berbew | a9ae2cfb6e0eca331ba9ad87efd2c820126cd6bba4c7e51c6ad2f71677c7cb11

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2024 00:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9ae2cfb6e0eca331ba9ad87efd2c820126cd6bba4c7e51c6ad2f71677c7cb11N.exe
Size

96KB
MD5

a68546a8e849530775f69f0dc8762540
SHA1

6eb94c1e435d72754689f7d1ed88e20cba58f1ad
SHA256

a9ae2cfb6e0eca331ba9ad87efd2c820126cd6bba4c7e51c6ad2f71677c7cb11
SHA512

aad503b31ee849b18b6d1d86c316a46403778da8cb1c7f2df6328c7fa8d0c72eaa5e149d7570f7985923d54253a3b0253b0bdce4eb804b04f81ec09976782482
SSDEEP

1536:xt7Idmqtrf51q7C55KpBIgd8CfPEXK2SL2Lh17RZObZUUWaegPYA:xtomq1f/fF9X0o7ClUUWae

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Baiqpo32.exeBfhfne32.exeKcqgnfbe.exeMafmfqij.exePaoebbol.exeAapnip32.exeBjohcdab.exeLppgciga.exeNocpfc32.exePmmcad32.exePjqckikd.exeQfqgfh32.exeAidlmcdl.exeAakdnqdo.exeCdclgh32.exeDkanob32.exeJalaid32.exeNjkail32.exeKlkhml32.exeNbdiho32.exeOilmfg32.exeMpjijhof.exeNbkohn32.exeObnlnm32.exeQbekejqe.exeQcdgom32.exeDidnkogg.exeKcepif32.exeCiioopad.exeCdqpbi32.exea9ae2cfb6e0eca331ba9ad87efd2c820126cd6bba4c7e51c6ad2f71677c7cb11N.exeKhifln32.exeLplmhj32.exeOcdnhofj.exeMjggnmab.exeNqjbqe32.exeAiaphc32.exeBkaehdoo.exeLefika32.exeMbhilp32.exeMcjbkc32.exeNcdeaa32.exeAahhia32.exeBbhqbg32.exeCpcglj32.exeDigkqn32.exePifple32.exeMcmoab32.exeNbfemnkg.exeOflddl32.exeOfbjdken.exePpmlcpil.exePpbeno32.exePjgikh32.exeDpofhiod.exeLekbfpgk.exeNfnhbngf.exeOjecok32.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baiqpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhfne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcqgnfbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mafmfqij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Paoebbol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aapnip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjohcdab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lppgciga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nocpfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmmcad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjqckikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfqgfh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aidlmcdl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aakdnqdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdclgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkanob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jalaid32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njkail32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klkhml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbdiho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oilmfg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mafmfqij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpjijhof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkohn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obnlnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qbekejqe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcdgom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Didnkogg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcepif32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciioopad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ciioopad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdqpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	a9ae2cfb6e0eca331ba9ad87efd2c820126cd6bba4c7e51c6ad2f71677c7cb11N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khifln32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lplmhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbdiho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdnhofj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjggnmab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqjbqe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aiaphc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkaehdoo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lefika32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mbhilp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcjbkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncdeaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aahhia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aidlmcdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbhqbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpcglj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Digkqn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pifple32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcqgnfbe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpjijhof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcmoab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbfemnkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oflddl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofbjdken.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppmlcpil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppbeno32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjgikh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpofhiod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lekbfpgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfnhbngf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojecok32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

Processes:

Jalaid32.exeJicija32.exeJopabhna.exeKhifln32.exeKldblmmk.exeKemfeb32.exeKlgoalkh.exeKcqgnfbe.exeKikokq32.exeKpdghkao.exeKeappapf.exeKlkhml32.exeKcepif32.exeKedlea32.exeKlndbkep.exeKpiqcj32.exeLchmoe32.exeLefika32.exeLplmhj32.exeLcjide32.exeLhgbmlia.exeLekbfpgk.exeLhioblgo.exeLppgciga.exeLhkkhk32.exeLcaped32.exeLhnhnk32.exeMafmfqij.exeMpgmdhai.exeMbhilp32.exeMhbaijod.exeMpjijhof.exeMbkfap32.exeMffbbomn.exeMplfog32.exeMcjbkc32.exeMjdkhmcd.exeMqnceg32.exeMcmoab32.exeMjggnmab.exeMlecjhae.exeNocpfc32.exeNfnhbngf.exeNhldoifj.exeNqclpfgl.exeNbdiho32.exeNjkail32.exeNmjmeg32.exeNcdeaa32.exeNbfemnkg.exeNiqnjh32.exeNokfgbja.exeNfdncm32.exeNqjbqe32.exeNbkohn32.exeNjbgik32.exeOoopbb32.exeObnlnm32.exeOjecok32.exeOqolldmo.exeObphcm32.exeOflddl32.exeOodimaaf.exeOfnajk32.exe

pid	Process
1884	Jalaid32.exe
2672	Jicija32.exe
4768	Jopabhna.exe
2576	Khifln32.exe
3492	Kldblmmk.exe
1176	Kemfeb32.exe
1960	Klgoalkh.exe
2840	Kcqgnfbe.exe
1392	Kikokq32.exe
3996	Kpdghkao.exe
4900	Keappapf.exe
980	Klkhml32.exe
2084	Kcepif32.exe
2880	Kedlea32.exe
3240	Klndbkep.exe
3156	Kpiqcj32.exe
1028	Lchmoe32.exe
628	Lefika32.exe
2412	Lplmhj32.exe
2812	Lcjide32.exe
1432	Lhgbmlia.exe
2956	Lekbfpgk.exe
3760	Lhioblgo.exe
1016	Lppgciga.exe
1616	Lhkkhk32.exe
1312	Lcaped32.exe
5016	Lhnhnk32.exe
5100	Mafmfqij.exe
2024	Mpgmdhai.exe
2976	Mbhilp32.exe
4600	Mhbaijod.exe
2392	Mpjijhof.exe
3140	Mbkfap32.exe
3964	Mffbbomn.exe
2680	Mplfog32.exe
4624	Mcjbkc32.exe
5040	Mjdkhmcd.exe
4992	Mqnceg32.exe
2400	Mcmoab32.exe
2224	Mjggnmab.exe
3364	Mlecjhae.exe
4344	Nocpfc32.exe
3596	Nfnhbngf.exe
180	Nhldoifj.exe
2728	Nqclpfgl.exe
536	Nbdiho32.exe
4564	Njkail32.exe
912	Nmjmeg32.exe
2552	Ncdeaa32.exe
3612	Nbfemnkg.exe
2108	Niqnjh32.exe
2288	Nokfgbja.exe
736	Nfdncm32.exe
1240	Nqjbqe32.exe
2900	Nbkohn32.exe
844	Njbgik32.exe
4728	Ooopbb32.exe
4440	Obnlnm32.exe
1244	Ojecok32.exe
4524	Oqolldmo.exe
4864	Obphcm32.exe
4760	Oflddl32.exe
1364	Oodimaaf.exe
3508	Ofnajk32.exe

Drops file in System32 directory 64 IoCs

Processes:

