berbew | b604074d96ec6885ac1784400f02f6330bbee7240b1aa39b626de2e5a4aa40e2

Analysis

max time kernel
93s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2024 11:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b604074d96ec6885ac1784400f02f6330bbee7240b1aa39b626de2e5a4aa40e2N.exe
Size

93KB
MD5

ec419ce020ba9dfd6e37578398a0ce80
SHA1

b13f15ac1b3a942b0fb0c2e1a26de3284199bed4
SHA256

b604074d96ec6885ac1784400f02f6330bbee7240b1aa39b626de2e5a4aa40e2
SHA512

b33487e26602c81ee795229db48f918bb7ea6d109b50200f5a4de6ec53605203f6e353f8ddc8b92f1ca890ebd7db6c2c1d4d6f702f0d5ae4234f2f66656c7b30
SSDEEP

1536:1vCPzPAMJZlWdHyCUYvJbe0ISfPeqdKtf1DaYfMZRWuLsV+1J:FMcMJrVWyVSfPefgYfc0DV+1J

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Njnpppkn.exeAeiofcji.exeBmngqdpj.exeDjgjlelk.exeNlaegk32.exeOpakbi32.exeOdocigqg.exeOqfdnhfk.exePjeoglgc.exeDaekdooc.exeOddmdf32.exeQceiaa32.exeBnhjohkb.exeDanecp32.exeDodbbdbb.exeDeokon32.exeNlmllkja.exeNcianepl.exeNdhmhh32.exeOgpmjb32.exeBganhm32.exeBalpgb32.exeBeihma32.exeCdabcm32.exeOlhlhjpd.exeNjefqo32.exeOdkjng32.exePcbmka32.exeQqfmde32.exeAcnlgp32.exeBfhhoi32.exeDknpmdfc.exeb604074d96ec6885ac1784400f02f6330bbee7240b1aa39b626de2e5a4aa40e2N.exePflplnlg.exeAqkgpedc.exeBmemac32.exeOjgbfocc.exeQqijje32.exeCabfga32.exeCdcoim32.exeCmlcbbcj.exeDfpgffpm.exeAjfhnjhq.exeBjddphlq.exeBjfaeh32.exeDhocqigp.exeAmbgef32.exeOfnckp32.exeAgoabn32.exeOjllan32.exePjcbbmif.exeQnjnnj32.exeAjckij32.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opakbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odocigqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njefqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odkjng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b604074d96ec6885ac1784400f02f6330bbee7240b1aa39b626de2e5a4aa40e2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqijje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odkjng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 64 IoCs

Processes:

Ncdgcf32.exeNjnpppkn.exeNlmllkja.exeNdcdmikd.exeNeeqea32.exeNpjebj32.exeNcianepl.exeNlaegk32.exeNdhmhh32.exeNjefqo32.exeOdkjng32.exeOjgbfocc.exeOpakbi32.exeOcpgod32.exeOfnckp32.exeOlhlhjpd.exeOdocigqg.exeOjllan32.exeOqfdnhfk.exeOgpmjb32.exeOjoign32.exeOlmeci32.exeOddmdf32.exePnlaml32.exePjcbbmif.exePqmjog32.exePclgkb32.exePjeoglgc.exePqpgdfnp.exePflplnlg.exePncgmkmj.exePdmpje32.exePfolbmje.exePqdqof32.exePcbmka32.exePjmehkqk.exeQqfmde32.exeQceiaa32.exeQgqeappe.exeQnjnnj32.exeQqijje32.exeQcgffqei.exeAnmjcieo.exeAqkgpedc.exeAgeolo32.exeAjckij32.exeAmbgef32.exeAeiofcji.exeAgglboim.exeAjfhnjhq.exeAqppkd32.exeAcnlgp32.exeAjhddjfn.exeAeniabfd.exeAglemn32.exeAnfmjhmd.exeAminee32.exeAgoabn32.exeBnhjohkb.exeBebblb32.exeBganhm32.exeBjokdipf.exeBmngqdpj.exeBeeoaapl.exe

pid	Process
4540	Ncdgcf32.exe
2688	Njnpppkn.exe
3012	Nlmllkja.exe
1964	Ndcdmikd.exe
3756	Neeqea32.exe
4488	Npjebj32.exe
4876	Ncianepl.exe
1688	Nlaegk32.exe
724	Ndhmhh32.exe
4912	Njefqo32.exe
1116	Odkjng32.exe
2128	Ojgbfocc.exe
1708	Opakbi32.exe
1880	Ocpgod32.exe
3840	Ofnckp32.exe
1800	Olhlhjpd.exe
448	Odocigqg.exe
4940	Ojllan32.exe
4944	Oqfdnhfk.exe
4456	Ogpmjb32.exe
2028	Ojoign32.exe
2956	Olmeci32.exe
1188	Oddmdf32.exe
2292	Pnlaml32.exe
3540	Pjcbbmif.exe
2252	Pqmjog32.exe
3624	Pclgkb32.exe
2484	Pjeoglgc.exe
4308	Pqpgdfnp.exe
2504	Pflplnlg.exe
4452	Pncgmkmj.exe
1260	Pdmpje32.exe
5028	Pfolbmje.exe
4340	Pqdqof32.exe
1808	Pcbmka32.exe
4268	Pjmehkqk.exe
4068	Qqfmde32.exe
4632	Qceiaa32.exe
752	Qgqeappe.exe
760	Qnjnnj32.exe
1160	Qqijje32.exe
3764	Qcgffqei.exe
2744	Anmjcieo.exe
1868	Aqkgpedc.exe
1528	Ageolo32.exe
3564	Ajckij32.exe
4572	Ambgef32.exe
64	Aeiofcji.exe
3316	Agglboim.exe
3612	Ajfhnjhq.exe
2492	Aqppkd32.exe
4424	Acnlgp32.exe
3740	Ajhddjfn.exe
1744	Aeniabfd.exe
424	Aglemn32.exe
3216	Anfmjhmd.exe
4756	Aminee32.exe
2032	Agoabn32.exe
548	Bnhjohkb.exe
4512	Bebblb32.exe
4860	Bganhm32.exe
368	Bjokdipf.exe
4388	Bmngqdpj.exe
4568	Beeoaapl.exe

