
C:\Windows\SysWOW64\Lbmhlihl.exe

Filesize
96KB

MD5
d930b046b09564c9fdfaae3334c0a7ef

SHA1
58d54bb94b81f40b5ad9f98145df64196f5f5921

SHA256
030e133397249975dd44ef65c29d89e06f021fc864d3f438ceded61f70060746

SHA512
00e26414e9fbb4ab16e8695ef4e19a515f8efe08986c950edeb44c7a8c945821a5b568dc63de2102a2e29647c54b7d1fe1afd497ffc1d166a14968d020ca6099

Download Submit
C:\Windows\SysWOW64\Ldjhpl32.exe

Filesize
96KB

MD5
b9d3e375d89d77c7d91f891d591d44fa

SHA1
d50bfba846340f55054d29c5aa8c34203b12e0d8

SHA256
fda35230961cf676130a6c8c30cf633d5ae01d0c0d69c79415662a5a62ef9042

SHA512
cf042f1d73fcf6efd7bc4fc1447355192cb8608e4f9cf3cccf21d48d12e5e101cde6bfa995606c2befe422399753497828e21346cf541be3b00a456dcca4cec7

Download Submit
C:\Windows\SysWOW64\Lekehdgp.exe

Filesize
96KB

MD5
3720a36c32d3061968132738066802a9

SHA1
318859091aa737634a3f7f1fb94d4de7b45976bd

SHA256
f7fbbc0444a891e3e207f7f87580208c8140cffc5212da44f1ec75ca9e40c447

SHA512
85cf0a34712cac42167bdc5446ed3f2a5e7a161a5255bd1ed32f9456df56111e4efc2d1401819afa7ec1a3fc2966380a6503ab7f1d791926c1b04dde61f41bef

Download Submit
C:\Windows\SysWOW64\Lffhfh32.exe

Filesize
96KB

MD5
f4ba6eb110011433fdd4f3b58a362c6e

SHA1
85d140ea76da8fc260c2778c6ecd427940a9e5eb

SHA256
b51067b00e81e899fb1657ff9ce5700c2c549f36b0fce4cffa395bd7747b7a5b

SHA512
1edc9efcda689b0ed4695778e404e55e30d9fb1151397663450c0df0a6cba1373dd64eeebf9c92029b4e7e12061fdcb957b2a5786a92d873e8d853449b7b702d

Download Submit
C:\Windows\SysWOW64\Liddbc32.exe

Filesize
96KB

MD5
ca1e39fd323b39406f06f6f4fe2f4c72

SHA1
d3385bf81ec149d536bb58eb5b02b5188c601807

SHA256
a5d22cf45a71fc97dbb60aec2ba6c995f7ddf5bfc917b793de5d3314db4a1ba0

SHA512
9146d4184b4e11bfe7745bc100d054ea58c1e01f2e41d8dd02878b39550f40f708af13a1b08af9ac8afc31b4b6f76c19e59ed691398e7e09531cf7d26e6e12d3

Download Submit
C:\Windows\SysWOW64\Liimncmf.exe

Filesize
96KB

MD5
8ccd63ee661c59b9021b2e58a68b3652

SHA1
0c8436455ea30e007e7f45e8bc51e970bfc42c21

SHA256
489134bf661d2a11c18ba2b8ad7b73a40c2bc98eb61a5f490a57bf89663b725a

SHA512
21aac39ae58d20ad8eba76ffbc4f457e528b7ec5033e3b49f35939df75e1370d8252f26a95e02ab9c5b316f50d1532f66759564858381c93a1fc8210583b0adc

Download Submit
C:\Windows\SysWOW64\Llgjjnlj.exe

Filesize
96KB

MD5
c201387f2b9d172d91c79bcddb86419b

SHA1
d81668849a4ce94188f25f64770c21ad84df80f0

SHA256
e5acfaad10d4f10de53795a9c51a17246b059e331bbc70c934fda87652bbeee7

SHA512
e6748e1b073c5cc6e5fd234fb75dcc6175dd593170ddafb095ab2fb3149014d3d172116154b221577f7dbef93fb07e31a4f571376c068d1b415d5b85d894551d

