d04e065f7446836bcbb3999cbedbccc670bfb1f9ed91dbf054b378d6ddfd9e6a

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2024 04:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d04e065f7446836bcbb3999cbedbccc670bfb1f9ed91dbf054b378d6ddfd9e6a.exe
Size

320KB
MD5

9a69844d550130d44fac9c8db5310943
SHA1

0ec7a64a30a0dff2444745e0646ccc77db583bc0
SHA256

d04e065f7446836bcbb3999cbedbccc670bfb1f9ed91dbf054b378d6ddfd9e6a
SHA512

e519b53e5f88e8bffc0506447afcb578a112be0045cc6c5720634f68b2b551086cfbebcf5786430c68b69e48ff322c0e54917f3ba2318d8e48d472fd1a460397
SSDEEP

3072:EMdJ+OeAVhary8/41QUUZm8/41QrAoUZ4pWLB51jozFWLBggS2LHqN:EvdA+hZgZ0Wd/OWdPS2L8

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Qnjnnj32.exeBfdodjhm.exeBmpcfdmg.exeCnkplejl.exeNcdgcf32.exeNlaegk32.exeOqfdnhfk.exePjmehkqk.exeDogogcpo.exeDaekdooc.exeAglemn32.exeDopigd32.exeMiemjaci.exeMgimcebb.exePfhfan32.exePncgmkmj.exeMmlpoqpg.exeBmemac32.exeDodbbdbb.exeAndqdh32.exeDaqbip32.exeLfhdlh32.exeMlampmdo.exeOjjolnaq.exeAjckij32.exePgllfp32.exeAeiofcji.exeBgehcmmm.exeCnffqf32.exeDdakjkqi.exed04e065f7446836bcbb3999cbedbccc670bfb1f9ed91dbf054b378d6ddfd9e6a.exeNgdmod32.exeMenjdbgj.exeAclpap32.exeAnfmjhmd.exePnlaml32.exePqdqof32.exeBebblb32.exeLphoelqn.exeMpjlklok.exeQdbiedpa.exeCdabcm32.exeDjgjlelk.exeAqppkd32.exeDejacond.exeCnnlaehj.exeLiimncmf.exeOcgmpccl.exeBeihma32.exeNnlhfn32.exePmfhig32.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlaegk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miemjaci.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgimcebb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmlpoqpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfhdlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlampmdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d04e065f7446836bcbb3999cbedbccc670bfb1f9ed91dbf054b378d6ddfd9e6a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngdmod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlaegk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	d04e065f7446836bcbb3999cbedbccc670bfb1f9ed91dbf054b378d6ddfd9e6a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphoelqn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmlpoqpg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpjlklok.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphoelqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liimncmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liimncmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlampmdo.exe

Executes dropped EXE 64 IoCs

Processes:

Lfhdlh32.exeLpqiemge.exeLiimncmf.exeLdoaklml.exeLikjcbkc.exeLbdolh32.exeLebkhc32.exeLphoelqn.exeMgagbf32.exeMmlpoqpg.exeMpjlklok.exeMlampmdo.exeMiemjaci.exeMgimcebb.exeMenjdbgj.exeNngokoej.exeNcdgcf32.exeNjnpppkn.exeNnlhfn32.exeNdfqbhia.exeNgdmod32.exeNlaegk32.exeOflgep32.exeOjjolnaq.exeOcbddc32.exeOqfdnhfk.exeOjoign32.exeOcgmpccl.exePnlaml32.exePfhfan32.exePdifoehl.exePqpgdfnp.exePncgmkmj.exePmfhig32.exePgllfp32.exePnfdcjkg.exePqdqof32.exePjmehkqk.exeQdbiedpa.exeQfcfml32.exeQnjnnj32.exeQgcbgo32.exeAjanck32.exeAqkgpedc.exeAjckij32.exeAeiofcji.exeAclpap32.exeAjfhnjhq.exeAqppkd32.exeAgjhgngj.exeAndqdh32.exeAglemn32.exeAnfmjhmd.exeAccfbokl.exeBjmnoi32.exeBebblb32.exeBfdodjhm.exeBaicac32.exeBjagjhnc.exeBmpcfdmg.exeBgehcmmm.exeBnpppgdj.exeBeihma32.exeBmemac32.exe

pid	Process
4992	Lfhdlh32.exe
740	Lpqiemge.exe
4936	Liimncmf.exe
1704	Ldoaklml.exe
1164	Likjcbkc.exe
2436	Lbdolh32.exe
4788	Lebkhc32.exe
3508	Lphoelqn.exe
3960	Mgagbf32.exe
3172	Mmlpoqpg.exe
4600	Mpjlklok.exe
2280	Mlampmdo.exe
2404	Miemjaci.exe
3672	Mgimcebb.exe
4768	Menjdbgj.exe
1196	Nngokoej.exe
4616	Ncdgcf32.exe
372	Njnpppkn.exe
5112	Nnlhfn32.exe
4544	Ndfqbhia.exe
2448	Ngdmod32.exe
3124	Nlaegk32.exe
3012	Oflgep32.exe
2728	Ojjolnaq.exe
2856	Ocbddc32.exe
4856	Oqfdnhfk.exe
2608	Ojoign32.exe
4976	Ocgmpccl.exe
3208	Pnlaml32.exe
3312	Pfhfan32.exe
2100	Pdifoehl.exe
4844	Pqpgdfnp.exe
2732	Pncgmkmj.exe
4472	Pmfhig32.exe
64	Pgllfp32.exe
2228	Pnfdcjkg.exe
816	Pqdqof32.exe
848	Pjmehkqk.exe
2632	Qdbiedpa.exe
4236	Qfcfml32.exe
1900	Qnjnnj32.exe
2144	Qgcbgo32.exe
3520	Ajanck32.exe
3856	Aqkgpedc.exe
2084	Ajckij32.exe
872	Aeiofcji.exe
3728	Aclpap32.exe
4724	Ajfhnjhq.exe
2880	Aqppkd32.exe
1476	Agjhgngj.exe
4364	Andqdh32.exe
4536	Aglemn32.exe
1784	Anfmjhmd.exe
2192	Accfbokl.exe
4796	Bjmnoi32.exe
2712	Bebblb32.exe
2628	Bfdodjhm.exe
3492	Baicac32.exe
5040	Bjagjhnc.exe
3660	Bmpcfdmg.exe
2348	Bgehcmmm.exe
2148	Bnpppgdj.exe
4048	Beihma32.exe
5108	Bmemac32.exe

