berbew | 2075451c705fb977ee3b9c7cb0c05a32e02255c40f809a509ba14ce1949a2d13

Analysis

max time kernel
91s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2024 20:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2075451c705fb977ee3b9c7cb0c05a32e02255c40f809a509ba14ce1949a2d13.exe
Size

96KB
MD5

86587cf2148799aaf2040ad8ea263a2f
SHA1

3452d0e4bc8c217e95c4cdd5bce766effd3c8f7f
SHA256

2075451c705fb977ee3b9c7cb0c05a32e02255c40f809a509ba14ce1949a2d13
SHA512

6265603fdd8ffe0f67ed5f5152d2f8c4c220b89095fb4a0442ce84076bc31f7b6c2cc2169b7ff65b950739203cf578d1317155bfb314348216305bb41825cd07
SSDEEP

1536:lBBhzdrLS5u4CqBxG2LHki2L47RZObZUUWaegPYAG:lBHdfah3Y4ClUUWae9

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Doicia32.exe2075451c705fb977ee3b9c7cb0c05a32e02255c40f809a509ba14ce1949a2d13.exeOdhmkcbi.exePmoakd32.exeBfoelf32.exeCffkleae.exeMgmnjb32.exeAceidl32.exeBepeinol.exeCcjlfi32.exeDomldpcd.exeNfbdblnp.exeOmhlkeko.exePgplnmib.exeAdplbp32.exeAfaijhcm.exeAamchpmk.exeLbjlid32.exeMipcambi.exeMplhdghc.exeNgfqqa32.exeDhcdhf32.exeLdjhcgll.exeMdqncffd.exeNcakqaqo.exeQqoggb32.exeAgeopj32.exeDhokmgpm.exeMlgjmi32.exeNjifhljn.exeOciaap32.exePfcmij32.exePggbnlbj.exeBcebkjdd.exeCabfjmkc.exeDdjemgal.exeNnpimkfl.exePjcbeh32.exeAmmnmbig.exeAgglej32.exeAnogldng.exeLekekp32.exeNjlcmk32.exeOjgbij32.exePnghdh32.exeAnedfffb.exeChhdlhfe.exeCjhmnc32.exePqmjab32.exeQcppimfl.exeBcnljkjl.exeCjkjcb32.exeMcfkec32.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doicia32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2075451c705fb977ee3b9c7cb0c05a32e02255c40f809a509ba14ce1949a2d13.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	2075451c705fb977ee3b9c7cb0c05a32e02255c40f809a509ba14ce1949a2d13.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odhmkcbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoakd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfoelf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffkleae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgmnjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aceidl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bepeinol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccjlfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Domldpcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfbdblnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omhlkeko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgplnmib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adplbp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afaijhcm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aamchpmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbjlid32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mipcambi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mplhdghc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngfqqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhcdhf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Domldpcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldjhcgll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdqncffd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncakqaqo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqoggb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ageopj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhokmgpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlgjmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njifhljn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ociaap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfcmij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pggbnlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebkjdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfjmkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhcdhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjemgal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnpimkfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcbeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ammnmbig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffkleae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfjmkc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogldng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anogldng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lekekp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgmnjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njlcmk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojgbij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnghdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anedfffb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chhdlhfe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjhmnc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbjlid32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njlcmk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcppimfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adplbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcnljkjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjcb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doicia32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcfkec32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

Processes:

Lbjlid32.exeLiddfolf.exeLdjhcgll.exeLekekp32.exeLdlehg32.exeMemapppg.exeMlgjmi32.exeMgmnjb32.exeMdqncffd.exeMebkko32.exeMllchico.exeMcfkec32.exeMipcambi.exeMpjlngje.exeMegdfnhm.exeMplhdghc.exeNgfqqa32.exeNnpimkfl.exeNcmaeb32.exeNjgjbllq.exeNconka32.exeNjifhljn.exeNcakqaqo.exeNjlcmk32.exeNfbdblnp.exeOfeqhl32.exeOnlhii32.exeOciaap32.exeOdhmkcbi.exeOdjjqc32.exeOjgbij32.exeOdmgfb32.exeOfncnkcb.exeOmhlkeko.exePjlldiji.exePnghdh32.exePgplnmib.exePfcmij32.exePmmefd32.exePcgmbnnf.exePfeiojnj.exePmoakd32.exePcijhnld.exePjcbeh32.exePqmjab32.exePggbnlbj.exeQqoggb32.exeQqadmagh.exeQcppimfl.exeAnedfffb.exeAdplbp32.exeAfaijhcm.exeAqfmhacc.exeAceidl32.exeAmmnmbig.exeAedfnoii.exeAjanffhq.exeAakfcp32.exeAgeopj32.exeAnogldng.exeAamchpmk.exeAgglej32.exeBmddma32.exeBcnljkjl.exe

pid	Process
1484	Lbjlid32.exe
2304	Liddfolf.exe
3428	Ldjhcgll.exe
1104	Lekekp32.exe
2972	Ldlehg32.exe
4520	Memapppg.exe
928	Mlgjmi32.exe
4352	Mgmnjb32.exe
2928	Mdqncffd.exe
3020	Mebkko32.exe
4280	Mllchico.exe
1440	Mcfkec32.exe
2840	Mipcambi.exe
4960	Mpjlngje.exe
4832	Megdfnhm.exe
2120	Mplhdghc.exe
228	Ngfqqa32.exe
4544	Nnpimkfl.exe
2708	Ncmaeb32.exe
2164	Njgjbllq.exe
4696	Nconka32.exe
1532	Njifhljn.exe
1620	Ncakqaqo.exe
2192	Njlcmk32.exe
3612	Nfbdblnp.exe
3940	Ofeqhl32.exe
4372	Onlhii32.exe
820	Ociaap32.exe
2812	Odhmkcbi.exe
4752	Odjjqc32.exe
3048	Ojgbij32.exe
1232	Odmgfb32.exe
4080	Ofncnkcb.exe
1980	Omhlkeko.exe
3760	Pjlldiji.exe
3456	Pnghdh32.exe
4932	Pgplnmib.exe
2600	Pfcmij32.exe
4328	Pmmefd32.exe
1888	Pcgmbnnf.exe
448	Pfeiojnj.exe
1148	Pmoakd32.exe
972	Pcijhnld.exe
4592	Pjcbeh32.exe
872	Pqmjab32.exe
4684	Pggbnlbj.exe
2484	Qqoggb32.exe
3784	Qqadmagh.exe
2552	Qcppimfl.exe
1272	Anedfffb.exe
2400	Adplbp32.exe
3704	Afaijhcm.exe
244	Aqfmhacc.exe
1188	Aceidl32.exe
2452	Ammnmbig.exe
4852	Aedfnoii.exe
1472	Ajanffhq.exe
2816	Aakfcp32.exe
1524	Ageopj32.exe
3960	Anogldng.exe
2724	Aamchpmk.exe
2308	Agglej32.exe
420	Bmddma32.exe
4732	Bcnljkjl.exe

Drops file in System32 directory 64 IoCs

Processes:

Adplbp32.exePcgmbnnf.exePggbnlbj.exeMpjlngje.exeMplhdghc.exeOdhmkcbi.exeBcnljkjl.exeBepeinol.exeCjhmnc32.exe2075451c705fb977ee3b9c7cb0c05a32e02255c40f809a509ba14ce1949a2d13.exeMllchico.exeBcebkjdd.exeAceidl32.exeAedfnoii.exeCabfjmkc.exeDkdmia32.exeBjokgd32.exeDoicia32.exeDeckfkof.exeOjgbij32.exeQcppimfl.exeOdmgfb32.exeOfncnkcb.exeAfaijhcm.exeBgnafinp.exeDdjemgal.exeMebkko32.exeNjlcmk32.exeDomldpcd.exeMcfkec32.exeOfeqhl32.exeNjgjbllq.exeMgmnjb32.exeMegdfnhm.exePcijhnld.exeCnopcb32.exeLekekp32.exeMemapppg.exeBabmco32.exeCcjlfi32.exeOciaap32.exeNcakqaqo.exeBmddma32.exeMlgjmi32.exeAnogldng.exeNjifhljn.exeCeleel32.exeAamchpmk.exeLdlehg32.exePqmjab32.exeDhokmgpm.exeDmnpjmla.exeNcmaeb32.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Afaijhcm.exe	Adplbp32.exe
File opened for modification	C:\Windows\SysWOW64\Pfeiojnj.exe	Pcgmbnnf.exe
File opened for modification	C:\Windows\SysWOW64\Qqoggb32.exe	Pggbnlbj.exe
File created	C:\Windows\SysWOW64\Ddmgkb32.dll	Mpjlngje.exe
File created	C:\Windows\SysWOW64\Ngfqqa32.exe	Mplhdghc.exe
File created	C:\Windows\SysWOW64\Odjjqc32.exe	Odhmkcbi.exe
File opened for modification	C:\Windows\SysWOW64\Bgjhkjbe.exe	Bcnljkjl.exe
File opened for modification	C:\Windows\SysWOW64\Bgnafinp.exe	Bepeinol.exe
File created	C:\Windows\SysWOW64\Cabfjmkc.exe	Cjhmnc32.exe
File created	C:\Windows\SysWOW64\Nponnj32.dll	2075451c705fb977ee3b9c7cb0c05a32e02255c40f809a509ba14ce1949a2d13.exe
File created	C:\Windows\SysWOW64\Diikmo32.dll	Mllchico.exe
File created	C:\Windows\SysWOW64\Bgjhkjbe.exe	Bcnljkjl.exe
File opened for modification	C:\Windows\SysWOW64\Bjokgd32.exe	Bcebkjdd.exe
File created	C:\Windows\SysWOW64\Kggfknab.dll	Aceidl32.exe
File created	C:\Windows\SysWOW64\Ajanffhq.exe	Aedfnoii.exe
File created	C:\Windows\SysWOW64\Bfhdbkjp.dll	Cjhmnc32.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjcb32.exe	Cabfjmkc.exe
File created	C:\Windows\SysWOW64\Ojiefj32.dll	Dkdmia32.exe
File created	C:\Windows\SysWOW64\Lbjlid32.exe	2075451c705fb977ee3b9c7cb0c05a32e02255c40f809a509ba14ce1949a2d13.exe
File created	C:\Windows\SysWOW64\Cffkleae.exe	Bjokgd32.exe
File created	C:\Windows\SysWOW64\Qhigml32.dll	Doicia32.exe
File opened for modification	C:\Windows\SysWOW64\Dmnpjmla.exe	Deckfkof.exe
File created	C:\Windows\SysWOW64\Odmgfb32.exe	Ojgbij32.exe
File created	C:\Windows\SysWOW64\Kbheqgmg.dll	Qcppimfl.exe
File created	C:\Windows\SysWOW64\Eanlej32.dll	Odmgfb32.exe
File opened for modification	C:\Windows\SysWOW64\Omhlkeko.exe	Ofncnkcb.exe
File created	C:\Windows\SysWOW64\Aqfmhacc.exe	Afaijhcm.exe
File created	C:\Windows\SysWOW64\Bjmnbd32.exe	Bgnafinp.exe
File opened for modification	C:\Windows\SysWOW64\Dkdmia32.exe	Ddjemgal.exe
File created	C:\Windows\SysWOW64\Ppmopd32.dll	Mebkko32.exe
File opened for modification	C:\Windows\SysWOW64\Nfbdblnp.exe	Njlcmk32.exe
File created	C:\Windows\SysWOW64\Ekeinhcn.dll	Pggbnlbj.exe
File created	C:\Windows\SysWOW64\Cjkjcb32.exe	Cabfjmkc.exe
File opened for modification	C:\Windows\SysWOW64\Degdaj32.exe	Domldpcd.exe
File opened for modification	C:\Windows\SysWOW64\Mipcambi.exe	Mcfkec32.exe
File created	C:\Windows\SysWOW64\Fljkoc32.dll	Ofeqhl32.exe
File opened for modification	C:\Windows\SysWOW64\Nconka32.exe	Njgjbllq.exe
File opened for modification	C:\Windows\SysWOW64\Deckfkof.exe	Doicia32.exe
File opened for modification	C:\Windows\SysWOW64\Mdqncffd.exe	Mgmnjb32.exe
File opened for modification	C:\Windows\SysWOW64\Mplhdghc.exe	Megdfnhm.exe
File created	C:\Windows\SysWOW64\Pjcbeh32.exe	Pcijhnld.exe
File created	C:\Windows\SysWOW64\Nbhlhm32.dll	Cnopcb32.exe
File created	C:\Windows\SysWOW64\Lgafjlgq.dll	Lekekp32.exe
File created	C:\Windows\SysWOW64\Kcmfjh32.dll	Memapppg.exe
File created	C:\Windows\SysWOW64\Lppjgf32.dll	Ojgbij32.exe
File created	C:\Windows\SysWOW64\Bfoelf32.exe	Babmco32.exe
File created	C:\Windows\SysWOW64\Geqfeclf.dll	Ccjlfi32.exe
File opened for modification	C:\Windows\SysWOW64\Onlhii32.exe	Ofeqhl32.exe
File created	C:\Windows\SysWOW64\Odhmkcbi.exe	Ociaap32.exe
File opened for modification	C:\Windows\SysWOW64\Njlcmk32.exe	Ncakqaqo.exe
File created	C:\Windows\SysWOW64\Bcnljkjl.exe	Bmddma32.exe
File created	C:\Windows\SysWOW64\Olheph32.dll	Bmddma32.exe
File created	C:\Windows\SysWOW64\Mgmnjb32.exe	Mlgjmi32.exe
File opened for modification	C:\Windows\SysWOW64\Aamchpmk.exe	Anogldng.exe
File created	C:\Windows\SysWOW64\Ncakqaqo.exe	Njifhljn.exe
File created	C:\Windows\SysWOW64\Cjhmnc32.exe	Celeel32.exe
File opened for modification	C:\Windows\SysWOW64\Agglej32.exe	Aamchpmk.exe
File created	C:\Windows\SysWOW64\Bpnqpd32.dll	Cabfjmkc.exe
File created	C:\Windows\SysWOW64\Memapppg.exe	Ldlehg32.exe
File created	C:\Windows\SysWOW64\Knobie32.dll	Pqmjab32.exe
File created	C:\Windows\SysWOW64\Fageamqg.dll	Dhokmgpm.exe
File created	C:\Windows\SysWOW64\Kehnkl32.dll	Dmnpjmla.exe
File created	C:\Windows\SysWOW64\Lhhdfpaa.dll	Ncmaeb32.exe
File created	C:\Windows\SysWOW64\Chhdlhfe.exe	Cnopcb32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
2752	2712	WerFault.exe	176

