berbew | 4ee8817ae0415822baf53a17f7b1d025fccbcde90d4fe942c664aef7892667a7

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2024 08:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ee8817ae0415822baf53a17f7b1d025fccbcde90d4fe942c664aef7892667a7.exe
Size

93KB
MD5

38f156b301df460fc7f456a5c4ef3bc1
SHA1

2015047ed4d7fa99f835624e222476fecf50e3fe
SHA256

4ee8817ae0415822baf53a17f7b1d025fccbcde90d4fe942c664aef7892667a7
SHA512

196b7ccf6df1a2a00138655221c36b8d4d2e9fc97ee34247ec67c3c810e1d740fb2187cc92ef04f0340e1b8dd795a724861198585b55d8589118d4659036a0cf
SSDEEP

1536:TXOCrsnPN5WtgGwR1ziLgJAgj391DaYfMZRWuLsV+1R:TFtCggZNgYfc0DV+1R

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Mlcifmbl.exeCmiflbel.exeCnicfe32.exeChagok32.exeBaicac32.exeMdjagjco.exeMelnob32.exeCdhhdlid.exePnakhkol.exeQgqeappe.exeQmmnjfnl.exeBclhhnca.exeOneklm32.exeCenahpha.exeDaconoae.exePdifoehl.exeBcoenmao.exeDaekdooc.exeDddhpjof.exeBnpppgdj.exeOjgbfocc.exeBfhhoi32.exeCmgjgcgo.exeCjinkg32.exeCajlhqjp.exeOnhhamgg.exeOgbipa32.exeDoilmc32.exeMibpda32.exeNnlhfn32.exeOdkjng32.exePqbdjfln.exeNjciko32.exeOnjegled.exeAfoeiklb.exeQmkadgpo.exeAgglboim.exeBebblb32.exeCjmgfgdf.exeOddmdf32.exePnonbk32.exePjhlml32.exeBchomn32.exeCdcoim32.exePcijeb32.exeMdmnlj32.exeOfqpqo32.exeNdcdmikd.exeNeeqea32.exeOpdghh32.exeQceiaa32.exeCfmajipb.exePggbkagp.exeChmndlge.exeDdjejl32.exeDjgjlelk.exePgioqq32.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlcifmbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdjagjco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Melnob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oneklm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mibpda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnlhfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njciko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmnlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndcdmikd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgioqq32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 64 IoCs

Processes:

Mchhggno.exeMibpda32.exeMlampmdo.exeMckemg32.exeMeiaib32.exeMlcifmbl.exeMdjagjco.exeMelnob32.exeMlefklpj.exeMdmnlj32.exeMiifeq32.exeNpcoakfp.exeNgmgne32.exeNljofl32.exeNcdgcf32.exeNgpccdlj.exeNlmllkja.exeNdcdmikd.exeNeeqea32.exeNnlhfn32.exeNdfqbhia.exeNjciko32.exeNdhmhh32.exeNggjdc32.exeNjefqo32.exeOdkjng32.exeOjgbfocc.exeOpakbi32.exeOcpgod32.exeOneklm32.exeOpdghh32.exeOfqpqo32.exeOnhhamgg.exeOqfdnhfk.exeOcdqjceo.exeOnjegled.exeOddmdf32.exeOgbipa32.exeOjaelm32.exePcijeb32.exePnonbk32.exePdifoehl.exePggbkagp.exePnakhkol.exePqpgdfnp.exePcncpbmd.exePgioqq32.exePjhlml32.exePqbdjfln.exePgllfp32.exePnfdcjkg.exePqdqof32.exePcbmka32.exeQmkadgpo.exeQceiaa32.exeQgqeappe.exeQmmnjfnl.exeQgcbgo32.exeAnmjcieo.exeAcjclpcf.exeAjckij32.exeAmbgef32.exeAgglboim.exeAmddjegd.exe

pid	Process
3940	Mchhggno.exe
648	Mibpda32.exe
3532	Mlampmdo.exe
3944	Mckemg32.exe
4596	Meiaib32.exe
1520	Mlcifmbl.exe
4448	Mdjagjco.exe
1824	Melnob32.exe
4588	Mlefklpj.exe
1512	Mdmnlj32.exe
1912	Miifeq32.exe
4016	Npcoakfp.exe
532	Ngmgne32.exe
3432	Nljofl32.exe
3356	Ncdgcf32.exe
4424	Ngpccdlj.exe
4804	Nlmllkja.exe
3636	Ndcdmikd.exe
3324	Neeqea32.exe
4772	Nnlhfn32.exe
2932	Ndfqbhia.exe
1584	Njciko32.exe
636	Ndhmhh32.exe
1988	Nggjdc32.exe
1152	Njefqo32.exe
4544	Odkjng32.exe
2440	Ojgbfocc.exe
1464	Opakbi32.exe
4008	Ocpgod32.exe
3216	Oneklm32.exe
1124	Opdghh32.exe
2696	Ofqpqo32.exe
1604	Onhhamgg.exe
3820	Oqfdnhfk.exe
3600	Ocdqjceo.exe
4044	Onjegled.exe
3424	Oddmdf32.exe
4324	Ogbipa32.exe
3040	Ojaelm32.exe
1168	Pcijeb32.exe
1280	Pnonbk32.exe
1792	Pdifoehl.exe
2164	Pggbkagp.exe
4280	Pnakhkol.exe
3192	Pqpgdfnp.exe
1948	Pcncpbmd.exe
3924	Pgioqq32.exe
208	Pjhlml32.exe
3348	Pqbdjfln.exe
1128	Pgllfp32.exe
2756	Pnfdcjkg.exe
3236	Pqdqof32.exe
1904	Pcbmka32.exe
3664	Qmkadgpo.exe
4940	Qceiaa32.exe
4128	Qgqeappe.exe
4984	Qmmnjfnl.exe
3316	Qgcbgo32.exe
1068	Anmjcieo.exe
4472	Acjclpcf.exe
428	Ajckij32.exe
1144	Ambgef32.exe
2640	Agglboim.exe
1804	Amddjegd.exe

