berbew | fd5d01c63c9cbe10fdb9f84498c8daceccdb56e3744d5cc50c1f3053557e5cef

Analysis

max time kernel
96s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2024 11:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd5d01c63c9cbe10fdb9f84498c8daceccdb56e3744d5cc50c1f3053557e5cefN.exe
Size

163KB
MD5

a0e1c7103b9bb402fe58096d30153b10
SHA1

1f6dc8d12ea13bdb7999377f5f02be4e0b558e60
SHA256

fd5d01c63c9cbe10fdb9f84498c8daceccdb56e3744d5cc50c1f3053557e5cef
SHA512

91692f8aa5c4b4f1ddc8664b7f7fb8d645f907b71feca9f6d74692aa842ef62fbcfbaf859269c8ca6f0ff53667a5afab645b731dbeaaf78215082d6750e8c4da
SSDEEP

1536:PNi1/Nm88H5jBQBJdy1foNsJXV6flProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:cgPQBJdy1QNsJXV6fltOrWKDBr+yJb

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Ngpccdlj.exeAgoabn32.exeCjpckf32.exeDmcibama.exeDkkcge32.exeLingibiq.exeMchhggno.exeMlefklpj.exeIbqpimpl.exeKdeoemeg.exeNebdoa32.exeLeihbeib.exeNnjlpo32.exeAcqimo32.exeBeglgani.exeCjmgfgdf.exeFebgea32.exeHfnphn32.exeJcllonma.exeDknpmdfc.exeMiemjaci.exePjmehkqk.exeAjanck32.exeFoabofnn.exeGcddpdpo.exeHmjdjgjo.exeBcjlcn32.exeOgpmjb32.exeAgglboim.exeBjokdipf.exeOnjegled.exeQcgffqei.exeBnpppgdj.exeBelebq32.exeGlebhjlg.exeJmmjgejj.exeJlbgha32.exeAnogiicl.exeAjkaii32.exeAnfmjhmd.exeKlngdpdd.exeOdocigqg.exeCmnpgb32.exeJcbihpel.exeCmlcbbcj.exeOdkjng32.exePmfhig32.exeAeniabfd.exeDjdmffnn.exeDkifae32.exeImoneg32.exeJmhale32.exeLfhdlh32.exeMpoefk32.exePgnilpah.exeAjckij32.exeDfknkg32.exeDmefhako.exeHmhhehlb.exeJlnnmb32.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lingibiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mchhggno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlefklpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibqpimpl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdeoemeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Leihbeib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Febgea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfnphn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcllonma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Miemjaci.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Foabofnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcddpdpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmjdjgjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onjegled.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Glebhjlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmmjgejj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlbgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfnphn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klngdpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odocigqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcbihpel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imoneg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmhale32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfhdlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpoefk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmhhehlb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlnnmb32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

Processes:

Febgea32.exeFllpbldb.exeFojlngce.exeFomhdg32.exeFakdpb32.exeFkciihgg.exeFbnafb32.exeFoabofnn.exeFbpnkama.exeGlebhjlg.exeGhlcnk32.exeGbdgfa32.exeGkmlofol.exeGcddpdpo.exeGokdeeec.exeGdhmnlcj.exeGomakdcp.exeGdjjckag.exeHopnqdan.exeHelfik32.exeHcmgfbhd.exeHmfkoh32.exeHfnphn32.exeHmhhehlb.exeHcbpab32.exeHmjdjgjo.exeHbgmcnhf.exeImmapg32.exeIfefimom.exeImoneg32.exeIfgbnlmj.exeIldkgc32.exeIemppiab.exeIlghlc32.exeIbqpimpl.exeIeolehop.exeIpdqba32.exeIbcmom32.exeJmhale32.exeJcbihpel.exeJedeph32.exeJlnnmb32.exeJefbfgig.exeJmmjgejj.exeJbjcolha.exeJehokgge.exeJlbgha32.exeJcioiood.exeJmbdbd32.exeJcllonma.exeKfjhkjle.exeKlgqcqkl.exeKdnidn32.exeKmfmmcbo.exeKdqejn32.exeKfoafi32.exeKimnbd32.exeKdcbom32.exeKipkhdeq.exeKlngdpdd.exeKdeoemeg.exeKefkme32.exeKplpjn32.exeLeihbeib.exe

pid	Process
644	Febgea32.exe
3000	Fllpbldb.exe
3296	Fojlngce.exe
728	Fomhdg32.exe
2724	Fakdpb32.exe
2316	Fkciihgg.exe
4940	Fbnafb32.exe
3104	Foabofnn.exe
544	Fbpnkama.exe
4804	Glebhjlg.exe
2624	Ghlcnk32.exe
952	Gbdgfa32.exe
2632	Gkmlofol.exe
3004	Gcddpdpo.exe
700	Gokdeeec.exe
3768	Gdhmnlcj.exe
3816	Gomakdcp.exe
1644	Gdjjckag.exe
1904	Hopnqdan.exe
2664	Helfik32.exe
3672	Hcmgfbhd.exe
4416	Hmfkoh32.exe
5092	Hfnphn32.exe
4244	Hmhhehlb.exe
4000	Hcbpab32.exe
4344	Hmjdjgjo.exe
3652	Hbgmcnhf.exe
5024	Immapg32.exe
5000	Ifefimom.exe
3612	Imoneg32.exe
992	Ifgbnlmj.exe
1272	Ildkgc32.exe
5028	Iemppiab.exe
4388	Ilghlc32.exe
4932	Ibqpimpl.exe
3716	Ieolehop.exe
2952	Ipdqba32.exe
2312	Ibcmom32.exe
4648	Jmhale32.exe
3288	Jcbihpel.exe
4840	Jedeph32.exe
2700	Jlnnmb32.exe
4444	Jefbfgig.exe
4996	Jmmjgejj.exe
1624	Jbjcolha.exe
692	Jehokgge.exe
788	Jlbgha32.exe
3052	Jcioiood.exe
756	Jmbdbd32.exe
4268	Jcllonma.exe
3724	Kfjhkjle.exe
2364	Klgqcqkl.exe
2056	Kdnidn32.exe
2272	Kmfmmcbo.exe
4008	Kdqejn32.exe
4892	Kfoafi32.exe
732	Kimnbd32.exe
3092	Kdcbom32.exe
4640	Kipkhdeq.exe
3256	Klngdpdd.exe
4468	Kdeoemeg.exe
1964	Kefkme32.exe
4420	Kplpjn32.exe
1188	Leihbeib.exe

Drops file in System32 directory 64 IoCs

Processes:

Fomhdg32.exeJlbgha32.exeAjanck32.exeAgglboim.exeLfhdlh32.exeOgbipa32.exeGhlcnk32.exeIeolehop.exeIbcmom32.exePqdqof32.exeAndqdh32.exePmfhig32.exePnfdcjkg.exeHelfik32.exeOqhacgdh.exeCenahpha.exeNdfqbhia.exeOdocigqg.exeOjoign32.exePqknig32.exeBganhm32.exeCjinkg32.exeHfnphn32.exeJlnnmb32.exePgnilpah.exeCjpckf32.exeKlgqcqkl.exeNgpccdlj.exeNgdmod32.exeAfoeiklb.exeBgcknmop.exeJmbdbd32.exeAqppkd32.exeAjkaii32.exeGomakdcp.exeIbqpimpl.exeJmhale32.exeOlkhmi32.exeAeniabfd.exeLdoaklml.exeMgddhf32.exePfolbmje.exeAnmjcieo.exePgioqq32.exeCjmgfgdf.exeAnfmjhmd.exeFakdpb32.exeLingibiq.exePjmehkqk.exeQffbbldm.exeAjckij32.exeChmndlge.exeGdjjckag.exeIfgbnlmj.exeAcqimo32.exeHcbpab32.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\Lgmlbfod.dll	Fomhdg32.exe
File created	C:\Windows\SysWOW64\Ingapb32.dll	Jlbgha32.exe
File opened for modification	C:\Windows\SysWOW64\Anmjcieo.exe	Ajanck32.exe
File opened for modification	C:\Windows\SysWOW64\Amddjegd.exe	Agglboim.exe
File opened for modification	C:\Windows\SysWOW64\Lekehdgp.exe	Lfhdlh32.exe
File created	C:\Windows\SysWOW64\Qgppolie.dll	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Lcgdbi32.dll	Ghlcnk32.exe
File created	C:\Windows\SysWOW64\Ipdqba32.exe	Ieolehop.exe
File created	C:\Windows\SysWOW64\Jmhale32.exe	Ibcmom32.exe
File created	C:\Windows\SysWOW64\Pgnilpah.exe	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Aeniabfd.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Pqbdjfln.exe	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Pqdqof32.exe	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Ciglpe32.dll	Helfik32.exe
File opened for modification	C:\Windows\SysWOW64\Ogbipa32.exe	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Dbagnedl.dll	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Fpkknm32.dll	Ndfqbhia.exe
File created	C:\Windows\SysWOW64\Clbcapmm.dll	Odocigqg.exe
File opened for modification	C:\Windows\SysWOW64\Onjegled.exe	Ojoign32.exe
File opened for modification	C:\Windows\SysWOW64\Pclgkb32.exe	Pqknig32.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Dkcfedla.dll	Hfnphn32.exe
File opened for modification	C:\Windows\SysWOW64\Jefbfgig.exe	Jlnnmb32.exe
File created	C:\Windows\SysWOW64\Hgaoidec.dll	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Gijloo32.dll	Klgqcqkl.exe
File created	C:\Windows\SysWOW64\Nebdoa32.exe	Ngpccdlj.exe
File created	C:\Windows\SysWOW64\Ocljjj32.dll	Ngdmod32.exe
File created	C:\Windows\SysWOW64\Ajkaii32.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Ihlnnp32.dll	Jmbdbd32.exe
File created	C:\Windows\SysWOW64\Onjegled.exe	Ojoign32.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Aqppkd32.exe
File opened for modification	C:\Windows\SysWOW64\Anfmjhmd.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Gdjjckag.exe	Gomakdcp.exe
File created	C:\Windows\SysWOW64\Ieolehop.exe	Ibqpimpl.exe
File created	C:\Windows\SysWOW64\Jcbihpel.exe	Jmhale32.exe
File created	C:\Windows\SysWOW64\Jcioiood.exe	Jlbgha32.exe
File created	C:\Windows\SysWOW64\Ogpmjb32.exe	Olkhmi32.exe
File opened for modification	C:\Windows\SysWOW64\Pqdqof32.exe	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Acqimo32.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Lbabgh32.exe	Ldoaklml.exe
File created	C:\Windows\SysWOW64\Gfhkicbi.dll	Mgddhf32.exe
File opened for modification	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Ampkof32.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Gbmhofmq.dll	Pgioqq32.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Agoabn32.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Paadbk32.dll	Fakdpb32.exe
File opened for modification	C:\Windows\SysWOW64\Jmhale32.exe	Ibcmom32.exe
File opened for modification	C:\Windows\SysWOW64\Kdnidn32.exe	Klgqcqkl.exe
File created	C:\Windows\SysWOW64\Phkjck32.dll	Lingibiq.exe
File opened for modification	C:\Windows\SysWOW64\Qdbiedpa.exe	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Ajanck32.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Anogiicl.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Hopnqdan.exe	Gdjjckag.exe
File created	C:\Windows\SysWOW64\Mfadpi32.dll	Ifgbnlmj.exe
File created	C:\Windows\SysWOW64\Bkblkg32.dll	Ibqpimpl.exe
File created	C:\Windows\SysWOW64\Afoeiklb.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Choehhlk.dll	Hcbpab32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
7044	6916	WerFault.exe	270

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Cmnpgb32.exeFojlngce.exeLikjcbkc.exeOnhhamgg.exeQdbiedpa.exeAmpkof32.exeAmddjegd.exeCdfkolkf.exeFbnafb32.exeGokdeeec.exeQffbbldm.exeGcddpdpo.exeHelfik32.exeIbqpimpl.exeNjciko32.exeQqijje32.exeBmngqdpj.exefd5d01c63c9cbe10fdb9f84498c8daceccdb56e3744d5cc50c1f3053557e5cefN.exeFoabofnn.exeKefkme32.exeOgbipa32.exeCaebma32.exeJedeph32.exeNloiakho.exeHbgmcnhf.exeJehokgge.exeKdcbom32.exeKdeoemeg.exeLpebpm32.exeOdocigqg.exePnfdcjkg.exeCeehho32.exeHopnqdan.exeKfjhkjle.exeNnjlpo32.exeQcgffqei.exeFomhdg32.exeFakdpb32.exeIeolehop.exeJmhale32.exeMchhggno.exeMiifeq32.exeOcpgod32.exeQjoankoi.exeJlbgha32.exeOlhlhjpd.exeIfefimom.exeJcllonma.exePmoahijl.exePjmehkqk.exeAjkaii32.exeAnfmjhmd.exeCjmgfgdf.exeBhhdil32.exeJefbfgig.exeMiemjaci.exeOlkhmi32.exeAgglboim.exeBgcknmop.exeBeglgani.exeBnpppgdj.exeIbcmom32.exeOfnckp32.exeAndqdh32.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fojlngce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Likjcbkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbnafb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gokdeeec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gcddpdpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Helfik32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibqpimpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fd5d01c63c9cbe10fdb9f84498c8daceccdb56e3744d5cc50c1f3053557e5cefN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Foabofnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kefkme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jedeph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hbgmcnhf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jehokgge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdcbom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdeoemeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpebpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hopnqdan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfjhkjle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnjlpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fomhdg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fakdpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieolehop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmhale32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mchhggno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miifeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlbgha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ifefimom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcllonma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jefbfgig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miemjaci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibcmom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe

Modifies registry class 64 IoCs

Processes:

Lingibiq.exeIlghlc32.exeIbcmom32.exeIldkgc32.exeKdqejn32.exeOdocigqg.exeQdbiedpa.exeAmddjegd.exefd5d01c63c9cbe10fdb9f84498c8daceccdb56e3744d5cc50c1f3053557e5cefN.exeGdhmnlcj.exeDjdmffnn.exeImoneg32.exeLgokmgjm.exeCjmgfgdf.exePclgkb32.exePmfhig32.exeJefbfgig.exeOdkjng32.exePnfdcjkg.exeAqppkd32.exeDhkjej32.exeDkifae32.exeIeolehop.exeKipkhdeq.exeAjanck32.exeAcqimo32.exeGdjjckag.exeHfnphn32.exePjmehkqk.exeBnhjohkb.exeFakdpb32.exeMgagbf32.exeOjoign32.exeBcjlcn32.exeKlngdpdd.exeLdoaklml.exeNckndeni.exePqbdjfln.exeBelebq32.exeCjbpaf32.exeHmhhehlb.exeMckemg32.exeKlgqcqkl.exeOfnckp32.exeQddfkd32.exeLfkaag32.exeBnpppgdj.exeChmndlge.exeMlefklpj.exeQjoankoi.exeFkciihgg.exeNfjjppmm.exeOlkhmi32.exeQqijje32.exeFoabofnn.exeGokdeeec.exeJcbihpel.exeKimnbd32.exeKplpjn32.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lingibiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgdjapoo.dll"	Ilghlc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibcmom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ildkgc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdqejn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnmqkjel.dll"	fd5d01c63c9cbe10fdb9f84498c8daceccdb56e3744d5cc50c1f3053557e5cefN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gdhmnlcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imoneg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgokmgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jefbfgig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnodjf32.dll"	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imoneg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afomjffg.dll"	Ieolehop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inpocg32.dll"	Kipkhdeq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcdak32.dll"	Gdjjckag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfnphn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadbk32.dll"	Fakdpb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgagbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hppdbdbc.dll"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klngdpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldoaklml.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmhhehlb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ilghlc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mckemg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bncfnnbj.dll"	Ildkgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gijloo32.dll"	Klgqcqkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbnaa32.dll"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfajji32.dll"	Lfkaag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onliio32.dll"	Mlefklpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fkciihgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kipkhdeq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfjjppmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfgfh32.dll"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Foabofnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gokdeeec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jcbihpel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kimnbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kplpjn32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

fd5d01c63c9cbe10fdb9f84498c8daceccdb56e3744d5cc50c1f3053557e5cefN.exeFebgea32.exeFllpbldb.exeFojlngce.exeFomhdg32.exeFakdpb32.exeFkciihgg.exeFbnafb32.exeFoabofnn.exeFbpnkama.exeGlebhjlg.exeGhlcnk32.exeGbdgfa32.exeGkmlofol.exeGcddpdpo.exeGokdeeec.exeGdhmnlcj.exeGomakdcp.exeGdjjckag.exeHopnqdan.exeHelfik32.exeHcmgfbhd.exe