Drops file in System32 directory 64 IoCs

Processes:

Nlmllkja.exeOlhlhjpd.exeOddmdf32.exeAqppkd32.exeDfpgffpm.exeOjoign32.exeAjfhnjhq.exeCdcoim32.exeDhkjej32.exeOjgbfocc.exePdmpje32.exeQnjnnj32.exeAgglboim.exeBeeoaapl.exeOdkjng32.exeBeihma32.exeAnmjcieo.exeAgeolo32.exeCfmajipb.exeDddhpjof.exeOjllan32.exePfolbmje.exePqdqof32.exeBclhhnca.exeOgpmjb32.exePjeoglgc.exeCaebma32.exeNdcdmikd.exeBjddphlq.exePjcbbmif.exeDaekdooc.exeNcianepl.exePclgkb32.exeDogogcpo.exeNcdgcf32.exeQcgffqei.exeAnfmjhmd.exeAgoabn32.exeBcoenmao.exeCmgjgcgo.exeDeokon32.exeDodbbdbb.exeb604074d96ec6885ac1784400f02f6330bbee7240b1aa39b626de2e5a4aa40e2N.exeQceiaa32.exeBmemac32.exeCfbkeh32.exeDhocqigp.exeNjefqo32.exeOqfdnhfk.exeQgqeappe.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\Ndcdmikd.exe	Nlmllkja.exe
File created	C:\Windows\SysWOW64\Jbaqqh32.dll	Olhlhjpd.exe
File opened for modification	C:\Windows\SysWOW64\Pnlaml32.exe	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Acnlgp32.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Olmeci32.exe	Ojoign32.exe
File created	C:\Windows\SysWOW64\Aqppkd32.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Opakbi32.exe	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Blfiei32.dll	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Maghgl32.dll	Aqppkd32.exe
File opened for modification	C:\Windows\SysWOW64\Qqijje32.exe	Qnjnnj32.exe
File opened for modification	C:\Windows\SysWOW64\Ajfhnjhq.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Mnodjf32.dll	Odkjng32.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Beihma32.exe
File created	C:\Windows\SysWOW64\Aqkgpedc.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Ajckij32.exe	Ageolo32.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Oqfdnhfk.exe	Ojllan32.exe
File created	C:\Windows\SysWOW64\Pqdqof32.exe	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Pcbmka32.exe	Pqdqof32.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Ojoign32.exe	Ogpmjb32.exe
File opened for modification	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pjeoglgc.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Neeqea32.exe	Ndcdmikd.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Oncmnnje.dll	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Hfligghk.dll	Ncianepl.exe
File created	C:\Windows\SysWOW64\Pjeoglgc.exe	Pclgkb32.exe
File opened for modification	C:\Windows\SysWOW64\Acnlgp32.exe	Aqppkd32.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Njnpppkn.exe	Ncdgcf32.exe
File created	C:\Windows\SysWOW64\Pkmlea32.dll	Qcgffqei.exe
File opened for modification	C:\Windows\SysWOW64\Aminee32.exe	Anfmjhmd.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Gpaekf32.dll	Ojllan32.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Dbnamnpl.dll	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Pfolbmje.exe	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Lipdae32.dll	Pqdqof32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Dapgdeib.dll	b604074d96ec6885ac1784400f02f6330bbee7240b1aa39b626de2e5a4aa40e2N.exe
File created	C:\Windows\SysWOW64\Qgqeappe.exe	Qceiaa32.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Qoqbfpfe.dll	Ageolo32.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Glgmkm32.dll	Njefqo32.exe
File created	C:\Windows\SysWOW64\Odocigqg.exe	Olhlhjpd.exe
File created	C:\Windows\SysWOW64\Qfbgbeai.dll	Oqfdnhfk.exe
File opened for modification	C:\Windows\SysWOW64\Qnjnnj32.exe	Qgqeappe.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Bcoenmao.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
5276	5176	WerFault.exe	183

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Pclgkb32.exeBffkij32.exeCaebma32.exeBalpgb32.exeBjddphlq.exeCdabcm32.exeCfmajipb.exeOqfdnhfk.exePfolbmje.exePcbmka32.exeBganhm32.exeBcoenmao.exeDhocqigp.exeNjnpppkn.exePjcbbmif.exeBnhjohkb.exeDeokon32.exeDaekdooc.exeQcgffqei.exeAqppkd32.exeBjokdipf.exeDfpgffpm.exeNjefqo32.exePqpgdfnp.exePflplnlg.exePncgmkmj.exeBebblb32.exeCabfga32.exeNpjebj32.exePjmehkqk.exeAqkgpedc.exeAcnlgp32.exeCmgjgcgo.exeBmngqdpj.exeBnmcjg32.exeBmemac32.exeNlmllkja.exeNlaegk32.exeOjgbfocc.exeOdocigqg.exeAmbgef32.exeCfbkeh32.exeDddhpjof.exeAgeolo32.exeAnfmjhmd.exeBjfaeh32.exeOjoign32.exePdmpje32.exePqdqof32.exeQqfmde32.exeQgqeappe.exeDodbbdbb.exeNdcdmikd.exeQnjnnj32.exeBeeoaapl.exeDogogcpo.exeBeihma32.exeDhkjej32.exeb604074d96ec6885ac1784400f02f6330bbee7240b1aa39b626de2e5a4aa40e2N.exeNeeqea32.exeOcpgod32.exeOgpmjb32.exeAgoabn32.exeNdhmhh32.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njnpppkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlmllkja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndcdmikd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b604074d96ec6885ac1784400f02f6330bbee7240b1aa39b626de2e5a4aa40e2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe

Modifies registry class 64 IoCs

Processes:

Ogpmjb32.exeOfnckp32.exePflplnlg.exePfolbmje.exeAcnlgp32.exeBmngqdpj.exeBcoenmao.exeDkifae32.exeOqfdnhfk.exePjcbbmif.exeAqkgpedc.exeCfbkeh32.exeOcpgod32.exeOjoign32.exeQgqeappe.exeDeokon32.exeDanecp32.exeNpjebj32.exeOdocigqg.exeAjhddjfn.exeDhhnpjmh.exeNdcdmikd.exeOjllan32.exeAgglboim.exeCfmajipb.exeNeeqea32.exePncgmkmj.exeBmemac32.exeCmgjgcgo.exeb604074d96ec6885ac1784400f02f6330bbee7240b1aa39b626de2e5a4aa40e2N.exeBebblb32.exeCaebma32.exeDhocqigp.exeOlmeci32.exeOddmdf32.exeQnjnnj32.exeAgeolo32.exeBffkij32.exeAjckij32.exeBjfaeh32.exeDaekdooc.exeBjddphlq.exeBeihma32.exeDhkjej32.exeDknpmdfc.exeNcianepl.exePqmjog32.exeCdcoim32.exeDfpgffpm.exeQceiaa32.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmfpfmmm.dll"	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidlk32.dll"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfbgbeai.dll"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Booogccm.dll"	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papbpdoi.dll"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npjebj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilkmnni.dll"	Ojoign32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciopbjik.dll"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	b604074d96ec6885ac1784400f02f6330bbee7240b1aa39b626de2e5a4aa40e2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olmeci32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqbodd32.dll"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ageolo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibaabn32.dll"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Neeqea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoqbfpfe.dll"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbepcmd.dll"	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olmeci32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qceiaa32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b604074d96ec6885ac1784400f02f6330bbee7240b1aa39b626de2e5a4aa40e2N.exeNcdgcf32.exeNjnpppkn.exeNlmllkja.exeNdcdmikd.exeNeeqea32.exeNpjebj32.exeNcianepl.exeNlaegk32.exeNdhmhh32.exeNjefqo32.exeOdkjng32.exeOjgbfocc.exeOpakbi32.exeOcpgod32.exeOfnckp32.exeOlhlhjpd.exeOdocigqg.exeOjllan32.exeOqfdnhfk.exeOgpmjb32.exeOjoign32.exe

description	pid	Process	procid_target
PID 4088 wrote to memory of 4540	4088	b604074d96ec6885ac1784400f02f6330bbee7240b1aa39b626de2e5a4aa40e2N.exe	82
PID 4088 wrote to memory of 4540	4088	b604074d96ec6885ac1784400f02f6330bbee7240b1aa39b626de2e5a4aa40e2N.exe	82
PID 4088 wrote to memory of 4540	4088	b604074d96ec6885ac1784400f02f6330bbee7240b1aa39b626de2e5a4aa40e2N.exe	82
PID 4540 wrote to memory of 2688	4540	Ncdgcf32.exe	83
PID 4540 wrote to memory of 2688	4540	Ncdgcf32.exe	83
PID 4540 wrote to memory of 2688	4540	Ncdgcf32.exe	83
PID 2688 wrote to memory of 3012	2688	Njnpppkn.exe	84
PID 2688 wrote to memory of 3012	2688	Njnpppkn.exe	84
PID 2688 wrote to memory of 3012	2688	Njnpppkn.exe	84
PID 3012 wrote to memory of 1964	3012	Nlmllkja.exe	85
PID 3012 wrote to memory of 1964	3012	Nlmllkja.exe	85
PID 3012 wrote to memory of 1964	3012	Nlmllkja.exe	85
PID 1964 wrote to memory of 3756	1964	Ndcdmikd.exe	86
PID 1964 wrote to memory of 3756	1964	Ndcdmikd.exe	86
PID 1964 wrote to memory of 3756	1964	Ndcdmikd.exe	86
PID 3756 wrote to memory of 4488	3756	Neeqea32.exe	87
PID 3756 wrote to memory of 4488	3756	Neeqea32.exe	87
PID 3756 wrote to memory of 4488	3756	Neeqea32.exe	87
PID 4488 wrote to memory of 4876	4488	Npjebj32.exe	88
PID 4488 wrote to memory of 4876	4488	Npjebj32.exe	88
PID 4488 wrote to memory of 4876	4488	Npjebj32.exe	88
PID 4876 wrote to memory of 1688	4876	Ncianepl.exe	89
PID 4876 wrote to memory of 1688	4876	Ncianepl.exe	89
PID 4876 wrote to memory of 1688	4876	Ncianepl.exe	89
PID 1688 wrote to memory of 724	1688	Nlaegk32.exe	90
PID 1688 wrote to memory of 724	1688	Nlaegk32.exe	90
PID 1688 wrote to memory of 724	1688	Nlaegk32.exe	90
PID 724 wrote to memory of 4912	724	Ndhmhh32.exe	91
PID 724 wrote to memory of 4912	724	Ndhmhh32.exe	91
PID 724 wrote to memory of 4912	724	Ndhmhh32.exe	91
PID 4912 wrote to memory of 1116	4912	Njefqo32.exe	92
PID 4912 wrote to memory of 1116	4912	Njefqo32.exe	92
PID 4912 wrote to memory of 1116	4912	Njefqo32.exe	92
PID 1116 wrote to memory of 2128	1116	Odkjng32.exe	93
PID 1116 wrote to memory of 2128	1116	Odkjng32.exe	93
PID 1116 wrote to memory of 2128	1116	Odkjng32.exe	93
PID 2128 wrote to memory of 1708	2128	Ojgbfocc.exe	94
PID 2128 wrote to memory of 1708	2128	Ojgbfocc.exe	94
PID 2128 wrote to memory of 1708	2128	Ojgbfocc.exe	94
PID 1708 wrote to memory of 1880	1708	Opakbi32.exe	95
PID 1708 wrote to memory of 1880	1708	Opakbi32.exe	95
PID 1708 wrote to memory of 1880	1708	Opakbi32.exe	95
PID 1880 wrote to memory of 3840	1880	Ocpgod32.exe	96
PID 1880 wrote to memory of 3840	1880	Ocpgod32.exe	96
PID 1880 wrote to memory of 3840	1880	Ocpgod32.exe	96
PID 3840 wrote to memory of 1800	3840	Ofnckp32.exe	97
PID 3840 wrote to memory of 1800	3840	Ofnckp32.exe	97
PID 3840 wrote to memory of 1800	3840	Ofnckp32.exe	97
PID 1800 wrote to memory of 448	1800	Olhlhjpd.exe	98
PID 1800 wrote to memory of 448	1800	Olhlhjpd.exe	98
PID 1800 wrote to memory of 448	1800	Olhlhjpd.exe	98
PID 448 wrote to memory of 4940	448	Odocigqg.exe	99
PID 448 wrote to memory of 4940	448	Odocigqg.exe	99
PID 448 wrote to memory of 4940	448	Odocigqg.exe	99
PID 4940 wrote to memory of 4944	4940	Ojllan32.exe	100
PID 4940 wrote to memory of 4944	4940	Ojllan32.exe	100
PID 4940 wrote to memory of 4944	4940	Ojllan32.exe	100
PID 4944 wrote to memory of 4456	4944	Oqfdnhfk.exe	101
PID 4944 wrote to memory of 4456	4944	Oqfdnhfk.exe	101
PID 4944 wrote to memory of 4456	4944	Oqfdnhfk.exe	101
PID 4456 wrote to memory of 2028	4456	Ogpmjb32.exe	102
PID 4456 wrote to memory of 2028	4456	Ogpmjb32.exe	102
PID 4456 wrote to memory of 2028	4456	Ogpmjb32.exe	102
PID 2028 wrote to memory of 2956	2028	Ojoign32.exe	103