Lplmhj32.exeOpfebqpd.exeCmggeohk.exeCchiie32.exeDigkqn32.exeBmbnjo32.exeCkkhocgd.exeBdbcqklh.exeDghodc32.exeNfdncm32.exePfegjjck.exeMqnceg32.exeCipepo32.exeCaijfljl.exeDancal32.exeMlecjhae.exeCiioopad.exeQbekejqe.exeAdnjek32.exeBjjohe32.exeOqolldmo.exePaaahbmi.exeBpidfl32.exeCapgpnbf.exeCbachf32.exeMhbaijod.exeAificcbj.exeObphcm32.exePpkonp32.exeAiaphc32.exeKcqgnfbe.exeMafmfqij.exeKlgoalkh.exeDkfgjamg.exeCagmamlo.exeLhgbmlia.exeOcbacp32.exeKedlea32.exeMpjijhof.exePfjqei32.exeKcepif32.exeLekbfpgk.exePpmlcpil.exePaoebbol.exeAdpgkk32.exeBaiqpo32.exeBdjjaj32.exeNhldoifj.exeNbfemnkg.exeLefika32.exeAamadpbl.exeCbofbf32.exeDcopidle.exeOcdnhofj.exeQmhbmc32.exeOflddl32.exeBffihe32.exeBpqjfk32.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Lcjide32.exe	Lplmhj32.exe
File opened for modification	C:\Windows\SysWOW64\Ocbacp32.exe	Opfebqpd.exe
File opened for modification	C:\Windows\SysWOW64\Cdqpbi32.exe	Cmggeohk.exe
File created	C:\Windows\SysWOW64\Ofmlog32.dll	Cchiie32.exe
File opened for modification	C:\Windows\SysWOW64\Dancal32.exe	Digkqn32.exe
File opened for modification	C:\Windows\SysWOW64\Bpqjfk32.exe	Bmbnjo32.exe
File opened for modification	C:\Windows\SysWOW64\Cmidknfh.exe	Ckkhocgd.exe
File opened for modification	C:\Windows\SysWOW64\Bfapmfkk.exe	Bdbcqklh.exe
File created	C:\Windows\SysWOW64\Afchdfgd.dll	Dghodc32.exe
File opened for modification	C:\Windows\SysWOW64\Nqjbqe32.exe	Nfdncm32.exe
File created	C:\Windows\SysWOW64\Dbdoodpc.dll	Pfegjjck.exe
File created	C:\Windows\SysWOW64\Mcmoab32.exe	Mqnceg32.exe
File opened for modification	C:\Windows\SysWOW64\Mcmoab32.exe	Mqnceg32.exe
File created	C:\Windows\SysWOW64\Oblanggg.dll	Cipepo32.exe
File opened for modification	C:\Windows\SysWOW64\Ddhfbhip.exe	Caijfljl.exe
File created	C:\Windows\SysWOW64\Dcopidle.exe	Dancal32.exe
File opened for modification	C:\Windows\SysWOW64\Nocpfc32.exe	Mlecjhae.exe
File created	C:\Windows\SysWOW64\Bnlono32.dll	Ciioopad.exe
File opened for modification	C:\Windows\SysWOW64\Qfqgfh32.exe	Qbekejqe.exe
File created	C:\Windows\SysWOW64\Aflfag32.exe	Adnjek32.exe
File opened for modification	C:\Windows\SysWOW64\Bimocbla.exe	Bjjohe32.exe
File opened for modification	C:\Windows\SysWOW64\Dcopidle.exe	Dancal32.exe
File created	C:\Windows\SysWOW64\Cfplpc32.dll	Oqolldmo.exe
File created	C:\Windows\SysWOW64\Pfnjqikq.exe	Paaahbmi.exe
File opened for modification	C:\Windows\SysWOW64\Bbhqbg32.exe	Bpidfl32.exe
File opened for modification	C:\Windows\SysWOW64\Cpcglj32.exe	Capgpnbf.exe
File opened for modification	C:\Windows\SysWOW64\Cmggeohk.exe	Cbachf32.exe
File opened for modification	C:\Windows\SysWOW64\Mpjijhof.exe	Mhbaijod.exe
File created	C:\Windows\SysWOW64\Foljjfdj.dll	Aificcbj.exe
File created	C:\Windows\SysWOW64\Oflddl32.exe	Obphcm32.exe
File created	C:\Windows\SysWOW64\Pfegjjck.exe	Ppkonp32.exe
File created	C:\Windows\SysWOW64\Aahhia32.exe	Aiaphc32.exe
File created	C:\Windows\SysWOW64\Cgeedfgk.dll	Kcqgnfbe.exe
File opened for modification	C:\Windows\SysWOW64\Mpgmdhai.exe	Mafmfqij.exe
File opened for modification	C:\Windows\SysWOW64\Kcqgnfbe.exe	Klgoalkh.exe
File created	C:\Windows\SysWOW64\Dnedfmlk.exe	Dkfgjamg.exe
File created	C:\Windows\SysWOW64\Cchiie32.exe	Cagmamlo.exe
File created	C:\Windows\SysWOW64\Nibimbeo.dll	Lhgbmlia.exe
File created	C:\Windows\SysWOW64\Beekdcmo.dll	Ocbacp32.exe
File created	C:\Windows\SysWOW64\Jehnpp32.dll	Kedlea32.exe
File created	C:\Windows\SysWOW64\Afbmdp32.dll	Mafmfqij.exe
File opened for modification	C:\Windows\SysWOW64\Mbkfap32.exe	Mpjijhof.exe
File opened for modification	C:\Windows\SysWOW64\Paoebbol.exe	Pfjqei32.exe
File opened for modification	C:\Windows\SysWOW64\Kedlea32.exe	Kcepif32.exe
File created	C:\Windows\SysWOW64\Qoodla32.dll	Lekbfpgk.exe
File created	C:\Windows\SysWOW64\Pipmdblk.dll	Ppmlcpil.exe
File created	C:\Windows\SysWOW64\Ppbeno32.exe	Paoebbol.exe
File created	C:\Windows\SysWOW64\Bjjohe32.exe	Adpgkk32.exe
File opened for modification	C:\Windows\SysWOW64\Bdgmlj32.exe	Baiqpo32.exe
File created	C:\Windows\SysWOW64\Bfhfne32.exe	Bdjjaj32.exe
File opened for modification	C:\Windows\SysWOW64\Nqclpfgl.exe	Nhldoifj.exe
File opened for modification	C:\Windows\SysWOW64\Niqnjh32.exe	Nbfemnkg.exe
File created	C:\Windows\SysWOW64\Cpcglj32.exe	Capgpnbf.exe
File created	C:\Windows\SysWOW64\Lplmhj32.exe	Lefika32.exe
File created	C:\Windows\SysWOW64\Opjlhike.dll	Aamadpbl.exe
File created	C:\Windows\SysWOW64\Ciioopad.exe	Cbofbf32.exe
File created	C:\Windows\SysWOW64\Hkmlejlc.dll	Dcopidle.exe
File created	C:\Windows\SysWOW64\Ofbjdken.exe	Ocdnhofj.exe
File opened for modification	C:\Windows\SysWOW64\Qbekejqe.exe	Qmhbmc32.exe
File created	C:\Windows\SysWOW64\Iljnongi.dll	Oflddl32.exe
File created	C:\Windows\SysWOW64\Dkbcln32.dll	Bffihe32.exe
File opened for modification	C:\Windows\SysWOW64\Cbofbf32.exe	Bpqjfk32.exe
File created	C:\Windows\SysWOW64\Omaffope.dll	Bpqjfk32.exe
File created	C:\Windows\SysWOW64\Acdlmq32.dll	Cagmamlo.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
5488	5292	WerFault.exe	231

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Ddolcgch.exeNfdncm32.exeQmhbmc32.exeCipepo32.exeQmkobbpk.exeDancal32.exeNhldoifj.exeNokfgbja.exeOfpnok32.exeAidlmcdl.exeAamadpbl.exeBfhfne32.exeBpqjfk32.exeMcjbkc32.exeOfnajk32.exePaaahbmi.exeLcaped32.exeAapnip32.exeBpidfl32.exeCmidknfh.exeCkoajb32.exeMffbbomn.exeNmjmeg32.exeOflddl32.exeAdnjek32.exeCdclgh32.exeKikokq32.exeMjggnmab.exeAahhia32.exePfegjjck.exeKemfeb32.exeMjdkhmcd.exeOqolldmo.exeDcopidle.exeNbdiho32.exeNjbgik32.exeCkmedbeb.exeDpofhiod.exeMbhilp32.exeMqnceg32.exeBffihe32.exeMhbaijod.exeOjecok32.exeBaiqpo32.exea9ae2cfb6e0eca331ba9ad87efd2c820126cd6bba4c7e51c6ad2f71677c7cb11N.exeKldblmmk.exeKlkhml32.exeLchmoe32.exeNiqnjh32.exePifple32.exeAmfooafm.exeBjjohe32.exeBimocbla.exeNqclpfgl.exeQcdgom32.exeAblafi32.exeLppgciga.exeAbnnlhhj.exeCbachf32.exeKeappapf.exeNbfemnkg.exePfjqei32.exeAdiqjlcb.exeLhnhnk32.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddolcgch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfdncm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmhbmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cipepo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkobbpk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dancal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhldoifj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nokfgbja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofpnok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aidlmcdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aamadpbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhfne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpqjfk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcjbkc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnajk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paaahbmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcaped32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aapnip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpidfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmidknfh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckoajb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mffbbomn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmjmeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflddl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adnjek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdclgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kikokq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjggnmab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aahhia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfegjjck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kemfeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjdkhmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqolldmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcopidle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbdiho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njbgik32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmedbeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpofhiod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbhilp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mqnceg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffihe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhbaijod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojecok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baiqpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a9ae2cfb6e0eca331ba9ad87efd2c820126cd6bba4c7e51c6ad2f71677c7cb11N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kldblmmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klkhml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lchmoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Niqnjh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pifple32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amfooafm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjjohe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bimocbla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqclpfgl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcdgom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ablafi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lppgciga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abnnlhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbachf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keappapf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbfemnkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjqei32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adiqjlcb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhnhnk32.exe

Modifies registry class 64 IoCs

Processes:

Klgoalkh.exeKpdghkao.exePjgikh32.exeObnlnm32.exePpkonp32.exeDancal32.exea9ae2cfb6e0eca331ba9ad87efd2c820126cd6bba4c7e51c6ad2f71677c7cb11N.exePmmcad32.exeNcdeaa32.exeOjecok32.exePifple32.exeAdnjek32.exeMplfog32.exeOfbjdken.exeAificcbj.exeKikokq32.exeMbkfap32.exeMcjbkc32.exeQmkobbpk.exeAdpgkk32.exeBjohcdab.exeLhgbmlia.exeNbfemnkg.exeBdgmlj32.exeBdbcqklh.exeBkaehdoo.exeKcepif32.exeMpjijhof.exeNmjmeg32.exeKemfeb32.exeMhbaijod.exeOfnajk32.exeBpidfl32.exeCdqpbi32.exePamhmb32.exeQcdgom32.exeCmggeohk.exeCagmamlo.exeCkkhocgd.exeKedlea32.exeLhnhnk32.exePfegjjck.exeBjjohe32.exeBffihe32.exeAflfag32.exeNfnhbngf.exeAiaphc32.exeAjeemfil.exeKhifln32.exeLhioblgo.exeMjdkhmcd.exeMlecjhae.exeQfqgfh32.exeMffbbomn.exePjqckikd.exePfjqei32.exePblhokip.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klgoalkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnjdme32.dll"	Kpdghkao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeinggog.dll"	Pjgikh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Obnlnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giijoi32.dll"	Ppkonp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dancal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	a9ae2cfb6e0eca331ba9ad87efd2c820126cd6bba4c7e51c6ad2f71677c7cb11N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmmcad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncdeaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojecok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pifple32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adnjek32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mplfog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofbjdken.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aificcbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kikokq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mbkfap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcjbkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmkobbpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iochne32.dll"	Mplfog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adpgkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdebhm32.dll"	Bjohcdab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lhgbmlia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbfemnkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdgmlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bncpqm32.dll"	Bdbcqklh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfickphb.dll"	Bkaehdoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kcepif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpjijhof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmjmeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kemfeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mhbaijod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofnajk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qebpgnkb.dll"	Bpidfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkjbpk32.dll"	Cdqpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klngce32.dll"	Pamhmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdbcqklh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qcdgom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmggeohk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagmamlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iokalh32.dll"	Ckkhocgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jehnpp32.dll"	Kedlea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lhnhnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfegjjck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhdlea32.dll"	Bjjohe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bffihe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mifceapa.dll"	Aflfag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neelfb32.dll"	Nfnhbngf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aiaphc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbgnlcdn.dll"	Bdgmlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apibhl32.dll"	Ajeemfil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khifln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eginhm32.dll"	Lhioblgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjdkhmcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlecjhae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfqgfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kikokq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mffbbomn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmmcad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapbnf32.dll"	Pjqckikd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfjqei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofnajk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjqckikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccliam32.dll"	Pblhokip.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a9ae2cfb6e0eca331ba9ad87efd2c820126cd6bba4c7e51c6ad2f71677c7cb11N.exeJalaid32.exeJicija32.exeJopabhna.exeKhifln32.exeKldblmmk.exeKemfeb32.exeKlgoalkh.exeKcqgnfbe.exeKikokq32.exeKpdghkao.exeKeappapf.exeKlkhml32.exeKcepif32.exeKedlea32.exeKlndbkep.exeKpiqcj32.exeLchmoe32.exeLefika32.exeLplmhj32.exeLcjide32.exeLhgbmlia.exe