Drops file in System32 directory 64 IoCs

Processes:

Mckemg32.exePggbkagp.exeBjokdipf.exeCenahpha.exeCmqmma32.exeNlmllkja.exeNnlhfn32.exeQceiaa32.exeAgglboim.exeAfoeiklb.exeChmndlge.exeCeqnmpfo.exeNljofl32.exeOnhhamgg.exeAmddjegd.exeBffkij32.exeCmgjgcgo.exeNdcdmikd.exeBnhjohkb.exeDdmaok32.exeNgpccdlj.exeOjaelm32.exeBchomn32.exePgllfp32.exeBmemac32.exeDaqbip32.exeDfpgffpm.exeDddhpjof.exeNggjdc32.exeCjmgfgdf.exeCnicfe32.exeCjpckf32.exePnakhkol.exeBebblb32.exeBnpppgdj.exeDfiafg32.exeDaconoae.exeCffdpghg.exeNeeqea32.exeBalpgb32.exeBfhhoi32.exeCeckcp32.exeChagok32.exeOfqpqo32.exeQmmnjfnl.exeAabmqd32.exeCjinkg32.exeMlcifmbl.exeNjciko32.exeBaicac32.exeBcjlcn32.exeNdfqbhia.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Meiaib32.exe	Mckemg32.exe
File created	C:\Windows\SysWOW64\Gjgfjhqm.dll	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Bneljh32.dll	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Goaojagc.dll	Nlmllkja.exe
File created	C:\Windows\SysWOW64\Ndfqbhia.exe	Nnlhfn32.exe
File created	C:\Windows\SysWOW64\Qgqeappe.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Amddjegd.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Bfddbh32.dll	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Ncdgcf32.exe	Nljofl32.exe
File opened for modification	C:\Windows\SysWOW64\Oqfdnhfk.exe	Onhhamgg.exe
File created	C:\Windows\SysWOW64\Maghgl32.dll	Amddjegd.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Neeqea32.exe	Ndcdmikd.exe
File opened for modification	C:\Windows\SysWOW64\Aminee32.exe	Afoeiklb.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Bnhjohkb.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Nlmllkja.exe	Ngpccdlj.exe
File opened for modification	C:\Windows\SysWOW64\Pcijeb32.exe	Ojaelm32.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Bchomn32.exe
File created	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pgllfp32.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Diphbb32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Njefqo32.exe	Nggjdc32.exe
File created	C:\Windows\SysWOW64\Gpaekf32.dll	Onhhamgg.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Jocbigff.dll	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Nodfmh32.dll	Mckemg32.exe
File created	C:\Windows\SysWOW64\Jlingkpe.dll	Ngpccdlj.exe
File opened for modification	C:\Windows\SysWOW64\Nnlhfn32.exe	Neeqea32.exe
File created	C:\Windows\SysWOW64\Hjjdjk32.dll	Balpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Onhhamgg.exe	Ofqpqo32.exe
File created	C:\Windows\SysWOW64\Qgcbgo32.exe	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Afoeiklb.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Kiljkifg.dll	Mlcifmbl.exe
File created	C:\Windows\SysWOW64\Ndhmhh32.exe	Njciko32.exe
File created	C:\Windows\SysWOW64\Laqpgflj.dll	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Acnlgp32.exe	Amddjegd.exe
File created	C:\Windows\SysWOW64\Baicac32.exe	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Njciko32.exe	Ndfqbhia.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
5756	5544	WerFault.exe	207

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Npcoakfp.exeQgcbgo32.exeCjpckf32.exeDjgjlelk.exePqpgdfnp.exeBfabnjjp.exeDaekdooc.exeDddhpjof.exePqbdjfln.exeAndqdh32.exeCmgjgcgo.exeChagok32.exeCdhhdlid.exeCmqmma32.exeNjefqo32.exeOneklm32.exeOpdghh32.exeBjagjhnc.exeDfnjafap.exeOjgbfocc.exePdifoehl.exeCfmajipb.exeOjaelm32.exeBfhhoi32.exeCenahpha.exeDdmaok32.exeAnmjcieo.exeAabmqd32.exeBebblb32.exeBclhhnca.exeBmemac32.exeDfpgffpm.exeNjciko32.exeOgbipa32.exeBjokdipf.exeBnpppgdj.exeChmndlge.exeOnhhamgg.exeCfpnph32.exeCnicfe32.exeQceiaa32.exeAcjclpcf.exeCjinkg32.exeCmlcbbcj.exeMdjagjco.exePjhlml32.exeBchomn32.exeDfiafg32.exeMiifeq32.exeNcdgcf32.exeDoilmc32.exeOqfdnhfk.exeOcdqjceo.exeQgqeappe.exeAminee32.exeMlampmdo.exeMelnob32.exeOnjegled.exeAcnlgp32.exeCeckcp32.exeDaconoae.exeNgmgne32.exeNgpccdlj.exePcncpbmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npcoakfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdjagjco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miifeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncdgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlampmdo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Melnob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngmgne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpccdlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe

Modifies registry class 64 IoCs

Processes:

