8752f7253a458fbd4108ea7795fc184e0bef73f16889693f5f63daad46516715

Analysis

max time kernel
93s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2024 01:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8752f7253a458fbd4108ea7795fc184e0bef73f16889693f5f63daad46516715.exe
Size

448KB
MD5

f036661c2cb817454eeaf7454f4998fd
SHA1

81f0c1bd132fe070aa1029d4b2ad35e2f358cfff
SHA256

8752f7253a458fbd4108ea7795fc184e0bef73f16889693f5f63daad46516715
SHA512

ac165d58de05be277967b5dad4b20c9982df69b769fcbe093311e5c33365dc7ced8041daef62935ece525b17df3b366fee0539720c2a97dc8a8169383b865798
SSDEEP

6144:/X9/4SxPCth3AxiLUmKyIxLDXXoq9FJZCUmKyIxL:Vg4PC/w832XXf9Do3

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Mmpijp32.exeNnlhfn32.exeCmiflbel.exeNgdmod32.exeNcbknfed.exeNepgjaeg.exeNfjjppmm.exeAcnlgp32.exeMdhdajea.exeMlefklpj.exeNckndeni.exeOflgep32.exeKplpjn32.exeMpoefk32.exeNeeqea32.exeLingibiq.exeCfpnph32.exeBffkij32.exeCjpckf32.exeLekehdgp.exeNcdgcf32.exeBganhm32.exeNgbpidjh.exeOponmilc.exeDaekdooc.exeLbdolh32.exeLgokmgjm.exeMlopkm32.exeNphhmj32.exeCjmgfgdf.exeNebdoa32.exeNlaegk32.exeAcqimo32.exeCdabcm32.exeMdckfk32.exeMckemg32.exeNgpccdlj.exeNpfkgjdn.exeAminee32.exeCeckcp32.exe8752f7253a458fbd4108ea7795fc184e0bef73f16889693f5f63daad46516715.exeMbfkbhpa.exePggbkagp.exeDgbdlf32.exeLmiciaaj.exeMlhbal32.exeNpmagine.exeNilcjp32.exeNljofl32.exeBcoenmao.exeKdeoemeg.exeLdleel32.exeOlfobjbg.exeCnnlaehj.exeNloiakho.exeOdkjng32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mmpijp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngdmod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nepgjaeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfjjppmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdhdajea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlefklpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kplpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpoefk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Neeqea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lingibiq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lekehdgp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbdolh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgokmgjm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlopkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nlaegk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdckfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mckemg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdhdajea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npfkgjdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	8752f7253a458fbd4108ea7795fc184e0bef73f16889693f5f63daad46516715.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgokmgjm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbfkbhpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmiciaaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlhbal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npmagine.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nilcjp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nljofl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdeoemeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldleel32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmpijp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odkjng32.exe

Executes dropped EXE 64 IoCs

Processes:

Kdeoemeg.exeKlqcioba.exeKplpjn32.exeLekehdgp.exeLlemdo32.exeLdleel32.exeLfkaag32.exeLiimncmf.exeLlgjjnlj.exeLdoaklml.exeLgmngglp.exeLepncd32.exeLmgfda32.exeLljfpnjg.exeLdanqkki.exeLbdolh32.exeLgokmgjm.exeLingibiq.exeLmiciaaj.exeLllcen32.exeMdckfk32.exeMbfkbhpa.exeMgagbf32.exeMipcob32.exeMmlpoqpg.exeMlopkm32.exeMdehlk32.exeMibpda32.exeMmnldp32.exeMplhql32.exeMdhdajea.exeMckemg32.exeMgfqmfde.exeMiemjaci.exeMmpijp32.exeMlcifmbl.exeMpoefk32.exeMcmabg32.exeMgimcebb.exeMelnob32.exeMigjoaaf.exeMlefklpj.exeMpablkhc.exeMdmnlj32.exeMgkjhe32.exeMenjdbgj.exeMnebeogl.exeMlhbal32.exeNpcoakfp.exeNcbknfed.exeNgmgne32.exeNepgjaeg.exeNilcjp32.exeNljofl32.exeNpfkgjdn.exeNcdgcf32.exeNgpccdlj.exeNebdoa32.exeNnjlpo32.exeNlmllkja.exeNphhmj32.exeNcfdie32.exeNgbpidjh.exeNeeqea32.exe

pid	process
4908	Kdeoemeg.exe
4524	Klqcioba.exe
3116	Kplpjn32.exe
1472	Lekehdgp.exe
3540	Llemdo32.exe
3424	Ldleel32.exe
3292	Lfkaag32.exe
1072	Liimncmf.exe
4604	Llgjjnlj.exe
784	Ldoaklml.exe
4284	Lgmngglp.exe
1984	Lepncd32.exe
2548	Lmgfda32.exe
844	Lljfpnjg.exe
1440	Ldanqkki.exe
4012	Lbdolh32.exe
3444	Lgokmgjm.exe
4300	Lingibiq.exe
1464	Lmiciaaj.exe
5056	Lllcen32.exe
1952	Mdckfk32.exe
3880	Mbfkbhpa.exe
2168	Mgagbf32.exe
4872	Mipcob32.exe
3984	Mmlpoqpg.exe
3520	Mlopkm32.exe
4476	Mdehlk32.exe
2096	Mibpda32.exe
3384	Mmnldp32.exe
1820	Mplhql32.exe
1612	Mdhdajea.exe
2728	Mckemg32.exe
3012	Mgfqmfde.exe
1700	Miemjaci.exe
4940	Mmpijp32.exe
8	Mlcifmbl.exe
2432	Mpoefk32.exe
1168	Mcmabg32.exe
4280	Mgimcebb.exe
4488	Melnob32.exe
4360	Migjoaaf.exe
4812	Mlefklpj.exe
448	Mpablkhc.exe
5088	Mdmnlj32.exe
316	Mgkjhe32.exe
540	Menjdbgj.exe
1580	Mnebeogl.exe
3004	Mlhbal32.exe
1904	Npcoakfp.exe
1588	Ncbknfed.exe
1220	Ngmgne32.exe
1792	Nepgjaeg.exe
1188	Nilcjp32.exe
1208	Nljofl32.exe
2008	Npfkgjdn.exe
3332	Ncdgcf32.exe
5016	Ngpccdlj.exe
4744	Nebdoa32.exe
4568	Nnjlpo32.exe
4032	Nlmllkja.exe
864	Nphhmj32.exe
2712	Ncfdie32.exe
4460	Ngbpidjh.exe
2368	Neeqea32.exe