description	pid	Process	procid_target
PID 2372 wrote to memory of 644	2372	fd5d01c63c9cbe10fdb9f84498c8daceccdb56e3744d5cc50c1f3053557e5cefN.exe	85
PID 2372 wrote to memory of 644	2372	fd5d01c63c9cbe10fdb9f84498c8daceccdb56e3744d5cc50c1f3053557e5cefN.exe	85
PID 2372 wrote to memory of 644	2372	fd5d01c63c9cbe10fdb9f84498c8daceccdb56e3744d5cc50c1f3053557e5cefN.exe	85
PID 644 wrote to memory of 3000	644	Febgea32.exe	86
PID 644 wrote to memory of 3000	644	Febgea32.exe	86
PID 644 wrote to memory of 3000	644	Febgea32.exe	86
PID 3000 wrote to memory of 3296	3000	Fllpbldb.exe	87
PID 3000 wrote to memory of 3296	3000	Fllpbldb.exe	87
PID 3000 wrote to memory of 3296	3000	Fllpbldb.exe	87
PID 3296 wrote to memory of 728	3296	Fojlngce.exe	88
PID 3296 wrote to memory of 728	3296	Fojlngce.exe	88
PID 3296 wrote to memory of 728	3296	Fojlngce.exe	88
PID 728 wrote to memory of 2724	728	Fomhdg32.exe	89
PID 728 wrote to memory of 2724	728	Fomhdg32.exe	89
PID 728 wrote to memory of 2724	728	Fomhdg32.exe	89
PID 2724 wrote to memory of 2316	2724	Fakdpb32.exe	90
PID 2724 wrote to memory of 2316	2724	Fakdpb32.exe	90
PID 2724 wrote to memory of 2316	2724	Fakdpb32.exe	90
PID 2316 wrote to memory of 4940	2316	Fkciihgg.exe	91
PID 2316 wrote to memory of 4940	2316	Fkciihgg.exe	91
PID 2316 wrote to memory of 4940	2316	Fkciihgg.exe	91
PID 4940 wrote to memory of 3104	4940	Fbnafb32.exe	92
PID 4940 wrote to memory of 3104	4940	Fbnafb32.exe	92
PID 4940 wrote to memory of 3104	4940	Fbnafb32.exe	92
PID 3104 wrote to memory of 544	3104	Foabofnn.exe	93
PID 3104 wrote to memory of 544	3104	Foabofnn.exe	93
PID 3104 wrote to memory of 544	3104	Foabofnn.exe	93
PID 544 wrote to memory of 4804	544	Fbpnkama.exe	94
PID 544 wrote to memory of 4804	544	Fbpnkama.exe	94
PID 544 wrote to memory of 4804	544	Fbpnkama.exe	94
PID 4804 wrote to memory of 2624	4804	Glebhjlg.exe	95
PID 4804 wrote to memory of 2624	4804	Glebhjlg.exe	95
PID 4804 wrote to memory of 2624	4804	Glebhjlg.exe	95
PID 2624 wrote to memory of 952	2624	Ghlcnk32.exe	96
PID 2624 wrote to memory of 952	2624	Ghlcnk32.exe	96
PID 2624 wrote to memory of 952	2624	Ghlcnk32.exe	96
PID 952 wrote to memory of 2632	952	Gbdgfa32.exe	97
PID 952 wrote to memory of 2632	952	Gbdgfa32.exe	97
PID 952 wrote to memory of 2632	952	Gbdgfa32.exe	97
PID 2632 wrote to memory of 3004	2632	Gkmlofol.exe	98
PID 2632 wrote to memory of 3004	2632	Gkmlofol.exe	98
PID 2632 wrote to memory of 3004	2632	Gkmlofol.exe	98
PID 3004 wrote to memory of 700	3004	Gcddpdpo.exe	99
PID 3004 wrote to memory of 700	3004	Gcddpdpo.exe	99
PID 3004 wrote to memory of 700	3004	Gcddpdpo.exe	99
PID 700 wrote to memory of 3768	700	Gokdeeec.exe	100
PID 700 wrote to memory of 3768	700	Gokdeeec.exe	100
PID 700 wrote to memory of 3768	700	Gokdeeec.exe	100
PID 3768 wrote to memory of 3816	3768	Gdhmnlcj.exe	101
PID 3768 wrote to memory of 3816	3768	Gdhmnlcj.exe	101
PID 3768 wrote to memory of 3816	3768	Gdhmnlcj.exe	101
PID 3816 wrote to memory of 1644	3816	Gomakdcp.exe	102
PID 3816 wrote to memory of 1644	3816	Gomakdcp.exe	102
PID 3816 wrote to memory of 1644	3816	Gomakdcp.exe	102
PID 1644 wrote to memory of 1904	1644	Gdjjckag.exe	103
PID 1644 wrote to memory of 1904	1644	Gdjjckag.exe	103
PID 1644 wrote to memory of 1904	1644	Gdjjckag.exe	103
PID 1904 wrote to memory of 2664	1904	Hopnqdan.exe	104
PID 1904 wrote to memory of 2664	1904	Hopnqdan.exe	104
PID 1904 wrote to memory of 2664	1904	Hopnqdan.exe	104
PID 2664 wrote to memory of 3672	2664	Helfik32.exe	105
PID 2664 wrote to memory of 3672	2664	Helfik32.exe	105
PID 2664 wrote to memory of 3672	2664	Helfik32.exe	105
PID 3672 wrote to memory of 4416	3672	Hcmgfbhd.exe	106

C:\Users\Admin\AppData\Local\Temp\fd5d01c63c9cbe10fdb9f84498c8daceccdb56e3744d5cc50c1f3053557e5cefN.exe
"C:\Users\Admin\AppData\Local\Temp\fd5d01c63c9cbe10fdb9f84498c8daceccdb56e3744d5cc50c1f3053557e5cefN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\SysWOW64\Febgea32.exe
  C:\Windows\system32\Febgea32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:644
- - C:\Windows\SysWOW64\Fllpbldb.exe
    C:\Windows\system32\Fllpbldb.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3000
  - - C:\Windows\SysWOW64\Fojlngce.exe
      C:\Windows\system32\Fojlngce.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3296
    - - C:\Windows\SysWOW64\Fomhdg32.exe
        
        C:\Windows\system32\Fomhdg32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:728
      - C:\Windows\SysWOW64\Fakdpb32.exe
        
        C:\Windows\system32\Fakdpb32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\SysWOW64\Fkciihgg.exe
        
        C:\Windows\system32\Fkciihgg.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\Fbnafb32.exe
        
        C:\Windows\system32\Fbnafb32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\SysWOW64\Foabofnn.exe
        
        C:\Windows\system32\Foabofnn.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3104
        
        C:\Windows\SysWOW64\Fbpnkama.exe
        
        C:\Windows\system32\Fbpnkama.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Windows\SysWOW64\Glebhjlg.exe
        
        C:\Windows\system32\Glebhjlg.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\SysWOW64\Ghlcnk32.exe
        
        C:\Windows\system32\Ghlcnk32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\SysWOW64\Gbdgfa32.exe
        
        C:\Windows\system32\Gbdgfa32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:952
        
        C:\Windows\SysWOW64\Gkmlofol.exe
        
        C:\Windows\system32\Gkmlofol.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\SysWOW64\Gcddpdpo.exe
        
        C:\Windows\system32\Gcddpdpo.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\SysWOW64\Gokdeeec.exe
        
        C:\Windows\system32\Gokdeeec.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:700
        
        C:\Windows\SysWOW64\Gdhmnlcj.exe
        
        C:\Windows\system32\Gdhmnlcj.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3768
        
        C:\Windows\SysWOW64\Gomakdcp.exe
        
        C:\Windows\system32\Gomakdcp.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3816
        
        C:\Windows\SysWOW64\Gdjjckag.exe
        
        C:\Windows\system32\Gdjjckag.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\Hopnqdan.exe
        
        C:\Windows\system32\Hopnqdan.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\SysWOW64\Helfik32.exe
        
        C:\Windows\system32\Helfik32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\SysWOW64\Hcmgfbhd.exe
        
        C:\Windows\system32\Hcmgfbhd.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3672
        
        C:\Windows\SysWOW64\Hmfkoh32.exe
        
        C:\Windows\system32\Hmfkoh32.exe
        23⤵
        Executes dropped EXE
        
        PID:4416
        
        C:\Windows\SysWOW64\Hfnphn32.exe
        
        C:\Windows\system32\Hfnphn32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5092
        
        C:\Windows\SysWOW64\Hmhhehlb.exe
        
        C:\Windows\system32\Hmhhehlb.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4244
        
        C:\Windows\SysWOW64\Hcbpab32.exe
        
        C:\Windows\system32\Hcbpab32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4000
        
        C:\Windows\SysWOW64\Hmjdjgjo.exe
        
        C:\Windows\system32\Hmjdjgjo.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4344
        
        C:\Windows\SysWOW64\Hbgmcnhf.exe
        
        C:\Windows\system32\Hbgmcnhf.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3652
        
        C:\Windows\SysWOW64\Immapg32.exe
        
        C:\Windows\system32\Immapg32.exe
        29⤵
        Executes dropped EXE
        
        PID:5024
        
        C:\Windows\SysWOW64\Ifefimom.exe
        
        C:\Windows\system32\Ifefimom.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5000
        
        C:\Windows\SysWOW64\Imoneg32.exe
        
        C:\Windows\system32\Imoneg32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3612
        
        C:\Windows\SysWOW64\Ifgbnlmj.exe
        
        C:\Windows\system32\Ifgbnlmj.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:992
        
        C:\Windows\SysWOW64\Ildkgc32.exe
        
        C:\Windows\system32\Ildkgc32.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1272
        