description	pid	Process	procid_target
PID 2124 wrote to memory of 1884	2124	a9ae2cfb6e0eca331ba9ad87efd2c820126cd6bba4c7e51c6ad2f71677c7cb11N.exe	82
PID 2124 wrote to memory of 1884	2124	a9ae2cfb6e0eca331ba9ad87efd2c820126cd6bba4c7e51c6ad2f71677c7cb11N.exe	82
PID 2124 wrote to memory of 1884	2124	a9ae2cfb6e0eca331ba9ad87efd2c820126cd6bba4c7e51c6ad2f71677c7cb11N.exe	82
PID 1884 wrote to memory of 2672	1884	Jalaid32.exe	83
PID 1884 wrote to memory of 2672	1884	Jalaid32.exe	83
PID 1884 wrote to memory of 2672	1884	Jalaid32.exe	83
PID 2672 wrote to memory of 4768	2672	Jicija32.exe	84
PID 2672 wrote to memory of 4768	2672	Jicija32.exe	84
PID 2672 wrote to memory of 4768	2672	Jicija32.exe	84
PID 4768 wrote to memory of 2576	4768	Jopabhna.exe	85
PID 4768 wrote to memory of 2576	4768	Jopabhna.exe	85
PID 4768 wrote to memory of 2576	4768	Jopabhna.exe	85
PID 2576 wrote to memory of 3492	2576	Khifln32.exe	86
PID 2576 wrote to memory of 3492	2576	Khifln32.exe	86
PID 2576 wrote to memory of 3492	2576	Khifln32.exe	86
PID 3492 wrote to memory of 1176	3492	Kldblmmk.exe	87
PID 3492 wrote to memory of 1176	3492	Kldblmmk.exe	87
PID 3492 wrote to memory of 1176	3492	Kldblmmk.exe	87
PID 1176 wrote to memory of 1960	1176	Kemfeb32.exe	88
PID 1176 wrote to memory of 1960	1176	Kemfeb32.exe	88
PID 1176 wrote to memory of 1960	1176	Kemfeb32.exe	88
PID 1960 wrote to memory of 2840	1960	Klgoalkh.exe	89
PID 1960 wrote to memory of 2840	1960	Klgoalkh.exe	89
PID 1960 wrote to memory of 2840	1960	Klgoalkh.exe	89
PID 2840 wrote to memory of 1392	2840	Kcqgnfbe.exe	90
PID 2840 wrote to memory of 1392	2840	Kcqgnfbe.exe	90
PID 2840 wrote to memory of 1392	2840	Kcqgnfbe.exe	90
PID 1392 wrote to memory of 3996	1392	Kikokq32.exe	91
PID 1392 wrote to memory of 3996	1392	Kikokq32.exe	91
PID 1392 wrote to memory of 3996	1392	Kikokq32.exe	91
PID 3996 wrote to memory of 4900	3996	Kpdghkao.exe	92
PID 3996 wrote to memory of 4900	3996	Kpdghkao.exe	92
PID 3996 wrote to memory of 4900	3996	Kpdghkao.exe	92
PID 4900 wrote to memory of 980	4900	Keappapf.exe	93
PID 4900 wrote to memory of 980	4900	Keappapf.exe	93
PID 4900 wrote to memory of 980	4900	Keappapf.exe	93
PID 980 wrote to memory of 2084	980	Klkhml32.exe	94
PID 980 wrote to memory of 2084	980	Klkhml32.exe	94
PID 980 wrote to memory of 2084	980	Klkhml32.exe	94
PID 2084 wrote to memory of 2880	2084	Kcepif32.exe	95
PID 2084 wrote to memory of 2880	2084	Kcepif32.exe	95
PID 2084 wrote to memory of 2880	2084	Kcepif32.exe	95
PID 2880 wrote to memory of 3240	2880	Kedlea32.exe	96
PID 2880 wrote to memory of 3240	2880	Kedlea32.exe	96
PID 2880 wrote to memory of 3240	2880	Kedlea32.exe	96
PID 3240 wrote to memory of 3156	3240	Klndbkep.exe	97
PID 3240 wrote to memory of 3156	3240	Klndbkep.exe	97
PID 3240 wrote to memory of 3156	3240	Klndbkep.exe	97
PID 3156 wrote to memory of 1028	3156	Kpiqcj32.exe	98
PID 3156 wrote to memory of 1028	3156	Kpiqcj32.exe	98
PID 3156 wrote to memory of 1028	3156	Kpiqcj32.exe	98
PID 1028 wrote to memory of 628	1028	Lchmoe32.exe	99
PID 1028 wrote to memory of 628	1028	Lchmoe32.exe	99
PID 1028 wrote to memory of 628	1028	Lchmoe32.exe	99
PID 628 wrote to memory of 2412	628	Lefika32.exe	100
PID 628 wrote to memory of 2412	628	Lefika32.exe	100
PID 628 wrote to memory of 2412	628	Lefika32.exe	100
PID 2412 wrote to memory of 2812	2412	Lplmhj32.exe	101
PID 2412 wrote to memory of 2812	2412	Lplmhj32.exe	101
PID 2412 wrote to memory of 2812	2412	Lplmhj32.exe	101
PID 2812 wrote to memory of 1432	2812	Lcjide32.exe	102
PID 2812 wrote to memory of 1432	2812	Lcjide32.exe	102
PID 2812 wrote to memory of 1432	2812	Lcjide32.exe	102
PID 1432 wrote to memory of 2956	1432	Lhgbmlia.exe	103

C:\Users\Admin\AppData\Local\Temp\a9ae2cfb6e0eca331ba9ad87efd2c820126cd6bba4c7e51c6ad2f71677c7cb11N.exe
"C:\Users\Admin\AppData\Local\Temp\a9ae2cfb6e0eca331ba9ad87efd2c820126cd6bba4c7e51c6ad2f71677c7cb11N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\SysWOW64\Jalaid32.exe
  C:\Windows\system32\Jalaid32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Windows\SysWOW64\Jicija32.exe
    C:\Windows\system32\Jicija32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\SysWOW64\Jopabhna.exe
      C:\Windows\system32\Jopabhna.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4768
    - - C:\Windows\SysWOW64\Khifln32.exe
        
        C:\Windows\system32\Khifln32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2576
      - C:\Windows\SysWOW64\Kldblmmk.exe
        
        C:\Windows\system32\Kldblmmk.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3492
        
        C:\Windows\SysWOW64\Kemfeb32.exe
        
        C:\Windows\system32\Kemfeb32.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1176
        
        C:\Windows\SysWOW64\Klgoalkh.exe
        
        C:\Windows\system32\Klgoalkh.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\SysWOW64\Kcqgnfbe.exe
        
        C:\Windows\system32\Kcqgnfbe.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\SysWOW64\Kikokq32.exe
        
        C:\Windows\system32\Kikokq32.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Windows\SysWOW64\Kpdghkao.exe
        
        C:\Windows\system32\Kpdghkao.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\SysWOW64\Keappapf.exe
        
        C:\Windows\system32\Keappapf.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4900
        
        C:\Windows\SysWOW64\Klkhml32.exe
        
        C:\Windows\system32\Klkhml32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:980
        
        C:\Windows\SysWOW64\Kcepif32.exe
        
        C:\Windows\system32\Kcepif32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\SysWOW64\Kedlea32.exe
        
        C:\Windows\system32\Kedlea32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\Klndbkep.exe
        
        C:\Windows\system32\Klndbkep.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3240
        
        C:\Windows\SysWOW64\Kpiqcj32.exe
        
        C:\Windows\system32\Kpiqcj32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3156
        
        C:\Windows\SysWOW64\Lchmoe32.exe
        
        C:\Windows\system32\Lchmoe32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\SysWOW64\Lefika32.exe
        
        C:\Windows\system32\Lefika32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Windows\SysWOW64\Lplmhj32.exe
        
        C:\Windows\system32\Lplmhj32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\SysWOW64\Lcjide32.exe
        
        C:\Windows\system32\Lcjide32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\SysWOW64\Lhgbmlia.exe
        
        C:\Windows\system32\Lhgbmlia.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\SysWOW64\Lekbfpgk.exe
        
        C:\Windows\system32\Lekbfpgk.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2956
        
        C:\Windows\SysWOW64\Lhioblgo.exe
        
        C:\Windows\system32\Lhioblgo.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3760
        
        C:\Windows\SysWOW64\Lppgciga.exe
        
        C:\Windows\system32\Lppgciga.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1016
        
        C:\Windows\SysWOW64\Lhkkhk32.exe
        
        C:\Windows\system32\Lhkkhk32.exe
        26⤵
        Executes dropped EXE
        
        PID:1616
        
        C:\Windows\SysWOW64\Lcaped32.exe
        
        C:\Windows\system32\Lcaped32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1312
        
        C:\Windows\SysWOW64\Lhnhnk32.exe
        
        C:\Windows\system32\Lhnhnk32.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5016
        
        C:\Windows\SysWOW64\Mafmfqij.exe
        
        C:\Windows\system32\Mafmfqij.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5100
        
        C:\Windows\SysWOW64\Mpgmdhai.exe
        
        C:\Windows\system32\Mpgmdhai.exe
        30⤵
        Executes dropped EXE
        
        PID:2024
        
        C:\Windows\SysWOW64\Mbhilp32.exe
        
        C:\Windows\system32\Mbhilp32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2976
        
        C:\Windows\SysWOW64\Mhbaijod.exe
        
        C:\Windows\system32\Mhbaijod.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4600
        
        C:\Windows\SysWOW64\Mpjijhof.exe
        
        C:\Windows\system32\Mpjijhof.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2392
        
        C:\Windows\SysWOW64\Mbkfap32.exe
        
        C:\Windows\system32\Mbkfap32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3140
        
        C:\Windows\SysWOW64\Mffbbomn.exe
        
        C:\Windows\system32\Mffbbomn.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3964
        
        C:\Windows\SysWOW64\Mplfog32.exe
        
        C:\Windows\system32\Mplfog32.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2680
        
        C:\Windows\SysWOW64\Mcjbkc32.exe
        
        C:\Windows\system32\Mcjbkc32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4624
        
        C:\Windows\SysWOW64\Mjdkhmcd.exe
        
        C:\Windows\system32\Mjdkhmcd.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\Mqnceg32.exe
        
        C:\Windows\system32\Mqnceg32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4992
        
        C:\Windows\SysWOW64\Mcmoab32.exe
        
        C:\Windows\system32\Mcmoab32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2400
        
        C:\Windows\SysWOW64\Mjggnmab.exe
        
        C:\Windows\system32\Mjggnmab.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2224
        
        C:\Windows\SysWOW64\Mlecjhae.exe
        
        C:\Windows\system32\Mlecjhae.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3364
        
        C:\Windows\SysWOW64\Nocpfc32.exe
        
        C:\Windows\system32\Nocpfc32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4344
        
        C:\Windows\SysWOW64\Nfnhbngf.exe
        
        C:\Windows\system32\Nfnhbngf.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3596
        
        C:\Windows\SysWOW64\Nhldoifj.exe
        
        C:\Windows\system32\Nhldoifj.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:180
        
        C:\Windows\SysWOW64\Nqclpfgl.exe
        
        C:\Windows\system32\Nqclpfgl.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2728
        
