berbew | a2c1387bca1c12f514de07889beb36a77c4d53f766e5bf34cc4cf107c0e27ba3

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2024 02:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2c1387bca1c12f514de07889beb36a77c4d53f766e5bf34cc4cf107c0e27ba3.exe
Size

96KB
MD5

4f12ee15ef375a76850d656b8d0b118e
SHA1

90d63382ae8b0b0252a8987bba2a9bfbac35d274
SHA256

a2c1387bca1c12f514de07889beb36a77c4d53f766e5bf34cc4cf107c0e27ba3
SHA512

59be771ac7cf91572284f97cf001b62c2df4e95db8535e085f8317a6039f5c6547da6c542284db779392a9f9d4d8335454451a58ba623e3fe00f20e8864a8b90
SSDEEP

3072:QKeur9H2eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeePeeEeeeeeeeemeeejeePeee:Cur9H2eeeeeeeeeeeeeeeeeeeeeeeeel

Score

10^/10

berbew bruteratel backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Jlnnmb32.exeJmmjgejj.exeJpppnp32.exeAnadoi32.exeBjddphlq.exeMnebeogl.exeBnmcjg32.exeCndikf32.exeCnicfe32.exePqmjog32.exeAndqdh32.exeJpnchp32.exeLlcpoo32.exePqbdjfln.exeCjbpaf32.exeKpgfooop.exeMlopkm32.exeJcbihpel.exeLmgfda32.exeNfjjppmm.exePmdkch32.exePcncpbmd.exeCfdhkhjj.exeOgpmjb32.exeKipkhdeq.exeOfqpqo32.exeOcnjidkf.exeBebblb32.exePjhlml32.exeMpoefk32.exeNcianepl.exeOflgep32.exeDmcibama.exeDfnjafap.exeKimnbd32.exeCnffqf32.exeKiidgeki.exeMchhggno.exeOcgmpccl.exePggbkagp.exeDdakjkqi.exePfolbmje.exeBagflcje.exeBcoenmao.exeDogogcpo.exeOlhlhjpd.exeQdbiedpa.exeDgbdlf32.exePmoahijl.exeCegdnopg.exeDmefhako.exeAadifclh.exeCjkjpgfi.exeDjdmffnn.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlnnmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmmjgejj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpppnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnebeogl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpnchp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llcpoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpgfooop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlopkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcbihpel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmgfda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kipkhdeq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipkhdeq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpoefk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpppnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kimnbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kiidgeki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mchhggno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlnnmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpgfooop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
backdoor bruteratel
Bruteratel family
bruteratel

Detect BruteRatel badger 2 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x0008000000023c21-135.dat	family_bruteratel
behavioral2/files/0x0007000000023d0e-762.dat	family_bruteratel

Executes dropped EXE 64 IoCs

Processes:

Jcbihpel.exeJedeph32.exeJlnnmb32.exeJcefno32.exeJfcbjk32.exeJefbfgig.exeJmmjgejj.exeJehokgge.exeJpnchp32.exeJeklag32.exeJpppnp32.exeKboljk32.exeKiidgeki.exeKdnidn32.exeKfmepi32.exeKbceejpf.exeKimnbd32.exeKpgfooop.exeKipkhdeq.exeKpjcdn32.exeKbhoqj32.exeKefkme32.exeKdgljmcd.exeLeihbeib.exeLlcpoo32.exeLbmhlihl.exeLfhdlh32.exeLlemdo32.exeLdleel32.exeLiimncmf.exeLlgjjnlj.exeLmgfda32.exeLebkhc32.exeLllcen32.exeMgagbf32.exeMlopkm32.exeMchhggno.exeMdhdajea.exeMmpijp32.exeMpoefk32.exeMlefklpj.exeMcpnhfhf.exeMiifeq32.exeMnebeogl.exeNilcjp32.exeNdaggimg.exeNebdoa32.exeNlmllkja.exeNcfdie32.exeNpjebj32.exeNcianepl.exeNnneknob.exeNlaegk32.exeNckndeni.exeNfjjppmm.exeOcnjidkf.exeOflgep32.exeOncofm32.exeOcpgod32.exeOfnckp32.exeOlhlhjpd.exeOfqpqo32.exeOlkhmi32.exeOgpmjb32.exe

pid	Process
396	Jcbihpel.exe
4392	Jedeph32.exe
4616	Jlnnmb32.exe
3360	Jcefno32.exe
4016	Jfcbjk32.exe
1944	Jefbfgig.exe
3028	Jmmjgejj.exe
1176	Jehokgge.exe
2620	Jpnchp32.exe
4140	Jeklag32.exe
5068	Jpppnp32.exe
2920	Kboljk32.exe
1108	Kiidgeki.exe
3592	Kdnidn32.exe
4244	Kfmepi32.exe
1396	Kbceejpf.exe
1384	Kimnbd32.exe
3032	Kpgfooop.exe
1960	Kipkhdeq.exe
4160	Kpjcdn32.exe
3644	Kbhoqj32.exe
1260	Kefkme32.exe
2092	Kdgljmcd.exe
1956	Leihbeib.exe
4292	Llcpoo32.exe
4912	Lbmhlihl.exe
1768	Lfhdlh32.exe
4704	Llemdo32.exe
3692	Ldleel32.exe
1640	Liimncmf.exe
4436	Llgjjnlj.exe
1380	Lmgfda32.exe
3168	Lebkhc32.exe
4492	Lllcen32.exe
4008	Mgagbf32.exe
3192	Mlopkm32.exe
5008	Mchhggno.exe
2520	Mdhdajea.exe
2896	Mmpijp32.exe
1196	Mpoefk32.exe
2272	Mlefklpj.exe
2456	Mcpnhfhf.exe
1540	Miifeq32.exe
3524	Mnebeogl.exe
1076	Nilcjp32.exe
1556	Ndaggimg.exe
3616	Nebdoa32.exe
4432	Nlmllkja.exe
4088	Ncfdie32.exe
2596	Npjebj32.exe
1904	Ncianepl.exe
3136	Nnneknob.exe
932	Nlaegk32.exe
3832	Nckndeni.exe
3948	Nfjjppmm.exe
3164	Ocnjidkf.exe
3620	Oflgep32.exe
2464	Oncofm32.exe
1636	Ocpgod32.exe
3588	Ofnckp32.exe
2312	Olhlhjpd.exe
2404	Ofqpqo32.exe
2200	Olkhmi32.exe
4956	Ogpmjb32.exe

Drops file in System32 directory 64 IoCs

Processes:

Qmkadgpo.exeQfcfml32.exeBgcknmop.exeBcoenmao.exeCfdhkhjj.exeNcfdie32.exeNnneknob.exeNfjjppmm.exeDodbbdbb.exeDgbdlf32.exeNpjebj32.exeOncofm32.exeCagobalc.exeCmqmma32.exeJmmjgejj.exeMmpijp32.exeNlmllkja.exeCegdnopg.exeDkifae32.exeAndqdh32.exeJfcbjk32.exeMnebeogl.exeAmbgef32.exeKdnidn32.exeLeihbeib.exeDmefhako.exeMgagbf32.exeAepefb32.exeCmnpgb32.exeQdbiedpa.exea2c1387bca1c12f514de07889beb36a77c4d53f766e5bf34cc4cf107c0e27ba3.exeLlcpoo32.exePqbdjfln.exeAcjclpcf.exeKbceejpf.exeKimnbd32.exeOlkhmi32.exeJcbihpel.exeJefbfgig.exeDfknkg32.exeDfnjafap.exeKiidgeki.exeLebkhc32.exeAadifclh.exeLlgjjnlj.exeOflgep32.exePggbkagp.exeLfhdlh32.exeLiimncmf.exeCenahpha.exeDjdmffnn.exeJehokgge.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\Qdbiedpa.exe	Qmkadgpo.exe
File opened for modification	C:\Windows\SysWOW64\Qffbbldm.exe	Qfcfml32.exe
File opened for modification	C:\Windows\SysWOW64\Bnmcjg32.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Eohipl32.dll	Ncfdie32.exe
File created	C:\Windows\SysWOW64\Hfligghk.dll	Nnneknob.exe
File created	C:\Windows\SysWOW64\Ocnjidkf.exe	Nfjjppmm.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Hddeok32.dll	Npjebj32.exe
File created	C:\Windows\SysWOW64\Ocpgod32.exe	Oncofm32.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Jehokgge.exe	Jmmjgejj.exe
File opened for modification	C:\Windows\SysWOW64\Mpoefk32.exe	Mmpijp32.exe
File created	C:\Windows\SysWOW64\Cihmlb32.dll	Nlmllkja.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Aadifclh.exe	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Jefbfgig.exe	Jfcbjk32.exe
File created	C:\Windows\SysWOW64\Odgdacjh.dll	Mnebeogl.exe
File created	C:\Windows\SysWOW64\Gfnphnen.dll	Ambgef32.exe
File created	C:\Windows\SysWOW64\Kfmepi32.exe	Kdnidn32.exe
File created	C:\Windows\SysWOW64\Madnnmem.dll	Leihbeib.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Ijfjal32.dll	Mgagbf32.exe
File created	C:\Windows\SysWOW64\Bagflcje.exe	Aepefb32.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Gokgpogl.dll	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Jcbihpel.exe	a2c1387bca1c12f514de07889beb36a77c4d53f766e5bf34cc4cf107c0e27ba3.exe
File created	C:\Windows\SysWOW64\Leedqpci.dll	Llcpoo32.exe
File created	C:\Windows\SysWOW64\Pfolbmje.exe	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Anadoi32.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Mpoefk32.exe	Mmpijp32.exe
File created	C:\Windows\SysWOW64\Jfenmm32.dll	Mmpijp32.exe
File created	C:\Windows\SysWOW64\Ibaabn32.dll	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Aoohalad.dll	Kdnidn32.exe
File created	C:\Windows\SysWOW64\Kimnbd32.exe	Kbceejpf.exe
File created	C:\Windows\SysWOW64\Kpgfooop.exe	Kimnbd32.exe
File opened for modification	C:\Windows\SysWOW64\Ogpmjb32.exe	Olkhmi32.exe
File opened for modification	C:\Windows\SysWOW64\Ambgef32.exe	Acjclpcf.exe
File opened for modification	C:\Windows\SysWOW64\Jedeph32.exe	Jcbihpel.exe
File created	C:\Windows\SysWOW64\Jmmjgejj.exe	Jefbfgig.exe
File created	C:\Windows\SysWOW64\Dmamoe32.dll	Jefbfgig.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Kdnidn32.exe	Kiidgeki.exe
File created	C:\Windows\SysWOW64\Ingbah32.dll	Lebkhc32.exe
File opened for modification	C:\Windows\SysWOW64\Aepefb32.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Jjhijoaa.dll	Llgjjnlj.exe
File created	C:\Windows\SysWOW64\Oncofm32.exe	Oflgep32.exe
File opened for modification	C:\Windows\SysWOW64\Pmdkch32.exe	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Ojhnmh32.dll	Kimnbd32.exe
File opened for modification	C:\Windows\SysWOW64\Llemdo32.exe	Lfhdlh32.exe
File opened for modification	C:\Windows\SysWOW64\Llgjjnlj.exe	Liimncmf.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Cenahpha.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Jpnchp32.exe	Jehokgge.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
5844	5712	WerFault.exe	203

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Kbceejpf.exeOfqpqo32.exeOgpmjb32.exeBgcknmop.exeDgbdlf32.exeKdnidn32.exeKpgfooop.exePqmjog32.exeCagobalc.exeCdhhdlid.exeLlgjjnlj.exeAadifclh.exeLllcen32.exeMdhdajea.exeCmnpgb32.exeDogogcpo.exeMlopkm32.exeNpjebj32.exePqbdjfln.exeBebblb32.exeJedeph32.exeNlmllkja.exeBnmcjg32.exeDmefhako.exeJpppnp32.exeLebkhc32.exePmdkch32.exeBagflcje.exeMlefklpj.exeNebdoa32.exeNnneknob.exeAnadoi32.exeLlcpoo32.exeLfhdlh32.exeLmgfda32.exeMcpnhfhf.exeNckndeni.exeMmpijp32.exePjhlml32.exea2c1387bca1c12f514de07889beb36a77c4d53f766e5bf34cc4cf107c0e27ba3.exeQfcfml32.exeDodbbdbb.exeKiidgeki.exeKipkhdeq.exeKefkme32.exeMnebeogl.exeNcianepl.exeOcnjidkf.exeBcoenmao.exePfolbmje.exeCnffqf32.exeCjbpaf32.exeDaekdooc.exeJlnnmb32.exeCndikf32.exeCnicfe32.exeLlemdo32.exeNlaegk32.exeLdleel32.exeOcpgod32.exeAmbgef32.exeKbhoqj32.exeOlhlhjpd.exePcbmka32.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbceejpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdnidn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpgfooop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llgjjnlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lllcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdhdajea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlopkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jedeph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlmllkja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpppnp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lebkhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlefklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nebdoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llcpoo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfhdlh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmgfda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcpnhfhf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckndeni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmpijp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a2c1387bca1c12f514de07889beb36a77c4d53f766e5bf34cc4cf107c0e27ba3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kiidgeki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kipkhdeq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kefkme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnebeogl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlnnmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llemdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldleel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbhoqj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe

Modifies registry class 64 IoCs

Processes:

Kimnbd32.exeNlmllkja.exeDjdmffnn.exeKfmepi32.exeAadifclh.exeBagflcje.exeCenahpha.exeKpgfooop.exeLiimncmf.exeMchhggno.exeOflgep32.exePqbdjfln.exeOfqpqo32.exeOlkhmi32.exeOcgmpccl.exeJcefno32.exeJpppnp32.exeKdgljmcd.exeMdhdajea.exeNfjjppmm.exeCnffqf32.exeDdonekbl.exeOgpmjb32.exeMcpnhfhf.exeAnadoi32.exeAndqdh32.exeDfknkg32.exeJfcbjk32.exeKiidgeki.exeLllcen32.exeQfcfml32.exeKpjcdn32.exeMiifeq32.exeAmbgef32.exeDmcibama.exeDfnjafap.exeAcjclpcf.exeCagobalc.exeLlgjjnlj.exePcncpbmd.exeQffbbldm.exeNilcjp32.exeDdakjkqi.exeJlnnmb32.exeKboljk32.exeKbhoqj32.exeLmgfda32.exeMgagbf32.exeKefkme32.exeNnneknob.exePjhlml32.exeCnicfe32.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kimnbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfmepi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aadifclh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpgfooop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liimncmf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mchhggno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knfoif32.dll"	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfbgbeai.dll"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgppolie.dll"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jcefno32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpppnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdgljmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdhdajea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najmlf32.dll"	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgdelcpg.dll"	Jcefno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdgljmcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpnhfhf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqplhmkl.dll"	Jfcbjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfcbjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gijloo32.dll"	Kiidgeki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lllcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpjcdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Miifeq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhbbhk32.dll"	Kfmepi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjhijoaa.dll"	Llgjjnlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfjjppmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nenqea32.dll"	Nilcjp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcdgpfak.dll"	Jlnnmb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kboljk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnbinq32.dll"	Kbhoqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmgfda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgagbf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kiidgeki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhkngh32.dll"	Kefkme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnneknob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cnicfe32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a2c1387bca1c12f514de07889beb36a77c4d53f766e5bf34cc4cf107c0e27ba3.exeJcbihpel.exeJedeph32.exeJlnnmb32.exeJcefno32.exeJfcbjk32.exeJefbfgig.exeJmmjgejj.exeJehokgge.exeJpnchp32.exeJeklag32.exeJpppnp32.exeKboljk32.exeKiidgeki.exeKdnidn32.exeKfmepi32.exeKbceejpf.exeKimnbd32.exeKpgfooop.exeKipkhdeq.exeKpjcdn32.exeKbhoqj32.exe

description	pid	Process	procid_target
PID 3932 wrote to memory of 396	3932	a2c1387bca1c12f514de07889beb36a77c4d53f766e5bf34cc4cf107c0e27ba3.exe	83
PID 3932 wrote to memory of 396	3932	a2c1387bca1c12f514de07889beb36a77c4d53f766e5bf34cc4cf107c0e27ba3.exe	83
PID 3932 wrote to memory of 396	3932	a2c1387bca1c12f514de07889beb36a77c4d53f766e5bf34cc4cf107c0e27ba3.exe	83
PID 396 wrote to memory of 4392	396	Jcbihpel.exe	84
PID 396 wrote to memory of 4392	396	Jcbihpel.exe	84
PID 396 wrote to memory of 4392	396	Jcbihpel.exe	84
PID 4392 wrote to memory of 4616	4392	Jedeph32.exe	85
PID 4392 wrote to memory of 4616	4392	Jedeph32.exe	85
PID 4392 wrote to memory of 4616	4392	Jedeph32.exe	85
PID 4616 wrote to memory of 3360	4616	Jlnnmb32.exe	86
PID 4616 wrote to memory of 3360	4616	Jlnnmb32.exe	86
PID 4616 wrote to memory of 3360	4616	Jlnnmb32.exe	86
PID 3360 wrote to memory of 4016	3360	Jcefno32.exe	87
PID 3360 wrote to memory of 4016	3360	Jcefno32.exe	87
PID 3360 wrote to memory of 4016	3360	Jcefno32.exe	87
PID 4016 wrote to memory of 1944	4016	Jfcbjk32.exe	88
PID 4016 wrote to memory of 1944	4016	Jfcbjk32.exe	88
PID 4016 wrote to memory of 1944	4016	Jfcbjk32.exe	88
PID 1944 wrote to memory of 3028	1944	Jefbfgig.exe	89
PID 1944 wrote to memory of 3028	1944	Jefbfgig.exe	89
PID 1944 wrote to memory of 3028	1944	Jefbfgig.exe	89
PID 3028 wrote to memory of 1176	3028	Jmmjgejj.exe	90
PID 3028 wrote to memory of 1176	3028	Jmmjgejj.exe	90
PID 3028 wrote to memory of 1176	3028	Jmmjgejj.exe	90
PID 1176 wrote to memory of 2620	1176	Jehokgge.exe	91
PID 1176 wrote to memory of 2620	1176	Jehokgge.exe	91
PID 1176 wrote to memory of 2620	1176	Jehokgge.exe	91
PID 2620 wrote to memory of 4140	2620	Jpnchp32.exe	92
PID 2620 wrote to memory of 4140	2620	Jpnchp32.exe	92
PID 2620 wrote to memory of 4140	2620	Jpnchp32.exe	92
PID 4140 wrote to memory of 5068	4140	Jeklag32.exe	93
PID 4140 wrote to memory of 5068	4140	Jeklag32.exe	93
PID 4140 wrote to memory of 5068	4140	Jeklag32.exe	93
PID 5068 wrote to memory of 2920	5068	Jpppnp32.exe	94
PID 5068 wrote to memory of 2920	5068	Jpppnp32.exe	94
PID 5068 wrote to memory of 2920	5068	Jpppnp32.exe	94
PID 2920 wrote to memory of 1108	2920	Kboljk32.exe	95
PID 2920 wrote to memory of 1108	2920	Kboljk32.exe	95
PID 2920 wrote to memory of 1108	2920	Kboljk32.exe	95
PID 1108 wrote to memory of 3592	1108	Kiidgeki.exe	96
PID 1108 wrote to memory of 3592	1108	Kiidgeki.exe	96
PID 1108 wrote to memory of 3592	1108	Kiidgeki.exe	96
PID 3592 wrote to memory of 4244	3592	Kdnidn32.exe	97
PID 3592 wrote to memory of 4244	3592	Kdnidn32.exe	97
PID 3592 wrote to memory of 4244	3592	Kdnidn32.exe	97
PID 4244 wrote to memory of 1396	4244	Kfmepi32.exe	98
PID 4244 wrote to memory of 1396	4244	Kfmepi32.exe	98
PID 4244 wrote to memory of 1396	4244	Kfmepi32.exe	98
PID 1396 wrote to memory of 1384	1396	Kbceejpf.exe	99
PID 1396 wrote to memory of 1384	1396	Kbceejpf.exe	99
PID 1396 wrote to memory of 1384	1396	Kbceejpf.exe	99
PID 1384 wrote to memory of 3032	1384	Kimnbd32.exe	100
PID 1384 wrote to memory of 3032	1384	Kimnbd32.exe	100
PID 1384 wrote to memory of 3032	1384	Kimnbd32.exe	100
PID 3032 wrote to memory of 1960	3032	Kpgfooop.exe	101
PID 3032 wrote to memory of 1960	3032	Kpgfooop.exe	101
PID 3032 wrote to memory of 1960	3032	Kpgfooop.exe	101
PID 1960 wrote to memory of 4160	1960	Kipkhdeq.exe	102
PID 1960 wrote to memory of 4160	1960	Kipkhdeq.exe	102
PID 1960 wrote to memory of 4160	1960	Kipkhdeq.exe	102
PID 4160 wrote to memory of 3644	4160	Kpjcdn32.exe	103
PID 4160 wrote to memory of 3644	4160	Kpjcdn32.exe	103
PID 4160 wrote to memory of 3644	4160	Kpjcdn32.exe	103
PID 3644 wrote to memory of 1260	3644	Kbhoqj32.exe	104