        C:\Windows\SysWOW64\Iemppiab.exe
        
        C:\Windows\system32\Iemppiab.exe
        34⤵
        Executes dropped EXE
        
        PID:5028
        
        C:\Windows\SysWOW64\Ilghlc32.exe
        
        C:\Windows\system32\Ilghlc32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Ibqpimpl.exe
        
        C:\Windows\system32\Ibqpimpl.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4932
        
        C:\Windows\SysWOW64\Ieolehop.exe
        
        C:\Windows\system32\Ieolehop.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3716
        
        C:\Windows\SysWOW64\Ipdqba32.exe
        
        C:\Windows\system32\Ipdqba32.exe
        38⤵
        Executes dropped EXE
        
        PID:2952
        
        C:\Windows\SysWOW64\Ibcmom32.exe
        
        C:\Windows\system32\Ibcmom32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2312
        
        C:\Windows\SysWOW64\Jmhale32.exe
        
        C:\Windows\system32\Jmhale32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4648
        
        C:\Windows\SysWOW64\Jcbihpel.exe
        
        C:\Windows\system32\Jcbihpel.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3288
        
        C:\Windows\SysWOW64\Jedeph32.exe
        
        C:\Windows\system32\Jedeph32.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4840
        
        C:\Windows\SysWOW64\Jlnnmb32.exe
        
        C:\Windows\system32\Jlnnmb32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2700
        
        C:\Windows\SysWOW64\Jefbfgig.exe
        
        C:\Windows\system32\Jefbfgig.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Jmmjgejj.exe
        
        C:\Windows\system32\Jmmjgejj.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4996
        
        C:\Windows\SysWOW64\Jbjcolha.exe
        
        C:\Windows\system32\Jbjcolha.exe
        46⤵
        Executes dropped EXE
        
        PID:1624
        
        C:\Windows\SysWOW64\Jehokgge.exe
        
        C:\Windows\system32\Jehokgge.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:692
        
        C:\Windows\SysWOW64\Jlbgha32.exe
        
        C:\Windows\system32\Jlbgha32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:788
        
        C:\Windows\SysWOW64\Jcioiood.exe
        
        C:\Windows\system32\Jcioiood.exe
        49⤵
        Executes dropped EXE
        
        PID:3052
        
        C:\Windows\SysWOW64\Jmbdbd32.exe
        
        C:\Windows\system32\Jmbdbd32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:756
        
        C:\Windows\SysWOW64\Jcllonma.exe
        
        C:\Windows\system32\Jcllonma.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4268
        
        C:\Windows\SysWOW64\Kfjhkjle.exe
        
        C:\Windows\system32\Kfjhkjle.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3724
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        54⤵
        Executes dropped EXE
        
        PID:2056
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        55⤵
        Executes dropped EXE
        
        PID:2272
        
        C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4008
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        57⤵
        Executes dropped EXE
        
        PID:4892
        
        C:\Windows\SysWOW64\Kimnbd32.exe
        
        C:\Windows\system32\Kimnbd32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:732
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3092
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4640
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3256
        
        C:\Windows\SysWOW64\Kdeoemeg.exe
        
        C:\Windows\system32\Kdeoemeg.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4468
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1964
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Leihbeib.exe
        
        C:\Windows\system32\Leihbeib.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1188
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:452
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        67⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        68⤵
        
        PID:872
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        69⤵
        Modifies registry class
        
        PID:716
        
        C:\Windows\SysWOW64\Lenamdem.exe
        
        C:\Windows\system32\Lenamdem.exe
        70⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1280
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        72⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:2780
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        75⤵
        Modifies registry class
        
        PID:3736
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3456
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        77⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        78⤵
        Modifies registry class
        
        PID:404
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        79⤵
        
        PID:352
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2040
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        81⤵
        Drops file in System32 directory
        
        PID:4652
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        82⤵
        Modifies registry class
        
        PID:3704
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4076
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4104
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4288
        
        C:\Windows\SysWOW64\Mcpnhfhf.exe
        
        C:\Windows\system32\Mcpnhfhf.exe
        86⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\Miifeq32.exe
        
        C:\Windows\system32\Miifeq32.exe
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:5100
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        88⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4016
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1692
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2104
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        92⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:1816
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        94⤵
        Drops file in System32 directory
        
        PID:4436
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        95⤵
        Drops file in System32 directory
        
        PID:1528
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:748
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        97⤵
        Modifies registry class
        
        PID:2148
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        98⤵
        Modifies registry class
        
        PID:2300
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        99⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        101⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        102⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:3028
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        104⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4332
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:3268
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:5208
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        108⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5296
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        110⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5340
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5384
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        112⤵
        Drops file in System32 directory
        
        PID:5428
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        113⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5472
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:5508
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        115⤵
        Drops file in System32 directory
        
        PID:5556
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        116⤵
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        117⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        118⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        119⤵
        Drops file in System32 directory
        
        PID:5744
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        120⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5836
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        122⤵
        Modifies registry class
        
        PID:5880
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        123⤵
        Drops file in System32 directory
        
        PID:5924
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        124⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5968
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        125⤵
        Drops file in System32 directory
        
        PID:6004
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6048
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        128⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6136
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        129⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        130⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        131⤵
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5392
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        133⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5460
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        135⤵
        Drops file in System32 directory
        
        PID:5624
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        136⤵
        System Location Discovery: System Language Discovery
        
        PID:5688
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5768
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5820
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5904
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        140⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4328
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        141⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6044
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        142⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        143⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        144⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5152
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5376
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        147⤵
        Drops file in System32 directory
        
        PID:5644
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5756
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5864
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5964
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        151⤵
        Modifies registry class
        
        PID:6076
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        152⤵
        Drops file in System32 directory
        
        PID:5204
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5328
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        154⤵
        System Location Discovery: System Language Discovery
        
        PID:5520
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        155⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5684
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        156⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6056
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        160⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        161⤵
        System Location Discovery: System Language Discovery
        
        PID:6100
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        162⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5992
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        164⤵
        Drops file in System32 directory
        
        PID:5288
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        165⤵
        Drops file in System32 directory
        
        PID:5800
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        166⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        167⤵
        System Location Discovery: System Language Discovery
        
        PID:6156
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6196
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6236
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        170⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        171⤵
        System Location Discovery: System Language Discovery
        
        PID:6316
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6356
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6396
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        174⤵
        System Location Discovery: System Language Discovery
        
        PID:6436
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        175⤵
        Modifies registry class
        
        PID:6476
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6516
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6556
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6596
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6636
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        180⤵
        Modifies registry class
        
        PID:6676
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6716
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        182⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6796
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6836
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        185⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        186⤵
        
        PID:6916
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6916 -s 396
        187⤵
        Program crash
        
        PID:7044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 6916 -ip 6916
1⤵
PID:6980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
163KB

MD5
723c809e71e94c6ef8015d0eeea1fa84

SHA1
9cbe9a86b18812a983926210b7d8fe0277f1acac

SHA256
e4101d8d2d4596013dfe875cc2f9231c632b9fa1f61426994c5d5b5dea5764db

SHA512
c97680d25c170d26637a604b4e7a693cd6ee972eb7f7a557c1bb35186fac9ba17ee00fd0e0ab10cdbaae9dc7434841c469e13a110541d0e9369145a03fa2b012

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
163KB

MD5
469787d922fb55a53168fffc8ce092a8

SHA1
57c9036b921ac5af2c8b229f0e7a2b7ba6d42bad

SHA256
9ca8fb8f6629a1263aa28e4216dd0432c643927342d96d53739eac10155c728b

SHA512
854a6937af7eddf7702f0f5c1566519fc4dbc5164f888d0de1eeccb42dd922da065b7ac8beca5bde89c289e5ab25600811b60b9581795294396255701f999365

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
163KB

MD5
918843eaeb287257d7a135b229205633

SHA1
20ee77e06ccd50b84201bf55c36e93ada88336ac

SHA256
92b5220936bd675b182450df06450191d32b8c0061fb057594f8a80494da3333

SHA512
06f95ff7a04b5ee6406eadd68ee6158b108b71a5aeba083471eb2d3ad4903662c47e63e9d1f760f45df1fbd6521496ff6e775d6c7fdd2a8e6e85b3aedecee746

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
163KB

MD5
0bb3e24c8674d9b11381f1d2f9b1fb1e

SHA1
9e2006e2a6e3e90d4f3aa412ccc78c151dd12691

SHA256
e8d3bac37dd8ea4d0d48237cf4af05de6651b98f788a6ef16132e0c6ee3afa37

SHA512
bb76d8a8b3c3fdd740c10b84250451176a948aecd54399df845af5adbabcd608207edfea1cbc326b4117b731047ddce7df71aba72e31695c0d1e3c74d0dc440b