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
96KB

MD5
4b1fc3c1bb2b95b8ce65dd06c09277dd

SHA1
69a291a24107c27a28ec1daced504376b96a7258

SHA256
1091ec937a7fa15c2eb227e6d9eae9771a9d8a86cb2e58f6e29868a2292704c6

SHA512
cbf08c6de199bead574428335952e70ed2d0a01050cc4cdb66e5f3dfb13a26d46c923ecd4849a48f711a241947b18abe649c69f386ab857c35fcccc4b2751548

Download Submit
C:\Windows\SysWOW64\Lpqiemge.exe

Filesize
96KB

MD5
ad74dd273612509ad26d80baa85be55a

SHA1
fc287d25da8cb04c7670b41b0df9fd11a4d29f82

SHA256
5d71daa0b8e56288e148794e42585090512034d4f217c9db102799e3a5769f9f

SHA512
d361905f2a2c6fb09f3f3468c685e701683f4ac15918ffcf389caa4c56194a651f66122de4da651706508a1b343921a0298d1ed793d76c53f726b26c11515e19

Download Submit
C:\Windows\SysWOW64\Mgfqmfde.exe

Filesize
96KB

MD5
d6a24bf1c26e9c918ebaa6f77b427098

SHA1
e10955efbe82706df55e02b1411c05164c038ccb

SHA256
45b96439a40f030479bb416ef587d93519d3e242a680c056fc7fc309191929b9

SHA512
eff088da2e95437e9cd8c3ec9e4f02cbca70e24647e7b3265af905180619656138166023a9a5fffddb1cf3a97d9808708b94a401c41c889eaba4dafa0e77870f

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
96KB

MD5
3ae28ddf78db0a601805bc3ecbc4f214

SHA1
3f9d22fe62183e01aa8d2704fcc21ae49d83e83c

SHA256
4a80837f248bff87405022fbb0784a3a7e3c38cc490018ec61fa8248f3ca7655

SHA512
006a50bad45942b8efb92a0afd67a025142d0459559fb7d73fa83811fb5ec51fef307dba573ece9ac43a7201d1af9428212335b0be36fb664ce3357a1d81cbbe

Download Submit
C:\Windows\SysWOW64\Mlcifmbl.exe

Filesize
96KB

MD5
d34770d385fe82974a14a507416f0ced

SHA1
e651f8ea1aabbe8e4f001b48fa3658ffc93e3d98

SHA256
46e382d17b7b633f6d3087cd0c19a09c2d065a8d597e2f109fef37e794a5ef7e

SHA512
4483f8ea8997a9f2f58399ead7cfa5d5c6d4141c645cf8b21a8285b4698409f4a64711e5c1aeabcb32da4f7867ed5cf4ed17ec9faba84ad7211968ccf076ccd5

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
96KB

MD5
e65dfed116435ec35bd2d5a30de1002f

SHA1
5e007c27961aa60e66a48a335e9fe338d468f3c3

SHA256
afba9432fe89723b395ff646007e452636264cb1da97223bfd8d046dac34b2b6

SHA512
0d36b1d7b5fc245098d17cd704fc731f04d4e6bf2fa24c41538fccb15eeb308c57f4f948ec6c39241084468d556ace43b6a3d279ae2315bf80ed89d929771ef9

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
96KB

MD5
f410822f4011a953ff582f6f6088d43c

SHA1
fe34f8c41124e5a7c6edd1a993af9ba4e73cd770

SHA256
91dc3566dba4454cd2624fe0f72be02ebd44e2918585dce86eb4e5569896910f

SHA512
b2fd205ffa85f21939664fa207081b187780eeaa53da782b1c9999ce89cd937ad0f6aa151ab9ca21795b639d6c77f14f69de6a775c99cd5fa479f36f2dc67af2

