5f0e909942b1ea81dc1214e3b8650ee38bb19ae1772db8db2f724da32a5e1179

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
07-09-2024 08:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f0e909942b1ea81dc1214e3b8650ee38bb19ae1772db8db2f724da32a5e1179.exe
Size

10.4MB
MD5

11f1eb0f5bc7b2154d81e5aefd9b2810
SHA1

5fb0ba246b285b7c341fc0465ffc520356f6b5ad
SHA256

5f0e909942b1ea81dc1214e3b8650ee38bb19ae1772db8db2f724da32a5e1179
SHA512

b03dcf048451eddeb1313583bd9ee2b1ddb3ae775e6a520108e78799ae68bd11d552de967a7e3a6f348783ef280ea135651391e243dec350b6cf95388a06d941
SSDEEP

196608:XZGmuosR2/LGPLCXOKODxH5qFlXS47dV2MANpvrjVbEKGWIoS:XZGnosREJLODBWlX3d+NpvdHIo

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
804	hpuchkkwgm.exe
2760	hpuchkkwgm.exe
2932	ohpsgofvlg.exe
2900	ohpsgofvlg.exe
2844	trewvjtaxc.exe
1948	trewvjtaxc.exe
2384	qpmkdqdksl.exe
1108	qpmkdqdksl.exe
3012	nerhyzwlgt.exe
2748	nerhyzwlgt.exe
2020	ywjsnaqenu.exe
1960	ywjsnaqenu.exe
2400	vgctbjpvaq.exe
2332	vgctbjpvaq.exe
2064	kruevtrqkw.exe
2120	kruevtrqkw.exe
780	fftvtaikjg.exe
112	fftvtaikjg.exe
2208	kehwmwchax.exe
916	kehwmwchax.exe
1600	yhxchochea.exe
1188	yhxchochea.exe
1612	ugnqnffnsd.exe
1844	ugnqnffnsd.exe
1432	vmtksnlzbu.exe
896	vmtksnlzbu.exe
1524	pdsxpxcppb.exe
2600	pdsxpxcppb.exe
2268	ficcnpisca.exe
784	ficcnpisca.exe
2928	nsofndjeqb.exe
2796	nsofndjeqb.exe
2348	djopufjhyt.exe
2896	djopufjhyt.exe
1500	dqnnfiwmyl.exe
2640	dqnnfiwmyl.exe
2696	kyifzxfefv.exe
1476	kyifzxfefv.exe
2932	qfwuncjwva.exe
2736	qfwuncjwva.exe
1272	nlmqkafyug.exe
2844	nlmqkafyug.exe
1204	ardknqnxvv.exe
3060	ardknqnxvv.exe
2416	fwwsgzrfpd.exe
3056	fwwsgzrfpd.exe
776	wozdnsprbz.exe
1972	wozdnsprbz.exe
1756	citaujvkdn.exe
1976	citaujvkdn.exe
1892	tvmtjdpuie.exe
1956	tvmtjdpuie.exe
2064	ilvmppawpq.exe
1812	ilvmppawpq.exe
1752	nmdgfvgcpm.exe
2208	nmdgfvgcpm.exe
2100	kqkekrdclq.exe
932	kqkekrdclq.exe
780	ovrqltazos.exe
1644	ovrqltazos.exe
940	okhwcbdoiq.exe
2424	okhwcbdoiq.exe
2576	lamqyppypm.exe
2488	lamqyppypm.exe