        C:\Windows\SysWOW64\Nbdiho32.exe
        
        C:\Windows\system32\Nbdiho32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:536
        
        C:\Windows\SysWOW64\Njkail32.exe
        
        C:\Windows\system32\Njkail32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4564
        
        C:\Windows\SysWOW64\Nmjmeg32.exe
        
        C:\Windows\system32\Nmjmeg32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:912
        
        C:\Windows\SysWOW64\Ncdeaa32.exe
        
        C:\Windows\system32\Ncdeaa32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\Nbfemnkg.exe
        
        C:\Windows\system32\Nbfemnkg.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3612
        
        C:\Windows\SysWOW64\Niqnjh32.exe
        
        C:\Windows\system32\Niqnjh32.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Windows\SysWOW64\Nokfgbja.exe
        
        C:\Windows\system32\Nokfgbja.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        C:\Windows\SysWOW64\Nfdncm32.exe
        
        C:\Windows\system32\Nfdncm32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:736
        
        C:\Windows\SysWOW64\Nqjbqe32.exe
        
        C:\Windows\system32\Nqjbqe32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1240
        
        C:\Windows\SysWOW64\Nbkohn32.exe
        
        C:\Windows\system32\Nbkohn32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2900
        
        C:\Windows\SysWOW64\Njbgik32.exe
        
        C:\Windows\system32\Njbgik32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:844
        
        C:\Windows\SysWOW64\Ooopbb32.exe
        
        C:\Windows\system32\Ooopbb32.exe
        58⤵
        Executes dropped EXE
        
        PID:4728
        
        C:\Windows\SysWOW64\Obnlnm32.exe
        
        C:\Windows\system32\Obnlnm32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Ojecok32.exe
        
        C:\Windows\system32\Ojecok32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1244
        
        C:\Windows\SysWOW64\Oqolldmo.exe
        
        C:\Windows\system32\Oqolldmo.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4524
        
        C:\Windows\SysWOW64\Obphcm32.exe
        
        C:\Windows\system32\Obphcm32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4864
        
        C:\Windows\SysWOW64\Oflddl32.exe
        
        C:\Windows\system32\Oflddl32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4760
        
        C:\Windows\SysWOW64\Oodimaaf.exe
        
        C:\Windows\system32\Oodimaaf.exe
        64⤵
        Executes dropped EXE
        
        PID:1364
        
        C:\Windows\SysWOW64\Ofnajk32.exe
        
        C:\Windows\system32\Ofnajk32.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3508
        
        C:\Windows\SysWOW64\Oilmfg32.exe
        
        C:\Windows\system32\Oilmfg32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1744
        
        C:\Windows\SysWOW64\Opfebqpd.exe
        
        C:\Windows\system32\Opfebqpd.exe
        67⤵
        Drops file in System32 directory
        
        PID:3712
        
        C:\Windows\SysWOW64\Ocbacp32.exe
        
        C:\Windows\system32\Ocbacp32.exe
        68⤵
        Drops file in System32 directory
        
        PID:5092
        
        C:\Windows\SysWOW64\Ofpnok32.exe
        
        C:\Windows\system32\Ofpnok32.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:432
        
        C:\Windows\SysWOW64\Ocdnhofj.exe
        
        C:\Windows\system32\Ocdnhofj.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2276
        
        C:\Windows\SysWOW64\Ofbjdken.exe
        
        C:\Windows\system32\Ofbjdken.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4752
        
        C:\Windows\SysWOW64\Pmmcad32.exe
        
        C:\Windows\system32\Pmmcad32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Ppkonp32.exe
        
        C:\Windows\system32\Ppkonp32.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Pfegjjck.exe
        
        C:\Windows\system32\Pfegjjck.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3404
        
        C:\Windows\SysWOW64\Pjqckikd.exe
        
        C:\Windows\system32\Pjqckikd.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1004
        
        C:\Windows\SysWOW64\Ppmlcpil.exe
        
        C:\Windows\system32\Ppmlcpil.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4452
        
        C:\Windows\SysWOW64\Pblhokip.exe
        
        C:\Windows\system32\Pblhokip.exe
        77⤵
        Modifies registry class
        
        PID:2948
        
        C:\Windows\SysWOW64\Pifple32.exe
        
        C:\Windows\system32\Pifple32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Pamhmb32.exe
        
        C:\Windows\system32\Pamhmb32.exe
        79⤵
        Modifies registry class
        
        PID:3216
        
        C:\Windows\SysWOW64\Pfjqei32.exe
        
        C:\Windows\system32\Pfjqei32.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1372
        
        C:\Windows\SysWOW64\Paoebbol.exe
        
        C:\Windows\system32\Paoebbol.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4100
        
        C:\Windows\SysWOW64\Ppbeno32.exe
        
        C:\Windows\system32\Ppbeno32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:740
        
        C:\Windows\SysWOW64\Pjgikh32.exe
        
        C:\Windows\system32\Pjgikh32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2176
        
        C:\Windows\SysWOW64\Paaahbmi.exe
        
        C:\Windows\system32\Paaahbmi.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:388
        
        C:\Windows\SysWOW64\Pfnjqikq.exe
        
        C:\Windows\system32\Pfnjqikq.exe
        85⤵
        
        PID:8
        
        C:\Windows\SysWOW64\Qmhbmc32.exe
        
        C:\Windows\system32\Qmhbmc32.exe
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Windows\SysWOW64\Qbekejqe.exe
        
        C:\Windows\system32\Qbekejqe.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2800
        
        C:\Windows\SysWOW64\Qfqgfh32.exe
        
        C:\Windows\system32\Qfqgfh32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\Qmkobbpk.exe
        
        C:\Windows\system32\Qmkobbpk.exe
        89⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4296
        
        C:\Windows\SysWOW64\Qcdgom32.exe
        
        C:\Windows\system32\Qcdgom32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Aiaphc32.exe
        
        C:\Windows\system32\Aiaphc32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4164
        
        C:\Windows\SysWOW64\Aahhia32.exe
        
        C:\Windows\system32\Aahhia32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        C:\Windows\SysWOW64\Abjdqi32.exe
        
        C:\Windows\system32\Abjdqi32.exe
        93⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\Aidlmcdl.exe
        
        C:\Windows\system32\Aidlmcdl.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3648
        
        C:\Windows\SysWOW64\Aakdnqdo.exe
        
        C:\Windows\system32\Aakdnqdo.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2676
        
        C:\Windows\SysWOW64\Adiqjlcb.exe
        
        C:\Windows\system32\Adiqjlcb.exe
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:1708
        
        C:\Windows\SysWOW64\Ablafi32.exe
        
        C:\Windows\system32\Ablafi32.exe
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:1968
        
        C:\Windows\SysWOW64\Aificcbj.exe
        
        C:\Windows\system32\Aificcbj.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:64
        
        C:\Windows\SysWOW64\Aamadpbl.exe
        
        C:\Windows\system32\Aamadpbl.exe
        99⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2544
        
        C:\Windows\SysWOW64\Abnnlhhj.exe
        
        C:\Windows\system32\Abnnlhhj.exe
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:540
        
        C:\Windows\SysWOW64\Ajeemfil.exe
        
        C:\Windows\system32\Ajeemfil.exe
        101⤵
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Aapnip32.exe
        
        C:\Windows\system32\Aapnip32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3916
        
        C:\Windows\SysWOW64\Adnjek32.exe
        
        C:\Windows\system32\Adnjek32.exe
        103⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:336
        
        C:\Windows\SysWOW64\Aflfag32.exe
        
        C:\Windows\system32\Aflfag32.exe
        104⤵
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Amfooafm.exe
        
        C:\Windows\system32\Amfooafm.exe
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:4876
        
        C:\Windows\SysWOW64\Adpgkk32.exe
        
        C:\Windows\system32\Adpgkk32.exe
        106⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2220
        
        C:\Windows\SysWOW64\Bjjohe32.exe
        
        C:\Windows\system32\Bjjohe32.exe
        107⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Bimocbla.exe
        
        C:\Windows\system32\Bimocbla.exe
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:456
        
        C:\Windows\SysWOW64\Bdbcqklh.exe
        
        C:\Windows\system32\Bdbcqklh.exe
        109⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:440
        
        C:\Windows\SysWOW64\Bfapmfkk.exe
        
        C:\Windows\system32\Bfapmfkk.exe
        110⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\Bipliajo.exe
        
        C:\Windows\system32\Bipliajo.exe
        111⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\Bpidfl32.exe
        
        C:\Windows\system32\Bpidfl32.exe
        112⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4104
        
        C:\Windows\SysWOW64\Bbhqbg32.exe
        
        C:\Windows\system32\Bbhqbg32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3852
        
        C:\Windows\SysWOW64\Bjohcdab.exe
        
        C:\Windows\system32\Bjohcdab.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1780
        
        C:\Windows\SysWOW64\Baiqpo32.exe
        
        C:\Windows\system32\Baiqpo32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4368
        
        C:\Windows\SysWOW64\Bdgmlj32.exe
        
        C:\Windows\system32\Bdgmlj32.exe
        116⤵
        Modifies registry class
        
        PID:3812
        
        C:\Windows\SysWOW64\Bffihe32.exe
        
        C:\Windows\system32\Bffihe32.exe
        117⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4184
        
        C:\Windows\SysWOW64\Bkaehdoo.exe
        
        C:\Windows\system32\Bkaehdoo.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\Bdjjaj32.exe
        
        C:\Windows\system32\Bdjjaj32.exe
        119⤵
        Drops file in System32 directory
        
        PID:4824
        
        C:\Windows\SysWOW64\Bfhfne32.exe
        
        C:\Windows\system32\Bfhfne32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1056
        
        C:\Windows\SysWOW64\Bmbnjo32.exe
        
        C:\Windows\system32\Bmbnjo32.exe
        121⤵
        Drops file in System32 directory
        
        PID:4348
        
        C:\Windows\SysWOW64\Bpqjfk32.exe
        
        C:\Windows\system32\Bpqjfk32.exe
        122⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2000
        
        C:\Windows\SysWOW64\Cbofbf32.exe
        
        C:\Windows\system32\Cbofbf32.exe
        123⤵
        Drops file in System32 directory
        
        PID:4944
        
        C:\Windows\SysWOW64\Ciioopad.exe
        
        C:\Windows\system32\Ciioopad.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:868
        
        C:\Windows\SysWOW64\Capgpnbf.exe
        
        C:\Windows\system32\Capgpnbf.exe
        125⤵
        Drops file in System32 directory
        
        PID:5128
        
        C:\Windows\SysWOW64\Cpcglj32.exe
        
        C:\Windows\system32\Cpcglj32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5200
        