Drops file in System32 directory 64 IoCs

Processes:

Kplpjn32.exeLepncd32.exeLingibiq.exeNpfkgjdn.exeNlaegk32.exeMbfkbhpa.exeMdmnlj32.exeMgkjhe32.exeCeqnmpfo.exePdmpje32.exeBnhjohkb.exeLdoaklml.exeMibpda32.exeMenjdbgj.exeNljofl32.exeNcfdie32.exeCdabcm32.exeKdeoemeg.exeLljfpnjg.exeLfkaag32.exeBjddphlq.exeMigjoaaf.exeNcbknfed.exeNpjebj32.exeAcnlgp32.exeCabfga32.exeLmiciaaj.exeMgagbf32.exeMlopkm32.exeOflgep32.exeCfpnph32.exeDdonekbl.exeNeeqea32.exeNggjdc32.exeKlqcioba.exeAcqimo32.exeCnnlaehj.exeDaekdooc.exeLekehdgp.exeLdanqkki.exeMipcob32.exeOponmilc.exeOgkcpbam.exeBmngqdpj.exeLlemdo32.exeMmlpoqpg.exeNgmgne32.exeNlmllkja.exeNfgmjqop.exeCeckcp32.exePcijeb32.exeQnhahj32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Lekehdgp.exe	Kplpjn32.exe
File opened for modification	C:\Windows\SysWOW64\Lmgfda32.exe	Lepncd32.exe
File created	C:\Windows\SysWOW64\Lmiciaaj.exe	Lingibiq.exe
File created	C:\Windows\SysWOW64\Dapgdeib.dll	Npfkgjdn.exe
File opened for modification	C:\Windows\SysWOW64\Npmagine.exe	Nlaegk32.exe
File created	C:\Windows\SysWOW64\Mgagbf32.exe	Mbfkbhpa.exe
File opened for modification	C:\Windows\SysWOW64\Mgkjhe32.exe	Mdmnlj32.exe
File opened for modification	C:\Windows\SysWOW64\Menjdbgj.exe	Mgkjhe32.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Odaoecld.dll	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bnhjohkb.exe
File opened for modification	C:\Windows\SysWOW64\Lgmngglp.exe	Ldoaklml.exe
File opened for modification	C:\Windows\SysWOW64\Mmnldp32.exe	Mibpda32.exe
File created	C:\Windows\SysWOW64\Mgkjhe32.exe	Mdmnlj32.exe
File created	C:\Windows\SysWOW64\Lemphdgj.dll	Menjdbgj.exe
File created	C:\Windows\SysWOW64\Codqon32.dll	Nljofl32.exe
File created	C:\Windows\SysWOW64\Coffpf32.dll	Ncfdie32.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Okokppbk.dll	Kdeoemeg.exe
File created	C:\Windows\SysWOW64\Ldanqkki.exe	Lljfpnjg.exe
File opened for modification	C:\Windows\SysWOW64\Liimncmf.exe	Lfkaag32.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Mlefklpj.exe	Migjoaaf.exe
File created	C:\Windows\SysWOW64\Agocgbni.dll	Ncbknfed.exe
File created	C:\Windows\SysWOW64\Hddeok32.dll	Npjebj32.exe
File created	C:\Windows\SysWOW64\Amgapeea.exe	Acnlgp32.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Lllcen32.exe	Lmiciaaj.exe
File opened for modification	C:\Windows\SysWOW64\Mipcob32.exe	Mgagbf32.exe
File created	C:\Windows\SysWOW64\Blleba32.dll	Mlopkm32.exe
File created	C:\Windows\SysWOW64\Ojgbfocc.exe	Oflgep32.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Nnlhfn32.exe	Neeqea32.exe
File created	C:\Windows\SysWOW64\Nfjjppmm.exe	Nggjdc32.exe
File opened for modification	C:\Windows\SysWOW64\Kplpjn32.exe	Klqcioba.exe
File created	C:\Windows\SysWOW64\Nhgfglco.dll	Lljfpnjg.exe
File created	C:\Windows\SysWOW64\Mdehlk32.exe	Mlopkm32.exe
File created	C:\Windows\SysWOW64\Mmnldp32.exe	Mibpda32.exe
File opened for modification	C:\Windows\SysWOW64\Npfkgjdn.exe	Nljofl32.exe
File opened for modification	C:\Windows\SysWOW64\Ngbpidjh.exe	Ncfdie32.exe
File opened for modification	C:\Windows\SysWOW64\Aminee32.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Llemdo32.exe	Lekehdgp.exe
File created	C:\Windows\SysWOW64\Deimfpda.dll	Ldanqkki.exe
File created	C:\Windows\SysWOW64\Bnecbhin.dll	Mipcob32.exe
File created	C:\Windows\SysWOW64\Npmagine.exe	Nlaegk32.exe
File created	C:\Windows\SysWOW64\Odkjng32.exe	Oponmilc.exe
File opened for modification	C:\Windows\SysWOW64\Ojjolnaq.exe	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Efhaoapj.dll	Llemdo32.exe
File created	C:\Windows\SysWOW64\Mlopkm32.exe	Mmlpoqpg.exe
File created	C:\Windows\SysWOW64\Nepgjaeg.exe	Ngmgne32.exe
File opened for modification	C:\Windows\SysWOW64\Nphhmj32.exe	Nlmllkja.exe
File created	C:\Windows\SysWOW64\Nnneknob.exe	Nfgmjqop.exe
File created	C:\Windows\SysWOW64\Gcgnkd32.dll	Nlaegk32.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Pdifoehl.exe	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Qqfmde32.exe	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Eiecmmbf.dll	Kplpjn32.exe
File opened for modification	C:\Windows\SysWOW64\Mgagbf32.exe	Mbfkbhpa.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5980 5900 WerFault.exe Dmllipeg.exe