Loads dropped DLL 64 IoCs

pid	Process
2140	5f0e909942b1ea81dc1214e3b8650ee38bb19ae1772db8db2f724da32a5e1179.exe
804	hpuchkkwgm.exe
804	hpuchkkwgm.exe
2932	ohpsgofvlg.exe
2932	ohpsgofvlg.exe
2844	trewvjtaxc.exe
2844	trewvjtaxc.exe
2384	qpmkdqdksl.exe
2384	qpmkdqdksl.exe
3012	nerhyzwlgt.exe
3012	nerhyzwlgt.exe
2020	ywjsnaqenu.exe
2020	ywjsnaqenu.exe
2400	vgctbjpvaq.exe
2400	vgctbjpvaq.exe
2064	kruevtrqkw.exe
2064	kruevtrqkw.exe
780	fftvtaikjg.exe
780	fftvtaikjg.exe
2208	kehwmwchax.exe
2208	kehwmwchax.exe
1600	yhxchochea.exe
1600	yhxchochea.exe
1612	ugnqnffnsd.exe
1612	ugnqnffnsd.exe
1432	vmtksnlzbu.exe
1432	vmtksnlzbu.exe
1524	pdsxpxcppb.exe
1524	pdsxpxcppb.exe
2268	ficcnpisca.exe
2268	ficcnpisca.exe
2928	nsofndjeqb.exe
2928	nsofndjeqb.exe
2348	djopufjhyt.exe
2348	djopufjhyt.exe
1500	dqnnfiwmyl.exe
1500	dqnnfiwmyl.exe
2696	kyifzxfefv.exe
2696	kyifzxfefv.exe
2932	qfwuncjwva.exe
2932	qfwuncjwva.exe
1272	nlmqkafyug.exe
1272	nlmqkafyug.exe
1204	ardknqnxvv.exe
1204	ardknqnxvv.exe
2416	fwwsgzrfpd.exe
2416	fwwsgzrfpd.exe
776	wozdnsprbz.exe
776	wozdnsprbz.exe
1756	citaujvkdn.exe
1756	citaujvkdn.exe
1892	tvmtjdpuie.exe
1892	tvmtjdpuie.exe
2064	ilvmppawpq.exe
2064	ilvmppawpq.exe
1752	nmdgfvgcpm.exe
1752	nmdgfvgcpm.exe
2100	kqkekrdclq.exe
2100	kqkekrdclq.exe
780	ovrqltazos.exe
780	ovrqltazos.exe
940	okhwcbdoiq.exe
940	okhwcbdoiq.exe
2576	lamqyppypm.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
2140	5f0e909942b1ea81dc1214e3b8650ee38bb19ae1772db8db2f724da32a5e1179.exe
2288	5f0e909942b1ea81dc1214e3b8650ee38bb19ae1772db8db2f724da32a5e1179.exe
804	hpuchkkwgm.exe
2760	hpuchkkwgm.exe
2932	ohpsgofvlg.exe
2900	ohpsgofvlg.exe
2844	trewvjtaxc.exe
1948	trewvjtaxc.exe
2384	qpmkdqdksl.exe
1108	qpmkdqdksl.exe
3012	nerhyzwlgt.exe
2748	nerhyzwlgt.exe
2020	ywjsnaqenu.exe
1960	ywjsnaqenu.exe
2400	vgctbjpvaq.exe
2332	vgctbjpvaq.exe
2064	kruevtrqkw.exe
2120	kruevtrqkw.exe
780	fftvtaikjg.exe
112	fftvtaikjg.exe
2208	kehwmwchax.exe
916	kehwmwchax.exe
1600	yhxchochea.exe
1188	yhxchochea.exe
1612	ugnqnffnsd.exe
1844	ugnqnffnsd.exe
1432	vmtksnlzbu.exe
896	vmtksnlzbu.exe
1524	pdsxpxcppb.exe
2600	pdsxpxcppb.exe
2268	ficcnpisca.exe
784	ficcnpisca.exe
2928	nsofndjeqb.exe
2796	nsofndjeqb.exe
2348	djopufjhyt.exe
2896	djopufjhyt.exe
1500	dqnnfiwmyl.exe
2640	dqnnfiwmyl.exe
2696	kyifzxfefv.exe
1476	kyifzxfefv.exe
2932	qfwuncjwva.exe
2736	qfwuncjwva.exe
1272	nlmqkafyug.exe
2844	nlmqkafyug.exe
1204	ardknqnxvv.exe
3060	ardknqnxvv.exe
2416	fwwsgzrfpd.exe
3056	fwwsgzrfpd.exe
776	wozdnsprbz.exe
1972	wozdnsprbz.exe
1756	citaujvkdn.exe
1976	citaujvkdn.exe
1892	tvmtjdpuie.exe
1956	tvmtjdpuie.exe
2064	ilvmppawpq.exe
1812	ilvmppawpq.exe
1752	nmdgfvgcpm.exe
2208	nmdgfvgcpm.exe
2100	kqkekrdclq.exe
932	kqkekrdclq.exe
780	ovrqltazos.exe
1644	ovrqltazos.exe
940	okhwcbdoiq.exe
2424	okhwcbdoiq.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kehwmwchax.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wozdnsprbz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tvmtjdpuie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ilvmppawpq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nmdgfvgcpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	trewvjtaxc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vgctbjpvaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kyifzxfefv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tvmtjdpuie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xutqeodrix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dnxtzsdnyi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	trewvjtaxc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qpmkdqdksl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yhxchochea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ardknqnxvv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5f0e909942b1ea81dc1214e3b8650ee38bb19ae1772db8db2f724da32a5e1179.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hpuchkkwgm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ugnqnffnsd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dqnnfiwmyl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ovrqltazos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lamqyppypm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kehwmwchax.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lezwlajldk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ovrqltazos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tphgtcxpsf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qpmkdqdksl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vgctbjpvaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fftvtaikjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	djopufjhyt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dqnnfiwmyl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qfwuncjwva.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dnxtzsdnyi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nerhyzwlgt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kruevtrqkw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pdsxpxcppb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qfwuncjwva.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fwwsgzrfpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	citaujvkdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lamqyppypm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xutqeodrix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5f0e909942b1ea81dc1214e3b8650ee38bb19ae1772db8db2f724da32a5e1179.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ywjsnaqenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nsofndjeqb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ardknqnxvv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fwwsgzrfpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	citaujvkdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	okhwcbdoiq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nvxjwzmosu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nvxjwzmosu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hpuchkkwgm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fftvtaikjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmtksnlzbu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kyifzxfefv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kqkekrdclq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lezwlajldk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ohpsgofvlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yhxchochea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ugnqnffnsd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ficcnpisca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ohpsgofvlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nerhyzwlgt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmtksnlzbu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pdsxpxcppb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ficcnpisca.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2140	5f0e909942b1ea81dc1214e3b8650ee38bb19ae1772db8db2f724da32a5e1179.exe