Cfpnph32.exeMibpda32.exeMdmnlj32.exeNdhmhh32.exeAfoeiklb.exeCjmgfgdf.exeDdmaok32.exeDaekdooc.exeNdfqbhia.exeOddmdf32.exeMlcifmbl.exeNlmllkja.exeNggjdc32.exeOdkjng32.exeAmddjegd.exeBfabnjjp.exeDmcibama.exe4ee8817ae0415822baf53a17f7b1d025fccbcde90d4fe942c664aef7892667a7.exeDaconoae.exePcijeb32.exeCmqmma32.exeDfpgffpm.exeNgmgne32.exeNjefqo32.exePgllfp32.exeAjckij32.exeCmiflbel.exeDfiafg32.exeDjgjlelk.exeMiifeq32.exeNgpccdlj.exePjhlml32.exeBnhjohkb.exeBcoenmao.exeDdjejl32.exeMlampmdo.exePnonbk32.exeCnicfe32.exeDkifae32.exeQgqeappe.exeQmmnjfnl.exeAcnlgp32.exeBfhhoi32.exeBnpppgdj.exeNpcoakfp.exeOqfdnhfk.exePnakhkol.exePqbdjfln.exePcbmka32.exeOpakbi32.exeOjaelm32.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gijlad32.dll"	Mibpda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mibpda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocljjj32.dll"	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqckln32.dll"	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlcifmbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlmllkja.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnodjf32.dll"	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maghgl32.dll"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	4ee8817ae0415822baf53a17f7b1d025fccbcde90d4fe942c664aef7892667a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbnapki.dll"	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njefqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibaabn32.dll"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjlibkf.dll"	Miifeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlingkpe.dll"	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlampmdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkbljp32.dll"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhmkaf32.dll"	4ee8817ae0415822baf53a17f7b1d025fccbcde90d4fe942c664aef7892667a7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goaojagc.dll"	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agocgbni.dll"	Npcoakfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmgabj32.dll"	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kiljkifg.dll"	Mlcifmbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Halpnqlq.dll"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajckij32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4ee8817ae0415822baf53a17f7b1d025fccbcde90d4fe942c664aef7892667a7.exeMchhggno.exeMibpda32.exeMlampmdo.exeMckemg32.exeMeiaib32.exeMlcifmbl.exeMdjagjco.exeMelnob32.exeMlefklpj.exeMdmnlj32.exeMiifeq32.exeNpcoakfp.exeNgmgne32.exeNljofl32.exeNcdgcf32.exeNgpccdlj.exeNlmllkja.exeNdcdmikd.exeNeeqea32.exeNnlhfn32.exeNdfqbhia.exe

description	pid	Process	procid_target
PID 716 wrote to memory of 3940	716	4ee8817ae0415822baf53a17f7b1d025fccbcde90d4fe942c664aef7892667a7.exe	83
PID 716 wrote to memory of 3940	716	4ee8817ae0415822baf53a17f7b1d025fccbcde90d4fe942c664aef7892667a7.exe	83
PID 716 wrote to memory of 3940	716	4ee8817ae0415822baf53a17f7b1d025fccbcde90d4fe942c664aef7892667a7.exe	83
PID 3940 wrote to memory of 648	3940	Mchhggno.exe	84
PID 3940 wrote to memory of 648	3940	Mchhggno.exe	84
PID 3940 wrote to memory of 648	3940	Mchhggno.exe	84
PID 648 wrote to memory of 3532	648	Mibpda32.exe	85
PID 648 wrote to memory of 3532	648	Mibpda32.exe	85
PID 648 wrote to memory of 3532	648	Mibpda32.exe	85
PID 3532 wrote to memory of 3944	3532	Mlampmdo.exe	86
PID 3532 wrote to memory of 3944	3532	Mlampmdo.exe	86
PID 3532 wrote to memory of 3944	3532	Mlampmdo.exe	86
PID 3944 wrote to memory of 4596	3944	Mckemg32.exe	87
PID 3944 wrote to memory of 4596	3944	Mckemg32.exe	87
PID 3944 wrote to memory of 4596	3944	Mckemg32.exe	87
PID 4596 wrote to memory of 1520	4596	Meiaib32.exe	88
PID 4596 wrote to memory of 1520	4596	Meiaib32.exe	88
PID 4596 wrote to memory of 1520	4596	Meiaib32.exe	88
PID 1520 wrote to memory of 4448	1520	Mlcifmbl.exe	89
PID 1520 wrote to memory of 4448	1520	Mlcifmbl.exe	89
PID 1520 wrote to memory of 4448	1520	Mlcifmbl.exe	89
PID 4448 wrote to memory of 1824	4448	Mdjagjco.exe	90
PID 4448 wrote to memory of 1824	4448	Mdjagjco.exe	90
PID 4448 wrote to memory of 1824	4448	Mdjagjco.exe	90
PID 1824 wrote to memory of 4588	1824	Melnob32.exe	91
PID 1824 wrote to memory of 4588	1824	Melnob32.exe	91
PID 1824 wrote to memory of 4588	1824	Melnob32.exe	91
PID 4588 wrote to memory of 1512	4588	Mlefklpj.exe	92
PID 4588 wrote to memory of 1512	4588	Mlefklpj.exe	92
PID 4588 wrote to memory of 1512	4588	Mlefklpj.exe	92
PID 1512 wrote to memory of 1912	1512	Mdmnlj32.exe	93
PID 1512 wrote to memory of 1912	1512	Mdmnlj32.exe	93
PID 1512 wrote to memory of 1912	1512	Mdmnlj32.exe	93
PID 1912 wrote to memory of 4016	1912	Miifeq32.exe	94
PID 1912 wrote to memory of 4016	1912	Miifeq32.exe	94
PID 1912 wrote to memory of 4016	1912	Miifeq32.exe	94
PID 4016 wrote to memory of 532	4016	Npcoakfp.exe	95
PID 4016 wrote to memory of 532	4016	Npcoakfp.exe	95
PID 4016 wrote to memory of 532	4016	Npcoakfp.exe	95
PID 532 wrote to memory of 3432	532	Ngmgne32.exe	96
PID 532 wrote to memory of 3432	532	Ngmgne32.exe	96
PID 532 wrote to memory of 3432	532	Ngmgne32.exe	96
PID 3432 wrote to memory of 3356	3432	Nljofl32.exe	97
PID 3432 wrote to memory of 3356	3432	Nljofl32.exe	97
PID 3432 wrote to memory of 3356	3432	Nljofl32.exe	97
PID 3356 wrote to memory of 4424	3356	Ncdgcf32.exe	98
PID 3356 wrote to memory of 4424	3356	Ncdgcf32.exe	98
PID 3356 wrote to memory of 4424	3356	Ncdgcf32.exe	98
PID 4424 wrote to memory of 4804	4424	Ngpccdlj.exe	99
PID 4424 wrote to memory of 4804	4424	Ngpccdlj.exe	99
PID 4424 wrote to memory of 4804	4424	Ngpccdlj.exe	99
PID 4804 wrote to memory of 3636	4804	Nlmllkja.exe	100
PID 4804 wrote to memory of 3636	4804	Nlmllkja.exe	100
PID 4804 wrote to memory of 3636	4804	Nlmllkja.exe	100
PID 3636 wrote to memory of 3324	3636	Ndcdmikd.exe	101
PID 3636 wrote to memory of 3324	3636	Ndcdmikd.exe	101
PID 3636 wrote to memory of 3324	3636	Ndcdmikd.exe	101
PID 3324 wrote to memory of 4772	3324	Neeqea32.exe	102
PID 3324 wrote to memory of 4772	3324	Neeqea32.exe	102
PID 3324 wrote to memory of 4772	3324	Neeqea32.exe	102
PID 4772 wrote to memory of 2932	4772	Nnlhfn32.exe	103
PID 4772 wrote to memory of 2932	4772	Nnlhfn32.exe	103
PID 4772 wrote to memory of 2932	4772	Nnlhfn32.exe	103
PID 2932 wrote to memory of 1584	2932	Ndfqbhia.exe	104