C:\Users\Admin\AppData\Local\Temp\a2c1387bca1c12f514de07889beb36a77c4d53f766e5bf34cc4cf107c0e27ba3.exe
"C:\Users\Admin\AppData\Local\Temp\a2c1387bca1c12f514de07889beb36a77c4d53f766e5bf34cc4cf107c0e27ba3.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3932
- C:\Windows\SysWOW64\Jcbihpel.exe
  C:\Windows\system32\Jcbihpel.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:396
- - C:\Windows\SysWOW64\Jedeph32.exe
    C:\Windows\system32\Jedeph32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4392
  - - C:\Windows\SysWOW64\Jlnnmb32.exe
      C:\Windows\system32\Jlnnmb32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4616
    - - C:\Windows\SysWOW64\Jcefno32.exe
        
        C:\Windows\system32\Jcefno32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3360
      - C:\Windows\SysWOW64\Jfcbjk32.exe
        
        C:\Windows\system32\Jfcbjk32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Windows\SysWOW64\Jefbfgig.exe
        
        C:\Windows\system32\Jefbfgig.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\Jmmjgejj.exe
        
        C:\Windows\system32\Jmmjgejj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\SysWOW64\Jehokgge.exe
        
        C:\Windows\system32\Jehokgge.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1176
        
        C:\Windows\SysWOW64\Jpnchp32.exe
        
        C:\Windows\system32\Jpnchp32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\SysWOW64\Jeklag32.exe
        
        C:\Windows\system32\Jeklag32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4140
        
        C:\Windows\SysWOW64\Jpppnp32.exe
        
        C:\Windows\system32\Jpppnp32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1108
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3592
        
        C:\Windows\SysWOW64\Kfmepi32.exe
        
        C:\Windows\system32\Kfmepi32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4244
        
        C:\Windows\SysWOW64\Kbceejpf.exe
        
        C:\Windows\system32\Kbceejpf.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4160
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3644
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1260
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1956
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4292
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        27⤵
        Executes dropped EXE
        
        PID:4912
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1768
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4704
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3692
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1380
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3168
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4008
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3192
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1196
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2272
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2456
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1540
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3524
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1076
        
        C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        47⤵
        Executes dropped EXE
        
        PID:1556
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3616
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4432
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4088
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2596
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1904
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3136
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:932
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3832
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3948
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3164
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3620
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2464
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1636
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        61⤵
        Executes dropped EXE
        
        PID:3588
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2312
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2200
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4416
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        68⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2996
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4260
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:212
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4152
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:632
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:4064
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        77⤵
        Drops file in System32 directory
        
        PID:4364
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3896
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3744
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        80⤵
        Modifies registry class
        
        PID:2444
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3272
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1292
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4272
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2224
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1352
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        86⤵
        Drops file in System32 directory
        
        PID:64
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4916
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4028
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5108
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4368
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        91⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1820
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        93⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        94⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4056
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4532
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3868
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3884
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3848
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        100⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4900
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        102⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3636
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2180
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        104⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4820
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:2232
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:908
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        107⤵
        Drops file in System32 directory
        
        PID:3688
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5144
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5228
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5316
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        113⤵
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5404
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        115⤵
        Drops file in System32 directory
        
        PID:5448
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        116⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5492
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5580
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:5624
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5668
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        121⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5712 -s 404
        122⤵
        Program crash
        
        PID:5844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5712 -ip 5712
1⤵
PID:5776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ambgef32.exe

Filesize
96KB

MD5
6f976e0c7134762020ae8bf8e44a912d

SHA1
387d674bc2526371ff21bc5cfd87c89f01c7f33a

SHA256
c37e328645d30eaa101b09366873e039be6f1ec501ecc6b0d9042550febc35e1

SHA512
130acd096e9e7e747c654e8daa3ebd55c667bb36e5c1c45f06b341b98a6abbc3042877358b7ae9150b2e041cb2350797ba4ba002a28017c47aeec0595cfb3655

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
96KB

MD5
011a1c00b1e57806fb5d15bbeea128e1

SHA1
6ef4d1771c98d909d653fabfed0107262cb50328

SHA256
0d8d535b5d9eb3955ec968618ec0c7329414eb25fd4e14bc8ad926dbe4c886ba

SHA512
58bd4c87e8dd4d213a693b39acbbe95216009c7b7ab19c9ef484b9a4053d15c23b77d0f0ddea823d706fd8086a974e1b5fc1b76821ccc2539cddd5123dc2ddc4