C:\Users\Admin\AppData\Local\Temp\b604074d96ec6885ac1784400f02f6330bbee7240b1aa39b626de2e5a4aa40e2N.exe
"C:\Users\Admin\AppData\Local\Temp\b604074d96ec6885ac1784400f02f6330bbee7240b1aa39b626de2e5a4aa40e2N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4088
- C:\Windows\SysWOW64\Ncdgcf32.exe
  C:\Windows\system32\Ncdgcf32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4540
- - C:\Windows\SysWOW64\Njnpppkn.exe
    C:\Windows\system32\Njnpppkn.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\SysWOW64\Nlmllkja.exe
      C:\Windows\system32\Nlmllkja.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3012
    - - C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1964
      - C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3756
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:724
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1116
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3840
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1188
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        25⤵
        Executes dropped EXE
        
        PID:2292
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3540
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3624
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2484
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4308
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2504
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1260
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5028
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4340
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1808
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4268
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4068
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4632
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:752
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:760
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1160
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3764
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2744
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1868
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3564
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4572
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:64
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3316
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3612
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2492
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4424
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3740
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        55⤵
        Executes dropped EXE
        
        PID:1744
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        56⤵
        Executes dropped EXE
        
        PID:424
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3216
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        58⤵
        Executes dropped EXE
        
        PID:4756
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2032
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:548
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4860
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:368
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4568
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        66⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3788
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:444
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1636
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4768
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1452
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        72⤵
        Drops file in System32 directory
        
        PID:5016
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3972
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4612
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4116
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4852
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1168
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2928
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        80⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3780
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2496
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1928
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        86⤵
        Modifies registry class
        
        PID:4720
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3700
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3952
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        89⤵
        Modifies registry class
        
        PID:684
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3264
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        91⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2636
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5024
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3556
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3132
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        96⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1376
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2560
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        99⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5176 -s 396
        100⤵
        Program crash
        
        PID:5276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5176 -ip 5176
1⤵
PID:5252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ageolo32.exe

Filesize
93KB

MD5
969b87c13e910cec2d97f32dc2b30b6e

SHA1
753b5ddcd0dc2519d6e0cdca06c296909eb510a3

SHA256
cc833579d2148f170ed836ad3b9dc527726fea5d1251c5c80cae3ae8f768c25d

SHA512
69f6ff1de1c560f331d83503118992b5b3f2d4ec4ae597bbd829c8e5ed528a7ed7d0d9519ad04697a3ebce55a86f099176c79f7b3937c9316c79e3c96749468b

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
93KB

MD5
b148569ac3a127d0ed3dcf5aa57d8137

SHA1
89dfe25631dfa61755ae95ccad18e25bd26535c1

SHA256
3d9ba4e51f0b499415e126574f5d0d55c42cc1d9a8be2cd37242ccef31bad275

SHA512
b82f224b9ff1f0249cd6e0a8569ced3fbc501e06422e1355c731be84f773015bbbc8cfe89dc680584a91fe17edc138051b09fa972eccb149ab2949696a3c1bdb

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
93KB

MD5
fb712b7e590eea62153cd4bc16afe74c

SHA1
0c5f0c0d04edfc7579284ec874dd35f41eb5a561

SHA256
6d7fcbeb8397778cbb5a477e1cd9c196e0253010e6e39f94af6e506cf1b620bb

SHA512
f6bb00495611b4f0c267e5ac940d4567170a4ffa84910c9dfc05879b93475082b60cee9715d1732f835bdc78b515a1256964207378cec3188b0bd0e45cf486a0