C:\Users\Admin\AppData\Local\Temp\4ee8817ae0415822baf53a17f7b1d025fccbcde90d4fe942c664aef7892667a7.exe
"C:\Users\Admin\AppData\Local\Temp\4ee8817ae0415822baf53a17f7b1d025fccbcde90d4fe942c664aef7892667a7.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:716
- C:\Windows\SysWOW64\Mchhggno.exe
  C:\Windows\system32\Mchhggno.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3940
- - C:\Windows\SysWOW64\Mibpda32.exe
    C:\Windows\system32\Mibpda32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:648
  - - C:\Windows\SysWOW64\Mlampmdo.exe
      C:\Windows\system32\Mlampmdo.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3532
    - - C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3944
      - C:\Windows\SysWOW64\Meiaib32.exe
        
        C:\Windows\system32\Meiaib32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4596
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:532
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3356
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3636
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3324
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4772
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1584
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:636
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1152
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4544
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2440
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        30⤵
        Executes dropped EXE
        
        PID:4008
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3216
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1124
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2696
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1604
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3820
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3600
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4044
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3424
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4324
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3040
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1168
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1280
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1792
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2164
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4280
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3192
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3924
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:208
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3348
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1128
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        52⤵
        Executes dropped EXE
        
        PID:2756
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        53⤵
        Executes dropped EXE
        
        PID:3236
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1904
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3664
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4940
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4128
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4984
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3316
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1068
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4472
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:428
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        63⤵
        Executes dropped EXE
        
        PID:1144
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2640
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        66⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1768
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:3068
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1600
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1108
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:4888
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        71⤵
        
        PID:512
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        72⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4696
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3036
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1632
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4584
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2392
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:748
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        78⤵
        Drops file in System32 directory
        
        PID:1060
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:460
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        80⤵
        Drops file in System32 directory
        
        PID:2288
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        81⤵
        Drops file in System32 directory
        
        PID:2828
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3456
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1692
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3656
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3640
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5040
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3872
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5140
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        92⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5184
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        94⤵
        Drops file in System32 directory
        
        PID:5292
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5336
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:5488
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        99⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5532
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5584
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        101⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5628
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5676
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5716
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        104⤵
        Drops file in System32 directory
        
        PID:5760
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        105⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5808
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5852
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        107⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        108⤵
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        109⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6032
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        111⤵
        Drops file in System32 directory
        
        PID:6076
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:6120
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        113⤵
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        115⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5312
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5408
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5468
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        119⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5544 -s 404
        120⤵
        Program crash
        
        PID:5756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5544 -ip 5544
1⤵
PID:5668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
93KB

MD5
abe636faba92003fbf98080db431edf5

SHA1
476ab684c6f064488192b4ad85ce7733a950d28d

SHA256
44a116cbdc76c6d036af5eb3fb8b241261390e27c065c5e3f6c15a3405520c4f

SHA512
a59838d6b3c1a6cf64b04175eff0ff5a22951115a21590eef84f2ef7c46694c71e269985e41258aeba07b8aed413cbce537f45f003f61671d377aaef97ff3772

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
93KB

MD5
f8929881c77d249654084c4d47c0cdf5

SHA1
22206c2945778b8c8e0eb54ca3a1a0a8ef011a1d

SHA256
4486f2e5d9566e0413bd89ffe766e7b32562258b91c9011520b0b19ce5778073

SHA512
c020d56a7f0d45174825201590e18f7019c7e8ede361df2fb985876eb4f277701f889fbbc99e758257e7da18daac7c4fd20ec6529b51d520e88bdc5117c616a0

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
93KB

MD5
175d63663505d695d413c63c23548d56

SHA1
f6241ae673205a13aadbc647f0dab86b8ea5bcaa

SHA256
342f2ea49df240d1aa921e097dcf4496ff1c19c0908f2b431891dbc06b5fcb5c

SHA512
0705585ff89243073dbac5a8ebbdf5b6c993df210c0f39d945b58b01a4a60f9c593079ef32c9fe780df03453e7ec9c92ffecf4c66c2bd3f5abd44821bbbf775b