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
96KB

MD5
6c46d5fb1f4b02758fb5a593f09ef12a

SHA1
cd64d19fe858682861a47de45b8f64d1c583aff7

SHA256
8677ff27e6448892025cffa9b2caf7f33dd69b96811be17938063f53cc643f92

SHA512
d3bd28b7be7eca6e23013f86f88582b2dae0b135f99e6ac58370764587c21c67e6cbfd7297ee5b918e7372659928b43a1b6c31ceb24c6b4779400e870ab491f9

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
96KB

MD5
0c43e6ac3a4dbc62ee11c530d129ef74

SHA1
4435e2764903371c35fdd3f4bdfcc4882a2897eb

SHA256
c09954f86a5db1207861401bbeff50eb99b85f324887700ec4513da1a8054ce4

SHA512
0c7aeb1d1fdab5f8012f38fd9d3c033caac00854aea625709db4cedafa8e235e3dae7cf7cb346c0fd208cf4d2df4f5a66a07ce84d55e14930dcf1f1e669a56f6

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
96KB

MD5
c127b9e8910aae5da1dbb129773088f0

SHA1
3e63d825b32fba31bd283a5817b3013fb93e7ffb

SHA256
29b9906b957525be977c558f8fb37404db14040da2ca353e02871f0c83c60165

SHA512
0e54d858a6f1c14bc3c6bb7de49c3c103f6dfde5b2898a6a945c3083f5d7d63df188b6e8f351fd310cc45176b807bdab78113b6319578d24414d00dcf2130c99

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
96KB

MD5
f4cab5d6b8bc4b01ad85ceecd36dbbe4

SHA1
3df94584b49eddd23750fc62104916b2f59d6fed

SHA256
29072414f06a4bad7cfc3fc999edfd92e68bb49891f917a41450eab50f7b6edd

SHA512
2f3a8679097f5f2f35743366dc8834628e1b06ce3ed246807ea7d5c72ecbdf50e047a94c29105a50554f61366a29acd4003f55b86d30272d09b97a4b9d130351

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
96KB

MD5
19445896b5c4279fb6a27eb2b1fb1781

SHA1
fc10f77dc7dbb276dff2030ffb2ec8f904a966fd

SHA256
b713e245897ad51c567d60743d12dc4cdebe46452add82960a0f295009c9472e

SHA512
c4a1b3ab1d5748a5bcc2393e95c69c4e2fb1661683cdc0751be439c8e48e7e8f732ccb2143b44a2a145e25419ed034bb335ebea0bb4e9ff2b85e9dcdf24d64b4

Download Submit
C:\Windows\SysWOW64\Jcbihpel.exe

Filesize
96KB

MD5
388194966f299a98d0cdd8e06fdfdf3a

SHA1
b08955d416d331bbae7f381e4ce82a3eaa460f5c

SHA256
b326d39a8353320a5ba5c4b351f6893c06d8a8944f31c79057afa3ae1968797c

SHA512
80ad8f161f9eaea2f20620caccbc01c1adb08df7acd7cc462de6e215a381826eb61b691849caed3f050294d3f4f76f4df2b3151ec9f0c670d490d12797a2f54e

Download Submit
C:\Windows\SysWOW64\Jcefno32.exe

Filesize
96KB

MD5
61382dfff0c71cf2c89f6adc111aee4e

SHA1
ca620b887a58b03c5b5cf8a476a542c770447cef

SHA256
6a872b34b7f31e906d1a2631a9182c9438c9d98073146c2ab46a37991313f54c

SHA512
c81744179a1e887b80cf87777c4ab17f8da05297efef597c9bcd2400166d075c5236295485c7c9e847f31d0e822e01421a4275c37e84629e39d3353846bc9710

Download Submit
C:\Windows\SysWOW64\Jedeph32.exe

Filesize
96KB

MD5
328040166d43dc59a5c65a3ed038d985

SHA1
7fedacbc124931fa56866b3ddeaa4ef991495b86

SHA256
27572e1759a3a98514969421af856b959fe9d701a6f4c1a6e4fc3139ecc21706

SHA512
9d0d028b12c3efc47b4adb69529a7a6e039d3efdc2e6d86b32cc506b16dd1ef1ecd273c2b9e8f2ca0fe076985d308dcb53c85f5143047cf1916545540d5906b6

Download Submit
C:\Windows\SysWOW64\Jefbfgig.exe

Filesize
96KB

MD5
67a68f1da3d895f44cc285d2f1aab0b4

SHA1
8ac24d2413fd5f08a956a3b5f1be371621743121

SHA256
f6436341158b96b9ecbf7a0e89c000ddacd3542de267cf6c6c40386eaa4c47a8

SHA512
7005361bdae8f1fd55625078d9313bcd8105a2a5f83c811a7f24c9068a2aa954c129797ef2c4600712da5f89c936964655326d3a019319d7f386a22b2c370ab8

Download Submit
C:\Windows\SysWOW64\Jehokgge.exe

Filesize
96KB

MD5
8be3fe06de3fa66a1c5f6f9c4bb8c70f

SHA1
3dc1364a6aa04f9011ce0b1bd41c5dbb00fcf87b

SHA256
da35b926a38788099cd06740562ae0ffb78f6af62415b368f264a7bbb30574b2

SHA512
44d95f14ca4642cdda4834fb46d24000592b8ba9879ec0326ffaae02c7c17bed462f12d41d123d181364095041696bbbfce105fce3a2b51d48708f25f75239de

Download Submit
C:\Windows\SysWOW64\Jeklag32.exe

Filesize
96KB

MD5
76738a27397d8fc12c7a9f268f6e8afd

SHA1
6666d9a627d2037b1bdae12e3f21ee5f933d3e1e

SHA256
ad354a940b477208f8df54df4b010badc9d0c9ddd4cbc40c02615c96df0d703b

SHA512
77c8bed4ab053ead456b6f08cbd57d130d05e992e2f0fd8d797ada3a05813afdc70f24c65807433f1d075729455c743b927d22b508fbb7758634b05dd0480f86

Download Submit
C:\Windows\SysWOW64\Jfcbjk32.exe

Filesize
96KB

MD5
b908de73b3ad260111fae8e170e3c7c4

SHA1
08217cb97f3f8d7136fde278d8b9a080b64327aa

SHA256
3f3f39314491b29820053a30dee1699927cc2e7dda5adffda9b2482a2c400d57

SHA512
636ca2a322d6dbe49bbb34bb4928c2ca8e4fcdece3662338c4d4f9a4242707a25c5404b8bf3063e444bbd07ed704d4f2d2aab8152e52e60877267b8b0f9bb1c8