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
163KB

MD5
7a15626a598a3b53d098785f58e46a41

SHA1
8ac5001d19a5f766824e475c4c0f17ac70df6986

SHA256
20223ce94254feeb5f6289e3d367350e5b07c951473e883e6113a53cdc3a39ee

SHA512
d45c9b1f4c78b1c4b14e110f8c6c87dd2f2176322256ad55e6b6f2f2912d41b510a9c3b0b03982615c4a644a2846f268b8fec3373e4247f2cbde0c1a3b834522

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
163KB

MD5
d93c136e898b4204d7765db5587210ab

SHA1
a2b5558a870db8ac987cfe3bbda5237edabb8c3d

SHA256
5e8fc645faf6f53983033df83f3079f9f5aecc9b4543262e8d6e9b49224d41ea

SHA512
f231caa5c460f63a3cd36d41e9ba856e5fbfea08179e5be5b2130cf4b4b3da7968d5b6ecb8726ac67802998904b38d40e986640f1f73c484a56dc988fda3eb5f

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
163KB

MD5
6df77d270101615ba0ae008a9edf4138

SHA1
f0148bbcb93fab39a32587121ce1fcdc2d4a3c3a

SHA256
5b370c60fd03232d3eb39df236043458665d69374a90b085e4a1a694fadaa4b3

SHA512
3183f2b8631646e78da2cf2c937b4a0e6272f85187d2bb3c9615a3efe655d0666f499d7922af54fdf0d29e9d6b7eb982581ce612ada51d153a6ca9cad1389d35

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
163KB

MD5
e1ca15469c9f06467a8e0f76791bf137

SHA1
0b5456eccebe03371ea559bc01fbf9e3632b87ec

SHA256
d1d4fff844ca0ddbac37841b8a9765d2b082ca84f65f6b14debd9cd5fa1c7b22

SHA512
f3544b3198ac0b09a055f6b960b0b97196142c743b7eb537be6e4fb24b8aaf199e895d42d31fa698b1cef31367c402a5b2950d974293c18eae73ca34183f0e04

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
163KB

MD5
f76bf608c8af40cb10b854247afe0c2c

SHA1
58e1b31ea8ab1e76cd5366b6edb59cf8587ea949

SHA256
84d799042f189de05bebb5ef9e0353eca9936da7d4de54e3ae9bf07aa2a0617a

SHA512
9e81c7dc0bf84cbaff75bbbd2059a56f323384cb919f4df112de2fc43d5c6c9de8c118fc4b1797eec050d98c6af56e5f1be9c0d554080d405f6154e05e36ba50

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
163KB

MD5
d924a644d4fdf0d3ce4943e5d16a06d1

SHA1
d56f057d48662cf01023819a8a6d50efb3cc575a

SHA256
f5437c68d8934d0487dfb5104d1953b6939220f0d9b0cf0dc483ef532fc09bbf

SHA512
ce5f629da4bfbbc11823d0e76f0d360960734e5235493feac162aa32b62f1f3f1db10c38f3b156ea44ed135bcdb5a3ece1829f980ccc08ebdbd280ffa72f4903

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
163KB

MD5
faf60c9e65160169299dd62d88b4a562

SHA1
66c5bf2330fac5f6e07cc2a0f5abd25ca3dd353c

SHA256
bdb39574042a2dcd2e45d30afb7c437fbdb5b9edbf1577ccfd1d52302e140115

SHA512
1aec7134067d6399572629315b9f61330c7df07d7e0fcffdbc2cd1ecd8fe6dde7eda246211117f99b60666df5b703318a4b2afe010f5df6431550e14fa1d0a99

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
163KB

MD5
f94c4aee478689dd11a5e378489432b8

SHA1
8447e5d9b05c069db949b9eba2e7edbccb0d0ebe

SHA256
3e631249c1ad0f8848bfc4430fc1b233ad977059474020ec1f86722103b61793

SHA512
0ceffb75c8a5b38f72f96b03115f24d47ea8f19569493d35be245fd4e48252cd47c531eb86fe83db8f80bc933e709790ba4ce7214c7fb0d05721f7feac5b294b

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
163KB

MD5
2947186baec6f58164ea2130d72ca3f6

SHA1
fb07b412494f6ce287a904634522e924431e6f2d

SHA256
907ce283dd7dfd5e2fa22db8b47a9b2322bfe4d4b1e032bd26bac101a5f29a81

SHA512
7da4cf76f8a31a1b683759c18c859478bd77caef2bb65ddf5fc6f087a85cf9c588e246fc4e0b9f4c15d0fbdb25ef1011ba252ccc53f3c88d1ac6def8a5620314

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
163KB

MD5
4267fe9a1d38bc243db445ff3f2ca048

SHA1
6b54e78d24879a2033f7cab6c6d3ab3b9c436659

SHA256
e6dce49acc87a2f0210dc4fdd18283e578fc5b9b95cbcacc9d774d09de46c9c5

SHA512
3cb2e3a3591473dbc18c705954a00b0077ae9d44cf0c4be630d3742ea43eea4f7f6b53dabbe2d3b1236ea12b3252a1036ab2512d4f4a904ee0aa12869995c098

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
163KB

MD5
4843a3ebb760b2a19bc49d4077ea254d

SHA1
1fce76776787889ade2984aad8abe06986c7605b

SHA256
f0182f8ed4a00450ee508fcca349fcd39bca42fb6751f872fe5b048c2ca48343

SHA512
c34b4b7ddf5f68b6f1f10dcabc4c937d7d0ec89db3334dc401df2acaab3c20cda1605b2cd67eb38b2e69b2a35eb8af46fed30e88a4f660e73762c72da955c107

Download Submit
C:\Windows\SysWOW64\Fakdpb32.exe

Filesize
163KB

MD5
6ef1a17ea85419429e13a886caf76dbe

SHA1
8836d8ceba97f3f32504187658d2ea9a8e56f649

SHA256
359e1293cd29e7314517a78d5664e31a96ec7e73e191cc55511adcb67c5d32f0

SHA512
439d506454f3b5bea1cfee9f841ea848f5cefd36b185f290d6076fbe8db1dbfa12020eeb5595cc7ecd777f295a49a0ff0c3caa59b13609354394a7161026e84d

Download Submit
C:\Windows\SysWOW64\Fbnafb32.exe

Filesize
163KB

MD5
9fff9f8e001de1ce221d829aa296bdd7

SHA1
7d75aad03ed691b9a88e93ce5c70eaacb99b5f3b

SHA256
103323e92fcd538e00ee12fab542d325420d28dc336576cfa49d894fa515919d

SHA512
a6984a4177fcb3ab6e6c9db5cedaa656860dc01a47ca58f5a29eda8a55b55a2a4b7849e64cc06e040d304ee7e7de52946f3704f8b648118c6ba8fd0d35666b64

Download Submit
C:\Windows\SysWOW64\Fbpnkama.exe

Filesize
163KB

MD5
d6a023af38e2763e667d4db60dee2da1

SHA1
c61e2fd2b5a172b146630f82174b216e6423923c

SHA256
f15dae5350b4f071fbc42485de19088543941c839eefcc72d34a5fb6530cfb79

SHA512
8d83de33e46e74980c2aeeb15bd2bb75dc32f0e21df996ffcc685da90afd82a818f549c401aa005c043d115adfc1839f03be43221ae1d3243c4e091e0cd74588

Download Submit
C:\Windows\SysWOW64\Febgea32.exe

Filesize
163KB

MD5
848da56e486c713c72f06a3b81d8ae19

SHA1
308f998bffb5bd7807ff059ed7d7414d270d231e

SHA256
0d6ff817923846d540d8e0e42cef81b1db2618fe06c8db629e0d1bb63215c98e

SHA512
c7eb1624ba2ca594a28594db24b87c3bc624392f880f8caca1009447a1834fdcae43fbf363d1e9ffa75a04bee6c5189fcf0c10281e2d19747d744cc5f979a0e3

Download Submit
C:\Windows\SysWOW64\Fkciihgg.exe

Filesize
163KB

MD5
dad17c3d84d92d4d3275c30f0c26acda

SHA1
8dd0fa8cb105e430053c8aac7cd83c66dfe04e1d

SHA256
2f0f1572e840c24d36fded73383a536e0afac53b4f4575836e76035d955c812b

SHA512
04531818d84fe4e8d4b14bb614fc2946a71942adb29291667ee60290fd086911f80918caf2d58c11d7fc94eac56a5dbaff895ca072fa6d52b7cc6f930c53c004

Download Submit
C:\Windows\SysWOW64\Fllpbldb.exe

Filesize
163KB

MD5
12a1e30b0edb6835da4115801b6d43c4

SHA1
03a51182db74ad90b35392be0aadd626ecd998b0

SHA256
00fd0ed0dbf0b245bc3c142140b3644136e8258429c9933d5853bd8cac4196ff

SHA512
870001d8df3f48afbc692017149e3e4f57ade03526cf6224bd3a065bf050181fae95f9149decc414c5947d1fb2387d3df4fed78ed8d62d307b8a1bed51c8b890