        C:\Windows\SysWOW64\Cbachf32.exe
        
        C:\Windows\system32\Cbachf32.exe
        127⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5260
        
        C:\Windows\SysWOW64\Cmggeohk.exe
        
        C:\Windows\system32\Cmggeohk.exe
        128⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Cdqpbi32.exe
        
        C:\Windows\system32\Cdqpbi32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Ckkhocgd.exe
        
        C:\Windows\system32\Ckkhocgd.exe
        130⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Cmidknfh.exe
        
        C:\Windows\system32\Cmidknfh.exe
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:5436
        
        C:\Windows\SysWOW64\Cdclgh32.exe
        
        C:\Windows\system32\Cdclgh32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5480
        
        C:\Windows\SysWOW64\Ckmedbeb.exe
        
        C:\Windows\system32\Ckmedbeb.exe
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:5528
        
        C:\Windows\SysWOW64\Cipepo32.exe
        
        C:\Windows\system32\Cipepo32.exe
        134⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5564
        
        C:\Windows\SysWOW64\Cagmamlo.exe
        
        C:\Windows\system32\Cagmamlo.exe
        135⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Cchiie32.exe
        
        C:\Windows\system32\Cchiie32.exe
        136⤵
        Drops file in System32 directory
        
        PID:5660
        
        C:\Windows\SysWOW64\Ckoajb32.exe
        
        C:\Windows\system32\Ckoajb32.exe
        137⤵
        System Location Discovery: System Language Discovery
        
        PID:5708
        
        C:\Windows\SysWOW64\Caijfljl.exe
        
        C:\Windows\system32\Caijfljl.exe
        138⤵
        Drops file in System32 directory
        
        PID:5752
        
        C:\Windows\SysWOW64\Ddhfbhip.exe
        
        C:\Windows\system32\Ddhfbhip.exe
        139⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\Dkanob32.exe
        
        C:\Windows\system32\Dkanob32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5844
        
        C:\Windows\SysWOW64\Didnkogg.exe
        
        C:\Windows\system32\Didnkogg.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5888
        
        C:\Windows\SysWOW64\Dpofhiod.exe
        
        C:\Windows\system32\Dpofhiod.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5932
        
        C:\Windows\SysWOW64\Dghodc32.exe
        
        C:\Windows\system32\Dghodc32.exe
        143⤵
        Drops file in System32 directory
        
        PID:5972
        
        C:\Windows\SysWOW64\Digkqn32.exe
        
        C:\Windows\system32\Digkqn32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6016
        
        C:\Windows\SysWOW64\Dancal32.exe
        
        C:\Windows\system32\Dancal32.exe
        145⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6060
        
        C:\Windows\SysWOW64\Dcopidle.exe
        
        C:\Windows\system32\Dcopidle.exe
        146⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6104
        
        C:\Windows\SysWOW64\Dkfgjamg.exe
        
        C:\Windows\system32\Dkfgjamg.exe
        147⤵
        Drops file in System32 directory
        
        PID:4356
        
        C:\Windows\SysWOW64\Dnedfmlk.exe
        
        C:\Windows\system32\Dnedfmlk.exe
        148⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\Ddolcgch.exe
        
        C:\Windows\system32\Ddolcgch.exe
        149⤵
        System Location Discovery: System Language Discovery
        
        PID:5292
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5292 -s 400
        150⤵
        Program crash
        
        PID:5488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 5292 -ip 5292
1⤵
PID:5384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aapnip32.exe

Filesize
96KB

MD5
7ca7d8e200b2124699db9d74c4231293

SHA1
04da450276e93290253260c71a0e9f0ac4eea7f3

SHA256
8f2c596c964e9d8cbaa6e3cb42ea95874bf1f121c199aa83f20609936a1908f1

SHA512
adf0ccff271306eb145fe6d6efff73eb12ea042ca69f561c6fdf6041905add4b2cdbc89fcbda37a445416eb4394d9f16fbb217d48881f7ec9f1070bac3edeb65

Download Submit
C:\Windows\SysWOW64\Abjdqi32.exe

Filesize
96KB

MD5
71535d106c8491b1ee386a400fad9352

SHA1
c3f9e23490056c5b271d0eb655c5d600a8f1cfaf

SHA256
49b83fa6baec95d66dae9fd534777b0d260874d31397321bbcbeac0068dd561d

SHA512
56dc779b94c312bd1a05dee61589291d2ad14c493fbeef36fea772b945af356c9910c4f419bd020f75ec0f409b9becda3cbb92faba32fc49a9db252f9c2dcc4b

Download Submit
C:\Windows\SysWOW64\Abnnlhhj.exe

Filesize
96KB

MD5
266004e8025793aa250ebbe5f1d7fb46

SHA1
29eff0263632d2dc88a07762529cdbaf64ee8aec

SHA256
7965ea2618593cb9d133eb9924c969448a678fce640c9a24f76fe359248dd73f

SHA512
85c87461ac7951f3e1fd52a38fbc4eed7da1451a1de5dd116e07bffbcec02fa3cf262107c4abc10451f0f1bac71d1b61d5dfa5c08c17dd378b80d2d64b118a11

Download Submit
C:\Windows\SysWOW64\Aflfag32.exe

Filesize
96KB

MD5
60ad2f98abde466cbde5c419d3fac4c0

SHA1
f7bf3f88666ec6fc27f6cfce232b9fdbc0bf8a91

SHA256
8d8e0a20e5f2cee293d12ba102e7378189ad072e77e7a1434aa9d5dfb20a7a57

SHA512
0de3473d810a02c5723bcf4f6813fcef11ba0aa01b9d22f86e54ee267a744c8e9bc235316fb23ac983b74a720a865ae645d308d0e09a87730209be242826bb56

Download Submit
C:\Windows\SysWOW64\Aiaphc32.exe

Filesize
96KB

MD5
0a18f729aabde6acae3606fba5c55c65

SHA1
92681829fa69e6c1e266d5c01795d7226451876f

SHA256
0b3abed7c56267df9367f86937587b4145078169827327dafe3736c779f57ed5

SHA512
a73e79ec51e1ff05512086c25b73302e633b13755852ef3c8df75356221e4873df399ca82328d4a59328bca2b5246f6eb77d945225412c56f77253c7e2618adc

Download Submit
C:\Windows\SysWOW64\Aificcbj.exe

Filesize
96KB

MD5
f7b708a8bea5bff1ef81a42505be0b7c

SHA1
8a5a2b42418b2f42f5ba21444581c55fc0773634

SHA256
89a1a4e6b7805c92cf1601032313cc0bd3e2a603165065296c2e38a7f892fb87

SHA512
80c826d02631cc213ed4f602b10031f321191660bb92bd79f999e2b037cab1bf47920ae893ca219c065f160675a4489def836a9c32ffea0721e54bb19cda22cd

Download Submit
C:\Windows\SysWOW64\Baiqpo32.exe

Filesize
96KB

MD5
075b088614ab75a321188d3680de8cc1

SHA1
34e39f2dc7630b13d59af1f86cb160228e0d3ca2

SHA256
0c1df57bc9156f0f4d2c8d221fa2d3fcd1fe7cd912d6b18e4ce75480d1385920

SHA512
0f213450aad28a468c9c995107fbbcc36e4b5606a9ec921fdf4b32343001aad38eec6edb9ca3f8522a2371e1a238440a5dfbce9096be52ed68b9d19926cefe45

Download Submit
C:\Windows\SysWOW64\Bdbcqklh.exe

Filesize
96KB

MD5
00a1df38235c02af0950bd6ba7a70499

SHA1
af979421edcc8a53326850de9a3dca8a2e07dea8

SHA256
92064857cb68672642e360999d5437bbd23ca4f31a7fbc3b1f1bb0c49dc641e3

SHA512
ee2f72bb95d6e94bb43a7c3947f6af238e89080b307878f53cf1c819b59e919cb43e30a934d807ff92851e0965706feb6b386aeb9ff4039d2c42cfdaa082ff68

Download Submit
C:\Windows\SysWOW64\Bfhfne32.exe

Filesize
96KB

MD5
97996faca4216955b567bc0f47287716

SHA1
af69aedfc352de6a4c35650317d7d2947dba66ce

SHA256
6f9eff7bc0e2be9f1a43f8f88ca98eaad42747912d0811291fa54e362113bb73

SHA512
d488aeeab7754b4823a009f62c6fb3941b61bdb12f587401de9a473ae83e158cbef8297b330f582c479404682c1bcfe0cd8b009d908b72f66a754f9188e26683

Download Submit
C:\Windows\SysWOW64\Bpidfl32.exe

Filesize
96KB

MD5
891435dae2a670db04bd4b22902c8f7e

SHA1
fb50b0e08525cc62aebf7c19e404364aaec8b410

SHA256
40784b88b345f7cbd95fc617f2602bd94c09a73e601eebfad423dd5b25c1ff0f

SHA512
237c2e38e35e8b71437ecf2a100af9755c1918404c57c46a19d781df6f51c93ff8ab4efe01070309255f4abff30df4a8c4f55cae5c6511af9948b7799c2687b0

Download Submit
C:\Windows\SysWOW64\Cchiie32.exe

Filesize
64KB

MD5
f73a99c6a4ae1a9ab09574502f31f36f

SHA1
0236d87ff7dbfbe29b082c25aee2f3be4546ade0

SHA256
22e21d567002e9d9ae49031d7208e5117bf89209b9d536f2e828808186fbd049

SHA512
da325858765d8aefc05e66c3a304bdbf62a8a341d02768301871849135ae44c1173593c8f87be4dd6181f1c9ba13a0f29b751c74211e9648a90a37df3536f15d

Download Submit
C:\Windows\SysWOW64\Ckmedbeb.exe

Filesize
96KB

MD5
a0e8dc2d5a81bfc90b20ac8664586314

SHA1
08c74297ea85089f553ad185fd1e93d188978871

SHA256
86d22a10ccf0735423941298c226746d907d59fa1f15af7d29076e702fd0cba8

SHA512
64d6ed131658d00c6b8427fb6cfbb0ce42ad7e28a76c99b1272fa96587037115b856c174298dddc8c2f9acfa681fd131ece5a02f4791160c1c49e95347351fd0

Download Submit
C:\Windows\SysWOW64\Cmggeohk.exe

Filesize
96KB

MD5
1406780b59bc7d0df5a39acfcf28dc7e

SHA1
e149dde3ffd8e0dcfce716d5579b68e6b1b1d02e

SHA256
21f2213bae552e97815ab7251ad452eac6c1b2863503019c72f35d4946b4dd60

SHA512
7c73ae0e16f28d450ae440824185a7937edde55d876f87fda7839f053b63760063858937f1aa1f7502b8dbb2805b66a929b76a209177019abefcc01c62f0244c