Download Submit
C:\Windows\SysWOW64\Jlnnmb32.exe

Filesize
96KB

MD5
bf2c6d297f0c5c5b371b3547a5414581

SHA1
d87753c2e5f54c0bcbe37a6030c14501dd90c061

SHA256
6a4418e2ff4e324d4b15599a83b685209a10406696fa4b78da3536166e4924f8

SHA512
100e34289632fe718600615091cbe577c8cd3103a3d8f75e121d0667604c3f5fff144c56b232cbcc00ce9906884db0a35310777bf74faef14af8911d0321f682

Download Submit
C:\Windows\SysWOW64\Jmmjgejj.exe

Filesize
96KB

MD5
fbbe602f517282d26d2d97201cfab928

SHA1
2c8b03bdccded2a7a434a2b835ba278778152317

SHA256
82f39d411b7a144cb0c95f329fd07854d29ea123c8120a32e0bb54a935f616ab

SHA512
5bcc3b13a64642526a5f8e08861bc6a3d03e98cbd38817e5439fc275c2d1ffb1fea941c0732340bc69311172636ac4c6c97c753abe51ce7e187bdd45c39df850

Download Submit
C:\Windows\SysWOW64\Jpnchp32.exe

Filesize
96KB

MD5
a56ddb7ec4579a5b1a60ca8c23c56df0

SHA1
7431720e4777f4342d753a2d74c39cc76b274713

SHA256
6d52beec5f3e54dcdb9a61316b89fff6aeae219fa2a3243785ab7d402ddde1b1

SHA512
ce8ec3583ca9e23102f812febde188ce16b78e43c1d079e2e37d761a6d9eec8ffd0b385b0dde7c81c510785abfc58cf65204754fb2c6be409373148d120cfa25

Download Submit
C:\Windows\SysWOW64\Jpppnp32.exe

Filesize
96KB

MD5
bbd6481e67e7a0ad0ff13972968f7b69

SHA1
c68d6f9c2be621525816cb09fd64ae44161a833f

SHA256
113f4fa3d9f1416d7f57e74cc86e8b4046edcf8317771bee65b29da62e89172c

SHA512
0fc0150c57666b438ff0610d7098f3d1019d072de214d4fe3f38b32352d23dadbb68afe9e680d44d1576ded896984637c92e92fb19f5451401bc9d766033ea3e

Download Submit
C:\Windows\SysWOW64\Kbceejpf.exe

Filesize
96KB

MD5
041d5b698455835b941fd7f426f764c9

SHA1
95850c216544c926be3204a24e8919b1afd37d64

SHA256
c28ea3eec680761fcb1e930b00a18c7b696e28f64055729f1df581a58c298a95

SHA512
bd75415ac4aa90cd63b08eefa80a8f58101bb4ae43164c72a143fbcdae7d332ee0a908d3d3ebc54e2d0cb0611510835d4e74166be9be82b319ec1a06af03b47b

Download Submit
C:\Windows\SysWOW64\Kbhoqj32.exe

Filesize
96KB

MD5
1976a1209e3baeece70e293621d5e802

SHA1
1e66f0f3b584cda6cc40887880a03554f899bdb6

SHA256
b37bdaeb01e16253e625eaaf6ee0c94401cc7a452e2c1a143b1a6b4ee0271a3d

SHA512
6baf920b4083744cd541314dda30381f703723027095275378e36e80a928ad8b5b4598a49fe1fadeb40b69d54a5150576add10ce8e928c0e99614b7736092a66

Download Submit
C:\Windows\SysWOW64\Kboljk32.exe

Filesize
96KB

MD5
04275c5d2aef3198781102735690c0d7

SHA1
9894a2af41a069c20dfb84e5f3799fab8ae4250a

SHA256
9ec5d79eceee7ca898ae9875a8604cb6f704a6d554406e0821f9b2d4de4b5eae

SHA512
d72ba8df8c3738eee7cda7f9ee8e3e22b71ebf815dcc2135bd84abe75c13d25aefb85ccc1b55a2cecfecaf861700fd5ff1d35062773abfc1971a776eb36d85d4

Download Submit
C:\Windows\SysWOW64\Kdgljmcd.exe

Filesize
96KB

MD5
9be7c40639b83ede8e1eb88eaa8b7bf3

SHA1
2774805891b802adacfb78a178b17e05e7120e3e

SHA256
b388f376edaced9e7937b0aa232d0b0b577ac4ceb93b32cf73c5f207dbc7adf0

SHA512
c33819b45ef1df49e97eecf5fda0cf7abcacbc277145bb767e889ef658b5e1843c3f2a6efed19d139e84c1a4d6a5d8c2757b38ffc2e6cbac9bfa66895d1fce8a

Download Submit
C:\Windows\SysWOW64\Kdnidn32.exe

Filesize
96KB

MD5
c8609ba0b4021233f41b9f4786076a4e

SHA1
4588340a6c58808c01f7bad95316cd3565075b4e

SHA256
f66d938a9514f5d86e56576fc8427fca5e5d275a710754ffdd7d3ee6324be3e7

SHA512
fad92069a2833d864eab9f6ee670151b72d3ae5f833c21f71c0261a593de71402dab30afec2cdd08adec5344327d2abbed3eaedd8f711dff4f847fb768f83cc1

Download Submit
C:\Windows\SysWOW64\Kefkme32.exe

Filesize
96KB

MD5
f5aec30f1eadf5df84535c45449378e9

SHA1
288607198c81a9868b81123ad0c64058953aeaff

SHA256
c59e07468207ed77a49fd2663023b477ccbe6ac4ce025a104d386e192006bfb3

SHA512
2cc48d6c52dec14af6760de4dfbd8cb99e255dc79820d3948ef1fbcafffcb847c97ab1308393a094a642e5ab6da66d16c155d6b492f6ce7e3bf124f45a876b7f

Download Submit
C:\Windows\SysWOW64\Kfmepi32.exe

Filesize
96KB

MD5
f919dc0cbfdcb121170696b75cc4c1e8

SHA1
c4bdb750e4dfd7867ec4883013c995e70b0ca44e

SHA256
c7741dd5410aa0a95f6af2b3df9e67742c18476c01cb3849be4b15f781185ada

SHA512
6b65bc26a98eac44a9b7941e3d39ed2d16ea67113c32a31147be13604369d6d33350a40eebe4153fa04aba703c5a3247cc1c0773302a2c44901ba34f2fa3dc8e