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
93KB

MD5
88cbf400aa22ae9400ecc3d6120d71a2

SHA1
8f65036e9b786502cc00c717fed5a47c9f9ae570

SHA256
483ac1eb6023592558ce025669c89d6b37ce17c1451c58aae0d07e64a6a85447

SHA512
5e515f95e90a92830bc4f20e16b6cd29271a300566fceca3b947b4e5d0b01fec6f13eab43aa884f998c353726e1f27c1d3226ea8459aec34de9f7fd9026ea36d

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
93KB

MD5
eb22e3445c4927a81dea7a5e585b4a18

SHA1
799dadbc1b5e130c94fe8a1df1c07f70e6c0b51d

SHA256
9c85400187396d6995c3cadfe9c918801751ad2af13205de75aa5bf73cad9a42

SHA512
36835a211de992d467eec46ec0c5ecc7423758e1593822550fa7d62eac53f22c34e1393ba06e4594f6a6a78dbee8293d32483d7baa82df93baceb34357f5832a

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
93KB

MD5
7d3c74b4e231c64fd2b0c0c4b395aeef

SHA1
e58306d69db66c505a13cb99c65d28b96fb26c02

SHA256
d0c1e4b05ebddde341d0182b1ca0c1ea142567f14be1e5679b12574cea9b7cbf

SHA512
167fab1716136ec2790b5accd58de94f37da4500a08e35ed92531455377b70d610af2b987733c1fb6e67b3c8d705efe68772963b66bde2bbff10a66312244224

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
93KB

MD5
a8423fe016c09c6e8cfc0ff40e857ff5

SHA1
352f6cff64575efce3d15e2646e7b76a114d1e5d

SHA256
9d7b4bc0fef429e1a8fc88a8d5c103ee7fb361255cece7a27f37adc84182a836

SHA512
5a88faa56facf45cc4165aa71f1a036887e5fd1692414ac6bf47c27f3142d16bb35563c7109dedec3cc82c529ed9966f42c607f8fb1bb4d65c2c9e634df84beb

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
93KB

MD5
28af6e5138e053c0c77ad97477633134

SHA1
78e97ca76ad7dd0deaaefaa73b96e6761f129f49

SHA256
101d170f77512207475e3166a8adb67a97513ef41b26f9ffbe60fb359e3f92f9

SHA512
a45210518f2b1347e5203236b446fb1329c8707c639d463edb553723d5ecf669d965cd22b843788061990f6c7a6b90a0182b78898dab872a4611c9799b929e2b

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
93KB

MD5
b84b78c5ce71b370c1a60d490d06ed86

SHA1
e8b21d35470f90d2a3742f3ade509acbf85bfcc4

SHA256
5c0e80b9db52d39a27ab8874a7cdb9471c8454fe11d1377d92166f3521b2b448

SHA512
4b66624940a9afd9e5809a502a6aa287e4fb2279ab0a69809bf41e6c5f718c27d60ee62dbc12c8e582e660713d161eba29f7fc047ffb44ae3c49599b9a62e416

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
93KB

MD5
ddeede66eb1fb1da61016cf6ac79f9d8

SHA1
5cce7c6cbc484c4e78873a1eae1710450dac47c6

SHA256
0c9bcad291a25178017897e32e4be34bde259c06fb5385a4e7a124e04712ecb2

SHA512
28ec9ada8852c9a419eed206ec434ce2d70d4a67ea3030438180c6c99527a26c84cc8ca62d24c0b30156e75c5dc65057b56a844e377a6d628bb3186781c8332d

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
93KB

MD5
849ba7663139422d3bbefcf83fded02f

SHA1
6628dccbff79d9ee1d52e5d6371dbe56299b1f99

SHA256
1dcffb5699ad24507b1679667e73f814976c9abee2c3448303b3facec8fc3810

SHA512
c0beb60d2082d33a6261aa803d4925c3305049ff1b6031f319b78b0b47dd7182c8134a435fd5bbc7b73056657511910b345355c5f5d7e0efa6a267dae3142ca7

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
93KB

MD5
5a587b6042951e98c01954b4d5741e30

SHA1
de8cb8402dfc7300b2840a2cca48206dc14c425e

SHA256
47256b2165d80b6368a56a88b81a5e4da3bcfb0b9949530217e04eab910c0b4e

SHA512
330b8791e0b2945896e5bfb1964b36b8b91fd37bc7e2b94daf340182b1caf789b5e8f139a188147551fbf195473e8368354e0b3102e3d4c5eb0403152aace998

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
93KB

MD5
a0aa4e46c94b794160a5103adc0fbed4

SHA1
9291fce7419203be03fcd44fadf1353b32156ffa

SHA256
5c62b981dc98e11d6c73908ae8a4d6dc5efb802009203983fa3c593f456845b3

SHA512
36f5cbbe46119aae6bd703b3ae45a9dcbfa0adc1750f9d322723cbb53a02364fe5b5d5b590a0779f3605ac70b883a44353ae4aed3854e82952553738739a7706

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
93KB

MD5
a94882eea7424e02d38d0eb3cf1eb9e1

SHA1
4bc9583a89b032418370ca312c6d396174d2a7fc

SHA256
ad98fc01bc281487ba4dd777000d9475f319eed6584ac58c88ee7e9223dcbe4b

SHA512
dcfe8924c4898d972751181148c485cb52f2c8f75cbcd0fa2016a1e69e4b77e71bd3c41c3f243c2471a12c17953c27e11fbddd04b7aeaaff6213696b57e43eda