Drops file in System32 directory 64 IoCs

Processes:

Likjcbkc.exeLphoelqn.exeCabfga32.exeMlampmdo.exeNcdgcf32.exePnlaml32.exeCfdhkhjj.exeBmpcfdmg.exeCeehho32.exeDogogcpo.exeOjjolnaq.exeBmemac32.exeCnffqf32.exeDaekdooc.exeMmlpoqpg.exeBaicac32.exeAjckij32.exeMiemjaci.exeNdfqbhia.exePgllfp32.exeAndqdh32.exeOcgmpccl.exePnfdcjkg.exeQfcfml32.exeCnkplejl.exeLdoaklml.exePjmehkqk.exeQnjnnj32.exeAccfbokl.exeBjagjhnc.exeCffdpghg.exeLpqiemge.exePncgmkmj.exeAnfmjhmd.exeNjnpppkn.exeOjoign32.exeDaqbip32.exeLebkhc32.exeNngokoej.exeOqfdnhfk.exeQdbiedpa.exeDejacond.exeMenjdbgj.exeAeiofcji.exeAqppkd32.exeBelebq32.exeOflgep32.exeOcbddc32.exeCnnlaehj.exeNgdmod32.exePdifoehl.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Lbdolh32.exe	Likjcbkc.exe
File created	C:\Windows\SysWOW64\Mgagbf32.exe	Lphoelqn.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Jholncde.dll	Mlampmdo.exe
File created	C:\Windows\SysWOW64\Ahioknai.dll	Ncdgcf32.exe
File created	C:\Windows\SysWOW64\Pfhfan32.exe	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Llmglb32.dll	Ojjolnaq.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Mpjlklok.exe	Mmlpoqpg.exe
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Njnpppkn.exe	Ncdgcf32.exe
File created	C:\Windows\SysWOW64\Aeiofcji.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Mgimcebb.exe	Miemjaci.exe
File created	C:\Windows\SysWOW64\Fpkknm32.dll	Ndfqbhia.exe
File created	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Mnjgghdi.dll	Andqdh32.exe
File created	C:\Windows\SysWOW64\Kjpgii32.dll	Ocgmpccl.exe
File opened for modification	C:\Windows\SysWOW64\Pqdqof32.exe	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Qnjnnj32.exe	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Jcjpfk32.dll	Ldoaklml.exe
File opened for modification	C:\Windows\SysWOW64\Qdbiedpa.exe	Pjmehkqk.exe
File opened for modification	C:\Windows\SysWOW64\Aglemn32.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Laqpgflj.dll	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Ldfgeigq.dll	Accfbokl.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Liimncmf.exe	Lpqiemge.exe
File opened for modification	C:\Windows\SysWOW64\Pmfhig32.exe	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Aglemn32.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Nnlhfn32.exe	Njnpppkn.exe
File opened for modification	C:\Windows\SysWOW64\Ocgmpccl.exe	Ojoign32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Phkjck32.dll	Lebkhc32.exe
File created	C:\Windows\SysWOW64\Miemjaci.exe	Mlampmdo.exe
File created	C:\Windows\SysWOW64\Ncdgcf32.exe	Nngokoej.exe
File opened for modification	C:\Windows\SysWOW64\Njnpppkn.exe	Ncdgcf32.exe
File opened for modification	C:\Windows\SysWOW64\Ojoign32.exe	Oqfdnhfk.exe
File created	C:\Windows\SysWOW64\Qfcfml32.exe	Qdbiedpa.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Ecaobgnf.dll	Mmlpoqpg.exe
File created	C:\Windows\SysWOW64\Nkenegog.dll	Menjdbgj.exe
File opened for modification	C:\Windows\SysWOW64\Ocbddc32.exe	Ojjolnaq.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Aclpap32.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Agjhgngj.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cabfga32.exe
File created	C:\Windows\SysWOW64\Oolpjdob.dll	Lpqiemge.exe
File created	C:\Windows\SysWOW64\Likjcbkc.exe	Ldoaklml.exe
File created	C:\Windows\SysWOW64\Ohjdgn32.dll	Oflgep32.exe
File opened for modification	C:\Windows\SysWOW64\Oqfdnhfk.exe	Ocbddc32.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Nlaegk32.exe	Ngdmod32.exe
File opened for modification	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pdifoehl.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
1716	2868	WerFault.exe	169

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Pmfhig32.exeAccfbokl.exeCabfga32.exeNgdmod32.exeNdfqbhia.exeOcgmpccl.exeAgjhgngj.exeAndqdh32.exeDdakjkqi.exeLpqiemge.exeBeihma32.exeCmlcbbcj.exeOjoign32.exeNngokoej.exePqdqof32.exeAjanck32.exeChokikeb.exeLikjcbkc.exeLphoelqn.exePfhfan32.exeQdbiedpa.exeQfcfml32.exeBmpcfdmg.exeBnpppgdj.exeCdabcm32.exeLfhdlh32.exeDaqbip32.exeDodbbdbb.exeDogogcpo.exeBgehcmmm.exeMiemjaci.exeMgimcebb.exePqpgdfnp.exePjmehkqk.exeQgcbgo32.exeAqkgpedc.exeAglemn32.exeMmlpoqpg.exeCnkplejl.exeDopigd32.exeDmllipeg.exeChjaol32.exeMlampmdo.exeQnjnnj32.exeAnfmjhmd.exeBebblb32.exeBelebq32.exed04e065f7446836bcbb3999cbedbccc670bfb1f9ed91dbf054b378d6ddfd9e6a.exeNnlhfn32.exeOflgep32.exePnlaml32.exeBjmnoi32.exeBjagjhnc.exeBmemac32.exeCfdhkhjj.exeLbdolh32.exeDhfajjoj.exeCnnlaehj.exeNcdgcf32.exeNlaegk32.exePncgmkmj.exeAjfhnjhq.exeAqppkd32.exeDejacond.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndfqbhia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpqiemge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nngokoej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Likjcbkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lphoelqn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfhdlh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miemjaci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgimcebb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmlpoqpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlampmdo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d04e065f7446836bcbb3999cbedbccc670bfb1f9ed91dbf054b378d6ddfd9e6a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnlhfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbdolh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncdgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe

Modifies registry class 64 IoCs

Processes:

Baicac32.exeBelebq32.exed04e065f7446836bcbb3999cbedbccc670bfb1f9ed91dbf054b378d6ddfd9e6a.exePdifoehl.exeQnjnnj32.exeAglemn32.exeBfdodjhm.exeMmlpoqpg.exeOjoign32.exeQdbiedpa.exeBmpcfdmg.exeChjaol32.exeBgehcmmm.exeLphoelqn.exeMenjdbgj.exePjmehkqk.exeAqkgpedc.exeCffdpghg.exeBebblb32.exeCnnlaehj.exeDjgjlelk.exeDodbbdbb.exeLdoaklml.exeNnlhfn32.exeOjjolnaq.exeChokikeb.exeCmlcbbcj.exeAeiofcji.exeBjagjhnc.exeAclpap32.exeNcdgcf32.exeLfhdlh32.exeAjckij32.exeDaqbip32.exeMgagbf32.exeAnfmjhmd.exeLebkhc32.exeDaekdooc.exeDopigd32.exeOcgmpccl.exePfhfan32.exeNlaegk32.exeCdabcm32.exeCeehho32.exeMiemjaci.exeNngokoej.exeBeihma32.exeNgdmod32.exeOcbddc32.exePmfhig32.exeBmemac32.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Baicac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cojlbcgp.dll"	d04e065f7446836bcbb3999cbedbccc670bfb1f9ed91dbf054b378d6ddfd9e6a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneljh32.dll"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmlpoqpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpbkoql.dll"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baicac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nniadn32.dll"	Lphoelqn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgldjcmk.dll"	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bebblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcjpfk32.dll"	Ldoaklml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphoelqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lfhdlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feibedlp.dll"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgagbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laqpgflj.dll"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phkjck32.dll"	Lebkhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhbopgfn.dll"	Nnlhfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lphoelqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Miemjaci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nngokoej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajckij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bmemac32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d04e065f7446836bcbb3999cbedbccc670bfb1f9ed91dbf054b378d6ddfd9e6a.exeLfhdlh32.exeLpqiemge.exeLiimncmf.exeLdoaklml.exeLikjcbkc.exeLbdolh32.exeLebkhc32.exeLphoelqn.exeMgagbf32.exeMmlpoqpg.exeMpjlklok.exeMlampmdo.exeMiemjaci.exeMgimcebb.exeMenjdbgj.exeNngokoej.exeNcdgcf32.exeNjnpppkn.exeNnlhfn32.exeNdfqbhia.exeNgdmod32.exe

description	pid	Process	procid_target
PID 2520 wrote to memory of 4992	2520	d04e065f7446836bcbb3999cbedbccc670bfb1f9ed91dbf054b378d6ddfd9e6a.exe	84
PID 2520 wrote to memory of 4992	2520	d04e065f7446836bcbb3999cbedbccc670bfb1f9ed91dbf054b378d6ddfd9e6a.exe	84
PID 2520 wrote to memory of 4992	2520	d04e065f7446836bcbb3999cbedbccc670bfb1f9ed91dbf054b378d6ddfd9e6a.exe	84
PID 4992 wrote to memory of 740	4992	Lfhdlh32.exe	85
PID 4992 wrote to memory of 740	4992	Lfhdlh32.exe	85
PID 4992 wrote to memory of 740	4992	Lfhdlh32.exe	85
PID 740 wrote to memory of 4936	740	Lpqiemge.exe	86
PID 740 wrote to memory of 4936	740	Lpqiemge.exe	86
PID 740 wrote to memory of 4936	740	Lpqiemge.exe	86
PID 4936 wrote to memory of 1704	4936	Liimncmf.exe	87
PID 4936 wrote to memory of 1704	4936	Liimncmf.exe	87
PID 4936 wrote to memory of 1704	4936	Liimncmf.exe	87
PID 1704 wrote to memory of 1164	1704	Ldoaklml.exe	88
PID 1704 wrote to memory of 1164	1704	Ldoaklml.exe	88
PID 1704 wrote to memory of 1164	1704	Ldoaklml.exe	88
PID 1164 wrote to memory of 2436	1164	Likjcbkc.exe	89
PID 1164 wrote to memory of 2436	1164	Likjcbkc.exe	89
PID 1164 wrote to memory of 2436	1164	Likjcbkc.exe	89
PID 2436 wrote to memory of 4788	2436	Lbdolh32.exe	90
PID 2436 wrote to memory of 4788	2436	Lbdolh32.exe	90
PID 2436 wrote to memory of 4788	2436	Lbdolh32.exe	90
PID 4788 wrote to memory of 3508	4788	Lebkhc32.exe	91
PID 4788 wrote to memory of 3508	4788	Lebkhc32.exe	91
PID 4788 wrote to memory of 3508	4788	Lebkhc32.exe	91
PID 3508 wrote to memory of 3960	3508	Lphoelqn.exe	92
PID 3508 wrote to memory of 3960	3508	Lphoelqn.exe	92
PID 3508 wrote to memory of 3960	3508	Lphoelqn.exe	92
PID 3960 wrote to memory of 3172	3960	Mgagbf32.exe	93
PID 3960 wrote to memory of 3172	3960	Mgagbf32.exe	93
PID 3960 wrote to memory of 3172	3960	Mgagbf32.exe	93
PID 3172 wrote to memory of 4600	3172	Mmlpoqpg.exe	94
PID 3172 wrote to memory of 4600	3172	Mmlpoqpg.exe	94
PID 3172 wrote to memory of 4600	3172	Mmlpoqpg.exe	94
PID 4600 wrote to memory of 2280	4600	Mpjlklok.exe	95
PID 4600 wrote to memory of 2280	4600	Mpjlklok.exe	95
PID 4600 wrote to memory of 2280	4600	Mpjlklok.exe	95
PID 2280 wrote to memory of 2404	2280	Mlampmdo.exe	96
PID 2280 wrote to memory of 2404	2280	Mlampmdo.exe	96
PID 2280 wrote to memory of 2404	2280	Mlampmdo.exe	96
PID 2404 wrote to memory of 3672	2404	Miemjaci.exe	97
PID 2404 wrote to memory of 3672	2404	Miemjaci.exe	97
PID 2404 wrote to memory of 3672	2404	Miemjaci.exe	97
PID 3672 wrote to memory of 4768	3672	Mgimcebb.exe	98
PID 3672 wrote to memory of 4768	3672	Mgimcebb.exe	98
PID 3672 wrote to memory of 4768	3672	Mgimcebb.exe	98
PID 4768 wrote to memory of 1196	4768	Menjdbgj.exe	99
PID 4768 wrote to memory of 1196	4768	Menjdbgj.exe	99
PID 4768 wrote to memory of 1196	4768	Menjdbgj.exe	99
PID 1196 wrote to memory of 4616	1196	Nngokoej.exe	100
PID 1196 wrote to memory of 4616	1196	Nngokoej.exe	100
PID 1196 wrote to memory of 4616	1196	Nngokoej.exe	100
PID 4616 wrote to memory of 372	4616	Ncdgcf32.exe	101
PID 4616 wrote to memory of 372	4616	Ncdgcf32.exe	101
PID 4616 wrote to memory of 372	4616	Ncdgcf32.exe	101
PID 372 wrote to memory of 5112	372	Njnpppkn.exe	102
PID 372 wrote to memory of 5112	372	Njnpppkn.exe	102
PID 372 wrote to memory of 5112	372	Njnpppkn.exe	102
PID 5112 wrote to memory of 4544	5112	Nnlhfn32.exe	103
PID 5112 wrote to memory of 4544	5112	Nnlhfn32.exe	103
PID 5112 wrote to memory of 4544	5112	Nnlhfn32.exe	103
PID 4544 wrote to memory of 2448	4544	Ndfqbhia.exe	104
PID 4544 wrote to memory of 2448	4544	Ndfqbhia.exe	104
PID 4544 wrote to memory of 2448	4544	Ndfqbhia.exe	104
PID 2448 wrote to memory of 3124	2448	Ngdmod32.exe	105