2140	5f0e909942b1ea81dc1214e3b8650ee38bb19ae1772db8db2f724da32a5e1179.exe
2288	5f0e909942b1ea81dc1214e3b8650ee38bb19ae1772db8db2f724da32a5e1179.exe
804	hpuchkkwgm.exe
804	hpuchkkwgm.exe
2760	hpuchkkwgm.exe
2140	5f0e909942b1ea81dc1214e3b8650ee38bb19ae1772db8db2f724da32a5e1179.exe
2932	ohpsgofvlg.exe
804	hpuchkkwgm.exe
2932	ohpsgofvlg.exe
2900	ohpsgofvlg.exe
2844	trewvjtaxc.exe
2932	ohpsgofvlg.exe
2844	trewvjtaxc.exe
1948	trewvjtaxc.exe
2384	qpmkdqdksl.exe
2384	qpmkdqdksl.exe
2844	trewvjtaxc.exe
1108	qpmkdqdksl.exe
3012	nerhyzwlgt.exe
3012	nerhyzwlgt.exe
2748	nerhyzwlgt.exe
2384	qpmkdqdksl.exe
2020	ywjsnaqenu.exe
2020	ywjsnaqenu.exe
1960	ywjsnaqenu.exe
3012	nerhyzwlgt.exe
2400	vgctbjpvaq.exe
2400	vgctbjpvaq.exe
2332	vgctbjpvaq.exe
2020	ywjsnaqenu.exe
2064	kruevtrqkw.exe
2064	kruevtrqkw.exe
2400	vgctbjpvaq.exe
2120	kruevtrqkw.exe
780	fftvtaikjg.exe
2064	kruevtrqkw.exe
780	fftvtaikjg.exe
112	fftvtaikjg.exe
2208	kehwmwchax.exe
2208	kehwmwchax.exe
780	fftvtaikjg.exe
916	kehwmwchax.exe
2208	kehwmwchax.exe
1600	yhxchochea.exe
1600	yhxchochea.exe
1188	yhxchochea.exe
1612	ugnqnffnsd.exe
1600	yhxchochea.exe
1612	ugnqnffnsd.exe
1844	ugnqnffnsd.exe
1432	vmtksnlzbu.exe
1432	vmtksnlzbu.exe
896	vmtksnlzbu.exe
1524	pdsxpxcppb.exe
1524	pdsxpxcppb.exe
2600	pdsxpxcppb.exe
1612	ugnqnffnsd.exe
2268	ficcnpisca.exe
1432	vmtksnlzbu.exe
2268	ficcnpisca.exe
1524	pdsxpxcppb.exe
784	ficcnpisca.exe
2928	nsofndjeqb.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2140	5f0e909942b1ea81dc1214e3b8650ee38bb19ae1772db8db2f724da32a5e1179.exe
2140	5f0e909942b1ea81dc1214e3b8650ee38bb19ae1772db8db2f724da32a5e1179.exe
2288	5f0e909942b1ea81dc1214e3b8650ee38bb19ae1772db8db2f724da32a5e1179.exe
2288	5f0e909942b1ea81dc1214e3b8650ee38bb19ae1772db8db2f724da32a5e1179.exe
804	hpuchkkwgm.exe
804	hpuchkkwgm.exe
2760	hpuchkkwgm.exe
2760	hpuchkkwgm.exe
2932	ohpsgofvlg.exe
2932	ohpsgofvlg.exe
2900	ohpsgofvlg.exe
2900	ohpsgofvlg.exe
2844	trewvjtaxc.exe
2844	trewvjtaxc.exe
1948	trewvjtaxc.exe
1948	trewvjtaxc.exe
2384	qpmkdqdksl.exe
2384	qpmkdqdksl.exe
1108	qpmkdqdksl.exe
1108	qpmkdqdksl.exe
3012	nerhyzwlgt.exe
3012	nerhyzwlgt.exe
2748	nerhyzwlgt.exe
2748	nerhyzwlgt.exe
2020	ywjsnaqenu.exe
2020	ywjsnaqenu.exe
1960	ywjsnaqenu.exe
1960	ywjsnaqenu.exe
2400	vgctbjpvaq.exe
2400	vgctbjpvaq.exe
2332	vgctbjpvaq.exe
2332	vgctbjpvaq.exe
2064	kruevtrqkw.exe
2064	kruevtrqkw.exe
2120	kruevtrqkw.exe
2120	kruevtrqkw.exe
780	fftvtaikjg.exe
780	fftvtaikjg.exe
112	fftvtaikjg.exe
112	fftvtaikjg.exe
2208	kehwmwchax.exe
2208	kehwmwchax.exe
916	kehwmwchax.exe
916	kehwmwchax.exe
1600	yhxchochea.exe
1600	yhxchochea.exe
1188	yhxchochea.exe
1188	yhxchochea.exe
1612	ugnqnffnsd.exe
1612	ugnqnffnsd.exe
1844	ugnqnffnsd.exe
1844	ugnqnffnsd.exe
1432	vmtksnlzbu.exe
1432	vmtksnlzbu.exe
896	vmtksnlzbu.exe
896	vmtksnlzbu.exe
1524	pdsxpxcppb.exe
1524	pdsxpxcppb.exe
2600	pdsxpxcppb.exe
2600	pdsxpxcppb.exe
2268	ficcnpisca.exe
2268	ficcnpisca.exe
784	ficcnpisca.exe
784	ficcnpisca.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 2288	2140	5f0e909942b1ea81dc1214e3b8650ee38bb19ae1772db8db2f724da32a5e1179.exe	31
PID 2140 wrote to memory of 2288	2140	5f0e909942b1ea81dc1214e3b8650ee38bb19ae1772db8db2f724da32a5e1179.exe	31
PID 2140 wrote to memory of 2288	2140	5f0e909942b1ea81dc1214e3b8650ee38bb19ae1772db8db2f724da32a5e1179.exe	31
PID 2140 wrote to memory of 2288	2140	5f0e909942b1ea81dc1214e3b8650ee38bb19ae1772db8db2f724da32a5e1179.exe	31
PID 2140 wrote to memory of 804	2140	5f0e909942b1ea81dc1214e3b8650ee38bb19ae1772db8db2f724da32a5e1179.exe	32
PID 2140 wrote to memory of 804	2140	5f0e909942b1ea81dc1214e3b8650ee38bb19ae1772db8db2f724da32a5e1179.exe	32
PID 2140 wrote to memory of 804	2140	5f0e909942b1ea81dc1214e3b8650ee38bb19ae1772db8db2f724da32a5e1179.exe	32
PID 2140 wrote to memory of 804	2140	5f0e909942b1ea81dc1214e3b8650ee38bb19ae1772db8db2f724da32a5e1179.exe	32
PID 804 wrote to memory of 2760	804	hpuchkkwgm.exe	33
PID 804 wrote to memory of 2760	804	hpuchkkwgm.exe	33
PID 804 wrote to memory of 2760	804	hpuchkkwgm.exe	33
PID 804 wrote to memory of 2760	804	hpuchkkwgm.exe	33
PID 804 wrote to memory of 2932	804	hpuchkkwgm.exe	34
PID 804 wrote to memory of 2932	804	hpuchkkwgm.exe	34
PID 804 wrote to memory of 2932	804	hpuchkkwgm.exe	34
PID 804 wrote to memory of 2932	804	hpuchkkwgm.exe	34
PID 2932 wrote to memory of 2900	2932	ohpsgofvlg.exe	35
PID 2932 wrote to memory of 2900	2932	ohpsgofvlg.exe	35
PID 2932 wrote to memory of 2900	2932	ohpsgofvlg.exe	35
PID 2932 wrote to memory of 2900	2932	ohpsgofvlg.exe	35
PID 2932 wrote to memory of 2844	2932	ohpsgofvlg.exe	36
PID 2932 wrote to memory of 2844	2932	ohpsgofvlg.exe	36
PID 2932 wrote to memory of 2844	2932	ohpsgofvlg.exe	36
PID 2932 wrote to memory of 2844	2932	ohpsgofvlg.exe	36
PID 2844 wrote to memory of 1948	2844	trewvjtaxc.exe	37
PID 2844 wrote to memory of 1948	2844	trewvjtaxc.exe	37
PID 2844 wrote to memory of 1948	2844	trewvjtaxc.exe	37
PID 2844 wrote to memory of 1948	2844	trewvjtaxc.exe	37
PID 2844 wrote to memory of 2384	2844	trewvjtaxc.exe	38
PID 2844 wrote to memory of 2384	2844	trewvjtaxc.exe	38
PID 2844 wrote to memory of 2384	2844	trewvjtaxc.exe	38
PID 2844 wrote to memory of 2384	2844	trewvjtaxc.exe	38
PID 2384 wrote to memory of 1108	2384	qpmkdqdksl.exe	39
PID 2384 wrote to memory of 1108	2384	qpmkdqdksl.exe	39
PID 2384 wrote to memory of 1108	2384	qpmkdqdksl.exe	39
PID 2384 wrote to memory of 1108	2384	qpmkdqdksl.exe	39
PID 2384 wrote to memory of 3012	2384	qpmkdqdksl.exe	40
PID 2384 wrote to memory of 3012	2384	qpmkdqdksl.exe	40
PID 2384 wrote to memory of 3012	2384	qpmkdqdksl.exe	40
PID 2384 wrote to memory of 3012	2384	qpmkdqdksl.exe	40
PID 3012 wrote to memory of 2748	3012	nerhyzwlgt.exe	41
PID 3012 wrote to memory of 2748	3012	nerhyzwlgt.exe	41
PID 3012 wrote to memory of 2748	3012	nerhyzwlgt.exe	41
PID 3012 wrote to memory of 2748	3012	nerhyzwlgt.exe	41
PID 3012 wrote to memory of 2020	3012	nerhyzwlgt.exe	42
PID 3012 wrote to memory of 2020	3012	nerhyzwlgt.exe	42
PID 3012 wrote to memory of 2020	3012	nerhyzwlgt.exe	42
PID 3012 wrote to memory of 2020	3012	nerhyzwlgt.exe	42
PID 2020 wrote to memory of 1960	2020	ywjsnaqenu.exe	43
PID 2020 wrote to memory of 1960	2020	ywjsnaqenu.exe	43
PID 2020 wrote to memory of 1960	2020	ywjsnaqenu.exe	43
PID 2020 wrote to memory of 1960	2020	ywjsnaqenu.exe	43
PID 2020 wrote to memory of 2400	2020	ywjsnaqenu.exe	44
PID 2020 wrote to memory of 2400	2020	ywjsnaqenu.exe	44
PID 2020 wrote to memory of 2400	2020	ywjsnaqenu.exe	44
PID 2020 wrote to memory of 2400	2020	ywjsnaqenu.exe	44
PID 2400 wrote to memory of 2332	2400	vgctbjpvaq.exe	45
PID 2400 wrote to memory of 2332	2400	vgctbjpvaq.exe	45
PID 2400 wrote to memory of 2332	2400	vgctbjpvaq.exe	45
PID 2400 wrote to memory of 2332	2400	vgctbjpvaq.exe	45
PID 2400 wrote to memory of 2064	2400	vgctbjpvaq.exe	46
PID 2400 wrote to memory of 2064	2400	vgctbjpvaq.exe	46
PID 2400 wrote to memory of 2064	2400	vgctbjpvaq.exe	46
PID 2400 wrote to memory of 2064	2400	vgctbjpvaq.exe	46