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Bjokgd32.exeCnopcb32.exeChhdlhfe.exePggbnlbj.exeLbjlid32.exeNcmaeb32.exeOnlhii32.exeAdplbp32.exeAnogldng.exeDhokmgpm.exeDegdaj32.exeDanefkqe.exeOmhlkeko.exePqmjab32.exeAnedfffb.exePmmefd32.exePjcbeh32.exeBcebkjdd.exeNjgjbllq.exeNjlcmk32.exeOciaap32.exeMplhdghc.exeOdhmkcbi.exePfeiojnj.exeCjkjcb32.exeDeckfkof.exeMlgjmi32.exeMebkko32.exeMipcambi.exePnghdh32.exePcijhnld.exeAjanffhq.exeCffkleae.exeCjfqhcei.exeLiddfolf.exeMllchico.exeMcfkec32.exeDmnpjmla.exeOfncnkcb.exeAakfcp32.exeDdjemgal.exeLdlehg32.exeMdqncffd.exeOdmgfb32.exeAamchpmk.exeBmddma32.exeBjmnbd32.exeNgfqqa32.exeQqadmagh.exeAceidl32.exeCcjlfi32.exeCjhmnc32.exeNnpimkfl.exeNcakqaqo.exeBgnafinp.exeAmmnmbig.exeAgeopj32.exeAgglej32.exeBabmco32.exeBjjalepf.exeLekekp32.exeNconka32.exeNfbdblnp.exeQqoggb32.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokgd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnopcb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chhdlhfe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbnlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjlid32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncmaeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onlhii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adplbp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogldng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhokmgpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Degdaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danefkqe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omhlkeko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjab32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anedfffb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmmefd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebkjdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njgjbllq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njlcmk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ociaap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mplhdghc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odhmkcbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfeiojnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjcb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deckfkof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlgjmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mebkko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mipcambi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnghdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijhnld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanffhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffkleae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjfqhcei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liddfolf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mllchico.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcfkec32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmnpjmla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofncnkcb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aakfcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjemgal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldlehg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdqncffd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odmgfb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aamchpmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmddma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngfqqa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqadmagh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aceidl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjlfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjhmnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnpimkfl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncakqaqo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgnafinp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ammnmbig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageopj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Babmco32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjjalepf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lekekp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nconka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfbdblnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqoggb32.exe

Modifies registry class 64 IoCs

Processes:

Njgjbllq.exeAceidl32.exeBmddma32.exeDkdmia32.exeLiddfolf.exeMemapppg.exeAdplbp32.exeMgmnjb32.exeNcmaeb32.exePcgmbnnf.exeQqoggb32.exeAjanffhq.exeAnogldng.exeOmhlkeko.exePfcmij32.exeDoicia32.exeLdjhcgll.exeNgfqqa32.exeAmmnmbig.exeCjfqhcei.exeNconka32.exePqmjab32.exeOnlhii32.exeAgglej32.exeBjokgd32.exe2075451c705fb977ee3b9c7cb0c05a32e02255c40f809a509ba14ce1949a2d13.exeNfbdblnp.exeBfoelf32.exeAedfnoii.exeBcebkjdd.exeAamchpmk.exeChhdlhfe.exeMcfkec32.exeNjlcmk32.exeAnedfffb.exeAgeopj32.exeMllchico.exeNnpimkfl.exeAfaijhcm.exeCjhmnc32.exeBgnafinp.exePjcbeh32.exeCcjlfi32.exeMdqncffd.exeOfeqhl32.exePjlldiji.exeAqfmhacc.exeMlgjmi32.exeBjmnbd32.exeDhcdhf32.exeOdhmkcbi.exeBjjalepf.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njgjbllq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aceidl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olheph32.dll"	Bmddma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojiefj32.dll"	Dkdmia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liddfolf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Memapppg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adplbp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkdmia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgmnjb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncmaeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcgmbnnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnjkkod.dll"	Qqoggb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajanffhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajanffhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anogldng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Omhlkeko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfcmij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgljnc32.dll"	Pcgmbnnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhigml32.dll"	Doicia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldjhcgll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klpbed32.dll"	Ngfqqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mppakdik.dll"	Ammnmbig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjfqhcei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npokka32.dll"	Cjfqhcei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmodcn32.dll"	Nconka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqmjab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onlhii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agglej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjokgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	2075451c705fb977ee3b9c7cb0c05a32e02255c40f809a509ba14ce1949a2d13.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfbdblnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peodfhjp.dll"	Agglej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfoelf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adplbp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aedfnoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcebkjdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kakaefma.dll"	Bjokgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjflhj32.dll"	Aamchpmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chhdlhfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igikac32.dll"	Mcfkec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jonfbg32.dll"	Njlcmk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anedfffb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kggfknab.dll"	Aceidl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ageopj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mllchico.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnpimkfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afaijhcm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfhdbkjp.dll"	Cjhmnc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgnafinp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqmfgcnl.dll"	Ldjhcgll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjcbeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qqoggb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geqfeclf.dll"	Ccjlfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdqncffd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofeqhl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjlldiji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqfmhacc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcmfjh32.dll"	Memapppg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kajaijjb.dll"	Mlgjmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjmnbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhcdhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kggeihia.dll"	Odhmkcbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqmjab32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjjalepf.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2075451c705fb977ee3b9c7cb0c05a32e02255c40f809a509ba14ce1949a2d13.exeLbjlid32.exeLiddfolf.exeLdjhcgll.exeLekekp32.exeLdlehg32.exeMemapppg.exeMlgjmi32.exeMgmnjb32.exeMdqncffd.exeMebkko32.exeMllchico.exeMcfkec32.exeMipcambi.exeMpjlngje.exeMegdfnhm.exeMplhdghc.exeNgfqqa32.exeNnpimkfl.exeNcmaeb32.exeNjgjbllq.exeNconka32.exe

description	pid	Process	procid_target
PID 4088 wrote to memory of 1484	4088	2075451c705fb977ee3b9c7cb0c05a32e02255c40f809a509ba14ce1949a2d13.exe	81
PID 4088 wrote to memory of 1484	4088	2075451c705fb977ee3b9c7cb0c05a32e02255c40f809a509ba14ce1949a2d13.exe	81
PID 4088 wrote to memory of 1484	4088	2075451c705fb977ee3b9c7cb0c05a32e02255c40f809a509ba14ce1949a2d13.exe	81
PID 1484 wrote to memory of 2304	1484	Lbjlid32.exe	82
PID 1484 wrote to memory of 2304	1484	Lbjlid32.exe	82
PID 1484 wrote to memory of 2304	1484	Lbjlid32.exe	82
PID 2304 wrote to memory of 3428	2304	Liddfolf.exe	83
PID 2304 wrote to memory of 3428	2304	Liddfolf.exe	83
PID 2304 wrote to memory of 3428	2304	Liddfolf.exe	83
PID 3428 wrote to memory of 1104	3428	Ldjhcgll.exe	84
PID 3428 wrote to memory of 1104	3428	Ldjhcgll.exe	84
PID 3428 wrote to memory of 1104	3428	Ldjhcgll.exe	84
PID 1104 wrote to memory of 2972	1104	Lekekp32.exe	85
PID 1104 wrote to memory of 2972	1104	Lekekp32.exe	85
PID 1104 wrote to memory of 2972	1104	Lekekp32.exe	85
PID 2972 wrote to memory of 4520	2972	Ldlehg32.exe	86
PID 2972 wrote to memory of 4520	2972	Ldlehg32.exe	86
PID 2972 wrote to memory of 4520	2972	Ldlehg32.exe	86
PID 4520 wrote to memory of 928	4520	Memapppg.exe	87
PID 4520 wrote to memory of 928	4520	Memapppg.exe	87
PID 4520 wrote to memory of 928	4520	Memapppg.exe	87
PID 928 wrote to memory of 4352	928	Mlgjmi32.exe	88
PID 928 wrote to memory of 4352	928	Mlgjmi32.exe	88
PID 928 wrote to memory of 4352	928	Mlgjmi32.exe	88
PID 4352 wrote to memory of 2928	4352	Mgmnjb32.exe	89
PID 4352 wrote to memory of 2928	4352	Mgmnjb32.exe	89
PID 4352 wrote to memory of 2928	4352	Mgmnjb32.exe	89
PID 2928 wrote to memory of 3020	2928	Mdqncffd.exe	90
PID 2928 wrote to memory of 3020	2928	Mdqncffd.exe	90
PID 2928 wrote to memory of 3020	2928	Mdqncffd.exe	90
PID 3020 wrote to memory of 4280	3020	Mebkko32.exe	91
PID 3020 wrote to memory of 4280	3020	Mebkko32.exe	91
PID 3020 wrote to memory of 4280	3020	Mebkko32.exe	91
PID 4280 wrote to memory of 1440	4280	Mllchico.exe	92
PID 4280 wrote to memory of 1440	4280	Mllchico.exe	92
PID 4280 wrote to memory of 1440	4280	Mllchico.exe	92
PID 1440 wrote to memory of 2840	1440	Mcfkec32.exe	93
PID 1440 wrote to memory of 2840	1440	Mcfkec32.exe	93
PID 1440 wrote to memory of 2840	1440	Mcfkec32.exe	93
PID 2840 wrote to memory of 4960	2840	Mipcambi.exe	94
PID 2840 wrote to memory of 4960	2840	Mipcambi.exe	94
PID 2840 wrote to memory of 4960	2840	Mipcambi.exe	94
PID 4960 wrote to memory of 4832	4960	Mpjlngje.exe	95
PID 4960 wrote to memory of 4832	4960	Mpjlngje.exe	95
PID 4960 wrote to memory of 4832	4960	Mpjlngje.exe	95
PID 4832 wrote to memory of 2120	4832	Megdfnhm.exe	96
PID 4832 wrote to memory of 2120	4832	Megdfnhm.exe	96
PID 4832 wrote to memory of 2120	4832	Megdfnhm.exe	96
PID 2120 wrote to memory of 228	2120	Mplhdghc.exe	97
PID 2120 wrote to memory of 228	2120	Mplhdghc.exe	97
PID 2120 wrote to memory of 228	2120	Mplhdghc.exe	97
PID 228 wrote to memory of 4544	228	Ngfqqa32.exe	98
PID 228 wrote to memory of 4544	228	Ngfqqa32.exe	98
PID 228 wrote to memory of 4544	228	Ngfqqa32.exe	98
PID 4544 wrote to memory of 2708	4544	Nnpimkfl.exe	99
PID 4544 wrote to memory of 2708	4544	Nnpimkfl.exe	99
PID 4544 wrote to memory of 2708	4544	Nnpimkfl.exe	99
PID 2708 wrote to memory of 2164	2708	Ncmaeb32.exe	100
PID 2708 wrote to memory of 2164	2708	Ncmaeb32.exe	100
PID 2708 wrote to memory of 2164	2708	Ncmaeb32.exe	100
PID 2164 wrote to memory of 4696	2164	Njgjbllq.exe	101
PID 2164 wrote to memory of 4696	2164	Njgjbllq.exe	101
PID 2164 wrote to memory of 4696	2164	Njgjbllq.exe	101
PID 4696 wrote to memory of 1532	4696	Nconka32.exe	102