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
93KB

MD5
0ed5c6a4a98989af82b369983fa226a8

SHA1
2cb71905f4eba8acde374e86d70a7ceb972005d1

SHA256
0db2816efaf2a88bf4a2ed886c70b26d730e3c3c2475b0ef8728bcd39752b76f

SHA512
64ccbdf2965889acd78d4dee17e9e47d28c98912ef408e174060470f0fd755e2c63c347dc3c8708bc64b152141b0e07e534d5ddceec7efc19eecb891155c789c

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
93KB

MD5
3d5380d1c221d3c85774f0b5b90d5dc7

SHA1
43ad4ab290784b2c5dc968ab5be35138f98fcad5

SHA256
481c2690fc049c239f2ec4429320b98800fbcbcc90aed578648f3ef304c5192f

SHA512
2dbc87c0238675d41e8279bc5f7930e3e8022c9fb5c01c24c3130e9fccc596b66009e70a5114f7d15e27e24946f02db186caced4ecb13a38349583fddc937785

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
93KB

MD5
8943797738161563ae1fbfeb94a32d24

SHA1
3c4db527f8279f185ad9f05e926751d9592038a6

SHA256
438f874d977e04b6f061954a0925459de4ad23d6c107ca9f2b2a3b46c88cf940

SHA512
822242ba9322323fe71b8b1e5ebfcfcd998e1f79609ea6c021baeda88a3c6edfe35b335679b2313c3f0208d7f96ffaad3a6b6e7702f04bb5b58d4aaf2baf978c

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
93KB

MD5
8b090de7466fa4a94f3a56ac5eadaa4d

SHA1
2f6af836cd200de9a0249c06071f26d77f349f38

SHA256
082cd5f6fcd3b4e58bcfd0d260d31c2967d84f238186ea0c81c39ab285f10a11

SHA512
d2311fe54e5fab985f813ac8c7a60c5843129eb1b61cb80c1ce3101809a3c7d516029eda1af8a1970e47b69939a3d6e517d3bbac8d3dcab626c1de0095832efb

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
93KB

MD5
94853a5c6b29392eaccd38dacc4d0825

SHA1
31ec239605bf78ba3438878f7bdeada17dde8f36

SHA256
16f324e0e2df5336c575144a4019f9c0e56e533458d2bf4afc9bfe266c91fbfa

SHA512
ea95ebb958fcc9415cd298a2f0c0c0fe201ae8c45a9380aaaae4c78e579165a264b3db0a1730555a4038ffda564a07db7596831470ff180ab849598ff89e7dc0

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
93KB

MD5
641edd39b1aacb312127caeb04aafe00

SHA1
8fc1bfc66cd677563b5618d70bc83debf977f1bd

SHA256
c72f053200be7d31da3733da0cacbb6001973841ef6c6a1345463f009b9203c2

SHA512
2ec3b0485736f1a9a8f9a287d61604f717a16234a96c1ccda1c5d00ab941ec6170062a4b54bdd653b372e2cf5921f04904a3810073395ef8bb723b005351b768

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
93KB

MD5
5c9cb777a6f875f0c271ec96c02a947b

SHA1
911c2e6e7ea7cd1091fde2fc34b5de3ac5acdb46

SHA256
1635bd2bb5bfd2da8087bb44c3f3d767c705b0c190f23ddda56dca765e58226f

SHA512
6f7aa8bd7de9f84ab80462c062da6fd9bcf4d6f7405212988b0e07118d828229333d99922ab8f41f24071678cf34c10ee26e822acb0f04f4939c44e5f6bd6371

Download Submit
C:\Windows\SysWOW64\Mchhggno.exe

Filesize
93KB

MD5
14046ea95d2468e8a99ef09adaf7d915

SHA1
b0e660a4330a0505f1f83f2543f825f76a4ac94d

SHA256
ecf08e3b08bbde76308e890dbbd77f7e3197376b2eedb3228dc1868ab7bd838f

SHA512
a234eead5043c6caf42ea08db280f7d9d6c4fbddf0d687328b77037be5d3bb7390b26ce934d1108e11cb2332c236b02eb2f6edd7be8286b22c8890e74495e2e2

Download Submit
C:\Windows\SysWOW64\Mckemg32.exe

Filesize
93KB

MD5
8abf30c11ee1e42acc611a0c53a46f5b

SHA1
12e5b4c152d75ef6baa8c6c991a58a235556b54c

SHA256
53a006c82a078113a7a8bd8425ae855b2c14faa8351c6a11a264175dd7da8d29

SHA512
13d43f543620082564484852308ae406af45b5adccd16b6072e5980d2dcce7e68f3afd7e5dc21b9568c46a31cb176e6f4804fb1d527bc7d5d5dcfddf2c4e1c97

Download Submit
C:\Windows\SysWOW64\Mdjagjco.exe

Filesize
93KB

MD5
61101142a4e0c0e745c2425779ef88ac

SHA1
94933268c4878c1f8ffa9b55dfce99dbc5236b25

SHA256
a44b124d54636a3f8c2a3b27274ec2b749c1e72f89434c6df5d01edb55209b86

SHA512
ffec872bbc8ccb4adda688594b1c9de3f3e10dfdad3a83491e439268c50b057b67a1786481db8f191226ac85e0d2affa5de61805ef0adf1ed394692aa9866144