C:\Users\Admin\AppData\Local\Temp\5f0e909942b1ea81dc1214e3b8650ee38bb19ae1772db8db2f724da32a5e1179.exe
"C:\Users\Admin\AppData\Local\Temp\5f0e909942b1ea81dc1214e3b8650ee38bb19ae1772db8db2f724da32a5e1179.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Users\Admin\AppData\Local\Temp\5f0e909942b1ea81dc1214e3b8650ee38bb19ae1772db8db2f724da32a5e1179.exe
  C:\Users\Admin\AppData\Local\Temp\5f0e909942b1ea81dc1214e3b8650ee38bb19ae1772db8db2f724da32a5e1179.exe update hpuchkkwgm.exe
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2288
- C:\Users\Admin\AppData\Local\Temp\hpuchkkwgm.exe
  C:\Users\Admin\AppData\Local\Temp\hpuchkkwgm.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:804
- - C:\Users\Admin\AppData\Local\Temp\hpuchkkwgm.exe
    C:\Users\Admin\AppData\Local\Temp\hpuchkkwgm.exe update ohpsgofvlg.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2760
- - C:\Users\Admin\AppData\Local\Temp\ohpsgofvlg.exe
    C:\Users\Admin\AppData\Local\Temp\ohpsgofvlg.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - C:\Users\Admin\AppData\Local\Temp\ohpsgofvlg.exe
      C:\Users\Admin\AppData\Local\Temp\ohpsgofvlg.exe update trewvjtaxc.exe
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2900
  - - C:\Users\Admin\AppData\Local\Temp\trewvjtaxc.exe
      C:\Users\Admin\AppData\Local\Temp\trewvjtaxc.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2844
    - - C:\Users\Admin\AppData\Local\Temp\trewvjtaxc.exe
        