Download Submit
C:\Windows\SysWOW64\Ddolcgch.exe

Filesize
96KB

MD5
ed99b8dcbf7b5309a5b1931beb9adfba

SHA1
e430ddc09d809641cffc8cbb3c8739da3de00be1

SHA256
bc8f23750900eeb92f19b9783fc2b6bf924e7817df4edebb3766bf6850c94071

SHA512
13e2442d9e963a89ccc63be262e1187f75afada856b5bae8390b509cc4059cdd2c52a1fb5a164cae6483324ae322c93942314a9a1dcbd8efc6e2b6ab5fda42d2

Download Submit
C:\Windows\SysWOW64\Dpofhiod.exe

Filesize
96KB

MD5
ea03f04a89b5b40ff79e2aeda24628c7

SHA1
bc9c4cd68e65907796fbd2af960b7e83eb788cc9

SHA256
57ab498b8690aa2b7b1567d7eea66a0b71cd5bc2225625a5d08d55e16433b186

SHA512
da04dda4e206ffbba4a04ca16a56818ee4c91213ea05f2e3b7913c90bc508055380fce5521e202799fc1181639e6a8687e04a82c99970f960cec70a9a4da4afe

Download Submit
C:\Windows\SysWOW64\Jalaid32.exe

Filesize
96KB

MD5
194736f40a6fc08274db5db8ca687a87

SHA1
36ae2fff7f6a5b91e2f761463297f13f27f96e89

SHA256
66b10a7471c8dec86be4f6fb017b33260f4503fdeddf12736cc36766f550530f

SHA512
2bcc4d8485db4554984b5c330ad8a458ce544ed641b910559282291154061e94f29d327c1c3683c886b0cbc6a5f82f278a4f1db22c25acd7b0b942cfae86c566

Download Submit
C:\Windows\SysWOW64\Jicija32.exe

Filesize
96KB

MD5
d1f184d49f2557190610dd0df1bf4a82

SHA1
fe10f493b6381d49ef6936249959e8c1b3c367fe

SHA256
e22df8fdefbfc83f4d97daf6cdb1c33724d957b2ab9c0e71428a947a2d6d64cc

SHA512
6a4e45d34f01cd20e73a748dab3bebc29ac2750db037baf418a98c4a7936e41ef194b04028c3b06ae289b8e76fc87006746e2e32403a04fc9924ba184d112c16

Download Submit
C:\Windows\SysWOW64\Jopabhna.exe

Filesize
96KB

MD5
3545c0a413885ec589adb531e9992c70

SHA1
0a1bc6d29d3abd41abea3473b699fa5469357d81

SHA256
65bddfae07fb8e106d15896f29e2651cd5b4e16e72bbaf1857d3cd3f92b6e93a

SHA512
0999daaf94679f44af4fdba9957bc0d1fc58a9a60bceea83f30e16d39116beaeb979fec482048db9f98e433e645c45f016a7c15ac4dc6137b25b14e02ab5b8aa

Download Submit
C:\Windows\SysWOW64\Kcepif32.exe

Filesize
96KB

MD5
2d45163d48f0ed5a24a05eeda7fe6085

SHA1
39c1dbd66b881c7edea1c1f42d2709eb6c56a2de

SHA256
4168a8a4fc0bc50db34acc591634850f6bbd4236f34bbc2cb362d5d553faa1c8

SHA512
fdbd7afc8ff8a34ffc3c49fc55ce63d85818c337d7eb49c4873e6224235ae50cbe787a8cdacd9d7155749412ff068040ead5cdb8cc4d9d783d40493da838239e

Download Submit
C:\Windows\SysWOW64\Kcqgnfbe.exe

Filesize
96KB

MD5
d1ba980ce13df7385ec9c2db18065477

SHA1
8b3b803e0d3cc13b38980071f9d7d21bb66f344a

SHA256
d75ee4e425e0e1a0df3d624a773759eb0c3fc82ff9afeb6336a6af2c54e8c76c

SHA512
ec7a9a0716f2e014262b779ba1c0edd3af10b53f855bb5b27ba74a3a63345d7c3d9b8044039508ed291371b1679134e0f22823e9fcbd11dd7755dbbf8deac2c8

Download Submit
C:\Windows\SysWOW64\Keappapf.exe

Filesize
96KB

MD5
4ba4fc12dc14bf7abdddf65e8f0e84c5

SHA1
9608ae283b14d80971b4867b85408aae0527cae6

SHA256
c46074d129282e567b8e3abf561a9a8fd19d0f78a345af424b7dc5e3fbcea0c8

SHA512
27360111fa9c477d6bf4af5777474253d5d8e559646cb8bc96cfde174be26435fccb93fbde32a5618bec2cc74128221405bac8875321f08ce8f0b0d950a43dba

Download Submit
C:\Windows\SysWOW64\Kedlea32.exe

Filesize
96KB

MD5
36e7da8086d4f6f78521d3b01bef5369

SHA1
3f11309210e72bb3c34a10d066563f5bac438f4f

SHA256
7c900362f977f0ff6c18e0a29502a815e4ef3d28397d51bafab87f05bfc558ac

SHA512
75085cde5ddc13f784e1ba28b768f8cc3385a48a3444d8411f061234d6f44cbbb6708cdba957312a038c56ce526ffd99e2e12494c64bd060c81e2529303dff30

Download Submit
C:\Windows\SysWOW64\Kemfeb32.exe

Filesize
96KB

MD5
c61c5c780ed6ae41ad174ad696b36133

SHA1
55abde74345708d7f8e7fdf746c365268c3b0687

SHA256
a9820110a7cb8e11e78bbad1da3ac48ca1a43dee26ef04effa72c1b4c2d14b81

SHA512
f4b3804a1f66d87e91a3e1d0d36d6898ec0b8d1e8d43d43b5d8cefab1668021a9162f1f68fe2b7ce2d70ad29b304172aaaca510561fe74fdbe0672126e640608

Download Submit
C:\Windows\SysWOW64\Khifln32.exe

Filesize
96KB

MD5
7dfd58f2ab9f6be573ca6974cf5bb38e

SHA1
9121c26bdfc3bea25286fb608084e52dd5a04e3b

SHA256
582bd89a0427d88db636d5727a9e0f43919fc240f5af5e460e76bd592c16e44b

SHA512
41c8234ec899ea3db1fede1e032270414c485b9fc118366801d4127e81fe58a3736d0c33a387542bfd21cff9bee30f6353ebc0c20dec4522554b91b6c92b5e84

Download Submit
C:\Windows\SysWOW64\Kikokq32.exe

Filesize
96KB

MD5
8f091f2cd0c8f6cad7338efae1636687

SHA1
67e1b7176cd6d18f2e8096927200c27d684ab20c

SHA256
cfbcfaa62084c23261bb2be66980467dc11ea8f10a8301a0c27d6ffee12c132d

SHA512
997c7e6b722b0b816a901556e0adbf2f7fdd5ae023b5827fee829af6c27b39125b20660f249cd7f6fcc2a52bd58fb3048bd7f4040b7fe77d27556650754158be

Download Submit
C:\Windows\SysWOW64\Kldblmmk.exe

Filesize
96KB

MD5
5d97014fc370c3a1b35fe1d10c996683

SHA1
d992d46106f171705ac81a9b2ed8860d7223c337

SHA256
be9d0d4297d2199c5e008d202cacaeef9b954b314fcef116d44e39ee5d45facb

SHA512
cec60162e4f7cadcb5197fa73ee7ca77e94ba7bbffb6e83682327e21db8a3b6765913df191adfad3e5fbba875f371f34a063ae5a737b23c9b60ad4450a1ecf55

Download Submit
C:\Windows\SysWOW64\Klgoalkh.exe

Filesize
96KB

MD5
cc47133633b3107903adc6e86f410f9c

SHA1
60a246fdcb212f97d83ddd771224c75db15f5f20

SHA256
86df89ebd6a23200dc3bc8183f32b732d3480cb773c089dbb9ee2c69a967425f

SHA512
623440c0a1aee6cbb58359450692e90126411091c6d861180d9386c9149c831441c17b375a3b6a3dd75b71209dc5f3218037fdb40e42ef07d0f76830b2737b80

Download Submit
C:\Windows\SysWOW64\Klkhml32.exe

Filesize
96KB

MD5
918c119a570be76f83bdebe4d4dc0ba9

SHA1
6138a55580f717acafbc25139be3c226ee41c2fe

SHA256
b2f2497e935a15123f2a91cf3845922583c9ece24c9e5b1829d6fbb248aef572

SHA512
51f3c641147b4d989b28d2b92dc40702cad6fccb1a9a5b4cdecefaf51122138f2521874ecd45482e5e15fbad0f94f5a1408e1c01ea5195cd68229b7b0ee09f09

Download Submit
C:\Windows\SysWOW64\Klndbkep.exe

Filesize
96KB

MD5
93252b823a81b98147b2c693c174569f

SHA1
b4a62c5ae6a729b89a4dc421f181a8723cfb641f

SHA256
f81bf7668860db9d6fbb68576e5ecd0f61846dbbe5a71718c271b2fa767dafcf

SHA512
55ca22781d4ae520ee3dbe78202077941889c16fe1a0be8c3c9ab49fd111eabc6d4ee417e4183d394c637563f5a3962e18a9f1b90dc41233b96ce652b422853e

Download Submit
C:\Windows\SysWOW64\Kpdghkao.exe

Filesize
96KB

MD5
ab6ff07e60fbf5d2af9ca3e007118c96

SHA1
21c4de264a8aad727100a022a775853e4f7971a6

SHA256
5b6874170e12bf13987e0ce215a0c5c21172ef9a89e9170ee9461daace39d702

SHA512
57eef62f451c51394492dff42940fd0014029a11b8c1e4f7bc2a8d8208cdbc0c8155a0c078d515a1697b3b069605690cc7753ade104e9e2e2d20feb68580a5d4

Download Submit
C:\Windows\SysWOW64\Kpiqcj32.exe

Filesize
96KB

MD5
8f477bd9381a7dc8eaccc7642e7bfbd8

SHA1
5c997998fac83b5998a0735dcd3313b131e6b481

SHA256
8600f89b9176a0f7f668496f1a96300af638a447c8d82a6170f62fc6aafa4053

SHA512
f32a11fae6bbde1bb47915990814eca6d2d8092705c03f4541e7aca2d23935ccb7f2c36b276fd2a16bc7d04e5f0f2823300f6a122c48429c77a6dc91db163192