Download Submit
C:\Windows\SysWOW64\Kiidgeki.exe

Filesize
96KB

MD5
e5603c97b33c717b243b35c85bc9ccd2

SHA1
8c0d60f60a91da4aba511aaa11c2f30a30f783b1

SHA256
6af3db774092cba767510c63eec6d385619b354fc66ad90faeecea9314eb18ab

SHA512
cb87ce6c784836049577549798e1cb5c7cc791ef5671303d689458fa6a448ee59e0d661ff4200eb1d4b0ce49a3da5276b772d9f16393085681a8e1ed0151ae44

Download Submit
C:\Windows\SysWOW64\Kimnbd32.exe

Filesize
96KB

MD5
608f8cebef6c9abca6a8940485f95184

SHA1
7473cb149b84c46d01fb0526fe742a8419cd5c9d

SHA256
ebd347479889cf423432aaf0a13fd8e625b7ff64795257829d140f1fb548babb

SHA512
0b9445f0546f276928f8af3c40f548b4b46fb97fb90bc2fdf332a2a2c0be266887e62a2b3186c9e171993b82f89c31a82af5a0099761c4fc2e46ab9cb96afc43

Download Submit
C:\Windows\SysWOW64\Kipkhdeq.exe

Filesize
96KB

MD5
0578bfbff1889d1023a2f77f84a02e28

SHA1
d4c97be35fbbf15f519545dfb52ccd9c24dc6761

SHA256
8b15c9b30e8489578cd9aa51979eb612b1d2b7af48a6415e938a549d2d03ad8f

SHA512
152f5834e8420e83baf43041e9b7f1f3c67650c42265f161dba49c51ec6a8b6576e847731e5a09b2df3ee72a5dc0c2aa7282fc7bb77913bafaac5ea946074ea1

Download Submit
C:\Windows\SysWOW64\Kpgfooop.exe

Filesize
96KB

MD5
eaec3e42d173aa203ef8005e25401307

SHA1
d095c5e855e6ea93c6f13226332cb2406b7dd638

SHA256
cc95880adfe37dcd4c7214e7b05acdff8873eadf2e7363011c1ad9c536ad61bd

SHA512
d408bc8b68645ddf6b17bca1e326e3a7420d1df1a4ce53e2c6fc105080d4a05cc7f111b39f45d3dbe750456be400b69a1844d934246a7a163f0eaf106522f59c

Download Submit
C:\Windows\SysWOW64\Kpjcdn32.exe

Filesize
96KB

MD5
5195b486d4b93edbaf5771d781209d21

SHA1
ebe84fc21daa607731612309cbc0881015e80ac9

SHA256
e802bab8ebfb42b35f620b5d504b14b7a6cfe31d03318521bdbeb32f49a997b1

SHA512
63c6362aa513e75d11e02a4df970b4ac732ba03408c5d0fd7a2694809a89b965945a419a80f7f3064a611e562239d118a8297a6746ec8347016f449c0ff7428c

Download Submit
C:\Windows\SysWOW64\Lbmhlihl.exe

Filesize
96KB

MD5
bbe664ea582dc6e54290f278e702b951

SHA1
4124d1b7c0b803774eac0b9ba7b80beb5c2df1fd

SHA256
e5150eff096a6c643286fa6238f0c3250e2c67223ca77ebb16f7f397987b0561

SHA512
0d29b94ddcfde8c4b75f74dcdf85a8b2b24451afaddd05ab0f98b54b9e09d821a789e10851576d7388a87ccd27995e9159e51a99c34225001fd54e52e91803bf

Download Submit
C:\Windows\SysWOW64\Ldleel32.exe

Filesize
96KB

MD5
6d95930f337a8fdc82a0e10a31e5aa27

SHA1
aa4ccc35f730bac8c17b15f4f0eedb2e2b59e929

SHA256
05b3c8313b1fdc6b48b24214be68f48090a3f8ab2e0eaa834d8a51ea53cec54d

SHA512
cc32141fdd6395e63b90576d843bbf9de10d1087260d878c8f1ad0f7b5948ce41d478bef24375ca12f7259815eaf52de20975e207b134376aaeb11bc4f792770

Download Submit
C:\Windows\SysWOW64\Leihbeib.exe

Filesize
96KB

MD5
21ee914f614437ef2c2d2e49b64e7710

SHA1
3d736663a462ac6103b89dd20c180633360d6f12

SHA256
4fdb4e4e69aa22b35b341611659cb5ad14ff2a4e78a75bcbb3bb8d852a31ddea

SHA512
dd445e1c05e273762b1e0ea956d0a4f08218cc50c92396f6dedf3ced20b1e1ee1c2dec0556ed0c33db07e3012258f215802c571fac76f1ea1f0be71aef8ab428

Download Submit
C:\Windows\SysWOW64\Lfhdlh32.exe

Filesize
96KB

MD5
a02fdd396d2eb8702b39a0c15beb1d7d

SHA1
2195ebf783e060f3a66b91f32e2ce81a86fedb28

SHA256
73f05267e59824c7015f260100cc5130e06217c0d561153253e8e8bcce7e6138

SHA512
f22de98d3a7e42747f3a415b90d50092c1f7479376a3a355edb88a325b3719e94996eaa94f7709b17549302798cab836e21dfb24f101aa67372f84e0ad165843

Download Submit
C:\Windows\SysWOW64\Liimncmf.exe

Filesize
96KB

MD5
769157f0678dfa7b02f4061a17bca0a2

SHA1
b6e4511c5c91d0137e70cefbb39f81dab1d056bd

SHA256
ec6d7f0c2bfa9cecf93d01d1e2a3eb7021a20907e611520ca925130e572f2cf7

SHA512
19db1974967ead3456f77165e93fec1e0d92c6a4618fb8aec9defdff8ccf0a0270d7e74d1b440445ab64e8dbb25c37de6f12d69dea8c040613a2adf9d17cc40b

Download Submit
C:\Windows\SysWOW64\Llcpoo32.exe

Filesize
96KB

MD5
21040b515d4518ebf87bc31472fe7a0c

SHA1
0339924ee5d9efe77f2c1a8b0556b28ff9a6a9c3

SHA256
3b06d0bbb1bf8fd75a0071d24e869a0e8158c000e878d13665f7c9eeb3490a6f

SHA512
2686d28f06fe42bd877cc408855efb333bb2dccc2a666ef6cf3e8196918118348979a4993529830f981ff13cca3142db22dbeca27dcd7a0c849bb1550f3f5a1f