Download Submit
C:\Windows\SysWOW64\Foabofnn.exe

Filesize
163KB

MD5
5345ce6adcd1645fc93e2e4c4e496fd9

SHA1
182c2c1a8aac2b29ccca05f4395a425d2e51f712

SHA256
8b61ed1b49a86c8b9b9c600fa90d700f74d07837db7513d29173d4c221811bc9

SHA512
26fb1cc00457576537e6662ed1880c6cf8a841b09d31da37851711446c87f14396a3f1d76325a594e970fbee88e6cceea79169c261f5523546c2b38ebdcee8e9

Download Submit
C:\Windows\SysWOW64\Fojlngce.exe

Filesize
163KB

MD5
c0dc72b15ea78537c7a95b71a9c8002e

SHA1
948fb88cd3ce2ef4f1fdb116f84b260e44db8cff

SHA256
fd8d5458ea6ce56425ff92ef7f0d555b059fbb55f57358fc737466038cc3f2fa

SHA512
bcbbef099e30de848b3725d3a3453b71914ecf600cfd45cee1b8d6229019e2eb37f335f1dbdca471c244cb6453287c664d3bae833e33bf6e6c8ea38759fc160e

Download Submit
C:\Windows\SysWOW64\Fomhdg32.exe

Filesize
163KB

MD5
3f9e8fb40751f4e15285d7781c12ac55

SHA1
443eb1fa85c6fdde91530e5f864490c48ff88441

SHA256
2674caf6d336379f82e42a906b64f2b25b74a4c3c079bbda6a1362d750279b2e

SHA512
25f63ef4854fa1027817fe91387aaec6581e06ab569f75fc220c64eae8982b542b59a82f94bc44734c194493c5e5c1953a75deb92fa16c5779bdeabf3f32beca

Download Submit
C:\Windows\SysWOW64\Gbdgfa32.exe

Filesize
163KB

MD5
730647b3b3feec702f227ba6101313f3

SHA1
811ddb4bf46d2f2fdff065247f84e1ed066a7fa5

SHA256
740b9880542f83286097b1226379858164653d8f88ab6f671747c46e94378229

SHA512
6d7f9fd37dbdc8a1dc3506c6fa1eef884a47d632fa98e23d911ac74f5fa2a5a3d85d234d67d00226dda5f34e3d67bf7f1094e4a5178c451500601f96e4fd6778

Download Submit
C:\Windows\SysWOW64\Gcddpdpo.exe

Filesize
163KB

MD5
e432c036db93aac6cb671e045a9b7039

SHA1
f91f0d845b987e032ab74d870d7af9ae08644daa

SHA256
c715319c193deea1404e7667487d133fe166ea8446294cd515bc68463faaaa8f

SHA512
a9d87f690b80084aec2a0f4f48a953dea926d9de412e56d1bfe6a2bda231a3251a40103b037cc1c7b49b85a9b7f2e8d0c2c240ac5029926dd306fac5e50e7d9f

Download Submit
C:\Windows\SysWOW64\Gdhmnlcj.exe

Filesize
163KB

MD5
65ee401b44cd10ee44448c4a834743ae

SHA1
e3d3cfff7782c0a2b76be5c61e66e4fa4bd778b5

SHA256
3a5e4f1d49e4e1da3e0d83d7ac52799b10ebbb35ce3ddd450ddcd89ab1903d3c

SHA512
94333bfa2824da51aaa5d16c540fff5862671b2702c9e2b373bc2e0b2fd2255923549512d8e466dca76bd4bcff59147c2f59640ec480e5081bc804a53d579fcf

Download Submit
C:\Windows\SysWOW64\Gdjjckag.exe

Filesize
163KB

MD5
8329b5add5d2383d649218fa18c70446

SHA1
2d86356e6fb2b160536fe9ca7f00e58e11e4b40f

SHA256
b2648776c0acb5c49fe342496f948806012c8fd5ac83ba803ec2c116f283e12b

SHA512
7ee41b21ef24fb4d76b905c700f8a424dcb26d56670589ec56333fb572148af77b476aad7beb45fa3c1b9b61143efc4d4afb9cc3fef3b0df990415707ce3dbac

Download Submit
C:\Windows\SysWOW64\Ghlcnk32.exe

Filesize
163KB

MD5
a117655d218daad7a64f7630fa68778f

SHA1
2fb76059f5cfbcc2dc28f72ab3b7d389697848e7

SHA256
7c6d07f57e8bb7c4b0b1b7588d749896e649b4ee9dba46b667534efb938755a5

SHA512
71daddd193b4a4a0ae583c8ce4597b9e11d89aff399d4522588a2e9cbae2abac1ec5d95d806dc5ae4e4238545ee31cc9b0704cfbd79191c5f90b0260128f3b8e

Download Submit
C:\Windows\SysWOW64\Gkmlofol.exe

Filesize
163KB

MD5
6fc5f5c7c51dac291d128cdbc73fd831

SHA1
d9d4620ba9bce081a3025e2ee5cbf1a3da45734b

SHA256
be19f3dea49307adb8fdbfe01469e8e361ff2478d1c96d4e5b2020898c3d26a6

SHA512
d27ddc719022007b1799016e48a5df785cbfe9a388f6680aa71bcbcff03cbfe01cc2c01ed74664fd7daf1c81a5d2e9ddaab3c1234cab47aab91e3b8ac2af3d56

Download Submit
C:\Windows\SysWOW64\Glebhjlg.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\Glebhjlg.exe

Filesize
163KB

MD5
0892751400d3b23c16702360cc53d3bf

SHA1
fd728227dc4a197d593435544c99f4884e796e69

SHA256
7a36e956a92de97530620512f44755f371156481903941ea9adc5c29f9387392

SHA512
c5a6d045d95f5ddddf1f2ef118e5d3cb944981d54692e2b43ec107368d57274f2af6fd73c395fe502e4f8c490117473c1e6debe5589e36c7c0be143668e0504c

Download Submit
C:\Windows\SysWOW64\Gokdeeec.exe

Filesize
163KB

MD5
3f1b5aa04bf6115a63d7008682fa6454

SHA1
acc13828c238d2ddc22521206446e47d29a08d74

SHA256
d019e547d8b397abf1af58c198de1bc126610db6c4e400cf79a537f1995d5a75

SHA512
5bed5a2fae69d1274984369816c193f2e0ed461f5e9c74b6e04a1f27bda7b55f1bddc66f2e73c639f6cf10d2e1ebbdc1461d11c42342593d293f651916db45f0

Download Submit
C:\Windows\SysWOW64\Gomakdcp.exe

Filesize
163KB

MD5
6e466e6301eebf23eec149a179f2407d

SHA1
dc4c7acf3e481d22bb239b25873e17e3017e0dda

SHA256
a32171a253c9af216653cd358542474b9a7ade2d776a99e4b21553f30f8926b2

SHA512
22cc91d3a13d997a6bfcf781d8310b576bbcd7fb8fb15a94add284c73b7287e4a3606b08770b4d7e196c35e508c21b03d3b03188fa84750576339c94279f4e99

Download Submit
C:\Windows\SysWOW64\Hbgmcnhf.exe

Filesize
163KB

MD5
a84eec1256719de372788f8a64014451

SHA1
08a718ebee1a4cb6253eeb38aed78c680de7f912

SHA256
afbe3868a2cc7d7775e0dcf43a91d4b36bc94a4c247727cce0f15639accb4521

SHA512
281e63b552bf604c1f4726f1eb13a6f4c9a548935a6a9aa2c19f981a68835b7192b7c209a96bc1238b29278165d3496c1394bbc4d9b08ded414d5f0d858a8975

Download Submit
C:\Windows\SysWOW64\Hcbpab32.exe

Filesize
163KB

MD5
d23ef7fbaeb999488d54cac97b400f23

SHA1
d30d3fda0fdaf2dec4ae7a5b726091b7dfb32424

SHA256
113c845cbe53b808b26b20f5719f00e8cea029741a1fae2ef29e67743dba69d1

SHA512
6d23b210a2f9f7d57d034cc9834748c533b08965c1057d1cb4b20d0a9856040925d0f73025351e9405ea0485d5d0678addbe4e9082c24a7adccbfb78daf06415

Download Submit
C:\Windows\SysWOW64\Hcmgfbhd.exe

Filesize
163KB

MD5
c2281ba032e7dc168d5c23523a30befe

SHA1
b2dd72b3f5cf0b6aa64686d882cf1f7055b493ed

SHA256
a471dc1bd351bf62e956f87bd4cb8966d2213b0d8a7cbcc70fcd889831f28f89

SHA512
fd8c6210ef0c25428040f9a6a43dd8cc26e4dacb5a1e18e2021654ad6e653748c476976fafeddb078868c65f4d13ba3f9a7d9ba9f5f16560d7f27917f7b32ede