Download Submit
C:\Windows\SysWOW64\Lcaped32.exe

Filesize
96KB

MD5
5ddbc1dd9235075d10f8d316bcbbee38

SHA1
0103ed0e9d8ba3a19584464eb31a3532c81d168a

SHA256
0c406259a1a311788330e8709f7c960705d6b12eb493c3726b666f4d4e473409

SHA512
74c5804b69f770382319edadce31c54c1a56979a4bd90786d5797003bd157de7612b0c997c3860e3f845289d77308c6d5641aa2cca40940ab9da1f1c113298ed

Download Submit
C:\Windows\SysWOW64\Lchmoe32.exe

Filesize
96KB

MD5
4d5351d5a4dd89c665096717c6fb437c

SHA1
27b659830ed5fa10bbeaed20bfa6f3496cc87e5b

SHA256
36ee34b3b1eaa6b9b873c3beb90f93cb773ee6ab9f9b3fb1de73bed7c8db2ce5

SHA512
e03755a81e7a91d8367cb525c2b5827d2b6d9ed3b400ba83ca5690e5ae132c20c6a13bb9be3b69e0d644930bf3be6b769942462b3ea072b87dd1cabfe02979f0

Download Submit
C:\Windows\SysWOW64\Lcjide32.exe

Filesize
96KB

MD5
c38eab23c0885eefcb26aeffcf4c9126

SHA1
67ff2128d378041916733160b16f17ab21ff68c6

SHA256
d6ba3a8ce19f373b47da0f0cfb3cba5740a3c5e4383299e7579b9d434e6d6c31

SHA512
961b52719ca7531a25148ead1571131a3917cbe78f7110821699b4485590e2cb8c900eeb8be64e7bb2e568a245c539b77ad959ec1dffab33ecc8a38137c04bc5

Download Submit
C:\Windows\SysWOW64\Lefika32.exe

Filesize
96KB

MD5
603022c0273fb97a1216c2d0c3ceb189

SHA1
6cbabb2ad7c256e9057a8a0495c8c8ffba943800

SHA256
22775cc7a9975ddd0a3c35fa3d355ff70b9a4196e5572ba21552418d533baf5b

SHA512
4fd142d7ff199c70f56c71e614d9f896c59b8497cce80dc11602397f6a782f6a9b289cc129947ffe95f83f466a0bfb1c74c1945eafc6f16a40f5efe9906cb568

Download Submit
C:\Windows\SysWOW64\Lekbfpgk.exe

Filesize
96KB

MD5
10d873fa448856d5637435eaedb682dd

SHA1
4b8e151fc4af22abfd39ff186167429790e81181

SHA256
153b01c08ea8cb3866c8a5da8ddd6da16eb680f735bd3cfc487c488bcbb785ef

SHA512
0acd0c1c62a3941fe4af634fcdb4ff654be8fd8093d110f2f242428f0b10d569fbfbf49a66d716d99d3b680b9ef4420ed622b6a0de922110de177924f95480c2

Download Submit
C:\Windows\SysWOW64\Lhgbmlia.exe

Filesize
96KB

MD5
79665dc2fa7a5c9b6ba5ec670c656089

SHA1
cc29d0e29c1002cf836e152bda09d317749ce223

SHA256
f7f93cdc91ce639075ef3c19d8bc29545bac022800e4de377ce00803fc149368

SHA512
25f345c220a6d89151da00114e0198b5a4cf27356d93fff502138400a17de9c04fc9d5ec321916dd27580b4f4990e87a0ab84d6147e76e6a58a1e8801ef8b6b7

Download Submit
C:\Windows\SysWOW64\Lhioblgo.exe

Filesize
96KB

MD5
25391bde17001c1e171eac3c66bdca29

SHA1
7cfa4ade78f841fb39efb7b6c3841b6d103fb1dc

SHA256
a7711aa5d1ad67c05d5e57ffd9a5220437f659d7caee8e68cf132a79370a6ba7

SHA512
2ad268b481d13d49dbff2ae7392a80ffa0c973c8b515b59147e76293c4c80d92bddeb64e8cdb68602fdd6cf9969f2c6837009eaec1147d9599a9a428a19f4a73

Download Submit
C:\Windows\SysWOW64\Lhkkhk32.exe

Filesize
96KB

MD5
13d572290e1c1726e2cfa2b71d827a5a

SHA1
4839bb807d6353dabc7421845163c9ca39d00786

SHA256
cdee7378c5032e4c183b94b98e832c92d751b451ec09def4608842c4b615da3a

SHA512
817e72b682990b8c53551df3c68019358b27614ce2273ba3ba54c090899eec899cc69ca0dc0f52557bc073199f9b4c53d276dcc878249b2ce87e8add6f2f1b1c

Download Submit
C:\Windows\SysWOW64\Lhnhnk32.exe

Filesize
96KB

MD5
7b83a92d9055926b57fbfe091d9e075d

SHA1
1f5d9e20f1528c98ff43e0d44ceb4548d2fd20ec

SHA256
c7665ab99f85f7209542281ced7a932e3da107446b8915c6816578842e8e512d

SHA512
1ab1bbaf48a52286b5a76fb190f32239f1dc26a4839ac8ae3774d491a306d29bfcc388dade092ed38512c5e6f4247f6a9f0c639dd39d67956268b2f8f8d8ac7d

Download Submit
C:\Windows\SysWOW64\Lplmhj32.exe

Filesize
96KB

MD5
b13fdb1bfa5c018ea7b0354bd6cc68bb

SHA1
d771ae3360595ae6fb747641b78edc55a5698975

SHA256
8abcf983bf69af0a7b92f204c8aa7e0910663ba29c01399cd43c4de54de47e90

SHA512
a3bd4491d175fe6ac74fcdbd019e9c79060c254f54f18a463ed1a65ee8c7a387db67e44e99165d8afa81ce5bbff7eab10de940e0d249bd8f7fdda596c89e9830

Download Submit
C:\Windows\SysWOW64\Lppgciga.exe

Filesize
96KB

MD5
c7a05c5163cc4720aad3e2fffba058d2

SHA1
3e6651fadb7cc7d14890c49be1f23304f7d63f1b

SHA256
14bda3c3a5eb45c904877ca6a237285e8ff58e44c20877e3490c7ed713c34444

SHA512
111068b2b591b1407898c373caba6f4800140a13046ea6c47c95925f66431aa4eb9b8508b84a2a99361c37bb47b3a4e01be0b6ae096ec792e6f7a1ecd46fb7a3

Download Submit
C:\Windows\SysWOW64\Mafmfqij.exe

Filesize
96KB

MD5
8862174d11204122968f365f49622267

SHA1
7be4d33ebf73f4dc0b6318ae12c24085c3a19442

SHA256
f74762feb651648b94f802830345953ff3f7643fc37e2ec945381a0cbb2028be

SHA512
488b5d367ed020667bc0cf93ceade4584032e123174ee88f3181fbdecbffd934c302d1dde8f850df877c6e7e030e035835ad4c50e69dcaa8f54362038c5804af

Download Submit
C:\Windows\SysWOW64\Mbhilp32.exe

Filesize
96KB

MD5
e424b8f4d29cbf3b820bcb396226d0ef

SHA1
32eb01a0b03a69bbec73562210a9bf64e03dc99d

SHA256
f31a8c36cb242ec0816389be5042b5c6c21f69cc07a365efac068585631d2391

SHA512
4dca597b3f15035b167442d28ef878122af0bad48eb9b8213be11abef0159ed5cd57288ae38e42038e3a7608b9f6bb1c9b45312dd71ec4fc2841600f0f248cd5

Download Submit
C:\Windows\SysWOW64\Mcmoab32.exe

Filesize
96KB

MD5
8d1c15f59e9dba7fe54f0f05892ffd27

SHA1
4a70ea2ceef2176e21fb91ae63376d1bd23a9a5b

SHA256
e0c3f7557c394b7d9753dba1d3ca3dc266ee0d9b5ffb7799a500c61d0eb3ef4c

SHA512
1d1deb04b79a3badc1352a00eed7d516f0b50a0b5f77c91c67fb1fc5f9e860cf844550196346ffe15f123b11290546dd626c9a81702696a6a1234fcca778ea02

Download Submit
C:\Windows\SysWOW64\Mhbaijod.exe

Filesize
96KB

MD5
f5339d36e0a68fb55e4795f82332cb6f

SHA1
af5d6985f4ccac2d58c316b73d742defcb47b5cd

SHA256
806bb7274aeec0c546bdd6cfdecadd56ac4431dfb34c55dca368f1338d83af76

SHA512
1649de37cce935ba7199c806856c4c6b01942d84a289dfea293f82a2e95ee01771c783566942a8bdfa7de704e9aea4713a762e6298c52fbdfcf9e31c2e69a7ce

Download Submit
C:\Windows\SysWOW64\Mjdkhmcd.exe

Filesize
96KB

MD5
60e383def7717e4d19b8f492d04a338f

SHA1
bd66840a317889451d0d1d0a0fb1c5d21f76412d

SHA256
aa9a8b1ad1c98afdf1558003ef68c738c216625246a7c150c76f67a35e64792e

SHA512
3d7525094e23333547337ce876209ccafcabcf6209a75318c4720e7a7eaf38a5a6b29e93b11165089b18fb2356e33edea93756c6167a7ef9b368c6c095d1417f

Download Submit
C:\Windows\SysWOW64\Mlecjhae.exe

Filesize
96KB

MD5
b982fc4170ac14bfdbe7940006cfa155

SHA1
d1af53cd4b83147b6bd19e670478e9cc8edce9ea

SHA256
c3e14e5ddbe578c5f4c5abe5541c73b0f18210274400e43c720aa015fcb5f637

SHA512
bedbf65e39b953f70a0c7452b1993cf1080c852c89894e6d1180c0deb51e46a90003bc2abf10fed17cb2f4f564d16d6f36c66033075fc609e0b53847d4b69c5d

Download Submit
C:\Windows\SysWOW64\Mpgmdhai.exe

Filesize
96KB

MD5
e09b1f33bb41aa005cb2b3e306b29454

SHA1
23954f9322c4ba34b6397db944d018bd9f2a1927

SHA256
a89156f0249d35a994ac147c45f0c0f1edff97cc15a207eb0b2d8f7ce383aca2

SHA512
99a28d37b5bfb86a2c187ad08da5b4a4a0addb20f1a7b857cf54ba39e3555e88a9ab9b2e5326893b4031f126c0a639409f8cd687e55faa08df70c211aaf3ed0b

Download Submit
C:\Windows\SysWOW64\Mpjijhof.exe

Filesize
96KB

MD5
14ea4a4d51962556024eed78a7009a4f

SHA1
7948e86687b44c3b302646013bc6d08d9e85af66

SHA256
1e89b5d8f10f03b57941f1c82be9ff0ce5819805f090a7478f023fefd2360e05

SHA512
1b77b12971635ff059fa66a16ba6b7c224c352640a3089f00c0e46f3daea3b4218bf98d87fa8fb9839ede8e15bf8bc5c30ea15374c026c2ce21e5a3839133d44