Download Submit
C:\Windows\SysWOW64\Mdmnlj32.exe

Filesize
93KB

MD5
190dc2e829f7294390ff5c512e4087e2

SHA1
5ad922eeb198c3d93e8cc6ee9fa414f29eecd5ba

SHA256
eb9038c3716e4305e62d0765d97eb0a8501d89a5248d5deb6d53f3f44a17a6d8

SHA512
d519858794780967657c898f9bfce53071ff90fe808071913263af07a0302fabeaf6c3f342491a92d81d53b40e7094272edce0757d05bf32c69673637a804c0d

Download Submit
C:\Windows\SysWOW64\Meiaib32.exe

Filesize
93KB

MD5
d3049f5c76ca9d90656748ccea94340d

SHA1
6cfc533a0540af1a3e4ce7b92b8aee3fc5db5f52

SHA256
e5844ee839ad5595dd0dcfb9b706bab9be9168cf298e3519c38d3db53a4069c2

SHA512
8b9a399415340fe6c4b4bacd40edff3108ea7a2d79ddc723ccd465beb28b31255637d41ba2614b5a172e150f3561ab3baee6403c14ca0a450f4fae46479d67d1

Download Submit
C:\Windows\SysWOW64\Melnob32.exe

Filesize
93KB

MD5
52a1d4aa750a818c81f93100c8b29901

SHA1
2079475a978d629a066482f57af3881bd95b0c16

SHA256
c06702487c948496011010148b423a7dea9d0c8e531a608d65f6c7a7ffe38cca

SHA512
aa8622ece4f5c7f5fd4366951c0fed97f7625e235fd9b84559ec07a5ac769c1f3261b7923fdd737045f480dfcb5fe8b818c0680d08cc3bd8b3cea8a0f360d51c

Download Submit
C:\Windows\SysWOW64\Mibpda32.exe

Filesize
93KB

MD5
177bb46fb06737bbba57123d5fa56901

SHA1
f6e487ac8c2c7f36d4104b8869208af67b9a8a51

SHA256
c17462d2705f25a82e2319ce40c4b823da6d3742edbe528e0d98deb8ebc0d2ea

SHA512
5d8a313c91b04c7cf17bdde1a9acee737a15b2238df8ca399601ab5b2ffb9f7b77d6c40b60c0dbed1a2ba771b7c73e57bea5bd7854ff9c00580305496b1c8de1

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
93KB

MD5
617a94ce6cce32a89873757478b6e90e

SHA1
4e5ef2e5b0b97af5f48afca801250fe6b13e49a0

SHA256
9a596a2db706d66573f28363a109a13d5999a3e1b43fc328a200e45a3e2e9fb0

SHA512
83c68e16fb88874df1b52be9d92320a0acb4d46c35aa44e047ff1f858aae33111f07e98ef774983ae2126766456ffb71a5e4068c6a857514058dcf99306fbc17

Download Submit
C:\Windows\SysWOW64\Mlampmdo.exe

Filesize
93KB

MD5
2f0718edf847879b19cf25bf3b32593c

SHA1
dc49fd3c2362a020533e9dd0ddf77a0a41ea82f6

SHA256
78682ad672cfd68d206720090990a01df082583e246e789f73426a8da733b30f

SHA512
0bdc721b9c100f41b330e27fb302dac5405b1667725a22f80b9ab6fec970e00992b29628e6cd1d95c511b508f9f4b69b0a5fc9bf612d545de26c33397044311d

Download Submit
C:\Windows\SysWOW64\Mlcifmbl.exe

Filesize
93KB

MD5
138e6e0f19fb7ccdee1ba971ae5b7076

SHA1
e0f0a7e4d8759397ce85712099f030b7f8a76349

SHA256
d52ad23b2eb61db5eb7384034bcb6b36e45cefb0afd00c933084d84c8e186dd7

SHA512
d47903d01aa0a548fd6a0af910ce296b17662cfbfa4eba9f7d018ed2419167d2b619cbcca6a78231533ebafe3208d889ef50c2bd00d0415a02a0fa9eabb24c9f

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
93KB

MD5
66ff81ccdf8520ad10a3d8bbe56e5b35

SHA1
b2c990779f8e76ba828e6ffadfa8c72a16f80387

SHA256
7b7f03c103b32734f023e20c036f05f7fb02f73125bf9805dd261af4bdbcd71f

SHA512
2c6521cb503b6c7f1f65c91a1d6d56eaa0d6fef761ed4c5380aa8a81d709f08c4c2cb917fbaaab5a2207ed88890a75cdbaf4b31c885e710f3cd760260e670dff

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
93KB

MD5
c0c2b446cf703663812c1bd412eec051

SHA1
a0b7ca2440b5ed3cdc546edeaf7627f4c80ecbed

SHA256
46aacf1967544f017afd392be95fed84e6e273244af7551fff391db441b622c8

SHA512
ef7b2b1adb0894cd1c503a4c07559c119e188c894ad0e3f015b94dd7c9a0549e087aa1c201b9f016e1b56541ed05f15f42cd1f24a7716c02164b233696490ae0

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
93KB

MD5
c80ffa069549dc54928a0e9c7d58af30

SHA1
c0122428e8c9f22183675d01ca787ac01b667ddb

SHA256
475024e6f6b2751911aed420d40d38044e21cc9ee2eedae5eb08aa1ab1647e3e

SHA512
5d7559da053acecd07267d95292f097001d375da7ec681172c7697d263cf5faeb956ff3b780dee5376d0517992aab090c08fe818b54c2137219949d31a7c98d2

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
93KB

MD5
3e5184af5f1238964f6e5e48b468a9a0

SHA1
02be5f71998b8c9b17e28256e2bdf2257fd0b32d

SHA256
a547d7d3eb2b397905eacb6b789aef91f0aaff70456e743bfa10f80fe11de483

SHA512
49b55c611cfddd5df166e24866ca8e2e6df673d767cb3b12c93eb1330e2b7cddf4d038a39787960ac14810a665c209a6663c9acc5295411c33106266a8842e01