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
93KB

MD5
cd9062886211ec0eb749d596e984b7fd

SHA1
e8dc395a28837286c2f766103fb25def92bc5f54

SHA256
15f781ad87a1c52ffc3e8d58644552c7bcc66f3bd06c84d7410fe91299e7f3dd

SHA512
11152075d7345dc1bba077b6128ecf4faa9dc054894170f6adf2cdba1857a6b60face4e740cd2cf488e783a1b6f849a91ac1594daffeaaeb7153e21b71c9c279

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
93KB

MD5
a92d5a5d3c70dd2ceea7898ca863407e

SHA1
24834f844fbb6f60f4c52c3304a1d8ece448cf07

SHA256
440f5d5796072800fc54081fe02de35e9d82577eacdc2229e26f903be671dbd2

SHA512
24c13f1ed05a80417e17cf0d455e442cbf423535c71be0716dfca0436e12fe87c8557d3f538cf9113192820fcd153493f45486de1256166f82948f35a827ed17

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
93KB

MD5
e76f7ba5ff8a9784bc4dfd4549d3754d

SHA1
f4fb2c8b042c5d1921c565866281e3f90e1515a8

SHA256
41303876eefdede9bbb839c020488eb20bcd3491eb27b0cc83fa87cd3525046d

SHA512
fafbca8b481ed25aa3d97eb6a8e59b4792e90e80eacc6810e6f4cffec32a22a3ddb6c0e54d5470971ab34f8e908bbf09ad45946e55c2742988d4a658acf875fb

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
93KB

MD5
068d5df509860d9e722df3ab98980e2f

SHA1
3539f3ece6e5accf1e8dc2723d40c3cd25ee6aed

SHA256
2b60a34901124d8c26694b0f9eee59e10fc5b98357cc87ced90018b7ca8d812e

SHA512
a0cacc788c7a00255127533b299161ae1fab7dabb727094d6bcba82767a7581ff2f06e4ccd9b3771b84a19b6345fd8e152e1f5336b080cdce3175350b9245a29

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
93KB

MD5
08b1653d92d030f59fe52ae92de00c08

SHA1
696f25a4dde5e5f35a31cd139177347b4b43006d

SHA256
1bec3edcc4fc930af633c41219d41914b2043fddb0ddddd89495ef306d694c22

SHA512
556b538c2956a4f6f6e930eb0f2970337e9b84ef90f90ddb957dea39838d28154ab9d400ca2b959003942a5034586c51c579bf81ab83046ab2005ef1aefa8570

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
93KB

MD5
93093cbce272fc5b844e52119c412dfa

SHA1
45e947d270060e73170dd1530afaffbeebff6b5d

SHA256
3fc0bdbaaa7ed8056704b312148e25ed7b1ae2e9fcd94ee4b7672aa0e42abfa0

SHA512
0f45743eb642070dfad420b2937bdecb4523712d7870fdabcb98e3eaf701a62b0c25a95cfcbf02bfd8b1f372f6e75970b17cf83ca0e92eb5be00a7c721d9089b

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
93KB

MD5
4a1a6022ca4b90252eac657cf6eacb0a

SHA1
c7f17a17bc51ee68b710260fdf0b20867dad0dff

SHA256
9d6543aa3684ae99ad4997c9e439edaa7b6077d3bde5512f50b2df935ca04351

SHA512
aa3b3c73387367e39e62d8a316ceead810d03a022395c0ca5097caabdf4b616c96ae49431211af281104054ba1734c2326759d810e90c86e17bdb5eed94d37d1

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
93KB

MD5
d9b4fc5adfce3873c5f951c85d73f1a8

SHA1
dbdb2cfd5b0a74e47042323e097dca49e2eae55f

SHA256
d29faf66635f0cff99e1432c2e1608b446f752c355a6d268ccb303657221978c

SHA512
d7938505ee78e5f56107f459dbc00ed0c5833ed0c6034f747e6d27d28ca3574f90b11f93c16555a6faacb97f983b544f58541fefc0ff0b74be0ce9b4eabbca78

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
93KB

MD5
14dd11a9d56c395d3467766c31b4a5f1

SHA1
6fa72bddbaffa842c901c37f836e6ac9d0752065

SHA256
a09308603b668344dbd8623097b59058305fb6e6950674366772f20fe53aef87

SHA512
265b33fc4478ea30d91c8541556a3524144d36e555148d388bb060ef36d4ca6efdafe915fc062dd79cda7bf16e2fe873c877b06aa4fb89caed3cbe64ba3fb794

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
93KB

MD5
78b6d1e7dd3d44ba1fbf71a4f425c2de

SHA1
f2e69374bf2315ea5fadbf4fd3f3792e3b6d4fb9

SHA256
f19ac1a87eb64244a66097d5d9457c93e7f1ca97eb63c0cb1970aad151f18096

SHA512
5e0f6a619c715bae88bc28ae05ecfc231efd770c207421356f2b211867d522df3ab72cbce48a7127effe67bbdc1643dd712b59c9469555eb5c51bdf52d898dff

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
93KB

MD5
b8b670e6e07dabcc14430ed6fecaeec5

SHA1
49c816b56bbe16022d7c89bd9c9d6e407d1f3397

SHA256
a62d0466b7f29388808dc2ec0d339029fda50acd9b59a8dfe2044fe319e8545f

SHA512
119b218578f9d49bd04056f727451bc1fa611ef4f4de3cfba360829cf839878f6eca77c0d4675489acf20785c64b18b9c5a320e8873136ebca5c5374495b0c44

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
93KB

MD5
aef75d21746ac6ef9f9cdaaa388ba536

SHA1
5278dfbd6d77ebc5796a3568dfbfe988e761f507

SHA256
6c81cddc84f13eda880623014e57c1ab8b7c36f53097a08754f79c27552e3341

SHA512
0ca41133fc6efc6d4b6bdd82ddd4463fbfc94666b1ff0c187fed68204c5b1eed738625d898f05ceb1f5f2c5d728fdb08dd4bc86e79b276d095a8b8c14bbb300b