Download Submit
C:\Windows\SysWOW64\Mplfog32.exe

Filesize
96KB

MD5
b5f04391d5dfc916ac27be0fadd74859

SHA1
00b71699a25a078dadcc0f1b9fda6145780ceea0

SHA256
6a987935b6d41e6e58a0a1c45229799490e019feb490954de6eed5a039c5669f

SHA512
42b6816f070ed4c759d5da3280feabe964b8934283f12b19915b6423bd3d79c6fd5cd4a678e9d8c510b9984f84887999436a0126d5d75aedf7b50b1072a8a702

Download Submit
C:\Windows\SysWOW64\Nbdiho32.exe

Filesize
96KB

MD5
619ac1ddbfbcad64fdbcc1f3b4977b60

SHA1
d761e7ac3a15ee7c69da3c3e83ff5fdbacb7c403

SHA256
f6f63c43392da95100e3aab8921c159b044d8c5e0c7857ebdab9f2ff71897560

SHA512
b39e893925fc33e0a30b248a6cc7ead0b5a1268c2723aa984a5c8b9a3617dce51e6f308e1256f1e2b5f983a958d04c5d24da2f95c445715ad7023a4a6b1eb113

Download Submit
C:\Windows\SysWOW64\Nbkohn32.exe

Filesize
96KB

MD5
6a0a0fb29a6dedf816d79106910f257b

SHA1
ea1a3bfa102947259e352039e53e9bfe0a57d8c1

SHA256
9ab3776a43f97c659c99896b73c33e3cb777d3d955ca51f3bb3c8f78d8c84145

SHA512
a65f46caf44e04599fab392deb16fdffb1ac2343adc69c581ac3beb3052e9dd7247c0e0df3063790875bee1b728a9a87ed89071693fbe2f07c0716e64daa9de8

Download Submit
C:\Windows\SysWOW64\Ncdeaa32.exe

Filesize
96KB

MD5
0e8f94d1704170567e4f384f1225e18c

SHA1
7e99c164795c21a5ecddd97d16ab23873a365113

SHA256
00947c3795805f4270ed094e1d34468f469c68064134099d3f3626548db6b439

SHA512
d12d555e34f64de939a88f9db3a138230fa512b821eb8732c31f1380cfc11a426532acbc714688fa1b53a98ece9649ab5f60ac5effca7817f0fea52c909fcc30

Download Submit
C:\Windows\SysWOW64\Nfnhbngf.exe

Filesize
96KB

MD5
08857f74101e276427358c69cb58db9d

SHA1
1260b491dd5d1def7be2371ac4c4074180ab4c0e

SHA256
a3f43a8eff0b2afbcd97123d9099d19b3a998a3c08e238260e488f714562636b

SHA512
4fb9eb177ae4a70addd937a5af39ca29300ae158413b8d11bbe96facc1f676a35330b5f4688bdb18a43d7185a2176fc844e229c11e06181a8505599b08ada500

Download Submit
C:\Windows\SysWOW64\Obnlnm32.exe

Filesize
96KB

MD5
e88d0dfb46f10a2e0fa267c5b1434f74

SHA1
e64f88b830acf08516f7d3d74fdc29a23c352eb6

SHA256
e8888838703577ea6ec96b2d530bc127bdeabbbd3d2560cd1593fd067e7db33e

SHA512
e1d512b39fbc0020332a481a10d72aae68b53c58ece9eacdbd195f1a981d8a7fd24795c1741c47505ba9796b2ce26c51b576a822022ff88b9cd8a08c58dca118

Download Submit
C:\Windows\SysWOW64\Ofbjdken.exe

Filesize
96KB

MD5
8f0b3c3c7c288bbbff8e6f9998e39cd7

SHA1
ebfc7ab9a8ebd7f79725da3b12747b0aedfe00e6

SHA256
6bcd34f72cbabbe29c39299060b6c5ed0f864e1681fe0c36f469799e7dc240d1

SHA512
ea4c13ab9d5fb5a7d1381dfde962070d5044757e4578c2e85c713c3d6417271629e2b07f3b201ca5c8cf870c01aa4b914c4b68e9df7a17207200195ab6e83027

Download Submit
C:\Windows\SysWOW64\Ofpnok32.exe

Filesize
96KB

MD5
2a73ba77d04131c78e118540f880802f

SHA1
3572adc577f68bbc4a19a6de135d129c4a43e316

SHA256
44008ac893ff5f3b1d0789a3d85a434917c38215e331f40f1b38318626820629

SHA512
56c8ab0a82eae5f2830dace26c71de1024a22be8435f650e6a19acb4ce0d8a73b0334ac410c68fd46805dfceb7e1f8e35faf4fa8c1a9f495d18fb9a845c165f7

Download Submit
C:\Windows\SysWOW64\Oilmfg32.exe

Filesize
96KB

MD5
e264cba26fa76114e4833ccf0f3df9da

SHA1
c6786559b9b690e8b8efcda8466e042c28607e07

SHA256
363fbe863e7f21917103baef644f81c956e52b24d246fd38763ff62ed6311a8c

SHA512
be242c288902c30b7dd739c404752a6ea1b87e5ea32de8e874ebca8a82a11e6dc2e28f04a3e9ae747bccc56ed05b8a43a31d55dfc3b0cd3bbe00e1a67d3034bf

Download Submit
C:\Windows\SysWOW64\Oodimaaf.exe

Filesize
96KB

MD5
bc951f1e7a0d2202d7a2cc9b1ae68738

SHA1
2a488a36a7bd3dd5ed360ccf5ecaaeed4a2325a4

SHA256
1fab19579c1dbecccd20519bd66caf2e7b9767444dd3a6ba5e36e7f75d065d7e

SHA512
11862e7baf70c148a55ca835e004cbee197248e42da9ae9bdc2529446d0e1daf4cd69c490d7a322de9e665fcb3e17664ef8a7730fce673c01dddba5a41f65a78

Download Submit
C:\Windows\SysWOW64\Oqolldmo.exe

Filesize
96KB

MD5
5d0d53b298713c41a6ecf3b745db4c5b

SHA1
a3db13532b1e320e97015a0a63415c955e8e86bb

SHA256
0085efd48f605808e8a61e537c1b8c051d42c7489209aece102ea95e7ae02589

SHA512
09cc1f1d399a2130a6f84fa6a746d99ba3e1c9f33a4f6dae3b9125aa844f2e8ed63aed34311b22d09fd2ac4054861a2560f2fde8048730ce9c1d839836d9f56a

Download Submit
C:\Windows\SysWOW64\Pfegjjck.exe

Filesize
64KB

MD5
c4292084932375a1bc53319a9dd4c144

SHA1
e5f058c644e5a054e4ac6f1c7cfad9743d2fc7b1

SHA256
1ff2f13aa59e88bc14db897c805292614874cda436f89dd575c63702ba8518ee

SHA512
ba9fe262da7cbc21394598b0017d4a2c58863262dccec9d2e020d9f679bdee26e9d942831c564aacce9d52a979abcf0fc3ad3270f65db417378e5cfc3f3d386f

Download Submit
C:\Windows\SysWOW64\Pfjqei32.exe

Filesize
96KB

MD5
0ad71d13a9f40e12df040256a2f3d7e5

SHA1
30bfa28e4331dc09991ce00ecaf88fc194319976

SHA256
9028687e47aad9d767042c1413179610c197fbf57e27a5f8ffc0b4500d107c2d

SHA512
9c3e336962b70b25ea161981cdf5a58f163aa25d0213795871fd5ed0a58062e7bf431275b11e66ab9e34c1c0f6687cdd642f59397e6bd8fcaf1927288806d0c5

Download Submit
C:\Windows\SysWOW64\Pifple32.exe

Filesize
96KB

MD5
330e34fc74a2eead01a66d3567b94db4

SHA1
8bc069e88811dcd370eb77d0e20f0803a464643c

SHA256
db8912b70afae01fe05dc8c9e39bb2cf7ebf9e38c4b32a774496a0bee351bf83

SHA512
8a2f205dae902df7421d7168a82a94d0a4cb24151e781de2a61268789d1ddb5db315a73a708714570da00e4a54252689caa977214ddd20fcc389fc3d4c722b6b

Download Submit
C:\Windows\SysWOW64\Qbekejqe.exe

Filesize
96KB

MD5
532d0f8473390fcbb713464e8a57aa03

SHA1
4f1384c528d0b03174d5d474fff18d0a49625cd5

SHA256
bea0d9b89f432763f60dd1fd49730eb9afca1b0b3d0fc623415a285e529c74b7

SHA512
cae0feab21e247165ad125210b456dfc525f60da97f66dfc86d5718b3a9840144ea5f704412d909a1f863db81bc14ca617615be790645eef4b34e74536eee185

Download Submit
C:\Windows\SysWOW64\Qmkobbpk.exe

Filesize
96KB

MD5
cd59b92fd4934ac14dadd3a90be1e4f3

SHA1
51a7fae8579a2abd58454a95adcb8fb743a64e96

SHA256
c6eaf517f51da7b43c34dd3c197fc11c29434d096cd5f2429fcbdc515d4db2e6

SHA512
4484e8e3d1893d1950bbc31352003b28d63413d495b2994e27611734481edb318eb46947fc693febd4288b6dd41d255d4d561ca228e5b67e367f03be957e6214

Download Submit
memory/8-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/180-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/388-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/432-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/536-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/628-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/736-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/740-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/844-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/912-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/980-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1004-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1016-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1028-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1176-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1176-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1240-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1244-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1312-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1364-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1372-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1392-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1432-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1616-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1744-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1884-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1884-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2024-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2084-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2100-1131-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2100-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2108-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2124-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2124-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2124-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2176-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2180-531-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2224-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2276-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2288-381-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2392-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2400-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2412-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2552-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2576-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2576-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2672-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2672-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2676-1115-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2680-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2728-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2800-592-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2812-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2840-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2880-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2948-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2956-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2976-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3140-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3156-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3216-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3240-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3364-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3404-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3492-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3492-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3508-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3596-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3612-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3712-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3760-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3916-1103-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3964-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3996-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4100-550-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4344-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4440-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4452-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4524-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4564-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4600-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4624-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4728-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4752-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4760-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4768-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4768-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4864-435-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4876-1098-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4900-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4992-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5016-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5040-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5092-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5100-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5104-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5112-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5128-1059-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5304-1054-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5436-1049-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5800-1034-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5888-1032-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download