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
93KB

MD5
6d73e5a7ef26d3066650c361c91321d7

SHA1
0e47c06b8c634acd1643bee1a203b8e19519a360

SHA256
107fe9e6c6ec88798cda9ccf07e12526827fd28d52d4af9c930023b4ac5a2c90

SHA512
fc703e760c8ba46aa3a0038fbcdd9dd87b3af573237606bbcdbed477b0804e6d6e46995476b30978a0f34268e134c3c4d073d3630e30154b3e07a90356b83939

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
93KB

MD5
68e9e3ff28d8397a6b83b615c74aa671

SHA1
723d85507d36bbce69ad4e2de742b1e13bd377ee

SHA256
5ef584ecefaed59d3fc8cf6683272b4544fabc5d1bc866e1c2ec3b15c15966dc

SHA512
cb2fa2563523b4401abdb21b1658fe38ba65ed86f46ac12d2d17b8243da167a06d6a5d632ac8041c15afcdf2c451dbd0e6ef9b98cfc94d3055c6842af72f3696

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
93KB

MD5
24f41a1579cae7d25dcc8a90a0d9be49

SHA1
4fd83a96c3683066cc3501ab31b4b766d281c992

SHA256
70ea11eb19ad12408f04a38d71365e607e24eba065e33bd22ea0a2815ea7ceb2

SHA512
7865b4ad30b8572ef597c4f3f1edd81e67edd5fb6b370a4b1fd246f6a45fd33c4126ece1a26948b337cfb2082bbcbaadec31f58573932faab073b45b5902d41c

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
93KB

MD5
7e737566ae5c056c91b35a7a3d491b01

SHA1
cdba3544cc569ee03df68a9ffd2b9c20f31cf883

SHA256
0810e406a1ea48869fce3c95edb86a2fd168246253f1df379279f12fb0a04c84

SHA512
8f291995dcbdb3b766f4e329659a9a367c0cadb386028450d04b1c0ae09a38035b800a6416397660a8b28470805d66cd00573fae62beff9ed3882ddcce3639ba

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
93KB

MD5
145f4d1e5bff8bfb61c3230bc66c417a

SHA1
21d4fa936f93de3e063ffa0abe9f5a9d36589a25

SHA256
92180dcbe84cc80eee6d572b4de2cd1a40aeec80f2301f4ce3087237c2f2cd5c

SHA512
31d856be0f4fdddf0eeb362dac12cee323585ce4e22a41eb0caeec016d184923ba502c80a94e668a4346769a367a895ad7446029db3471b169a57800b5fa93f3

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
93KB

MD5
685ea0cab6effd2b50636060410f74e7

SHA1
ef2241cdd174de9eb0bb03cc182a9e4274b0e70b

SHA256
4e1d357d559b5a4b3be6d9660a983635652e21d3d484b7db590e60c02ae74498

SHA512
ba7c5b775bdfd8f73ba8e8331973797b8c1833aa652ccb6d7facf8e4b36fdcf790a50d7101b6a3f08832975fb868aafdcb9d6598d9aaefbf6fda9157df80a4d0

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
93KB

MD5
174c4c4878d895ecb56c1e9717c88f6a

SHA1
3e49d86593c689d39f5ab5e6effa1d145e6014d3

SHA256
3a38cb448ce52aef2664e46c440b5820005f33c449d162652b2e1b16f127e933

SHA512
26455779ff8d8cd48b4dc48fb4bc9a1cd2cb3f4973d36de245844e4b52661a96396c682bfdd14b960bb9dd237240bf7bababd4328fd79857277aec81a96e61e7

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
93KB

MD5
a537215d56ea881398dff91fab94db9c

SHA1
34952c846dbd67be3a1d914a2247254b8e078821

SHA256
6d1bc87f9c1b0dd7e892db3650b3924befae313b6018073b2d59cf89068f6935

SHA512
a36638b3e17cc625634b131854245d0d898f83af7ad9cff1c2011f95b4020f41a039a809d5b7de47333f88de7bd8281b2f0720de6dabf8003269509f10203bea

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
93KB

MD5
f5b30f4f7a8210fd0ff23d4f8b500e3b

SHA1
07a044b26bd48958d1bb605d7a04047eb7d21208

SHA256
36706b40a9ffd2853158bccc8a3ccfa3b990e55096192783e5180a4741da971d

SHA512
183fb5428fe4ea98c67ef4e2493c95506e68b54b22de1397ccbd0f045f220eea9f3331a896395d5cb1fa88afd9369eede4a2cd5141ccd78afd2592a1891ae9ac

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
93KB

MD5
5b63b86c336b12ed6351506ba7acfb98

SHA1
246f73966aaee803f4cce59111f08bd4a03ab6ee

SHA256
13f574be6cbed04f359004f05986e64d45938638672eb2e1794a980780d80a46

SHA512
0e466b05a84e17c5af046d5cd380a23a1737b1d1f07afd1ef3f90f008f726243a7c8b00bc01719329249ebeff6c5a7cdaf8fec82c2def5cb910e69f89d06d8f8

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe

Filesize
93KB

MD5
c3e55cdc45dc53e20a7a4295cebb901b

SHA1
58163045ac3990c3919b16295cd686733e908630

SHA256
b6d7edbb81d8f44b9d79ce9996d87f8d67e2c2c4cc4400a6e12bfe9e84104290

SHA512
d03c04871bc10864337f089f06db2e280182622dbd28806c496a34a943289f4498b8882fa4e89bcd8adb14e7fa5da5b2eb745741e6a95f1d1914fb55b0e0b0c3