C:\Users\Admin\AppData\Local\Temp\d04e065f7446836bcbb3999cbedbccc670bfb1f9ed91dbf054b378d6ddfd9e6a.exe
"C:\Users\Admin\AppData\Local\Temp\d04e065f7446836bcbb3999cbedbccc670bfb1f9ed91dbf054b378d6ddfd9e6a.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Windows\SysWOW64\Lfhdlh32.exe
  C:\Windows\system32\Lfhdlh32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4992
- - C:\Windows\SysWOW64\Lpqiemge.exe
    C:\Windows\system32\Lpqiemge.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:740
  - - C:\Windows\SysWOW64\Liimncmf.exe
      C:\Windows\system32\Liimncmf.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4936
    - - C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1704
      - C:\Windows\SysWOW64\Likjcbkc.exe
        
        C:\Windows\system32\Likjcbkc.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\SysWOW64\Lebkhc32.exe
        
        C:\Windows\system32\Lebkhc32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4788
        
        C:\Windows\SysWOW64\Lphoelqn.exe
        
        C:\Windows\system32\Lphoelqn.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3508
        
        C:\Windows\SysWOW64\Mgagbf32.exe
        
        C:\Windows\system32\Mgagbf32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3960
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3172
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3672
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4768
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1196
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4616
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:372
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3124
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3012
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2728
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4856
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2608
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3208
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2100
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4844
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2732
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4472
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:64
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2228
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:816
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:848
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2632
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4236
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1900
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2144
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3520
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3856
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2084
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:872
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3728
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4724
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2880
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1476
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4364
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1784
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4796
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2712
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3492
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3660
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2348
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4048
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5108
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4012
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        67⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2864
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4020
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3744
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1888
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        71⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        72⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4784
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:448
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4800
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4960
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4524
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:628
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5068
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3476
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3924
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 396
        88⤵
        Program crash
        
        PID:1716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2868 -ip 2868
1⤵
PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
320KB

MD5
d192adcc413a22cbae1a0b9b2318f6a5

SHA1
4d57a03e51d3393b851c78dbb7331abfd63397b4

SHA256
4a7874560322250a852aff7554382e52457c46ee1c8a94d30ec0a9dc970d9ce9

SHA512
2881f854714af42a7bde8757c1f12fe8bcceb689963bb8da32ada8c595e3682fad4185496a6bb1f4157647706a677fd38064501f47ebd03d8b2ec96367b342f0

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
320KB

MD5
704ceb009303c4f5d6f8045019e88ee9

SHA1
1249712faf8840e832f7023736dd29604c77f179

SHA256
2bd134049b0497fbc80eba4b6602141a3ee58d5f60e7a4d867348a806aa16917

SHA512
4506959300e2a64b51ad6581b1bb46e97c9019a5073bbd73eaeee7e6705bb0ef451dcc633f4b11919b4f5b602de522f6ce00056867a32ec6f1d1c955b4aab96b

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
320KB

MD5
e896b356f79a4c8764e89f5becd53728

SHA1
d53c7d18db2d3e62732aec5df5638c7fa57a57e5

SHA256
ba8b4a23b722a27a2ef0d7f1fe709271b967c4810506b9608eb33ff11ad091b0

SHA512
ac7f48948eb0c31449b0bd1e95ca0c0fc737468ffc0d705158e9fe13b839da2f80830892074d98444f4081ac503d4af08f0664e85fd545cbeb514dd17254c5a7

Download Submit
C:\Windows\SysWOW64\Ajanck32.exe

Filesize
320KB

MD5
9309103db64911e80d7838601f926944

SHA1
5264c07542c5f6b117d5fc03f693a6cccf52a5d9

SHA256
d03aa3ad5e8f1e906693da36d4851ceb10f60e1fce3178511aeee02910c132ff

SHA512
1c9e4ad43eb77cff90cc49cff6efcad5e204cdf57866cf66c67d44c855e581b6f95532cae8707a92ffd6fdeecb612247cd91b79d381a12defc8ad7ff4708c445