Download Submit
C:\Windows\SysWOW64\Helfik32.exe

Filesize
163KB

MD5
3b1d554dc3288180948922993ab36cc7

SHA1
e17d823b4d4bf4096ea910d35b21da5ba8c08338

SHA256
db7f76fc5c20aa36cf6340147718314c81027f9ed98b3f069e0c2760a04c2dad

SHA512
6fecaa00c7d193ea59480369b955e3c20aefba94b7228aecae9f55869e7484a3c96cce9fc9e147545df118fbfe0d5e6abe267faa61606aac8af43c6934631df9

Download Submit
C:\Windows\SysWOW64\Hfnphn32.exe

Filesize
163KB

MD5
4be050a2a089387156ac174bdd00ae2f

SHA1
2359877712d73ad9f471b04d9517ffebbc946778

SHA256
4995d68dda48d0a1d68394fbf4f06b0c840edeb4c06b201225b3fdf7525ae1e7

SHA512
5ed7609db989ca0c458c20260c3772712acaac80cc53759a8499eb7d946d165657664ce73ef471c50b17cf7ecff4af585b27f68765fc7f892d55fcb6d035310b

Download Submit
C:\Windows\SysWOW64\Hmfkoh32.exe

Filesize
163KB

MD5
0bf4a0d754d6ff79243170840b4d7a66

SHA1
9227d8a6916f4cdce2fc56e5f5576991524cf413

SHA256
c58a53c871b4cd4ad2d1a1824d7c411e41c257b7dff879c28075a1a4484f3933

SHA512
ec8b2b05b5b2ad754c036892346a8ceac247cefb4218d5812396435a9ec82cf1f32de308f12f8622e392b0e6f7b39ab8277de021f7dd78697d3c69459977284b

Download Submit
C:\Windows\SysWOW64\Hmhhehlb.exe

Filesize
163KB

MD5
3f9290deb73b9c7174829c7a7a65c4ce

SHA1
96a9ce41bed78471952a9b287a03ef11fed03407

SHA256
4d0063e57162dc4eac640bdfa6c7dc13aa7cffed4044dcd239209066fb8870b5

SHA512
9bf61259cfa74f1fba4c59f79ad5fced50e0bd471e7ebe69f1d67714adb6be9d6751bca47da2f5222521d04bb376964c3c40f0575d76cfc993efda655b7d7cc9

Download Submit
C:\Windows\SysWOW64\Hmjdjgjo.exe

Filesize
163KB

MD5
b0dfcecd9fe89d6a391e0c613b3dd8fc

SHA1
fa5321a94a45df7242c9f0d04f37c2ac395061e0

SHA256
0fd1b04d0ad03d5948ab3a88f5fa7c618111211644c5c1134cda1072699629f5

SHA512
ad7870c88529d8a8871f9d213264ae08ada3885085eab232f327110e2a0ec67db8482fedad704e30392f5bb5aa8a7f7dc06a54f95d9d0c68519695a6a5761324

Download Submit
C:\Windows\SysWOW64\Hopnqdan.exe

Filesize
163KB

MD5
746d8c61f6f7961c92fb9675bb37e8c7

SHA1
dbfe8cd91a57099967a11593589e1683c90e01a4

SHA256
0b6655d5edce90828e1c0b597ebe704c710856298792cfa6ff82978e8665e1e9

SHA512
307a72e367652c452e3f9f9107e3b3fad9aadcf8a28f44ad5fb7fd1a9f6e891450b0b644ab5dd7c2b4606c77b182b52dd390962ba45b066b2b993ac1db76c0f7

Download Submit
C:\Windows\SysWOW64\Ibcmom32.exe

Filesize
163KB

MD5
129e7dae4631d24714f5b32becec9c61

SHA1
9e8f531a3105ab8ac63361ee1574fb11afe2c8ec

SHA256
7294e61de7ada647f5f4ddcbbd5915ef92a13d9fd46cf305c80d71f35f599616

SHA512
0e3584d252c13509b5ba2768311013f7766e9e23253e0b3f2ff0eda4eaabc06e4330ba877a0543eb781c0adc4fac7b6ec2e675c54978628198da476fbfb4fb91

Download Submit
C:\Windows\SysWOW64\Ifefimom.exe

Filesize
163KB

MD5
8607f3f4b159955b0399461d3f7c3279

SHA1
85fb3b8f7b735e918fcb0a32c446fc2bea28d562

SHA256
964340a59895dd4997b4a9ac2397146820d9de77ff3d3b83d0984043f4247b11

SHA512
9317da020141e5a3ec7d5d6319fd7d37d99f8513e2b8424fd53315dceaa3a0347b9b935fb73fbe4d0d98ad71dcb3f1138a4156f496d9c3ddd309c776e99cc631

Download Submit
C:\Windows\SysWOW64\Ifgbnlmj.exe

Filesize
163KB

MD5
803392a62d64441305e8bd6b48fad964

SHA1
0e38f6052de49d753406880253194505538ea3af

SHA256
2d9c79fc248e6e3684398a8d73061ea4961d8df6c07daba34c3befde7913383a

SHA512
4f84913c6faa2489e3a3181674efaf8cd9a10b300461a602473dce95fed4daa7e6c724fdd281cf779d0244812bb82c3215a69e3e79c2511f1e8ec17501399c58

Download Submit
C:\Windows\SysWOW64\Ildkgc32.exe

Filesize
163KB

MD5
2666776ff970d7058c83984011bbbc2a

SHA1
d47a61f57863ef7d580c61ef480d184601bc5020

SHA256
2ed048d2f0ffbbe017b9b810ddb036f9757d1b8c8786c5bc79c2553e7ffdcbe2

SHA512
dca66b0bdb895f8e8d575d8bfe9b25f46c46c46b45f5a7a18b0cce8b50a2518c6995f123d7fdeed8af8566f3dff973d163b9741b6d5b04395d8647c47f23e1d9

Download Submit
C:\Windows\SysWOW64\Immapg32.exe

Filesize
163KB

MD5
92f4591207f759d7934500b5f9a01757

SHA1
d417f5373f3784655469646791532b4983f47e64

SHA256
c275f206cee480b7f1c8659d331e7f7472051c05500da98f271567a3eba2752b

SHA512
9d5690996d65131a616886628e20ca88009d7ed036866b735f108486135ffb16386c6fae432739637005127b3abb9fd395bdadd8b428f511c4bcc494d705c776

Download Submit
C:\Windows\SysWOW64\Imoneg32.exe

Filesize
163KB

MD5
2bd8f009c62bc9fa6d48e0ed63d46924

SHA1
162f1fbc7456feb6b628e63d36884dad28f9b524

SHA256
6d54b03bb4f1cd829192adefb44c8fabd3f7efcf8897210b30588283275bcf10

SHA512
a8198a426ce54329d725b1d5dbbcf309ea2cdd88c37a483332479cd25055aa63a59c065bca1a017754e8e79ce5733599f168e71a4c9d9b1fca92caea56e6c3fe

Download Submit
C:\Windows\SysWOW64\Jcioiood.exe

Filesize
163KB

MD5
5c6533ca3dd538e2603b1050cf1f9c12

SHA1
09f12bca4ffba9ddbf74119e5d5caa40ae764f13

SHA256
beaf8c41670d3519569c39136b9deec56b624b2bce0d14d5eb6f71fb77189242

SHA512
4564d581e5f8c6fed5e3fb477cd1de8e4140c754e4604979a8333086028a8ce5a053ce52c2ab7ad93581b3e24eacec8b280c9e87b89dd42e875d8da3aa19a450

Download Submit
C:\Windows\SysWOW64\Jefbfgig.exe

Filesize
163KB

MD5
53ceb2ec32daf0af6b6c2ba1841d575e

SHA1
be980076daefc4213e4a5051277c4e92290ee3e1

SHA256
b7f6e97a67f066895f3d43c79dee0ac380b670177998d8d8cdf4fb5f5d6cd1fd

SHA512
f6a0f6087d6159fbde97d579ae149d1b27699cbf622769bba3fd609657028fa136cc88a3aad22d406d75b5edce095243daf6e13ba52441fcdf36bd62722e95bc

Download Submit
C:\Windows\SysWOW64\Kfjhkjle.exe

Filesize
163KB

MD5
bdb0ec73a591cc285d86a86ece7ba8a3

SHA1
e063eb5f92d18f07dd58199f552676c8a8d839ce

SHA256
9585647dbd5e2acb9d5f7bf8bdcb6944719bdcbf1f40752340e409ad30672ee1

SHA512
b720dd2cbb6d5951eeb2e32e7cf04b0f11c47be8607b86cd330236f638258c4c695fd54067e9b606a93523c1d231f9f548e3d79dc5dfccb365ae93a1e05db341