pid	pid_target	process	target process
5980	5900	WerFault.exe	Dmllipeg.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Ldleel32.exeMbfkbhpa.exeLlemdo32.exeLlgjjnlj.exeLbdolh32.exeNcianepl.exeMibpda32.exeMiemjaci.exeMlcifmbl.exeBcoenmao.exeCjmgfgdf.exePcbmka32.exeCjpckf32.exeLgokmgjm.exeMelnob32.exeMenjdbgj.exeNgmgne32.exeNgbpidjh.exeOflgep32.exeLfkaag32.exeLgmngglp.exeMckemg32.exeMgimcebb.exeNpcoakfp.exeNpjebj32.exeMpoefk32.exeOjgbfocc.exeChcddk32.exeCnnlaehj.exeLepncd32.exeNljofl32.exeNpfkgjdn.exeNfgmjqop.exePdmpje32.exeKlqcioba.exeLdoaklml.exeNjefqo32.exeOlfobjbg.exeDgbdlf32.exeKplpjn32.exePdifoehl.exeCajlhqjp.exeDmcibama.exeDmefhako.exeLekehdgp.exeMgagbf32.exeMdehlk32.exeBnhjohkb.exeLiimncmf.exeLmiciaaj.exeMcmabg32.exePmfhig32.exeBfhhoi32.exeDmllipeg.exeBffkij32.exeCdabcm32.exeLdanqkki.exeMmlpoqpg.exeMdhdajea.exeNilcjp32.exeOdkjng32.exeBganhm32.exeCfpnph32.exeMnebeogl.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldleel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbfkbhpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llemdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llgjjnlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbdolh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mibpda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miemjaci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlcifmbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgokmgjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Melnob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Menjdbgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngmgne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngbpidjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfkaag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgmngglp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mckemg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgimcebb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npcoakfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpoefk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepncd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nljofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npfkgjdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klqcioba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldoaklml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kplpjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lekehdgp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgagbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdehlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liimncmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmiciaaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcmabg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldanqkki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmlpoqpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdhdajea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilcjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odkjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnebeogl.exe

Modifies registry class 64 IoCs

Processes:

Ceckcp32.exeNgpccdlj.exeBfhhoi32.exeBcoenmao.exeNpmagine.exeNfjjppmm.exeNjefqo32.exeOdkjng32.exeMdhdajea.exeMdmnlj32.exeMnebeogl.exeQqfmde32.exeCabfga32.exeCfpnph32.exeDeokon32.exeNgmgne32.exeNckndeni.exeNeeqea32.exeNggjdc32.exeAmgapeea.exeBganhm32.exeBfkedibe.exeNljofl32.exeNcdgcf32.exeNphhmj32.exeOflgep32.exePggbkagp.exeLgokmgjm.exeLllcen32.exeMlopkm32.exeMckemg32.exeNilcjp32.exeKlqcioba.exeLlgjjnlj.exeLmgfda32.exePcijeb32.exeAcqimo32.exeNcianepl.exeCdabcm32.exeCajlhqjp.exeMlhbal32.exePdifoehl.exeMbfkbhpa.exeMmlpoqpg.exeMlcifmbl.exeBjddphlq.exeKdeoemeg.exeMlefklpj.exeOgifjcdp.exeMplhql32.exeNlaegk32.exeAcnlgp32.exeBnhjohkb.exeDhfajjoj.exeMmpijp32.exeMgimcebb.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfmccd32.dll"	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdeflhhf.dll"	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djoeni32.dll"	Odkjng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdhdajea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maghgl32.dll"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Neeqea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codqon32.dll"	Nljofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcmjaol.dll"	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfcej32.dll"	Lgokmgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lllcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mlopkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfelggh.dll"	Mckemg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Klqcioba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Llgjjnlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lmgfda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkbljp32.dll"	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogibpb32.dll"	Lmgfda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnjknp32.dll"	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mbfkbhpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijfjal32.dll"	Mmlpoqpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfenmm32.dll"	Mlcifmbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdeoemeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mlefklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdjlic32.dll"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aihbcp32.dll"	Mplhql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdhdajea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nfjjppmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdlbjng.dll"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eghpcp32.dll"	Mgimcebb.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8752f7253a458fbd4108ea7795fc184e0bef73f16889693f5f63daad46516715.exeKdeoemeg.exeKlqcioba.exeKplpjn32.exeLekehdgp.exeLlemdo32.exeLdleel32.exeLfkaag32.exeLiimncmf.exeLlgjjnlj.exeLdoaklml.exeLgmngglp.exeLepncd32.exeLmgfda32.exeLljfpnjg.exeLdanqkki.exeLbdolh32.exeLgokmgjm.exeLingibiq.exeLmiciaaj.exeLllcen32.exeMdckfk32.exe