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
320KB

MD5
119f731f2387eb04a8608fedda37e7f0

SHA1
18c1d050ea3eaa704b00ab81d672f9ce0f4d740b

SHA256
abacb1af2debaee2eb1b3a997baebbcd9de3f3a69236779a821319760549ac4f

SHA512
e05aba0275986f87ff958320e90ed3ae5b0b04c4ea3a14de38fc81bc16ef3de50a19cf7edc153e71ee7463a156766b6b4ed85c50f220950ddfd041449886849f

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
320KB

MD5
330d5e48e2c9b2d54750259965bff26c

SHA1
6c56bce79493ebeac51080c561058cb4c37e667b

SHA256
e101bcfac851144fbcafd786ef5f76f22cef8ed0d5b451ddfe24452d5f7ad956

SHA512
89351535289c85b8468b092e1a9043511e73ac45509c1c847d5eefa6b2a310ab0c627656575425cd6387b7daa019ae510fd546b307a962b4a9ceb24b83c2c0e1

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
320KB

MD5
272eb4d2bbf19d33223a26c5c9cd638d

SHA1
4450b181408d7a05f5d7d3b861be78e54c1a4b67

SHA256
3449719a8a1e8e7aa2086a09ae086424b4759ec99f90006f994944e27c6d6cd7

SHA512
cb0379721db274acac65c41ca7a451935476cdc9a198a4f54864049be3f9cbe40cfe8e7a8f726da028b41169209fec8f590681727aff0bd5f97590346f5a48a5

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
320KB

MD5
22346b4a69102ab7cb49283b83226e74

SHA1
c57234f0939f3ac587b5e9ddacb765476e3653a7

SHA256
32ffa33a7eaeca30c5755bbfb83de570fd1a9a68c822fb6879737049c0a14c22

SHA512
1bebb5b12fbe2d066351d963e6d5a96db6db62603054dde7a5bdd5ae537310e8bd69986ae75a19d15d2eb5ae53c0aabc055bb9ac5706fa6473cc242839e52eef

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
320KB

MD5
17e1f4dbdffe1494de9d9be2ac2ee20a

SHA1
45acba25f56cbbbe3a32b9c367b3fbd4ec6008f8

SHA256
7a0c2c809efcf93adc479e51129c0907228ce56974d3855f5f144637173b2fd1

SHA512
430c7b9d2031fd5eefb3129d26a1e854e356c0b3a8ab7bf939acfd80be82c13ba456fda03df9123b1133aafb8c1995473c20542e38d33681821e7543dac3bc87

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
320KB

MD5
8e3b8a34715310a69bba08b8f925a562

SHA1
23f96966bc2655959d801a40b6703ac565c83f7a

SHA256
c249472b26515f5593a7ec678aa87c54f8445c8c7b30fa0f850a22bd5021c666

SHA512
ed200dede507d1bb1f25c1ac24e375d4dd04f9cfef860904834891ab9bb8111aab46bc51cba73607a1eb04677a134f389a2fc2d0a4593d98b37a4f604694e259

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
320KB

MD5
482263540c0b13d41833e5de209170e4

SHA1
45388270cbffc60b327ebf19290a07df89ba86f2

SHA256
bb4b6b5ef78f03f4802b5dbddfd261364067722a4c72d3e4b896c059056a7b68

SHA512
5c84d9a7f62b49b94c3d1aa9dfefb8217de947c2acc67f86566bf929f9f0cad0bef5ae0632fcb6a69858d2aa8a4132aa0e35a938f3b1bf3c4cfaa5ae0bb2d7aa

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
320KB

MD5
772485e77a014bb22ce064b640d27b38

SHA1
b5c45723e97fc7ede757538d1367d866e9b2f3e1

SHA256
cd9966707431d7261909e0225cee86fcea96bfbb0b842afbbb549cee35809ed9

SHA512
8f3de1d732671171f52fa9ad0c74fe256e3073d7dc3711c6da2f821b1d68812f69c3484472b522ffa1a963571e6d4a92d4042fc489d7f3960bc18134cf19508b

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
128KB

MD5
cef75ccccc2b1066922c5f6e7aa396ed

SHA1
e866edae8a85039b1086b929df160aab02660e5e

SHA256
092611ee4cf2ece9759c66f6a5ab587ff5606b35d3f58f5b52443eda60425fc6

SHA512
61fe604d3f70271cb738c9ff00f7212bb9a3a74d379fb4b0399e2a2470e0a4f1faf1e2f0bf4db77e7adc48b326589d9e191215e0e40f6f2ad8bf90ec21502b05

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
320KB

MD5
67adbf27be525b37a6cbca0eba18d3b4

SHA1
1faff961179b03781ddb0ba0a6dc289d5952d3ee

SHA256
ff9f8c1c94c64e5adeb45a455d748b73ea301f35fa241e37d78c88442b56904e

SHA512
919cde368a43c5140f36e0952ef1332faaff211f4f34cca6609f38ce0ef00b9d1674b256b8f01ca440e36bf23cb4966c37cb553e6ddde3aac0fa470b3e472003

Download Submit
C:\Windows\SysWOW64\Lbdolh32.exe

Filesize
320KB

MD5
d0adf42bbd0ef90f0bb4ad63bf2a75b0

SHA1
e672e8a08f72b6682a340e85173e0755f6462138

SHA256
ca0668ad9bd34fe9d6bbaeb3a475ab9e4c971e09c99261cd4be54905dbd4df2e

SHA512
bcd0e558d33d7ced0890d7a3bdbe204587f5e4132829862e7c184e060a7643140d3b509f226c3a1b6a106f0fc6122ef303b9380b1acf562d7e21ecdc53819645

Download Submit
C:\Windows\SysWOW64\Ldoaklml.exe

Filesize
320KB

MD5
3a641ad3092acb5c177db3552838682a

SHA1
9b38eee95f68c592463bfdacc4b7ab6eff7efb2a

SHA256
2239ca5ba2f4a3674c8778146051516aecf15533278c1925a4396255c238166f

SHA512
1912d877b27cb92f82660822eb61f420672c83c493c91c7153bf6dbceda78bcc88ae2589f4437bebdcc9b4b7dbed9c952854f8c12c5ddac94122f4a35b621857