        C:\Users\Admin\AppData\Local\Temp\trewvjtaxc.exe update qpmkdqdksl.exe
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1948
    - - C:\Users\Admin\AppData\Local\Temp\qpmkdqdksl.exe
        
        C:\Users\Admin\AppData\Local\Temp\qpmkdqdksl.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2384
      - C:\Users\Admin\AppData\Local\Temp\qpmkdqdksl.exe
        
        C:\Users\Admin\AppData\Local\Temp\qpmkdqdksl.exe update nerhyzwlgt.exe
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1108
      - C:\Users\Admin\AppData\Local\Temp\nerhyzwlgt.exe
        
        C:\Users\Admin\AppData\Local\Temp\nerhyzwlgt.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\nerhyzwlgt.exe
        
        C:\Users\Admin\AppData\Local\Temp\nerhyzwlgt.exe update ywjsnaqenu.exe
        7⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\ywjsnaqenu.exe
        
        C:\Users\Admin\AppData\Local\Temp\ywjsnaqenu.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\ywjsnaqenu.exe
        
        C:\Users\Admin\AppData\Local\Temp\ywjsnaqenu.exe update vgctbjpvaq.exe
        8⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\vgctbjpvaq.exe
        
        C:\Users\Admin\AppData\Local\Temp\vgctbjpvaq.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\vgctbjpvaq.exe
        
        C:\Users\Admin\AppData\Local\Temp\vgctbjpvaq.exe update kruevtrqkw.exe
        9⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\kruevtrqkw.exe
        
        C:\Users\Admin\AppData\Local\Temp\kruevtrqkw.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\kruevtrqkw.exe
        
        C:\Users\Admin\AppData\Local\Temp\kruevtrqkw.exe update fftvtaikjg.exe
        10⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\fftvtaikjg.exe
        
        C:\Users\Admin\AppData\Local\Temp\fftvtaikjg.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:780
        
        C:\Users\Admin\AppData\Local\Temp\fftvtaikjg.exe
        
        C:\Users\Admin\AppData\Local\Temp\fftvtaikjg.exe update kehwmwchax.exe
        11⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:112
        
        C:\Users\Admin\AppData\Local\Temp\kehwmwchax.exe
        
        C:\Users\Admin\AppData\Local\Temp\kehwmwchax.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\kehwmwchax.exe
        
        C:\Users\Admin\AppData\Local\Temp\kehwmwchax.exe update yhxchochea.exe
        12⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\yhxchochea.exe
        
        C:\Users\Admin\AppData\Local\Temp\yhxchochea.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\yhxchochea.exe
        
        C:\Users\Admin\AppData\Local\Temp\yhxchochea.exe update ugnqnffnsd.exe
        13⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\ugnqnffnsd.exe
        
        C:\Users\Admin\AppData\Local\Temp\ugnqnffnsd.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\ugnqnffnsd.exe
        
        C:\Users\Admin\AppData\Local\Temp\ugnqnffnsd.exe update vmtksnlzbu.exe
        14⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\vmtksnlzbu.exe
        
        C:\Users\Admin\AppData\Local\Temp\vmtksnlzbu.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\vmtksnlzbu.exe
        
        C:\Users\Admin\AppData\Local\Temp\vmtksnlzbu.exe update pdsxpxcppb.exe
        15⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\pdsxpxcppb.exe
        
        C:\Users\Admin\AppData\Local\Temp\pdsxpxcppb.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\pdsxpxcppb.exe
        
        C:\Users\Admin\AppData\Local\Temp\pdsxpxcppb.exe update ficcnpisca.exe
        16⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\ficcnpisca.exe
        
        C:\Users\Admin\AppData\Local\Temp\ficcnpisca.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\ficcnpisca.exe
        
        C:\Users\Admin\AppData\Local\Temp\ficcnpisca.exe update nsofndjeqb.exe
        17⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:784
        
        C:\Users\Admin\AppData\Local\Temp\nsofndjeqb.exe
        
        C:\Users\Admin\AppData\Local\Temp\nsofndjeqb.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\nsofndjeqb.exe
        
        C:\Users\Admin\AppData\Local\Temp\nsofndjeqb.exe update djopufjhyt.exe
        18⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\djopufjhyt.exe
        
        C:\Users\Admin\AppData\Local\Temp\djopufjhyt.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\djopufjhyt.exe
        
        C:\Users\Admin\AppData\Local\Temp\djopufjhyt.exe update dqnnfiwmyl.exe
        19⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\dqnnfiwmyl.exe
        