description	pid	process	target process
PID 2332 wrote to memory of 4908	2332	8752f7253a458fbd4108ea7795fc184e0bef73f16889693f5f63daad46516715.exe	Kdeoemeg.exe
PID 2332 wrote to memory of 4908	2332	8752f7253a458fbd4108ea7795fc184e0bef73f16889693f5f63daad46516715.exe	Kdeoemeg.exe
PID 2332 wrote to memory of 4908	2332	8752f7253a458fbd4108ea7795fc184e0bef73f16889693f5f63daad46516715.exe	Kdeoemeg.exe
PID 4908 wrote to memory of 4524	4908	Kdeoemeg.exe	Klqcioba.exe
PID 4908 wrote to memory of 4524	4908	Kdeoemeg.exe	Klqcioba.exe
PID 4908 wrote to memory of 4524	4908	Kdeoemeg.exe	Klqcioba.exe
PID 4524 wrote to memory of 3116	4524	Klqcioba.exe	Kplpjn32.exe
PID 4524 wrote to memory of 3116	4524	Klqcioba.exe	Kplpjn32.exe
PID 4524 wrote to memory of 3116	4524	Klqcioba.exe	Kplpjn32.exe
PID 3116 wrote to memory of 1472	3116	Kplpjn32.exe	Lekehdgp.exe
PID 3116 wrote to memory of 1472	3116	Kplpjn32.exe	Lekehdgp.exe
PID 3116 wrote to memory of 1472	3116	Kplpjn32.exe	Lekehdgp.exe
PID 1472 wrote to memory of 3540	1472	Lekehdgp.exe	Llemdo32.exe
PID 1472 wrote to memory of 3540	1472	Lekehdgp.exe	Llemdo32.exe
PID 1472 wrote to memory of 3540	1472	Lekehdgp.exe	Llemdo32.exe
PID 3540 wrote to memory of 3424	3540	Llemdo32.exe	Ldleel32.exe
PID 3540 wrote to memory of 3424	3540	Llemdo32.exe	Ldleel32.exe
PID 3540 wrote to memory of 3424	3540	Llemdo32.exe	Ldleel32.exe
PID 3424 wrote to memory of 3292	3424	Ldleel32.exe	Lfkaag32.exe
PID 3424 wrote to memory of 3292	3424	Ldleel32.exe	Lfkaag32.exe
PID 3424 wrote to memory of 3292	3424	Ldleel32.exe	Lfkaag32.exe
PID 3292 wrote to memory of 1072	3292	Lfkaag32.exe	Liimncmf.exe
PID 3292 wrote to memory of 1072	3292	Lfkaag32.exe	Liimncmf.exe
PID 3292 wrote to memory of 1072	3292	Lfkaag32.exe	Liimncmf.exe
PID 1072 wrote to memory of 4604	1072	Liimncmf.exe	Llgjjnlj.exe
PID 1072 wrote to memory of 4604	1072	Liimncmf.exe	Llgjjnlj.exe
PID 1072 wrote to memory of 4604	1072	Liimncmf.exe	Llgjjnlj.exe
PID 4604 wrote to memory of 784	4604	Llgjjnlj.exe	Ldoaklml.exe
PID 4604 wrote to memory of 784	4604	Llgjjnlj.exe	Ldoaklml.exe
PID 4604 wrote to memory of 784	4604	Llgjjnlj.exe	Ldoaklml.exe
PID 784 wrote to memory of 4284	784	Ldoaklml.exe	Lgmngglp.exe
PID 784 wrote to memory of 4284	784	Ldoaklml.exe	Lgmngglp.exe
PID 784 wrote to memory of 4284	784	Ldoaklml.exe	Lgmngglp.exe
PID 4284 wrote to memory of 1984	4284	Lgmngglp.exe	Lepncd32.exe
PID 4284 wrote to memory of 1984	4284	Lgmngglp.exe	Lepncd32.exe
PID 4284 wrote to memory of 1984	4284	Lgmngglp.exe	Lepncd32.exe
PID 1984 wrote to memory of 2548	1984	Lepncd32.exe	Lmgfda32.exe
PID 1984 wrote to memory of 2548	1984	Lepncd32.exe	Lmgfda32.exe
PID 1984 wrote to memory of 2548	1984	Lepncd32.exe	Lmgfda32.exe
PID 2548 wrote to memory of 844	2548	Lmgfda32.exe	Lljfpnjg.exe
PID 2548 wrote to memory of 844	2548	Lmgfda32.exe	Lljfpnjg.exe
PID 2548 wrote to memory of 844	2548	Lmgfda32.exe	Lljfpnjg.exe
PID 844 wrote to memory of 1440	844	Lljfpnjg.exe	Ldanqkki.exe
PID 844 wrote to memory of 1440	844	Lljfpnjg.exe	Ldanqkki.exe
PID 844 wrote to memory of 1440	844	Lljfpnjg.exe	Ldanqkki.exe
PID 1440 wrote to memory of 4012	1440	Ldanqkki.exe	Lbdolh32.exe
PID 1440 wrote to memory of 4012	1440	Ldanqkki.exe	Lbdolh32.exe
PID 1440 wrote to memory of 4012	1440	Ldanqkki.exe	Lbdolh32.exe
PID 4012 wrote to memory of 3444	4012	Lbdolh32.exe	Lgokmgjm.exe
PID 4012 wrote to memory of 3444	4012	Lbdolh32.exe	Lgokmgjm.exe
PID 4012 wrote to memory of 3444	4012	Lbdolh32.exe	Lgokmgjm.exe
PID 3444 wrote to memory of 4300	3444	Lgokmgjm.exe	Lingibiq.exe
PID 3444 wrote to memory of 4300	3444	Lgokmgjm.exe	Lingibiq.exe
PID 3444 wrote to memory of 4300	3444	Lgokmgjm.exe	Lingibiq.exe
PID 4300 wrote to memory of 1464	4300	Lingibiq.exe	Lmiciaaj.exe
PID 4300 wrote to memory of 1464	4300	Lingibiq.exe	Lmiciaaj.exe
PID 4300 wrote to memory of 1464	4300	Lingibiq.exe	Lmiciaaj.exe
PID 1464 wrote to memory of 5056	1464	Lmiciaaj.exe	Lllcen32.exe
PID 1464 wrote to memory of 5056	1464	Lmiciaaj.exe	Lllcen32.exe
PID 1464 wrote to memory of 5056	1464	Lmiciaaj.exe	Lllcen32.exe
PID 5056 wrote to memory of 1952	5056	Lllcen32.exe	Mdckfk32.exe
PID 5056 wrote to memory of 1952	5056	Lllcen32.exe	Mdckfk32.exe
PID 5056 wrote to memory of 1952	5056	Lllcen32.exe	Mdckfk32.exe
PID 1952 wrote to memory of 3880	1952	Mdckfk32.exe	Mbfkbhpa.exe

C:\Users\Admin\AppData\Local\Temp\8752f7253a458fbd4108ea7795fc184e0bef73f16889693f5f63daad46516715.exe
"C:\Users\Admin\AppData\Local\Temp\8752f7253a458fbd4108ea7795fc184e0bef73f16889693f5f63daad46516715.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Windows\SysWOW64\Kdeoemeg.exe
  C:\Windows\system32\Kdeoemeg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4908
- - C:\Windows\SysWOW64\Klqcioba.exe
    C:\Windows\system32\Klqcioba.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4524
  - - C:\Windows\SysWOW64\Kplpjn32.exe
      C:\Windows\system32\Kplpjn32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3116
    - - C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1472
      - C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3540
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3424
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3292
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1072
        
        C:\Windows\SysWOW64\Llgjjnlj.exe
        
        C:\Windows\system32\Llgjjnlj.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:784
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4284
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:844
        
        C:\Windows\SysWOW64\Ldanqkki.exe
        
        C:\Windows\system32\Ldanqkki.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4012
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3444
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4300
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3880
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4872
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3984
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3520
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4476
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2096
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        30⤵
        Executes dropped EXE
        
        PID:3384
        
        C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1820
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2728
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        34⤵
        Executes dropped EXE
        
        PID:3012
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1700
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4940
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1168
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4280
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4488
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4360
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4812
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        44⤵
        Executes dropped EXE
        
        PID:448
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:316
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:540
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1904
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1588
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1220
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1792
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1188
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1208
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3332
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5016
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4744
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        60⤵
        Executes dropped EXE
        
        PID:4568
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4032
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:864
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2712
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4460
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3168
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3592
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3972
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        69⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4428
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1892
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        72⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1064
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3328
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3536
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3888
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3728
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        78⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3696
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        79⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3508
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4756
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        82⤵
        Modifies registry class
        
        PID:2360
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:1028
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2456
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        86⤵
        Drops file in System32 directory
        
        PID:2752
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        87⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3484
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        89⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1860
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2460
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        93⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        95⤵
        Drops file in System32 directory
        