C:\Users\Admin\AppData\Local\Temp\2075451c705fb977ee3b9c7cb0c05a32e02255c40f809a509ba14ce1949a2d13.exe
"C:\Users\Admin\AppData\Local\Temp\2075451c705fb977ee3b9c7cb0c05a32e02255c40f809a509ba14ce1949a2d13.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4088
- C:\Windows\SysWOW64\Lbjlid32.exe
  C:\Windows\system32\Lbjlid32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1484
- - C:\Windows\SysWOW64\Liddfolf.exe
    C:\Windows\system32\Liddfolf.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2304
  - - C:\Windows\SysWOW64\Ldjhcgll.exe
      C:\Windows\system32\Ldjhcgll.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3428
    - - C:\Windows\SysWOW64\Lekekp32.exe
        
        C:\Windows\system32\Lekekp32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1104
      - C:\Windows\SysWOW64\Ldlehg32.exe
        
        C:\Windows\system32\Ldlehg32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\SysWOW64\Memapppg.exe
        
        C:\Windows\system32\Memapppg.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4520
        
        C:\Windows\SysWOW64\Mlgjmi32.exe
        
        C:\Windows\system32\Mlgjmi32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:928
        
        C:\Windows\SysWOW64\Mgmnjb32.exe
        
        C:\Windows\system32\Mgmnjb32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\SysWOW64\Mdqncffd.exe
        
        C:\Windows\system32\Mdqncffd.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\SysWOW64\Mebkko32.exe
        
        C:\Windows\system32\Mebkko32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\Mllchico.exe
        
        C:\Windows\system32\Mllchico.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\SysWOW64\Mcfkec32.exe
        
        C:\Windows\system32\Mcfkec32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Windows\SysWOW64\Mipcambi.exe
        
        C:\Windows\system32\Mipcambi.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\SysWOW64\Mpjlngje.exe
        
        C:\Windows\system32\Mpjlngje.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\SysWOW64\Megdfnhm.exe
        
        C:\Windows\system32\Megdfnhm.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\SysWOW64\Mplhdghc.exe
        
        C:\Windows\system32\Mplhdghc.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\SysWOW64\Ngfqqa32.exe
        
        C:\Windows\system32\Ngfqqa32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Windows\SysWOW64\Nnpimkfl.exe
        
        C:\Windows\system32\Nnpimkfl.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Windows\SysWOW64\Ncmaeb32.exe
        
        C:\Windows\system32\Ncmaeb32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\SysWOW64\Njgjbllq.exe
        
        C:\Windows\system32\Njgjbllq.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\SysWOW64\Nconka32.exe
        
        C:\Windows\system32\Nconka32.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\SysWOW64\Njifhljn.exe
        
        C:\Windows\system32\Njifhljn.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1532
        
        C:\Windows\SysWOW64\Ncakqaqo.exe
        
        C:\Windows\system32\Ncakqaqo.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1620
        
        C:\Windows\SysWOW64\Njlcmk32.exe
        
        C:\Windows\system32\Njlcmk32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2192
        
        C:\Windows\SysWOW64\Nfbdblnp.exe
        
        C:\Windows\system32\Nfbdblnp.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3612
        
        C:\Windows\SysWOW64\Ofeqhl32.exe
        
        C:\Windows\system32\Ofeqhl32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3940
        
        C:\Windows\SysWOW64\Onlhii32.exe
        
        C:\Windows\system32\Onlhii32.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\Ociaap32.exe
        
        C:\Windows\system32\Ociaap32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:820
        
        C:\Windows\SysWOW64\Odhmkcbi.exe
        
        C:\Windows\system32\Odhmkcbi.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2812
        
        C:\Windows\SysWOW64\Odjjqc32.exe
        
        C:\Windows\system32\Odjjqc32.exe
        31⤵
        Executes dropped EXE
        
        PID:4752
        
        C:\Windows\SysWOW64\Ojgbij32.exe
        
        C:\Windows\system32\Ojgbij32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3048
        
        C:\Windows\SysWOW64\Odmgfb32.exe
        
        C:\Windows\system32\Odmgfb32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1232
        
        C:\Windows\SysWOW64\Ofncnkcb.exe
        
        C:\Windows\system32\Ofncnkcb.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4080
        
        C:\Windows\SysWOW64\Omhlkeko.exe
        
        C:\Windows\system32\Omhlkeko.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\Pjlldiji.exe
        
        C:\Windows\system32\Pjlldiji.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3760
        
        C:\Windows\SysWOW64\Pnghdh32.exe
        
        C:\Windows\system32\Pnghdh32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3456
        
        C:\Windows\SysWOW64\Pgplnmib.exe
        
        C:\Windows\system32\Pgplnmib.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4932
        
        C:\Windows\SysWOW64\Pfcmij32.exe
        
        C:\Windows\system32\Pfcmij32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Pmmefd32.exe
        
        C:\Windows\system32\Pmmefd32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4328
        
        C:\Windows\SysWOW64\Pcgmbnnf.exe
        
        C:\Windows\system32\Pcgmbnnf.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1888
        
        C:\Windows\SysWOW64\Pfeiojnj.exe
        
        C:\Windows\system32\Pfeiojnj.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:448
        
        C:\Windows\SysWOW64\Pmoakd32.exe
        
        C:\Windows\system32\Pmoakd32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1148
        
        C:\Windows\SysWOW64\Pcijhnld.exe
        
        C:\Windows\system32\Pcijhnld.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:972
        
        C:\Windows\SysWOW64\Pjcbeh32.exe
        
        C:\Windows\system32\Pjcbeh32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4592
        
        C:\Windows\SysWOW64\Pqmjab32.exe
        
        C:\Windows\system32\Pqmjab32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:872
        
        C:\Windows\SysWOW64\Pggbnlbj.exe
        
        C:\Windows\system32\Pggbnlbj.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4684
        