Download Submit
C:\Windows\SysWOW64\Lebkhc32.exe

Filesize
320KB

MD5
374e29fe5a17bbeb7b043345aef8e0a6

SHA1
de94f4bc2825be9c2fe3394fd271ea3967fbff28

SHA256
6fac47b52ffda1338fa997ac4884bbe285024ee958586908537fd3d7e5b0b84b

SHA512
8239e94eb1ea29c179b4bc5d5da5fb79c03ca407a41d0f2bde51ad160569e5be36db5885cc1e77bb617bb6fdcb1b2db1787be07bdc94977c811ad002dce7ec6d

Download Submit
C:\Windows\SysWOW64\Lfhdlh32.exe

Filesize
320KB

MD5
406c00ae758698cbb5cad3fe94990303

SHA1
655d48adf4a0f91c636951b13b4b4098bdd212a1

SHA256
3d325ecad4932ada90dff97fb6579ec85875d41c96880c1e3307999183e9fd0d

SHA512
9d78b54d58930da920c5aa72278e5528f0f909f0caf226f1ac12be08ac91ccf73b548baca23a8e45c64212504e7fd6202a3a4f4f16f4a7c90c199d8502889b78

Download Submit
C:\Windows\SysWOW64\Liimncmf.exe

Filesize
320KB

MD5
64c6f01ce3cf83dc0390cbfb3801a572

SHA1
232de35883bdc501a7aba2252591b63b19dddebf

SHA256
abab1193a7f9fa21132c336c8d6032137af038e061dc0f6c002f68075a6fb42d

SHA512
985a88a54c543533fff032fecd54065022fc755016dbf02f8c8c9477fb0323a55927562616417572906f6ba6d4f4f54811a7e1ff2b0a6046e166e287abbba2b9

Download Submit
C:\Windows\SysWOW64\Likjcbkc.exe

Filesize
320KB

MD5
6c4f915efe13bfdfb568423f28a51218

SHA1
a2ec2f25d24cbb750970c034cff10f4b17b75a01

SHA256
1adc85428e913af2e27fbeba768946a0b396d2ba82cc6a2a7a787636802ce89e

SHA512
9e6164bcba1268dc7058c5c01719463f5dac9e3473b5cd5e203d2e5ba165e06c5a2c645c4fa58b92e0e4129261ecc4bdfa4e73ace70c7d7e277a22fc1a48cff3

Download Submit
C:\Windows\SysWOW64\Lphoelqn.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\Lphoelqn.exe

Filesize
320KB

MD5
54ac1ef7b61810f56766ec5c2a268a6b

SHA1
31b35b03a18b1f04ea2f562344953d2a994a4e90

SHA256
86a51cc9c2d172d3693618c2f05f914dc85d2f4537496cf06e979d702edafa1b

SHA512
0dae1beed25e2601ba8df763aafe31e8542d114a37814048bad387d6c8601e1d1b3254ea2596d583919321c3954f754a3f553368d9e716db3f4ab7218066988d

Download Submit
C:\Windows\SysWOW64\Lpqiemge.exe

Filesize
320KB

MD5
cbb0efcbde26a9934747b276cabc1833

SHA1
46d6faf606d3780ad330ade68f0d9a1a6e918271

SHA256
e87079b04633d4bf9373e5bd70b0e85ceb75211efe5c7c3c7fe163ba50e6f59a

SHA512
db14ac254e3eda220f74df226ca820ff0865a34850c237e2d9a6dce6e4bc184d188c365585d58f859d29b67e344131487c071112871ee1aa0ee23750f76dbf87

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
320KB

MD5
ba31472980fdfe0aa33195c4e4a76298

SHA1
571ebcce7eea18b1af228a9ccc35a6cd2a83f997

SHA256
5ec49d382e153b665d7da7e189c66a1c0529d6696d94e003cd34a91e95d0d581

SHA512
bb61359b6e630469151643a4e17b11857a85a53e8569dd4760d4d1f5c7ee7855ad368b3a622d89467716a86e79a37932b9095f8c8422f2afd65258822d6bf23d

Download Submit
C:\Windows\SysWOW64\Mgagbf32.exe

Filesize
320KB

MD5
2cd90a74b17b3d43447da1571a8fde32

SHA1
aec1f9572a592f31cbd6473fb1a06f5dccd6a533

SHA256
2ed7b1769dd1425a024bb66382c57eaf2e36cef7696c3c520624ea5cc8d5ca5b

SHA512
c7265e3060b0644ae8b4f32e9b9917fcc81739fc18caa52b8602abc7472e9fee31792ebd3230403f2d1d952ef7faec48e4b3a146f2169bbfd4edee319c518a2e

Download Submit
C:\Windows\SysWOW64\Mgimcebb.exe

Filesize
320KB

MD5
c57a769c61f7663bc42351b2f4acf196

SHA1
3147b4ae10e5050ec7964ffa09365a5d0a993036

SHA256
a92956a48e35e59d1db03b6f83b1a65f75eed53944c94e6e2b3f20c24b6581ab

SHA512
baaaec87b48615c3113c402b6f6fa8dfafbb7eab600165c21ce845cc47b1d4a6eeb433685500e53c41b78c24671c941222540b5350b4780de9c553fc0b3bc786

Download Submit
C:\Windows\SysWOW64\Miemjaci.exe

Filesize
320KB

MD5
429787249ba96d72d7306b59122a6b65

SHA1
7c7148a2c5eec69b3fba7560f198254b6044951a

SHA256
d92fd84cd75e8871b9efcbc6642475cae4fbd56df40635ec297f3d958d799727

SHA512
645cceed421133610f56a51d19b85426853f1f5dedcd087af2fc0d1c545ca453510dfa578f2146a28c8f230c347165333eb6905f0fd06d9fe9ab0d165a7afed6

Download Submit
C:\Windows\SysWOW64\Mlampmdo.exe

Filesize
320KB

MD5
b8c50fedb6419b23ad8530bcb3a7ff49

SHA1
099ef6e78d80de0bb797e4782908a28c2303aea5

SHA256
03c31e0859e73fdcc78aa99da021c8c091161e01b82f80ac90a1e55deb852e0c

SHA512
833f73269a71c473dcaec70b9f7cb85d0f8752495d4ac530dbe75aed5c238d03764465d85eab49d359cc68240d08dde1af4af7dca3ff81a824d8259913fc0013