Download Submit
C:\Windows\SysWOW64\Llemdo32.exe

Filesize
96KB

MD5
75709e43f200d19884933fdd7b0972e2

SHA1
77126e2eef6f5d82b70a855001397be60e987442

SHA256
74e5458deea08ef857f14c03f415954e66bfed6f09de9b493c2b92e0af9ff526

SHA512
99750997dd21b7ab6a5a3ecbdf59a4cf16acd9c81c5f207b0fa8001f272061204b4841dee4addedaf3cfc56ecef775f35ddbcab056fec79c50a57cbe165f168f

Download Submit
C:\Windows\SysWOW64\Llgjjnlj.exe

Filesize
96KB

MD5
8d3053b84d6f47d891778d1d0c93cbd1

SHA1
657b4e83c8e46744b73b9109755312fc48e2ddb5

SHA256
30c506e7a3d5b20c084f2462433dfdf2c4c67a6c4a189541fb3d64e97bb10e3e

SHA512
069d0ba1951f9568e2c7c66b5e4ebbd0ce0835919da9483eb859cdff24ed8caebf4921948ee7a56343038b7ade8aa232bddb7ada23c6571d6129dcc608e5b85f

Download Submit
C:\Windows\SysWOW64\Lmgfda32.exe

Filesize
96KB

MD5
649c5881405ad65a4989891efd0f760b

SHA1
292d7261bf51f84505f51032e2318f282c298a0d

SHA256
8c24329d8c3d9acf51e373e1e29f775322bc8a546ef8e29fdd0696f648029c58

SHA512
b4861db6985854c2c4ecfbf6373744ccbe649f42d2a07a7543e8b56443b0c0c0245bfac27bfa95517afaa94d01a4fafabc02480c9ffb2ef443593e0f1961cbbb

Download Submit
C:\Windows\SysWOW64\Mlopkm32.exe

Filesize
96KB

MD5
bb980f7e1551face4083f469cdc60295

SHA1
e1ed5257b0991c14bfd77f7f443acb73c2093a4c

SHA256
3e4dca690c1d88cec041f693900cf42e6500941564f464c92ff7110d87660f42

SHA512
2832f3ea58ae70a5c695d60584925d58e2740bcb7ace0d6f101bb9e646e79c72001fcd0b378fbcbcf0f37ec70aa1e2639eb9b3c292d7e55c990549b8daeff322

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
96KB

MD5
145d07daa8409113f17e712b72d6acd0

SHA1
c279951ffd307dfbdde6032cde0291d17351edd1

SHA256
c006c48d1874c541f680a718b5bae5de4f89f66281a937eacc258fc4ac2f50a2

SHA512
f2bed994fed4f169459e1f93d6b01944d753f4deca66066aeae98b77a89eabd2eff7a15b065be430a67c5e4d4be34c58f28943e14774807a9a45a51799db8227

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
96KB

MD5
d2fe1b8d0ec495a220a416430984d57a

SHA1
c002917e567e90aee26a81cc64277e7416cd5772

SHA256
00badb64643c26307ded373b3fbd0bc6652f66adb2916f84d99e1d19b216ffe7

SHA512
080e1bdb4c31f5bf00e5f2c2548e5be2a198b2463fed39ffff85902f36bcc207c9437b0129b51b49e7f906b17135c45977f25d79868bf68ae9a2e5308f97c262

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
96KB

MD5
4c198d3dc25f584f6d3804702f28e0e5

SHA1
687d72d63491e815d234c4d9eda6e9a32a915038

SHA256
7a76ce58cd8df1f335d86efd1badb48824fc956f1609be618a28923d335c53d1

SHA512
66f412b93873306926eddabeb69d90d928e30a2fbc775d29fb42f7e0e424a4bb185f731d01f926864e6db1a52f1aaeb98e2ecf541e1385a49f261441565bed1b

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
96KB

MD5
db86c36525d669204756eeb38216a6ec

SHA1
fa5d884c95ca31298fdd0dea4e3f13ba220113b3

SHA256
145f8dd660d2d64205b6fc8f4bf5b78cce33aa34f042866df7e859abbe2220f7

SHA512
5ada91f3481028551ffa1b7238f244e6d578125ed9808839f7a0d86995e59558d748849e82ff9f089b81cba68d018760f79a1e30853fb6ebbe4cf5c785bb1486

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
96KB

MD5
b43fbaa90b24d8905a13013c09367d9e

SHA1
4261cee69c080c5621674b1f1a40f4c75a7e3ef3

SHA256
7e7710aa2047cf17fb310a4d6256338f306b4ce0efe6feb8791a83cddacd1a77

SHA512
ee2b18d9b9399eea4e41a209722f28c17ad9870c1d401e626e65f457765622d46f8842b998bbeb321d167804b2b39c8c604384d36482a8aebd4ef2048e9587d1

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
96KB

MD5
72c2aef7447a46fccc36313f9ea9ad43

SHA1
0ba585a5f253f9fd2bfa37eacb89c4e1dda53e05

SHA256
b7b05d349c2718145b212d7385147788560134bce539fae49d22f84e2b0d4049

SHA512
3f97bba1331f3c05e26df6942d1a16304448494ebe596dc692b780fbc97e1a4b206a1421116164d2f2e5b2c753286ef6e451bbb02eb5448d1535f616be5e1f1d

Download Submit
memory/64-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/212-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/212-918-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/396-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/396-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/464-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/464-929-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/632-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/932-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1076-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1108-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1176-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1196-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1260-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1292-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1352-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1380-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1384-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1396-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1540-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1556-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1636-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1640-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1768-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1904-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1944-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1944-586-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1956-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2092-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2200-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2224-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2272-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2312-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2404-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2444-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2444-905-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2456-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2464-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2464-941-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2520-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2580-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2596-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2620-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2896-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2920-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2996-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3028-593-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3028-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3032-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3136-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3164-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3168-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3192-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3272-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3360-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3360-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3524-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3588-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3588-938-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3592-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3616-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3620-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3644-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3692-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3744-906-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3744-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3832-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3896-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3932-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3932-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3932-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3948-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4008-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4016-45-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4028-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4064-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4088-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4140-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4152-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4152-915-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4160-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4244-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4260-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4272-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4292-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4364-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4392-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4392-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4416-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4432-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4436-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4492-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4516-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4616-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4616-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4668-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4704-230-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4912-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4916-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4956-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5008-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5068-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5668-825-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5712-824-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download