        C:\Windows\SysWOW64\Qqoggb32.exe
        
        C:\Windows\system32\Qqoggb32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Qqadmagh.exe
        
        C:\Windows\system32\Qqadmagh.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3784
        
        C:\Windows\SysWOW64\Qcppimfl.exe
        
        C:\Windows\system32\Qcppimfl.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2552
        
        C:\Windows\SysWOW64\Anedfffb.exe
        
        C:\Windows\system32\Anedfffb.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1272
        
        C:\Windows\SysWOW64\Adplbp32.exe
        
        C:\Windows\system32\Adplbp32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2400
        
        C:\Windows\SysWOW64\Afaijhcm.exe
        
        C:\Windows\system32\Afaijhcm.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3704
        
        C:\Windows\SysWOW64\Aqfmhacc.exe
        
        C:\Windows\system32\Aqfmhacc.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:244
        
        C:\Windows\SysWOW64\Aceidl32.exe
        
        C:\Windows\system32\Aceidl32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1188
        
        C:\Windows\SysWOW64\Ammnmbig.exe
        
        C:\Windows\system32\Ammnmbig.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2452
        
        C:\Windows\SysWOW64\Aedfnoii.exe
        
        C:\Windows\system32\Aedfnoii.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4852
        
        C:\Windows\SysWOW64\Ajanffhq.exe
        
        C:\Windows\system32\Ajanffhq.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1472
        
        C:\Windows\SysWOW64\Aakfcp32.exe
        
        C:\Windows\system32\Aakfcp32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2816
        
        C:\Windows\SysWOW64\Ageopj32.exe
        
        C:\Windows\system32\Ageopj32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Anogldng.exe
        
        C:\Windows\system32\Anogldng.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3960
        
        C:\Windows\SysWOW64\Aamchpmk.exe
        
        C:\Windows\system32\Aamchpmk.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2724
        
        C:\Windows\SysWOW64\Agglej32.exe
        
        C:\Windows\system32\Agglej32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2308
        
        C:\Windows\SysWOW64\Bmddma32.exe
        
        C:\Windows\system32\Bmddma32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:420
        
        C:\Windows\SysWOW64\Bcnljkjl.exe
        
        C:\Windows\system32\Bcnljkjl.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4732
        
        C:\Windows\SysWOW64\Bgjhkjbe.exe
        
        C:\Windows\system32\Bgjhkjbe.exe
        66⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\Babmco32.exe
        
        C:\Windows\system32\Babmco32.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2076
        
        C:\Windows\SysWOW64\Bfoelf32.exe
        
        C:\Windows\system32\Bfoelf32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4424
        
        C:\Windows\SysWOW64\Bjjalepf.exe
        
        C:\Windows\system32\Bjjalepf.exe
        69⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\Bepeinol.exe
        
        C:\Windows\system32\Bepeinol.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1592
        
        C:\Windows\SysWOW64\Bgnafinp.exe
        
        C:\Windows\system32\Bgnafinp.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3096
        
        C:\Windows\SysWOW64\Bjmnbd32.exe
        
        C:\Windows\system32\Bjmnbd32.exe
        72⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2700
        
        C:\Windows\SysWOW64\Bcebkjdd.exe
        
        C:\Windows\system32\Bcebkjdd.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Bjokgd32.exe
        
        C:\Windows\system32\Bjokgd32.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:876
        
        C:\Windows\SysWOW64\Cffkleae.exe
        
        C:\Windows\system32\Cffkleae.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:224
        
        C:\Windows\SysWOW64\Ccjlfi32.exe
        
        C:\Windows\system32\Ccjlfi32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\Cnopcb32.exe
        
        C:\Windows\system32\Cnopcb32.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2504
        
        C:\Windows\SysWOW64\Chhdlhfe.exe
        
        C:\Windows\system32\Chhdlhfe.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2096
        
        C:\Windows\SysWOW64\Cjfqhcei.exe
        
        C:\Windows\system32\Cjfqhcei.exe
        79⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4608
        
        C:\Windows\SysWOW64\Celeel32.exe
        
        C:\Windows\system32\Celeel32.exe
        80⤵
        Drops file in System32 directory
        
        PID:3472
        
        C:\Windows\SysWOW64\Cjhmnc32.exe
        
        C:\Windows\system32\Cjhmnc32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Cabfjmkc.exe
        
        C:\Windows\system32\Cabfjmkc.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5016
        
        C:\Windows\SysWOW64\Cjkjcb32.exe
        
        C:\Windows\system32\Cjkjcb32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4036
        
        C:\Windows\SysWOW64\Dhokmgpm.exe
        
        C:\Windows\system32\Dhokmgpm.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1268
        
        C:\Windows\SysWOW64\Doicia32.exe
        
        C:\Windows\system32\Doicia32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\Deckfkof.exe
        
        C:\Windows\system32\Deckfkof.exe
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2260
        
        C:\Windows\SysWOW64\Dmnpjmla.exe
        
        C:\Windows\system32\Dmnpjmla.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3316
        
        C:\Windows\SysWOW64\Dhcdhf32.exe
        
        C:\Windows\system32\Dhcdhf32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\Domldpcd.exe
        
        C:\Windows\system32\Domldpcd.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3588
        
        C:\Windows\SysWOW64\Degdaj32.exe
        
        C:\Windows\system32\Degdaj32.exe
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:4124
        
        C:\Windows\SysWOW64\Ddjemgal.exe
        
        C:\Windows\system32\Ddjemgal.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1400
        
        C:\Windows\SysWOW64\Dkdmia32.exe
        
        C:\Windows\system32\Dkdmia32.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Danefkqe.exe
        
        C:\Windows\system32\Danefkqe.exe
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:2712
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 400
        94⤵
        Program crash
        
        PID:2752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2712 -ip 2712
1⤵
PID:4412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aceidl32.exe

Filesize
96KB

MD5
90e4626cadf76128d7032066c0e5db32

SHA1
7699b6dbba88b1d744a7e9286c44578b4d8d6c46

SHA256
638c7b25458125d977f6f03fac7041e6aaf9d7abf0cf9b67d1add4afe3e8c134

SHA512
2cd07c2c0628fe78415621274de9e5cb59c24a6280e70a8528965c7d7722a3402e6319d3775701c07d345e047995b996925d9c010a5b4ff1689dadd5e88a3d1d

Download Submit
C:\Windows\SysWOW64\Afaijhcm.exe

Filesize
96KB

MD5
19b6f0a9ed11fbb58093f9cc4be8ebee

SHA1
fe4d10b8c27cc8c8530d2ecc0bd94d6d10994ea9

SHA256
fadf7484a77e3f233cb0ec260ba6ab79cdd698e34a712fdfca5d7a9e268929f3

SHA512
f299bd998e4c190a985a8595e033b9054ac68a356d6edbd67aabdcc2dfb89796b00beb7d4e1a2754b969ce677eddfde051682fc71168065cddf1c0e29a605e28

Download Submit
C:\Windows\SysWOW64\Ajanffhq.exe

Filesize
96KB

MD5
a3fbfd9161e2b37787967024fd1ed23b

SHA1
fcdf7b98eb502cf1ae4ae17a5272fe5f04f79334

SHA256
5ab418b917155d7b17f1f339ca842357e7eed2415bc16a4a258d838d698ce686

SHA512
210a3308f396035981ce0ab91372cab451dc152dcf80e2f7f41a79a3fcbc3d324a1cb84c90cac4bad40c6b74d79cb3525d62e8f69094e85abc4d8f6f0b43e041

Download Submit
C:\Windows\SysWOW64\Anedfffb.exe

Filesize
96KB

MD5
ad3e7a9d1327cf464af3e222ba061b6e

SHA1
862bc5a2fa3db3137475a9a2d7e941e6ce0dc333

SHA256
c58bd32c65ab295f17ea1ea34a8adfb10d67c271a2ac8823fb13b5fd82a4f8e5

SHA512
bc534e4a00aaaafcb04866ee5f2952e97e4141ce9512bf0513d93738c8b438b45a476bc73b60d43e1cf969fff3ffc404f683dcaae063739804e4318e38a70d84