        PID:4144
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        96⤵
        Modifies registry class
        
        PID:1060
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3964
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        98⤵
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1372
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        101⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2612
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2868
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        103⤵
        Drops file in System32 directory
        
        PID:3764
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4540
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        105⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3624
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        106⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        107⤵
        Modifies registry class
        
        PID:1164
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3264
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        109⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4432
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1768
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3260
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5156
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        113⤵
        Drops file in System32 directory
        
        PID:5188
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5228
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5316
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        117⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        118⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:5436
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5508
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        121⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        122⤵
        Modifies registry class
        
        PID:5608
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:5648
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:5688
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        125⤵
        Drops file in System32 directory
        
        PID:5728
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        126⤵
        Modifies registry class
        
        PID:5768
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5812
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5844
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        129⤵
        System Location Discovery: System Language Discovery
        
        PID:5900
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5900 -s 408
        130⤵
        Program crash
        
        PID:5980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5900 -ip 5900
1⤵
PID:5956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Amgapeea.exe

Filesize
448KB

MD5
4797b159bca9208521a30a687b0bf220

SHA1
3add1c43f5bbbda7b2adaf315e97827d6bb251f7

SHA256
eeed329398c68e97b1c6565c87d7e55f452d7b8d5654fba601c986fbde7a5b48

SHA512
350e250dc26a7d233f4bae409dadee22ce0cd4a299227f808f60a64b967b845b9c581781f5f6b7c3a5637aa0dcbad94ed0403106f0dce6fbd975296ccd4a77bb

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
448KB

MD5
930155532ed3bea076a2c979475e1875

SHA1
9fdd71661d3467c554d4a9d1e5f3496a9add9686

SHA256
568c7f54a8a06fba5cc4c00ca3f480d7de296f852bc96b9bcfe60d780584b9eb

SHA512
43f38f8c2a0434de5fefd0c5599b1cd583d49d0059642405b2bb1d69604a303e06cca5e4a4647f0e3004ca60f4873900757dafcff6890b8bc43ab20a84a39901

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
448KB

MD5
a07997ebc28036ff1904e76778b1cf15

SHA1
84e0e00d016168319c7e221a6e13ee5c014d9663

SHA256
aebc1d138a2e7b9307a2d655d3190240985e2f8f81ca285dbdc5a7f102c19b2b

SHA512
d30235aa57cf90bba5751e37a4ae8f0c522eaf0b6031aeb8569a276e9e1e4d6b5c0a206c24cd70aca315c53a70ecf960a01928e191e22802c93484ed2af6a8f6

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
448KB

MD5
1e494157a84a324c0d84d568c38a795d

SHA1
19161d0bd0fe3557766159912b999e0cb886d800

SHA256
df57853b18c340ab7026ae352447e839a49f72885e5b94b079d77ad265741d59

SHA512
8142acc7761674d61a4a663d3d26c84160ac85aff9af329a75ad783687a5bd36619b2a697384a8c38550a6209997f813b61aa61b9c94e6ea54a5cdbc8e9d5be5

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
448KB

MD5
93bb4c7b7ca973cf043215c66f39c51d

SHA1
857e77c6572957172d89f64f362fb13933fd999f

SHA256
b5bbb8381920af99149bc8a505258b2c898d3c8976dcd0fa1ca6bad4a509a9b0

SHA512
08898e4b1b548e36689c3a349c8a2f2bb921d540936aff0c5c7ba09745c7ceb09551e9345625493f93e3d83e872d9cd8a94a44758c39b7c85e4b79753c7ceef0

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
448KB

MD5
cd425e1a399bd3d9e58549d6074edd3d

SHA1
9e7ce3e316c0b8efda9d0250721cab3f0063793a

SHA256
1e597eeb19353009d684d3fbb1cd220155da625d83ebd760ea4081e4441eaf8c

SHA512
9b159ef0f63adeadfee3a6188bc688d35a5fa165fd41a16f68cb470085741416d91e65b155605017d71a516d63ce37590c608947f521474b31ef31c752b1afbe

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
448KB

MD5
86cfac851a180984e5f5b85a0b497f9e

SHA1
616ad5422d5994f7d6854146fbb9d520ead99ffe

SHA256
4270d80a3d2e49fdbce635fb9c0f804fd709f49336c0b93dc3847fb9b027ed12

SHA512
5ec0f1e615c35f16586b0ebd06c379e25a134383a79550dc0d452c6526fc9f07c2e17b68f46987fe2766dffc944c5cff86d332c3550eb7eddfe265cdb31fac21

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
448KB

MD5
3e82e1eb6106f40ccfcb2cf3052b85fa

SHA1
f0fa0b3c8ba3f213c7784c26b80ecb9eb7a2e058

SHA256
3a8adc7b56e9c1b023e7f80e184963b895d4a404a37a09be152ebf6271e0f42f

SHA512
9321b5e74cf413dcc30fcfddc5f7b7a7f4a3616b2894901ed67a63071ce28fbbd04d37181f4652603c5a451e741cbb1ebdfc2940229768d6846941436fb1016f

Download Submit
C:\Windows\SysWOW64\Gilnhifk.dll

Filesize
7KB

MD5
cce61817212ebc3a4e0555a4057fb172

SHA1
56861d14296010a713ce05ef6bc5099f1ea3a894

SHA256
3f87e8794924f5a5dbb37a2a513566e669b8ff8ebd814e7df712f65a71ccb4ca

SHA512
74203c9239a19096a5e3c0c13b6f498e773c727bced03973e96688ebc43a8c0af993d463cc0a7415d3ebeacb48758fb063f7acf9761f020ec8c4107e52ddca54

Download Submit
C:\Windows\SysWOW64\Kdeoemeg.exe

Filesize
448KB

MD5
54be7949c0f7a5683209518ba53f669b

SHA1
ecbedd7250ef73f40e2f07ed7978c4eea55683f4

SHA256
6fbae8c9e329ab995044e59165f6862cb4f9bbcaf9fec5f8f80cae7f66fcd636

SHA512
0fa69d490692c92c631b422b292fa7731585f6b20d9d382cde8c2ca753fe95a4d3a84bf6b9f65ce725df64fd0b5d42a0184708ae2eb39f605544ff51c1cf6a8d

Download Submit
C:\Windows\SysWOW64\Klqcioba.exe

Filesize
448KB

MD5
53aee6b65457546ea5d3e1c8fbaaad19

SHA1
e41da2d0de861bc232e74478038f8eebfdd9ad60

SHA256
32a8680f2968fa2ffa4391f6d778c1d8e9fa3cd267c1e304a3440033c726203d

SHA512
f88244b63bbdfbdfb4be13082adb9d69d4e742c5da4575f62ccf6ae767826068c7308f152a971dc8a76365bbc727a5185bb7889bf972e45116e2506dd6fb6310