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
93KB

MD5
9dd8d8b28c89f1c17ddf81aab5f11315

SHA1
b88de6318c33275ea75d666f02302f78ad14b0cb

SHA256
388200e46d760a785cb2f3b2f324d0303b24c1736f21c11d766fc66dfeb8a1b0

SHA512
fabfa4f90a8293e8beaaae603a80e564ef33ef864b5d4edb803505c1edf7ce99b602e3949b5a718b14435408e87f2c492c5ecfe7523637995e8d08db42e68845

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
93KB

MD5
ef538b190b64971cddac3d7b97ec8065

SHA1
ae169f30748652bf521c0000063cb569e3154f6b

SHA256
012f78b6b9c6b2580c77d2abf60798a0ca4308352b68e7ef19e6b8bc09a91b98

SHA512
dd46a047b38c588b7167e95af3bf5a79e462fad0ef9818f42daf3c6b939057adba13aabd20c828fb550c0b03160c9ddb220c0468fa22ca92ff7525fdf63db906

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
93KB

MD5
5e6e44f922d22be312db9689aff3de74

SHA1
bfde491c790bd650792e8e0e4306f08c254c6b95

SHA256
acba6f5028e9c9e90c3a17f621061daff5c567d2d11666d2c57f4dc810b52bf6

SHA512
bf018bf135c55b67bc3df7823842f3b07b747ba8d17222a8e51d3f12f53a7043189f7d2e13503f0e7286ee4723290935f75df26b4328db7b2a826cf083c18ac8

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
93KB

MD5
976f6323f2a812e3f58f81100ef136b0

SHA1
6279757911e1d6a6267cca9e64549da47de52eae

SHA256
29d7eee49c737c8998b0dde91e2cf1586d9e3534b678c7a8b853565573f56932

SHA512
c0644ad43724c0199a4d2b3d7933a5e7e2a31f3f06d33565760086c7b9f5058368c9004688dbd2ff93392519c68137e7db51fb770491a97abcce17e507661e16

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
93KB

MD5
ea02da809413b592ab85294a9bd81166

SHA1
f2deebc59dc4f7ae4d3a1fd50c6c126e7257da48

SHA256
17e383e76bc8978783eafcf8f9a88eaf656bdad264726ae584f733c5b4d2fba4

SHA512
a0c2c4d3cb23a5a3dfc3d805d6e4af1264d42515cb5f1b345dec3a4fa7d407c554f2a2ce11f925e0bab6c0077001ca1140648ab0e8e1e361404c929f0517fe2f

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
93KB

MD5
0705f51135cc5e8249351f686cfcb3fa

SHA1
812720df9002ba36636d34aea465967efa47e8ca

SHA256
7e6e7f912d472ae74bc45324a5a0950491ec8737018d7c7d11512862e1e028d2

SHA512
da058a0fc68416b0dbc4ba09b829b9aafca4ee7523c9c08ebe68a804502e2bb2160cb268302fa779572b16e55e9035a6aab62e4f339b5a98e91382f7d94be363

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
64KB

MD5
38c5606b57511913c1aa2b1bc0fdb4f3

SHA1
caafdae5c8be4a86df2e5acb2cbc6d7cf9c64467

SHA256
a2510f7a6170b4de172a1c11c524a3469993e9f7acb4d8b13de78deb49ebc330

SHA512
a27225f745539cbebf571cbeba3552df0e5d67e0a7176149b5503e58484f07a5cf3616f1353c420403b93bdadcd6e52ad90c5eefb0d9b82d2a45320dbedb0776

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
93KB

MD5
fb78c5146702aeb69429992d86bdfe35

SHA1
ba458cffad96618073b72d4eba635e670cd75884

SHA256
7b363f6e8036a009a4cffbaa2233f3f2a543be4fa8240d244a9aaff92431c224

SHA512
dd98da3e2e86fe48fc66e0b04f39f7ee441428fe74af2bac98fb623ff826464ba19f2248cac29dd2e17d38e059fae2f0222bcaafc50888e7930a19f10b0de20b

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
93KB

MD5
64e748c7373d5addd67e04f025c071a0

SHA1
2de48c40aafca6ab50310800ccb0afd0a40425fa

SHA256
0bb62488b64c00e50d3b7f80a1103c942210c7f4f806df574563a8d73fd458d0

SHA512
05a3bcbbf4bca6b23c362a6004a837a2a928d7d1082cc74f6979fd07e3f0a9e445348660a7cddc6e7b968df34508234f52941e032880ffa36891e96cb05993c4

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
93KB

MD5
12790a71e9fbf49ab61ea7392f0b9725

SHA1
fb8e7cb2264d27156d407bef9ee210381e29ef51

SHA256
544e6cb84864f741c6340c3bb8be20291e5922af7c0e8a9ff9be2d232c258eee

SHA512
ac78cc6ae70146aff0ad5f8296caf3d853a9a8a718d6722387aea473e69e23edb4c5154241e2f707a7e325c5132064871ba2ffdd7c8359824a8788d5255797a8

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/208-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/428-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/460-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/512-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/532-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/636-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/648-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/648-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/716-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/716-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/716-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/748-525-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1060-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1068-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1108-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1124-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1128-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1144-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1152-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1168-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1280-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1464-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1512-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1520-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1520-591-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1564-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1584-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1600-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1604-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1632-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1692-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1768-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1792-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1804-915-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1804-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1824-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1904-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1912-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1948-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1988-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2024-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2164-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2288-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2392-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2440-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2640-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2696-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2720-557-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2756-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2828-550-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2932-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3036-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3040-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3068-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3192-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3216-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3236-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3316-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3324-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3348-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3356-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3424-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3432-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3456-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3532-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3532-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3600-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3636-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3656-593-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3664-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3820-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3924-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3940-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3940-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3944-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3944-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4008-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4016-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4044-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4128-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4280-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4324-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4424-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4448-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4448-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4472-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4544-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4584-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4588-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4596-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4596-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4696-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4772-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4804-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4888-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4940-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4984-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download