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
96KB

MD5
3580de939c000e76b3ca2260e255dab9

SHA1
0950824a3ead3940efb79a80cf7e9b634ceb01e6

SHA256
832e40879476c7a92bd3591f22c37f3d570d209ac3249feadc1eaa114866028c

SHA512
aa7388f2ec5053f43fddaa988cc4619ce425e19f8c12d5f7e258587f8915d208fead13115707bf22f3e9071fa96d362679482a3dc4d02399625da37a720c5c26

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
96KB

MD5
4f2760a19b47ce61bfd9d4d0951dc723

SHA1
bc4b71c8c4c2429348c8e1c4895ff06ae9b56980

SHA256
f3c3cfc7ef5c2473efd4cc5e1ee9d56f623ca3f0e09039fbf5b62f1f06cd0ab2

SHA512
95cfe4145b9c882740143b29c401c1a78289f69971be1a1fa5c8f66382d51272010326f9b4f525a763fff94c720938ac1539a82f5ba4baeca0c5b79dc6bdbdb8

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
96KB

MD5
d0fe7165b936a15b6b6c391d407dda0e

SHA1
643e39e033cb14bafdca837379e644461e772683

SHA256
d9ef90b6acf61b40b0be2c424ef219e06d8d0268952ccac51534a7fe53fc6ecb

SHA512
f626cfa95985bf5fe037a13acc3c9386630ffc1670c2bc0bd9b21f13e59e86c9d4f406b9ad8554156d2b9b13d703e3dc34f9c90cb2af2a1bc80e4e7415dedfbe

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
96KB

MD5
97b43a230ede5795fb1eaecff2ec7651

SHA1
4b6000aa3d44e522fa7c039a5bcbf54c0acd9f9c

SHA256
8a3e5fa4fb1a4f01b8c1ca5639a18e930f1134ec1c9458f03f11bae7fc8ea79f

SHA512
98573a6beca75085f983994df711f8052ccfb7ee9488e5fe7cfa8f1c0de0958aceb7b2a426a2d94c9058eeefe1aa8dee125de8d436d880ef43bc8bbb9150471c

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
96KB

MD5
d7491ddb2f1cabd797f82d47f0db9889

SHA1
b72a9b755d56bf0e1c1a175f48a512b5b042269c

SHA256
be6ac96d0006a68e4183b10e46c0c4243673aeac1fcb0b14e779b9be38f68e11

SHA512
b9b3dc3680b182ba8e5f08bd0536dc9fc8a286026599bd3d3fcbd0675c3da0fdc414cef61a6514a47c4b154956422973c8bc94fcf5b3114585fbeebfb0b4c1f5

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
96KB

MD5
deb8dfeebdd30830510ef738dfafe6f4

SHA1
43797a18127d1e8858a686d684b4b4cf6c8561e3

SHA256
e2d4931591dd79bcc531d9f737f474e2284e07577f55c3525571552363e5f32e

SHA512
0cef3cd1d5b04949d55327188170507578cca9b0b5153226bc07c568036770b22b74302ab4e4dd10ccd1e3ef9be916af76b642668cdac037e29a378e499a7892

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
96KB

MD5
3cf556c5366139355d327c074752f8be

SHA1
879043ccf593c1f8d44a931b3bdbb8556a3bbb50

SHA256
b1e7b3304a555e02313e8f2cd371b6b07c55f25cd2f9966bbde004604c010f8c

SHA512
1d765993c8c2b72b7992675872b76b349e9ff5bbe34fd39760af438c6e1d20ac62a166edb2c8e34f0081729f116b073e838c89fdce36079f48f7344066795563

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
96KB

MD5
de4b7f1940c5fa5b3b506bfe45059410

SHA1
a4448b5f72b20976b8ccc07b60de524db757af3d

SHA256
a1680fe624df2b08e465c7e99fe4dbf2cd869f93483afd389e524fc209bfc829

SHA512
7d4ddb1c8297f89141eb9bb0d64b3b676f82ce47cf9c26505ae3a3f16c2d021e5e78e5b89bb19f7a6106474198051bcf96cebf8c446254f12f8f958c8ceb99ff