Download Submit
C:\Windows\SysWOW64\Kplpjn32.exe

Filesize
448KB

MD5
66198a3f4546d45f0ddc5c3cba5001e8

SHA1
27ce556b32f6b8e99a378ee9ee0a9785eea2bb9e

SHA256
435959038fdde3164bdd693241d9108d3f83a2a6ce8d90cbe6612ba6e5b1bf67

SHA512
14c1f233a8458cf2dd51a319dbff2f5cecdc8ca08d8aba893862d5677443603f9564549b17c049b78ee1911513881d6a6b5f5c3d4fd05d700723775999a41cba

Download Submit
C:\Windows\SysWOW64\Lbdolh32.exe

Filesize
448KB

MD5
2f8476cc87fea5e7a27a9f18d2b69b6b

SHA1
e3c80fcd89e22e53f8a5625e1d6a7b8a27c93d95

SHA256
1859034d0308861b1bbc2d9098aa6643f2080d0c53a6ce285ec37cb14d61fcdc

SHA512
6ef27a7ac937f8f7db716e4453230d9470d557b58dff8b631d62279853a5da56863523cd944b3622f18ad1401a79117ff3a6c80d5a2e9c438c4f776671fcc07d

Download Submit
C:\Windows\SysWOW64\Ldanqkki.exe

Filesize
448KB

MD5
b11db5182ba72e268f72397422bfc19b

SHA1
d59e61c2a7eac5789e5e961806205e6a66b0c6aa

SHA256
9ec0b7e2b18c86d374b279f1b7821087a771894a29c8b819ebbdc174115dbe8e

SHA512
7c4dda39534b0dcf5f6b7948d362c8bc20be0cc91b574cee7b7ba718c7d31f14826cda2b8d3cc078a3560103f605c105dde10146b5fa864aeaf8e8ad21e4de95

Download Submit
C:\Windows\SysWOW64\Ldleel32.exe

Filesize
448KB

MD5
aae3a5d65695438757c9d045a6767d31

SHA1
43eae07236dc18c34012d73946f41c6304627468

SHA256
c203e095ea22cded671ab12dd464e2166f19f60358d891974ff96bbcc75db664

SHA512
451bffdd2abeba2449538b8f390775d33d06599e59d4be1d2607207d11ae5956264be0824625beebfa5e1ba8820680f0382549ef60476deea7b22c077c15acdf

Download Submit
C:\Windows\SysWOW64\Ldoaklml.exe

Filesize
448KB

MD5
cc5e01f08b8b12c66cb601587cc815bf

SHA1
3dbc16fc5c7f8e48ee4c06af39001f9576d3e948

SHA256
67c6bbc2d00404047b37fb39075651bf6937c373325f71aa425ed627ab5f3ebd

SHA512
535c2f0697d8fda2c2668d00b7d1688000ccad1cef1b1ad921b73281977eca7f562dd411fd87b3270d61673e012a8191a19302cd2642200c63611b7fde4a2bb7

Download Submit
C:\Windows\SysWOW64\Lekehdgp.exe

Filesize
448KB

MD5
bebd68d90db156025246e267d61a22c6

SHA1
6c8c34b0d42da6a3fc4cf9396cb61ac2d38d41b5

SHA256
d1b8efc2411552bfdf4d7fc36b8f9a6e4695b2bfe53d7f374e41dbdfdd331935

SHA512
c8b56484d88b47869e889269b537b683e0249cb8520a27041cac7104923e0ede2340bcbab3d7bbc885b80b3d28b11ca5d42a72fef832bddddb4e85865f49496b

Download Submit
C:\Windows\SysWOW64\Lepncd32.exe

Filesize
448KB

MD5
44835ebcca0b8ac81be9bed9db4d3bee

SHA1
0af8f29b64df2619ebfb0b9b879e94c331273232

SHA256
60a25fd27364b26ce8231a90e2808fc59148b4c4dfc883b759834b65c94198c8

SHA512
9ebd145db88e055bdbae0da208f1f523918d528b445eccf392d2f2f1e421e681bcd30cd1996e17feaf53d3710672dc2148cac979082b90b1691750b74b3d50d4

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe

Filesize
448KB

MD5
26f7c3184cbbf9271b0a60322909342f

SHA1
93eaf38f5162ab153f45583a2b477fee2214252e

SHA256
28514461a0cda90afd47e5fdeaa621d505bd8bec1a704b1db44c1df62a13434c

SHA512
5700e5fe9389bf1af134739c23ace644827da38eae9b00c181b465e3f9e13a72cb2c92ac73c11775c9c527b7c8f84e0a50d5be90b43a29cc5052c41ac9045fe3

Download Submit
C:\Windows\SysWOW64\Lgmngglp.exe

Filesize
448KB

MD5
016dfb78adbe7508ee7729612c267a55

SHA1
70c8bb9b19fb0397d445bc79d1d8bffdfb2605d8

SHA256
8b4581542adfbb839fffa5e7edfc57ed28a04cc7a89d9012cb13c782ded41bce

SHA512
947ae95bb0a370cb69c745bf20e0b8399031feaa2bc78691578a0f8455e3d5a7be945a1d92fc32b4b729328e346d57ce14961827fa08219a213250341e78c63b

Download Submit
C:\Windows\SysWOW64\Lgokmgjm.exe

Filesize
448KB

MD5
01bcf05072fb8f8c38ff606562d479cf

SHA1
9f902e71eb978c746c9df9ff82c31f6a95ca3c7f

SHA256
fa00c056a60b46587bc67ef5e4533ebb3990bcae434b9fbf85d260dad5ab2c27

SHA512
b73f394bce273ebca30e4e943dfd68b66111aac84d8d612d8dc2ca79d8772fc7467d94d8da669537979415352cecfaac43297b18a54a6c2809a53667e682241c

Download Submit
C:\Windows\SysWOW64\Liimncmf.exe

Filesize
448KB

MD5
962ac9eb5d05ee6700f00b7b9ac27cd1

SHA1
cebff0a90c3f16f0345b1a6a32a07d3c333e4d32

SHA256
527a1a12228544e9917b592a237410d5c3a373c8ac4f1dbd7af8a633dd14eacc

SHA512
13b1f40b023854e19186af4eaa935af4ece3db2a20710f81bf80d52a0a611587b781e592f8acf080d939ec0e8ea23ea0a0201c246e2cead647296ad972ef8181