Download Submit
C:\Windows\SysWOW64\Cffkleae.exe

Filesize
96KB

MD5
227d4e70e22d70540387533066758b8e

SHA1
819113862ebb1b44891921badec049e8554dfdb1

SHA256
a800ed852f736cd5c3af88d4f44aa8bbd632b77463e322e6a59511db4de2da9c

SHA512
eb9930b2abf48dba4fe60f6765179a3fdc73e3f26942868eaa8e2bce57fd6fe0b61950d2b159d9565c18ff58090f226a7eaebae16db8dac51070bc018a72a4e0

Download Submit
C:\Windows\SysWOW64\Chhdlhfe.exe

Filesize
96KB

MD5
85936172718d74b546da5e3433b1bc50

SHA1
b943ba44ea66b6a728800e823223634da4fbcccf

SHA256
617555a5f9e93a782873027cfa00c80d54f6703921842ff041a53ce0aee1d228

SHA512
f772a9287448f970063cd62c0699bfec66f23d6a3ca82148b3a3621df1bb13a0f4a991a9d0d5d665594e61f5c0118ea80446d7a8eec2c209ecdac35ec8243881

Download Submit
C:\Windows\SysWOW64\Dhokmgpm.exe

Filesize
96KB

MD5
7e6f0ec440930f5b430881f8ad7ffc2c

SHA1
e3defaae1ea78e5ee03db9d3847b8f3c86dfe8d1

SHA256
72daafda6b33a0afe6ba42339f4f98f254d5facefcd35b5a53d13a3eeec9f107

SHA512
8749724c44bf7373f9f852e7e9bba6eb2ba5692b60e1b23d48bd08f0ed8e5a92edc4a7a6570cc50d2859991a2a3cd97178aa4bfef9b1d962bcb2d246797e9362

Download Submit
C:\Windows\SysWOW64\Domldpcd.exe

Filesize
96KB

MD5
9ea24dc807359aed2c7907b7e599ad19

SHA1
10e3a2ff4fc7f5f12c6ffead8ecdf198f47dd60c

SHA256
34f8efd3c1731f0aedc73f4aa3585a03b6ce7f0aca02e3766807f36b4183e793

SHA512
451b50b60929bcab407f474d06c10c3605fbe1fe33fd891d596e99dc0b84341564da9d49c86ad9b62defa2e67975f81ccb37e1aae2e38cfa6e38c85f1492d3b3

Download Submit
C:\Windows\SysWOW64\Lbjlid32.exe

Filesize
96KB

MD5
a947b939971f437f684afb70e893ec8e

SHA1
2f06d16b34bea70140904b3389d01ecafd17efea

SHA256
94a37fb40677f5ffb4a567b74c0af4492363e64a84e441e6b6f94bf52af1c73c

SHA512
004c7ce371738f2d4e43d5c483a6e13926bf3e85b22a745ca7f41abac41ee48cfc46397c03c392ac72c50fd388c6f6e98fcb9fcaf18232e261db935481184c73

Download Submit
C:\Windows\SysWOW64\Ldjhcgll.exe

Filesize
96KB

MD5
af387ba65178b862cf7ec2321e1bc57a

SHA1
ea2afad812023fd06cf3b6f917f6694f9e79c74d

SHA256
75def513368e7652430818bf3eb138ba2def8f231ba7b0803c9972e8f3b54f31

SHA512
42ca9826eac0d39c817dad721586318af38e36b977877fd612786dd2ddc0a5ea92ba0d75c8fe996b5f96d63ef23a9534bce79c53fa7902cb7af9efc658b3610f

Download Submit
C:\Windows\SysWOW64\Ldlehg32.exe

Filesize
96KB

MD5
9603e548402100a04be0cc6690998836

SHA1
80afe1e1451c58c9fa4c537f503d61f34e8f6fd6

SHA256
945fe72ca27d4416356445fce2ec05a741a60a07d78dac2167a7fde455a02fdc

SHA512
12152cdae38ee9f174fb80a4bc6449a32be969f69f33c021061ee7625ecccdd91abb5f416a777f5ce7a012fcd4b414865cd25c5ed5dd0269bd4db72e431bb129

Download Submit
C:\Windows\SysWOW64\Lekekp32.exe

Filesize
96KB

MD5
f8f5cabd653e85ff685238d2801a75e8

SHA1
040605884b6692187d9bd1d655d73af56af4108a

SHA256
3bddd0d751bb3e2934a4f451e9f48485e0b2c787618d89d0efc6ab991ceacedb

SHA512
5b7b497c53b782c279ec83dff4259c6f6e4b4f9e1324b916db2b0b18e7b954f7a82ebf3fa4c36da2c17a5d9f3ddb3c726add523782243b4ce5c389916287f631

Download Submit
C:\Windows\SysWOW64\Liddfolf.exe

Filesize
96KB

MD5
d7f921033a05c75a92238463c6bbc627

SHA1
4eeb132b9ec130ad31a74f0de11d7124ea183c0c

SHA256
200e98f9ce4485b6573a3535b0f534a9d299037e776e5c5f12723e3e19431b5b

SHA512
7adca820e618e5e7bbb44afcf95eaddf7d3ca3fba73b829873473a3117dc90c4b595bac8ef03e620e2c08c0a16fc77fad22b0981a62b8a082b635c0662dd94c1

Download Submit
C:\Windows\SysWOW64\Mcfkec32.exe

Filesize
96KB

MD5
31110646da8e5f7ab28a84d9ee630f43

SHA1
23ec3fe942cb83be4021a64c14064b976ebe3742

SHA256
f5fc11c83b17f3bc0904b0125745905db2e8e259264649b6d5b012a412c7c9d7

SHA512
49da4554870de77552d65be11226bc926fd90df7ab9cd012cf38a3dd7328e28e4b31bc09666a52bb4aaf11a84e7b25198f5771a34b9c0bf7f3b24760d455611c

Download Submit
C:\Windows\SysWOW64\Mdqncffd.exe

Filesize
96KB

MD5
38f07df113d7af18293a06bef0bbcebf

SHA1
7d1c43394657aa4333b48e83d746934905f1f644

SHA256
9f904663ac75cb051e66e3f3ed62be05c78435caf5faee62e25a794fe54b3f1b

SHA512
80040d28b168e128e3ed0e25eb30da787f2100bb3be8ebddc7cee628acf8b41fa3e20f4124febe4a36b2314aa1460d201aae14d5c88687aef91d6193637eac7a

Download Submit
C:\Windows\SysWOW64\Mebkko32.exe

Filesize
96KB

MD5
92f094d28742e7d185c21f66f88c11c7

SHA1
3c27e120bb922799e6644f284548d8a16ee6e243

SHA256
14666ce894792d4615326fb5982c9a7aafac37a27b6fa8320612a854df4f0590

SHA512
a672be138020b16518431e07ea8aeba6598e941462400b81991d9b2684b77bfa057367dcdb1541dbb174ad3c940897469d991dad5cc2dbb5ac3676c47beb63a0

Download Submit
C:\Windows\SysWOW64\Megdfnhm.exe

Filesize
96KB

MD5
b3913863f20b1a76cd92b4b40a839b1f

SHA1
9d2b4c474ea827a5f0b620efd8336962db6b5479

SHA256
f55da4c2e62d7eaa55e5f94a05ba094178c7320b0d46a4d444febd2b0ba0c44a

SHA512
2f498023b9b39e5cafa58a62016a0634f583d1e3cbec55752cc8effcef81ac6c46b9efc7cf476a44ef26ac354f36d2f679e8b151e0f9fecf3580eb9d13a50496