Download Submit
C:\Windows\SysWOW64\Kmfmmcbo.exe

Filesize
163KB

MD5
65fadf8968df3ff34b5ae4025092d70c

SHA1
d4aa647be7e9a510d6ce775a51d064a043e1e150

SHA256
973c95101b7d836e8595481dd2b403d47a261e7540128835eb3ace485c3763e9

SHA512
f1449182d584ab417351853ee63b48d7ab5c586615c22cf4d9bbb6237235ab2bba7337b8992398533dbf0befd2b4aa3a037293039a31087c77f26371a44143c7

Download Submit
C:\Windows\SysWOW64\Lenamdem.exe

Filesize
163KB

MD5
13034027f162ea058c1cc2a781b8215e

SHA1
024a994879718865311e249d9400f9bb19e11d3c

SHA256
c175a01b51c2a8da426579c97b08de4f8e2d8f946c0845c5ba18fa0c451410eb

SHA512
52961ce31ecdf8e63507572640b1e27cb3915af0f34bd4432b3265f07f6ba91c67b6122ba04378ccc2e77824e6efc8ee584d07ef6f966328a893d8e4de03015e

Download Submit
C:\Windows\SysWOW64\Lfhdlh32.exe

Filesize
163KB

MD5
242d23d7fc9b2850406032fa4d83c24d

SHA1
02590f0e732b72c90195e38827ee176368c5cab6

SHA256
2581a8fd1b44f7fc38130b8ca835a834b32da79e1f23aa468e8a7ff58c980067

SHA512
88563b9c027b28c713e88390f22294abf8a1cefe6374bf0f60527118fe20fdecf94bac10feb7b07c9243ac89ee12be0526f5039f76ed784cc27d4c6b3d05b866

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
163KB

MD5
1d29cab7ab6cad72bc8029eb4be3c45d

SHA1
81b62017ffe58d10a8898e1940eb437e72bc1e61

SHA256
a35ea935623766c6754fff308acf44bc3ddb32dc7743359749b9fa0f06d1b805

SHA512
67db3bea381b60242882481a2fdf909d99f73854342d9ddb8f50f4f73684cce74570e8e12080ee9e752eea5507b0543ae3ed714612bd6692036a63d9894178e5

Download Submit
C:\Windows\SysWOW64\Nepgjaeg.exe

Filesize
163KB

MD5
a85aed758704d20ca897cc0bbcb21438

SHA1
afe5792ea0820717e73773adfec0144564862ad1

SHA256
bfc06a1291d6691d3d34caf8269b7033749f6c61760c033e6d41b26515bcf2d7

SHA512
74487ac266f406bb60c4e8d7dfc1c635120aa5a993e6508c829d01acffe1aaff578ab1b8d74a5c52d154b102912dfac4bc715677284faf0e80be385126595de1

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
163KB

MD5
4d5cece1d0488afa7af2c06104332758

SHA1
aa947c92dfcd05374b7ac78c3ef322c2b401ca17

SHA256
a5826f158327e92cdc9187ab0d40d88f66aa1e9fafb2aa3ebd102c4ae624cf27

SHA512
383930d0941211f8f4862314b29f6ed425fa9c568ee25a296d1deb99437decadb847f1c57d468e18f5a033b65cfd17dbb8ea8e017e0c045482c73e12ba1908f7

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
163KB

MD5
4ec7a885168f7061610dbd5abb670561

SHA1
7eb79b3360b777032965fb039eda690b5d855380

SHA256
34431c4bfa4e8d909e7c71f5de6c195bc59be71d93606e6f7c09926db8f94185

SHA512
41ac077457136be1d57689933219d26c7530ec6b4930280727a638c49572d97faa5cce0143de09504bfb92783032ba79e84cdc9e6984d66ee1bfa979215b42ab

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
163KB

MD5
ad20eebe41f0aae149b6cb7834b4ff11

SHA1
dfe6bf77fd038a86b241608246b6c4c93bf2298f

SHA256
2f7d77eb2f8e3b7f203aed8483c56ce77740a6a3edae19ccb500dc4064441acf

SHA512
80c6de853626be04821699e5f16e31aaafdc264881d81fbf0c69a4b5994f68075a3ba814fffd8857210626749b4e99129853842c8ddcfe363ced625b15d6f621

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
163KB

MD5
7c3b166c79beb6716e83bba8ba1ecc78

SHA1
6574ebf5109bc41b77920191e6757c1add828a5f

SHA256
924e2bed6b5ddaa560da2af8425b0a8c847dc79930e8510fff4fcea0a964c5e2

SHA512
d72eb55081a641a9234ec7ff53a84bc55b4fd8d5421522033a5afbd7a12a9846b71aca10915ed3131a3ec06239048516d100b614679c4f7583907b1cf221a87e

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
163KB

MD5
b0a52f624dfd3851e5328217cf9cec13

SHA1
d4485e74de7195005b0733370bdd741eea7b9c29

SHA256
30f0d2bcf9851b123b200bdbbc137c216250aee903848e666089f368f2bb9e2e

SHA512
c55f991e426bb4ab0a9fb27c38246d83e2a11a8ae76318c091e62465fb6018c37c1d7d8f80ab39e87affa008ccacf4a4ed29f9c7925844f66810cd501c5c8401

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
163KB

MD5
6031694afa56e2d12f01fa6311f367cd

SHA1
142604e97a3e3eea99dcd2ef35712900f62cfd0c

SHA256
c7d516e9f95414155c700626ee9011458588e4fa4b00fdcc047073263395c891

SHA512
eed4e685d29a5c5c5e4f9fd4e654ea820191aee86cc76fa6212048e26047095e0dbb21a52ba6a7e6b7edeec5b5b6d72bdbaf015aa61c30f58bda069f6135f999

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
163KB

MD5
1214ee51ec8bcaab047e24e846bfd601

SHA1
b93aca22c3f58abeb7796d6f29e40845b56b6850

SHA256
4339b3c5ecce9f4dee7a1dbbde053eb10ac2f4a56ff48451746c411a91641bb2

SHA512
f300a84b02df85008802c4255ff3b6210b8994855f3b307297a125e9113a9e4e3c8dfff8c4f23ab81223f6d6c16639a5d457247a642c54e2434eb87baeb22714

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
163KB

MD5
33ca9f3fd4261daa63060fcc8c73de15

SHA1
52890f4f80a5c6e1d6be2e1519bb1a536e2bdb58

SHA256
46799841ef7f6ad5296b19b17abc50f35e9d64a10901fb40edb88ecfe70f1655

SHA512
1442dfbfb5177153944111301698ef400a7ce74f5e13dabb770d80678097cca87aa9fd64a16f2750997062145a734b1612735d1f3b8755f85c13b2ed6d5d5b9b

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
163KB

MD5
3edec877a6af6781d8464bb8a9a2031a

SHA1
42d2fc696bdfaf3b147c2dcb22171f3cfbe54207

SHA256
0ad24f99c3b7d346b53028a0012c7993a0f6a725cde244da47cd533c7567b818

SHA512
cd44ebdd240a6d8fe1e494bde673e48a1df9fb44220515c1147e180bf8d1881d6167276569b43107cc0bd9faea3038ec998f624dbd049b68afc293ad3dc7b7a5

Download Submit
memory/352-533-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/404-527-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/452-455-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/544-73-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/644-8-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/644-547-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/692-341-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/700-120-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/716-473-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/728-568-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/728-32-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/732-407-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/756-1540-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/756-359-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/788-1541-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/788-347-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/872-467-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/952-97-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/992-248-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1188-449-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1272-256-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1280-485-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1624-335-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1644-144-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1904-153-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1964-437-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2032-1498-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2032-479-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2040-535-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2056-383-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2164-1478-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2164-503-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2272-389-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2312-293-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2316-582-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2316-49-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2364-381-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2372-534-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2372-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2372-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/2612-1446-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2624-89-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2632-104-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2664-160-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2700-317-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2724-575-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2724-41-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2780-1485-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2780-497-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2920-491-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2952-287-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3000-21-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3000-554-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3004-112-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3052-1538-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3052-353-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3092-413-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3104-64-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3256-425-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3288-305-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3292-461-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3296-25-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3296-561-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3456-515-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3612-240-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3652-216-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3652-1581-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3672-168-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3704-548-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3716-281-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3724-371-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3736-509-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3768-129-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3816-137-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3980-521-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4000-201-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4000-1583-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4008-395-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4016-1445-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4076-555-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4092-576-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4104-562-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4244-193-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4244-1584-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4268-365-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4288-569-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4332-1414-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4344-208-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4388-1566-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4388-269-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4416-176-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4420-443-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4444-323-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4468-431-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4640-419-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4648-299-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4652-541-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4804-80-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4840-311-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4892-401-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4932-275-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4940-57-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4940-589-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4996-329-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5000-233-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5000-1578-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5024-225-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5028-263-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5092-184-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5100-583-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5328-1317-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5340-1403-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5600-1385-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5756-1327-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5864-1324-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/6196-1286-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/6396-1276-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/6436-1274-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download