Download Submit
C:\Windows\SysWOW64\Lingibiq.exe

Filesize
448KB

MD5
7086fd7efca4fcc07e48a80f7b6863b8

SHA1
4061372e95a2f79cb833f0503de93b30170a419d

SHA256
0a59a09a20f8e0b4c3d91bf72693d41893c1348954d2ca3f37a665976479c461

SHA512
71a8b6254cded3408387a798f260a30d8d80d729d282a6a8806227a73ce7131dbbf4c83c1d012acdf6ee39a0316b51588db306c5edf3cb88c067c35b3a3d08f9

Download Submit
C:\Windows\SysWOW64\Llemdo32.exe

Filesize
448KB

MD5
0736560f9a39255bcb8b72a78fc31c86

SHA1
e2802bf412eb200319a5ee3af4b5f6c38fc71cae

SHA256
74927fe2c17d730122f73b26e6aea62b6cd6533bd9c44cc20bbb784c4e315e8a

SHA512
97d1dd9d796d0aa364cb06bd13ea6e168a8b19a0db74f8168dbe4937d77090438812d2a9f63ae56c13d8f9fa32b678728b38e7a6f2fa4adfb33098e92434303e

Download Submit
C:\Windows\SysWOW64\Llgjjnlj.exe

Filesize
448KB

MD5
75d0da86474da4e5c42d543c5a6ea1a7

SHA1
ae3ba3e87650a838bf4d6c85232ddabb6fd41a9d

SHA256
65f4ea03ac5d745a7c65a5e280677d35a3a41bbea5084e40b53ea829aaef39b1

SHA512
f384f5c34d48ce6e7351999a5e2862abd912aed5cc1f338bd33bab70c9f821cec3acf1b879662f9d6557972cd14e999a3e00332814b70316c2583ec5e99b26bd

Download Submit
C:\Windows\SysWOW64\Lljfpnjg.exe

Filesize
448KB

MD5
3e224c3865aa9310f1672a2f32a9b349

SHA1
3c80a15a9562df6ab8a7c07c3354d9cbcc8dac68

SHA256
cbf36ad9840c9ec26f6a7b6b59c675e4a9fbcdd2a8266a6a540f87248d356c98

SHA512
3e3f2610a05b1a8173b0215052e406632a025d65f876d7bae196aefe76328449d56ea51ea426eea22215ff17d094549d4f6dc29e60480a19575d92f0ff38d937

Download Submit
C:\Windows\SysWOW64\Lllcen32.exe

Filesize
448KB

MD5
ace692e3a7ed3047fbfa886869843244

SHA1
6cefed053e757b4bac13008c02189e34d2c647e7

SHA256
6811df185bc9f27337f74ca890c4aa6d63af62c6491cc42e8215e1a22033e61c

SHA512
bdb024fcc6fd0407e75353004cf3164dc49aa190b8d6cb864761eb49b1ca9ecc4326ed99d741eb3c75c4fbc2735159ff63dad2b9f32ba564adca280636892d8b

Download Submit
C:\Windows\SysWOW64\Lmgfda32.exe

Filesize
448KB

MD5
3a19f5482ed6e76b73d071f532b8e2aa

SHA1
7383fa2a90053751d776b6ccdccfccb92da850ee

SHA256
3ae801ca53719643c4f3e9e58eb7d378838ab20280b67bb993d3cb88a6b94abc

SHA512
db3e4e0ce18aa8d9935afbf55bd59061f2f0eefe87615b0a5a995574d227d7e03376cb31ae9bc71877670cfad5f71c942d896b149a036216b0b505dea0097e1f

Download Submit
C:\Windows\SysWOW64\Lmiciaaj.exe

Filesize
448KB

MD5
b2be19ca7f33b26b651d30b7a9bb8093

SHA1
88720aae2330c611f8c7190122292baa887d58b1

SHA256
3d2131279977751bc3b91228940ccc4eeb1bf890eb555e1f8e8dd6982b2faf91

SHA512
931c2bc21bd539dd089270640d0c3ad46ef1b1c65f26197ff35bff177660d69aedc61e5c26b1684a79a711e4463a7f5c0b773b342af6290ba65ee5f77523d6cf

Download Submit
C:\Windows\SysWOW64\Mbfkbhpa.exe

Filesize
448KB

MD5
b648a9e796914cf7d4fdf10eab4d9181

SHA1
3f6166e5e315ce15a6d634344368239123e8f5bd

SHA256
5b9b2ed8bcab00eaa61225b457525841bcf376d2e84b1b7078f980929bb24337

SHA512
86a11deb8c81055fa4357cb414ed4da1e02c35c1966f2aacc015b4138e79100035511abbf25b5a5823730332c0a8ddca07c5bd16e5514847662fc4f98b24eff6

Download Submit
C:\Windows\SysWOW64\Mckemg32.exe

Filesize
448KB

MD5
b3ff749fc4cef1795f02f1fffda461d6

SHA1
3e40d511d5108320941a9ee7c578a904af035cd8

SHA256
9d2dca856dfa5200800e563e563af0fa62107a97e8ed7ec4eb48737fb992fa53

SHA512
929186a3042c5932413a05a2c46e58a1735c279d7dd2806facf023369c083857f458b4b06bc72b58f0194ff0cd4d1f584110ea50c12df985591feace8e229373

Download Submit
C:\Windows\SysWOW64\Mdckfk32.exe

Filesize
448KB

MD5
b893cc69e8afd80005226903be7b3b78

SHA1
2f1a603d7b9ed8d69bf1d34efae02f19061764d0

SHA256
7e19cfef89d15c9e7a8d0bb0a7d936d543ecba483743ea95e10e324aaae9cc06

SHA512
b5dbef767fbead1fb24e1e932ccd5ef40f3a3711caf7862b807daaec9741a9a4843b5e6afb1ae943877b00f73e670ee00b8032cbf54d68e797956a118c640b21

Download Submit
C:\Windows\SysWOW64\Mdehlk32.exe

Filesize
448KB

MD5
d1bfa4de2269546083b34b499d8dcff2

SHA1
319c98dc54626cdbb675811fc826d120da03fe0b

SHA256
bd24c897eeea3e7f068f28fedc8d435fd9aaed1197918bffb752bdce04874637

SHA512
60bb590ca55d37d43ef60f5e1313099ceb5b3d3a302a678d72ca2e5036bd539417721271306a576b82c1e94b33a9e22878af5a8d45ebdce4f3dc866a2d417d51