Download Submit
C:\Windows\SysWOW64\Mmlpoqpg.exe

Filesize
320KB

MD5
6767c4b9421f9528eedb310db6cae560

SHA1
31042f28163dd4b5a93a31f029a9be18621fb89c

SHA256
b071b12d6358c708b569a484fb09be07c6b098a732f2b94ccf5086cc7544b9c4

SHA512
ecbca857077ae24851e5431256240a28a1fdf19901a8088e5d5efa1af054ed30b66f4c959a18545a3db8607c95a4bc60a56da02e0704bc2f42f399b439d12a87

Download Submit
C:\Windows\SysWOW64\Mpjlklok.exe

Filesize
320KB

MD5
02b663a6e4babb34498e95043406d1e7

SHA1
3fb06e93d18a9f8e06d7cf25619b440b0a5633a4

SHA256
61523999b910709ec7701744fb1f937bdc99f2383b0459856aeb55d18aae5158

SHA512
c24b15617d490fc961104d87c944d4742dd522a346ea441ed87478ac7cfdf3f2918ce1d23e63d2c22aceeabe135ef0d517cc69e198c66df40abd570621a050f2

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
320KB

MD5
e98ab5e485b8232495d242f08d09761e

SHA1
0a47256effbe32a8c64ad7fd17642cc284fd7aa3

SHA256
5418c11b72869b9212d70b3c86307ec3f3a9d4b70f1a49e0bad0622316e68075

SHA512
6281ad64a302ec3c6519c9d98752764263f711118feaec3a978a5534baef868704206389e194e1c44d76f67b6333d0e5b9ae40fb4a9536b5f43a7476d731a889

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
320KB

MD5
5b68936f9e5cc3986b64321534ee5b37

SHA1
027cc74123199a489ba27980bab5adb5510e6b14

SHA256
b332da14d6106bc50454ca6f2e9f32a85066c6cb23982590bea7a3a90e237f6d

SHA512
aa6f257d05b120e11029507b9d267704cf493c1794cb213152cc14af85baf335d545d2d1d7fd5eef476c8a7b9b8ddb29d956b84a5c3b8b9db51338c25a34d92f

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
320KB

MD5
48063c938de883f42ee487ca5df4251c

SHA1
910d8df0c4f39d96993de20f993a357bf7c8e2fc

SHA256
bd9771679c2b78f0dce72aa7b51ac92011a3d1cda8fdf6c604936794206849d6

SHA512
b4edaf7793832266f6170f31a7ad9bc853cc0f67bfc9daecf4b0634a989d7f7cb4097ed9f098ad81a9be8ab679c4c474ed02da0df361b98b22e50dc92d6a7993

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
320KB

MD5
d460f4fc857d3a4758a260b28d14296a

SHA1
dd2ea03eeb3ca22fd5b6c97cacb275c0c4c5cd1b

SHA256
773c37d9c015e727d3bba0e5920b3fc29b1d62cec73b1e8335d44b2cd9e0475f

SHA512
7eb0904fa04eace7f5ee57cd1555cc84c0209f5799b52473d37a40194c918ffed0e55182351b58f127db11b528f62824eb28f74036a05241444193043aa97200

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
320KB

MD5
83a4ed6c0e8a7a06c7dd5fd2adf844b3

SHA1
6e8353dfdc2be3411be13a43696677b1f16d8815

SHA256
3b83ab5bb585e3b6622364e6cdc27bb9867558193288e484c3c729484796f8e8

SHA512
00e86b5f0a5638f85184065cc3aa91856e1ebad919cfe83c423459ddc722b6728d01a2961bdbb620321bc4031301a85eb5db4db157a45bb19837ed6b7236d62d

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
320KB

MD5
f4c525fd1eaff56bfcb1b6eb60a966a9

SHA1
5fa70775c23c2fdc7671293735e0b2ea49c21e92

SHA256
c05c42744084c486fdb3dd94068e55000cac85b43f1128a4535eb8105e128e63

SHA512
17e74e3b5bac9927c08aa49e7e6badedcebb06581644d978ab168e0fc6d3ca93ed675a69cb988eddde90d56e34720208b807ad9c6ef21ebdfd1dd41e5cf0832e

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
320KB

MD5
062bbb8203e1b9ae10233591a01ce41d

SHA1
98c25f90a5176a599bb63804a3fb41a360c963d9

SHA256
c5c8d6b2935fda31d608606bcf1854dd2b106c9e7c164a1b12c89bf6ed1adf18

SHA512
4ff3bae00e29fec724c3493cb504c74a0f3aa07e66665b43cd70405b8a9652d1f9b51907633b312b6a897ae3b407eee6de7460c1143532c99709e405909b4ecb

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
320KB

MD5
510293b7c0fe8c9e2fd485d98013820f

SHA1
b786039bd7d3d6df7b29d42fbb01ae1b7faeb7f5

SHA256
3b79e37ec7d6dce95a0c740cc90428e2484daa2baf6cc20da11916477a243d4f

SHA512
0bb6fc2950a8903e20a91e2f4c83bbe73ef4297474e245f61887e2947116a0d889009e2bb156a020e5d5532b14beddf0c45e1d430bf91c92a98c893e6b9412ad

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
320KB

MD5
7206f04a1e43b6656079a1c3cfd5b9a5

SHA1
9fbc266aa21b466b8a320f65f0eda41d64371a59

SHA256
9cb56e95f4328028dd39f2b346205100dbb63c0ab497191c4e7420d960511a90

SHA512
e14239b45f2fa079069f724f98a763eefd6375f06f64c56d5c79243387418c50e2ba9d7d1c21b89e56610ebebd125046d5b6e67c7eafe44513a80cd12b219c63

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
320KB

MD5
5e319259624f8d728f7e0be6254b97d9

SHA1
0330af8a016438a3d95cddbb50f7b414ee55f6d8

SHA256
f4bbee4483fe2a0eca827edfa028ec88b62ed63273ef544e55eec3ac4312df69

SHA512
a0efe12d8030a4e3fce4c18b3c65dd4b98e3ebfeaa484b7a6072982a799f7faa6cbddc7821c7e72196a1e216ae1ffe05746e7165d01fdd36e42478f5bdf86a0a