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
93KB

MD5
64431c25474424f9364192226a86685e

SHA1
1b7515a9f10cc860d2b0a377555e723d0b26c526

SHA256
00e3b954981e020f1a1aa9c3ca51e3c187b11c9ed3c4b9ef7763f181e3316ff2

SHA512
1ddda986e0d4a4890787b4e55902a17376b254529c59f4513f838cc8c71e49538bf1d8bf92bba23b11523df6044ad322691d4afcf8c5258bab12409d57616209

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
93KB

MD5
f044ebede5353c42452ba5724f89479c

SHA1
88877f873c6ee59faf5f3326673385d1af6b2ae9

SHA256
63cd6f3f6c65cc0b1f9595260a214b6216475ca8cf48e3cb99a7739ab5de9994

SHA512
df960fae667924bb5be6f2ba4ef7f7c752cb29aa4b6f18109d8c88c43078025ee55af05a7d0642db99e4930991a544289fc3708c279672c0be20c0ce7152c070

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
93KB

MD5
d0506c1492f2a2ed0781101e890dd214

SHA1
35da9fa685f6a257415b999e2f7ed767f1a98989

SHA256
87141d62cbbba475bc049b69832ebd3f9891a191eea0ace09488add7edc052c9

SHA512
78ab4babf8ac70d9d2a4952cc9a5220dd58215e69aa2412120856c9d39fe8d070b2c1fa211312bbab82700acc5d774f943865b027987e09ba14ddd02aa3685bd

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
93KB

MD5
f685266fc3637f3d556b4fdd1cf60f76

SHA1
9a7b26a41d39a19f391ffa7f02861ca604f8b71d

SHA256
171d8e864c8f0ea5f1732c87125370eb8a21d458f3c15df2131ef80fdb157491

SHA512
fb3d433bb317a7cbc8177f7f25a104f5fdea4c7ba605e76908f2ae1edd28a606977c1bceb20b6b07e198eb32408b9485375fbacc459c0ef66f2dd8d6444c1ab2

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
93KB

MD5
78700b91c4de8909a5661d7411d3a388

SHA1
b61d562aa16fb568005b3e39d213b2b6af80bbc1

SHA256
4c299f75ba48e5908eb6affa0312758a86e8a76bcbf720f406ec2ba18efae6e8

SHA512
c7220fa292b308e548070425f67ffb97b6087bf94e8083caf29d1f5a1c698476354c293be317692e55d2b629f1ec51843fdc449ba7b0c3cbab361f22e569d6b7

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
93KB

MD5
07525d309a13fea6ec8c1d51f3125217

SHA1
e10aa628601a2914af79ccc51221704a9e6ecee2

SHA256
a8dde0341cbcd537ed8d9dda4ecdc846309075ee86b71d2409fb742215d90d56

SHA512
75bcdcf12d583b5d6aff70d5cf615f5231993fc41f88685c114da40ead622d1eab78982527b4ba019c27b3fbab52ef509ffc119dbbe8675d2c55902e95b204d5

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
93KB

MD5
59330398ef371a18a192ad74864e6e8c

SHA1
760c6eeaedb79544223ee8174e144103df5e8432

SHA256
028918be9fb64aaf6ce9602ec2831932cad2f1f3ca576698d89ec925e96c0caa

SHA512
622cd48a13f60f0802e522bf0971cbed79c636c85a7c8bad82926e012a7ad2ff682e1f3474f75e8ef9f4080faac3749c6037fec1ee4094b0f9ef2761bfe5f2cd

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
93KB

MD5
dfc6be4256eb1fe7d1eede79507fa1e2

SHA1
07dbe2798958000aa7cac597ea3251e93aebdbf1

SHA256
59e548c38f33322fa029093c314261c82ba715beb563e48d707eefd72bf97a5c

SHA512
a21cff5b894f96b764ffb6b539469a92de0c7e22a2c3b41019bee0ad675a0d22ca23d140e22095e9c3642867f1115af62fde1ca3f3606186cd399a3d06460d39

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
93KB

MD5
3375778288d9e93aebeed75d39b60b6f

SHA1
fc4caaa63e835b5d7e8520a758b2d694ab08f462

SHA256
4688f237e3341c0a9a3e701d9413eca14fe847e213ad1722e2186f44d7c907c2

SHA512
b54b18c0864c93b445427057b8eed1799f887a733a2da93d4895d10707a3699ac1f7ae1684c5f9c5741832e72ffad9b56a1a7c9b04fb0ba39dc1935ccd026e87

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
93KB

MD5
0b3c3558c05192237b26bfbed6da07c7

SHA1
284e5e763402e6648772b7d4dd58807b125dd42f

SHA256
4182e9743291ca0c5597ea14dceb98ca92a3cedfd36e27ab928994d8a3fde9b1

SHA512
28e782807cbc0aa966cc9f0e5f79e4c33a8d0f1b998fb31f632580fef366aec73198fd056880abd0e3da48e06d2d726e89b7c488046e09200bec83b503a229a1

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
93KB

MD5
aa65f91212926aab5bbb11287272ceaf

SHA1
c1e50f58b9ff9e9e18e93a4f56d6fefd88a5298f

SHA256
5c4bf8bb458e780a6353875dc58e0d5bf9b12d1c93c073b6e681c75c7fa0ff2b

SHA512
4bfdd64826696784df446ea13ec1a36af542e13f3d352c2be2d131ec6d1461bf4219ef4338fc8c1708de5b4c91dce07457e2f4aba52a83c00c9a5eeee7c5d6f4

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
93KB

MD5
e8d821a00ac3383dab6ba99805986967

SHA1
c60e8e5d301786e14ebafe307ab80ee9b3df35fd

SHA256
5d5715d6ff7ec157cfa3086dd7b102df1a51a9368a6eda8cdc94c79209d4fe46

SHA512
7451addf0a200c1e4fa51ffc228461c7ab6b3862669e0093772bdf104c34f1b7a15dc8ac8289713252fa93e4074b55a65d581af9a8b7b85323a452627691ce72