Download Submit
C:\Windows\SysWOW64\Mdhdajea.exe

Filesize
448KB

MD5
08b0afa3f3199c3ed07a6123670b0c15

SHA1
c2e018360bcfa476a6a28eb3385382e2874acadd

SHA256
591e603404cf363476903aee834d9636c8f85e9c9c36261b3f1dd95dd704dde7

SHA512
73e08929d32bdda169954cf7a0a926d4ce058229a43e210fb5f67ff64a82b804bb855c26644084192a1eab5c6e43cc8c60c2e3405898ab164d86a371bb806640

Download Submit
C:\Windows\SysWOW64\Mgagbf32.exe

Filesize
448KB

MD5
90354bc9f7f2cfc2553c052782023b5f

SHA1
8474c0e07875ee9de428ba545f7e064ce725aa27

SHA256
28b5366c3cce804e8bf8059cbadf4e16e82597bc8f9a5bb01b49f76c4f528cd3

SHA512
b6be51f14aa1ef0d6b231c439cd3200dbf8bc06c7ba5907ed7fecd9b3cc1aa18bbc131f2947828b67e65d5d8be7ac49cba9164e615b88d9e77b69e672b20b69c

Download Submit
C:\Windows\SysWOW64\Mibpda32.exe

Filesize
448KB

MD5
7d68026b6b038e89bc354265ad603b49

SHA1
b4917b61d461ebccc250f82544cbf56b46f6b191

SHA256
fa0e14134df9e6ed124a9d56ecb4b39830afb2fea7f7fa78eec642e346fa40fd

SHA512
3e0a8ef073cea94476a18db51a37376235549a211eef919cf81f92e5fa31bf9f8d41c2e008d519a367b353b08d3899cd05f1ba3fdec7570e87fb44ba430b09bd

Download Submit
C:\Windows\SysWOW64\Mipcob32.exe

Filesize
448KB

MD5
42dbfd4201d84baf81acde8aa9bbbb6f

SHA1
07e1a4995f95fa6c091ccf8ada52e0925b8b8baa

SHA256
ca9cf9f843b807fd857d099ecf9fb97df5c6b165f7b1dcd25829f767329076b2

SHA512
f7e57d30302d18600f97ded086a5e91a31f3a1b26f96e7bf6600e4dfbeb0e54a6e657dc391d2e85891fa459407ec23aa56ff2d5fc9e547b0993e7b75cbc09a94

Download Submit
C:\Windows\SysWOW64\Mlopkm32.exe

Filesize
448KB

MD5
f0c36c28d41dee9dfed12795551dd566

SHA1
2f0b4d696ba4f6c3e4710a8f656cd3213a6bfa1c

SHA256
35a2f25e4fc15ff2c5d8ad73667356c4273fc28d9b03162e942deb496f951e11

SHA512
0ce0062146aec3934fdda4747e6760bfd67f13cbfcfb56144c65960086e7e2f88e1a165015d99e18c70ea0828b23872f8804ee7c772211b0d6fdd1c0c42b0cef

Download Submit
C:\Windows\SysWOW64\Mmlpoqpg.exe

Filesize
448KB

MD5
115680e6b1599637a759ba1f4b0180dd

SHA1
d158e1469c5bfdda108e8f7b9a36815d03ad1762

SHA256
6e5f41d0357fe3cac5765f17639b4b14ebf69409bfca6283c2bdba31c247c4f5

SHA512
770e44002848ad7b8a311d56440eb1d18415123045f8459007c9af6e204f204ee0fd7a70b99665d761350fd3378c10224ce5f3c40b98b24ae31fcac96a0bc011

Download Submit
C:\Windows\SysWOW64\Mmnldp32.exe

Filesize
448KB

MD5
d34f99bd7b670e89e80360686970fbf3

SHA1
ae07609a3b33df7d5f6a7bef3789a303a9811df4

SHA256
dcf439191f2b7765a71b8a43bd07766e9f5f8e5ae4e2fa8134f3490a0a89e4d3

SHA512
5b6106fc13da8f5178ba35b3075decc39a402ab16ed3506090b3f2dee65cece692f9471180dcbd50133fec8c20fe579ede8ddec634aecb5cbe1dd0e9e55704eb

Download Submit
C:\Windows\SysWOW64\Mplhql32.exe

Filesize
448KB

MD5
efbc44b8917c5a874cf6e679edaa527c

SHA1
595ecd7e5462ab6e7635762f37fa6442be285887

SHA256
a8cf21235e6508d1965e54384d6ac7ca11de0166a25e70d691ae5e4a619e9a3b

SHA512
20d6dd815f06f5b51589c127ff54444aea098a24ffd45491228aeeee289d298a898921e77fff06d8f5b85b15e13d7f8bf7fc2e458bc8e244124dd679c92b5472

Download Submit
memory/316-532-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/540-533-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/784-488-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/844-496-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1060-592-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1072-487-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1164-658-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1188-540-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1208-541-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1220-538-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1372-616-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1440-497-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1464-502-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1472-31-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1564-652-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1588-537-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1612-517-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1700-976-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1768-675-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1792-539-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1820-516-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1860-556-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1904-536-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1952-504-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1984-490-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2008-542-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2052-578-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2096-510-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2168-505-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2332-0-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2460-568-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2528-562-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2548-491-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2612-622-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2868-628-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2892-580-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2900-555-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3004-535-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3116-23-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3260-681-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3264-664-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3292-56-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3332-543-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3384-511-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3424-1031-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3424-48-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3444-500-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3484-544-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3520-508-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3540-40-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3624-646-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3764-634-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3964-598-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3984-507-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4012-1012-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4012-498-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4032-924-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4144-586-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4280-524-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4284-489-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4300-501-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4468-610-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4476-509-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4488-525-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4524-18-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4540-640-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4836-604-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4872-506-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4908-7-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4940-519-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/5056-503-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/5088-956-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/5088-531-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/5156-691-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/5228-698-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/5272-704-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/5316-710-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/5360-720-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/5360-812-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/5404-726-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/5404-810-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/5436-728-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/5436-808-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/5508-806-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/5548-739-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/5548-804-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/5608-745-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/5608-802-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/5648-751-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/5688-757-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/5688-799-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/5728-797-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/5728-763-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/5768-794-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/5768-795-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/5768-769-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/5812-793-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/5812-779-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/5844-791-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/5844-781-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/5900-789-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/5900-787-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download