Download Submit
C:\Windows\SysWOW64\Memapppg.exe

Filesize
96KB

MD5
94a057a9b08c9395ac25815a8acf5fd1

SHA1
edd34486b98830b5c285baf0b21afbfb98e76bf6

SHA256
54876262161e50562d8be0c2f804db9a7ff2a6680d813d6bb0feb0c3336135f7

SHA512
1d2f10fbe88b2a71dd873114478598f78bbf5e4da9f7fa7022b8f2bf1fc473272362092bca5d1c3e02311260dde239aec598a9d2d48428b6225ea204be259b32

Download Submit
C:\Windows\SysWOW64\Mgmnjb32.exe

Filesize
96KB

MD5
e3a4202ce81c2f4ae2f12988c73c5505

SHA1
17a2e94383265ec58eff5d9c1ea3b2d181de375a

SHA256
0b5c2c1bef630391bc6fa73085197ef01686c087dfc8b92221c8bd65f3e0030e

SHA512
49ffc0dec1cd29334f4c555b3802f60a824066d70227aae26c12b5bc664fe48d5f02455a0f3391184fe75f2cd3a8a6758c225f710987c8657fd302df3ccc750e

Download Submit
C:\Windows\SysWOW64\Mipcambi.exe

Filesize
96KB

MD5
d6d0508cc4f2ec48423e4fc92c2890e3

SHA1
ed6cc6170627a5d2840488c2960b97683f9497c2

SHA256
4971b2aed636be4bcbce981de6f252ac8d493f85e617dbaf4a6975559f999522

SHA512
3fd15d18db6d6d724898adc359d293bd561b11a0da6e0922bfd574f0df9750a021d1aaa198e65912abd452f8e79308e23bcfe3fa936adcd0bffd8d3dd4ed8fa0

Download Submit
C:\Windows\SysWOW64\Mlgjmi32.exe

Filesize
96KB

MD5
adae8b8f68e2128842b2cc2fa12cfdbb

SHA1
4e38db6fa0158e0b11d7a289300caa451f838284

SHA256
92a79cac0eaff681e65c9455f8315da02a01fb718cbfa4ccc3c733efaa254b20

SHA512
92a45d60d7f3e6dfd0b40a8bfe2dda8b317e92e2c333c0c618a9692fdd371ad96374011d4df13d32cb5b2f0e42fd88e654eed8a377f91d3656369e8f3dcd42a2

Download Submit
C:\Windows\SysWOW64\Mllchico.exe

Filesize
96KB

MD5
da35c219d17ef5b4a4a734b97e903f76

SHA1
3cf6baa9b3d5c09fc6a0f6974a338d55f6be3586

SHA256
0473971d87f2cb80597a729882c6fbef7c1725be2c8feb0211724d02e6d8e706

SHA512
909a961faf0b17b1c4bc6ea6e5c10d87c9bda00c03dab6989fff81e4d6c4a55cd9db8986b5d7cc5f8ff19bef43d9c22f45ff9c8f20ba1dc95e6569a50834a86d

Download Submit
C:\Windows\SysWOW64\Mpjlngje.exe

Filesize
96KB

MD5
e89966e108684a2958143b6374262104

SHA1
3c92e92de1b173148c7b3f4bdba21f61d606bfea

SHA256
e337efa1ce6a9e3324856580fbe19d954e6825a382ca75ec729b4bfb11ce076f

SHA512
1ea31660920c945e57aa4e609b533643472bbaa5c6c9a9bd708eb4f5ee1a8a77fd962e458c83cfbe509e7f87a5f0571242996cbdbe483d42419c6e3497e917d3

Download Submit
C:\Windows\SysWOW64\Mplhdghc.exe

Filesize
96KB

MD5
69c98880492de1bf57899c4eb1d68f42

SHA1
4d03fd77d0544c27d963d0dbd27e7d19f712eb12

SHA256
ed4cf61e0f22297086f86ed43e135ece976cf4b311ccf697a87b448d8218a555

SHA512
c28382771c1b6ba6a56c1587d9cddd405b36b4d10dddffeae46aab472b069e49b906256decf443b329e9f15665069d442e7b9abd026e5dcb88af7a0924281bf4

Download Submit
C:\Windows\SysWOW64\Ncakqaqo.exe

Filesize
96KB

MD5
d99c12e3d695959b11bfd43c50bdb411

SHA1
8c496c80f804df4f923bc81794a365893a85d7db

SHA256
0aed071df5579fc5e022062f72ac93ab81985d8605f1b3f86045bc08a5b35e5e

SHA512
fee0a7324344c39301e5878c789f36baf42173f0d0a1365c995b434af196ab42e3b4adb4a7a3021e9f56063125e11f278ff803bf4091181dd4547c152d3ceecc

Download Submit
C:\Windows\SysWOW64\Ncmaeb32.exe

Filesize
96KB

MD5
4f4dba3e66a8aeddaa5d8d2b7decd1f1

SHA1
46de0b0c44f8e6f5c26d407c9d5a69801a6be245

SHA256
1395c4ee2f5cee2aebe98a5c3e7360495e4168b5a4ea1dda6b8f3832f207c32a

SHA512
c865d4062d94f669af6e52e79228eb243bbb4981bd3de477a2794e7312e2667db4b20d01301e1b843591378e0d5cbf74db588c118d262ae7314c08e973e3043f

Download Submit
C:\Windows\SysWOW64\Nconka32.exe

Filesize
96KB

MD5
66f863e9de89b0313ec2621480898a2f

SHA1
080de5c88c1c67f0132d5c4a2f0bd0f8287ef2d1

SHA256
d7aafb16c983644eda3d3410181a8ba892d120eab3708ed07706036b9413d31c

SHA512
703cdab57908ab4ac3eaae72fb15e0b9803b6169f969d11f5308b87fd91a8207afe2d23498ef2a896bcbc1da28727b33331fc07fe774d121232ba3911f8feb5b

Download Submit
C:\Windows\SysWOW64\Nfbdblnp.exe

Filesize
96KB

MD5
1feb099b8cbb2857b827b169bbf411ec

SHA1
4929ce9c6fe42aa4623035a3560dec19da19beb0

SHA256
199ed32cff2f36f8cd58218a156cffe78ed278c2832965b27ff85777d1b17e1e

SHA512
bf97f2237144937f5f0a94cc020548529f8cbb7770a25299ff39ac91142889c0ab938012520156cba74b7c0a93d4b462397686fffcee8af66d8795350c53008c

Download Submit
C:\Windows\SysWOW64\Ngfqqa32.exe

Filesize
96KB

MD5
d464d06fad3113634e25d35b8632da51

SHA1
eb2fc860d79dec00a3071089e6d23c5a6bbbe708

SHA256
9e87e6271c7e964a7e59c4060c7862f03ea94d2a686dee7206c9fcc64a836484

SHA512
543d08c47dd9fef3172e3d1b893dcac4edba9694e5474dc43509e6d950cc9d9656ea3122dc474f6862acd816cad87b242ab82c8d48657ef7bafde23ce286e478

Download Submit
C:\Windows\SysWOW64\Njgjbllq.exe

Filesize
96KB

MD5
5218891799b7195103b6996b4c186f6b

SHA1
51f6ab85fe098847c0f392f7798001927e6bf77f

SHA256
1d5c50ac6325e42d9c3d973d62f802510eb04f0e4c0635d55e4968f0b7cc7df7

SHA512
4d1395b419fce8cb6c4c84ac686e2bb5b3d3c02bebefa50981c3809689db868d6e2fba2514ae7df10609f0c2e3930688168057b91e11942341659dbe2fd89b66

Download Submit
C:\Windows\SysWOW64\Njifhljn.exe

Filesize
96KB

MD5
9041a147fb067869e7af041dc5c1b244

SHA1
bad9f1d2931506d21fdafe3189dfd4af50105430

SHA256
c1db43dc924aad364687103bd01220292fb9362e373f9dd1a30a7180a97ea0d7

SHA512
30d923b58635b8a239808793d1de7b84fc95cc5a2402b35fdd71f20a93a2ac2a72e80e2524b4a51a9713d6af12cae46aa83e5d4e44af7e0cb2b4e82e3a9dcbda