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
93KB

MD5
29d724b32602a7604e181408a5b7f935

SHA1
996bf822ce7dd60011a622b61caf20af56c25a33

SHA256
61d7160a1a2a9cd0019a963e8853db00b3157b46a905c2fa1531b78f0cfdf57c

SHA512
74da9379fbf78d704c85457de6a354bb9929145ac142a8e94b1fb35e6351c319aaad8d95968d40c10eebf2955669de3f05fe8ea032470dd0390dad56f184a086

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
93KB

MD5
8327b498b7ceebd15f1fec9ba0434c04

SHA1
dc260f3940ea1154550ab8573fd4d06f25b7986d

SHA256
29d2d6c4d1895adc47f3993e00ef31e026a84f611177a697f775932a3a7983d4

SHA512
5ece046e85d6cf4a65b06ac9911581318b3049745668bed674a4d3912c5315e5d4e24c196bbf8e269891d801f98e74fdcee382103e1fdc32b96006293960b128

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
93KB

MD5
a1530ab73b3382a75daa9f41ea684bdf

SHA1
359ce585d1aa95d5d45c5f718599605108fa1695

SHA256
ee79f55263b965907be0ddaab2d43dced139a40ee63cbb335c860062fcf4c106

SHA512
b0c962ab256ba7c459e8c7899bda3f693424d0d0dfe0aad94e0745f3032d7659f4f879da1cec6aaaa5cf232c87bfb367880ff8a45fe75f4903e81d4b9c932a96

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
93KB

MD5
95dd93c4f15d563f2606efc54f32faae

SHA1
30ff0387a8e691674082c563d4b8698abdb6599d

SHA256
589dd7ba9bffc669c8ff89cb7cd81c094cfe9774f62a516ddab09a06e4eddee5

SHA512
512a79dfd9155739b294344f748b3dec0157f44647e1d7ebc49c829df33224cda722269c80882fd79e0d2233773b492c03c05342c4bc5b1ae9074a1d4dc7cada

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
93KB

MD5
fafcec581c3a583ec8aa5a8144a7274a

SHA1
93dc345cf44072fd55f4c53d020789540b3d066b

SHA256
3a9533cb243a5b7de746571b9629f6cc58b54a1cda25e98d3bfb0410828dff59

SHA512
e7f31345e8a95c94e1fa41607a218f29fcfff4a92a7022a2e25d6f07739f4f3dae2ebd0c7ab50a0efa85a935bdef98cf6cf1d1192de847835f8e9286c707bbe9

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
93KB

MD5
a4c591c7ecf89189882e22a1ddc489a0

SHA1
a825d742125d46d65e8963ada129ce4e3b3209e1

SHA256
1a981d1f4554415310c65ed948fe6010acbe2d197cb66a9e5de82690e2089f97

SHA512
7ced90627a5e8e66988d23c307ef748c426cb0577d43b66db69200dc99b377bd1f792ec6fc2ba789cb815f38c7721ac76bcfe8c51eb947fb8be99f79b48690b1

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
93KB

MD5
3c357f18a333c6babe89cf0074066fc1

SHA1
f54f1604d416df2eb896836f573182bc82cab8f7

SHA256
7f793a31cc8312545d3c7f5fbae88d3fe4bb5a7b73823bc2fa6fae99bc6e0cb1

SHA512
502ec07cb2a974f6196d0f37ceb93f4bfd1c4530afd07528a79dbd25d3d58aced8b104b6c995c39ab97fe1a393f0c6b1ffa4138072378a8eeb0ba9960c99f6b5

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
93KB

MD5
0835195cd8e731cfbd6375a4edebc643

SHA1
840c151145809f83fd9d99468ae4e6bc74f1d0a7

SHA256
ebc04b8e219a361ecf9d27cc0e73798c65fca3be15d96f8e359293bd04f27533

SHA512
88bea9a7ee7aec5c3aede80555df55c69237e5e09f4ebf318b46422363c8079b48559900aa216e620f13f5cc1b89c6f04a5fbc2c3de3d6b179cbfcc987388665

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
93KB

MD5
8fa6207b66d2165c8cea156b57c30960

SHA1
1629e2d6f663344aaab7607c4c08ab085f75a64b

SHA256
1ce678c4ddfd40f996b075158894c39165118688fc342c22213f588dd9148840

SHA512
36bb74668c790d35512a949ad18e0e06875bb662510eaa224951bf90a74be4ceb3b28115866bc5d04fe11a5b43d9d2a8a9568e282c29fe58cd713ff6c6ef5168

Download Submit
memory/64-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/368-441-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/424-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/444-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/448-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/548-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/724-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/752-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/760-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1116-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1160-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1168-531-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1188-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1260-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1376-678-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1452-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1528-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1636-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1688-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1708-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1716-524-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1744-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1800-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1808-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1868-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1880-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1928-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1964-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1964-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2028-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2032-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2128-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2252-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2264-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2292-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2484-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2492-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2496-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2504-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2560-677-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2688-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2688-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2744-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2928-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2936-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2956-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3012-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3012-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3216-406-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3316-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3540-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3564-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3612-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3624-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3700-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3740-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3756-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3756-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3764-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3780-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3788-459-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3840-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3972-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4068-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4088-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4088-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4088-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4116-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4268-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4308-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4340-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4388-447-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4424-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4452-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4456-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4488-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4488-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4512-427-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4540-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4540-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4564-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4568-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4572-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4612-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4632-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4720-585-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4756-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4768-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4852-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4860-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4876-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4876-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4888-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4912-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4940-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4944-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5016-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5028-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download