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
320KB

MD5
5298037471eeec09c4ea483a4818d977

SHA1
5f203feb3e0031ff68e619dfba4467145634d32d

SHA256
f02656a5f38448356243915ec15eefdab00e3998a95696f8be87e8fb2792caf7

SHA512
0fc8618bf707bd740719cb8170ac360a3c136cc66a163917e9981a5f13a33ed271512bc00f2ad435b0fe047fc554055ebc69656a23792d056881189ec2505a5a

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
320KB

MD5
488d9601deb44bf9f12dac22872361b2

SHA1
788fe28689ee4e1e57084864ed674a8468d90175

SHA256
8a19e42dd86b0c31a40a8f8a0f97853f10f8e76c00d07df404cccfdf420b843a

SHA512
0b3747aac52bf60f11af5ffb0fd45482feb52829ab38cb3af0b373b243492acee3768be2affab1af1771a90dee5c061ff62d3eed98bbb847f3490e4a74232d90

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
320KB

MD5
1aec3916a68ce63f6e6ddd1398c4f6eb

SHA1
f8f036fcacddee9b41418d50c917c3c03d297f4d

SHA256
88f68e1abfed4d0d369e992b0a971cfc1f795747de5986bf20a885c16259ffcc

SHA512
0653cc36760af41dc034cd27fa66ff0fa2d7758a5a8a83e6e12d2c28b2e223df859746c7858c02ff63a20b1475829efb00e254df1e0136c2734c99b4bfcf5756

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
320KB

MD5
0178a106ecef6064e6bcad1eb6c4477c

SHA1
39df48c8a0c886457c2951e67e08fd0e0cd1f7fe

SHA256
ca5bcc0942ccba1e8fd595bc7995abe077108b0ff0719586c514b1be02f2eeb4

SHA512
7781fd9d4121b96626b00b8dfb83969a8d812174c39d5f9d4077da296996db252dfa80281e70a86d019e06e20ff6f1e96bd711cb02d19418edff28e3bdae5fab

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
320KB

MD5
0db59fe9d2442d941f84a8c32b1ba7e9

SHA1
93cab5813a3a425085c866fee76b84c13e486e3d

SHA256
f14e52af950a84576efff719fe3c80b0bbd89bc47cd0770a08467f4572ea9cfe

SHA512
c62be0d7708d6f6547050f8159a7778e0bc3acb185e31bf3b6434373f64547a146d090a696022e6bee10555aa28d04b0e136a263c5b152a25bd9d6877de2ac7a

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
320KB

MD5
e57abcc4bda05b2036d4d1813903f3eb

SHA1
619bd34f9aa8925053493a7f0c36cf9091cbe633

SHA256
96db72050f371f43f1f8ee19c46b0f237cdd87876d3ccee2c7db944eb091db73

SHA512
84210f21b14dcd20a757172244b0e28a1ee6a5ce69a24b386f315de39e09bfc7cd859e6fe9ad7b2881318ccdf92bca04694eacdf512acb26f2fbc1ec23fafda5

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
320KB

MD5
913c2408f1fde63036ba7251b85d44fc

SHA1
b29081c65401fe00c5d43cbd811399a0eecbd02a

SHA256
0ad6f9b738457d7486983f80154468851fcdaf61abb770c5e18d142a0504b918

SHA512
89923849ca0e110470ec42dbade0d7a83fcda66c81749f1fc8b82b7c000510410d4349fda598580208ad3e1edc478233a4ba41448c4e0e93780988cf8cff60f1

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
320KB

MD5
8880013d7742ccc238d69df06f74a7ff

SHA1
72243f6402dd165f5935c6748abe4b871d855614

SHA256
2a64b657afa178c0bd13692367698a68b652796f9ea886cbadcf89fb2e925f8d

SHA512
6455a6893abbe5076e641beb405e59fdb865eebc1bb2155745b39a3380faf066cc6886bc30ff3e31480d6feaa4ddb0a26cb0f47af7744bc9eed4699adb90ee2a

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
320KB

MD5
5de13cab94f156d42669c9658baa8ec2

SHA1
88f07d3e57c74caf750fe7680f7fb107b871d988

SHA256
8c1cda44f6c85db03ab9254cd465228beaa88c9a5ff403b326f33a312f2b2a22

SHA512
563aca17d75d1ecaf62d043976da6537a43dcdbf4967c704c1a182e14d34ab7accabe20b7b3ae77c7e69c6a5c63237d03941597a1220b96d41f2f7b65f4a5197

Download Submit
memory/64-274-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/372-143-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/448-496-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/628-529-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/740-16-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/740-556-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/816-286-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/848-292-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/872-340-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1164-39-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1164-575-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1196-127-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1476-368-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1704-31-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1704-569-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1784-382-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1888-478-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1900-310-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2084-334-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2100-247-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2144-316-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2148-633-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2148-436-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2192-388-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2228-280-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2264-502-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2280-96-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2296-558-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2296-596-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2348-430-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2404-103-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2436-48-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2436-582-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2448-168-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2520-0-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2520-542-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2608-215-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2628-406-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2632-298-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2708-484-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2712-400-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2716-592-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2728-191-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2732-262-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2856-199-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2864-460-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2868-586-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2868-583-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2880-358-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2964-590-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3012-711-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3012-183-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3124-176-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3124-712-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3172-82-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3208-231-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3312-240-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3476-548-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3492-412-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3508-64-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3520-326-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3660-424-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3672-111-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3728-346-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3744-474-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3856-328-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3924-550-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3924-594-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3960-71-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4012-458-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4012-626-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4020-466-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4048-442-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4236-307-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4364-370-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4376-576-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4376-587-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4472-268-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4524-519-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4536-376-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4544-165-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4600-87-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4616-135-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4724-352-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4768-119-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4784-490-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4788-56-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4796-394-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4844-255-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4856-207-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4936-563-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4936-24-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4960-513-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4976-223-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4992-549-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4992-7-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5040-418-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5068-536-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5108-448-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5112-151-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download