        C:\Users\Admin\AppData\Local\Temp\dqnnfiwmyl.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\dqnnfiwmyl.exe
        
        C:\Users\Admin\AppData\Local\Temp\dqnnfiwmyl.exe update kyifzxfefv.exe
        20⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\kyifzxfefv.exe
        
        C:\Users\Admin\AppData\Local\Temp\kyifzxfefv.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\kyifzxfefv.exe
        
        C:\Users\Admin\AppData\Local\Temp\kyifzxfefv.exe update qfwuncjwva.exe
        21⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\qfwuncjwva.exe
        
        C:\Users\Admin\AppData\Local\Temp\qfwuncjwva.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\qfwuncjwva.exe
        
        C:\Users\Admin\AppData\Local\Temp\qfwuncjwva.exe update nlmqkafyug.exe
        22⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\nlmqkafyug.exe
        
        C:\Users\Admin\AppData\Local\Temp\nlmqkafyug.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\nlmqkafyug.exe
        
        C:\Users\Admin\AppData\Local\Temp\nlmqkafyug.exe update ardknqnxvv.exe
        23⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\ardknqnxvv.exe
        
        C:\Users\Admin\AppData\Local\Temp\ardknqnxvv.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\ardknqnxvv.exe
        
        C:\Users\Admin\AppData\Local\Temp\ardknqnxvv.exe update fwwsgzrfpd.exe
        24⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\fwwsgzrfpd.exe
        
        C:\Users\Admin\AppData\Local\Temp\fwwsgzrfpd.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\fwwsgzrfpd.exe
        
        C:\Users\Admin\AppData\Local\Temp\fwwsgzrfpd.exe update wozdnsprbz.exe
        25⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\wozdnsprbz.exe
        
        C:\Users\Admin\AppData\Local\Temp\wozdnsprbz.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\wozdnsprbz.exe
        
        C:\Users\Admin\AppData\Local\Temp\wozdnsprbz.exe update citaujvkdn.exe
        26⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\citaujvkdn.exe
        
        C:\Users\Admin\AppData\Local\Temp\citaujvkdn.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\citaujvkdn.exe
        
        C:\Users\Admin\AppData\Local\Temp\citaujvkdn.exe update tvmtjdpuie.exe
        27⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\tvmtjdpuie.exe
        
        C:\Users\Admin\AppData\Local\Temp\tvmtjdpuie.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\tvmtjdpuie.exe
        
        C:\Users\Admin\AppData\Local\Temp\tvmtjdpuie.exe update ilvmppawpq.exe
        28⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\ilvmppawpq.exe
        
        C:\Users\Admin\AppData\Local\Temp\ilvmppawpq.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\ilvmppawpq.exe
        
        C:\Users\Admin\AppData\Local\Temp\ilvmppawpq.exe update nmdgfvgcpm.exe
        29⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\nmdgfvgcpm.exe
        
        C:\Users\Admin\AppData\Local\Temp\nmdgfvgcpm.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\nmdgfvgcpm.exe
        
        C:\Users\Admin\AppData\Local\Temp\nmdgfvgcpm.exe update kqkekrdclq.exe
        30⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\kqkekrdclq.exe
        
        C:\Users\Admin\AppData\Local\Temp\kqkekrdclq.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\kqkekrdclq.exe
        
        C:\Users\Admin\AppData\Local\Temp\kqkekrdclq.exe update ovrqltazos.exe
        31⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\ovrqltazos.exe
        
        C:\Users\Admin\AppData\Local\Temp\ovrqltazos.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:780
        
        C:\Users\Admin\AppData\Local\Temp\ovrqltazos.exe
        
        C:\Users\Admin\AppData\Local\Temp\ovrqltazos.exe update okhwcbdoiq.exe
        32⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\okhwcbdoiq.exe
        
        C:\Users\Admin\AppData\Local\Temp\okhwcbdoiq.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\okhwcbdoiq.exe
        
        C:\Users\Admin\AppData\Local\Temp\okhwcbdoiq.exe update lamqyppypm.exe
        33⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\lamqyppypm.exe
        
        C:\Users\Admin\AppData\Local\Temp\lamqyppypm.exe
        33⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\lamqyppypm.exe
        
        C:\Users\Admin\AppData\Local\Temp\lamqyppypm.exe update xutqeodrix.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\xutqeodrix.exe
        
        C:\Users\Admin\AppData\Local\Temp\xutqeodrix.exe
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\xutqeodrix.exe
        
        C:\Users\Admin\AppData\Local\Temp\xutqeodrix.exe update dnxtzsdnyi.exe
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\dnxtzsdnyi.exe
        
        C:\Users\Admin\AppData\Local\Temp\dnxtzsdnyi.exe
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\dnxtzsdnyi.exe
        
        C:\Users\Admin\AppData\Local\Temp\dnxtzsdnyi.exe update lezwlajldk.exe
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\lezwlajldk.exe
        
        C:\Users\Admin\AppData\Local\Temp\lezwlajldk.exe
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\lezwlajldk.exe
        
        C:\Users\Admin\AppData\Local\Temp\lezwlajldk.exe update tphgtcxpsf.exe
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\tphgtcxpsf.exe
        
        C:\Users\Admin\AppData\Local\Temp\tphgtcxpsf.exe
        37⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\tphgtcxpsf.exe
        
        C:\Users\Admin\AppData\Local\Temp\tphgtcxpsf.exe update nvxjwzmosu.exe
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\nvxjwzmosu.exe
        
        C:\Users\Admin\AppData\Local\Temp\nvxjwzmosu.exe
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\nvxjwzmosu.exe
        
        C:\Users\Admin\AppData\Local\Temp\nvxjwzmosu.exe update usjhifyvtc.exe
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\usjhifyvtc.exe
        