Download Submit
C:\Windows\SysWOW64\Njlcmk32.exe

Filesize
96KB

MD5
7d4251337007e6c16e6169fbac40701d

SHA1
bac6a83f2c1b5f9ddcae43fa67229e15d05f0421

SHA256
d73f834d48bbc69f6ff23a50776e597a80d49d5494ad88b74d2b252f744a94a1

SHA512
f7b176004ddc6a8c9e417a32ee97e5dac13a966e5f3a9c342712fd9ea10910f96681fdbfaa8556417dcee03d671e35fdf787f4f6bc9dc5b49c40f89c4200c3e0

Download Submit
C:\Windows\SysWOW64\Nnpimkfl.exe

Filesize
96KB

MD5
260018e9d25f3e92450498b4750bc935

SHA1
26445274f1b4121a56c0e4143d3657ea709879a7

SHA256
df778dcf4a74c170712a8cbc32a1116b5afa6f661c2140bede3351b9b00cb626

SHA512
0a94b00bd5b877ed76da8df3fadf37064645d107005fe51448a15c284725a1d4a29d5d2e41bd88cdfe4153aef580f1b5cee5bf03d6da8191a5e2c737c06b72cd

Download Submit
C:\Windows\SysWOW64\Ociaap32.exe

Filesize
96KB

MD5
16ccf783ea2d4ae29741c004cba6c881

SHA1
7a31b939f0d271f7f21a61572f836624b08c2077

SHA256
a84285ae93089f04711d9c6ab084f94bd7755f8dcba8404e5911a8f1dcd0a728

SHA512
76da19e55236fc805e21a1963f5cba650babd33c186841d8752bafda524e3a12ddddd6b61371ccbd0b0a360e919b185158d2f30baa25b7119dc4a5a8469ac07e

Download Submit
C:\Windows\SysWOW64\Odhmkcbi.exe

Filesize
96KB

MD5
d30170728022f84c43572108ff4ef533

SHA1
1bf975b3b3ef169ed3bf8c5b3942f29f6984c588

SHA256
b632a39ee65c01ba58fe6e17642dd57b3e230a622f0e71b9ef06c94aa99bc088

SHA512
32e015b3e1cfaccdcaa94d7cdfed4f177ea5d6a8fa9718736a50d7f2d169c42b5c391fc915c65b1bd58f261ee1b9a037360723d26296765807b116eb39497d82

Download Submit
C:\Windows\SysWOW64\Odjjqc32.exe

Filesize
96KB

MD5
91d0ff63dc6056609be5e67f79051f39

SHA1
7d9057c4685366473562f515a4db02df9169d021

SHA256
f3e395ede26b455f853e7f95df3b5a7953c6544c1e1125e968419f59b6ba1da8

SHA512
e024d776a32735025d96257c12fce7ac0cddd2363cbb1db2037edd69a6d6caea059c0aa8c4dc0469bb741df415cc524c6b1c21e806b80bb0303053831f378c98

Download Submit
C:\Windows\SysWOW64\Odmgfb32.exe

Filesize
96KB

MD5
759a3696c042a0bcf8ade495abe27906

SHA1
d3accf0570cd293377ea91f1a1e7d5a7796b67fb

SHA256
c693d142c454ec45782964796eeeeb5915a819632f1f6fd0caaba1f05e7a54ba

SHA512
3a709020a76320c154136357325473eca80554cf21652b48d95a92bf1e7cf8a6dd70f2e5206195893d79686018b82aced24446a4b295c422fa77336a19428ce5

Download Submit
C:\Windows\SysWOW64\Ofeqhl32.exe

Filesize
96KB

MD5
7c55903a5239e14639d311992a2ccea3

SHA1
252d646a63344e1f4436bb8fd5473bb262336f0e

SHA256
2c99c2010c5e5d12f38a945a10a14fa158b0ba5acf12df6c0505bd7ed52faff6

SHA512
2252b90e0c868540e1b574e7470d43f3148190dcc53a21b0c356e299a106910602cc8cb4c1b2ec2cc98bb3315a34cf6121a22226cb61745194f1d03a8a18a899

Download Submit
C:\Windows\SysWOW64\Ojgbij32.exe

Filesize
96KB

MD5
80861a4e0f146b247e983754948ebc0d

SHA1
7f3366944092fc5d0d649afb38c1025417ec8a8a

SHA256
bc1eae3f13f6cd45a7ac1cda5d03d757d85fa0490b23692383b11c570510ccc2

SHA512
19685a9412b66f5ba491cefc68d5d5eb00c067e20fa26fa96741ba864d5dcf45938cd43b17a377788e23cf22cd179ce1e0946d5fbe23cda31761cd4b648b7d06

Download Submit
C:\Windows\SysWOW64\Omhlkeko.exe

Filesize
96KB

MD5
3d02d5ecb93bb6fd3c85d60a940541ed

SHA1
c38c8882388f255765fe6d7491ad39ead8bd076d

SHA256
74a62cabfc9a60041cf2247a569921d2ceda3de1e4ee93da5325d37a8198f0c0

SHA512
69de0d01c14901b0879100941ce7c6c433f310fd9fc1984cdc0049b40bdd4116129bfb9211cfe148577be841b13f471f06d4616fb9c0716a6b7f0ace5d1adbe0

Download Submit
C:\Windows\SysWOW64\Onlhii32.exe

Filesize
96KB

MD5
6016c0a035ad6494889697e756f7c0e6

SHA1
efbdc690d195f31e24c094b34f3a725f89e0fb8e

SHA256
5c127ccef98e1ce12dddbd51c9ab39856a9233816b8e9a12f96b3393bd433fc1

SHA512
937fe3da20e31dfaefb743d492f11fae962df357fd16c531eb005263f36afff64423c9b4600d0a6773066213611273b929341301746eeb7566d17e7bd5120763

Download Submit
C:\Windows\SysWOW64\Pnghdh32.exe

Filesize
96KB

MD5
920086569dcd7b451c25d26e855d4844

SHA1
0681530295eaf9e4f86d417b4329cdf4603b143a

SHA256
22614ed22ec770b48474b867ff2ffd33990a856986edc1dadf9f616607fa5dad

SHA512
1bbd49188fe63023b026fd5841b0e53d21612038ac5f99116b4e61939c19af4203b9ccd1c827175fa750eaac6fc48c2ef0eb79d63a95a4e0e92b1436938da403

Download Submit
C:\Windows\SysWOW64\Qqoggb32.exe

Filesize
64KB

MD5
94796362139ffc20d6da668b0772bfc3

SHA1
5b85080e0aa3897ef8a977dc2028e20e4c188d71

SHA256
285fefb7e77d111deef0436af54ec9ceb03576fa0bf448f515efe3bf8a221296

SHA512
799fd5a5b0aae40f081d2332a088c9d05d43a059d301ae4099cf7c554d051ad118ffee39421e1af1abdf749fab9d3d3df6fdc8091034cab1b75dac9d7da500f7

Download Submit
memory/224-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/228-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/244-704-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/244-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/420-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/448-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/820-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/872-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/876-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/928-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/928-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/972-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1104-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1104-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1148-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1188-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1232-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1268-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1272-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1440-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1472-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1484-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1484-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1524-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1532-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1592-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1620-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1652-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1888-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1920-550-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1980-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2076-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2096-531-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2120-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2164-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2192-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2260-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2304-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2304-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2308-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2336-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2400-707-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2400-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2420-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2452-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2452-701-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2484-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2504-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2552-710-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2552-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2600-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2700-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2708-158-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2724-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2812-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2816-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2840-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2928-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2972-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2972-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3004-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3020-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3096-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3316-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3316-643-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3428-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3428-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3456-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3472-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3612-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3704-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3760-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3784-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3940-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3960-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4036-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4080-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4088-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4088-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4088-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4280-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4328-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4352-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4372-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4424-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4520-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4520-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4544-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4592-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4608-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4684-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4696-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4732-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4752-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4760-578-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4832-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4852-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4960-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5016-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5016-651-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download