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
64KB

MD5
9fba1dbf6d8ba768893fbd0885637d80

SHA1
8e0c3896a1245634891f4bb9b1030c5cb215407c

SHA256
3d62cca8bcdb07056bfba874fdd1556efe3e0c99999237984dbd0e7f8702f765

SHA512
43a7a5a5aaa1d6bfe7cf90d13902617d93cfbf68d6429aee5c5de16b485231eb26459438f5787b6daaaf192bd9b5f3d14c8dcb59e8a569848a68ae022cbe6984

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
96KB

MD5
4e5efa3e9931f48b8cdf25ceb8314fb6

SHA1
ca512f8c5f1165589f23b9f51f98fa7ac0992202

SHA256
01c5aaa072bd5b6c91362236a3858031d9c26e3f0efc6eefad43823c5d430d49

SHA512
14abd6cda4291d18708d38da3f6c8533984b4a0a1ee868ea3dcf208bddeaa0d1bf63f479111dffdefce3dfeb42f99512860885c20b02379381846cefac4a9626

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
96KB

MD5
b092a21dee0613c15911eb656d603e9a

SHA1
c29a5b806eeb3ce1c632a1eb4025129273b1df02

SHA256
04462493a83270e32bbfdef090935b56595c3936efef30d7014cc422758428d5

SHA512
d4b32c1a52037ac518c583a54052aeccd6485414e3aef89e22296ad5cc7fa53bc959d8a2dfba50982a1c5242fba1e835278c5b998997d063d3f1f9e8c44fd08f

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
96KB

MD5
0409b0f2585e4ecef828b9fae006d087

SHA1
e2fc8d5004ee2ce02f261212b46039ff9114d284

SHA256
a9d340725610ef1741c4d01aeda6aef6f020d0cf1f5a616a9d212886fb2fef75

SHA512
9e0276a0bf14862fdb40c5b7840669ea5de92cd0466e2ba2456eb1656b4ad8350ecf4be3b17d7908bd5164143a7a78441101c8096da11c98b36866facdec6ebf

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
96KB

MD5
6808af124926259c1a29cb69846fdae7

SHA1
a9629f97a15cfd7138ed8667661cba9da169c77b

SHA256
941f783bc98ce7795e7d23a7f6901cb1f75f4ae38f35b6c0e7adcdaf5c5b148d

SHA512
7cefc1104b03b4198f9d42ea16d074123c73686eccd16b98934f3d16db3879b7de69b27ffa00a1cdb86f584d4cdf257261c8be1cff8108949be8bc415e6adcae

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
96KB

MD5
caeb9b2c1e045ef2dfcdd36784982042

SHA1
af97081c16b81ac7f42af53dd5ef5b50c41c8875

SHA256
1fabf42660555ccfd832f19d60b062ec2863c572f78d21a48aa07e233a3b707a

SHA512
0373590d3de69a561e8ccfca2c9c6cfde4f22caf061a1d7f9ab29b2c023d630b4f3ca2ea2707b9b06c979994790596ed73b4ef745e8580483c86aa33b297fcd3

Download Submit
memory/392-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/408-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/428-558-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/440-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/452-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/456-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/456-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/548-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/656-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/764-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/828-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/936-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1036-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1080-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1080-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1080-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1084-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1100-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1152-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1272-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1448-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-570-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1704-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1712-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1856-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1924-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1956-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2064-564-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2080-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2096-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2128-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2140-572-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2156-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2196-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2228-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2452-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2456-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2540-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2548-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2572-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2636-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2672-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2816-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2896-531-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2908-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2936-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2944-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2960-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3008-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3080-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3088-563-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3088-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3216-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3216-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3248-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3424-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3436-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3444-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3448-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3448-556-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3528-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3576-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3576-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3588-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3596-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3640-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3640-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3700-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3788-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3812-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3880-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3884-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3956-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4084-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4104-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4232-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4324-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4420-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4492-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4604-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4636-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4712-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4732-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4792-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4832-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4852-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4864-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4876-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4880-313-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4916-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4940-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5016-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5020-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5064-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5104-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5192-1292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5464-1274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5740-1326-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6100-1315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6128-1293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6500-1240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6632-1235-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6980-1220-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download