        C:\Users\Admin\AppData\Local\Temp\usjhifyvtc.exe
        39⤵
        
        PID:788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fftvtaikjg.exe

Filesize
10.4MB

MD5
4bc7dd476c540385091ee38c479ff9d7

SHA1
56ff5aa6e10d606d10f64481cf62a4ca77369ecc

SHA256
5593f6ddc961f94b9909da5ede41f2790a77e66caafbdf316c79c3aa01d3d16d

SHA512
7e4ead5fab90e611559773cc50604b2394b1057ca5a2df0c97dce3a248cd96f1004abbf34ed0bf6d307e58971725b95598adbeae096b29ab50bfa7848052003f

Download Submit
C:\Users\Admin\AppData\Local\Temp\kehwmwchax.exe

Filesize
10.4MB

MD5
707ef9a7280e8ac418041f1213d41929

SHA1
cda3bde97db90914d8437f4d86dc1350e75590f4

SHA256
eb2c178dbfaa11b0aa594968c45ecef129cfe962d9c789999f752622da951f0c

SHA512
7a029bedf0bb5c944db340781b73d144b763b224cc9c46b1023dc6a54b04dda4200bfaaeab1434a86ef770c75aba46f8cddacec53a021866bf3bfe2b674eba0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kruevtrqkw.exe

Filesize
10.4MB

MD5
1f7a816eb0512f973fe82c3e5614e079

SHA1
b2f5fa785a22f0e0e49c2b4409fba7c4667feb98

SHA256
621024a2f834155cf889543c33c99f4706952accd30458dda4dbedaa801a0a1c

SHA512
f23acf0c4e6a6c0b0afced6b9b1c87485f3ef3b6591f8b2df565aa38510cd9c81e72b914e097067dcf6ce3e02c6f29e0bb945f5ba26556f9c3329aea633adea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nerhyzwlgt.exe

Filesize
10.4MB

MD5
5fb59764752857368c85ab6292bc3280

SHA1
d76180099020247144817f3f7bda8550e978443b

SHA256
438a2a93b885b7e3e057f96a2793806829b21aed8ebe6981d81f7ffd14b1c8f2

SHA512
1bac747562df6cf7b5ab7e1e9108c3c921acdcd5ca8bdcb4309fb3e4ce48510e22de888c86f15e8725faf169dc4b990ff23bedc2aee9872a98ab7d746bf83e97

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpmkdqdksl.exe

Filesize
10.4MB

MD5
77a44d96f4f267c53ec02a741f74369a

SHA1
74f9ac98ee61508dfabfa0c7dcca61d55e2aa8c4

SHA256
d9ad564138d0b22d8c4f5f994b0c09118e0b832bc329d65ce41a145589533b79

SHA512
1a6fa36071a00b99f782d793ec6b2d847defc5276a5b797b5c394be4deabcd364a095f61e7c7ca386def5c103e4726a49027d97aebba9e64e1ba0caa28358f23

Download Submit
C:\Users\Admin\AppData\Local\Temp\trewvjtaxc.exe

Filesize
10.4MB

MD5
2996c2a74400e0df99cd94d78d653ad2

SHA1
30f7a2aa9d8169d854e1abe44013535b2e4160f2

SHA256
26f3dedf6b5983751d9645a604d8c8a36a26e531a5e519008989d93397dde267

SHA512
97de6866654bf47b4e2f21787b9063171b3749c8fcd3101060a1f0b4e8338b120fb7cd20673be0f005142c7323e4e46a11780abb0bf472b0cf9e7d3599e50124

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
46c05d72ea8faa19d5e60fe1e78c7f48

SHA1
1f33bb7a47a6388a6eb510c24f7d680f69ffe4a5

SHA256
35fa42dec9e966b4e269ec89772c6e87814a460a5de252448f0f201fed53df03

SHA512
242715edcdc34f37e32d382e57969a740b5985b175ebe6c8f5eb7d120b64f734ad771529a37bb7ce8c1be1c5cda86f9a3b98f487258bfc99862c29263f027201

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
928265c633a34b40a2df151b44b0d279

SHA1
385b6a954c12650cd03c374d8165c5258011cae4

SHA256
cc8665ed1199ebf601a571246413b909a0673bf3b9910dfab8a542add104f463

SHA512
35cb15cb5f327085030785b169c7b483ca54854df2056c25e7042d28ac7e8fa709eaf20173e0593460df96497e58b7f503fb6ba21706280f60454ef7fe6e406f

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
689e4876f79368efdf74e453e3b98eb9

SHA1
78ae90de8c7766fd89ae7c9ae60e4240e1132469

SHA256
1eada9390685581da4a4e04a24e4e64bf529df06ad2a0cd78bc6781153b592a9

SHA512
68514c96b5335af7e638ae732f123195f8bfe93dbb3b3b33109c103900eb38c5ad0fb718dc671742425838dee975d0d6c8e45dd37b938f65f35222b5707f5654

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
26ede5a71273876a1e42bf1261de305a

SHA1
1ea9285501ba615424174ff644d3ae0fdfb8977b

SHA256
aecc667a2d6fff343c4d83b451bb206b557494f0ba3b4b64d570d2fdeadf0f22

SHA512
c89e2b67b751255077f719c9ebdc61f5fe2cfde57e4cf746a49ad14b5ae89be97249dbff2564b76fb4caf6a28f3d8c3f6bb548be38bbdcfbf421e8b5d2c24d13

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
e33b5c6acaa54b1374ba63a5d54f0a7b

SHA1
82e404546b10086f8fc2f15c394e9b94c3c255d9

SHA256
a0355a5422fc117762a084747cdcc8d667464d4630896f6f282019096dc951f8

SHA512
4cc12e435d2070001307ad49852502695486551fdd4edeebfe65d65c5f15361eac00c620a6c54102f2c860f2371ff53467d642b7d8f0774eadb4056b910ba66d

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
6b53b42104788f812242400a0c79bebf

SHA1
f8a09bca0149d4be3b9ae8fc833eb74bbfa7d023

SHA256
f0fb7e0cfc22eac0f4ab1b37d2f74c03063688c2f3d52b9e3bcf1321b7120e35

SHA512
fd8f962a729d4b87dba258e32e6e034ed3bad2fc49c6c34fee2daec2587c0c7ef44a872c9e5427038c60bdbaaf4854e93d954553a07587717a8d05739b230080

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
10.4MB

MD5
6569278a91762ae2a7d6654123624b29

SHA1
65bb6a69a5eebb1e5dea68cbb48963e59294c633

SHA256
38a43ce1a689950807917aa1802ece374185bf99d352237cc0d9f4bbfe36fb09

SHA512
20243404c3831c252ab27e987be2a1fdd45d5294f35799eabd6c22462d76b5977f7dfc042f3546d863683b95acecdfedc4ccc090ccd588ebb7334c79f0343ac4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vgctbjpvaq.exe

Filesize
10.4MB

MD5
1e1b17363e523f028604e6d1171dd657

SHA1
5f79a3e1488697e5d6a6934af0192e18225090c3

SHA256
387578a95d167967d00217064263653c75e8bd39a6952bfdb12f3652fefbfcfb

SHA512
ba0f891d5f08385ebcde3dfcd5a00438503cdff4178b4a28bfc5f57a6e8d4cff4d2d703b3e2784b5782f1678e51fd5c2d7e2cbc0b9e0e91f401703e547e5adaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\yhxchochea.exe

Filesize
10.4MB

MD5
80b47c9af0b9321b35714170ccd8e939

SHA1
5d95f77439302e63f900c4845fdf8be527c9796c

SHA256
3f36534e5772f696bf2b01ffbf3444ec0d106be823037c698b84e3a8dae7ce5d

SHA512
9851223edab948b7b75f174784b7434941e6b10ab5fe9896d41f7f95d61d13da1973b269ab397da78714fbf71a80817b2f69eb3bd87c1ebbf323bfc384e5c555

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywjsnaqenu.exe

Filesize
10.4MB

MD5
e4f78115ff5e1f6a76f9992ff265ec0b

SHA1
84639779efe5a5860b52822ae4334d0171ee3e3b

SHA256
b35806d265572e9a7e381eef78fe39bac87c9e6e3ee8a5e3706c05e1cd7ca229

SHA512
fe783d31f82336a22c814ffcc7e966bf9c249bb1c1769a8b6167255e087003ce9a6a24785b6deb85764387c55d248603e4b2ea3cc07e972f671a68489c9ede88

Download Submit
\Users\Admin\AppData\Local\Temp\hpuchkkwgm.exe

Filesize
10.4MB

MD5
25f57f1185f0b61af442f618c6f9cb1e

SHA1
d8ec2771aac6d598576896b930a0a41fb7b4a8e3

SHA256
e37ddaa657cd8b0e93a57a87df8372a965fa268cbe1aa840bcbcc482a0dcd481

SHA512
27327aaf1a505b57bf8e166e3dd80dc16595481cae517c9064c58d94b389f6991083e5efa9f33d77c55ad9656114e66dbb2553a1af72ada03a6784afced09e74

Download Submit
\Users\Admin\AppData\Local\Temp\ohpsgofvlg.exe

Filesize
10.4MB

MD5
dc1958e0420efee2d7f8ec654ead3f6c

SHA1
14f6598862d1a966a8658ae8dcb092335ffecc3e

SHA256
a4d15782276c0bb29ce60ab828a9801eb023b5451a514c43ba080a712e23dc20

SHA512
c072d18d6fd823834169852f0235ffd87c62e91ebace01d3703d1bc0ce8964d5dd0e1984fcf6b6ec4a2f473096a5e8ff7ca50fc1d5e11e80a7ec8e04057adcfd

Download Submit
\Users\Admin\AppData\Local\Temp\ugnqnffnsd.exe

Filesize
10.4MB

MD5
167827eaa39008619f1df2194c4fcc58

SHA1
58837ad735f34da3b88fc78c7021f78ce04d79a0

SHA256
02d31d96c04b8540889196c035658f6da23a09eaa5ddae1bfc856c4057e0791f

SHA512
0c86e4231ae65dae0f0e51d13c7455e4812f7b3ce661bedfb7660862467a022cbaea8b03757a1082b1c082a49ea84cedf846425b8a1c4ef17b783fb19522db25

Download Submit
memory/804-23-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/804-24-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/804-21-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1108-91-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1948-70-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1948-73-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/1948-72-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2140-6-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2140-57-0x00000000005D7000-0x0000000000C65000-memory.dmp

Filesize
6.6MB

Download
memory/2140-5-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2140-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2140-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2140-0-0x00000000005D7000-0x0000000000C65000-memory.dmp

Filesize
6.6MB

Download
memory/2140-51-0x00000000005D7000-0x0000000000C65000-memory.dmp

Filesize
6.6MB

Download
memory/2288-15-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2288-13-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2288-7-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2384-83-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2384-80-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2384-82-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2760-32-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2844-60-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2844-62-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2844-63-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2900-50-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/2932-42-0x0000000000400000-0x0000000000E90000-memory.dmp

Filesize
10.6MB

Download
memory/3012-100-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download